我在 Vagrant VM 中开发 Puppet 清单。我想配置一个 SSL 终止的 Web 服务器,但当节点仅在我的笔记本电脑上运行时,Let's Encrypt 验证显然会失败。
有没有一种好的方法可以配置 Puppet 仅在真实服务器上使用真实的 Let's Encrypt,并在开发环境中生成自签名证书?也许是 Let's Encrypt 服务器的虚假实现,它使用自签名 CA 授予所有请求?
答案1
我在自己的 Vagrant 盒子上采取的一种方法是使用本地的“snakeoil”证书,并在需要时对我的类进行参数化,以便我可以传递不同的证书。
class custom::profile::apache(
$vhost_domain = $::fqdn,
$use_letsencrypt = true,
){
if $::custom::profile::apache::use_letsencrypt == true {
$ssl_cert = "/etc/letsencrypt/live/${::custom::profile::apache::vhost_domain}/cert.pem"
$ssl_key = "/etc/letsencrypt/live/${::custom::profile::apache::vhost_domain}/privkey.pem"
$ssl_chain = "/etc/letsencrypt/live/${::custom::profile::apache::vhost_domain}/chain.pem"
$require = Exec["letsencrypt certonly ${::fqdn}"]
} else {
$ssl_cert = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
$ssl_key = '/etc/ssl/private/ssl-cert-snakeoil.key'
$ssl_chain = undef
$require = undef
}
include ::apache
::apache::vhost { "https-${::custom::profile::apache::vhost_domain}":
...
ssl_cert => $ssl_cert,
ssl_key => $ssl_key,
ssl_chain => $ssl_chain,
require => $require,
}
}