Modules / MODULES-10847

puppetlabs/apache : reload on new cert for vhost


Details

    • Type: New Feature
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Component: apache
    • Environment: I've not modified the environment that OpsWorks set up.

    • The apache class should have a method to let a certificate change trigger a reload while keeping the certificates in file system objects that have restricted permissions. This could be done by having a way to access the service object without accessing the class as a whole (if I could subscribe the service without subscribing the group www-data, I would not have a dependency cycle). It could also be done by creating a way to manage the certificates used by apache as part of the class, perhaps by depending on a module that already offers that functionality so that you can re-use its controls.
    • Needs Assessment

    Description

      Basic Info
      Module Version:
      puppetlabs/apache 5.6.0
      Puppet Version:
      PE 2018.1.7 as installed by AWS OpsWorks-CM
      OS Name/Version:
      "operatingsystem": "Amazon",
      "operatingsystemmajrelease": "2",
      "operatingsystemrelease": "2",


      Desired Behavior:
      I am obtaining a certificate with the puppet/letsencrypt module from https://forge.puppet.com/puppet/letsencrypt and configuring apache with
      puppetlabs/apache, also from forge.puppet, both set to pull the latest module in my Puppetfile. I would like to set it up so that when letsencrypt renews the certificate, puppet reloads apache. I have the following configuration:

      ```puppet
      class { '::apache':
        confd_dir         => '/etc/apache2/conf-enabled',
        default_mods      => false,
        default_ssl_vhost => false,
        default_vhost     => false,
        mpm_module        => 'event',
        purge_configs     => true,
        serveradmin       => 'webmaster@schierer.name',
        servername        => 'www.schierer.name',
      }

      # Obtain the certificate, then copy the live files into the apache
      # ssl directory (links => 'follow' copies the symlink targets).
      letsencrypt::certonly { 'schierer.name':
        domains => ['schierer.name', 'www.schierer.name'],
        plugin  => 'dns-route53',
      }
      -> file { '/etc/apache2/ssl/cert.pem':
        ensure => 'present',
        links  => 'follow',
        owner  => 'root',
        group  => 'www-data',
        mode   => '0750',
        source => 'file:///etc/letsencrypt/live/schierer.name/cert.pem',
      }
      -> file { '/etc/apache2/ssl/chain.pem':
        ensure => 'present',
        links  => 'follow',
        owner  => 'root',
        group  => 'www-data',
        mode   => '0750',
        source => 'file:///etc/letsencrypt/live/schierer.name/chain.pem',
      }
      -> file { '/etc/apache2/ssl/privkey.pem':
        ensure => 'present',
        links  => 'follow',
        owner  => 'root',
        group  => 'www-data',
        mode   => '0750',
        source => 'file:///etc/letsencrypt/live/schierer.name/privkey.pem',
      }

      apache::vhost { 'schierer.name ssl':
        servername    => 'schierer.name',
        serveraliases => ['www.schierer.name', 'schierer.name'],
        port          => 443,
        ssl           => true,
        ssl_cert      => '/etc/apache2/ssl/cert.pem',
        ssl_key       => '/etc/apache2/ssl/privkey.pem',
        ssl_ca        => '/etc/apache2/ssl/chain.pem',
        docroot       => '/home/schierer/www',
      }
      ```

      Actual Behavior:

      Any attempt to make the class ::apache depend on the certificate results in a dependency cycle because of the group ownership. Making the certificate world readable would avoid that, if I changed the group to root as well, but it still seems like this should be possible without that.

      I can make the vhost depend on the cert, but that does not trigger a refresh of the service. Subscribing the vhost to the cert triggers a refresh of the vhost's configuration files, but since they do not actually change as a result, the overall apache service does not end up getting reloaded.

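Editor's added example (not part of the ticket, and not code from puppetlabs/apache or puppet/letsencrypt): one way to get the reload the reporter describes without subscribing to `Class['apache']` as a whole. It assumes, as the module's 5.x manifests do, that puppetlabs/apache declares its service resource inside the class `apache::service`, so that class can be the target of a notification while the group `www-data` managed by the top-level class stays out of the dependency chain. The paths, domain and `www-data` group are taken from the reporter's manifest; the `$ssl_dir` and `$src_dir` variables, the `0640` modes, the `validate_cmd` checks and `show_diff => false` are additions.

```puppet
# Added example: refresh only the Apache service when the copied
# certificate files change. Assumes puppetlabs/apache keeps its service
# resource in the class apache::service (true for the 5.x manifests).

class { 'apache':
  confd_dir         => '/etc/apache2/conf-enabled',
  default_mods      => false,
  default_ssl_vhost => false,
  default_vhost     => false,
  mpm_module        => 'event',
  purge_configs     => true,
  serveradmin       => 'webmaster@schierer.name',
  servername        => 'www.schierer.name',
}

letsencrypt::certonly { 'schierer.name':
  domains => ['schierer.name', 'www.schierer.name'],
  plugin  => 'dns-route53',
}

# Assumed names for this example (not from the ticket).
$ssl_dir = '/etc/apache2/ssl'
$src_dir = '/etc/letsencrypt/live/schierer.name'

# Directory readable only by root and the web server group.
file { $ssl_dir:
  ensure => directory,
  owner  => 'root',
  group  => 'www-data',
  mode   => '0750',
}

# Regular files need no execute bit: 0640 lets the www-data group read
# them and nobody else. validate_cmd rejects a malformed file before it
# replaces the previous copy (and before any reload is triggered).
file { "${ssl_dir}/cert.pem":
  ensure       => file,
  links        => 'follow',
  owner        => 'root',
  group        => 'www-data',
  mode         => '0640',
  source       => "file://${src_dir}/cert.pem",
  validate_cmd => '/usr/bin/openssl x509 -noout -in %',
}

file { "${ssl_dir}/chain.pem":
  ensure       => file,
  links        => 'follow',
  owner        => 'root',
  group        => 'www-data',
  mode         => '0640',
  source       => "file://${src_dir}/chain.pem",
  validate_cmd => '/usr/bin/openssl x509 -noout -in %',
}

# show_diff => false keeps private key material out of agent reports
# and logs when the file changes.
file { "${ssl_dir}/privkey.pem":
  ensure       => file,
  links        => 'follow',
  owner        => 'root',
  group        => 'www-data',
  mode         => '0640',
  source       => "file://${src_dir}/privkey.pem",
  show_diff    => false,
  validate_cmd => '/usr/bin/openssl pkey -noout -in %',
}

# Fetch before copying; a change to any copied file notifies only the
# service class. Each file still autorequires Group['www-data'] from
# Class['apache'], but nothing here depends on Class['apache'] as a
# whole, so no cycle is introduced.
Letsencrypt::Certonly['schierer.name']
-> File["${ssl_dir}/cert.pem", "${ssl_dir}/chain.pem", "${ssl_dir}/privkey.pem"]
~> Class['apache::service']

apache::vhost { 'schierer.name ssl':
  servername    => 'schierer.name',
  serveraliases => ['www.schierer.name', 'schierer.name'],
  port          => 443,
  ssl           => true,
  ssl_cert      => "${ssl_dir}/cert.pem",
  ssl_key       => "${ssl_dir}/privkey.pem",
  ssl_ca        => "${ssl_dir}/chain.pem",
  docroot       => '/home/schierer/www',
}
```

The `~>` edge into `Class['apache::service']` is what makes a renewed certificate reload Apache: the vhost template does not change when the certificate content changes, so subscribing the vhost alone never propagates a refresh. If a future module version moves the service out of `apache::service`, the target of that edge is the only line that needs updating.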

          People

            Assignee: Unassigned
            Reporter: luke.schierer (Luke Schierer)
            Votes: 0
            Watchers: 2