- Module Description - What the module does and why it is useful
- Setup - The basics of getting started with dehydrated
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
The dehydrated module lets you use Puppet to manage the creation and renewal of Let's Encrypt certificates with dehydrated.
Let's Encrypt needs a contact address, which must be passed to the dehydrated class:

```puppet
class { 'dehydrated':
  contact_email => '[email protected]',
}
```

This is enough to get started creating certificates.
After including the required dehydrated class, each dehydrated::certificate will produce a single certificate file:

```puppet
class { 'dehydrated':
  contact_email => '[email protected]',
}

dehydrated::certificate { 'example.com':
}
```
A dehydrated::certificate can use the domains parameter to indicate Subject Alternative Names (SAN):

```puppet
class { 'dehydrated':
  contact_email => '[email protected]',
}

dehydrated::certificate { 'example.com':
  domains => [
    'www.example.com',
    'example.net',
    'www.example.net',
  ],
}
```
The cron_integration parameter of the dehydrated class configures cron to renew certificates before they expire:

```puppet
class { 'dehydrated':
  contact_email    => '[email protected]',
  cron_integration => true,
}
```

Please note that the web server is not automatically restarted when certificates are renewed.
The apache_integration parameter of the dehydrated class configures apache to serve the challenges used for domain validation.

The following example redirects all HTTP requests to HTTPS except those related to Let's Encrypt's validation:

```puppet
include ::apache
include ::apache::mod::rewrite

class { 'dehydrated':
  contact_email      => '[email protected]',
  apache_integration => true,
}

apache::vhost { 'main':
  port           => 80,
  default_vhost  => true,
  docroot        => '/var/empty',
  manage_docroot => false,
  directories    => [
    {
      path     => '/var/empty',
      rewrites => [
        {
          rewrite_rule => '.* https://%{HTTP_HOST}%{REQUEST_URI} [R=301]',
        },
      ],
    },
  ],
}
```
Main class used to set up the system.

- `contact_email`: The e-mail address Let's Encrypt can use to reach you regarding your certificates.
- `apache_integration`: Specifies whether to set up apache to serve the generated challenges. Default: 'false'.
- `cron_integration`: Specifies whether to set up cron to automatically renew certificates. Default: 'false'.
- `user`: Specifies the user account used to manage certificates. Default: 'dehydrated'.
- `$dehydrated::ipversion`: Resolve names to addresses of the given IP version only.
- `$dehydrated::ca`: Path to certificate authority.
- `$dehydrated::ca_terms`: Path to certificate authority license terms redirect.
- `$dehydrated::license`: Path to license agreement.
- `$dehydrated::challengetype`: Which challenge should be used?
- `$dehydrated::keysize`: Default keysize for private keys.
- `$dehydrated::openssl_cnf`: Path to openssl config file.
- `$dehydrated::hook`: Program or function called in certain situations.
- `$dehydrated::hook_chain`: Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate.
- `$dehydrated::renew_days`: Minimum days before expiration to automatically renew certificate.
- `$dehydrated::private_key_renew`: Regenerate private keys instead of just signing new certificates on renewal. Default: 'yes'.
- `$dehydrated::private_key_rollover`: Create an extra private key for rollover.
- `$dehydrated::key_algo`: Which public key algorithm should be used?
- `$dehydrated::ocsp_must_staple`: Option to add a CSR flag indicating that OCSP stapling is mandatory.
Class used to describe the certificates that should be maintained.

- `domains`: Specifies the list of domains to include as Subject Alternative Names (SAN).