certs

Table of Contents

• Overview
• Module Description
• Setup
  • Setup requirements
• Usage
  • Installation
  • Examples
• Reference
• Limitations - OS compatibility, etc.
• Contributors

Overview

Configures SSL certificates and keys.

Module Description

This module provides SSL certificate files required by Apache or other services via the certs::site define. It can be used in conjunction with puppetlabs/apache's apache::vhost definitions to provide the ssl_cert and ssl_key files or any other service requiring SSL certificates.

It can also be used independent of any Puppet-defined service that requires the files to exist on a managed node.

Setup

Setup Requirements

The certificate files must come from an external store. Recommended stores are a site-specific (and private) module containing SSL files or a network-accessible filesystem, such as NFS, that the managed node can access. Once a file store is determined, include at least one certs::site define and specify the file store location as the source_path.

By default, this module will place certificates and keys in their relative locations and restart the specified service, provided it is defined in the catalog.

• RedHat

  • certificates directory: /etc/pki/tls/certs
  • keys directory: /etc/pki/tls/private
  • service: httpd

• Debian & Suse

  • certificates directory: /etc/ssl/certs
  • keys directory: /etc/ssl/private
  • service: apache2

• FreeBSD

  • certificates directory: /usr/local/etc/apache24
  • keys directory: /usr/local/etc/apache24
  • service: apache24

• Gentoo

  • certificates directory: /etc/ssl/apache2
  • keys directory: /etc/ssl/apache2
  • service: apache2

Usage

No trailing slashes should be provided for any paths.

Installation

Puppet Forge:

puppet module install broadinstitute-certs

Puppetfile:

mod 'broadinstitute/certs'

Examples

Puppet Manifest

manifest.pp

  include certs
  $domain = 'www.example.com'
  certs::site { $domain:
    source_path    => 'puppet:///site_certificates',
    ca_cert        => true,
    ca_name        => 'caname',
    ca_source_path => 'puppet:///ca_certs',
  }

With Hiera

node.yaml

  classes:
    - certs
  certs::sites:
    'www.example.com':
      source_path: 'puppet:///site_certificates'
      ca_cert: true
      ca_name: 'caname'
      ca_source_path: 'puppet:///ca_certs'

Resource Chaining with Apache Module

manifest.pp

  Certs::Site<| |> -> Apache::Vhost<| |>

Global Defaults

You can also reset some of the settings in params.pp globally via the certs base class which will be inherited by all certs::site defines used that are later defined. In this example, we can reset the default certificate and key paths for all instantiated sites so that we don't have to manually set the custom path in each site:

  $domain1 = 'www.example.com'
  $domain2 = 'foo.example.com'

  class { 'certs':
    cert_path => '/path/to/certs',
    key_path  => '/path/to/keys',
  }

  certs::site { $domain1:
    source_path    => 'puppet:///site_certificates',
    ca_cert        => true,
    ca_name        => 'caname',
    ca_source_path => 'puppet:///ca_certs',
  }

  certs::site { $domain2:
    source_path    => 'puppet:///site_certificates',
    ca_cert        => true,
    ca_name        => 'caname',
    ca_source_path => 'puppet:///ca_certs',
  }

Reference

REFERENCE.md (generated with Puppet Strings)

Limitations

This module is CI tested against open source Puppet on:

• CentOS 6, 7, 8
• RHEL 6, 7, 8

This module also provides functions for other distributions and operating systems, such as FreeBSD and Gentoo, but is not formally tested on them and are subject to regressions.

Contributors

Riccardo Calixte (@rcalixte)

Andrew Teixeira (@coreone)

More contributors.

Reference

Table of Contents

Classes

• certs: The certs class provides a single define, certs::site, configurable within Hiera as well.

Defined types

• certs::site: Puppet module for SSL certificate installation.

Classes

certs

The certs class provides a single define, certs::site, configurable within Hiera as well.

