Add missing parameters to mod_md

smortex · smortex · commit 3c73fc060f8a · 2026-01-16T11:19:16.000-10:00
A bunch of new parameters have been intruduced in mod_md.
Sync the module with the latest documentation from Apache to allow
to configure them.
diff --git a/manifests/mod/md.pp b/manifests/mod/md.pp
@@ -20,6 +20,12 @@
 # @param md_certificate_check
 #   -
 #
+# @param md_certificate_file
+#   Specify a static certificate file for the MD.
+#
+# @param md_certificate_key_file
+#   Specify a static private key for for the static cerrtificate.
+#
 # @param md_certificate_monitor
 #   The URL of a certificate log monitor.
 #
@@ -33,12 +39,27 @@
 #   Define a program to be called when the `dns-01` challenge needs to be
 #   setup/torn down.
 #
+# @param md_challenge_dns01_version
+#   Set the type of arguments to call MDChallengeDns01 with
+#
+# @param md_check_interval
+#   Determines how often certificates are checked
+#
 # @param md_contact_email
 #   The ACME protocol requires you to give a contact url when you sign up.
 #
+# @param md_external_account_binding
+#   Set the external account binding keyid and hmac values to use at CA
+#
 # @param md_http_proxy
 #   Define a proxy for outgoing connections.
 #
+# @param md_initial_delay
+#   How long to delay the first certificate check.
+#
+# @param md_match_names
+#   Determines how DNS names are matched to vhosts
+#
 # @param md_members
 #   Control if the alias domain names are automatically added.
 #
@@ -57,16 +78,31 @@
 # @param md_private_keys
 #   Set type and size of the private keys generated.
 #
+# @param md_profile
+#   Use a specific ACME profile from the CA
+#
+# @param md_profile_mandatory
+#   Control if an MDProfile is mandatory.
+#
 # @param md_renew_mode
 #   Controls if certificates shall be renewed.
 #
+# @param md_renew_via_ari
+#   usage of the ACME ARI extension (rfc9773).
+#
 # @param md_renew_window
 #   Control when a certificate will be renewed.
 #
 # @param md_require_https
 #   Redirects http: traffic to https: for Managed Domains.
 #   An http: Virtual Host must nevertheless be setup for that domain.
 #
+# @param md_retry_delay
+#   Time length for first retry, doubled on every consecutive error.
+#
+# @param md_retry_failover
+#   The number of errors before a failover to another CA is triggered
+#
 # @param md_server_status
 #   Control if Managed Domain information is added to server-status.
 #
@@ -85,6 +121,9 @@
 # @param md_store_dir
 #   Path on the local file system to store the Managed Domains data.
 #
+# @param md_store_locks
+#   Configure locking of store for updates
+#
 # @param md_warn_window
 #  Define the time window when you want to be warned about an expiring
 #  certificate.
@@ -99,27 +138,40 @@
   Optional[Enum['accepted']]                                $md_certificate_agreement  = undef,
   Optional[Stdlib::HTTPUrl]                                 $md_certificate_authority  = undef,
   Optional[String]                                          $md_certificate_check      = undef, # undocumented
+  Optional[Stdlib::Absolutepath]                            $md_certificate_file       = undef,
+  Optional[Stdlib::Absolutepath]                            $md_certificate_key_file   = undef,
   Optional[String]                                          $md_certificate_monitor    = undef,
   Optional[Enum['ACME']]                                    $md_certificate_protocol   = undef,
   Optional[Apache::OnOff]                                   $md_certificate_status     = undef,
   Optional[Stdlib::Absolutepath]                            $md_challenge_dns01        = undef,
+  Optional[Integer[1,2]]                                    $md_challenge_dns01_version = undef,
+  Optional[String]                                          $md_check_interval         = undef,
   Optional[String]                                          $md_contact_email          = undef,
+  Optional[String]                                          $md_external_account_binding = undef,
   Optional[Stdlib::HTTPUrl]                                 $md_http_proxy             = undef,
+  Optional[String]                                          $md_initial_delay          = undef,
+  Optional[String]                                          $md_match_names            = undef,
   Optional[Enum['auto', 'manual']]                          $md_members                = undef,
   Optional[Stdlib::Absolutepath]                            $md_message_cmd            = undef,
   Optional[Apache::OnOff]                                   $md_must_staple            = undef,
   Optional[Stdlib::Absolutepath]                            $md_notify_cmd             = undef,
   Optional[String]                                          $md_port_map               = undef,
   Optional[String]                                          $md_private_keys           = undef,
