Skip to content

opus-codium/puppet-dehydrated

Repository files navigation

dehydrated

Build Status Puppet Forge Puppet Forge - downloads Puppet Forge - endorsement Puppet Forge - scores License

Table of Contents

Module Description

The dehydrated module lets you use Puppet to manage Let's Encrypt certificates creation and renewal using dehydrated.

Setup

Beginning with dehydrated

Let's encrypt needs a contact address that must be passed to the dehydrated class:

class { 'dehydrated':
  contact_email => '[email protected]',
}

This is enough to get started and creating certificates.

Usage

Generate a simple certificate

After including the required dehydrated class, each dehydrated::certificate will produce a single certificate file:

class { 'dehydrated':
  contact_email => '[email protected]',
}

dehydrated::certificate { 'example.com':
}

Generate a certificate with SAN

A dehydrated::certificate can use the domains parameter to indicate Subject Alternative Names (SAN).

class { 'dehydrated':
  contact_email => '[email protected]',
}

dehydrated::certificate { 'example.com':
  domains => [
    'www.example.com',
    'example.net',
    'www.example.net'
  ],
}

Use DNS-01 hook

Examples of dns-01 hook.sh:

Hook must wait until DNS records are really synced across public DNS servers and only then finish. Otherwise Let's Encrypt won't find the records from their side and dehydrated run will fail.

class { 'dehydrated':
  contact_email => '[email protected]',
  challengetype => 'dns-01',
  hook          => '/home/dehydrated/hook.sh',
  timeout       => 600,
}

dehydrated::certificate { 'example.com':
}

Renewing certificates with cron

The cron_integration parameter of the dehydrated class configures cron to renew certificates before they expire.

class { 'dehydrated':
  contact_email    => '[email protected]',
  cron_integration => true,
}

Please note that the web server is not automatically restarted when certificates are renewed.

Serving challenges with Apache

The apache_integration parameter of the dehydrated class configures apache to serve the challenges used for domain validation.

The following example redirect all HTTP requests to HTTPS except those related to letsencrypt's validation:

include ::apache
include ::apache::mod::rewrite

class { 'dehydrated':
  contact_email      => '[email protected]',
  apache_integration => true,
}

apache::vhost { 'main':
  port           => 80,
  default_vhost  => true,
  docroot        => '/var/empty',
  manage_docroot => false,
  directories    => [
    {
      path     => '/var/empty',
      rewrites => [
        {
          rewrite_rule => '.* https://%{HTTP_HOST}%{REQUEST_URI} [R=301]',
        },
      ],
    },
  ],
}