From 391a875d78710e5313a7ee2179f0da41e0147e26 Mon Sep 17 00:00:00 2001
From: Martijn de Gouw
Date: Thu, 22 Jun 2023 17:14:13 +0200
Subject: [PATCH] Add support for specifying key type
Defaults to rsa for backwards compatibility
---
 REFERENCE.md | 36 ++++++++++++++++++++++++++++++++++++
 manifests/certonly.pp | 14 ++++++++++++--
 manifests/init.pp | 4 ++++
 3 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/REFERENCE.md b/REFERENCE.md
index 1771d7d7..0fe51870 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -75,7 +75,9 @@ The following parameters are available in the `letsencrypt` class:
 * [`agree_tos`](#-letsencrypt--agree_tos)
 * [`unsafe_registration`](#-letsencrypt--unsafe_registration)
 * [`config_dir`](#-letsencrypt--config_dir)
+* [`key_type`](#-letsencrypt--key_type)
 * [`key_size`](#-letsencrypt--key_size)
+* [`elliptic_curve`](#-letsencrypt--elliptic_curve)
 * [`certificates`](#-letsencrypt--certificates)
 * [`renew_pre_hook_commands`](#-letsencrypt--renew_pre_hook_commands)
 * [`renew_post_hook_commands`](#-letsencrypt--renew_post_hook_commands)
@@ -208,6 +210,14 @@ The path to the configuration directory.
 Default value: `'/etc/letsencrypt'`
+##### `key_type`
+
+Data type: `Enum['rsa', 'ecdsa']`
+
+Type of private key
+
+Default value: `'rsa'`
+
 ##### `key_size`
 Data type: `Integer[2048]`
@@ -216,6 +226,14 @@ Size for the RSA public key
 Default value: `4096`
+##### `elliptic_curve`
+
+Data type: `String[1]`
+
+The SECG elliptic curve name to use
+
+Default value: `'secp256r1'`
+
 ##### `certificates`
 Data type: `Hash[String[1],Hash]`
@@ -786,7 +804,9 @@ The following parameters are available in the `letsencrypt::certonly` defined ty
 * [`letsencrypt_command`](#-letsencrypt--certonly--letsencrypt_command)
 * [`additional_args`](#-letsencrypt--certonly--additional_args)
 * [`environment`](#-letsencrypt--certonly--environment)
+* [`key_type`](#-letsencrypt--certonly--key_type)
 * [`key_size`](#-letsencrypt--certonly--key_size)
+* [`elliptic_curve`](#-letsencrypt--certonly--elliptic_curve)
 * [`manage_cron`](#-letsencrypt--certonly--manage_cron)
 * [`cron_output`](#-letsencrypt--certonly--cron_output)
 * [`cron_before_command`](#-letsencrypt--certonly--cron_before_command)
@@ -869,6 +889,14 @@ An optional array of environment variables
 Default value: `[]`
+##### `key_type`
+
+Data type: `Enum['rsa', 'ecdsa']`
+
+Type of private key
+
+Default value: `$letsencrypt::key_type`
+
 ##### `key_size`
 Data type: `Integer[2048]`
@@ -877,6 +905,14 @@ Size for the RSA public key
 Default value: `$letsencrypt::key_size`
+##### `elliptic_curve`
+
+Data type: `String[1]`
+
+The SECG elliptic curve name to use
+
+Default value: `$letsencrypt::elliptic_curve`
+
 ##### `manage_cron`
 Data type: `Boolean`
diff --git a/manifests/certonly.pp b/manifests/certonly.pp
index 1c17ecc8..d04e77e7 100644
--- a/manifests/certonly.pp
+++ b/manifests/certonly.pp
@@ -87,7 +89,9 @@
 # @param letsencrypt_command Command to run letsencrypt
 # @param additional_args An array of additional command line arguments to pass to the `letsencrypt` command.
 # @param environment An optional array of environment variables
+# @param key_type Type of private key
 # @param key_size Size for the RSA public key
+# @param elliptic_curve The SECG elliptic curve name to use
 # @param manage_cron
 # Indicating whether or not to schedule cron job for renewal.
 # Runs daily but only renews if near expiration, e.g. within 10 days.
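Review bot: The new `# @param key_type` and `# @param elliptic_curve` lines, and the untouched `# @param key_size` line next to them, do not say that the two size settings are mutually exclusive: the `$key_args` selection added in the `@@ -153,10 +157,16 @@` hunk of this file uses only `$key_size` for `'rsa'` and only `$elliptic_curve` for `'ecdsa'`, so the other value is silently ignored. Suggested wording: `# @param key_size Size for the RSA public key; only used when key_type is 'rsa'` and `# @param elliptic_curve The SECG elliptic curve name to use; only used when key_type is 'ecdsa'`. The same `@param` lines are added to manifests/init.pp in its `@@ -27,7 +29,9 @@` hunk and should get the same wording there. The `@param` comment block these lines belong to continues on both sides of the hunk.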
@@ -128,7 +130,9 @@
 Letsencrypt::Plugin $plugin = 'standalone',
 Array[Stdlib::Unixpath] $webroot_paths = [],
 String[1] $letsencrypt_command = $letsencrypt::command,
+ Enum['rsa', 'ecdsa'] $key_type = $letsencrypt::key_type,
 Integer[2048] $key_size = $letsencrypt::key_size,
+ String[1] $elliptic_curve = $letsencrypt::elliptic_curve,
 Array[String[1]] $additional_args = [],
 Array[String[1]] $environment = [],
 Boolean $manage_cron = false,
@@ -153,10 +157,16 @@
 $title_nowc = regsubst($title, '^\*\.', '')
 if $ensure == 'present' {
+ if $key_type == 'rsa' {
+ $key_args = "--rsa-key-size ${key_size}"
+ } else {
+ $key_args = "--elliptic-curve ${elliptic_curve}"
+ }
+
 if ($custom_plugin) {
- $default_args = "--text --agree-tos --non-interactive certonly --rsa-key-size ${key_size}"
+ $default_args = "--text --agree-tos --non-interactive certonly --key-type ${key_type} ${key_args}"
 } else {
- $default_args = "--text --agree-tos --non-interactive certonly --rsa-key-size ${key_size} -a ${plugin}"
+ $default_args = "--text --agree-tos --non-interactive certonly --key-type ${key_type} ${key_args} -a ${plugin}"
 }
 } else {
 $default_args = '--text --agree-tos --non-interactive delete'
diff --git a/manifests/init.pp b/manifests/init.pp
index dd4c80ea..f22da4ad 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
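Review bot: `String[1] $elliptic_curve` in the new parameter line accepts any non-empty string, and that value is interpolated verbatim into the `--elliptic-curve` argument of the certbot command line built in the `@@ -153,10 +157,16 @@` hunk below, so a typo or a curve the CA does not issue for only surfaces when certbot runs rather than at catalog compile time. `$key_type` on the neighbouring line already uses `Enum['rsa', 'ecdsa']`, and the curve parameter should be constrained the same way; to my knowledge certbot and Let's Encrypt accept `secp256r1` and `secp384r1`, so `Enum['secp256r1', 'secp384r1'] $elliptic_curve = $letsencrypt::elliptic_curve,` would be the matching declaration (confirm against the certbot versions the module targets; a `Pattern[/\A[a-z0-9]+\z/]` is the minimum if other curves must stay allowed). The class-level default in manifests/init.pp, hunk `@@ -76,7 +78,9 @@`, uses the same `String[1]` type and should be tightened identically. The parameter list this hunk belongs to starts and ends outside the hunk.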
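Review bot: `--key-type ${key_type}` is now emitted in both `$default_args` strings unconditionally, so the command line changes for every existing RSA user even though the commit message says the default is backwards compatible; certbot releases that predate the `--key-type` option would reject the new argument, if the module still supports them. Emitting the type only for the non-default case keeps the rsa command byte-for-byte as before: leave `$key_args = "--rsa-key-size ${key_size}"` in the rsa branch, use `$key_args = "--key-type ecdsa --elliptic-curve ${elliptic_curve}"` in the else branch, and drop `--key-type ${key_type} ` from both `$default_args` lines. A one-line comment above `if $key_type == 'rsa' {` noting that `$key_size` is ignored for ecdsa and `$elliptic_curve` for rsa would also help the next reader. The `define` that contains this `if $ensure == 'present'` block starts and ends outside the hunk.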
@@ -27,7 +27,9 @@ # @param agree_tos A flag to agree to the Let's Encrypt Terms of Service. # @param unsafe_registration A flag to allow using the 'register-unsafely-without-email' flag. # @param config_dir The path to the configuration directory. +# @param key_type Type of private key # @param key_size Size for the RSA public key +# @param elliptic_curve The SECG elliptic curve name to use # @param certificates A hash containing certificates. Each key is the title and each value is a hash, both passed to letsencrypt::certonly. # @param renew_pre_hook_commands Array of commands to run in a shell before obtaining/renewing any certificates. # @param renew_post_hook_commands Array of commands to run in a shell after attempting to obtain/renew certificates. @@ -76,7 +78,9 @@ Boolean $manage_install = true, Boolean $agree_tos = true, Boolean $unsafe_registration = false, + Enum['rsa', 'ecdsa'] $key_type = 'rsa', Integer[2048] $key_size = 4096, + String[1] $elliptic_curve = 'secp256r1', Hash[String[1],Hash] $certificates = {}, # $renew_* should only be used in letsencrypt::renew (blame rspec) Variant[String[1], Array[String[1]]] $renew_pre_hook_commands = [],