Guidelines

This site is for tech Q&A. Please keep your posts focused on the subject at hand.

Ask one question at a time. Don't conflate multiple problems into a single question.

Make sure to include all relevant information in your posts. Try to avoid linking to external sites.

Links to documentation are fine, but in addition you should also quote the relevant parts in your posts.

0 votes
204 views
204 views

At work we're configuring Nginx servers with Puppet (using the Vox Pupuli Nginx module). Now we want to switch the SSL config to Let's Encrypt. I currently have the following settings (in hiera) for my vhosts:

nginx::nginx_servers:
  'www.example.com':
    ssl: true
    ssl_redirect: false
    locations:
      'www-letsencrypt':
        location: '~ ^/.well-known/acme-challenge'
        location_cfg_prepend:
          'default_type': 'text/plain'
        www_root: '/var/www/letsencrypt'
        ssl: false
      'www':
        location: '/'
        ssl: false
        location_custom_cfg:
          'return': '301 https://$host$request_uri'
      'www-ssl':
        location: '/'
        # other settings here ...

However, when I run the Puppet agent I'm getting a duplicate resource declaration error:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: Concat::Fragment[www.example.com-500-6666cd76f96956469e7be39d750cc7d9] is already declared in file /etc/puppetlabs/code/environments/production/modules/nginx/manifests/resource/location.pp:296; cannot redeclare at /etc/puppetlabs/code/environments/production/modules/nginx/manifests/resource/location.pp:296 at /etc/puppetlabs/code/environments/production/modules/nginx/manifests/resource/location.pp:296:7 at /etc/puppetlabs/code/environments/production/modules/nginx/manifests/resource/server.pp:454 on node server.example.com

If I change the SSL location for instance to location: '~ .*' the agent runs fine, but I'd prefer having / as the location for SSL as well.

The agent also runs with no error when I specify distinct vhosts for non-SSL and SSL:

nginx::nginx_servers:
  'www.example.com':
    ssl: true
    ssl_redirect: false
    locations:
      'www-letsencrypt':
        location: '~ ^/.well-known/acme-challenge'
        location_cfg_prepend:
          'default_type': 'text/plain'
        www_root: '/var/www/letsencrypt'
        ssl: false
      'www':
        location: '/'
        ssl: false
        location_custom_cfg:
          'return': '301 https://$host$request_uri'
  'www.example.com-ssl':
    ssl: true
    ssl_redirect: false
    locations:
      'www-ssl':
        location: '/'
        # other settings here ...

But then Puppet would create separate config files for each vhost, so I don't want that either.

How do I specify that the module should configure different / locations for the non-SSL vhost and the SSL vhost in the same file?

in Sysadmin
edited by
by (100)
1 4 11
edit history

Your answer

Preview

Privacy: Your email address will only be used for sending these notifications.
Anti-spam verification:
By submitting this post you agree to our Terms & Conditions.
To avoid this verification in future, please log in or register.

1 Answer

0 votes
 

You need to set the parameter ssl_only to "true" to restrict the location to the SSL vhost. That will prevent the module from trying to configure the location "www-ssl" with both vhosts (the location "www" is already tied to the non-SSL vhost only, because you already set ssl to "false"). Note that ssl_redirect must also be set to "false" (which you already have), otherwise you'd still be getting a duplicate resource declaration error.

nginx::nginx_servers:
  'www.example.com':
    ssl: true
    ssl_redirect: false
    locations:
      'www-letsencrypt':
        location: '~ ^/.well-known/acme-challenge'
        location_cfg_prepend:
          'default_type': 'text/plain'
        www_root: '/var/www/letsencrypt'
        ssl: false
      'www':
        location: '/'
        ssl: false
        location_custom_cfg:
          'return': '301 https://$host$request_uri'
      'www-ssl':
        location: '/'
        ssl_only: true
        # other settings here ...

edited by
by (100)
1 4 11
edit history
...