public_git
/
ansibleguy.infra_mariadb
mirror of https://github.com/ansibleguy/infra_certs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Ansible Role to generate certificates
107 Commits 1 Branch 0 Tags 388 KiB
Python 72%
Jinja 28%
Go to file
Rath Pascal 14a86fe834 updating namespace and links of role 2025-10-25 15:22:35 +02:00
.github updating namespace and links of role 2025-10-25 15:22:35 +02:00
defaults/main updating namespace and links of role 2025-10-25 15:22:35 +02:00
filter_plugins minor fixes 2025-10-25 01:22:38 +02:00
meta updating namespace and links of role 2025-10-25 15:22:35 +02:00
molecule/default updating namespace and links of role 2025-10-25 15:22:35 +02:00
tasks updating namespace and links of role 2025-10-25 15:22:35 +02:00
templates/etc updating namespace and links of role 2025-10-25 15:22:35 +02:00
.ansible-lint.yml lint fixes 2023-01-05 21:38:08 +01:00
.pylintrc update pylint config 2024-10-06 13:40:28 +02:00
.yamllint update ci 2025-02-15 13:32:07 +01:00
LICENSE.txt updating namespace and links of role 2025-10-25 15:22:35 +02:00
README.md updating namespace and links of role 2025-10-25 15:22:35 +02:00
playbook.yml updating namespace and links of role 2025-10-25 15:22:35 +02:00
requirements.yml minor fix 2024-03-03 21:44:15 +01:00
requirements_lint.txt added github workflow for linting 2023-07-14 18:17:19 +02:00

README.md

Ansible Role - Certificate Generator

Ansible Role to create certificates to use on a linux server.

Lint Ansible Galaxy

Molecule Integration-Tests:

Internal CI: Tester Role | Jobs API

Tested:

  • Debian 11
  • Debian 12

Install

# latest
ansible-galaxy role install git+https://github.com/O-X-L/ansible-role-certs

# from galaxy
ansible-galaxy install oxlorg.certs

# or to custom role-path
ansible-galaxy install oxlorg.certs --roles-path ./roles

# install dependencies
ansible-galaxy install -r requirements.yml

Usage

Notes

The self-signed and minimal-ca modes will only create a single certificate per run.

Re-runs can save some overhead by using the 'certs' tag.

The LetsEncrypt mode will create/remove multiple certificates as defined.

Config

Example for LetsEncrypt config:

certs:
  mode: 'le_certbot'
  path: '/etc/apache2/ssl'
  letsencrypt:
    certs:
      myNiceSite:
        domains: ['myRandomSite.net', 'oxl.at']
        email: 'certs@template.oxl.at'
    service: 'apache'

Example for Self-Signed config:

certs:
  mode: 'selfsigned'  # or 'snakeoil' (if faster)
  # choose 'ca' instead if you use dns-names
  #   some browsers won't let you connect when using self-signed ones
  path: '/etc/nginx/ssl'
  group_key: 'nginx'
  owner_cert: 'nginx'
  cert:
    cn: 'My great certificate!'
    org: 'AnsibleGuy'
    country: 'AT'
    email: 'certs@template.oxl.at'
    domains: ['mySoGreat.site', 'oxl.at']
    ips: ['192.168.44.2']
    pwd: !vault ...

Example for minimal-CA config:

certs:
  mode: 'ca'
  path: '/etc/ca/certs'
  mode_key: '0400'
  cert:
    name: 'custom_file_name'  # extension will be appended
    cn: 'My great certificate!'
    org: 'AnsibleGuy'
    country: 'AT'
    email: 'certs@template.oxl.at'
    domains: ['mySoGreat.site', 'oxl.at']
  ca:
    path: '/etc/ca'
    cn: 'SUPER CertificateAuthority'
    org: 'AnsibleGuy'
    country: 'AT'
    email: 'certs@template.oxl.at'
    pwd: !vault ...

Using the minimal-CA you can create multiple certificates signed by the CA by re-running the role with changed 'cert' settings.

You might want to use 'ansible-vault' to encrypt your passwords:

ansible-vault encrypt_string

Execution

Run the playbook:

ansible-playbook -K -D -i inventory/hosts.yml playbook.yml --ask-vault-pass

There are also some useful tags available:

  • certs => ignore ca tasks; only generate certs
  • selfsigned
  • config
  • certs

To debug errors - you can set the 'debug' variable at runtime:

ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yes

Functionality

  • Package installation

    • Ansible dependencies (minimal)
    • Crypto Dependencies

  • Configuration

    • Four Possible Modes:

      • Generate Self-Signed certificate
      • Use a minimal Certificate Authority to create signed certificates
      • Configure LetsEncrypt-Certbot to generate publicly valid certificates
        • Supported for Nginx and Apache
        • Host needs to have a valid public dns record pointed at it
        • Needs to be publicly reachable over port 80/tcp

    • Default config:

      • Mode => Self-Signed

Info

  • Note: this role currently only supports debian-based systems

  • Note: Most of the role's functionality can be opted in or out.

    For all available options - see the default-config located in the main defaults-file!

  • Note: If you have the need to mass manage certificates - you might want to check out the oxlorg.pki role that enables you to create and manage a full Public Key Infrastructure.

  • Note: The certificate file-name (name variable as defined or else CommonName) will be updated:

    • spaces are transformed into underlines
    • all Characters except "0-9a-zA-Z." are removed
    • the file-extension (crt/chain.crt/key/csr) will be appended

  • Warning: Not every setting/variable you provide will be checked for validity. Bad config might break the role!

  • Info: For LetsEncrypt renewal to work, you must allow outgoing connections to:

    80/tcp, 443/tcp+udp to acme-v02.api.letsencrypt.org, staging-v02.api.letsencrypt.org (debug mode) and r3.o.lencr.org