From 9cee243af6674489b631861cfee045f692e27589 Mon Sep 17 00:00:00 2001
From: Patrik Lundin
Date: Mon, 4 Nov 2024 09:39:02 +0100
Subject: [PATCH] Allow ACME validation from step-ca to cache

---
 global/overlay/etc/puppet/modules/cdn/manifests/cache.pp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp b/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
index d4da2b8..c1f6500 100644
--- a/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
+++ b/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
@@ -137,6 +137,12 @@ class cdn::cache(
   $dash_split = split($my_hostname,'[-]')
   $environment = $dash_split[2]
 
+  sunet::nftables::allow { 'allow-step-ca-acme':
+    from  => '89.45.237.248', # internal-sto3-test-ca-1.cdn.sunet.se
+    port  => 80,
+    proto => 'tcp',
+  }
+
   # Get client cert for connecting to MQTT bus
   exec { "certbot certonly -n --email patlu@sunet.se --no-eff-email --agree-tos --standalone -d ${my_fqdn} --server ${acme_url[$environment]} --http-01-address ${facts['networking']['ip']}":
     creates => "/etc/letsencrypt/live/${my_fqdn}/fullchain.pem"
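Review bot: The new `sunet::nftables::allow` rule opens TCP/80 to one fixed address, commented as `internal-sto3-test-ca-1`, while the certbot exec two lines below selects its CA with `${acme_url[$environment]}`, so on any non-test environment the firewall admits the test CA and not the CA that will actually perform http-01 validation. Key the source on the same environment lookup, e.g. `from => $acme_validator_ip[$environment], # step-ca host that performs http-01 validation`, with the map defined next to `$acme_url` (that definition is outside this hunk). Separately, nothing orders the allow rule before the exec; unless this module relies on manifest ordering, add `require => Sunet::Nftables::Allow['allow-step-ca-acme'],` to the exec so the first run does not race the rule. A one-line comment such as `# Only the issuing step-ca may reach port 80; certbot --standalone binds it for http-01` would record why the cache exposes HTTP at all. The exec block continues past the end of the hunk.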