Examples

Set some basic global options

class { 'certs':
  cert_path => '/path/to/certs',
  key_path  => '/path/to/keys',
}

Parameters

The following parameters are available in the certs class:

• ca_cert
• ca_content
• ca_ext
• ca_name
• ca_path
• ca_source_path
• cert_chain
• cert_content
• cert_dir_mode
• cert_ext
• cert_mode
• cert_path
• chain_content
• chain_ext
• chain_name
• chain_path
• chain_source_path
• dhparam_file
• group
• key_content
• key_dir_mode
• key_ext
• key_mode
• key_path
• owner
• service
• sites
• source_path
• supported_os
• validate_x509

ca_cert

Data type: Boolean

Boolean for whether to look for a CA certificate file. Optional value. (default: false).

Default value: false

ca_content

Data type: Optional[String]

A string representing the contents of the CA file. Optional value. (default: undef).

Default value: undef

ca_ext

Data type: String

The extension of the CA certificate file. This sets the default globally for use by all certs::site resources. Optional value. (default: 'crt').

Default value: lookup('certs::cert_ext')

ca_name

Data type: Optional[String]

The name of the CA certificate file. Optional value. (default: undef).

Default value: undef

ca_path

Data type: Stdlib::Absolutepath

Location where the CA certificate file will be stored on the managed node. This sets the default globally for use by all certs::site resources. Optional value. (default: cert_path).

Default value: lookup('certs::cert_path')

ca_source_path

Data type: Optional[String]

The location of the CA certificate file. Typically references a module's files. e.g. puppet:///ca_certs will search for the mount point defined in the fileserver.conf on the Puppet Server for the specified files. Optional value. (default: source_path).

Default value: $source_path

cert_chain

Data type: Boolean

Boolean for whether to look for a certificate chain file. Optional value. (default: false).

Default value: false

cert_content

Data type: Optional[String]

A string representing the contents of the certificate file. This can only be provided if $source_path is undefined or an error will occur. Optional value. (default: undef).

Default value: undef

cert_dir_mode

Data type: String

Permissions of the certificate directory. This sets the default globally for use by all certs::site resources. Optional value. (default: '0755').

cert_ext

Data type: String

The extension of the certificate file. This sets the default globally for use by all certs::site resources. Optional value. (default: '.crt').

cert_mode

Data type: String

Permissions of the certificate files. This sets the default globally for use by all certs::site resources. Optional value. (default: '0644').

cert_path

Data type: Stdlib::Absolutepath

Location where the certificate files will be stored on the managed node. This sets the default globally for use by all certs::site resources. Optional value. Defaults:

• /etc/pki/tls/certs on RedHat-based systems
• /etc/ssl/certs on Debian-based and Suse-based systems
• /usr/local/etc/apache24 on FreeBSD-based systems
• /etc/ssl/apache2 on Gentoo-based systems

chain_content

Data type: Optional[String]

A string representing the contents of the chain file. Optional value. (default: undef).

Default value: undef

chain_ext

Data type: String

The extension of the certificate chain file. This sets the default globally for use by all certs::site resources. Optional value. (default: 'crt').

Default value: lookup('certs::cert_ext')

chain_name

Data type: Optional[String]

The name of the certificate chain file. Optional value. (default: undef).

Default value: undef

chain_path

Data type: Stdlib::Absolutepath

Location where the certificate chain file will be stored on the managed node. This sets the default globally for use by all certs::site resources. Optional value. (default: $cert_path).

Default value: lookup('certs::cert_path')

chain_source_path

Data type: Optional[String]

The location of the certificate chain file. Typically references a module's files. e.g. puppet:///chain_certs will search for the mount point defined in the fileserver.conf on the Puppet Server for the specified files. Optional value. (default: $source_path).

Default value: $source_path

dhparam_file

Data type: String

The name of the dhparam file. This sets the default globally for use by all certs::site resources. Optional value. (default: 'dh2048.pem').

group

Data type: String

Name of the group owner of the certificates. This sets the default globally for use by all certs::site resources. Optional value. Defaults:

• root for Redhat-based, Debian-based, and Suse-based systems
• wheel for FreeBSD and Gentoo-based systems

key_content

Data type: Optional[String]

A string representing the contents of the key file. This can only be provided if $source_path is undefined or an error will occur. Optional value. (default: undef).

