markt-de / puppet-acme

Centralized SSL certificate management using acme.sh and the ACME protocol
https://forge.puppet.com/markt/acme
Apache License 2.0

Facts for certificates not being generated #51

Open VendettaMike opened 2 months ago

VendettaMike commented 2 months ago

I was reviewing facts on my Puppet server and noticed that only the _acmecsrs fact was included, no _acmecerts facts. I looked into the /lib/facter/acmecert.rb code and saw the following:

Dir['/etc/acme.sh/results/*.pem']
  .map { |a| File.basename(a, '.pem') }
  .each do |cert_name|
    crt = File.read("/etc/acme.sh/results/#{cert_name}.pem")
    ca = File.read("/etc/acme.sh/results/#{cert_name}.ca")
    # excerpt: the rest of the block that builds the fact from crt and ca is omitted here
  end

This looks like it is trying to collect facts from the results directory which is only present on the Puppetserver. On the Puppet node, in my configuration, everything is stored in the certs folder. Changing to the following resulted in the _acmecerts facts being created:

Dir['/etc/acme.sh/certs/*/*.pem']
  .map { |a| File.basename(File.dirname(a)) }
  .each do |cert_name|
    crt = File.read("/etc/acme.sh/certs/#{cert_name}/cert.pem")
    ca = File.read("/etc/acme.sh/certs/#{cert_name}/chain.pem")
    # excerpt: the rest of the block that builds the fact from crt and ca is unchanged
  end

Is this a bug or is it just my configuration?

acme:
  accounts:
    - myemail@mynet.com
  ca_whitelist:
    - letsencrypt
    - letsencrypt_test
  certificates:
    myhost.mynet.com:
      use_profile: nsupdate
      use_account: myemail@mynet.com
      ca: letsencrypt
      notify: Service[myservice]
  default_account: myemail@mynet.com
  default_ca: letsencrypt
  default_profile: nsupdate
  dnssleep: 15
  exec_timeout: 600
  profiles:
    nsupdate:
      challengetype: dns-01
      hook: nsupdate
      env:
        NSUPDATE_SERVER: 10.10.10.10
      options:
        dnssleep: 15
        nsupdate_id: keyname
        nsupdate_type: hmac-sha256
        nsupdate_key: abcdef1234567890

VendettaMike commented 2 months ago

I should follow this up in that I think the facts should be coming from the node agent, and not the master. In the above code, both the node and the master will generate facts for the certificates, so there will be duplicates, but then administrators can use this information to check on node certificate status and compare to what the master has.

In my instance, I've also added additional facts such as issue and expiry date, and issuer information so that reports can be easily generated to ensure renewals and distribution are occurring, and with the right provider for each node.
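As an added example (not code from the markt/acme module or the reporter), this is a node-side fact reader built on the /etc/acme.sh/certs/<name>/cert.pem and chain.pem layout the issue describes, extended with the issue date, expiry and issuer fields the reporter says they added; the demo_facts helper writes a constructed self-signed certificate into a temporary directory so the reader runs without a real acme.sh installation.

```ruby
require 'openssl'
require 'time'
require 'tmpdir'

# Per-certificate facts from the acme.sh client-side layout the issue describes
# (<base_dir>/<cert_name>/cert.pem and chain.pem), plus issue/expiry/issuer
# fields so a report can flag missed renewals or a certificate from the wrong CA.
def acme_cert_facts(base_dir, now = Time.now)
  facts = {}
  Dir[File.join(base_dir, '*', 'cert.pem')].sort.each do |crt_path|
    cert_dir  = File.dirname(crt_path)
    cert_name = File.basename(cert_dir)
    ca_path   = File.join(cert_dir, 'chain.pem')
    crt       = File.read(crt_path)
    x509      = OpenSSL::X509::Certificate.new(crt)
    facts[cert_name] = {
      'crt'            => crt,
      'ca'             => File.exist?(ca_path) ? File.read(ca_path) : '',
      'not_before'     => x509.not_before.utc.iso8601,
      'not_after'      => x509.not_after.utc.iso8601,
      'issuer'         => x509.issuer.to_s(OpenSSL::X509::Name::RFC2253),
      'days_remaining' => ((x509.not_after - now) / 86_400).floor,
    }
  end
  facts
end

# Constructed test data: a self-signed certificate standing in for what acme.sh
# would write; the issuer CN is a placeholder, not a real CA.
def make_test_cert(cn, days)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = OpenSSL::X509::Name.parse('/CN=constructed-test-ca')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + days * 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Lay out a temporary directory shaped like /etc/acme.sh/certs and read it back.
def demo_facts
  Dir.mktmpdir do |base|
    dir = File.join(base, 'myhost.mynet.com')
    Dir.mkdir(dir)
    File.write(File.join(dir, 'cert.pem'),  make_test_cert('myhost.mynet.com', 30))
    File.write(File.join(dir, 'chain.pem'), make_test_cert('constructed-test-ca', 365))
    acme_cert_facts(base)
  end
end
```

In a real fact file the hash returned by acme_cert_facts('/etc/acme.sh/certs') would be handed to Facter as the fact value; the CA match against the configured default_ca and the days_remaining threshold are what a renewal report would key on.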