Configure SSL
Continuous Delivery for Puppet Enterprise (PE) supports the use of Secure Sockets Layer (SSL) for enhanced security when using the software.
When SSL is enabled, it impacts these elements of your Continuous Delivery for PE installation:
- The web UI
- Communication of Puppet agents running on job hardware nodes
- OAuth applications used with some source control providers
SSL configuration requirements and prerequisites
Before enabling SSL on your system, review the following important information.
- Enabling SSL requires super user permissions.
- Enabling SSL requires a restart of the Continuous Delivery for PE Docker container.
- If you installed Continuous Delivery for PE from the PE console: Before configuring SSL, you must install the cd4pe module, which automates upgrades of Continuous Delivery for PE and manages your configuration. For instructions, see Automate upgrades of Continuous Delivery for PE.
- If you are running legacy (now deprecated) Continuous Delivery agents on your job hardware: After configuring SSL you must delete and reinstall the Continuous Delivery agent on all job hardware. See What to do next at the bottom of this page for instructions.
Setting up a new SSL configuration
Configure your Continuous Delivery for PE instance to use SSL by entering the relevant certificates in the root console and then updating your web UI endpoint to reflect the new DNS host and SSL port.
Before you begin
Review the SSL configuration requirements and prerequisites section above.
Results
You can now access Continuous Delivery for PE over SSL by pointing your web browser to the new web UI endpoint you entered. Access over both https and http is allowed.
What to do next
If you are running legacy (now deprecated) Continuous Delivery agents on your job hardware: After configuring SSL you must delete and reinstall the Continuous Delivery agent on all job hardware. To delete and reinstall an agent, SSH into your job hardware agent node and run the following:
    sudo /usr/local/bin/distelli agent stop
    sudo /usr/local/bin/distelli agent uninstall
    sudo /usr/local/bin/distelli agent install
Note: The uninstall command throws an expected POST not supported for resource /decommission-server/ error. You can safely ignore this error.