Puppet Class: isp3node::base::ssl
- Defined in:
- manifests/base/ssl.pp
Summary
Manage the servers local main ssl certificateOverview
Place the certificate from hiera to a known location or obtain from Lets Encrypt and create symlinks. Further replace SSL key and cert of ISPConfig as soon as it is installed. For Lets Encrypt, a list of renewal jobs can be registered to execute e.g. service reloads after certificate renewals.
26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 |
# File 'manifests/base/ssl.pp', line 26
class isp3node::base::ssl(
Integer $dhparamsize = 2048,
Optional[Boolean] $letsencrypt = true,
# TODO Need a better way to restart services after cert renewal ... Maybe a restart script and every service adds itself with concat?
Optional[Array[String]] $le_deploycommands = ['systemctl restart postfix'],
Optional[String] $email = lookup('isp3node::email', undef, undef, undef),
Optional[String] $cert = undef,
Optional[String] $ca = undef,
Optional[String] $key = undef,
) {
# TODO add option to switch to webroot for servers running nginx
File{
owner => root,
group => root,
mode => '0444',
}
file{'/etc/ssl/local':
ensure => directory,
}
exec{'ssl-dhparam':
command => "openssl dhparam -out /etc/ssl/local/dhparam.pem ${dhparamsize}",
require => [File['/etc/ssl/local']],
creates => '/etc/ssl/local/dhparam.pem',
path => $facts['path'],
timeout => 1800,
}
if($letsencrypt) {
# Deploy hook to generate pem containing the key
$deployhooks = [
"cat /etc/letsencrypt/live/${facts['fqdn']}/privkey.pem > /etc/ssl/local/${facts['fqdn']}.keybundle.pem",
"cat /etc/letsencrypt/live/${facts['fqdn']}/fullchain.pem >> /etc/ssl/local/${facts['fqdn']}.keybundle.pem",
"chmod 600 /etc/ssl/local/${facts['fqdn']}.keybundle.pem",
]
class { 'letsencrypt':
email => $email,
package_ensure => 'latest',
renew_cron_ensure => present,
}
unless($facts['isp3node']['nginx']['installed'] and
('80/tcp' in $facts['isp3node']['ports'] or '80/tcp6' in $facts['isp3node']['ports'])
){
letsencrypt::certonly { $facts['fqdn']:
domains => [$facts['fqdn']],
deploy_hook_commands => $deployhooks + $le_deploycommands,
}
} else {
letsencrypt::certonly { $facts['fqdn']:
domains => [$facts['fqdn']],
deploy_hook_commands => $deployhooks + $le_deploycommands,
plugin => 'webroot',
webroot_paths => ['/var/www/default']
}
}
file{"/etc/ssl/local/${facts['fqdn']}.crt":
ensure => link,
target => "/etc/letsencrypt/live/${facts['fqdn']}/cert.pem",
}
file{"/etc/ssl/local/${facts['fqdn']}.bundle.crt":
ensure => link,
target => "/etc/letsencrypt/live/${facts['fqdn']}/fullchain.pem",
}
file{'/etc/ssl/local/ca.crt':
ensure => link,
target => "/etc/letsencrypt/live/${facts['fqdn']}/chain.pem",
}
file{"/etc/ssl/local/${facts['fqdn']}.key":
ensure => link,
target => "/etc/letsencrypt/live/${facts['fqdn']}/privkey.pem",
mode => '0400',
}
}
else {
file{"/etc/ssl/local/${facts['fqdn']}.crt":
ensure => file,
content => $cert,
}
file{"/etc/ssl/local/${facts['fqdn']}.bundle.crt":
ensure => link,
content => "${cert}\n${ca}"
}
file{'/etc/ssl/local/ca.crt':
ensure => file,
content => $ca,
}
file{"/etc/ssl/local/${facts['fqdn']}.key":
ensure => file,
content => $key,
mode => '0400',
}
}
# If ISP is installed and this is the master, place certificate for ispconfig panel
if($facts['isp3node']['ispconfig']['installed'] and $facts['fqdn'] == lookup('isp3node::master')){
file{'ispconfig-interface-ssl-cert':
ensure => link,
path => '/usr/local/ispconfig/interface/ssl/ispserver.crt',
target => "/etc/ssl/local/${facts['fqdn']}.bundle.crt",
backup => '.puppet-bak',
replace => true,
mode => '0440',
owner => 'root',
group => 'root',
require => File["/etc/ssl/local/${facts['fqdn']}.bundle.crt"],
notify => Service['nginx'],
}
file{'ispconfig-interface-ssl-key':
ensure => link,
path => '/usr/local/ispconfig/interface/ssl/ispserver.key',
target => "/etc/ssl/local/${facts['fqdn']}.key",
backup => '.puppet-bak',
replace => true,
mode => '0440',
owner => 'root',
group => 'root',
require => File["/etc/ssl/local/${facts['fqdn']}.key"],
notify => Service['nginx'],
}
}
}
|