Ansible Role to generate certificates

ansible ansible-role automation certbot certificate certificate-authority certificates iac infrastructure-as-code letsencrypt pki ssl tls

Go to file

AnsibleGuy d37973efb8 fixed requirements		2021-11-06 02:15:33 +01:00
defaults	created tasks to handle minimal-ca, self-signed and letsencrypt-certbot certificates	2021-11-06 02:08:29 +01:00
filter_plugins	created tasks to handle minimal-ca, self-signed and letsencrypt-certbot certificates	2021-11-06 02:08:29 +01:00
meta	init	2021-11-02 22:08:11 +01:00
tasks	fixed requirements	2021-11-06 02:15:33 +01:00
templates/etc	created tasks to handle minimal-ca, self-signed and letsencrypt-certbot certificates	2021-11-06 02:08:29 +01:00
LICENSE.txt	init	2021-11-02 22:08:11 +01:00
README.md	created tasks to handle minimal-ca, self-signed and letsencrypt-certbot certificates	2021-11-06 02:08:29 +01:00
playbook.yml	created tasks to handle minimal-ca, self-signed and letsencrypt-certbot certificates	2021-11-06 02:08:29 +01:00
requirements.yml	fixed requirements	2021-11-06 02:15:33 +01:00

README.md

Certificate Generator Role

Tested:

Debian 11

Functionality

Package installation
- Ansible dependencies (minimal)
- Crypto Dependencies
Configuration
- Four Possible Modes:
  - Generate Self-Signed certificate
  - Use a minimal Certificate Authority to create signed certificates
  - Configure LetsEncrypt-Certbot to generate publicly valid certificates
    - Supported for Nginx and Apache
    - Host needs to have a valid public dns record pointed at it
    - Needs to be publicly reachable over port 80/tcp
  - Use a proper Certificate Authority (full PKI) to create signed certificates => not yet available
- Default config:
  - Mode => Self-Signed

Info

Note: this role currently only supports debian-based systems
Note: Most of this functionality can be opted in or out using the main defaults file and variables!
Note: The certificate file-name (name variable as defined or else CommonName) will be updated:
- spaces are transformed into underlines
- all Characters except "0-9a-zA-Z." are removed
- the file-extension (crt/chain.crt/key/csr) will be appended

Requirements

Community collection: ansible-galaxy install -r requirements.yml

Usage

Notes

The self-signed and minimal-ca modes will only create a single certificate per run.

Re-runs can save some overhead by using the 'certs' tag.

The LetsEncrypt mode will create/remove multiple certificates as defined.

Config

Example for LetsEncrypt config:

certs:
  mode: 'le_certbot'
  path: '/etc/apache2/ssl'
  letsencrypt:
    certs:
      myNiceSite:
        domains: ['myRandomSite.net', 'ansibleguy.net']
        email: 'certs@template.ansibleguy.net'
    service: 'apache'

Example for Self-Signed config:

certs:
  mode: 'selfsigned'
  path: '/etc/nginx/ssl'
  group_key: 'nginx'
  owner_cert: 'nginx'
  cert:
    cn: 'My great certificate!'
    org: 'AnsibleGuy'
    country: 'AT'
    email: 'certs@template.ansibleguy.net'
    domains: ['mySoGreat.site', 'ansibleguy.net']
    ips: ['192.168.44.2']
    pwd: !vault ...

Example for minimal-CA config:

certs:
  mode: 'ca'
  path: '/etc/ca/certs'
  mode_key: '0400'
  cert:
    name: 'custom_file_name'  # extension will be appended
    cn: 'My great certificate!'
    org: 'AnsibleGuy'
    country: 'AT'
    email: 'certs@template.ansibleguy.net'
    domains: ['mySoGreat.site', 'ansibleguy.net']
  ca:
    path: '/etc/ca'
    cn: 'SUPER CertificateAuthority'
    org: 'AnsibleGuy'
    country: 'AT'
    email: 'certs@template.ansibleguy.net'
    pwd: !vault ...

Using the minimal-CA you can create multiple certificates signed by the CA by re-running the role with changed 'cert' settings.

You might want to use 'ansible-vault' to encrypt your passwords:

ansible-vault encrypt_string

Execution

Run the playbook:

ansible-playbook -K -D -i inventory/hosts.yml playbook.yml --ask-vault-pass

There are also some useful tags available:

certs => ignore ca tasks; only generate certs
selfsigned
config
certs