+  Optional[String]                                          $md_profile                = undef,
+  Optional[Apache::OnOff]                                   $md_profile_mandatory      = undef,
   Optional[Enum['always', 'auto', 'manual']]                $md_renew_mode             = undef,
+  Optional[Apache::OnOff]                                   $md_renew_via_ari          = undef,
   Optional[String]                                          $md_renew_window           = undef,
   Optional[Enum['off', 'permanent', 'temporary']]           $md_require_https          = undef,
+  Optional[String]                                          $md_retry_delay            = undef,
+  Optional[Integer[0]]                                      $md_retry_failover         = undef,
   Optional[Apache::OnOff]                                   $md_server_status          = undef,
   Optional[Apache::OnOff]                                   $md_staple_others          = undef,
   Optional[Apache::OnOff]                                   $md_stapling               = undef,
   Optional[String]                                          $md_stapling_keep_response = undef,
   Optional[String]                                          $md_stapling_renew_window  = undef,
   Optional[Stdlib::Absolutepath]                            $md_store_dir              = undef,
+  Optional[String]                                          $md_store_locks            = undef,
   Optional[String]                                          $md_warn_window            = undef,
 ) {
   include apache
diff --git a/spec/classes/mod/md_spec.rb b/spec/classes/mod/md_spec.rb
@@ -18,27 +18,40 @@
             'md_certificate_agreement' => { type: 'MDCertificateAgreement', pass_opt: 'MDCertificateAgreement' },
             'md_certificate_authority' => { type: 'URL', pass_opt: 'MDCertificateAuthority' },
             'md_certificate_check' => { type: 'String', pass_opt: 'MDCertificateCheck' },
+            'md_certificate_file' => { type: 'Path', pass_opt: 'MDCertificateFile' },
+            'md_certificate_key_file' => { type: 'Path', pass_opt: 'MDCertificateKeyFile' },
             'md_certificate_monitor' => { type: 'URL', pass_opt: 'MDCertificateMonitor' },
             'md_certificate_protocol' => { type: 'MDCertificateProtocol', pass_opt: 'MDCertificateProtocol' },
             'md_certificate_status' => { type: 'OnOff', pass_opt: 'MDCertificateStatus' },
             'md_challenge_dns01' => { type: 'Path', pass_opt: 'MDChallengeDns01' },
+            'md_challenge_dns01_version' => { type: 'Dns01Version', pass_opt: 'MDChallengeDns01Version' },
+            'md_check_interval' => { type: 'Duration', pass_opt: 'MDCheckInterval' },
             'md_contact_email' => { type: 'EMail', pass_opt: 'MDContactEmail' },
+            'md_external_account_binding' => { type: 'Path', pass_opt: 'MDExternalAccountBinding' },
             'md_http_proxy' => { type: 'URL', pass_opt: 'MDHttpProxy' },
+            'md_initial_delay' => { type: 'Duration', pass_opt: 'MDInitialDelay' },
+            'md_match_names' => { type: 'String', pass_opt: 'MDMatchNames' },
             'md_members' => { type: 'MDMembers', pass_opt: 'MDMembers' },
             'md_message_cmd' => { type: 'Path', pass_opt: 'MDMessageCmd' },
             'md_must_staple' => { type: 'OnOff', pass_opt: 'MDMustStaple' },
             'md_notify_cmd' => { type: 'Path', pass_opt: 'MDNotifyCmd' },
             'md_port_map' => { type: 'String', pass_opt: 'MDPortMap' },
             'md_private_keys' => { type: 'String', pass_opt: 'MDPrivateKeys' },
+            'md_profile' => { type: 'String', pass_opt: 'MDProfile' },
+            'md_profile_mandatory' => { type: 'OnOff', pass_opt: 'MDProfileMandatory' },
             'md_renew_mode' => { type: 'MDRenewMode', pass_opt: 'MDRenewMode' },
+            'md_renew_via_ari' => { type: 'OnOff', pass_opt: 'MDRenewViaARI' },
             'md_renew_window' => { type: 'Duration', pass_opt: 'MDRenewWindow' },
             'md_require_https' => { type: 'MDRequireHttps', pass_opt: 'MDRequireHttps' },
+            'md_retry_delay' => { type: 'Duration', pass_opt: 'MDRetryDelay' },
+            'md_retry_failover' => { type: 'Integer', pass_opt: 'MDRetryFailover' },
             'md_server_status' => { type: 'OnOff', pass_opt: 'MDServerStatus' },
             'md_staple_others' => { type: 'OnOff', pass_opt: 'MDStapleOthers' },
             'md_stapling' => { type: 'OnOff', pass_opt: 'MDStapling' },
             'md_stapling_keep_response' => { type: 'Duration', pass_opt: 'MDStaplingKeepResponse' },
             'md_stapling_renew_window' => { type: 'Duration', pass_opt: 'MDStaplingRenewWindow' },
             'md_store_dir' => { type: 'Path', pass_opt: 'MDStoreDir' },
+            'md_store_locks' => { type: 'Path', pass_opt: 'MDStoreLocks' },
             'md_warn_window' => { type: 'Duration', pass_opt: 'MDWarnWindow' }
