I'm working on a Puppet module which configures UCARP, HAProxy using Puppet Labs' haproxy module and generates X.509 certificates using the Let's Encrypt CA via certbot. I managed to write the Puppet code in a way to configure HAProxy and set up the Let's Encrypt certificates in a single Puppet run:
- Configure HAProxy with a single HTTP listener, redirecting requests to the URI /.well-known/acme-challenge to a high port on the local system.
- Start HAProxy.
- Retrieve certificates using certbot via Let's Encrypt's staging servers by listening on the mentioned high port on the local system. If it fails, abort.
- Delete the staging certificates.
- Retrieve certificates using certbot via Let's Encrypt's live servers. If it fails, abort.
- Add HTTPS listeners to HAProxy's configuration using the Let's Encrypt certificates.
- Reload HAProxy.
These steps work as expected.
Via a custom Puppet fact, Puppet knows which system is the active one and which systems are stand-by nodes. So the certificates will be generated and renewed on the node which is active.
Now my question is, how can I deploy the generated certificates on the other stand-by nodes? I looked into exported resources, but I'm not sure whether this is the correct way to do it.
How would you solve this problem?
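The single-node workflow the post describes, written out as an added shell example (not the poster's Puppet code): the HAProxy stanza that hands only the ACME path to certbot on a high port, the staging-then-live certbot run, and the PEM bundle HAProxy's ssl crt expects. The domain, e-mail address, port and paths are assumed values; CERTBOT can be pointed at a stub to inspect the commands without contacting Let's Encrypt.

```shell
#!/bin/sh
# Added example, not from the original post. All values below are assumptions.
set -eu

DOMAIN="${DOMAIN:-example.com}"        # assumed domain
EMAIL="${EMAIL:-admin@example.com}"    # assumed ACME account contact
ACME_PORT="${ACME_PORT:-8888}"         # assumed high port certbot listens on
CERTBOT="${CERTBOT:-certbot}"          # set to "echo" to print commands only

# HAProxy HTTP listener: only /.well-known/acme-challenge/ is forwarded to
# certbot's standalone listener; everything else on :80 is sent to HTTPS.
acme_frontend_cfg() {
    cat <<EOF
frontend http_in
    bind *:80
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme if is_acme
    http-request redirect scheme https unless is_acme
backend acme
    server certbot 127.0.0.1:${ACME_PORT}
EOF
}

# Staging first so a misrouted challenge cannot burn live rate limits;
# abort on failure, drop the staging cert, then request the live one.
issue_cert() {
    common="certonly --standalone --http-01-port $ACME_PORT -d $DOMAIN \
            -m $EMAIL --agree-tos --non-interactive"
    $CERTBOT $common --staging || return 1
    $CERTBOT delete --cert-name "$DOMAIN" --non-interactive
    $CERTBOT $common || return 1
}

# HAProxy's "bind ... ssl crt" wants chain and private key in one PEM file;
# the file contains the key, so it is created 0600 via a subshell umask.
bundle_cert() {
    src="$1"; dst="$2"
    ( umask 077; cat "$src/fullchain.pem" "$src/privkey.pem" > "$dst" )
}
```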