Forge Home

ssl

Manage SSL certificates and keys

6,209 downloads

568 latest version

5.0 quality score

Version information

  • 2.0.0 (latest)
  • 1.0.0
released Sep 17th 2021
This version is compatible with:
  • Puppet Enterprise 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x
  • Puppet >= 6.1.0 < 8.0.0
  • , , , , , , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'ploperations-ssl', '2.0.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add ploperations-ssl
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install ploperations-ssl --version 2.0.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

ploperations/ssl — version 2.0.0 Sep 17th 2021

ssl

Build Status

The primary purpose of this module is to install certificates and keys in a few common formats.

Storing certificates and keys

This requires that certificates and keys are stored separately. Keys should be stored in Hiera, while files must be stored in the files/ directory of one of your profiles.

The primary certificate must be named "name.crt", and the intermediate certificate must be name "name_inter.crt". For example, if you store your files in profile::ssl:

site/profile/files/ssl/puppet.com.crt
site/profile/files/ssl/puppet.com_inter.crt
site/profile/files/ssl/forge.puppet.com.crt
site/profile/files/ssl/forge.puppet.com_inter.crt

Set the profile to use in Hiera, or by setting the cert_source parameter directly on the ssl class. The value should be in the same format as the file() function expects, e.g. 'profile/ssl'.

The private keys for your certificates go into Hiera as entries in the ssl::keys hash. We recommend encrypting them with [Hiera eyaml][https://github.com/voxpupuli/hiera-eyaml]. To continue with the example from above:

ssl::cert_source: 'profile/ssl'
ssl::keys:
  'puppet.com': ENC[PKCS7,MIIH...
  'forge.puppet.com': ENC[PKCS7,MIIH...

Deploying certificates and keys

ssl::cert

This is the most generic resource. It stores keys in the default global certificate and key directories for your OS.

On Debian, the puppet.com cert would be deployed as follows:

/etc/ssl/certs/puppet.com.crt
/etc/ssl/certs/puppet.com_inter.crt
/etc/ssl/certs/puppet.com_combined.crt
/etc/ssl/private/puppet.com.key

The _combined.crt file is a concatenation of the primary certificate followed by the intermediate certificate. This is the format used by NGINX and a variety of other applications.

ssl::cert::haproxy

This combines certificates with their key in the format expected by HAProxy. By default, it puts them in /etc/haproxy/certs.d/${key_name}.crt.

Additional usage info

This module is documented via pdk bundle exec puppet strings generate --format markdown. Please see REFERENCE.md for more info.

Changelog

CHANGELOG.md is generated prior to each release via pdk bundle exec rake changelog. This process relies on labels that are applied to each pull request.

Development

Pull requests are welcome!