
13.6. Tips and Tricks

This chapter gives you some tips and tells you about some tricks.

13.6.1. Wildcard SSL Certificates

See if your situation matches the following:
  • You have at least two virtual hosts in the same domain name space, say www1.example.com and www2.example.com
  • You want both virtual hosts to be available over Secure HTTP.
  • You are using Puppet to manage the configuration on the webserver(s).
  • You have a wildcard certificate for *.example.com.
When using the webserver module, the configuration for these virtual hosts lives either in the tree specific to the private domain name space, under webserver/sites/, or in the globally available files/webserver/sites/ directory outside any domain-specific configuration tree. We'll refer to the base location of these files as webserver/sites/ in this example.
In the node manifest on the webserver that runs www1.example.com, provide the following snippet:
node 'node1.example.com' {
    include webserver

    webserver::virtualhost { "www1.example.com":
        certificate => true
    }
}
Given the certificate => true parameter, webserver::virtualhost will try to fetch the files $name.cert, $name.key and $name.ca.cert from the Puppet fileserver and put them in /etc/httpd/sites-enabled/, so that you can load them from the www1.example.com.conf virtual host configuration file you already supply for the virtual host.
Provide the same snippet in the node manifest for www2.example.com, and wherever else you need it.
To have the wildcard certificate available as www1.example.com, www2.example.com and possibly more virtual hosts, you would have to make the same certificate file available under different names.
The Trick
Here comes the trick:
Instead of copying *.example.com.cert (and its .key and .ca.cert) to various other filenames, create symbolic links to the wildcard certificate file:
$ pwd
~/devel/puppetmanaged.org/domain-example.com/webserver/sites
$ ls -go
total 68
-rw-rw-r--. 1  609 intranet.example.com.conf
-rw-r--r--. 1 1631 *.example.com.ca.cert
-rw-r--r--. 1 1891 *.example.com.cert
-rw-r-----. 1  887 *.example.com.key
-rw-rw-r--. 1 5730 puppet.example.com.conf
lrwxrwxrwx. 1   16 www1.example.com.ca.cert -> *.example.com.ca.cert
lrwxrwxrwx. 1   13 www1.example.com.cert -> *.example.com.cert
-rw-rw-r--. 1 1129 www1.example.com.conf
lrwxrwxrwx. 1   12 www1.example.com.key -> *.example.com.key
lrwxrwxrwx. 1 1786 www2.example.com.ca.cert -> *.example.com.ca.cert
lrwxrwxrwx. 1 1651 www2.example.com.cert -> *.example.com.cert
-rw-rw-r--. 1 1656 www2.example.com.conf
lrwxrwxrwx. 1  891 www2.example.com.key -> *.example.com.key
-rw-rw-r--. 1  283 wpad.example.com.conf

The fancy * character

Remember that even fancy characters are still characters. '*' can perfectly well be used in a filename, as long as you escape it in shells such as bash.
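An added example, not code from the puppetmanaged.org documentation, that creates the three symlinks per virtual host in one go, keeps the '*' quoted so the shell never globs it, and refuses names the wildcard would not actually cover (a *.example.com certificate is valid for www1.example.com, but not for a.b.example.com or the bare example.com). The function names and the sites-directory argument are assumptions; the demonstration at the end runs on constructed placeholder files, not real key material.

```shell
#!/bin/sh
# Return 0 if "$1" is covered by a wildcard certificate for "*.$2".
# A wildcard matches exactly one label, so *.example.com covers
# www1.example.com but not example.com or a.b.example.com.
wildcard_covers() {
    host=$1; domain=$2
    case "$host" in
        ''|.*)           return 1 ;;   # empty name or empty leading label
        *.*."$domain")   return 1 ;;   # two or more labels below the domain
        *."$domain")     return 0 ;;   # exactly one label: covered
        *)               return 1 ;;   # not under the domain at all
    esac
}

# link_wildcard_cert <sites_dir> <domain> <vhost>...
# Creates <vhost>.cert, <vhost>.key and <vhost>.ca.cert as relative symlinks
# to *.<domain>.cert, *.<domain>.key and *.<domain>.ca.cert in <sites_dir>.
link_wildcard_cert() {
    dir=$1; domain=$2; shift 2
    [ $# -gt 0 ] || { echo "no virtual hosts given" >&2; return 2; }
    for suffix in cert key ca.cert; do
        # The star is inside double quotes, so it is a literal filename character.
        [ -f "$dir/*.$domain.$suffix" ] || {
            echo "missing $dir/*.$domain.$suffix" >&2; return 1; }
    done
    for host in "$@"; do
        wildcard_covers "$host" "$domain" || {
            echo "*.$domain does not cover $host; not linking" >&2; return 1; }
        for suffix in cert key ca.cert; do
            # Relative target, so the links stay valid wherever Puppet serves the tree from.
            ln -sf "*.$domain.$suffix" "$dir/$host.$suffix"
        done
    done
}

# Demonstration on constructed placeholder files (not real certificates or keys).
demo_dir=$(mktemp -d)
for suffix in cert key ca.cert; do
    printf 'PLACEHOLDER %s\n' "$suffix" > "$demo_dir/*.example.com.$suffix"
done
chmod 0640 "$demo_dir/*.example.com.key"   # the private key must not be world-readable
link_wildcard_cert "$demo_dir" example.com www1.example.com www2.example.com
ls -l "$demo_dir"
rm -rf "$demo_dir"
```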