Let's Encrypt is a non-profit certificate authority run by the Internet Security Research Group that provides X.509 certificates for Transport Layer Security (TLS) at no charge.
The basic process is outlined in How To Secure Apache with Let's Encrypt on Ubuntu 18.04 .
subjectAltName in cert terms) to be included in the certificate. No wildcards are permitted.
ssl-in the puppet nodefile
Certbot is a free, open source software tool for automatically obtaining and installing Let's Encrypt certificates on manually administered websites to enable HTTPS.
Check for any potential errors first. A dry run exercises the full renewal against the Let's Encrypt staging environment and does not replace the live certificates, so it is safe to run at any time:
~# certbot --apache renew --dry-run
Renew the certificate (certbot only renews certificates that are within their renewal window, 30 days before expiry by default):
~# certbot --apache renew
mod_md manages common properties of domains for one or more virtual hosts, and obtains and renews their certificates via the ACME protocol (Let's Encrypt by default), so no external client such as certbot is needed.
TL;DR: See https://github.com/apache/infrastructure-p6/blob/production/data/nodes/nightlies-vm-he-fi.apache.org.yaml for a working setup.
Configuring mod_md for Apache httpd is straightforward.
Enable mod_ssl and mod_md manually in the node yaml first:
Then, in the SSL vhost stanza, set ssl to false and do not specify any keys or certificates, but do add SSLEngine On.
We do this because we want TLS on in httpd, but we do not want puppet to manage the key and certificate at all (mod_md supplies them once it has obtained them):
The serveradmin: entry of the above vhost stanza is important to include, as mod_md uses the resulting ServerAdmin value as the contact email address when registering the ACME account and requesting the certificate (newer mod_md versions also accept an explicit MDContactEmail directive). If you omit the email address, the certificate will not be requested at all and httpd will keep serving its self-signed fallback certificate.
httpd might need a manual stop/start after the first run: mod_md obtains the certificate in the background after httpd has started, and the new certificate is only loaded on the next restart or graceful reload. From then on certificates are set up and renewed automatically.
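For reference, this is the httpd configuration that the node yaml and vhost stanza above amount to once puppet has rendered it, added here as an illustration; it is not code from this page or from the infrastructure-p6 repository, the hostnames, paths and contact address are placeholders, and the puppet yaml form itself is left to the linked node file.

```apache
# Added example, not the ASF puppet output: hostnames, paths and the contact
# address below are placeholders.
LoadModule ssl_module modules/mod_ssl.so
LoadModule md_module  modules/mod_md.so

# One managed domain. Every name listed here ends up in the subjectAltName of
# a single certificate; no wildcards (mod_md's default http-01 challenge
# cannot complete the DNS-01 challenge that Let's Encrypt requires for them).
MDomain example.apache.org www.example.apache.org

# Required: without agreeing to the CA's terms no certificate is requested.
MDCertificateAgreement accepted

# The ACME account contact comes from ServerAdmin in the vhost below; on
# mod_md 2.x it can also be set explicitly. Without either, mod_md logs an
# error and httpd keeps serving its self-signed fallback certificate.
MDContactEmail root@example.apache.org

# Status page for checking progress, restricted to the local host.
<Location "/md-status">
    SetHandler md-status
    Require ip 127.0.0.1 ::1
</Location>

<VirtualHost *:80>
    ServerName example.apache.org
    ServerAlias www.example.apache.org
    # mod_md answers /.well-known/acme-challenge/ on this vhost for the
    # http-01 challenge, so do not redirect that path to https.
</VirtualHost>

<VirtualHost *:443>
    ServerName example.apache.org
    ServerAlias www.example.apache.org
    ServerAdmin root@example.apache.org
    # TLS on, but deliberately no SSLCertificateFile/SSLCertificateKeyFile:
    # mod_md provides the key and certificate it has obtained.
    SSLEngine on
    DocumentRoot /var/www/example
</VirtualHost>
```

Sanity checks after the first start: `apachectl -M | grep md_module` confirms the module is loaded, `curl -s http://127.0.0.1/md-status` (run on the host itself) shows whether the managed domain has a certificate yet or is still waiting on the challenge, and the error log reports the reason if the request fails (terms not accepted, no contact address, port 80 not reachable from the Internet). Once the status page shows a certificate, restart or gracefully reload httpd so that it replaces the fallback certificate.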