create ssl cert per vhost, not one monster

puppet/modules/profiles/manifests/jenkins/controller.pp

@@ -41,10 +41,6 @@
     require         => Package[$packages],
   }
 
-  class { 'web::base':
-    letsencrypt => $https,
-  }
-
   class { 'web::jenkins':
     hostname => $hostname,
     https    => $https,

puppet/modules/redmine/manifests/init.pp

@@ -202,6 +202,8 @@
   }
 
   if $https {
+    include web::letsencrypt
+
     letsencrypt::certonly { $servername:
       plugin        => 'webroot',
       domains       => [$servername],

puppet/modules/web/manifests/base.pp

@@ -1,14 +1,5 @@
 # Basic webserver config
-#
-# @param letsencrypt
-#   Whether to include letsencrypt
-class web::base(
-  Boolean $letsencrypt = true,
-) {
-  if $letsencrypt {
-    include web::letsencrypt
-  }
-
+class web::base {
   include apache
 
   file { '/var/www/vhosts':

puppet/modules/web/manifests/init.pp

@@ -11,40 +11,7 @@
 class web(
   Boolean $https = false,
 ) {
-  class { 'web::base':
-    letsencrypt => $https,
-  }
-
-  if $https {
-    $letsencypt_domain = 'theforeman.org'
-
-    letsencrypt::certonly { $letsencypt_domain:
-      plugin        => 'webroot',
-      # domain / webroot_paths must match exactly
-      domains       => [
-        'theforeman.org',
-        'archivedeb.theforeman.org',
-        'deb.theforeman.org',
-        'debugs.theforeman.org',
-        'downloads.theforeman.org',
-        'stagingdeb.theforeman.org',
-        'www.theforeman.org',
-        'yum.theforeman.org',
-        'stagingyum.theforeman.org',
-      ],
-      webroot_paths => [
-        '/var/www/vhosts/web/htdocs',
-        '/var/www/vhosts/archivedeb/htdocs',
-        '/var/www/vhosts/deb/htdocs',
-        '/var/www/vhosts/debugs/htdocs',
-        '/var/www/vhosts/downloads/htdocs',
-        '/var/www/vhosts/stagingdeb/htdocs',
-        '/var/www/vhosts/web/htdocs',
-        '/var/www/vhosts/yum/htdocs',
-        '/var/www/vhosts/stagingyum/htdocs',
-      ],
-    }
-  }
+  include web::base
 
   if $facts['os']['selinux']['enabled'] {
     include selinux

puppet/modules/web/manifests/jenkins.pp

@@ -12,7 +12,9 @@
     'no_proxy_uris' => ['/.well-known'],
   }
 
-  if $web::base::letsencrypt {
+  if $https {
+    include web::letsencrypt
+
     letsencrypt::certonly { $hostname:
       plugin        => 'webroot',
       domains       => [$hostname],
@@ -34,7 +36,7 @@
     mode   => '0755',
   }
 
-  if $web::base::letsencrypt and $https {
+  if $https {
     $url = "https://${hostname}"
 
     apache::vhost { 'jenkins':

puppet/modules/web/manifests/vhost.pp

@@ -52,6 +52,14 @@
   }
 
   if $web::https {
+    include web::letsencrypt
+
+    letsencrypt::certonly { $servername:
+      plugin        => 'webroot',
+      domains       => [$servername] + $serveraliases,
+      webroot_paths => [$docroot],
+    }
+
     apache::vhost { "${title}-https":
       servername    => $servername,
       serveraliases => $serveraliases,
@@ -62,10 +70,10 @@
       docroot_mode  => $docroot_mode,
       port          => 443,
       ssl           => true,
-      ssl_cert      => "${letsencrypt::config_dir}/live/${web::letsencypt_domain}/cert.pem",
-      ssl_chain     => "${letsencrypt::config_dir}/live/${web::letsencypt_domain}/chain.pem",
-      ssl_key       => "${letsencrypt::config_dir}/live/${web::letsencypt_domain}/privkey.pem",
-      require       => Letsencrypt::Certonly[$web::letsencypt_domain],
+      ssl_cert      => "${letsencrypt::config_dir}/live/${servername}/cert.pem",
+      ssl_chain     => "${letsencrypt::config_dir}/live/${servername}/chain.pem",
+      ssl_key       => "${letsencrypt::config_dir}/live/${servername}/privkey.pem",
+      require       => Letsencrypt::Certonly[$servername],
       *             => $attrs,
     }
   }