As a follow-up to Centrally managing your Let’s Encrypt certificates using the dns-01 challenge, in this article I’ll show Puppet users how to distribute those certificates easily to their servers.
I’ve written a small Puppet module which installs your certificates in /etc/letsencrypt/live/<your.host.name>, which is where the official client places them as well. This way you can use it as a drop-in replacement without having to change your daemon configuration files. The directories in which the official client keeps previous certificate versions are not maintained by this module, but I don’t think anyone will miss them.
Do note that simply using this module will not generate the certificates automatically; it only deploys already issued certificates stored on the Puppet server. Certificate requests should still be made using the procedure discussed in the previous post. The rest of this article assumes that setup is already in place.
Installation
Check out the module on GitHub and place it in /etc/puppet/modules/letsencrypt.
Configure the dns-01 hook script to place the certificates in /etc/puppet/modules/letsencrypt/files and set permissions so Puppet can read them. In short, add the following to /root/dehydrated/config:
DESTINATION="/etc/puppet/modules/letsencrypt/files"
CERT_OWNER=puppet
CERT_GROUP=puppet
CERT_MODE=0600
CERTDIR_OWNER=puppet
CERTDIR_GROUP=puppet
CERTDIR_MODE=0700
Example
class { 'letsencrypt': }

letsencrypt::certificate { 'your.host.name':
  ensure => present,
  notify => Service['apache2'],
}
This snippet will deploy a certificate/key/chain combination for your.host.name in /etc/letsencrypt/live/your.host.name/ on the target machine. Some other parameters are also accepted, which change the owner, group and access mode for the certificate files and their parent directory (defaults are root:root, 0644 and 0755 respectively).
The optional notify parameter lets Puppet reload one or more services after updating the certificate files. This way your renewed certificate is automatically loaded into your server software.
You can add as many certificates to one Puppet node as you want; the name of each certificate resource has to be unique.
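Both the dehydrated settings in the Installation section (keys owned by puppet, 0600 files in a 0700 directory on the Puppet server) and the module’s default 0644/0755 permissions on the target node decide who can read the private keys, so it is worth checking the result on both ends. The script below is an added example, not code from the module or from the post; it assumes the file names the official client uses (privkey.pem, cert.pem, chain.pem, fullchain.pem) inside <root>/<host.name>/, and reports any private key readable by group or others, any directory or file writable by group or others (which would allow the key to be swapped), a wrong owner, or a missing file. Run it against the DESTINATION directory on the Puppet server (expected owner puppet) and against /etc/letsencrypt/live on a node (expected owner root); with no arguments it builds a constructed sample tree and audits that.

```python
#!/usr/bin/env python3
"""Audit Let's Encrypt certificate directories for exposed private keys.

Added example, not code from the Puppet module in the post. It expects the
layout the official client uses (assumed): <root>/<host.name>/privkey.pem,
cert.pem, chain.pem, fullchain.pem.
"""
import os
import pwd
import stat
import sys
import tempfile

# File names assumed per host directory (official client naming).
REQUIRED_FILES = ("privkey.pem", "cert.pem", "chain.pem", "fullchain.pem")
GROUP_OTHER_READ = stat.S_IRGRP | stat.S_IROTH
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def current_user():
    """Name of the user running this script (default expected owner)."""
    return pwd.getpwuid(os.getuid()).pw_name


def _owner(st):
    try:
        return pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        return str(st.st_uid)


def audit_host_dir(path, expected_owner):
    """Return a list of findings for one <host.name> directory; empty means clean."""
    findings = []
    if not os.path.isdir(path):
        return ["%s: not a directory" % path]
    dst = os.stat(path)
    dmode = stat.S_IMODE(dst.st_mode)
    # A directory writable by group/other lets anyone replace the key or cert.
    if dmode & GROUP_OTHER_WRITE:
        findings.append("%s: directory mode %04o is writable by group/other" % (path, dmode))
    if _owner(dst) != expected_owner:
        findings.append("%s: owned by %s, expected %s" % (path, _owner(dst), expected_owner))
    for name in REQUIRED_FILES:
        fpath = os.path.join(path, name)
        if not os.path.isfile(fpath):
            findings.append("%s: missing" % fpath)
            continue
        fst = os.stat(fpath)
        fmode = stat.S_IMODE(fst.st_mode)
        if _owner(fst) != expected_owner:
            findings.append("%s: owned by %s, expected %s" % (fpath, _owner(fst), expected_owner))
        if fmode & GROUP_OTHER_WRITE:
            findings.append("%s: mode %04o is writable by group/other" % (fpath, fmode))
        # Only the private key is secret; certificate and chain are public anyway.
        if name == "privkey.pem" and fmode & GROUP_OTHER_READ:
            findings.append("%s: private key mode %04o is readable by group/other" % (fpath, fmode))
    return findings


def audit_tree(root, expected_owner=None):
    """Audit every host directory under root; return {host: [findings]} for hosts with problems."""
    expected_owner = expected_owner or current_user()
    report = {}
    for host in sorted(os.listdir(root)):
        findings = audit_host_dir(os.path.join(root, host), expected_owner)
        if findings:
            report[host] = findings
    return report


def make_sample_tree():
    """Build a constructed sample tree in a temp dir: one clean host and three flawed ones."""
    root = tempfile.mkdtemp(prefix="le-audit-")
    layouts = {
        "good.example.org": {"dir": 0o700, "privkey.pem": 0o600},     # like the dehydrated config
        "leaky.example.org": {"dir": 0o755, "privkey.pem": 0o644},    # the module's 0755/0644 defaults
        "open.example.org": {"dir": 0o777, "privkey.pem": 0o600},     # anyone may swap the files
        "partial.example.org": {"dir": 0o700, "privkey.pem": 0o600, "skip": "chain.pem"},
    }
    for host, spec in layouts.items():
        hdir = os.path.join(root, host)
        os.mkdir(hdir)
        for name in REQUIRED_FILES:
            if name == spec.get("skip"):
                continue
            fpath = os.path.join(hdir, name)
            with open(fpath, "w") as fh:
                fh.write("-----BEGIN PLACEHOLDER-----\n")  # constructed content, not real PEM
            os.chmod(fpath, spec["privkey.pem"] if name == "privkey.pem" else 0o644)
        os.chmod(hdir, spec["dir"])
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    owner = sys.argv[2] if len(sys.argv) > 2 else None
    problems = audit_tree(target, owner)
    for host, items in problems.items():
        for item in items:
            print(item)
    sys.exit(1 if problems else 0)
```

The check deliberately treats only privkey.pem as secret and only flags directories that are writable by others, so the module’s default 0755 directory passes as long as the key itself is not world-readable; if you keep the 0644 default for the files, the audit will flag every deployed key, which is the reason to pass a tighter mode through the module’s permission parameters mentioned above.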
I’ve distributed my free Let’s Encrypt certificates to a few of my hosts this way, and keep them up to date from a central location – I hope it’s useful for you as well. Feel free to leave any feedback!