hiera resources don't process ssl locations properly #106

Closed
vrillusions opened this issue Aug 4, 2013 · 8 comments

@vrillusions
Contributor

Wanted to use hiera for the virtualhost configuration but running into an error I couldn't figure out the cause of.

This does not work:

nginx::nginx_vhosts:
  'MY.EXAMPLE.com':
    ipv6_enable: true
    www_root: '/srv/www/default/public/'
    ssl: true
    ssl_cert: 'puppet:///modules/local/EXAMPLE.com-wildcard-with_intermed.crt'
    ssl_key: 'puppet:///modules/local/EXAMPLE.com-wildcard.key'

But removing above and adding this to node def does:

  nginx::resource::vhost { 'MY.EXAMPLE.com':
    ensure      => present,
    ipv6_enable => true,
    www_root    => '/srv/www/default/public/',
    ssl         => true,
    ssl_cert    => 'puppet:///modules/local/EXAMPLE.com-wildcard-with_intermed.crt',
    ssl_key     => 'puppet:///modules/local/EXAMPLE.com-wildcard.key',
  }

The error I get (I did some linewraps instead of it being a single long line):

Error: Failed to apply catalog: Validation of File[/etc/nginx/MY.EXAMPLE.com.crt]
failed: You cannot specify more than one of content, source, target at 
/etc/puppet/modules/nginx/manifests/resource/vhost.pp:209

As all I see for that resource is a source type I'm not sure why it sees something else. I've tried turning on debug mode on both server and client and didn't see anything useful come through.

@vrillusions
Contributor Author

This was based off v0.0.2 released on puppet forge. I pulled down master since I ran into issue #101 and tried it again and failed:

Error: Failed to apply catalog: Validation of File[/etc/nginx/MY.EXAMPLE.com.crt] failed: 
You cannot specify more than one of content, source, target at 
/etc/puppet/modules/nginx/manifests/resource/vhost.pp:217

Btw this is puppet version 3.2.3 and hiera 1.2.1 (versions are the same on both the node and master)

@jfryman
Contributor

jfryman commented Aug 4, 2013

/cc @xcompass Any thoughts, good sir?

@xcompass
Contributor

xcompass commented Aug 4, 2013

It seems you have defined the certificate file /etc/nginx/MY.EXAMPLE.com.crt to be created somewhere else. Could you take a look at your manifest to see if you are creating the certificate in another vhost or server configuration?

@xcompass
Contributor

xcompass commented Aug 4, 2013

Are you using a wildcard certificate on multiple vhosts on the same server? If yes, I think I know the problem. I'll send a pull request later today. Got to go now.

xcompass added a commit to ubc/puppet-nginx that referenced this issue Aug 4, 2013
@xcompass
Contributor

xcompass commented Aug 4, 2013

Haha, got some time before I take off. @vrillusions could you please give it a try? Thanks.

@xcompass
Contributor

xcompass commented Aug 4, 2013

Updated to use ensure_resource
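
The thread's fix is described as switching to `ensure_resource` for a wildcard certificate shared by several vhosts. The following is an added illustration of that pattern, not code from this thread or from the puppet-nginx module; the defined type `example::tls_vhost`, the naming of the on-disk files after the certificate source, and the owner/mode values are assumptions, and `ensure_resource` comes from puppetlabs-stdlib.

```puppet
# Added illustration; example::tls_vhost and its paths are hypothetical.
# Requires puppetlabs-stdlib for ensure_resource().
define example::tls_vhost (
  $ssl_cert,
  $ssl_key,
  $conf_dir = '/etc/nginx',
) {
  # Derive the on-disk name from the certificate source, so every vhost that
  # uses the same wildcard certificate maps to the same File title.
  $cert_name = regsubst($ssl_cert, '^.*/([^/]+)\.crt$', '\1')

  # A plain `file { "${conf_dir}/${cert_name}.crt": ... }` here would be
  # declared once per vhost and fail compilation as a duplicate declaration.
  # ensure_resource() adds the resource only when an identical one is not
  # already in the catalog; if callers pass different parameters for the
  # same title, compilation still fails.
  ensure_resource('file', "${conf_dir}/${cert_name}.crt", {
    'ensure' => 'file',
    'owner'  => 'root',
    'mode'   => '0644',
    'source' => $ssl_cert,
  })
  ensure_resource('file', "${conf_dir}/${cert_name}.key", {
    'ensure' => 'file',
    'owner'  => 'root',
    'mode'   => '0600',  # private key: readable by root only
    'source' => $ssl_key,
  })
}

# Constructed usage: two vhosts sharing one wildcard certificate.
example::tls_vhost { 'a.example.com':
  ssl_cert => 'puppet:///modules/local/example.com-wildcard.crt',
  ssl_key  => 'puppet:///modules/local/example.com-wildcard.key',
}
example::tls_vhost { 'b.example.com':
  ssl_cert => 'puppet:///modules/local/example.com-wildcard.crt',
  ssl_key  => 'puppet:///modules/local/example.com-wildcard.key',
}
```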

@jfryman jfryman closed this as completed in 126fb41 Aug 4, 2013
jfryman pushed a commit that referenced this issue Aug 4, 2013
Fix #106 when using wildcard certificate on multiple vhosts
@jfryman
Contributor

jfryman commented Aug 4, 2013

I've pushed v0.0.3 to the Forge. Give it a shot!

@vrillusions
Contributor Author

Good news is it worked. Strange thing is, I didn't use that wildcard for a bunch of things. Here's the entire config. Also I've now just obscured the hostname to HNAME for the main site (not like you couldn't guess the domain name :) ) although I did have to completely blank out the other vhost still, but it doesn't use ssl. I did have some location resources but I removed them for this test to eliminate places to fail:

# /etc/puppet/manifests/nodes/HNAME.vrillusions.com.pp
node 'HNAME.vrillusions.com' {
  include 'baseclass'
  include 'nginx'

  #nginx::resource::vhost { 'HNAME.TLD':
  #  ensure      => present,
  #  www_root    => '/srv/www/HNAME.TLD/public/',
  #  index_files => [ 'index.html' ],
  #}

  #nginx::resource::vhost { 'HNAME.vrillusions.com':
  #  ensure      => present,
  #  ipv6_enable => true,
  #  www_root    => '/srv/www/default/public',
  #  ssl         => true,
  #  ssl_cert    => 'puppet:///modules/local/vrillusions.com-wildcard-with_intermed.crt',
  #  ssl_key     => 'puppet:///modules/local/vrillusions.com-wildcard.key',
  #  ssl_ciphers => 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA:!ADH:!aNULL:!MD5',
  #}
  # -- removed location resources as they weren't in the hiera config yet either --
}
# it's in a larger template.pp but this is the baseclass
class baseclass {
  include 'local'
  include 'stdlib'
  include 'plugins'
  include 'resolv'
  include 'puppet::client'
  include 'ssh'

  create_resources('host', hiera_hash('resources::host', []))
  create_resources('ssh_authorized_key', hiera_hash('resources::ssh_authorized_key', []))
  create_resources('user', hiera_hash('resources::user', []))
}
# HNAME.vrillusions.com.yaml
# there's also environment level and defaults but those just set ssh options and such
---
nginx::confd_purge: true
nginx::server_tokens: 'off'
nginx::nginx_vhosts:
  'HNAME.TLD':
    www_root: '/srv/www/HNAME.TLD/public/'
    index_files:
      'index.html'
  'HNAME.vrillusions.com':
    ensure: present
    ipv6_enable: true
    www_root: '/srv/www/default/public'
    ssl: true
    ssl_cert: 'puppet:///modules/local/vrillusions.com-wildcard-with_intermed.crt'
    ssl_key: 'puppet:///modules/local/vrillusions.com-wildcard.key'
    ssl_ciphers: 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA:!ADH:!aNULL:!MD5'

If I comment out the nginx::nginx_vhosts section and uncomment the section in the node def there are no changes. Also erased the ssl files to verify they do actually get created and work. So not sure why it would think it's defined twice, especially when it should have complained about duplicate resources, but it does work now. And this was with v0.0.3 on forge as I just read that before starting this. Thanks.

(edit)
removed the comment from yaml about ssl not working now :)

cegeka-jenkins pushed a commit to cegeka/puppet-nginx that referenced this issue Oct 23, 2017