Am Do., 17. Mai 2018 um 16:07 Uhr schrieb Jochen Haeberle <>:
> I managed to install seafile by now with a lot of puppet support in three

> 1) Puppet: install files, prepare db, generate answer file, print reminder
> 2) Manual script run, entering db-password
> 3) Puppet: Setup Nginx, Let’s encrypt and move folders to network device

> I do not really like this, but I do not see any other solution at the
moment. I might easily run into concurrency issues

What I did in a similar situation was to detect the different setup phases
with custom facts. I was using this mechanism to generate certificate
requests with puppet, than manually sign them with our internal CA, copy
the signed certificate back to the server and on the next run let puppet
continue the setup when it detects the certificate is present. In case
you're interested, here's my custom fact for that setup:

cat modules/profiles/facts.d/servercert

set -e
set -u
set -o pipefail

CERTFILE="$CERTDIR/$(hostname -f).crt"
KEYFILE="/etc/ssl/private/$(hostname -f).pem"

if [ -a "$KEYFILE" ] ; then
   if [ -a "$CERTFILE" ] ; then
     CERTMOD="$(openssl x509 -noout -modulus -in "$CERTFILE" | grep
^Modulus= | cut -d= -f2)"
     KEYMOD="$(openssl rsa -check -noout -modulus -in "$KEYFILE" | grep
^Modulus= | cut -d= -f2)"
     if [ "x$CERTMOD" == "x$KEYMOD" ] ; then
       if openssl verify -CAfile "$CAFILE" "$CERTFILE" > /dev/null ; then
         echo "servercert=present"
         echo "servercertfile=$CERTFILE"
         echo "servercertkeyfile=$KEYFILE"
         echo "servercertinfo=$(openssl x509 -noout -enddate -in
       else # Cert/CA mismatch
         echo "servercert=absent"
         echo "servercertinfo=Certificate from unknown CA"
       echo "servercert=absent"
       echo "servercertinfo=Key/Certificate mismatch"
   else # CERTFILE missing
     echo "servercert=absent"
     echo "servcercertinfo=Certificate missing"
else # KEYFILE missing
   echo "servercert=absent"
   echo "servercertinfo=Key missing"

This gives me several variables I can check for in the puppet manifest and
depending on where in the installation process we are, for example enable
the apache ssl vhost. (It also makes sure that the certificate is actually
signed by our CA, but that's not really relvant for your problem).

Hope that helps a bit

You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
To view this discussion on the web visit
For more options, visit

Reply via email to