

Generate and distribute a shared cert to your PuppetDB nodes.



Version information

  • 0.1.0 (latest)
  • 0.0.2
  • 0.0.1
released Feb 6th 2015

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'pizzaops-puppetdb_shared_cert', '0.1.0'

Add this module to your Bolt project:

bolt module add pizzaops-puppetdb_shared_cert

Manually install this module globally with Puppet module tool:

puppet module install pizzaops-puppetdb_shared_cert --version 0.1.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



pizzaops/puppetdb_shared_cert — version 0.1.0 Feb 6th 2015


Generates a shared certificate to be used for load-balancing PuppetDB nodes in Puppet Enterprise, as per the documented known issue.

Module Description

This module uses reidmv-puppet_certificate to generate certificates on the CA node, and then distributes them to the PuppetDB node via standard file resources, before the puppet_enterprise::puppetdb class copies them into PuppetDB's ssl directory.


puppet module install pizzaops-puppetdb_shared_cert

If you're using r10k, you'll need to include the dependencies: puppetlabs-stdlib 4.5.0 and reidmv-puppet_certificate 0.0.2.


Classify the CA master with puppetdb_shared_cert::ca. By default, it will read $::puppet_enterprise::profile::puppetdb::certname for the certname and set the alt-names to puppetdb,puppetdb.${domain}.

class { 'puppetdb_shared_cert::ca':
  certname      => 'puppetdb-shared-cert',
  dns_alt_names => ['','puppetdb'],
}

Classify your PuppetDB nodes with puppetdb_shared_cert::puppetdb and the standard puppet_enterprise::profile::puppetdb class. puppetdb_shared_cert::puppetdb will ship the certs generated by the CA class to your PuppetDB nodes. It has the same defaults as the ca class.

class { 'puppetdb_shared_cert::puppetdb':
  certname      => 'puppetdb-shared-cert',
  dns_alt_names => ['','puppetdb'],
}

You may also supply all data directly to the ::puppetdb_shared_cert class to reduce duplication. For example you might add it to the PE infrastructure console group, and then add the ca and puppetdb classes to the appropriate groups.

NB: You will need to supply the database password to the puppet_enterprise::profile::puppetdb class, via the console or hiera, when setting up multiple PuppetDBs. That is the only required configuration in my testing.
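
Because every PuppetDB node presents the same certificate, the dns_alt_names given to the ca class must cover every name clients use to reach PuppetDB, including the load-balanced one. The check below is an added example, not part of this module: it reads `openssl x509 -noout -text` output and lists required names missing from the SAN extension. The function names `missing_sans` and `sample_cert_text`, the `example.com` names and the sample certificate text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the module): list required DNS names that are
# missing from a certificate's subjectAltName (SAN) extension.
#
# Real use, on a node holding the shared cert (CERT.pem is a placeholder):
#   openssl x509 -noout -text -in CERT.pem | missing_sans puppetdb puppetdb.example.com

# missing_sans NAME...
# Reads `openssl x509 -noout -text` output on stdin and prints every NAME
# that does not appear as a DNS: entry in the SAN extension.
missing_sans() (
  # The SAN entries sit on the line that follows the extension header.
  sans=$(awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p')
  for name in "$@"; do
    # -x -F: whole-line literal match, so "puppetdb" is not satisfied by
    # "puppetdb.example.com" and dots are not treated as wildcards.
    printf '%s\n' "$sans" | grep -qxF -- "$name" || printf '%s\n' "$name"
  done
)

# Constructed sample of the relevant part of `openssl x509 -text` output.
sample_cert_text() {
  cat <<'EOF'
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:puppetdb-shared-cert, DNS:puppetdb, DNS:puppetdb.example.com
EOF
}

# Demo on the constructed sample: the load balancer name (an assumed name)
# was never added to dns_alt_names, so it is reported as missing.
# prints: puppetdb.lb.example.com
sample_cert_text | missing_sans puppetdb puppetdb.example.com puppetdb.lb.example.com
```

An empty result means every required name is covered; any name printed needs to be added to dns_alt_names before clients will validate the certificate under that name.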