Facts for certificates not being generated #51

Open
VendettaMike opened this issue May 27, 2024 · 1 comment

Comments

@VendettaMike

I was reviewing facts on my Puppet server and noticed that only the acme_csrs fact was included, with no acme_certs fact. I looked into the /lib/facter/acme_cert.rb code and saw the following:

```ruby
Dir['/etc/acme.sh/results/*.pem']
  .map { |a| File.basename(a, '.pem') }
  .each do |cert_name|
  crt = File.read("/etc/acme.sh/results/#{cert_name}.pem")
  ca = File.read("/etc/acme.sh/results/#{cert_name}.ca")
  # ... rest of the fact body unchanged
end
```

This looks like it is trying to collect facts from the results directory which is only present on the Puppetserver. On the Puppet node, in my configuration, everything is stored in the certs folder. Changing to the following resulted in the acme_certs facts being created:

```ruby
Dir['/etc/acme.sh/certs/*/*.pem']
  .map { |a| File.basename(File.dirname(a)) }
  .each do |cert_name|
  crt = File.read("/etc/acme.sh/certs/#{cert_name}/cert.pem")
  ca = File.read("/etc/acme.sh/certs/#{cert_name}/chain.pem")
  # ... rest of the fact body unchanged
end
```

Is this a bug or is it just my configuration?

```yaml
acme:
  accounts:
    - [email protected]
  ca_whitelist:
    - letsencrypt
    - letsencrypt_test
  certificates:
    myhost.mynet.com:
      use_profile: nsupdate
      use_account: [email protected]
      ca: letsencrypt
      notify: Service[myservice]
  default_account: [email protected]
  default_ca: letsencrypt
  default_profile: nsupdate
  dnssleep: 15
  exec_timeout: 600
  profiles:
    nsupdate:
      challengetype: dns-01
      hook: nsupdate
      env:
        NSUPDATE_SERVER: 10.10.10.10
      options:
        dnssleep: 15
        nsupdate_id: keyname
        nsupdate_type: hmac-sha256
        nsupdate_key: abcdef1234567890
```
VendettaMike changed the title from "Fact for CERTs not" to "Facts for certificates not being generated" on May 27, 2024

@VendettaMike (Author)

I should follow this up: I think the facts should be coming from the node agent, not the master. In the above code, both the node and the master will generate facts for the certificates, so there will be duplicates, but then administrators can use this information to check on node certificate status and compare it to what the master has.

In my instance, I've also added additional facts such as issue and expiry date, and issuer information so that reports can be easily generated to ensure renewals and distribution are occurring, and with the right provider for each node.
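As an added example that is not part of this issue or of the puppet-acme module's code, the following Ruby collector shows what an agent-side acme_certs fact along the lines of the first comment's patch could look like, extended with the issue date, expiry date and issuer fields the follow-up comment mentions. It assumes the layout described above (`<base_dir>/certs/<name>/cert.pem` with an optional `chain.pem` beside it); the function name `acme_cert_facts`, the `base_dir` and `now:` parameters and the `build_sample_tree` fixture are illustrative choices, not module APIs. It parses each leaf with `OpenSSL::X509::Certificate` instead of returning the raw PEM, reports one unreadable entry under an `error` key rather than aborting the whole fact, and only registers with Facter when Facter is actually loaded, so it can be run and tested on a workstation without Puppet installed.

```ruby
require 'openssl'
require 'time'
require 'fileutils'
require 'tmpdir'

# Added example (not the puppet-acme module's code). Collects per-certificate
# facts from the agent-side layout described in the issue, assumed to be:
#   <base_dir>/certs/<name>/cert.pem   leaf certificate issued by acme.sh
#   <base_dir>/certs/<name>/chain.pem  issuing chain (may be absent)
# Returns a Hash keyed by certificate directory name. A single unreadable or
# malformed entry is reported under an 'error' key instead of aborting the
# whole fact, so one bad file cannot hide every other certificate.
def acme_cert_facts(base_dir = '/etc/acme.sh', now: Time.now)
  facts = {}
  Dir[File.join(base_dir, 'certs', '*', 'cert.pem')].sort.each do |cert_path|
    cert_name  = File.basename(File.dirname(cert_path))
    chain_path = File.join(File.dirname(cert_path), 'chain.pem')
    begin
      crt = OpenSSL::X509::Certificate.new(File.read(cert_path))
    rescue OpenSSL::X509::CertificateError, SystemCallError => e
      facts[cert_name] = { 'error' => "#{e.class}: #{e.message}" }
      next
    end
    days_left = ((crt.not_after - now) / 86_400).floor
    facts[cert_name] = {
      'subject'       => crt.subject.to_s(OpenSSL::X509::Name::RFC2253),
      'issuer'        => crt.issuer.to_s(OpenSSL::X509::Name::RFC2253),
      'serial'        => crt.serial.to_s(16),
      'not_before'    => crt.not_before.utc.iso8601,
      'not_after'     => crt.not_after.utc.iso8601,
      'days_left'     => days_left,
      'expired'       => days_left < 0,
      'chain_present' => File.exist?(chain_path),
      # Fingerprint lets a report compare what the agent holds with what the
      # Puppet server issued, as the follow-up comment suggests.
      'sha256'        => OpenSSL::Digest::SHA256.hexdigest(crt.to_der),
    }
  end
  facts
end

# Register the fact only when loaded by Facter; the collector above stays
# callable and testable on a machine without Facter installed.
if defined?(Facter)
  Facter.add(:acme_certs) do
    setcode { acme_cert_facts }
  end
end

# Test fixture: writes a self-signed certificate into an acme.sh-style tree
# under +dir+. This is constructed sample data, not a real issued certificate.
def build_sample_tree(dir, name, days_valid, now: Time.now, with_chain: true)
  key = OpenSSL::PKey::RSA.new(2048)
  crt = OpenSSL::X509::Certificate.new
  crt.version    = 2
  crt.serial     = 0x1234
  crt.subject    = OpenSSL::X509::Name.parse("/CN=#{name}")
  crt.issuer     = OpenSSL::X509::Name.parse('/CN=Example Test CA')
  crt.public_key = key.public_key
  crt.not_before = now - 3600
  crt.not_after  = now + days_valid * 86_400
  crt.sign(key, OpenSSL::Digest::SHA256.new)
  cert_dir = File.join(dir, 'certs', name)
  FileUtils.mkdir_p(cert_dir)
  File.write(File.join(cert_dir, 'cert.pem'), crt.to_pem)
  File.write(File.join(cert_dir, 'chain.pem'), crt.to_pem) if with_chain
  crt
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    build_sample_tree(dir, 'myhost.mynet.com', 30)
    build_sample_tree(dir, 'old.mynet.com', -5, with_chain: false)
    acme_cert_facts(dir).each { |name, f| puts "#{name}: #{f.inspect}" }
  end
end
```

Running the file prints one line per certificate directory found under a temporary tree. Dropped into `lib/facter/`, the same collector would be evaluated on every agent, which is the behaviour the second comment argues for: each node reports the certificates it actually holds, and a server-side report can join on `sha256` or `serial` to confirm distribution and renewal rather than trusting the master's results directory alone.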
