create ssl cert per vhost, not one monster

theforeman · Sep 18, 2024 · 2f6f03b · 2f6f03b
1 parent cc1300e
commit 2f6f03b
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 35 deletions.
diff --git a/puppet/modules/web/manifests/init.pp b/puppet/modules/web/manifests/init.pp
@@ -15,37 +15,6 @@
     letsencrypt => $https,
   }
 
-  if $https {
-    $letsencypt_domain = 'theforeman.org'
-
-    letsencrypt::certonly { $letsencypt_domain:
-      plugin        => 'webroot',
-      # domain / webroot_paths must match exactly
-      domains       => [
-        'theforeman.org',
-        'archivedeb.theforeman.org',
-        'deb.theforeman.org',
-        'debugs.theforeman.org',
-        'downloads.theforeman.org',
-        'stagingdeb.theforeman.org',
-        'www.theforeman.org',
-        'yum.theforeman.org',
-        'stagingyum.theforeman.org',
-      ],
-      webroot_paths => [
-        '/var/www/vhosts/web/htdocs',
-        '/var/www/vhosts/archivedeb/htdocs',
-        '/var/www/vhosts/deb/htdocs',
-        '/var/www/vhosts/debugs/htdocs',
-        '/var/www/vhosts/downloads/htdocs',
-        '/var/www/vhosts/stagingdeb/htdocs',
-        '/var/www/vhosts/web/htdocs',
-        '/var/www/vhosts/yum/htdocs',
-        '/var/www/vhosts/stagingyum/htdocs',
-      ],
-    }
-  }
-
   if $facts['os']['selinux']['enabled'] {
     include selinux
 

diff --git a/puppet/modules/web/manifests/vhost.pp b/puppet/modules/web/manifests/vhost.pp
@@ -52,6 +52,13 @@
   }
 
   if $web::https {
+    letsencrypt::certonly { $servername:
+      plugin        => 'webroot',
+      # domain / webroot_paths must match exactly
+      domains       => [$servername] + $serveraliases,
+      webroot_paths => [$docroot] + ([$docroot] * $serveraliases.lenth),
+    }
+
     apache::vhost { "${title}-https":
       servername    => $servername,
       serveraliases => $serveraliases,
@@ -62,10 +69,10 @@
       docroot_mode  => $docroot_mode,
       port          => 443,
       ssl           => true,
-      ssl_cert      => "${letsencrypt::config_dir}/live/${web::letsencypt_domain}/cert.pem",
-      ssl_chain     => "${letsencrypt::config_dir}/live/${web::letsencypt_domain}/chain.pem",
-      ssl_key       => "${letsencrypt::config_dir}/live/${web::letsencypt_domain}/privkey.pem",
-      require       => Letsencrypt::Certonly[$web::letsencypt_domain],
+      ssl_cert      => "${letsencrypt::config_dir}/live/${servername}/cert.pem",
+      ssl_chain     => "${letsencrypt::config_dir}/live/${servername}/chain.pem",
+      ssl_key       => "${letsencrypt::config_dir}/live/${servername}/privkey.pem",
+      require       => Letsencrypt::Certonly[$servername],
       *             => $attrs,
     }
   }