I am trying to create a letsencrypt module in Puppet. Basically, what I am trying to achieve is the following:
- Adding a new node and importing my module:
class { "letsencrypt": url => "example.com" }
- The puppet master will then check in its file folder if there is already a private key and a CSR for the given URL and then either:
- copy the private key and the CSR to the node, or
- run
openssl genrsa 4096 > example.com.key
(and one key for the letsencrypt account and the certificate signing request), save it to the puppet files folder and run step 2 again.
- Setup a cron job on the node to run acme-tiny once every three months.
- Run acme-tiny once on the node and get the first certificate and reload/start the web server.
Basically my problem is how to run a command on the puppet master. I would like to run the key generation on the puppet master and have the private key there, and only have the certificate request run on the node.
Is this even possible with Puppet? Or should I pass the complete procedure to the node entirely, not tracking anything in Puppet at all (just setting up the cronjob etc)?
Thanks!
Puppet provides a function named generate, which will populate a local manifest variable with the output of an arbitrary local command. It could be used to call a custom local script that performs the key generation, installs the public key locally, and returns the private key content, which can then be installed as a file resource on the puppet agent. For example:
file { "/path/to/private/key": ensure => present, content => generate("/path/to/my/custom/script"), ... }