Configure SSL

Continuous Delivery for Puppet Enterprise (PE) supports Secure Sockets Layer (SSL) (in practice, TLS) so that traffic to the instance is encrypted and clients can authenticate the server by its certificate.

Enabling SSL affects these elements of your Continuous Delivery for PE installation:
  • The web UI
  • Communication with Puppet agents running on job hardware nodes
  • OAuth applications used with some source control providers

SSL configuration requirements and prerequisites

Before enabling SSL on your system, review the following important information.

  1. Enabling SSL requires superuser permissions.
  2. Enabling SSL requires a restart of the Continuous Delivery for PE Docker container.
  3. If you installed Continuous Delivery for PE from the PE console: Before configuring SSL, you must install the cd4pe module, which automates upgrades of Continuous Delivery for PE and manages your configuration. For instructions, see Automate upgrades of Continuous Delivery for PE.
  4. If you are running legacy (now deprecated) Continuous Delivery agents on your job hardware: After configuring SSL, you must delete and reinstall the Continuous Delivery agent on all job hardware. See What to do next at the bottom of this page for instructions.

Setting up a new SSL configuration

Configure your Continuous Delivery for PE instance to use SSL by entering the CA certificate, server certificate, and server private key in the root console, and then updating your web UI endpoint to reflect the new DNS host and SSL port.

Before you begin
Review the SSL configuration requirements and prerequisites section above.
  1. Log into the root console by selecting Root console from the workspaces menu at the top of the Continuous Delivery for PE navigation bar or signing in as the root user.
  2. Click Settings and make sure you're viewing the Endpoints tab.
  3. In the Configure SSL area, paste in the CA certificate, server certificate, and server private key for your Continuous Delivery for PE host.
    Note: If you also have an intermediate CA certificate, paste both the CA certificate and the intermediate CA certificate into the CA certificate field.
    Note: Until SSL is enabled and the web UI endpoint is switched to https, the root console itself is reached over plain http, so paste the private key only from a network path you trust (for example, from the host itself).
  4. Optional: Click the toggle to Enable SSL.
    Note: You can save the information you've entered without enabling SSL. In that case the certificates are stored, and the private key is stored in encrypted form, until you're ready to enable SSL.
  5. Click Save SSL settings. If you've enabled SSL, proceed to the next step.
  6. In the Configure Endpoints area of the page, update the web UI endpoint. The format for the new web UI endpoint is https://<DNS_HOST>:<SSL_PORT>. By default, Continuous Delivery for PE uses port 8443 for SSL. <DNS_HOST> should be a name that the server certificate you pasted covers; otherwise browsers will warn about a name mismatch.

  7. Azure DevOps Services users: Update the backend service endpoint to use https. This change allows Azure DevOps Services webhooks to function correctly.
    Important: Continuous Delivery for PE does not support receiving webhooks over SSL. This step exists only to provide compatibility with Azure DevOps Services.
  8. Click Update endpoints.
  9. Stop and restart the Continuous Delivery for PE container by running the following as the superuser:
    service docker-cd4pe stop
    service docker-cd4pe start
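The root console does not tell you in advance whether the three pieces you paste in step 3 actually belong together. The following POSIX shell script is an added example, not part of Continuous Delivery for PE or its documentation: it builds a throwaway root CA, intermediate CA and server certificate (constructed test data), assembles the CA field contents as the page instructs (root plus intermediate), and then checks that the server certificate chains to that CA material, that the private key matches the server certificate, that the certificate covers the DNS host you will put in https://<DNS_HOST>:<SSL_PORT>, and that it has not expired. It assumes PEM files and a working openssl binary; the host name cd4pe.example.com is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example (not Continuous Delivery for PE code): pre-flight checks on
# the CA certificate(s), server certificate and private key before pasting
# them into Configure SSL. Uses only openssl. The host cd4pe.example.com and
# all generated certificates are constructed test data.
set -eu

# Write a minimal openssl config with the extension sections used below into $1.
write_openssl_config() {
  cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:cd4pe.example.com
EOF
}

# Generate constructed test material in directory $1: root CA, intermediate CA,
# a server certificate for cd4pe.example.com, the CA field contents, and an
# unrelated key for the mismatch case.
make_test_material() {
  dir=$1
  cnf=$dir/openssl.cnf
  write_openssl_config "$dir"
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
    -out "$dir/root.crt" -days 2 -subj "/CN=Example Root CA" \
    -config "$cnf" -extensions ca_ext 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int.key" \
    -out "$dir/int.csr" -subj "/CN=Example Intermediate CA" -config "$cnf" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 2 -out "$dir/int.crt" -extfile "$cnf" -extensions ca_ext 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
    -out "$dir/server.csr" -subj "/CN=cd4pe.example.com" -config "$cnf" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
    -CAcreateserial -days 2 -out "$dir/server.crt" -extfile "$cnf" -extensions server_ext 2>/dev/null
  # What goes into the "CA certificate" field: root CA plus intermediate CA.
  cat "$dir/root.crt" "$dir/int.crt" > "$dir/ca_field.pem"
  # A key that belongs to none of the certificates above, for the negative case.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/wrong.key" 2>/dev/null
}

# check_ssl_material CA_FIELD SERVER_CERT SERVER_KEY DNS_HOST
# Returns 0 when the material is consistent; otherwise prints why and returns 1.
check_ssl_material() {
  ca=$1 cert=$2 key=$3 host=$4
  # 1. The server certificate must chain to the pasted CA material only
  #    (-no-CApath keeps the system trust store out of the check).
  openssl verify -no-CApath -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "server certificate does not verify against the CA field"; return 1; }
  # 2. The private key must belong to the server certificate: compare public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not match the server certificate"; return 1; }
  # 3. The certificate must cover the DNS host used in https://<DNS_HOST>:<SSL_PORT>.
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" \
    || { echo "certificate does not cover $host"; return 1; }
  # 4. The certificate must still be valid right now.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired"; return 1; }
  echo "ok: $cert, $key and $ca are consistent for $host"
}

# Demo run on the constructed material.
workdir=$(mktemp -d)
make_test_material "$workdir"
check_ssl_material "$workdir/ca_field.pem" "$workdir/server.crt" "$workdir/server.key" cd4pe.example.com
```

To use it on real material, call check_ssl_material with the file you will paste into the CA certificate field (the root and intermediate concatenated), the server certificate, the private key, and the DNS host you intend to put in the web UI endpoint; a non-zero exit with one of the four reasons tells you what to fix before step 3, which is cheaper than discovering it after the container restart in step 9.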
Results
You can now access Continuous Delivery for PE over SSL by pointing your web browser to the new web UI endpoint you entered. Note that enabling SSL does not turn off plain http: access over both https and http remains allowed. If you need to prevent unencrypted access to the instance, restrict the http port at the network layer (for example, with a firewall or a reverse proxy in front of the host).
What to do next
If you are running legacy (now deprecated) Continuous Delivery agents on your job hardware: After configuring SSL, you must delete and reinstall the Continuous Delivery agent on all job hardware. To delete and reinstall an agent, SSH into your job hardware agent node and run the following:
sudo /usr/local/bin/distelli agent stop
sudo /usr/local/bin/distelli agent uninstall
sudo /usr/local/bin/distelli agent install
Note: The uninstall command prints an error of the form "POST not supported for resource /decommission-server/". This error is expected, and you can safely ignore it.