Last active
January 9, 2022 18:31
A simple ansible playbook to create a new self-signed certificate
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - hosts: localhost | |
| vars: | |
| - dnsname: your.dns.name | |
| - tmppath: "./tmp/" | |
| - crtpath: "{{ tmppath }}{{ dnsname }}.crt" | |
| - pempath: "{{ tmppath }}{{ dnsname }}.pem" | |
| - csrpath: "{{ tmppath }}{{ dnsname }}.csr" | |
| - pfxpath: "{{ tmppath }}{{ dnsname }}.pfx" | |
| - private_key_password: "password" | |
| tasks: | |
| - file: | |
| path: "{{ tmppath }}" | |
| state: absent | |
| - file: | |
| path: "{{ tmppath }}" | |
| state: directory | |
| - name: "Generate the private key file to sign the CSR" | |
| openssl_privatekey: | |
| path: "{{ pempath }}" | |
| passphrase: "{{ private_key_password }}" | |
| cipher: aes256 | |
| - name: "Generate the CSR file signed with the private key" | |
| openssl_csr: | |
| path: "{{ csrpath }}" | |
| privatekey_path: "{{ pempath }}" | |
| privatekey_passphrase: "{{ private_key_password }}" | |
| common_name: "{{ dnsname }}" | |
| - name: "Sign the CSR file as a CA to turn it into a certificate" | |
| openssl_certificate: | |
| path: "{{ crtpath }}" | |
| privatekey_path: "{{ pempath }}" | |
| privatekey_passphrase: "{{ private_key_password }}" | |
| csr_path: "{{ csrpath }}" | |
| provider: selfsigned | |
| - name: "Convert the signed certificate into a PKCS12 file with the attached private key" | |
| openssl_pkcs12: | |
| action: export | |
| path: "{{ pfxpath }}" | |
| name: "{{ dnsname }}" | |
| privatekey_path: "{{ pempath }}" | |
| privatekey_passphrase: "{{ private_key_password }}" | |
| passphrase: password | |
| certificate_path: "{{ crtpath }}" | |
| state: present |
From a quick scan of the openssl_certificate_module documentation it looks like you can't. It might be worth creating the file briefly and then removing it straight after the action?
Hi,
I used openssl stdin with -CAkey with ansible shell command instead. It
allows me to pass the key content without writing it on remote server.
Thanks
Le mar. 21 juil. 2020 à 18:42, JonTheNiceGuy <notifications@github.com> a
écrit :
… ***@***.**** commented on this gist.
------------------------------
From a quick scan of the openssl_certificate_module documentation
<https://docs.ansible.com/ansible/2.9/modules/openssl_certificate_module.html>
it looks like you can't. It might be worth creating the file briefly and
then removing it straight after the action?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<https://gist.github.com/0f01fc931cc4aa430cd80c503b6946c1#gistcomment-3386462>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABLDWDHWNMXT4OMNB5CUZ63R4XAQZANCNFSM4PDYB7HQ>
.
Understood. However, it's probably worth raising it as a feature request on the Ansible project.
I should note, however, that although Ansible works by running commands over SSH, the way it does that is to transfer a python script to the managed node over SFTP to a temp directory, and then executes it. As such, the Ansible task would have written your private key to the disk on your managed node, albeit only for the duration of that task.
If you're significantly concerned about writing your private key to the remote node, why not generate your certificates locally, using the delegate_to: localhost command, like this:
- hosts: all
tasks:
- some_module:
argument: somevalue
delegate_to: localhost
You're totally right regarding the behavior of Ansible but not sure that
the shell module also copies the entire command on the remote server too.
have to check
indeed , delegate_to is the solution to keep my key in a secure way but
only if the key is kept in a vaulted file (don't want to store it on the
deployment host too) .
Perhaps a tool like Hachicorp Vault could be a solution.
Le mer. 22 juil. 2020 à 11:58, JonTheNiceGuy <notifications@github.com> a
écrit :
… ***@***.**** commented on this gist.
------------------------------
Understood. However, it's probably worth raising it as a feature request
on the Ansible project.
I should note, however, that although Ansible works by running commands
over SSH, the way it does that is to transfer a python script to the
managed node over SFTP to a temp directory, and then executes it. As such,
the Ansible task would have written your private key to the disk on your
managed node, albeit only for the duration of that task.
If you're significantly concerned about writing your private key to the
remote node, why not generate your certificates locally, using the delegate_to:
localhost command, like this:
- hosts: all
tasks:
- some_module:
argument: somevalue
delegate_to: localhost
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<https://gist.github.com/0f01fc931cc4aa430cd80c503b6946c1#gistcomment-3387470>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABLDWDGU7L7B5LEO6K3J5GTR42Z43ANCNFSM4PDYB7HQ>
.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
thank for your share . Do you know if it's possible to use certificate file content instead of path . I don't want to store my private key on remote host. It could be forgotten
i mean:
openssl_certificate:
path: |
{{ csrcontent }}
privatekey_path: |
{{ private_key_content }}
privatekey_passphrase: "{{ private_key_password }}"
csr_path: "{{ csrcontent }}"
provider: selfsigned