dehydrated

Puppet module for centralized CSR signing using Let’s Encrypt™ and lukas2511/dehydrated - keeping your keys safe on the host they belong to.


Version information

  • 2.0.1 (latest)
  • 2.0.0
  • 1.0.1
  • 1.0.0
  • 0.1.11
  • 0.1.10
  • 0.1.9
  • 0.1.8
  • 0.1.7
  • 0.1.6
  • 0.1.5
  • 0.1.4
  • 0.1.3
  • 0.1.2
  • 0.1.1
  • 0.1.0
released Jan 7th 2019
This version is compatible with:
  • Puppet Enterprise 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 4.7.0 < 6.0.0
  • CentOS, OracleLinux, RedHat, Scientific, Debian, Ubuntu, windows, Fedora, SLES

Start using this module


Add this module to your Puppetfile:

mod 'bzed-dehydrated', '0.1.6'

Add this module to your Bolt project:

bolt module add bzed-dehydrated

Manually install this module globally with Puppet module tool:

puppet module install bzed-dehydrated --version 0.1.6

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.


Documentation

bzed/dehydrated — version 0.1.6 Jan 7th 2019

Reference

Table of Contents

Classes

Public Classes

Private Classes

  • dehydrated::setup: Setup required files and folders. Don't include/call this class.

Defined types

Public Defined types

Private Defined types

  • dehydrated::certificate::collect: A short summary of the purpose of this defined type.
  • dehydrated::certificate::csr: Creates a key file with CSR
  • dehydrated::certificate::deploy: Deploy collected certificate and CA files.
  • dehydrated::certificate::dh: Create the DH params file.
  • dehydrated::certificate::request: Prepare everything to request a certificate for our CSRs.
  • dehydrated::certificate::transfer: Transfer crt/ca/ocsp files.

Resource types

Functions

Classes

dehydrated

Base class to setup the letsencrypt certificate handling with dehydrated.

Examples

# should be sufficient in most cases.
include dehydrated

# if you are "upgrading" from bzed-letsencrypt,
# you might want to use these options to stay
# compatible with the old group/directory:
class { 'dehydrated' :
  group    => 'letsencrypt',
  base_dir => '/etc/letsencrypt',
}

Parameters

The following parameters are available in the dehydrated class.

base_dir

Data type: Stdlib::Absolutepath

The base directory where keys/csr/certs are stored. Defaults to:

  • on $::os['family']=='Debian': /etc/dehydrated
  • on other Linux/Unix systems: /etc/pki/dehydrated
  • on windows: C:\LE_certs.

Default value: $::dehydrated::params::base_dir

crt_dir

Data type: Stdlib::Absolutepath

The directory where certificates are stored. Defaults to ${base_dir}/certs

Default value: join([$base_dir, 'certs'], $::dehydrated::params::path_seperator)

csr_dir

Data type: Stdlib::Absolutepath

The directory where CSRs are stored. Defaults to ${base_dir}/csr

Default value: join([$base_dir, 'csr'], $::dehydrated::params::path_seperator)

key_dir

Data type: Stdlib::Absolutepath

The directory where private keys are stored. Defaults to ${base_dir}/private

Default value: join([$base_dir, 'private'], $::dehydrated::params::path_seperator)

user

Data type: String

Linux: The user who owns the files in /etc/dehydrated. Windows: The user who owns the files in C:\LE_Certs. Needs to be specified!

Default value: $::dehydrated::params::user

group

Data type: String

Linux: The group which owns the files in /etc/dehydrated. If you have a non-root process which needs to access private keys, add its user to this group. Windows: The group which owns the files in C:\LE_Certs. Needs to be specified!

Default value: $::dehydrated::params::group

dehydrated_user

Data type: Optional[String]

User to run the dehydrated script as. Only used on the host that actually requests certificates.

Default value: $::dehydrated::params::dehydrated_user

dehydrated_group

Data type: Optional[String]

Group to run the dehydrated script as. Only used on the host that actually requests certificates.

Default value: $::dehydrated::params::dehydrated_group

letsencrypt_ca

Data type: String

Let’s Encrypt CA to use. Defaults to v2-production. See the letsencrypt_cas parameter for a way to specify your own Let’s Encrypt / ACME compatible CA. This configures the default CA to use, but you can actually define different CAs for each certificate, see the ::dehydrated::certificate define for details.

Default value: $::dehydrated::params::letsencrypt_ca

letsencrypt_cas

Data type: Hash

Hash with the definitions of the official testing and production Let’s Encrypt CAs this puppet module was tested against.

Default value: $::dehydrated::params::letsencrypt_cas

dh_param_size

Data type: Integer[768]

Default size of the DH params we should generate. Defaults to 2048.

Default value: $::dehydrated::params::dh_param_size

challengetype

Data type: Dehydrated::Challengetype

Default challengetype to use. Defaults to 'dns-01'. You can specify a different challengetype for each certificate, see ::dehydrated::certificate.

Default value: $::dehydrated::params::challengetype

algorithm

Data type: Dehydrated::Algorithm

Default algorithm / elliptic-curve you want to use. Supported: rsa, secp384r1, prime256v1. Defaults to rsa. You can specify a different algorithm for each certificate, see ::dehydrated::certificate.

Default value: $::dehydrated::params::algorithm

dehydrated_base_dir

Data type: Stdlib::Absolutepath

Only used if $facts['fqdn'] == $::dehydrated::dehydrated_host. Path where the dehydrated script and configurations/csrs are being stored. Defaults to '/opt/dehydrated'.

Default value: $::dehydrated::params::dehydrated_base_dir

dehydrated_git_dir

Data type: Stdlib::Absolutepath

Only used if $facts['fqdn'] == $::dehydrated::dehydrated_host. Path the dehydrated script is checked out into using git. Defaults to ${dehydrated_base_dir}/dehydrated.

Default value: "${dehydrated_base_dir}/dehydrated"

dehydrated_git_tag

Data type: String

Only used if $facts['fqdn'] == $::dehydrated::dehydrated_host. Version of the dehydrated script we want to use. Change it at your own risk.

Default value: $::dehydrated::params::dehydrated_git_tag

dehydrated_git_url

Data type: Dehydrated::GitUrl

Only used if $facts['fqdn'] == $::dehydrated::dehydrated_host. Git URL to clone dehydrated from. If you have an internal mirror/version, you can override the default GitHub URL here.

Default value: $::dehydrated::params::dehydrated_git_url

dehydrated_host

Data type: Stdlib::Fqdn

Default setting for the host you want to request the certificates on. Required on that host; on all others it is used as the default for certificates requested via ::dehydrated::certificate. You can specify a different dehydrated_host on each certificate if you want to. If $facts['fqdn'] == $::dehydrated::dehydrated_host, dehydrated will be installed and the certificate request cronjob will be set up.

Default value: $::dehydrated::params::dehydrated_host

dehydrated_requests_dir

Data type: Stdlib::Absolutepath

Only used if $facts['fqdn'] == $::dehydrated::dehydrated_host. Path where requests that need to be handled are being stored.

Default value: "${dehydrated_base_dir}/requests"

dehydrated_hooks_dir

Data type: Stdlib::Absolutepath

Only used if $facts['fqdn'] == $::dehydrated::dehydrated_host.

Default value: "${dehydrated_base_dir}/hooks"

dehydrated_requests_config

Data type: Stdlib::Absolutepath

Only used if $facts['fqdn'] == $::dehydrated::dehydrated_host.

Default value: "${dehydrated_base_dir}/requests.json"

dehydrated_wellknown_dir

Data type: Stdlib::Absolutepath

Only used if $facts['fqdn'] == $::dehydrated::dehydrated_host.

Default value: "${dehydrated_base_dir}/acme-challenges"

dehydrated_alpncert_dir

Data type: Stdlib::Absolutepath

Only used if $facts['fqdn'] == $::dehydrated::dehydrated_host.

Default value: "${dehydrated_base_dir}/alpn-certs"

dehydrated_host_packages

Data type: Array

Only used if $facts['fqdn'] == $::dehydrated::dehydrated_host.

Default value: $::dehydrated::params::dehydrated_host_packages

dehydrated_environment

Data type: Hash

Only used if $facts['fqdn'] == $::dehydrated::dehydrated_host.

Default value: $::dehydrated::params::dehydrated_environment

dehydrated_domain_validation_hook

Data type: Optional[Dehydrated::Hook]

Only used if $facts['fqdn'] == $::dehydrated::dehydrated_host.

Default value: $::dehydrated::params::dehydrated_domain_validation_hook

dehydrated_hook

Data type: Dehydrated::Hook

Name of the hook script dehydrated will use to validate the authorization request. The hook script must live in the $dehydrated_hooks_dir on $::dehydrated::dehydrated_host.

Default value: "${challengetype}.sh"

dehydrated_contact_email

Data type: Optional[Dehydrated::Email]

Contact email address for created accounts. We'll create one account for each puppet host.

Default value: $::dehydrated::params::dehydrated_contact_email

dehydrated_status_file

Data type: Stdlib::Absolutepath

File the dehydrated job runner will dump its status into. Pretty printed JSON.

Default value: "${dehydrated_base_dir}/status.json"

dehydrated_monitoring_status_file

Data type: Stdlib::Absolutepath

Status file for monitoring with check_statusfile, see README.md for details.

Default value: "${dehydrated_base_dir}/monitoring.status"

manage_user

Data type: Boolean

Create $dehydrated_user/$dehydrated_group and $user/$group if necessary.

Default value: $::dehydrated::params::manage_user

manage_packages

Data type: Boolean

Install required packages using ensure_packages? Should be safe to leave enabled in most cases.

Default value: $::dehydrated::params::manage_packages

pki_packages

Data type: Array

Required packages to create /etc/pki. Not really used yet.

Default value: $::dehydrated::params::pki_packages

packages

Data type: Array

The list of packages we actually need to install to make this module work properly. You are free to modify this list if you need to.

Default value: $::dehydrated::params::packages

certificates

Data type: Array[Variant[Dehydrated::DN, Tuple[Dehydrated::DN, Array[Dehydrated::DN]]]]

Allows requesting certificates instead of using ::dehydrated::certificate. The Puppet definition of this rather complex parameter is Array[Variant[Dehydrated::DN, Tuple[Dehydrated::DN, Array[Dehydrated::DN]]]]. So basically, you need to specify an Array whose elements are either a

  • distinguished name, or
  • tuple with [distinguished name, array of distinguished names].

The first case requests a default certificate. The tuple version will request a SAN certificate.

Default value: []
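The certificates parameter and the ::dehydrated::certificate define in use, as an added example that is not part of the module's documentation; the hostnames, the contact address, the name of the requesting host and the http-01 value used for the per-certificate challenge type are assumptions.

```puppet
# Added example, not taken from the module's documentation. Hostnames,
# the e-mail address and the requesting host are constructed values.
class { 'dehydrated':
  # the one host that runs the dehydrated script and talks to the CA;
  # every other host only generates keys/CSRs and collects signed certs,
  # so private keys never leave the host they belong to
  dehydrated_host          => 'acme.example.com',
  dehydrated_contact_email => 'pki@example.com',
  challengetype            => 'dns-01',
  algorithm                => 'rsa',
  certificates             => [
    # a plain distinguished name requests a default certificate
    'www.example.com',
    # a tuple [CN, [SAN, ...]] requests a SAN certificate
    ['example.com', ['www.example.com', 'mail.example.com']],
  ],
}

# Per-certificate overrides are only possible via the define: here an
# ECDSA key and a different challenge type (assumed to be a valid
# Dehydrated::Challengetype value) for one certificate.
dehydrated::certificate { 'imap.example.com':
  subject_alternative_names => ['smtp.example.com'],
  algorithm                 => 'secp384r1',
  challengetype             => 'http-01',
}
```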

build_pfx_files

Data type: Boolean

Create PKCS12 container with key, certificate and ca certificates. Defaults to true on windows, to false on all other OS.

Default value: $::dehydrated::params::build_pfx_files

dehydrated::params

The dehydrated::params class.

dehydrated::setup::dehydrated_host

The dehydrated::setup::dehydrated_host class.

Defined types

dehydrated::certificate

Triggers key and csr generation and installs the certificate

Examples

dehydrated::certificate { 'test.example.com': }

Parameters

The following parameters are available in the dehydrated::certificate defined type.

dn

Data type: Dehydrated::DN

Default value: $name

base_filename

Data type: String

Default value: regsubst($dn, '^*', 'wildcard')

subject_alternative_names

Data type: Array[Dehydrated::DN]

Default value: []

challengetype

Data type: Dehydrated::Challengetype

Default value: $::dehydrated::challengetype

algorithm

Data type: Dehydrated::Algorithm

Default value: $::dehydrated::algorithm

dh_param_size

Data type: Integer[768]

Default value: $::dehydrated::dh_param_size

dehydrated_host

Data type: Stdlib::Fqdn

Default value: $::dehydrated::dehydrated_host

dehydrated_environment

Data type: Hash

Default value: $::dehydrated::dehydrated_environment

dehydrated_hook

Data type: Dehydrated::Hook

Default value: $::dehydrated::dehydrated_hook

letsencrypt_ca

Data type: String

Default value: $::dehydrated::letsencrypt_ca

dehydrated_domain_validation_hook

Data type: Optional[Dehydrated::Hook]

Default value: $::dehydrated::dehydrated_domain_validation_hook

key_password

Data type: Optional[String]

Default value: undef

Resource types

dehydrated_csr

CSRs for dehydrated

Properties

The following properties are available in the dehydrated_csr type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

Parameters

The following parameters are available in the dehydrated_csr type.

path

force

Valid values: true, false

Whether to replace the certificate if the private key or CommonName/SANs mismatches

Default value: false

password

The optional password for the private key

private_key

algorithm

Valid values: prime256v1, secp384r1, rsa

The algorithm to use, supported: rsa, secp384r1, prime256v1

Default value: rsa

common_name

The common name for the csr

digest

Digest used while signing the CSR, defaults to SHA512

Default value: SHA512

subject_alternative_names

SANs to request

Default value: []

country

country part of the certificate name

locality

locality part of the certificate name

organization

organization part of the certificate name

state

state part of the certificate name

organizational_unit

organizational_unit part of the certificate name

email_address

emailAddress part of the certificate name

dehydrated_dhparam

DH params for dehydrated

Properties

The following properties are available in the dehydrated_dhparam type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

Parameters

The following parameters are available in the dehydrated_dhparam type.

path

size

The key size

Default value: 2048

dehydrated_key

Create a private key for dehydrated.

Properties

The following properties are available in the dehydrated_key type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

Parameters

The following parameters are available in the dehydrated_key type.

path

Key location, must be absolute.

algorithm

Valid values: prime256v1, secp384r1, rsa

Algorithm to use for Key generation, supported: prime256v1, secp384r1, rsa

Default value: rsa

password

The optional password for the key

size

The key size, used for RSA only.

Default value: 2048

dehydrated_pfx

pkcs12 / pfx files for dehydrated

Properties

The following properties are available in the dehydrated_pfx type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

Parameters

The following parameters are available in the dehydrated_pfx type.

path

password

The optional password for the pkcs12 container

key_password

The optional password for the private key

certificate

The path of the certificate to put into the pkcs12 container

ca

The path of the ca certificates to put into the pkcs12 container

pkcs12_name

A string describing the key / pkcs12 container

private_key

Functions

dehydrated::file

Type: Ruby 4.x API

The dehydrated::file function.

dehydrated::file(String $files, Optional[String] *$more_files)

The dehydrated::file function.

Returns: Any

files

Data type: String

*more_files

Data type: Optional[String]