Thursday, April 19, 2018

Puppet: deploy certificate from active node to stand-by node


I'm working on a Puppet module which configures UCARP, HAProxy using Puppet Labs' haproxy module and generates X.509 certificates using the Let's Encrypt CA via certbot. I managed to write the Puppet code in a way to configure HAProxy and set up the Let's Encrypt certificates in a single Puppet run:

  1. Configure HAProxy with a single HTTP listener, redirecting requests to the URI /.well-known/acme-challenge to a high-port on the local system.
  2. Start HAProxy.
  3. Retrieve certificates using certbot via Let's Encrypt's staging servers by listening on the mentioned high-port on the local system. If it fails, abort.
  4. Delete the staging certificates.
  5. Retrieve certificates using certbot via Let's Encrypt's live servers. If it fails, abort.
  6. Add HTTPS listeners to HAProxy's configuration using the Let's Encrypt certificates.
  7. Reload HAProxy.

These steps work as expected.

Via a custom Puppet fact, Puppet knows which system is the active one and which systems are stand-by nodes. So the certificates will be generated and renewed on the node which is active.

Now my question is, how can I deploy the generated certificates on the other stand-by nodes? I looked into exported resources, but I'm not sure whether this is the correct way to do it.

How would you solve this problem?

0 Answers
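As an added illustration of the exported-resource approach the question mentions (this is example code, not the poster's module and not an answer the page carries), the manifest below exports the public certificate chain from whichever node is active and collects it on the stand-by nodes. It assumes two hypothetical custom facts, `le_active` (true on the node currently holding the UCARP address) and `le_fullchain` (the PEM text of the Let's Encrypt `fullchain.pem`, read by a custom fact on the active node), a `Service['haproxy']` declared by the haproxy module, and a PuppetDB-backed master so exported resources can be collected. Only the public chain travels this way: fact values are stored in PuppetDB and are readable by anything with query access, so the private key must reach the stand-by nodes over a separate, access-controlled channel.

```puppet
# Added example: distribute the Let's Encrypt chain from the active node to
# the stand-by nodes with exported resources. Hypothetical facts assumed here:
#   $facts['le_active']    - true only on the node holding the UCARP address
#   $facts['le_fullchain'] - PEM text of fullchain.pem (public material only),
#                            produced by a custom fact on the active node
class haproxy_le::distribute (
  String               $domain,
  Stdlib::Absolutepath $cert_dir = '/etc/haproxy/certs',
) {
  if $facts['le_active'] {
    # Active node: export the chain so every other node can collect it.
    # The resource is also applied locally, so the active node keeps a copy
    # at the same path. Do not export the private key via a fact: PuppetDB
    # stores fact values in clear and exposes them to every query client.
    @@file { "${cert_dir}/${domain}.fullchain.pem":
      ensure  => file,
      owner   => 'root',
      group   => 'haproxy',
      mode    => '0640',
      content => $facts['le_fullchain'],
      tag     => "le_cert_${domain}",
    }
  } else {
    # Stand-by node: collect the chain exported by the active node and
    # reload HAProxy when it changes, so a renewed certificate is already
    # in place before a failover happens.
    File <<| tag == "le_cert_${domain}" |>> {
      notify => Service['haproxy'],
    }
  }
}
```

The resource title doubles as the file path, which also acts as a safety check: if two nodes ever believe they are active at the same time (a UCARP split brain), both export the same title and the catalog compile on the stand-by nodes fails with a duplicate-resource error instead of silently serving whichever chain was exported last.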
