Classes

- ssl: Maintain SSL certs and private keys
- ssl::params: Determine default parameters for ssl

Defined types

- ssl::cert: Deploy SSL certificates and keys in a couple of common formats
- ssl::cert::haproxy: Install key and certs combination for HAProxy
- ssl::cert::nginx: DEPRECATED
- ssl::hashfile: Create certificate hash file

Functions

- ssl::ensure_newline: Ensure there's a trailing newline
- ssl::pem::join: Join certs and keys into a single PEM. Ensure the correct newlines exist.

ssl

Maintain SSL certs and private keys.
You can store SSL certs in your control repo. Simply create a profile and put the certs in its files directory. (Note that you don't actually have to create a manifest for it.)

Suppose you wanted to use profile::ssl. Set cert_source => 'profile/ssl', and add cert files in site/profile/files/ssl/.

You can also store SSL keys. These should be encrypted, and the simplest solution for that is hiera-eyaml. Simply add keys to the keys parameter on this class in hiera. For example:

    ssl::cert_source: 'profile/ssl'
    ssl::keys:
      'puppet.com': ENC[PKCS7,MIIH...
      'forge.puppet.com': ENC[PKCS7,MIIH...

The following parameters are available in the ssl class:
Data type: String[1]
Where to find cert files with the file() function.

Data type: Hash[String[1], String[1]]
Private keys indexed by key names.
Default value: {}

Data type: Boolean
Enable or disable a file resource for the ssl directory.
Default value: true
ssl::params

Determine default parameters for ssl.

ssl::cert

Deploy SSL certificates and keys in a couple of common formats.

See the README for information about how to store certificates and keys for use by this type.

This deploys:

- ${key_dir}/${key_name}.key
- ${cert_dir}/${key_name}.crt
- ${cert_dir}/${key_name}_inter.crt: the intermediate certificate(s)
- ${cert_dir}/${key_name}_combined.crt: the primary certificate followed by the intermediate certificate(s)

Examples

    ssl::cert { 'www.example.com': }

The following parameters are available in the ssl::cert defined type:
Data type: String[1]
The name of the certificate.
Default value: $title

Data type: Optional[String[1]]
The directory that certs are stored in. If no value is provided then the value from $ssl::cert_dir is used.
Default value: undef

Data type: Optional[String[1]]
The directory that certificate keys are stored in. If no value is provided then the value from $ssl::key_dir is used.
Default value: undef

Data type: String[1]
The user to set as the owner of the generated files.
Default value: 'root'

Data type: String[1]
The group to set as the owner of the generated files.
Default value: '0'

Data type: String[1]
The file mode to be set on each generated file.
Default value: '0640'
ssl::cert::haproxy

Install key and certs combination for HAProxy.

See the README for information about how to store certificates and keys for use by this type.

This deploys /etc/haproxy/certs.d/${key_name}.crt, which contains:

- The primary certificate
- The private key
- The intermediate certificate(s)

Examples

    ssl::cert::haproxy { 'www.example.com': }

    ssl::cert::haproxy { 'www.example.com':
      path => '/opt/custom_haproxy_build/etc/haproxy/certs',
    }

The following parameters are available in the ssl::cert::haproxy defined type:
Data type: String[1]
The name of the certificate.
Default value: $title

Data type: Stdlib::Unixpath
The full path of the certificate, including the certificate's name.
Default value: "/etc/haproxy/certs.d/${key_name}.crt"

Data type: String[1]
The user that owns the certificate.
Default value: 'root'

Data type: String[1]
The group that owns the certificate.
Default value: '0'

Data type: String[1]
The file mode of the certificate file.
Default value: '0400'
ssl::cert::nginx

DEPRECATED. This is only here to simplify some of our legacy code. We recommend using ssl::cert and configuring NGINX to use the _combined.crt file instead of using this resource.

The following parameters are available in the ssl::cert::nginx defined type:
Data type: String[1]
The name of the certificate.
Default value: $title

Data type: Optional[String[1]]
The directory that certs are stored in. If no value is provided then the value from $ssl::cert_dir is used.
Default value: undef

Data type: Optional[String[1]]
The directory that certificate keys are stored in. If no value is provided then the value from $ssl::key_dir is used.
Default value: undef

Data type: String[1]
The user to set as the owner of the generated files.
Default value: 'root'

Data type: String[1]
The group to set as the owner of the generated files.
Default value: '0'

Data type: String[1]
The file mode to be set on each generated file.
Default value: '0640'
ssl::hashfile

Create certificate hash file.

Examples

    [ $certfile, $certchainfile, $certinterfile, ].each |$hashfile| {
      ssl::hashfile { $hashfile: certdir => $ssl::cert_dir }
    }

The following parameters are available in the ssl::hashfile defined type:

Data type: Stdlib::Unixpath
The directory ssl certs are stored in.
ssl::ensure_newline

Type: Puppet Language

Ensure there's a trailing newline.

Examples

    file { '/tmp/www.example.com.crt':
      ensure  => file,
      content => ssl::ensure_newline($ssl::keys['www.example.com']),
    }

Returns: String. Returns a string that ends with a newline (\n).

Parameters

Data type: String[0]
A string to ensure ends with a newline (aka '\n').
ssl::pem::join

Type: Puppet Language

Join certs and keys into a single PEM. Ensure the correct newlines exist.

Examples

    file { '/tmp/www.example.com_combined.crt':
      ensure  => file,
      content => ssl::pem::join([
        file("${ssl::cert_source}/${key_name}.crt"),
        file("${ssl::cert_source}/${key_name}_inter.crt"),
      ]),
    }

Returns: String. Returns a string representing the combined certificates.

Parameters

Data type: Array[String[0]]
An array of strings representing PEM files that need to be concatenated together.
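The following is an added example, a Python model of the behaviour that ssl::ensure_newline and ssl::pem::join provide, not the module's own Puppet functions. It shows why the newline handling matters for the _combined.crt and HAProxy layouts above: a PEM file whose last line lacks a newline, concatenated directly with the next file, fuses the END and BEGIN markers onto one line, and a line-oriented PEM reader then finds no certificate at all. The PEM bodies are constructed placeholders, and the strict scanner and the "add a newline only if missing" rule are this example's assumptions.

```python
import re

# Strict line-oriented PEM scanner (assumption of this example): BEGIN and END
# markers must each occupy a whole line, which a fused
# "-----END ...----------BEGIN ...-----" line violates.
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z ]+)-----$\n(?:[A-Za-z0-9+/=]+\n)+^-----END \1-----$",
    re.M,
)


def ensure_newline(text: str) -> str:
    """Return text terminated by a newline, adding one only if it is missing."""
    return text if text.endswith("\n") else text + "\n"


def pem_join(parts: list[str]) -> str:
    """Concatenate PEM strings in the given order, newline-terminating each so
    the next BEGIN marker always starts on a fresh line."""
    return "".join(ensure_newline(p) for p in parts)


def pem_labels(pem: str) -> list[str]:
    """Labels (CERTIFICATE, PRIVATE KEY, ...) of every well-formed block, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem)]


# Constructed sample material: the bodies are placeholder base64, not real keys or certs.
LEAF = "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----"  # no trailing newline
INTER = "-----BEGIN CERTIFICATE-----\nSU5URVI=\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----"


def naive_combined() -> list[str]:
    """What plain string concatenation yields when LEAF lacks its newline."""
    return pem_labels(LEAF + INTER)


def joined_combined() -> list[str]:
    """The _combined.crt layout: primary certificate followed by the intermediate(s)."""
    return pem_labels(pem_join([LEAF, INTER]))


def joined_haproxy() -> list[str]:
    """The HAProxy layout: primary certificate, private key, then intermediate(s)."""
    return pem_labels(pem_join([LEAF, KEY, INTER]))


if __name__ == "__main__":
    print("naive:  ", naive_combined())   # []  (END/BEGIN fused on one line)
    print("joined: ", joined_combined())  # ['CERTIFICATE', 'CERTIFICATE']
    print("haproxy:", joined_haproxy())   # ['CERTIFICATE', 'PRIVATE KEY', 'CERTIFICATE']
```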