I develop Puppet manifests in a Vagrant VM. I'd like to configure an SSL-terminating webserver, but obviously Let's Encrypt verification will fail when the node is only running on my laptop.

Is there a nice way to configure Puppet to use the real Let's Encrypt only on the real server, and generate a self-signed certificate in the development environment? Maybe a fake implementation of the Let's Encrypt server which grants all requests using a self-signed CA?

jacobbaer


An approach I've taken on my own Vagrant boxes is to use the local "snakeoil" certificate, and parametrise my classes where needed so that I can pass in a different cert.

# Profile class: the certificate source is a class parameter, so a Vagrant box
# can be built with use_letsencrypt => false and the real server keeps the default.
class custom::profile::apache(
  $vhost_domain    = $::fqdn,
  $use_letsencrypt = true,
){

  if $::custom::profile::apache::use_letsencrypt == true {
    # Production: files written by certbot/letsencrypt for this domain.
    $ssl_cert  = "/etc/letsencrypt/live/${::custom::profile::apache::vhost_domain}/cert.pem"
    $ssl_key   = "/etc/letsencrypt/live/${::custom::profile::apache::vhost_domain}/privkey.pem"
    $ssl_chain = "/etc/letsencrypt/live/${::custom::profile::apache::vhost_domain}/chain.pem"
    # The Exec that obtains the certificate is declared elsewhere in the profile.
    $require   = Exec["letsencrypt certonly ${::fqdn}"]
  } else {
    # Development: the self-signed cert shipped by the ssl-cert package; no chain.
    $ssl_cert   = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
    $ssl_key    = '/etc/ssl/private/ssl-cert-snakeoil.key'
    $ssl_chain  = undef
    $require    = undef
  }

  include ::apache

  ::apache::vhost { "https-${::custom::profile::apache::vhost_domain}":
    ...
    ssl_cert  => $ssl_cert,
    ssl_key   => $ssl_key,
    ssl_chain => $ssl_chain,
    require   => $require,
  }
}

Craig Watson
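A variant of the same branching profile, added here as an example and not part of the answer above: the development branch generates a self-signed certificate whose Subject Alternative Name matches the vhost domain, instead of reusing the snakeoil cert (whose CN is the box hostname and which browsers will reject for any other name). It assumes puppetlabs-apache, OpenSSL 1.1.1 or later on the box (for `-addext`), Puppet 5.5+ or stdlib for `join()`, and the `/etc/ssl/dev` path and the letsencrypt Exec title are assumptions of the example.

```puppet
class custom::profile::apache (
  String  $vhost_domain    = $facts['networking']['fqdn'],
  Boolean $use_letsencrypt = true,   # set to false from Hiera for Vagrant boxes
  String  $docroot         = '/var/www/html',
) {
  if $use_letsencrypt {
    # Production: certbot's live directory for this domain (Exec declared elsewhere).
    $ssl_dir     = "/etc/letsencrypt/live/${vhost_domain}"
    $ssl_chain   = "${ssl_dir}/chain.pem"
    $ssl_require = Exec["letsencrypt certonly ${vhost_domain}"]
  } else {
    # Development: one self-signed cert per vhost, SAN = vhost domain, no chain.
    $ssl_dir   = "/etc/ssl/dev/${vhost_domain}"   # assumed path
    $ssl_chain = undef

    file { $ssl_dir:
      ensure => directory,
      owner  => 'root',
      group  => 'root',
      mode   => '0755',
    }
    exec { "self-signed cert for ${vhost_domain}":
      command => join([
        'openssl req -x509 -newkey rsa:2048 -nodes -days 365',
        "-subj '/CN=${vhost_domain}' -addext 'subjectAltName=DNS:${vhost_domain}'",
        "-keyout ${ssl_dir}/privkey.pem -out ${ssl_dir}/cert.pem",
      ], ' '),
      creates => "${ssl_dir}/cert.pem",   # idempotent: generate once, then keep
      umask   => '077',                   # private key is created mode 0600
      path    => ['/usr/bin', '/bin'],
      require => File[$ssl_dir],
    }
    $ssl_require = Exec["self-signed cert for ${vhost_domain}"]
  }

  include apache

  # Both branches lay the files out the same way, so the vhost needs no conditionals.
  apache::vhost { "https-${vhost_domain}":
    servername => $vhost_domain,
    port       => 443,
    docroot    => $docroot,
    ssl        => true,
    ssl_cert   => "${ssl_dir}/cert.pem",
    ssl_key    => "${ssl_dir}/privkey.pem",
    ssl_chain  => $ssl_chain,
    require    => $ssl_require,
  }
}
```

To flip the branch only on Vagrant boxes, a Hiera layer keyed on the `virtual` fact (for example `"%{facts.virtual}.yaml"`, giving `data/virtualbox.yaml` with `custom::profile::apache::use_letsencrypt: false`) keeps the real server on the default.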