markt-de / puppet-acme
Centralized SSL certificate management using acme.sh and the ACME protocol
Home Page: https://forge.puppet.com/markt/acme
License: Apache License 2.0
Hello,
Would it be possible to add the functionality of '--toPkcs' to acme::certificate params?
https://github.com/acmesh-official/acme.sh/wiki#3-how-to-get-pkcs12pfx-format
Use case: A Puppet-managed, Java-based application that uses SSL certs, but in keystore format. So the cert issued by acme.sh must be exported to PKCS12 manually, or with the openssl Puppet module, on each cert lifecycle.
EDIT: I noticed this module supports posthooks. Is it possible to issue/renew a certificate to pkcs12 using a posthook_cmd?
Thanks,
Brian
I would have opened a discussion if they were enabled in this git repo. I am not sure if I am simply doing something wrong or if I found a bug.
For development I created the certificates with the CA letsencrypt_test. This worked quite well; it just needed some Puppet runs and the certificate was correctly there. After that I switched to the CA letsencrypt, but the certificates were still from the test CA. I wasn't able to force a regeneration of the cert.
So I tried to delete the complete acme folder from the client, but after the Puppet run I got the wrong certs again. I also tried to delete the folder on server and client, which led me to an unusable system (not exactly in this order, I played around a bit), as "suddenly" the private key doesn't match the cert any more.
Jan 10 02:25:09 aio001 nginx[932050]: nginx: [emerg] SSL_CTX_use_PrivateKey("/etc/acme.sh/keys/.../private.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
Jan 10 02:25:09 aio001 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Am I doing something wrong? Should this module be able to switch CAs? How can I start over? How do I force regeneration?
New versions of acme.sh now default to zerossl which fails, especially if you've been using LetsEncrypt for a while.
It would be good to add configuration to the module to allow selecting the different CAs. Right now the only option is 'production' or 'staging', and that assumes an LE CA. However, acme.sh now has support for several different servers other than just LE.
See: https://github.com/acmesh-official/acme.sh/wiki/Server
I had to go force my default ca on my account configs to get around this after doing an upgrade!
acme::certificate requires the definition of the ca, but should also use the default ca if not provided.
I am in the process of migrating a service from one node to another. As part of this, I set up the same certificates on the second node, both with the respective hostname as a SAN:
The puppet run completes on the second node, but on the puppet master it now errors out with:
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: Acme::Request[myservice.myhost.tld] is already declared; cannot redeclare (file: /etc/puppetlabs/code/environments/production/modules/acme/manifests/csr.pp, line: 192) (file: /etc/puppetlabs/code/environments/production/modules/acme/manifests/csr.pp, line: 192, column: 5) (file: /etc/puppetlabs/code/environments/production/modules/acme/manifests/certificate.pp, line: 59) on node puppetmaster.myhost.tld
The certificates are set up in hiera like this:
on node1 (which is also the puppetmaster, in case that matters):
acme::certificates:
  'myservice.myhost.tld node1.myhost.tld':
    use_profile: my_profile
on node2:
acme::certificates:
  'myservice.myhost.tld node2.myhost.tld':
    use_profile: my_profile
Perhaps the acme::request resources that are exported "to" the puppetmaster should be canonicalized with the hostname?
I'm trying to get this module setup (I'm on CentOS 8) and I keep getting the following error during runs on the puppetmaster:
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, 'versioncmp' parameter 'a' expects a String value, got Undef (file: /etc/puppetlabs/code/environments/production/modules/acme/manifests/request/handler.pp, line: 188, column: 25) on node REDACTED
Looking at the line in question I'm trying to puzzle out where $openssl_version is supposed to come from as the stated dependencies don't seem to be creating the fact.
Current configuration:
puppetserver 6.12.0
puppet-agent: 6.16
OS: CentOS 8
declared dependencies:
puppetlabs-stdlib: 6.3.0
puppetlabs-concat: 6.2.0
puppetlabs-vcsrepo: 3.1.0
camptocamp-openssl: 1.14.0
I am getting issues when I run Puppet to get a Let's Encrypt SSL cert. Below are the errors. How do I fix this issue?
[Mon Sep 18 15:59:29 EDT 2017] you must specify a path to the nsupdate key file
[Mon Sep 18 15:59:29 EDT 2017] Error add txt for domain:_acme-challenge.[domain_Name]
On the Puppet 5 Server, I've just noticed that every manifest run now fails when your module attempts to renew any certificate that isn't yet near expiration. When I manually execute the failing command, I notice that the result is non-fatal; rather, the user is politely informed when the next renewal time should be. However, because the acme.sh script returns a non-zero exit state -- 2 rather than 0 -- your exec resource mistakes the result as a fatal error.
To the "renew-certificate-${domain}" exec at https://github.com/fraenki/puppet-acme/blob/master/manifests/request.pp#L272, simply add this additional line:
returns => [ 0, 2, ],
This line will permit the exec to report a success when the certificate renewal either has actually succeeded (0) or has been deferred to a later date (2).
This error can be reproduced by running:
puppet agent -tv
on the Puppet 5 Server to observe the error.
Error: '/opt/acme.sh/acme.sh --staging --issue --domain host.domain.tld --dns dns_gd --days 30 --log /var/log/acme.sh/acme.log --log-level 2 --home /etc/acme.sh/home --keylength 4096 --accountconf /etc/acme.sh/accounts/[email protected]/account_staging.conf --ocsp --csr /etc/acme.sh/csrs/host.domain.tld/cert.csr --certpath /etc/acme.sh/certs/host.domain.tld/cert.pem --capath /etc/acme.sh/certs/host.domain.tld/chain.pem --fullchainpath /etc/acme.sh/certs/host.domain.tld/fullchain.pem --dnssleep 15 >/dev/null' returned 2 instead of one of [0]
Error: /Stage[main]/Acme::Request::Handler/Acme::Request[host.domain.tld]/Exec[renew-certificate-host.domain.tld]/returns: change from 'notrun' to ['0'] failed: '/opt/acme.sh/acme.sh --staging --issue --domain host.domain.tld --dns dns_gd --days 30 --log /var/log/acme.sh/acme.log --log-level 2 --home /etc/acme.sh/home --keylength 4096 --accountconf /etc/acme.sh/accounts/[email protected]/account_staging.conf --ocsp --csr /etc/acme.sh/csrs/host.domain.tld/cert.csr --certpath /etc/acme.sh/certs/host.domain.tld/cert.pem --capath /etc/acme.sh/certs/host.domain.tld/chain.pem --fullchainpath /etc/acme.sh/certs/host.domain.tld/fullchain.pem --dnssleep 15 >/dev/null' returned 2 instead of one of [0]
[Sun Feb 25 03:00:09 UTC 2018] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[Sun Feb 25 03:00:10 UTC 2018] Domains not changed.
[Sun Feb 25 03:00:10 UTC 2018] Skip, Next renewal time is: Fri Mar 23 17:41:34 UTC 2018
[Sun Feb 25 03:00:10 UTC 2018] Add '--force' to force to renew.
echo $?
2
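The exit-status handling described in the report above, as an added shell example that is not code from the puppet-acme module: a wrapper that runs an acme.sh renewal command and treats exit status 2 ("Skip, Next renewal time is ...") as a deferred success, the same way the proposed `returns => [ 0, 2, ]` does, while still failing on any other non-zero status. The `fake_acme_not_due` stub is constructed here from the log lines quoted in the report so the block runs offline.

```shell
#!/bin/sh
# Added example, not part of puppet-acme: map acme.sh exit codes the way the
# proposed "returns => [0, 2]" does, and surface the deferred renewal date.

# acme_renew CMD [ARGS...]
# Prints one line: "renewed", "deferred until <date>", or "failed rc=N".
# Returns 0 for renewed/deferred, the command's original status otherwise.
acme_renew() {
    rc=0
    out=$("$@" 2>&1) || rc=$?
    case "$rc" in
        0)
            echo "renewed"
            return 0 ;;
        2)
            # acme.sh reports a not-yet-due cert with exit 2 and a line like:
            # "[...] Skip, Next renewal time is: Fri Mar 23 17:41:34 UTC 2018"
            next=$(printf '%s\n' "$out" | sed -n 's/.*Next renewal time is: *//p' | head -n 1)
            echo "deferred until ${next:-unknown}"
            return 0 ;;
        *)
            echo "failed rc=$rc"
            return "$rc" ;;
    esac
}

# Constructed stub standing in for "acme.sh --issue ..." on a cert that is not due yet.
fake_acme_not_due() {
    echo "[Sun Feb 25 03:00:10 UTC 2018] Domains not changed."
    echo "[Sun Feb 25 03:00:10 UTC 2018] Skip, Next renewal time is: Fri Mar 23 17:41:34 UTC 2018"
    echo "[Sun Feb 25 03:00:10 UTC 2018] Add '--force' to force to renew."
    return 2
}
```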
Hello,
I'm getting the following error message:
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, 'versioncmp' parameter 'a' expects a String value, got Undef (file: /etc/puppetlabs/code/environments/puppet7/modules/acme/manifests/request/handler.pp, line: 185, column: 18
The line:
$old_openssl = versioncmp($facts['openssl_version'], '1.1.0') < 0
Debug mode:
Debug: Facter: Executing command: /usr/bin/openssl version 2>&1
Debug: Facter: value for openssl_version is still nil
# /usr/bin/openssl version 2>&1
OpenSSL 1.1.1k FIPS 25 Mar 2021
├─┬ fraenki-acme (v4.0.0)
│ ├── puppetlabs-stdlib (v8.5.0)
│ ├── puppetlabs-concat (v7.3.0)
│ ├── puppetlabs-vcsrepo (v5.4.0)
│ ├── puppetlabs-augeas_core (v1.2.0)
│ └── puppet-openssl (v2.0.1)
Puppet server - 7.11.0
Puppet agent - 7.24.0
RHEL 8 based OS.
I've already reviewed #27, but not seeing a clear solution.
Thank you.
After upgrading to version 2.1.0 and issuing a new certificate I get an error on my puppet master.
Error: Could not retrieve catalog from remote server:
Error 500 on SERVER: Server Error:
Could not find resource 'File[/etc/acme.sh/configs/gitlab.example.com/params.dh]' in parameter 'require'
(file: /etc/puppetlabs/code/environments/production/modules/acme/manifests/deploy/crt.pp, line: 99) on node puppet.example.com
Not sure why this is happening.
After downgrading to 2.0.0 the error is gone.
First of all, thank you for this opportunity for central certificate management with puppet.
I use this module with ISPConfig dns plugin.
For issuing certificates, I noticed two problems with puppet-acme:
Configurable timeout for EXEC "issue-certificate-${domain}"
Publishing the dns record via ISPConfig and from there to an external slave DNS provider takes time.
The default timeout of 300 is not always enough.
Param dnssleep should be optional
If not provided, or set to e.g. false/-1, do not prepend --dnssleep to the command. This way acme.sh can recheck the DNS entry periodically and finish after success, or be terminated when the EXEC timeout is exceeded.
At the moment I run the issuing command by hand on the puppet master. The last certificate took about 7 minutes to be issued. Too much for default exec runtime.
Hi,
Is it possible to use this module without a puppet server (running 'puppet apply' for example)?
Thanks for your help
Hello,
I'm getting the following error message with below code and would appreciate your assistance.
Thank you.
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Resource type not found: NSUPDATE_SERVER (file: /etc/puppetlabs/code/environments/puppet/site-modules/profiles/manifests/puppetboard.pp, line: 31, column: 13) on node puppet
class { 'acme':
  accounts => ['[email protected]'],
  profiles => {
    nsupdate_example => {
      challengetype => 'dns-01',
      hook          => 'nsupdate',
      env           => {
        NSUPDATE_SERVER => 'dns.example.com'
      },
      options       => {
        dnssleep      => 5,
        nsupdate_id   => 'acme-update',
        nsupdate_type => 'hmac-sha512',
        nsupdate_key  => '`123456',
      }
    }
  }
}
When updating to 1.0.3 on puppet 5.5, I get the following error:
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Unknown function: 'get'. (file: /etc/puppetlabs/code/environments/production/modules/acme/manifests/request/crt.pp, line: 24, column: 33) (file: /etc/puppetlabs/code/environments/production/modules/acme/manifests/init.pp, line: 106) on node mynode
I believe this is caused by changeset 59144d6, which introduces usage of the $facts.get() function, which is not available before Puppet 6.0.
It would probably be better to use the fact() function from stdlib. Since the fact names don't use dot navigation, a simple $facts["..."] lookup might do as well.
Currently the module has the option --fullchainpath, but master acme.sh has --fullchain-file. So is it on purpose that it depends on an older version of acme.sh?
Building a fresh node with your module using the DNS-01 mechanism with GoDaddy works mostly well. However, if we destroy a node that had already received its certificate, chain, and key files, we are unable to rebuild that node because we end up with a mismatched certificate/key pair. In my own testing, I was only able to rebuild an affected node by fully destroying both the affected node and the Puppet Server itself, then rebuilding them both! This is obviously not an ideal workaround.
Steps to reproduce:
There is no readily-identifiable way to resolve this error. I manually compared the private key and certificate files on the affected node and indeed, they are mismatched. I tried destroying the old certificate files from /etc/acme.sh/* directories on the Puppet Server for the affected node and repeating the request sequence in hope that your module would re-request fresh copies of the files from GoDaddy, but this had no effect; in fact, the certificate files are never recreated on the Puppet Server. This leaves me to suspect that you're caching the certificates in PuppetDB, which is cool except this needs to be clear in your documentation along with a direct means of flushing affected resources.
Please advise.
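The key/certificate mismatch described in this report, and in the earlier CA-switching report that ended with nginx's "X509_check_private_key:key values mismatch", can be caught before a service restart. The following is an added shell example, not code from the puppet-acme module: it compares the public key derived from the private key with the one embedded in the certificate, using the /etc/acme.sh/keys/<domain>/private.key and /etc/acme.sh/certs/<domain>/cert.pem layout quoted in the reports (the base directory argument is an assumption for testing).

```shell
#!/bin/sh
# Added example, not part of puppet-acme: detect a stale or mismatched
# certificate/key pair for a domain before nginx refuses to start.
# Requires the openssl CLI.

# key_matches_cert KEY_FILE CERT_FILE
# Returns 0 if the public key in both files is identical, 1 if they differ,
# 2 if either file cannot be parsed.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# check_acme_domain DOMAIN [BASE_DIR]
# BASE_DIR defaults to /etc/acme.sh (the module's layout); it is a parameter
# here only so the check can be exercised against a constructed directory.
# Prints "match: <domain>", "MISMATCH: <domain>" or "missing: ...".
check_acme_domain() {
    base=${2:-/etc/acme.sh}
    key="$base/keys/$1/private.key"
    crt="$base/certs/$1/cert.pem"
    [ -r "$key" ] && [ -r "$crt" ] || { echo "missing: $key or $crt"; return 2; }
    if key_matches_cert "$key" "$crt"; then
        echo "match: $1"
    else
        # This is the state that produces "key values mismatch" in nginx.
        echo "MISMATCH: $1"
        return 1
    fi
}
```

Run `check_acme_domain www.example.com` on the node (or as a Puppet exec `unless`/`onlyif` guard) before notifying the web server; a non-zero status means the deployed pair must be regenerated rather than restarted into.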
letsencrypt/certbot allows usage without an email address, but this Puppet module has a hard requirement on accounts/email addresses. It would be awesome to allow the usage of this module without providing an email address.
When using DNS-01 and a high value for dnssleep, the exec may terminate due to a timeout:
Error: /Stage[main]/Acme::Request::Handler/Acme::Request[foobar.example.com]/Exec[issue-certificate-foobar.example.com]/returns: change from 'notrun' to ['0'] failed: Command exceeded timeout
Maybe we should set the exec timeout dynamically, depending on the value of dnssleep.
I am getting this error on the first issue of a certificate:
Notice: /Stage[main]/Acme::Request::Handler/Acme::Request[www.example.com]/Exec[issue-certificate-www.example.com]/returns: /opt/acme.sh/acme.sh: 4678: /opt/acme.sh/acme.sh: cannot create /etc/acme.sh/certs/www.example.com/cert.pem: Directory nonexistent
I need to manually create the directory /etc/acme.sh/certs/www.example.com to make it work.
date and stat syntax
Since we have been using this module we have an exit code 2 at every Puppet run on the puppetserver.
Hey,
we use Puppetboard for our environments. We have some secrets leakage here:
Can we remove this notice?:
puppet-acme/manifests/request.pp
Line 132 in 13b1f41
Hello,
puppet6.example.com - puppet (ACME) master
reflect.example.com - puppet client
After our initial installation, we got the following error message on the master:
puppet6.example.com puppet-agent[13881]: Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Could not find resource 'File[/etc/acme.sh/configs/reflect.example.com/params.dh]' in parameter 'require' (file: /etc/puppetlabs/code/environments/puppet6/site-modules/acme/manifests/deploy/crt.pp, line: 97) on node puppet6.example.com
puppet6.example.com puppet-agent[13881]: (/Stage[main]/Acme/Acme::Request::Crt[reflect.example.com]/Acme::Deploy::Crt[reflect.example.com]/Concat[/etc/acme.sh/keys/reflect.example.com/fullchain_with_key.pem]/Concat_file[/etc/acme.sh/keys/reflect.example.com/fullchain_with_key.pem]) Failed to generate additional resources using 'eval_generate': Could not retrieve source(s) /etc/acme.sh/keys/reflect.example.com/private.key
params.dh, as far as I understand, should only be on the node itself (not on the master). The same goes for private.key. With the way the source code is written right now, Puppet is expecting both files to be on both master and node, and is looking for /etc/acme.sh/keys/reflect.example.com/private.key, which of course doesn't exist on the master.
I added the following lines in deploy/crt.pp, which fixed that problem.
if $::hostname == 'puppet6' {
  $dh = "${cfg_dir}/puppet6.example.com/params.dh"
  $key = "${key_dir}/puppet6.example.com/private.key"
  $crt_full_chain_with_key = "${key_dir}/puppet.example.com/fullchain_with_key.pem"
} else {
  $dh = "${cfg_dir}/${domain}/params.dh"
  $key = "${key_dir}/${domain}/private.key"
  $crt_full_chain_with_key = "${key_dir}/${domain}/fullchain_with_key.pem"
}
At this point I am experiencing the following issue:
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: Concat[/etc/acme.sh/keys/puppet.example.com/fullchain_with_key.pem] is already declared at (file: /etc/puppetlabs/code/environments/puppet6/site-modules/acme/manifests/deploy/crt.pp, line: 78); cannot redeclare (file: /etc/puppetlabs/code/environments/puppet6/site-modules/acme/manifests/deploy/crt.pp, line: 78) (file: /etc/puppetlabs/code/environments/puppet6/site-modules/acme/manifests/deploy/crt.pp, line: 78, column: 3) (file: /etc/puppetlabs/code/environments/puppet6/site-modules/acme/manifests/request/crt.pp, line: 32) on node puppet6.example.com
I have tried a couple of things, but none of them work 100%, as often fullchain_with_key.pem doesn't get distributed at all.
I would really appreciate your help on this matter.
Thank you!
Using ensure_packages('git') for the puppetmaster setup creates a duplicate declaration error when the package 'git' is included in another module with something other than ensure_packages('git') or ensure => present.
A good explanation can be found in this issue for another module:
willdurand/puppet-composer#44
I propose changing the
ensure_packages('git')
to a
if !defined(Package['git']) {
  ensure_packages('git')
}
which will solve the issue.
Hi, you've said that HTTP-01 challenge is untested, but I'd like to use it anyway.
The following hiera config warns me that my profile is incomplete and that it is missing either "challengetype" or "hook":
acme::acme_revision: 'master'
acme::acme_host: 'server.domain.com'
acme::accounts: [ '[email protected]' ]
acme::default_ca: 'letsencrypt_test'
acme::ca_whitelist:
  - 'letsencrypt_test'
acme::profiles:
  'http_config':
    challengetype: 'http-01'
acme::certificates:
  'sub.domain.com':
    use_profile: 'http_config'
    use_account: '[email protected]'
    ca: 'letsencrypt_test'
Will it be enough to adjust basic profiles validation section in handler.pp manifest?
Regards,
Mario
It would be handy to be able to define a default account.