Puppet Class: lsys::webserver::ssl

Defined in:
manifests/webserver/ssl.pp

Summary

TLS assets setup for WebServer

Overview

TLS assets setup for WebServer

Examples:

include lsys::webserver::ssl

Parameters:

  • server_name (Stdlib::Fqdn)

    WebServer server name

  • cert_identity (Optional[String]) (defaults to: undef)

    Certificate name used to look up certificate data in Puppet Hiera. The Hiera lookup keys are `<cert_identity>_private` and `<cert_identity>_certificate`, where `<cert_identity>` is the value normalized according to the following rules:

    `*` -> `wildcard`, `.` -> `_`, `-` -> `_`, `'` -> `_` and ` ` (space) -> `_`

    cert_identity must match either the certificate's Common Name or one of its Subject Alternative Name DNS entries

  • ssl_cert (Optional[String]) (defaults to: undef)

    Content of x509 certificate to use for TLS setup

  • ssl_key (Optional[String]) (defaults to: undef)

    Content of RSA private key to use for TLS setup

  • manage_cert_data (Boolean) (defaults to: true)

    Whether the provided certificate and key should be installed on the server



# File 'manifests/webserver/ssl.pp', line 31

# @summary TLS assets setup for WebServer
#
# Resolves which certificate/key pair the web server should use and, when
# requested, registers it through tlsinfo::certpair. Certificate and key
# content passed directly as parameters win over a Hiera lookup keyed by
# cert_identity (or, failing that, by server_name).
#
# @param server_name
#   WebServer server name; also the fallback lookup key.
# @param manage_cert_data
#   Whether the resolved certificate/key pair is installed via tlsinfo::certpair.
# @param cert_identity
#   Name used to look up certificate data in Hiera when no inline cert/key is given.
# @param ssl_cert
#   Content of the x509 certificate to use for TLS setup.
# @param ssl_key
#   Content of the RSA private key to use for TLS setup.
#   NOTE(review): typed as a plain String, so the key travels unredacted in the
#   compiled catalog; consider Sensitive[String] if tlsinfo::certpair accepts it.
class lsys::webserver::ssl (
  Stdlib::Fqdn $server_name,
  Boolean $manage_cert_data = true,
  Optional[String] $cert_identity = undef,
  Optional[String] $ssl_cert = undef,
  Optional[String] $ssl_key = undef,
) {
  include tlsinfo

  # An inline cert+key pair is only honoured when BOTH are given; a single
  # one of the two silently falls through to the Hiera lookup path.
  $use_inline_pair = ($ssl_cert and $ssl_key)

  if $use_inline_pair {
    $cert_lookupkey = $server_name
    $certdata       = $ssl_cert
    # Inline data is registered with relaxed chain checking so that a
    # self-signed CA is accepted (strict => false disables that validation).
    $certpair_opts  = {
      cert   => $ssl_cert,
      pkey   => $ssl_key,
      strict => false,
    }
  }
  else {
    # Hiera is the certificate/private key store on this path; cert_identity
    # selects the entry, server_name is the fallback key.
    $cert_lookupkey = $cert_identity ? {
      undef   => $server_name,
      default => $cert_identity,
    }
    $certdata       = tlsinfo::lookup($cert_lookupkey)
    $certpair_opts  = {}
  }

  if $manage_cert_data {
    tlsinfo::certpair { $cert_lookupkey:
      identity => true,
      *        => $certpair_opts,
    }
  }

  # Certificate and key live at tlsinfo's default locations; derive the
  # paths from the resolved certificate data.
  $ssl_cert_path = tlsinfo::certpath($certdata)
  $ssl_key_path  = tlsinfo::keypath($certdata)
}