Default value: undef

key_dir_mode

Data type: String

Permissions of the private keys directory. This sets the default globally for use by all certs::site resources. Optional value. (default: '0755').

key_ext

Data type: String

The extension of the private key file. This sets the default globally for use by all certs::site resources. Optional value. (default: '.key').

key_mode

Data type: String

Permissions of the private keys. This sets the default globally for use by all certs::site resources. Optional value. (default: '0600').

key_path

Data type: Stdlib::Absolutepath

Location where the private keys will be stored on the managed node. This sets the default globally for use by all certs::site resources. Optional value. Defaults:

• /etc/pki/tls/private on RedHat-based systems
• /etc/ssl/private on Debian-based and Suse-based systems
• /usr/local/etc/apache24 on FreeBSD-based systems
• /etc/ssl/apache2 on Gentoo-based systems

owner

Data type: String

Name of the owner of the certificates. This sets the default globally for use by all certs::site resources. Optional value. (default: 'root').

service

Data type: Optional[Variant[Array[String],Boolean,String]]

Name of the server service(s) to notify when certificates are updated. Setting to false (or any Boolean) will disable service notifications. This sets the default globally for use by all certs::site resources. Optional value. Defaults:

• httpd for RedHat-based systems
• apache2 for Debian-based, Suse-based, and Gentoo-based systems
• apache24 for FreeBSD-based systems

Default value: lookup('certs::service')

sites

Data type: Hash

A hash of certs::site configurations, typically provided by Hiera. Optional value: (default: {}).

Default value: {}

source_path

Data type: Optional[String]

The location of the certificate files. Typically references a module's files. e.g. puppet:///site_certs will search for the mount point defined in the fileserver.conf on the Puppet Server for the specified files.

Default value: undef

supported_os

Data type: Boolean

A boolean value for whether or not the running OS is supported by the module. Configured by default data.

Default value: false

validate_x509

Data type: Boolean

A boolean value to determine whether or not to validate the certificate and key pairs. Failure will cause the catalog to fail compilation. Optional value. (default: false).

Default value: false

Defined types

certs::site

Can be used in conjunction with puppetlabs/apache's apache::vhost definitions, to provide the ssl_cert and ssl_key files, or any other service requiring SSL certificates. It can also be used independent of any Puppet-defined service.

Examples

Without Hiera

include certs
$cname = 'www.example.com'
certs::site { $cname:
  ca_cert        => true,
  ca_name        => 'caname',
  ca_source_path => 'puppet:///ca_certs',
  source_path    => 'puppet:///site_certificates',
}

With Hiera

---
classes:
  - certs
certs::sites:
  'www.example.com':
    ca_cert: true
    ca_name: 'caname'
    ca_source_path: 'puppet:///ca_certs'
    source_path: 'puppet:///site_certificates'

Resource Chaining with Apache Module

Certs::Site<| |> -> Apache::Vhost<| |>

Parameters

The following parameters are available in the certs::site defined type:

• ca_cert
• ca_content
• ca_ext
• ca_name
• ca_path
• ca_source_path
• cert_chain
• cert_content
• cert_dir_mode
• cert_ext
• cert_mode
• cert_path
• chain_content
• chain_ext
• chain_name
• chain_path
• chain_source_path
• dhparam
• dhparam_content
• dhparam_dir
• dhparam_file
• ensure
• group
• key_content
• key_dir_mode
• key_ext
• key_mode
• key_path
• merge_chain
• merge_dhparam
• merge_key
• owner
• service
• source_cert_name
• source_key_name
• source_path
• validate_x509

ca_cert

Data type: Boolean

Boolean for whether to look for a CA certificate file. Optional value. (default: false).

Default value: $::certs::ca_cert

ca_content

Data type: Optional[String]

A string representing the contents of the CA file. Optional value. (default: undef).

Default value: $::certs::ca_content

ca_ext

Data type: String

The extension of the CA certificate file. Optional value. (default: 'crt').

Default value: $::certs::ca_ext

ca_name

Data type: Optional[String]

The name of the CA certificate file. Optional value. (default: undef).

Default value: $::certs::ca_name

ca_path

Data type: Stdlib::Absolutepath

Location where the CA certificate file will be stored on the managed node. Optional value. (default: cert_path).

Default value: $::certs::ca_path

ca_source_path

Data type: Optional[String]

The location of the CA certificate file. Typically references a module's files. e.g. puppet:///ca_certs will search for the mount point defined in the fileserver.conf on the Puppet Server for the specified files. Optional value. (default: source_path).

