Continuous Delivery for Puppet Enterprise (PE) supports the use of Secure Sockets Layer (SSL) for enhanced security when using the software.
- The web UI
- Communication of Puppet agents running on job hardware nodes
- OAuth applications used with some source control providers
SSL configuration requirements and prerequisites
Before enabling SSL on your system, review the following important information.
- Enabling SSL requires super user permissions.
- Enabling SSL requires a restart of the Continuous Delivery for PE Docker container.
If you installed Continuous Delivery for PE from the PE
console: Before configuring SSL, you must install the
cd4pemodule, which automates upgrades of Continuous Delivery for PE and manages your configuration. For instructions, see Automate upgrades of Continuous Delivery for PE.
- If you are running legacy (now deprecated) Continuous Delivery agents on your job hardware: After configuring SSL you must delete and reinstall the Continuous Delivery agent on all job hardware. See What to do next at the bottom of this page for instructions.
Setting up a new SSL configuration
Configure your Continuous Delivery for PE instance to use SSL by entering the relevant certificates in the root console and then updating your web UI endpoint to reflect the new DNS host and SSL port.
- Log into the root console by selecting Root console from the workspaces menu at the top of the Continuous Delivery for PE navigation bar or signing in as the root user.
- Click Settings and make sure you're viewing the Endpoints tab.
In the Configure SSL area, paste in the CA certificate, server
certificate, and server private key for your Continuous Delivery for PE host.
Note: If you also have an intermediary CA certificate, paste both the CA certificate and the intermediary CA certificate into the CA certificate field.
Click the toggle to Enable SSL.
Note: You can leave your SSL configuration disabled and save the information you've entered. If SSL information is entered and saved but not enabled, your certificates are saved and the private key is saved in an encrypted format until you're ready to enable SSL.
- Click Save SSL settings. If you've enabled SSL, proceed to the next step.
In the Configure Endpoints area of the page, update the web UI
endpoint. The format for the new web UI endpoint is
By default, Continuous Delivery for PE uses port 8443 for SSL.
Azure DevOps Services users: Update the backend service
endpoint to use
https. This change allows Azure DevOps Services webhooks to function correctly.Important: Continuous Delivery for PE does not support webhooks using SSL. This step is only to provide compatibility with Azure DevOps Services.
- Click Update endpoints.
Stop and restart the Continuous Delivery for PE
container by running the following:
service docker-cd4pe stop service docker-cd4pe start
sudo /usr/local/bin/distelli agent stop sudo /usr/local/bin/distelli agent uninstall sudo /usr/local/bin/distelli agent install
uninstallcommand throws an expected
POST not supported for resource /decommission-server/error. You can safely ignore this error.