From e86d51f126a7ca200b6839409fae40f9277c6082 Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Wed, 18 Sep 2024 11:28:41 +0200
Subject: [PATCH] create ssl cert per vhost, not one monster
---
 puppet/modules/web/manifests/init.pp | 31 ---------------------------
 puppet/modules/web/manifests/vhost.pp | 14 ++++++++----
 2 files changed, 10 insertions(+), 35 deletions(-)
diff --git a/puppet/modules/web/manifests/init.pp b/puppet/modules/web/manifests/init.pp
index 1ca76708b..f8298b962 100644
--- a/puppet/modules/web/manifests/init.pp
+++ b/puppet/modules/web/manifests/init.pp
@@ -15,37 +15,6 @@
 letsencrypt => $https,
 }
- if $https {
- $letsencypt_domain = 'theforeman.org'
-
- letsencrypt::certonly { $letsencypt_domain:
- plugin => 'webroot',
- # domain / webroot_paths must match exactly
- domains => [
- 'theforeman.org',
- 'archivedeb.theforeman.org',
- 'deb.theforeman.org',
- 'debugs.theforeman.org',
- 'downloads.theforeman.org',
- 'stagingdeb.theforeman.org',
- 'www.theforeman.org',
- 'yum.theforeman.org',
- 'stagingyum.theforeman.org',
- ],
- webroot_paths => [
- '/var/www/vhosts/web/htdocs',
- '/var/www/vhosts/archivedeb/htdocs',
- '/var/www/vhosts/deb/htdocs',
- '/var/www/vhosts/debugs/htdocs',
- '/var/www/vhosts/downloads/htdocs',
- '/var/www/vhosts/stagingdeb/htdocs',
- '/var/www/vhosts/web/htdocs',
- '/var/www/vhosts/yum/htdocs',
- '/var/www/vhosts/stagingyum/htdocs',
- ],
- }
- }
-
 if $facts['os']['selinux']['enabled'] {
 include selinux
diff --git a/puppet/modules/web/manifests/vhost.pp b/puppet/modules/web/manifests/vhost.pp
index 7ba173b9e..dcde95915 100644
--- a/puppet/modules/web/manifests/vhost.pp
+++ b/puppet/modules/web/manifests/vhost.pp
@@ -52,6 +52,12 @@
 }
 if $web::https {
+ letsencrypt::certonly { $servername:
+ plugin => 'webroot',
+ domains => [$servername] + $serveraliases,
+ webroot_paths => [$docroot],
+ }
+
 apache::vhost { "${title}-https":
 servername => $servername,
 serveraliases => $serveraliases,
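Review bot: The new `letsencrypt::certonly { $servername:` resource passes a single `webroot_paths => [$docroot],` entry for the `[$servername] + $serveraliases` domain list, while the resource it replaces (removed from init.pp in this same patch) listed one path per domain under the comment `# domain / webroot_paths must match exactly`. If the module pads a shorter `webroot_paths` with its last entry the single `$docroot` is sufficient, but that should be confirmed against the module version in use rather than assumed. The certonly resource also has no ordering against the plain-HTTP vhost that serves `$docroot`, so on a freshly provisioned host the webroot challenge can run before Apache is serving that path; if that vhost is `Apache::Vhost[$title]` (declared above this hunk, outside the view), adding `require => Apache::Vhost[$title],` to the certonly makes the dependency explicit, although a running and reloaded Apache may additionally be needed. Lastly, the `domains` concatenation assumes `$serveraliases` is always an Array; if the parameter (declared outside the hunk) admits `undef`, that value is appended as a bogus domain or fails compilation. The enclosing `if $web::https {` block continues into the next hunk.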
@@ -62,10 +68,10 @@
 docroot_mode => $docroot_mode,
 port => 443,
 ssl => true,
- ssl_cert => "${letsencrypt::config_dir}/live/${web::letsencypt_domain}/cert.pem",
- ssl_chain => "${letsencrypt::config_dir}/live/${web::letsencypt_domain}/chain.pem",
- ssl_key => "${letsencrypt::config_dir}/live/${web::letsencypt_domain}/privkey.pem",
- require => Letsencrypt::Certonly[$web::letsencypt_domain],
+ ssl_cert => "${letsencrypt::config_dir}/live/${servername}/cert.pem",
+ ssl_chain => "${letsencrypt::config_dir}/live/${servername}/chain.pem",
+ ssl_key => "${letsencrypt::config_dir}/live/${servername}/privkey.pem",
+ require => Letsencrypt::Certonly[$servername],
 * => $attrs,
 }
 }
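Review bot: The `ssl_cert`, `ssl_chain` and `ssl_key` lines assume certbot's `live/` directory is named exactly `${servername}`, which only holds while the certonly title and certbot's lineage name agree. On a host that already carries the previous monolithic `theforeman.org` lineage (the title of the resource this patch removes), a vhost whose `$servername` equals that name but now requests a different SAN set may, depending on how the module invokes certbot, end up in a suffixed directory such as `theforeman.org-0001`, leaving Apache serving the stale certificate until it expires or its SANs no longer match. Worth confirming that the module pins the lineage to the title (or that the old lineage is removed during rollout) and recording the assumption next to `ssl_cert`, e.g. `# live/<name> is certbot's lineage name; it matches the certonly title only when no other lineage already owns that name`. The enclosing `apache::vhost { "${title}-https":` declaration begins in the previous hunk.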