Default value: pick_default($::certs::ca_source_path, $source_path)

cert_chain

Data type: Boolean

Boolean for whether to look for a certificate chain file. Optional value. (default: false).

Default value: $::certs::cert_chain

cert_content

Data type: Optional[String]

A string representing the contents of the certificate file. This can only be provided if $source_path is undefined or an error will occur. Optional value. (default: undef).

Default value: $::certs::cert_content

cert_dir_mode

Data type: String

Permissions of the certificate directory. Optional value. (default: '0755').

Default value: $::certs::cert_dir_mode

cert_ext

Data type: String

The extension of the certificate file. Optional value. (default: '.crt').

Default value: $::certs::cert_ext

cert_mode

Data type: String

Permissions of the certificate files. Optional value. (default: '0644').

Default value: $::certs::cert_mode

cert_path

Data type: Stdlib::Absolutepath

Location where the certificate files will be stored on the managed node. Optional value. Defaults:

• /etc/pki/tls/certs on RedHat-based systems
• /etc/ssl/certs on Debian-based and Suse-based systems
• /usr/local/etc/apache24 on FreeBSD-based systems
• /etc/ssl/apache2 on Gentoo-based systems

Default value: $::certs::cert_path

chain_content

Data type: Optional[String]

A string representing the contents of the chain file. Optional value. (default: undef).

Default value: $::certs::chain_content

chain_ext

Data type: String

The extension of the certificate chain file. Optional value. (default: 'crt').

Default value: $::certs::chain_ext

chain_name

Data type: Optional[String]

The name of the certificate chain file. Optional value. (default: undef).

Default value: $::certs::chain_name

chain_path

Data type: Stdlib::Absolutepath

Location where the certificate chain file will be stored on the managed node. Optional value. (default: $cert_path).

Default value: $::certs::chain_path

chain_source_path

Data type: Optional[String]

The location of the certificate chain file. Typically references a module's files. e.g. puppet:///chain_certs will search for the mount point defined in the fileserver.conf on the Puppet Server for the specified files. Optional value. (default: $source_path).

Default value: pick_default($::certs::chain_source_path, $source_path)

dhparam

Data type: Boolean

A boolean value to determine whether a dhparam file should be placed on the system along with the other certificate files. The dhparam file will need to exist on the source side just as with the other certificate files in order for the file to be delivered. Optional value. (default: false).

Default value: false

dhparam_content

Data type: Optional[String]

A string representing the contents of the dhparam file. This option will take precedence over dhparam_file if it exists on the source side. Optional value. (default: undef).

Default value: undef

dhparam_dir

Data type: Optional[Stdlib::Absolutepath]

The directory in which the dhparam file should be placed. Optional value. (default: $cert_path).

Default value: undef

dhparam_file

Data type: String

The name of the dhparam file. Optional value. (default: 'dh2048.pem').

Default value: $::certs::dhparam_file

ensure

Data type: Enum['present','absent']

Ensure for the site resources. If 'present', files will be put in place. If 'absent', files will be removed. Optional value. (default: 'present').

Default value: 'present'

group

Data type: String

Name of the group owner of the certificates. Optional value. Defaults:

• root for Redhat-based, Debian-based, and Suse-based systems
• wheel for FreeBSD and Gentoo-based systems

Default value: $::certs::group

key_content

Data type: Optional[String]

A string representing the contents of the key file. This can only be provided if $source_path is undefined or an error will occur. Optional value. (default: undef).

Default value: $::certs::key_content

key_dir_mode

Data type: String

Permissions of the private keys directory. Optional value. (default: '0755').

Default value: $::certs::key_dir_mode

key_ext

Data type: String

The extension of the private key file. Optional value. (default: '.key').

Default value: $::certs::key_ext

key_mode

Data type: String

Permissions of the private keys. Optional value. (default: '0600').

Default value: $::certs::key_mode

key_path

Data type: Stdlib::Absolutepath

Location where the private keys will be stored on the managed node. Optional value. Defaults:

• /etc/pki/tls/private on RedHat-based systems
• /etc/ssl/private on Debian-based and Suse-based systems
• /usr/local/etc/apache24 on FreeBSD-based systems
• /etc/ssl/apache2 on Gentoo-based systems

Default value: $::certs::key_path

merge_chain

Data type: Boolean

Option to merge the CA and chain files into the actual certificate file, which is required by some software. Optional value. (default: false).

