dehydrated
: Base class to define necessary variables and include setup classes.
dehydrated::params
: A short summary of the purpose of this class
dehydrated::setup::requests
: Deploy requests.json file on dehydrated host
dehydrated::setup
: Set up required files and folders. Don't include/call this class.
dehydrated::setup::dehydrated_host
: Set up dehydrated and users/groups for it
dehydrated::certificate
: Creates key & CSR and requests the certificate.
dehydrated::certificate::collect
: A short summary of the purpose of this defined type.
dehydrated::certificate::csr
: Creates a key file with CSR
dehydrated::certificate::deploy
: Deploy collected certificate and CA files.
dehydrated::certificate::dh
: Create the DH params file.
dehydrated::certificate::request
: Prepare everything to request a certificate for our CSRs.
dehydrated::certificate::transfer
: Transfer crt/ca files.
dehydrated_csr
: CSRs for dehydrated
dehydrated_dhparam
: DH params for dehydrated
dehydrated_fingerprint
: Create a fingerprint file key for a private key file.
dehydrated_key
: Create a private key for dehydrated.
dehydrated_pfx
: pkcs12 / pfx files for dehydrated
Dehydrated::Algorithm
Dehydrated::CRT
Dehydrated::CSR
Dehydrated::Challengetype
Dehydrated::DN
: what we can request certificates for.
Dehydrated::Email
Dehydrated::GitSSHUrl
Dehydrated::GitUrl
: a type that hopefully matches all possible git URLs.
Dehydrated::Hook
Dehydrated::WildcardDN
: based on Stdlib::Fqdn
dehydrated
Base class to set up the Let's Encrypt certificate handling with dehydrated.

```puppet
# should be sufficient in most cases.
include dehydrated

# if you are "upgrading" from bzed-letsencrypt,
# you might want to use these options to stay
# compatible with the old group/directory:
class { 'dehydrated':
  group    => 'letsencrypt',
  base_dir => '/etc/letsencrypt',
}
```
The following parameters are available in the dehydrated
class:
base_dir
crt_dir
csr_dir
key_dir
user
group
dehydrated_user
dehydrated_group
letsencrypt_ca
letsencrypt_cas
dh_param_size
challengetype
algorithm
key_size
dehydrated_base_dir
dehydrated_git_dir
dehydrated_git_tag
dehydrated_git_url
dehydrated_host
dehydrated_requests_dir
dehydrated_hooks_dir
dehydrated_requests_config
dehydrated_wellknown_dir
dehydrated_alpncert_dir
dehydrated_host_packages
dehydrated_environment
dehydrated_domain_validation_hook
dehydrated_hook
dehydrated_contact_email
accounts_per_agent
dehydrated_status_file
dehydrated_monitoring_status_file
manage_user
manage_packages
pki_packages
packages
certificates
build_pfx_files
preferred_chain
base_dir
Data type: Stdlib::Absolutepath
The base directory where keys/csr/certs are stored. Defaults to:
- on $::os['family']=='Debian': /etc/dehydrated
- on other Linux/Unix systems: /etc/pki/dehydrated
- on windows: C:\LE_certs.
Default value: $dehydrated::params::base_dir
crt_dir
Data type: Stdlib::Absolutepath
The directory where certificates are stored. Defaults to ${base_dir}/certs
Default value: join([$base_dir, 'certs'], $dehydrated::params::path_seperator)
csr_dir
Data type: Stdlib::Absolutepath
The directory where CSRs are stored. Defaults to ${base_dir}/csr
Default value: join([$base_dir, 'csr'], $dehydrated::params::path_seperator)
key_dir
Data type: Stdlib::Absolutepath
The directory where private keys are stored. Defaults to ${base_dir}/private
Default value: join([$base_dir, 'private'], $dehydrated::params::path_seperator)
user
Data type: String
Linux: The user who owns the files in /etc/dehydrated. Windows: The user who owns the files in C:\LE_Certs. Needs to be specified!
Default value: $dehydrated::params::user
group
Data type: String
Linux: The group which owns the files in /etc/dehydrated. If you have a non-root process which needs to access private keys, add its user to this group. Windows: The group which owns the files in C:\LE_Certs. Needs to be specified!
Default value: $dehydrated::params::group
dehydrated_user
Data type: Optional[String]
User to run the dehydrated script as. Only used on the host that actually requests certificates.
Default value: $dehydrated::params::dehydrated_user
dehydrated_group
Data type: Optional[String]
Group to run the dehydrated script as. Only used on the host that actually requests certificates.
Default value: $dehydrated::params::dehydrated_group
letsencrypt_ca
Data type: String
Let's Encrypt CA to use. Defaults to v2-production. See the letsencrypt_cas parameter for a way to specify your own Let's Encrypt / ACME compatible CA. This configures the default CA to use, but you can actually define different CAs for each certificate; see the dehydrated::certificate define for details.
Default value: $dehydrated::params::letsencrypt_ca
letsencrypt_cas
Data type: Hash
Hash with the definitions of the official testing and production Let's Encrypt CAs this puppet module was tested against.
Default value: $dehydrated::params::letsencrypt_cas
dh_param_size
Data type: Integer[768]
Default size of the DH params we should generate. Defaults to 2048.
Default value: $dehydrated::params::dh_param_size
challengetype
Data type: Dehydrated::Challengetype
Default challengetype to use. Defaults to 'dns-01'. You can specify a different challengetype for each certificate, see dehydrated::certificate.
Default value: $dehydrated::params::challengetype
algorithm
Data type: Dehydrated::Algorithm
Default algorithm / elliptic curve you want to use. Supported: rsa, secp384r1, prime256v1. Defaults to rsa. You can specify a different algorithm for each certificate, see dehydrated::certificate.
Default value: $dehydrated::params::algorithm
key_size
Data type: Integer[768]
Size of the key if we create a new one. Only used if algorithm is 'rsa'. You can specify a different size for each certificate; see dehydrated::certificate.
Default value: $dehydrated::params::key_size
dehydrated_base_dir
Data type: Stdlib::Absolutepath
Only used if $trusted['certname'] == $dehydrated::dehydrated_host. Path where the dehydrated script and configurations/CSRs are being stored. Defaults to '/opt/dehydrated'.
Default value: $dehydrated::params::dehydrated_base_dir
dehydrated_git_dir
Data type: Stdlib::Absolutepath
Only used if $trusted['certname'] ==
Default value: "${dehydrated_base_dir}/dehydrated"
dehydrated_git_tag
Data type: String
Only used if $trusted['certname'] == $dehydrated::dehydrated_host. Version of the dehydrated script we want to use. Change it at your own risk.
Default value: $dehydrated::params::dehydrated_git_tag
dehydrated_git_url
Data type: Dehydrated::GitUrl
Only used if $trusted['certname'] == $dehydrated::dehydrated_host. Git URL to clone dehydrated from. If you have an internal mirror/version, you can override the default GitHub URL here.
Default value: $dehydrated::params::dehydrated_git_url
dehydrated_host
Data type: Stdlib::Fqdn
Default setting for the host you want to request the certificates on. Required on that host; on all others it is used as the default for certificates requested via dehydrated::certificate. You can specify a different dehydrated_host on each certificate if you want to. If $trusted['certname'] == $dehydrated::dehydrated_host, dehydrated will be installed and the certificate request cronjob will be set up.
Default value: $dehydrated::params::dehydrated_host
dehydrated_requests_dir
Data type: Stdlib::Absolutepath
Only used if $trusted['certname'] == $dehydrated::dehydrated_host. Path where requests that need to be handled are being stored.
Default value: "${dehydrated_base_dir}/requests"
dehydrated_hooks_dir
Data type: Stdlib::Absolutepath
Only used if $trusted['certname'] == $dehydrated::dehydrated_host.
Default value: "${dehydrated_base_dir}/hooks"
dehydrated_requests_config
Data type: Stdlib::Absolutepath
Only used if $trusted['certname'] == $dehydrated::dehydrated_host.
Default value: "${dehydrated_base_dir}/requests.json"
dehydrated_wellknown_dir
Data type: Stdlib::Absolutepath
Only used if $trusted['certname'] == $dehydrated::dehydrated_host.
Default value: "${dehydrated_base_dir}/acme-challenges"
dehydrated_alpncert_dir
Data type: Stdlib::Absolutepath
Only used if $trusted['certname'] == $dehydrated::dehydrated_host.
Default value: "${dehydrated_base_dir}/alpn-certs"
dehydrated_host_packages
Data type: Array
Only used if $trusted['certname'] == $dehydrated::dehydrated_host.
Default value: $dehydrated::params::dehydrated_host_packages
dehydrated_environment
Data type: Hash
Only used if $trusted['certname'] == $dehydrated::dehydrated_host.
Default value: $dehydrated::params::dehydrated_environment
dehydrated_domain_validation_hook
Data type: Optional[Dehydrated::Hook]
Only used if $trusted['certname'] == $dehydrated::dehydrated_host.
Default value: $dehydrated::params::dehydrated_domain_validation_hook
dehydrated_hook
Data type: Dehydrated::Hook
Name of the hook script dehydrated will use to validate the authorization request. The hook script must live in the $dehydrated_hooks_dir on $dehydrated::dehydrated_host.
Default value: "${challengetype}.sh"
dehydrated_contact_email
Data type: Optional[Dehydrated::Email]
Contact email address for created accounts. We'll create one account for each puppet host.
Default value: $dehydrated::params::dehydrated_contact_email
accounts_per_agent
Data type: Boolean
Create one ACME account per puppet client (true; the default), or one account globally.
Default value: true
dehydrated_status_file
Data type: Stdlib::Absolutepath
File the dehydrated job runner will dump its status into. Pretty-printed JSON.
Default value: "${dehydrated_base_dir}/status.json"
dehydrated_monitoring_status_file
Data type: Stdlib::Absolutepath
Status file for monitoring with check_statusfile, see README.md for details.
Default value: "${dehydrated_base_dir}/monitoring.status"
manage_user
Data type: Boolean
Create $dehydrated_user/$dehydrated_group and $user/$group if necessary.
Default value: $dehydrated::params::manage_user
manage_packages
Data type: Boolean
Install required packages using ensure_packages? Should be safe to leave enabled in most cases.
Default value: $dehydrated::params::manage_packages
pki_packages
Data type: Array
Required packages to create /etc/pki. Not really used yet.
Default value: $dehydrated::params::pki_packages
packages
Data type: Array
The list of packages we actually need to install to make this module work properly. You are free to modify this list if you need to.
Default value: $dehydrated::params::packages
certificates
Data type: Array[Variant[Dehydrated::DN, Tuple[Dehydrated::DN, Array[Dehydrated::DN]]]]
Allows requesting certificates from the class instead of using dehydrated::certificate. The puppet definition of this rather complex parameter is Array[Variant[Dehydrated::DN, Tuple[Dehydrated::DN, Array[Dehydrated::DN]]]]. So basically, you need to specify an Array whose elements are either a
- distinguished name
- tuple with [distinguished name, array of distinguished names]
The first case requests a default certificate. The tuple version will request a SAN certificate.
Default value: []
build_pfx_files
Data type: Boolean
Create a PKCS12 container with key, certificate and CA certificates. Defaults to true on Windows, to false on all other OS.
Default value: $dehydrated::params::build_pfx_files
preferred_chain
Data type: Optional[String]
Preferred dehydrated CA chain to use
Default value: $dehydrated::params::preferred_chain
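The following manifest is an added example, not code from the module's own documentation. It shows the two roles the class parameters above describe: the one host whose $trusted['certname'] equals dehydrated_host (where dehydrated is installed and the request cronjob runs) and an ordinary client that only consumes certificates, requesting them through the certificates parameter. The host names, contact address, group name, hook name and Hiera key are constructed for illustration.

```puppet
# Added example, not part of the bzed-dehydrated module. Host names, the
# contact address, the group name, the hook name and the Hiera key are
# constructed placeholders.

# The host that actually talks to the CA. Because its $trusted['certname']
# equals dehydrated_host, the module installs dehydrated, writes
# requests.json and sets up the request cronjob here.
node 'acme-runner.example.com' {
  class { 'dehydrated':
    dehydrated_host          => 'acme-runner.example.com',
    dehydrated_contact_email => 'hostmaster@example.com',
    # Default CA for every certificate; dehydrated::certificate may
    # override it per certificate with letsencrypt_ca.
    letsencrypt_ca           => 'v2-production',
    challengetype            => 'dns-01',
    # Dehydrated::Hook permits no path separators, so the hook is always
    # resolved inside dehydrated_hooks_dir on this host (the default name
    # is "${challengetype}.sh" anyway; it is spelled out here).
    dehydrated_hook          => 'dns-01.sh',
    # Environment handed to the hooks, e.g. DNS API credentials for
    # dns-01. Keep the secret in Hiera (eyaml or similar), not inline.
    dehydrated_environment   => {
      'DNS_API_TOKEN' => lookup('profile::acme::dns_api_token'),
    },
    # One ACME account per Puppet agent (the default); false would use a
    # single shared account.
    accounts_per_agent       => true,
  }
}

# A web server that only consumes certificates. Private keys land in
# key_dir owned by user/group: add the service user to that group rather
# than widening file permissions. Each entry of certificates replaces one
# dehydrated::certificate declaration: a plain DN requests a single-name
# certificate, a [DN, [SANs]] tuple requests a SAN certificate.
node 'www1.example.com' {
  class { 'dehydrated':
    dehydrated_host => 'acme-runner.example.com',
    group           => 'ssl-cert',
    certificates    => [
      'www1.example.com',
      ['example.com', ['www.example.com', 'mail.example.com']],
    ],
  }
}
```

Only the runner node needs the dehydrated_environment and hook settings; on the client node they would be ignored, since those parameters are only used where $trusted['certname'] == $dehydrated::dehydrated_host. The same values can of course be supplied through Hiera as dehydrated::dehydrated_host and so on, with a plain include dehydrated in the manifest.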
dehydrated::params
A description of what this class does

```puppet
include dehydrated::params
```

dehydrated::setup::requests
We collect all request information from PuppetDB, clean, enrich and merge it to create requests.json on the dehydrated host.

```puppet
include dehydrated::setup::requests
```
dehydrated::certificate
Triggers key and CSR generation and requests the certificate via the host configured in $dehydrated_host. This is the main defined type to use if you want to have a certificate. Together with the defaults in the dehydrated class you should have everything you need to request certificates. The dehydrated::certificate::* types in particular do not have a public API and can change without warning; don't rely on them. Dehydrated::Certificate[$dn] is also what you want to subscribe to if you want to restart services after certificates have been installed/updated.

```puppet
dehydrated::certificate { 'test.example.com': }
```
The following parameters are available in the dehydrated::certificate
defined type:
dn
base_filename
subject_alternative_names
challengetype
algorithm
key_size
dh_param_size
dehydrated_host
dehydrated_environment
dehydrated_hook
letsencrypt_ca
dehydrated_domain_validation_hook
key_password
preferred_chain
dn
Data type: Dehydrated::DN
The main distinguished name to use for the certificate. Defaults to $name.
Default value: $name
base_filename
Data type: String
The base part of the filename of all related files. For wildcard certificates the leading * is replaced by _wildcard_. Feel free to use whatever is a valid filename.
Default value: regsubst($dn, '^\*', '_wildcard_')
subject_alternative_names
Data type: Array[Dehydrated::DN]
To request a SAN certificate, pass an array with the alternative names here. The main $dn will be added automatically.
Default value: []
challengetype
Data type: Dehydrated::Challengetype
Challengetype to use. Defaults to $dehydrated::challengetype, which defaults to 'dns-01'. You can specify a different challengetype for each certificate here.
Default value: $dehydrated::challengetype
algorithm
Data type: Dehydrated::Algorithm
Algorithm / elliptic curve you want to use. Supported: rsa, secp384r1, prime256v1. Defaults to $dehydrated::algorithm, which defaults to 'rsa'. You can specify a different algorithm for each certificate here.
Default value: $dehydrated::algorithm
key_size
Data type: Integer[768]
Size of the key if we create a new one. Only used if algorithm is 'rsa'.
Default value: $dehydrated::key_size
dh_param_size
Data type: Integer[768]
Size of the DH params we should generate. Defaults to $dehydrated::dh_param_size, which defaults to 2048. You can specify a different DH param size for each certificate here.
Default value: $dehydrated::dh_param_size
dehydrated_host
Data type: Stdlib::Fqdn
$trusted['certname'] of the host which is responsible for requesting the certificates from the Let's Encrypt CA. Defaults to $dehydrated::dehydrated_host, where you can configure your default.
Default value: $dehydrated::dehydrated_host
dehydrated_environment
Data type: Hash
Hash with the environment variables to set for the $dehydrated_domain_validation_hook and also for running the hook in dehydrated. Defaults to $dehydrated::dehydrated_environment, empty by default.
Default value: $dehydrated::dehydrated_environment
dehydrated_hook
Data type: Optional[Dehydrated::Hook]
Name of the hook script you want to use. Can be left on undef if http-01 is being used as challengetype, to use the built-in http-01 implementation of dehydrated. Defaults to
Default value: $dehydrated::dehydrated_hook
letsencrypt_ca
Data type: String
Defines the CA you want to use to request certificates. If you want to use a non-supported CA, you need to configure it in $dehydrated::letsencrypt_cas on your $dehydrated_host. Normally, the following CAs are pre-configured: staging, production, v2-staging, v2-production. Defaults to $dehydrated::letsencrypt_ca, which points to v2-production.
Default value: $dehydrated::letsencrypt_ca
dehydrated_domain_validation_hook
Data type: Optional[Dehydrated::Hook]
Name of the hook script to run before dehydrated is actually executed. Used to check if a domain is still valid or if you are allowed to modify it, or whatever else you want to do as preparation. A good thing to use before running into rate limits by trying to request certificates for domains you don't own. Defaults to $dehydrated::dehydrated_domain_validation_hook, where you can configure the default for your setup.
Default value: $dehydrated::dehydrated_domain_validation_hook
key_password
Data type: Optional[String]
If your key should be protected by a password, specify it here.
Default value: undef
preferred_chain
Data type: Optional[String]
Preferred Let's Encrypt CA chain you want to use
Default value: $dehydrated::preferred_chain
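As an added example (not from the module's documentation), the following manifest exercises the dehydrated::certificate parameters described above: a plain certificate, a SAN certificate, a wildcard certificate, a request against the staging CA with a domain-validation hook, and a service that is refreshed through Dehydrated::Certificate[$dn]. Host names, the service name and the hook file name are constructed; it assumes dehydrated::dehydrated_host is provided via Hiera.

```puppet
# Added example, not part of the bzed-dehydrated module. Host names, the
# nginx service and the hook name 'check-domain.sh' are constructed.
# Assumes dehydrated::dehydrated_host is set in Hiera.
include dehydrated

# Single-name certificate using the class defaults (challengetype,
# algorithm, key_size, dehydrated_host, letsencrypt_ca).
dehydrated::certificate { 'www.example.com': }

# SAN certificate: the main DN is added to the SAN list automatically.
# Related files are named after base_filename, which defaults to the DN.
dehydrated::certificate { 'example.com':
  subject_alternative_names => ['www.example.com', 'mail.example.com'],
  algorithm                 => 'prime256v1',
}

# Wildcard certificate. The default base_filename turns the leading '*'
# into '_wildcard_', so the related files start with
# '_wildcard_.example.com'. Let's Encrypt validates wildcard names with
# dns-01 only, so the challengetype is pinned here.
dehydrated::certificate { '*.example.com':
  challengetype   => 'dns-01',
  dehydrated_hook => 'dns-01.sh',
}

# Experiments go to the staging CA, and a domain-validation hook checks
# that the name is ours before the request counts against rate limits.
# Dehydrated::Hook forbids path separators, so the hook can only be a
# file inside dehydrated_hooks_dir on the dehydrated host.
dehydrated::certificate { 'test.example.com':
  letsencrypt_ca                    => 'v2-staging',
  dehydrated_domain_validation_hook => 'check-domain.sh',
}

# Reload the consumer whenever its certificate is installed or renewed.
# Dehydrated::Certificate[$dn] is the one resource the module promises
# as a subscription target; the dehydrated::certificate::* internals are
# not a public API.
service { 'nginx':
  ensure    => running,
  subscribe => Dehydrated::Certificate['example.com'],
}
```

The subscribe relationship is what turns a renewal on the dehydrated host into a service reload on the consuming node once the new files have been deployed; without it the service keeps serving the old certificate from memory until its next restart.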
dehydrated_csr
CSRs for dehydrated
The following properties are available in the dehydrated_csr type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
The following parameters are available in the dehydrated_csr type.
algorithm
common_name
country
digest
email_address
force
locality
organization
organizational_unit
password
path
private_key
provider
state
subject_alternative_names
algorithm
Valid values: prime256v1, secp384r1, rsa
The algorithm to use, supported: rsa, secp384r1, prime256v1
Default value: rsa
common_name
The common name for the CSR
country
country part of the certificate name
digest
Digest used while signing the CSR, defaults to SHA512
Default value: SHA512
email_address
emailAddress part of the certificate name
force
Valid values: true, false
Whether to replace the certificate if the private key or CommonName/SANs mismatch
Default value: false
locality
locality part of the certificate name
organization
organization part of the certificate name
organizational_unit
organizational_unit part of the certificate name
password
The optional password for the private key
provider
The specific backend to use for this dehydrated_csr resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
state
state part of the certificate name
subject_alternative_names
SANs to request
Default value: []
dehydrated_dhparam
DH params for dehydrated
The following properties are available in the dehydrated_dhparam type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
The following parameters are available in the dehydrated_dhparam type.
provider
The specific backend to use for this dehydrated_dhparam resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
The key size
Default value: 2048
dehydrated_fingerprint
Create a fingerprint file key for a private key file.
The following properties are available in the dehydrated_fingerprint type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
The following parameters are available in the dehydrated_fingerprint type.
The optional password for the key
Fingerprint location, must be absolute.
Key location, must be absolute.
provider
The specific backend to use for this dehydrated_fingerprint resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
dehydrated_key
Create a private key for dehydrated.
The following properties are available in the dehydrated_key type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
The following parameters are available in the dehydrated_key type.
Valid values: prime256v1, secp384r1, rsa
Algorithm to use for key generation, supported: prime256v1, secp384r1, rsa
Default value: rsa
The optional password for the key
Key location, must be absolute.
provider
The specific backend to use for this dehydrated_key resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
The key size, used for RSA only.
Default value: 3072
dehydrated_pfx
pkcs12 / pfx files for dehydrated
The following properties are available in the dehydrated_pfx type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
The following parameters are available in the dehydrated_pfx type.
The path of the CA certificates to put into the pkcs12 container
The path of the certificate to put into the pkcs12 container
The optional password for the private key
The optional password for the pkcs12 container
A string describing the key / pkcs12 container
provider
The specific backend to use for this dehydrated_pfx resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
dehydrated::file
Type: Ruby 4.x API
The dehydrated::file function.
Returns: Any
Data type: String
Data type: Optional[String]
The Dehydrated::Algorithm data type.
Alias of Pattern[/^(rsa|prime256v1|secp384r1)$/]
The Dehydrated::CRT data type.
Alias of Pattern[/(?m:.*-+BEGIN CERTIFICATE-+.*-+END CERTIFICATE-+.*)/]
The Dehydrated::CSR data type.
Alias of Pattern[/(?m:.*-+BEGIN CERTIFICATE REQUEST-+.*-+END CERTIFICATE REQUEST-+.*)/]
The Dehydrated::Challengetype data type.
Alias of Pattern[/^(http-01|dns-01|tls-alpn-01)$/]
The Dehydrated::DN data type: what we can request certificates for.
Alias of Variant[Stdlib::Fqdn, Dehydrated::WildcardDN]
The Dehydrated::Email data type.
Alias of Pattern[/^(?i:[A-Z0-9_%+"-]+[A-Z0-9._%+"-]+@[A-Z0-9.-]+\.[A-Z]{2,})$/]
The Dehydrated::GitSSHUrl data type.
Alias of Pattern[/(?i:^(ssh:\/\/([^\/@]+@)?[^\/]+\/.*|([^@:]+@)?[^:]+:.*))/]
The Dehydrated::GitUrl data type: a type that hopefully matches all possible git URLs.
Alias of Variant[Dehydrated::GitSSHUrl, Stdlib::HTTPUrl, Stdlib::Absolutepath]
The Dehydrated::Hook data type.
Alias of Pattern[/^[^\\\/]+$/]
The Dehydrated::WildcardDN data type: based on Stdlib::Fqdn.
Alias of Pattern[/^\*\.(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$/]