           }
 
@@ -64,6 +77,17 @@
                     { puppetized_config_option.to_sym => valid_value }
                   end
 
+                  it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) }
+                end
+              end
+            when 'Dns01Version'
+              valid_config_values = [1, 2]
+              valid_config_values.each do |valid_value|
+                describe "with #{puppetized_config_option} => #{valid_value}" do
+                  let :params do
+                    { puppetized_config_option.to_sym => valid_value }
+                  end
+
                   it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) }
                 end
               end
@@ -130,6 +154,17 @@
                     { puppetized_config_option.to_sym => valid_value }
                   end
 
+                  it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) }
+                end
+              end
+            when 'Integer'
+              valid_config_values = [42]
+              valid_config_values.each do |valid_value|
+                describe "with #{puppetized_config_option} => #{valid_value}" do
+                  let :params do
+                    { puppetized_config_option.to_sym => valid_value }
+                  end
+
                   it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) }
                 end
               end
diff --git a/templates/mod/md.conf.epp b/templates/mod/md.conf.epp
@@ -16,6 +16,12 @@ MDCertificateAuthority <%= $apache::mod::md::md_certificate_authority %>
 <% if $apache::mod::md::md_certificate_check { -%>
 MDCertificateCheck <%= $apache::mod::md::md_certificate_check %>
 <% } -%>
+<% if $apache::mod::md::md_certificate_file { -%>
+MDCertificateFile "<%= $apache::mod::md::md_certificate_file %>"
+<% } -%>
+<% if $apache::mod::md::md_certificate_key_file { -%>
+MDCertificateKeyFile "<%= $apache::mod::md::md_certificate_key_file %>"
+<% } -%>
 <% if $apache::mod::md::md_certificate_monitor { -%>
 MDCertificateMonitor <%= $apache::mod::md::md_certificate_monitor %>
 <% } -%>
@@ -28,12 +34,27 @@ MDCertificateStatus <%= $apache::mod::md::md_certificate_status %>
 <% if $apache::mod::md::md_challenge_dns01 { -%>
 MDChallengeDns01 "<%= $apache::mod::md::md_challenge_dns01 %>"
 <% } -%>
+<% if $apache::mod::md::md_challenge_dns01_version { -%>
+MDChallengeDns01Version <%= $apache::mod::md::md_challenge_dns01_version %>
+<% } -%>
+<% if $apache::mod::md::md_check_interval { -%>
+MDCheckInterval <%= $apache::mod::md::md_check_interval %>
+<% } -%>
 <% if $apache::mod::md::md_contact_email { -%>
 MDContactEmail <%= $apache::mod::md::md_contact_email %>
 <% } -%>
+<% if $apache::mod::md::md_external_account_binding { -%>
+MDExternalAccountBinding "<%= $apache::mod::md::md_external_account_binding %>"
+<% } -%>
 <% if $apache::mod::md::md_http_proxy { -%>
 MDHttpProxy <%= $apache::mod::md::md_http_proxy %>
 <% } -%>
+<% if $apache::mod::md::md_initial_delay { -%>
+MDInitialDelay <%= $apache::mod::md::md_initial_delay %>
+<% } -%>
+<% if $apache::mod::md::md_match_names { -%>
+MDMatchNames <%= $apache::mod::md::md_match_names %>
+<% } -%>
 <% if $apache::mod::md::md_members { -%>
 MDMembers <%= $apache::mod::md::md_members %>
 <% } -%>
@@ -52,15 +73,30 @@ MDPortMap <%= $apache::mod::md::md_port_map %>
 <% if $apache::mod::md::md_private_keys { -%>
 MDPrivateKeys <%= $apache::mod::md::md_private_keys %>
 <% } -%>
+<% if $apache::mod::md::md_profile { -%>
+MDProfile <%= $apache::mod::md::md_profile %>
+<% } -%>
+<% if $apache::mod::md::md_profile_mandatory { -%>
+MDProfileMandatory <%= $apache::mod::md::md_profile_mandatory %>
+<% } -%>
 <% if $apache::mod::md::md_renew_mode { -%>
 MDRenewMode <%= $apache::mod::md::md_renew_mode %>
 <% } -%>
+<% if $apache::mod::md::md_renew_via_ari { -%>
+MDRenewViaARI <%= $apache::mod::md::md_renew_via_ari %>
+<% } -%>
 <% if $apache::mod::md::md_renew_window { -%>
 MDRenewWindow <%= $apache::mod::md::md_renew_window %>
 <% } -%>
 <% if $apache::mod::md::md_require_https { -%>
 MDRequireHttps <%= $apache::mod::md::md_require_https %>
 <% } -%>
+<% if $apache::mod::md::md_retry_delay { -%>
+MDRetryDelay <%= $apache::mod::md::md_retry_delay %>
+<% } -%>
+<% if $apache::mod::md::md_retry_failover { -%>
+MDRetryFailover <%= $apache::mod::md::md_retry_failover %>
+<% } -%>
 <% if $apache::mod::md::md_server_status { -%>
 MDServerStatus <%= $apache::mod::md::md_server_status %>
 <% } -%>
@@ -79,6 +115,9 @@ MDStaplingRenewWindow <%= $apache::mod::md::md_stapling_renew_window %>
 <% if $apache::mod::md::md_store_dir { -%>
 MDStoreDir "<%= $apache::mod::md::md_store_dir %>"
 <% } -%>
+<% if $apache::mod::md::md_store_locks { -%>
+MDStoreLocks "<%= $apache::mod::md::md_store_locks %>"
+<% } -%>
 <% if $apache::mod::md::md_warn_window { -%>
 MDWarnWindow <%= $apache::mod::md::md_warn_window %>
 <% } -%>
