1. Overview
2. Setup - The basics of getting started with certs
   • Setup requirements
   • Beginning with certs
3. Usage - Configuration options and additional functionality

Provides SSL certificate files required by apache and other webservers via the certs::vhost define. These files can then be provided to apache::vhost and other classes that require the files to already exist on a managed node.

The certificate files must come from an external store. Recommended stores are a site-specific (and private!) module containing SSL files or a network- accessible filesystem, such as NFS, that the managed node can access.

Once a file store is determined, include at least one certs::vhost define and specify the file store location as the source_path. You may optionally specify a target_path if the default location of /etc/ssl/certs is not desired.

No trailing slash should be provided to source_path.

certs::vhost { 'www.example.com':
  source_path => 'puppet:///modules/site_certificates',
}

Creates /etc/ssl/certs/www.example.com.crt and /etc/ssl/certs/www.example.com.key based off of puppet:///site_certificates/www.example.com.crt and puppet:///site_certificates/www.example.com.key.

certs::vhost { 'www.example.com':
  target_path => '/etc/httpd/ssl.d',
  source_path => 'puppet:///modules/site_certificates',
}

Creates the same crt and key files in /etc/httpd/ssl.d.

Certs::Vhost<| |> -> Apache::Vhost<| |>

If you wish for your certificate and key to go to different paths, you can specify them accordingly. If one or bothof these values are not passed, target_path will be used.

certs::vhost { 'www.example.com':
  crt_target_path => '/etc/pki/certs',
  key_target_path => '/etc/pki/private',
  source_path => 'puppet:///modules/site_certificates',
}

When providing the certificate files to the apache::vhost or similar classes it is best to ensure they are properly dependent upon the certs::vhost.

To use the vault options, you must have a module that is API compatible with puppet-vault_lookup installed. If you are not using vault, this dependency is optional. Some types of certificates may have been encoded with base64 for compatibility with Vault, you can specify base64_vault_crt to decode this certificate type.

certs::vhost { 'www.example.com':
  target_path      => '/etc/httpd/ssl.d',
  source_path      => '/v1/kv/puppet/ssl',
  vault            => true,
  base64_vault_crt => true,
}

You can optionally specify file options such as owner and mode by using the file_options variable.

certs::vhost { 'www.example.com':
  target_path  => '/etc/httpd/ssl.d',
  source_path  => 'puppet:///modules/site_certificates',
  file_options => { owner => 'root',
                    group => 'root',
                    mode  => '0644',}
}