yamlssl-certificatepuppetlets-encrypt

letsencrypt certonly does not seem to run in yaml


I am looking for some advice / help with an issue I am facing in yaml. But it is also puppet related.

I am using a control-repo for my puppet configuration. I am hosting a site of one of my puppet agent VM's. I can get letsencrypt::certonly to work in puppet i.e my letsencrypt.pp file. But, I would like the certonly configuration to be in my .yaml file for my agent VM. The issue is when I run puppet agent on my agent VM the code all runs without any errors. But my SSL certificate is not populated. This should appear in /etc/letsencrypt/live/. I also check if it exists by using a SSL checker online to see if it had been generated else where It had not. So, from what I can tell this code is not running. Like I said if I have this in my letsencrypt.pp file the SSL cert is generated and all works well.

So, I think I don't have the right code for letsencrypt::certonly for yaml. Any help to correct this for yaml would be really appreciated. My nodes yaml file looks like the following apart from a few redaction's.

---
classes:
   - roles::www

# UFW Rules
ufw::rules:
  'Allow HTTP':
    action: allow
    to_ports_app: 80
    proto: tcp
  'Allow HTTPS':
    action: allow
    to_ports_app: 443
    proto: tcp



# nginx rules
nginx::nginx_servers:
  'www.test.domain.com': 
    server_name: ['test.domain.com']
    ipv6_enable: true
    ssl: true
    http2: 'on'
    ipv6_listen_options: ''
    ssl_redirect: true
    ssl_cert: '/etc/letsencrypt/live/test.domain.com/cert.pem' 
    ssl_key: '/etc/letsencrypt/live/test.domain.com/privkey.pem' 
    www_root: '/www-data/www.test.domain.com/' 
    server_cfg_ssl_append:
    ssl_dhparam: '/usr/lib/python3/dist-packages/certbot/ssl-dhparams.pem'

# letsencryot certonly
letsencrypt::certonly:
    'test.domain.com':
      cert_name: 'test.domain.com'
      domains:
        - 'test.domain.com'
        - '*.test.domain.com'
      plugin: dns-cloudflare
      manage_cron: false
      require:
        classes:
          - profiles::nginx
    
# letsencrypt
letsencrypt::email: 'email@email.com'
letsencrypt::plugin::dns_cloudflare::email: 'email@email.com'

It is only the letsencrypt::certonly section of this file that does not seem to be correct / working.

I am using the puppet-letsencrypt module from the Puppet Forge, version 10.0.0, like so:

class profiles::letsencrypt {

  package { 'cron':
    ensure => installed,
  }

  class { 'letsencrypt':
    config  => {
      email  => 'email@email.com',
      server => 'https://acme-v02.api.letsencrypt.org/directory',
    },
    require => Package['cron'],
  }

  file { '/etc/letsencrypt/options-ssl-nginx.conf':
    ensure => file,
  }

  file { '/etc/letsencrypt/ssl-dhparams.pem':
    ensure => file,
  }
  include 'letsencrypt'
  include 'letsencrypt::plugin::dns_cloudflare'
}

Solution

  • You seem to have an incorrect expectation. In the module you are using, letsencrypt::certonly is a resource type. Class parameters are loaded automatically from external data, but resources and classes themselves need to be declared in your manifest set to be included in your nodes' catalogs. You cannot (directly) declare resources via your external data.

    But there are many ways that you can use external data to specify which resources your classes should declare, with which properties. One of them would go like this:

    For example:

    class profiles::letsencrypt (
        Hash[String, Hash] $certonlies = {},
    ) {
        # ...
        $certonlies.each() |$t, $params| {
            # declare the resource:
            letsencrypt::certonly { $t:
                * => $params;
            }
        }
    }
    

    The corresponding data might look like this:

    # ...
    profiles::letsencrypt::certonlies:
        'test.domain.com':
          cert_name: 'test.domain.com'
          domains:
            - 'test.domain.com'
            - '*.test.domain.com'
          manage_cron: false
          plugin: 'dns-cloudflare'
          require: 'Class[profiles::nginx]'
    

    Additional notes: