Installing your centrally managed Let’s Encrypt certificates with a Puppet module

As a follow-up to Centrally managing your Let’s Encrypt certificates using the dns-01 challenge, this article shows Puppet users how to distribute those certificates easily to their servers.

I’ve written a small Puppet module which installs your certificates in /etc/letsencrypt/live/<your.host.name>, which is where the official client places them as well. This way you can use it as a drop-in replacement without having to change your daemon configuration files. The directories in which the official client keeps previous certificate versions are not maintained by this module, but I don’t think anyone will miss them.

Do note that simply using this module will not generate the certificates automatically; it will only deploy already made certificates stored on the Puppet server. Certificate requests should still be done by the procedure discussed in the previous post. The rest of this article assumes that setup is already in place.

Note: This blog post has been updated since its first incarnation to account for the name change from letsencrypt.sh to dehydrated, following a possible trademark violation by using the Let’s Encrypt name.

Installation

Check out the module on GitHub and place it in /etc/puppet/modules/letsencrypt.

Configure the dns-01 hook script to place the certificates in /etc/puppet/modules/letsencrypt/files and set permissions so Puppet can read them. In short, add the following to /root/dehydrated/config:

DESTINATION="/etc/puppet/modules/letsencrypt/files"
CERT_OWNER=puppet
CERT_GROUP=puppet
CERT_MODE=0600
CERTDIR_OWNER=puppet
CERTDIR_GROUP=puppet
CERTDIR_MODE=0700

Example

  class { 'letsencrypt': }

  letsencrypt::certificate {
    'your.host.name':
      ensure => present,
      notify => Service['apache2'];
  }

This snippet will deploy a certificate/key/chain combination for your.host.name in /etc/letsencrypt/live/your.host.name/ on the target machine. Some other parameters are also accepted, which change the owner, group and access mode for the certificate files and their parent directory (defaults are root:root, 0644 and 0755 respectively).

The optional notify parameter allows you to make Puppet reload one or multiple services after updating the certificate file. This way your renewed certificate will automatically be loaded into your server software.

You can add as many certificates to one Puppet node as you want; obviously the name has to be unique for each.
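To illustrate what such a defined type has to do, here is an added, hypothetical implementation of letsencrypt::certificate; it is not the module’s actual source. It assumes Puppet 4 syntax, that the dns-01 hook stored each host’s files under files/<name>/ using dehydrated’s output names (cert.pem, privkey.pem, chain.pem, fullchain.pem), and it pins the private key to mode 0600 regardless of the mode given for the other files, which is a hardening choice of this example rather than documented module behaviour.

```puppet
# Hypothetical letsencrypt::certificate (illustration, not the module's code).
# Assumes the hook placed the files under
# /etc/puppet/modules/letsencrypt/files/<name>/{cert,privkey,chain,fullchain}.pem
# A notify metaparameter set on an instance of this define is inherited
# by every file resource below, so the service reloads on any change.
define letsencrypt::certificate (
  Enum['present', 'absent'] $ensure = 'present',
  String $owner    = 'root',
  String $group    = 'root',
  String $mode     = '0644',
  String $dir_mode = '0755',
) {
  $live_dir    = "/etc/letsencrypt/live/${name}"
  $file_ensure = $ensure ? { 'present' => 'file', default => 'absent' }

  file { $live_dir:
    ensure => $ensure ? { 'present' => 'directory', default => 'absent' },
    owner  => $owner,
    group  => $group,
    mode   => $dir_mode,
    force  => true,   # required to remove a non-empty directory on absent
  }

  # Public material: certificate and chain files get the requested mode.
  ['cert.pem', 'chain.pem', 'fullchain.pem'].each |String $f| {
    file { "${live_dir}/${f}":
      ensure => $file_ensure,
      owner  => $owner,
      group  => $group,
      mode   => $mode,
      source => "puppet:///modules/letsencrypt/${name}/${f}",
    }
  }

  # The private key is never readable by other users, whatever $mode says.
  file { "${live_dir}/privkey.pem":
    ensure => $file_ensure,
    owner  => $owner,
    group  => $group,
    mode   => '0600',
    source => "puppet:///modules/letsencrypt/${name}/privkey.pem",
  }
}
```

Because the key is fetched from the Puppet file server, the 0600/0700 settings in the dehydrated config above only protect the copy on the master; access to the key on agents is governed by Puppet’s node authentication and the modes set here.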

I’ve distributed my free Let’s Encrypt certificates to a few of my hosts this way, and keep them up to date from a central location – I hope it’s useful for you as well. Feel free to leave any feedback!

Writing informative technical how-to documentation takes time, dedication and knowledge. Should my blog series have helped you in getting things working the way you want them to, or configure certain software step by step, feel free to tip me via PayPal (paypal@powersource.cx) or the Flattr button. Thanks!