Ansible Role to generate certificates
Ansible Role - Certificate Generator

Ansible role to create certificates for use on a Linux server.

Molecule Logs: Short, Full

Tested:

  • Debian 11
  • Debian 12

Install

# latest
ansible-galaxy role install git+https://github.com/ansibleguy/infra_certs

# from galaxy
ansible-galaxy install ansibleguy.infra_certs

# or to custom role-path
ansible-galaxy install ansibleguy.infra_certs --roles-path ./roles

# install dependencies
ansible-galaxy install -r requirements.yml

Functionality

  • Package installation

    • Ansible dependencies (minimal)
    • Crypto Dependencies
  • Configuration

    • Four Possible Modes:

      • Generate Self-Signed certificate
      • Use a minimal Certificate Authority to create signed certificates
      • Configure LetsEncrypt-Certbot to generate publicly valid certificates
        • Supported for Nginx and Apache
        • Host needs to have a valid public dns record pointed at it
        • Needs to be publicly reachable over port 80/tcp
    • Default config:

      • Mode => Self-Signed

Info

  • Note: this role currently only supports Debian-based systems

  • Note: Most of the role's functionality can be opted in or out.

    For all available options, see the default config located in the main defaults file!

  • Note: If you need to manage certificates at scale, you might want to check out the ansibleguy.infra_pki role, which lets you create and manage a full Public Key Infrastructure.

  • Note: The certificate file name (the 'name' variable if defined, otherwise the CommonName) will be normalized:

    • spaces are transformed into underscores
    • all characters except "0-9a-zA-Z." are removed
    • the file extension (crt/chain.crt/key/csr) is appended
  • Warning: Not every setting/variable you provide is checked for validity. A bad config might break the role!

  • Info: For LetsEncrypt renewal to work, you must allow outgoing connections on:

    80/tcp and 443/tcp+udp to acme-v02.api.letsencrypt.org, staging-v02.api.letsencrypt.org (debug mode) and r3.o.lencr.org
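The file-name normalization described in the note above determines which paths the role writes to, and two differently named certificates can collapse onto the same file name after normalization. The following Python snippet is an added example (not the role's own filter code) that reproduces the documented rules and flags such collisions; it assumes that underscores survive the character filter (the README's literal rule would otherwise strip the underscores it just inserted) and uses constructed sample input.

```python
import re
from collections import defaultdict

# Constructed example: reproduces the file-name normalization the README
# describes. Assumption: '_' is kept alongside 0-9a-zA-Z., otherwise the
# space-to-underscore step would be undone by the character filter.
DISALLOWED = re.compile(r'[^0-9a-zA-Z._]')
EXTENSIONS = ('crt', 'chain.crt', 'key', 'csr')


def cert_basename(cert: dict) -> str:
    """Base file name: the 'name' variable if set, otherwise the CommonName."""
    raw = cert.get('name') or cert['cn']
    with_underscores = raw.replace(' ', '_')       # rule 1: spaces -> underscores
    cleaned = DISALLOWED.sub('', with_underscores)  # rule 2: drop everything else
    if not cleaned:
        raise ValueError(f'certificate name {raw!r} leaves no usable characters')
    return cleaned


def cert_files(cert: dict, path: str) -> dict:
    """Map each extension (rule 3) to the path the role would write under 'path'."""
    base = cert_basename(cert)
    return {ext: f'{path.rstrip("/")}/{base}.{ext}' for ext in EXTENSIONS}


def find_collisions(certs: list) -> dict:
    """Return {normalized_name: [raw names]} for names that would share files."""
    seen = defaultdict(list)
    for cert in certs:
        seen[cert_basename(cert)].append(cert.get('name') or cert['cn'])
    return {base: raws for base, raws in seen.items() if len(raws) > 1}


if __name__ == '__main__':
    # constructed sample input
    sample = [
        {'cn': 'My great certificate!'},
        {'cn': 'My great certificate'},
        {'name': 'custom_file_name', 'cn': 'ignored when name is set'},
    ]
    for ext, p in cert_files(sample[0], '/etc/nginx/ssl').items():
        print(f'{ext:10} {p}')
    print('collisions:', find_collisions(sample))
```

Running it shows that `My great certificate!` and `My great certificate` both become `My_great_certificate` and would overwrite each other's key and certificate files; checking for this before a run is cheaper than diagnosing a mismatched key/cert pair afterwards.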

Usage

You want a simple Ansible GUI? Check out my Ansible WebUI

Notes

The self-signed and minimal-ca modes will only create a single certificate per run.

Re-runs can save some overhead by using the 'certs' tag.

The LetsEncrypt mode will create/remove multiple certificates as defined.

Config

Example for LetsEncrypt config:

certs:
  mode: 'le_certbot'
  path: '/etc/apache2/ssl'
  letsencrypt:
    certs:
      myNiceSite:
        domains: ['myRandomSite.net', 'ansibleguy.net']
        email: 'certs@template.ansibleguy.net'
    service: 'apache'

Example for Self-Signed config:

certs:
  mode: 'selfsigned'
  # choose 'ca' instead if you use dns-names
  #   some browsers won't let you connect when using self-signed ones
  path: '/etc/nginx/ssl'
  group_key: 'nginx'
  owner_cert: 'nginx'
  cert:
    cn: 'My great certificate!'
    org: 'AnsibleGuy'
    country: 'AT'
    email: 'certs@template.ansibleguy.net'
    domains: ['mySoGreat.site', 'ansibleguy.net']
    ips: ['192.168.44.2']
    pwd: !vault ...

Example for minimal-CA config:

certs:
  mode: 'ca'
  path: '/etc/ca/certs'
  mode_key: '0400'
  cert:
    name: 'custom_file_name'  # extension will be appended
    cn: 'My great certificate!'
    org: 'AnsibleGuy'
    country: 'AT'
    email: 'certs@template.ansibleguy.net'
    domains: ['mySoGreat.site', 'ansibleguy.net']
  ca:
    path: '/etc/ca'
    cn: 'SUPER CertificateAuthority'
    org: 'AnsibleGuy'
    country: 'AT'
    email: 'certs@template.ansibleguy.net'
    pwd: !vault ...

Using the minimal-CA you can create multiple certificates signed by the CA by re-running the role with changed 'cert' settings.

You might want to use 'ansible-vault' to encrypt your passwords:

ansible-vault encrypt_string

Execution

Run the playbook:

ansible-playbook -K -D -i inventory/hosts.yml playbook.yml --ask-vault-pass

There are also some useful tags available:

  • certs => ignore ca tasks; only generate certs
  • selfsigned
  • config
  • certs

To debug errors, you can set the 'debug' variable at runtime:

ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yes