diff --git a/Jenkinsfile b/Jenkinsfile
deleted file mode 100644
index 17655d3..0000000
--- a/Jenkinsfile
+++ /dev/null
@@ -1,124 +0,0 @@
-pipeline {
- agent any
-
- post {
- always {
- deleteDir() /* clean up our workspace */
- }
- success {
- updateGitlabCommitStatus state: 'success'
- }
- failure {
- updateGitlabCommitStatus state: 'failed'
- step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'support@confdroid.com', sendToIndividuals: true])
- }
- }
-
- options {
- gitLabConnection('gitlab.confdroid.com')
- }
-
- stages {
-
- stage('pull master') {
- steps {
- sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
- sh '''
- git config user.name "Jenkins Server"
- git config user.email jenkins@confdroid.com
- # Ensure we're on the development branch (triggered by push)
- git checkout development
- # Create jenkins branch from development
- git checkout -b jenkins-build-$BUILD_NUMBER
- # Optionally merge master into jenkins to ensure compatibility
- git merge origin/master --no-ff || { echo "Merge conflict detected"; exit 1; }
- '''
- }
- }
- }
-
- stage('puppet parser') {
- steps {
- sh '''for file in $(find . -iname \'*.pp\'); do
- /opt/puppetlabs/bin/puppet parser validate --color false --render-as s --modulepath=modules $file || exit 1;
- done;'''
- }
- }
-
- stage('check templates') {
- steps{
- sh '''for file in $(find . -iname \'*.erb\');
- do erb -P -x -T "-" $file | ruby -c || exit 1;
- done;'''
- }
- }
-
- stage('puppet-lint') {
- steps {
- sh '''/usr/local/bin/puppet-lint . \\
- --no-variable_scope-check \\
- || { echo "Puppet lint failed"; exit 1; }
- '''
- }
- }
-
- stage('SonarScan') {
- steps {
- withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN')]) {
- sh '''
- /opt/sonar-scanner/bin/sonar-scanner \
- -Dsonar.projectKey=confdroid_nrpe \
- -Dsonar.sources=. \
- -Dsonar.host.url=https://sonarqube.confdroid.com \
- -Dsonar.token=$SONAR_TOKEN
- '''
- }
- }
- }
-
- stage('create Puppet documentation') {
- steps {
- sh '/opt/puppetlabs/bin/puppet strings'
- }
- }
-
- stage('update repo') {
- steps {
- sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
- sh '''
- git config user.name "Jenkins Server"
- git config user.email jenkins@confdroid.com
- git rm -r --cached .vscode || echo "No .vscode to remove from git"
- git add -A && git commit -am "Recommit for updates in build $BUILD_NUMBER" || echo "No changes to commit"
- git push origin HEAD:master
- '''
- }
- }
- }
-
- stage('Mirror to Gitea') {
- steps {
- withCredentials([usernamePassword(
- credentialsId: 'Jenkins-gitea',
- usernameVariable: 'GITEA_USER',
- passwordVariable: 'GITEA_TOKEN')]) {
- script {
- // Checkout from GitLab (already done implicitly)
- sh '''
- git checkout master
- git pull origin master
- git branch -D development
- git branch -D jenkins-build-$BUILD_NUMBER
- git rm -f Jenkinsfile
- git rm -r --cached .vscode || echo "No .vscode to remove from git"
- git commit --amend --no-edit --allow-empty
- git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_nrpe.git
- git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \
- push master --mirror
- '''
- }
- }
- }
- }
- }
-}
\ No newline at end of file
diff --git a/doc/file.README.html b/doc/file.README.html
index 43c5656..6b00b41 100644
--- a/doc/file.README.html
+++ b/doc/file.README.html
@@ -193,14 +193,22 @@
When ne_enable_ssl is enabled (default), the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:
ne_ssl_ca_cert_pem
ne_ssl_cert_pem
ne_ssl_privatekey_pem
via Hiera (if you use it) or ENC.
+All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.
SSL/TLS support: Version 3 of NRPE supposedly has support for SSL/ TLs. However, at the time of writing this module, this seems to be buggy, as I was unable to start the NRPE service as soon as the ssl_cert_file line was uncommented in the configuration file, despite having valid certs in the right position on the node. This happened when installing manually, not through this Puppet module. For that reason I included the $ne_enable_ssl boolean parameter, which is set to false by default, hence disabling SSL/TLS options until this has been fixed upstream, or a valid workaround has been found. Setting this option to true will include all SSL / TLS settings.
When ne_enable_ssl is enabled (default), the certificates for the ca (root if standalone or intermediate), the nagios server and the key for the nagios server have to be provided through the following values:
ne_ssl_ca_cert_pem
ne_ssl_cert_pem
ne_ssl_privatekey_pem
via Hiera (if you use it) or ENC.
+All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.
SSL/TLS support: Version 3 of NRPE supposedly has support for SSL/ TLs. However, at the time of writing this module, this seems to be buggy, as I was unable to start the NRPE service as soon as the ssl_cert_file line was uncommented in the configuration file, despite having valid certs in the right position on the node. This happened when installing manually, not through this Puppet module. For that reason I included the $ne_enable_ssl boolean parameter, which is set to false by default, hence disabling SSL/TLS options until this has been fixed upstream, or a valid workaround has been found. Setting this option to true will include all SSL / TLS settings.
# File 'manifests/main/files.pp', line 6
@@ -251,7 +250,6 @@ class confdroid_nrpe::main::files (
}
if $ne_allow_sudo == true {
-
file { $ne_sudo_file:
ensure => file,
path => $ne_sudo_file,
@@ -279,45 +277,45 @@ class confdroid_nrpe::main::files (
content => template($ne_nrpe_te_erb),
notify => Exec['create_nrpe_pp'],
}
+ }
- # file for ssl certificate
- if $ne_enable_ssl == true {
- file { $ne_ssl_cert_file:
- ensure => file,
- path => $ne_ssl_cert_file,
- owner => 'root',
- group => 'root',
- mode => '0644',
- selrange => s0,
- selrole => object_r,
- seltype => cert_t,
- seluser => system_u,
- content => template($ne_ssl_cert_erb),
- }
- file { $ne_ssl_privatekey_file:
- ensure => file,
- path => $ne_ssl_privatekey_file,
- owner => 'root',
- group => 'root',
- mode => '0600',
- selrange => s0,
- selrole => object_r,
- seltype => cert_t,
- seluser => system_u,
- content => template($ne_ssl_privatekey_erb),
- }
- file { $ne_ssl_ca_cert_file:
- ensure => file,
- path => $ne_ssl_ca_cert_file,
- owner => 'root',
- group => 'root',
- mode => '0644',
- selrange => s0,
- selrole => object_r,
- seltype => cert_t,
- seluser => system_u,
- content => template($ne_ssl_ca_cert_erb),
- }
+ # file for ssl certificate
+ if $ne_enable_ssl == true {
+ file { $ne_ssl_cert_file:
+ ensure => file,
+ path => $ne_ssl_cert_file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => cert_t,
+ seluser => system_u,
+ content => template($ne_ssl_cert_erb),
+ }
+ file { $ne_ssl_privatekey_file:
+ ensure => file,
+ path => $ne_ssl_privatekey_file,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ selrange => s0,
+ selrole => object_r,
+ seltype => cert_t,
+ seluser => system_u,
+ content => template($ne_ssl_privatekey_erb),
+ }
+ file { $ne_ssl_ca_cert_file:
+ ensure => file,
+ path => $ne_ssl_ca_cert_file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => cert_t,
+ seluser => system_u,
+ content => template($ne_ssl_ca_cert_erb),
}
}
}
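Review bot: The `$ne_ssl_privatekey_file` resource on the new side renders key material through `content => template($ne_ssl_privatekey_erb)` with nothing that suppresses content diffs, so on agents where diff display is enabled a key change could be echoed into agent logs and reports. Adding `show_diff => false,` to that resource keeps the key out of them; the `'0600'` mode and root ownership already look appropriate. This hunk is the generated documentation's listing of `manifests/main/files.pp`, so the change belongs in the manifest, with the docs regenerated afterwards.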
diff --git a/doc/puppet_classes/confdroid_nrpe_3A_3Aparams.html b/doc/puppet_classes/confdroid_nrpe_3A_3Aparams.html
index 5d42b30..d69bad7 100644
--- a/doc/puppet_classes/confdroid_nrpe_3A_3Aparams.html
+++ b/doc/puppet_classes/confdroid_nrpe_3A_3Aparams.html
@@ -699,7 +699,7 @@ inherited by all classes except defines.
(Boolean)
- (defaults to: false)
+ (defaults to: true)
—
@@ -945,7 +945,7 @@ class confdroid_nrpe::params (
String $ne_command_timeout = '60',
String $ne_connection_timeout = '300',
String $ne_allow_weak_rnd_seed = '1',
- Boolean $ne_enable_ssl = false,
+ Boolean $ne_enable_ssl = true,
String $ne_ssl_version = 'TLSv2+',
String $ne_ssl_use_adh = '1',
String $ne_ssl_cipher_list = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH',
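Review bot: With `$ne_enable_ssl` now defaulting to `true`, the neighbouring defaults in this listing become the live TLS posture, and two of them deserve a second look. `$ne_ssl_use_adh = '1'` keeps anonymous Diffie-Hellman permitted (upstream NRPE's sample configuration describes that setting as deprecated), and `'TLSv2+'` is not among the `ssl_version` values I know NRPE to document, so it is worth confirming the daemon accepts it. I would propose `String $ne_ssl_use_adh = '0',` and `String $ne_ssl_version = 'TLSv1.2+',` unless older peers must be supported. The README text in this same commit still says the parameter "is set to false by default", which now contradicts the code. The parameter list continues outside the hunk, and since this is the generated docs listing the edit belongs in the params manifest itself.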