Tags: ssl, puppet, puppetlabs-apache

Automatically find the right intermediate CA certificate


We are using Puppet to configure multiple clusters running Apache HTTPD using the Apache module from Puppetlabs.

All certificates are stored in a git repository Puppet has already access to (e.g. puppet://files-host/path/to/certs/${fqdn}.crt).

Right now we have to explicitly specify the intermediate CA certificate (ssl_chain variable in the apache class) for each used certificate.

Is it possible to let Puppet automatically find out the correct intermediate CA certificate? In a "real" scripting language I would iterate over all *.pem files and compare the subject with the issuer of the certificate. But how could that work in Puppet?

We do not want to embed the intermediate CA certificate into all certificates.


Solution

  • I've got a solution for my problem. It's not the optimal way, but it seems to be the only one in the case of a Puppet-managed infrastructure.

    All intermediate CA certificates are located in a single directory in the git repository and Puppet will put the whole content of the folder to the managed hosts (set the "recursive" and "purge" attributes of the file resource to true).

    Each certificate and key file is also deployed using file resources. The file resource for the certificate file will notify an exec resource executing a shell script which symlinks the right CA certificate to a static file path (i.e. /etc/ssl/private/my-domain.pem -> /etc/ssl/ca/some-ca.pem). So there are three files for each FQDN (fqdn.crt, fqdn.key and fqdn.pem).
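The issuer-to-subject matching the answer describes, written out as an added shell script (example code, not the original post's script). It goes one step beyond comparing DNs: two CA files can carry the same subject name (cross-signed or simply mislabelled intermediates), so a name match is only treated as the candidate and the symlink is created only when `openssl verify` confirms the CA actually signed the certificate. The script name `link-chain.sh`, the function names, the `/etc/ssl/ca` directory and the fixed `.pem` link path are assumptions; `-partial_chain` needs OpenSSL 1.0.2 or newer.

```shell
#!/bin/sh
# Added example (not from the original post): locate the intermediate CA that
# issued a host certificate by comparing the certificate's issuer DN with the
# subject DN of every *.pem in the CA directory, confirm the match by checking
# the signature, then symlink it to a fixed path for the Apache ssl_chain.
# Paths, function names and the CA directory layout are assumptions.
set -u

# Print the CA file in directory $2 whose subject equals the issuer of $1 and
# whose key actually verifies $1. Returns 1 if no such file exists.
find_issuer_ca() {
    cert="$1"
    ca_dir="$2"
    # RFC 2253 formatting gives a canonical, directly comparable DN string
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    for ca in "$ca_dir"/*.pem; do
        [ -f "$ca" ] || continue
        subject=$(openssl x509 -in "$ca" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        [ "$subject" = "$issuer" ] || continue
        # A DN match alone is not proof of issuance (different CAs can share a
        # name); require that this CA's key verifies the certificate signature.
        # -partial_chain lets a non-root intermediate act as the trust anchor.
        if openssl verify -partial_chain -CAfile "$ca" "$cert" >/dev/null 2>&1; then
            printf '%s\n' "$ca"
            return 0
        fi
    done
    return 1
}

# Point the static chain path $3 at the issuing CA of $1 found in $2.
# Exits non-zero when nothing matches so the Puppet exec reports a failure
# instead of silently leaving a stale or wrong chain in place.
link_issuer_ca() {
    cert="$1"
    ca_dir="$2"
    link="$3"
    ca=$(find_issuer_ca "$cert" "$ca_dir") || {
        echo "no issuing CA for $cert found in $ca_dir" >&2
        return 1
    }
    ln -sfn "$ca" "$link"
}

# Invocation from a Puppet exec (refreshonly => true, notified by the
# certificate's file resource), assumed to be deployed as link-chain.sh:
#   link-chain.sh /etc/ssl/private/host.crt /etc/ssl/ca /etc/ssl/private/host.pem
if [ "${1:-}" != "" ] && [ "${3:-}" != "" ]; then
    link_issuer_ca "$1" "$2" "$3"
fi
```

Because the link is created with `ln -sfn`, re-running the exec after a certificate renewal simply repoints the link; if the renewed certificate came from a different intermediate that is not yet in the CA directory, the exec fails and the Puppet run surfaces it rather than serving an incomplete chain.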