Improve comment

global/overlay/etc/puppet/modules/cdn/files/ca/configure-acme

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# When initializing step-ca with the docker flag DOCKER_STEPCA_INIT_ACME
+# a basic ACME provisioner is enabled. This script runs commands to modify the
+# default configuration.
+
+# Enable forceCN if not set.
+# This is needed because certbot does not include a
+# Subject CN field in the CSR:
+# https://github.com/certbot/certbot/issues/9633#issuecomment-1484988078
+# ... and the Mosquitto MQTT server uses the Subject CN in ACL filters.
+#
+# Ideally Mosquitto would learn to look at the SAN field instead:
+# https://github.com/eclipse-mosquitto/mosquitto/issues/2511
+if [ "$(step ca provisioner list | jq -r '.[] | select (.name == "acme") | .forceCN')" = "null" ]; then
+    step ca provisioner update acme --force-cn --admin-subject=step --admin-provisioner=admin  --admin-password-file=/opt/step-ca/init/secrets/provisioner-password
+fi

global/overlay/etc/puppet/modules/cdn/files/ca/set-provisioner-pw

@@ -1,11 +1,11 @@
 #!/bin/bash
 
-# When initializing step-ca with the docker flag STEPCA_INIT_PASSWORD_FILE the
-# password will be used both for key encryption as well as the admin "step"
-# provisioner. If not using that flag a separate password will be generated for
-# each usage. This seems better as you are not typing the encryption password
-# any other time, while the provisioner password is used anytime you are
-# managing things.
+# When initializing step-ca with the docker flag
+# DOCKER_STEPCA_INIT_PASSWORD_FILE the password will be used both for key
+# encryption as well as the admin "step" provisioner. If not using that flag a
+# separate password will be generated for each usage. This seems better as you
+# are not typing the encryption password any other time, while the provisioner
+# password is used anytime you are managing things.
 #
 # This script is used on first setup of step-ca to modify the provisioner to
 # use its own password instead. Pending

global/overlay/etc/puppet/modules/cdn/manifests/ca.pp

@@ -59,6 +59,14 @@ class cdn::ca(
     content => file('cdn/ca/bootstrap-client'),
   }
 
+  file { '/opt/step-ca/init/scripts/configure-acme':
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0755',
+    content => file('cdn/ca/configure-acme'),
+  }
+
   file { '/opt/step-ca/init/deb':
     ensure => directory,
     owner  => 'root',

global/overlay/etc/puppet/modules/cdn/manifests/cache.pp

@@ -231,13 +231,13 @@ class cdn::cache(
 
         concat::fragment { "${customer}-fullchain-${cache_secrets['customers'][$customer]['host']}":
           target => $combined_pem,
-          source => "/opt/certbot/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/fullchain.pem",
+          source => "/opt/certbot-sync/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/fullchain.pem",
           order  => '01',
         }
 
         concat::fragment { "${customer}-privkey-${cache_secrets['customers'][$customer]['host']}":
           target => $combined_pem,
-          source => "/opt/certbot/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/privkey.pem",
+          source => "/opt/certbot-sync/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/privkey.pem",
           order  => '02',
         }