8ef970d32a
|
||
|---|---|---|
| .github | ||
| defaults | ||
| filter_plugins | ||
| meta | ||
| tasks | ||
| templates/etc | ||
| .ansible-lint.yml | ||
| .yamllint | ||
| LICENSE.txt | ||
| README.md | ||
| playbook.yml | ||
| requirements.yml | ||
README.md
Ansible Role - Certificate Generator
Ansible Role to create certificates to use on a linux server.
Tested:
- Debian 11
Functionality
-
Package installation
- Ansible dependencies (minimal)
- Crypto Dependencies
-
Configuration
-
Four Possible Modes:
- Generate Self-Signed certificate
- Use a minimal Certificate Authority to create signed certificates
- Configure LetsEncrypt-Certbot to generate publicly valid certificates
- Supported for Nginx and Apache
- Host needs to have a valid public dns record pointed at it
- Needs to be publicly reachable over port 80/tcp
- Use a proper Certificate Authority (full PKI) to create signed certificates => not yet available
-
Default config:
- Mode => Self-Signed
-
Info
-
Note: this role currently only supports debian-based systems
-
Note: Most of the role's functionality can be opted in or out.
For all available options - see the default-config located in the main defaults-file!
-
Note: The certificate file-name (name variable as defined or else CommonName) will be updated:
- spaces are transformed into underlines
- all Characters except "0-9a-zA-Z." are removed
- the file-extension (crt/chain.crt/key/csr) will be appended
-
Warning: Not every setting/variable you provide will be checked for validity. Bad config might break the role!
Requirements
- Community collection:
ansible-galaxy install -r requirements.yml
Usage
Notes
The self-signed and minimal-ca modes will only create a single certificate per run.
Re-runs can save some overhead by using the 'certs' tag.
The LetsEncrypt mode will create/remove multiple certificates as defined.
Config
Example for LetsEncrypt config:
certs:
mode: 'le_certbot'
path: '/etc/apache2/ssl'
letsencrypt:
certs:
myNiceSite:
domains: ['myRandomSite.net', 'ansibleguy.net']
email: 'certs@template.ansibleguy.net'
service: 'apache'
Example for Self-Signed config:
certs:
mode: 'selfsigned'
# choose 'ca' instead if you use dns-names
# some browsers won't let you connect when using self-signed ones
path: '/etc/nginx/ssl'
group_key: 'nginx'
owner_cert: 'nginx'
cert:
cn: 'My great certificate!'
org: 'AnsibleGuy'
country: 'AT'
email: 'certs@template.ansibleguy.net'
domains: ['mySoGreat.site', 'ansibleguy.net']
ips: ['192.168.44.2']
pwd: !vault ...
Example for minimal-CA config:
certs:
mode: 'ca'
path: '/etc/ca/certs'
mode_key: '0400'
cert:
name: 'custom_file_name' # extension will be appended
cn: 'My great certificate!'
org: 'AnsibleGuy'
country: 'AT'
email: 'certs@template.ansibleguy.net'
domains: ['mySoGreat.site', 'ansibleguy.net']
ca:
path: '/etc/ca'
cn: 'SUPER CertificateAuthority'
org: 'AnsibleGuy'
country: 'AT'
email: 'certs@template.ansibleguy.net'
pwd: !vault ...
Using the minimal-CA you can create multiple certificates signed by the CA by re-running the role with changed 'cert' settings.
You might want to use 'ansible-vault' to encrypt your passwords:
ansible-vault encrypt_string
Execution
Run the playbook:
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml --ask-vault-pass
There are also some useful tags available:
- certs => ignore ca tasks; only generate certs
- selfsigned
- config
- certs
To debug errors - you can set the 'debug' variable at runtime:
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yes