
Use custom Puppet fileserver mount points for auto-ca and LE certs

Currently we have two different patterns for sourcing auto-ca and Let's Encrypt TLS material:

  • auto-ca: uses a symlink at modules/ssl/files pointing to /var/lib/puppet/auto-ca (this is new; until today auto-ca was just dumping its files directly into the environment)

  • Let's Encrypt: uses a special ERB template which reads the actual certificate content from another path on the filesystem using a plain Ruby File.read() call

Both methods, apart from being different ways of doing the same thing, add a fair amount of indirection to an already complex and sometimes confusing system.

We should look into making this simpler by configuring a custom Puppet Server mount point that lets clients retrieve the required TLS material directly, without relying on special snowflake symlinks and templates.
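One way the mount-point approach could look, as an added example that is not code from this repository: it assumes a Puppet 4+ parser (for the heredoc) on a Debian-style /etc/puppet layout, a per-host directory layout under /var/lib/puppet/auto-ca, and an assumed /var/lib/puppet/letsencrypt directory since the issue does not name the Let's Encrypt path.

```puppet
# Server side: declare the two custom mounts in fileserver.conf.
# ASSUMED paths: /etc/puppet/fileserver.conf, and material laid out as
# /var/lib/puppet/{auto-ca,letsencrypt}/<fqdn>/<fqdn>.{crt,key}.
class profile::puppetserver::tls_mounts {
  file { '/etc/puppet/fileserver.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    # %H expands to the requesting node's fully-qualified certname, so each
    # agent can only fetch files under its own directory, never another
    # host's private key. 'allow' is the legacy fileserver.conf ACL; on newer
    # Puppet Server the matching auth.conf rule governs access as well.
    content => @(CONF),
      [auto-ca]
        path /var/lib/puppet/auto-ca/%H
        allow *
      [letsencrypt]
        path /var/lib/puppet/letsencrypt/%H
        allow *
      | CONF
    notify  => Service['puppetserver'],  # adjust to how the master runs
  }
}

# Agent side: fetch the node's own material straight from the mount,
# replacing both the symlink (auto-ca) and the File.read() template (LE).
class profile::tls::certs (
  Boolean $use_letsencrypt = false,
) {
  $mount = $use_letsencrypt ? { true => 'letsencrypt', default => 'auto-ca' }

  file { "/etc/ssl/localcerts/${::fqdn}.crt":
    ensure => file,
    mode   => '0444',
    source => "puppet:///${mount}/${::fqdn}.crt",
  }

  file { "/etc/ssl/private/${::fqdn}.key":
    ensure    => file,
    owner     => 'root',
    group     => 'ssl-cert',
    mode      => '0440',
    show_diff => false,  # keep key bytes out of reports and logs
    source    => "puppet:///${mount}/${::fqdn}.key",
  }
}
```

Restart of the master is needed after changing fileserver.conf, which the notify above handles when the service name matches your setup.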
