changeset 133:9337c9ce648a puppet-3.6
Switch to using LetsEncrypt certs by default
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Fri, 11 Nov 2016 17:15:23 +0000 |
parents | 9af4b04c2667 |
children | b1815d10eb91 |
files | modules/website/manifests/https.pp modules/website/manifests/https/redir.pp modules/website/manifests/init.pp |
diffstat | 3 files changed, 21 insertions(+), 49 deletions(-) [+] |
--- a/modules/website/manifests/https.pp Fri Nov 04 20:55:22 2016 +0000
+++ b/modules/website/manifests/https.pp Fri Nov 11 17:15:23 2016 +0000
@@ -5,7 +5,7 @@
   $ip = $website::primary_ip,
   $ssl_cert = undef,
   $ssl_key = undef,
-  $ssl_ca_chain = $website::ca_chain,
+  $ssl_ca_chain = undef,
   $priority = undef,
   $docroot_owner = undef,
   $docroot_group = undef,
@@ -70,31 +70,17 @@
   }
   if $ssl_cert == undef {
-    $sslcert = "${website::certdir}/${shortdomain}.crt"
-    $sslkey = "${website::certdir}/${shortdomain}.key"
-    File {
-      mode => '0400',
-      owner => 'root',
-      group => 'root',
-    }
-    file { $sslcert:
-      source => "puppet:///private/pki/custom/${shortdomain}.crt",
-      before => Apache::Vhost[$name],
-      notify => Service['httpd'],
-      ensure => present;
-    }
-    file { $sslkey:
-      source => "puppet:///private/pki/custom/${shortdomain}.key",
-      before => Apache::Vhost[$name],
-      notify => Service['httpd'],
-      ensure => present;
-    }
+    $sslcert = "/etc/letsencrypt/live/${::fqdn}/cert.pem"
+    $sslkey = "/etc/letsencrypt/live/${::fqdn}/privkey.pem"
   } else {
     $sslcert = $ssl_cert
-    $sslkey = $ssl_key
+    $sslkey = $ssl_key
   }
-  if $ssl_ca_chain == '' {
+  if $ssl_ca_chain == undef {
+    $ssl_chain = $website::ca_chain
+  }
+  elsif $ssl_ca_chain == '' {
     # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert
     $ssl_chain = undef
   } else {
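Review bot: The new `if $ssl_ca_chain == undef` / `elsif $ssl_ca_chain == ''` ordering in the second hunk cannot tell the two cases apart if this branch is still evaluated by the Puppet 3 parser, as the `puppet-3.6` branch name suggests, because that parser compares `''` and `undef` as equal; a caller passing `''` to suppress the chain would take the first branch and be handed the Let's Encrypt `chain.pem` instead of no chain at all. One way to keep the "directly under the CA" special case reachable is a sentinel default that cannot collide with a real value, e.g. `$ssl_ca_chain = 'default',` in the first hunk and `if $ssl_ca_chain == 'default' {` here, leaving the `''` test untouched. Separately, the default certificate is now keyed on the host's `$::fqdn` rather than the vhost's `$shortdomain` as before, so every vhost that omits `$ssl_cert` presents the same certificate; that only verifies cleanly if the lineage issued for the host carries every served name as a SAN, which nothing in this manifest checks, so a comment such as `# Default cert is the host's Let's Encrypt lineage; it must carry this vhost's names as SANs` above the two assignments would at least make the assumption visible. The define's header and the rest of its body lie outside this hunk.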
--- a/modules/website/manifests/https/redir.pp Fri Nov 04 20:55:22 2016 +0000
+++ b/modules/website/manifests/https/redir.pp Fri Nov 11 17:15:23 2016 +0000
@@ -6,7 +6,7 @@
   $redir,
   $ssl_cert = undef,
   $ssl_key = undef,
-  $ssl_ca_chain = $website::ca_chain,
+  $ssl_ca_chain = undef,
   $docroot_owner = undef,
   $docroot_group = undef,
   $serveraliases = [],
@@ -35,35 +35,17 @@
   }
   if $ssl_cert == undef {
-    $sslcert = "${website::certdir}/${shortdomain}.crt"
-    $sslkey = "${website::certdir}/${shortdomain}.key"
-    File {
-      mode => '0400',
-      owner => 'root',
-      group => 'root',
-    }
-    if ! defined(File[$sslcert]) {
-      file { $sslcert:
-        source => "puppet:///private/pki/custom/${shortdomain}.crt",
-        before => Apache::Vhost[$name],
-        notify => Service['httpd'],
-        ensure => present;
-      }
-    }
-    if ! defined(File[$sslkey]) {
-      file { $sslkey:
-        source => "puppet:///private/pki/custom/${shortdomain}.key",
-        before => Apache::Vhost[$name],
-        notify => Service['httpd'],
-        ensure => present;
-      }
-    }
+    $sslcert = "/etc/letsencrypt/live/${::fqdn}/cert.pem"
+    $sslkey = "/etc/letsencrypt/live/${::fqdn}/privkey.pem"
   } else {
     $sslcert = $ssl_cert
     $sslkey = $ssl_key
   }
-  if $ssl_ca_chain == '' {
+  if $ssl_ca_chain == undef {
+    $ssl_chain = $website::ca_chain
+  }
+  elsif $ssl_ca_chain == '' {
     # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert
     $ssl_chain = undef
   } else {
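Review bot: The second hunk drops the `file` resources that carried `before => Apache::Vhost[$name]` and `notify => Service['httpd']`, and replaces them with bare path strings, so nothing in the catalog now guarantees that `/etc/letsencrypt/live/${::fqdn}/cert.pem` and `privkey.pem` exist before the vhost is written; on a host where certbot has not yet issued that lineage, httpd will refuse to start rather than Puppet reporting a missing dependency. Since the manifest cannot create the lineage itself, the least that should be done is to state the precondition, e.g. `# Assumes certbot has already issued a lineage for $::fqdn; httpd will not start if these files are missing` above the two assignments, and to keep the `$::fqdn`-versus-`$shortdomain` change in mind, since every redirect vhost that omits `$ssl_cert` now serves the host certificate whatever name it redirects. Note also that if this branch is evaluated with the Puppet 3 parser, `'' == undef` is true, so the new `== undef` test swallows the `''` special case that follows it. The define's header and the rest of its body lie outside this hunk.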
--- a/modules/website/manifests/init.pp Fri Nov 04 20:55:22 2016 +0000
+++ b/modules/website/manifests/init.pp Fri Nov 11 17:15:23 2016 +0000
@@ -1,7 +1,6 @@
 class website(
   $base_dir,
   $cert_dir = '/etc/pki/custom',
-  $ssl_chain = 'ca-chain.pem',
   $primary_ip,
   $secondary_ip,
   $default_owner,
@@ -20,7 +19,7 @@
   $certdir = $cert_dir
   $docroot_owner = $default_owner
   $docroot_group = $default_group
-  $ca_chain = $ssl_chain
+  $ca_chain = "/etc/letsencrypt/live/${::fqdn}/chain.pem"
   $tld = $default_tld
   $extra_tlds = $default_extra_tlds
   $htmlphpfragment = "Include conf.extra/html-php.conf"
@@ -111,5 +110,10 @@
       require => Package['policycoreutils-python'],
       unless => 'semanage fcontext --list | grep "/srv/sites\\(/\\.\\*\\)\\?"',
     }
+    cron { 'letsencrypt-renewal':
+      command => '/usr/bin/certbot renew --quiet',
+      hour => '*/12',
+      minute => '21',
+    }
   }
 }
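Review bot: The `letsencrypt-renewal` cron in the last hunk runs `certbot renew --quiet` with no hook, so after a renewal the new certificate lands on disk but Apache keeps serving the old one from memory until something else restarts it, which is exactly the window in which the old cert expires; the removed lines elsewhere in this changeset show the service is managed as `Service['httpd']`, so the renewal should reload it, e.g. `command => '/usr/bin/certbot renew --quiet --renew-hook "/sbin/service httpd reload"',` (the option is `--renew-hook` on certbot releases of this era and `--deploy-hook` on later ones; confirm against the installed version). Additionally, the second hunk makes `$ca_chain` the Let's Encrypt `chain.pem` for `$::fqdn`, and that value is the fallback chain for every vhost, including ones that supply their own `$ssl_cert`/`$ssl_key` from a different CA; those callers must now pass `$ssl_ca_chain` explicitly or Apache will send an intermediate that does not match their leaf, which is worth a comment such as `# Default chain is the host's Let's Encrypt lineage; vhosts using another CA must pass ssl_ca_chain` on that line. The class body and the block enclosing the exec continue outside these hunks.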