Allow to use the same domain multiple times with mod_md

When using mod_md to manage TLS certificates, a domain can only appear once as a parameter of a MDomain configuration. When a single node configue multiple Virtual Hosts to serve the same website on different IP Addresses or on different ports, and we want to use mod_md to manage the TLS certificate, the current code produce a MDomain entry in each virtual host, leading to configuration error and preventing apache from starting. This commit rework how the MDomain setting is emitted, and ensure it is only output once even if multiple Virtual Hosts configure the same domain.
puppetlabs · Jan 9, 2025 · b1f108a · b1f108a
1 parent 00d529d
commit b1f108a
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 12 deletions.
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
@@ -2239,7 +2239,6 @@
   $file_header_params = {
     'comment'               => $comment,
     'nvh_addr_port'         => $nvh_addr_port,
-    'mdomain'               => $mdomain,
     'servername'            => $servername,
     'define'                => $define,
     'protocols'             => $protocols,
@@ -2257,6 +2256,19 @@
     content => epp('apache/vhost/_file_header.epp', $file_header_params),
   }
 
+  if $mdomain {
+    # Multiple VHosts can configure the same domain on different ports.
+    # Apache will fail if multile MDomain directive are set, so ensure we define it only for the first virutal host of each domain.
+    ensure_resource('file', "${servername}-mod_md", {
+        ensure  => file,
+        path    => "${apache::confd_dir}/mdomain-${servername}.conf",
+        mode    => $apache::file_mode,
+        content => epp('apache/mdomain.epp', { mdomain => $mdomain, servername => $servername }),
+        require => File[$apache::confd_dir],
+        notify  => Class['apache::service'],
+    })
+  }
+
   if $docroot and $ensure == 'present' {
     if $virtual_docroot {
       include apache::mod::vhost_alias

diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb
@@ -966,7 +966,7 @@
           it { is_expected.to contain_class('apache::mod::md') }
 
           it {
-            expect(subject).to contain_concat__fragment('rspec.example.com-apache-header').with(
+            expect(subject).to contain_file('example.com-mod_md').with(
               content: %r{^MDomain example\.com example\.net auto$},
             )
           }
@@ -2166,7 +2166,7 @@
           end
 
           it {
-            expect(subject).to contain_concat__fragment('rspec.example.com-apache-header').with(
+            expect(subject).to contain_file('rspec.example.com-mod_md').with(
               content: %r{^MDomain rspec.example.com$},
             )
           }

diff --git a/templates/mdomain.epp b/templates/mdomain.epp
@@ -0,0 +1,11 @@
+<%- |
+  Variant[Boolean, String[1]] $mdomain,
+  String[1]                   $servername,
+| -%>
+<%- if $mdomain { -%>
+  <%- if $mdomain =~ String { -%>
+MDomain <%= $mdomain %>
+  <%-} else {-%>
+MDomain <%= $servername %>
+  <%- } -%>
+<% } -%>
diff --git a/templates/vhost/_file_header.epp b/templates/vhost/_file_header.epp
@@ -3,15 +3,6 @@
 # Managed by Puppet
 # ************************************
 <%= [$comment].flatten.map |$c| { "# ${c}" }.join("\n") -%>
-<%- if $mdomain { -%>
-
-  <%- if $mdomain =~ String { -%>
-
-MDomain <%= $mdomain %>
-  <%-} else {-%>
-MDomain <%= $servername %>
-  <%- } -%>
-<% } -%>
 
 <VirtualHost <%= [$nvh_addr_port].flatten().filter |$value| { $value }.join(' ') %>>
 <% $define.each | $k, $v| { -%>