Default value: false

merge_dhparam

Data type: Boolean

Option to merge the DH paramaters file into the actual certificate file, which is required by some software. Optional value. (default: false).

Default value: false

merge_key

Data type: Boolean

Option to merge the private into the actual certificate file, which is required by some software. Optional value. (default: false).

Default value: false

owner

Data type: String

Name of the owner of the certificates. Optional value. (default: 'root').

Default value: $::certs::owner

service

Data type: Optional[Variant[Array[String],Boolean,String]]

Name of the server service(s) to notify when certificates are updated. Setting to false (or any Boolean) will disable service notifications. Optional value. Defaults:

• httpd for RedHat-based systems
• apache2 for Debian-based, Suse-based, and Gentoo-based systems
• apache24 for FreeBSD-based systems

Default value: $::certs::service

source_cert_name

Data type: Optional[String]

The name of the source certificate file. Optional value. (default: $namevar).

Default value: undef

source_key_name

Data type: Optional[String]

The name of the source key file. Optional value. (default: $namevar).

Default value: undef

source_path

Data type: Optional[String]

The location of the certificate files. Typically references a module's files. e.g. puppet:///site_certs will search for the mount point defined in the fileserver.conf on the Puppet Server for the specified files.

Default value: $::certs::source_path

validate_x509

Data type: Boolean

A boolean value to determine whether or not to validate the certificate and key pairs. Failure will cause the catalog to fail compilation. Optional value. (default: false).

Default value: $::certs::validate_x509

Change log

All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

3.0.0 (2021-09-10)

Full Changelog

Changed

• Remove RedHat 6 support #55 (coreone)

Added

• Allow source filenames to be different than the certs::site namevar #53 (coreone)

2.5.1 (2020-01-27)

Full Changelog

Added

• Convert to PDK #44 (coreone)

Fixed

• Make dhparam directory customizable (Fixes #38) #45 (coreone)
• Fix ensure_resource on multiple directories not working correctly #43 (coreone)

2.5.0 (2018-07-27)

Full Changelog

Added

• Change default mode and location when merging key #31 #37 (rcalixte)

2.4.0 (2018-07-26)

Full Changelog

Added

• Rewrite service notifications #36 (rcalixte)

2.3.2 (2018-07-24)

Full Changelog

Fixed

• Fix service notifications #35 (rcalixte)

2.3.1 (2018-06-18)

Full Changelog

2.3.0 (2018-06-18)

Full Changelog

Added

• Add more global defaults #33 (rcalixte)

2.2.1 (2018-06-07)

Full Changelog

Added

• Documentation fixes (#30) #32 (rcalixte)

2.2.0 (2018-05-18)

Full Changelog

Added

• Release 2.2.0 #28 (rcalixte)

2.1.1 (2018-05-16)

Full Changelog

2.1.0 (2018-05-16)

Full Changelog

Added

• Add validation parameter #25 (rcalixte)
• Handle trusted certificate updates on EL6/7 #22 (jorhett)
• Refactor for modern Puppet #21 (jorhett)

Fixed

• Use puppet lookup so a hash merge of sites is possible #20 (jorhett)

1.2.1 (2017-08-02)

Full Changelog

Added

• Validation for bool #14 (coreone)

Fixed

• Fix boolean vs. string issue #13 (coreone)

1.2.0 (2017-07-28)

Full Changelog

Added

• More dhparams stuff #12 (coreone)
• Add dhparam files as well as other cleanup #11 (coreone)

1.1.0 (2017-01-17)

Full Changelog

Added

• merge_key and SPEC updates #7 (coreone)

1.0.0 (2016-09-06)

Full Changelog

Added

• Add tests, content instead of source logic, and ensure support #6 (coreone)
• Update README #5 (rcalixte)
• Testing fixes and global default settings #4 (coreone)
• Various fixes and cert/chain merge ability #3 (coreone)

0.4.0 (2016-08-25)

Full Changelog

* This Changelog was automatically generated by github_changelog_generator