Last active
January 9, 2022 18:31
A simple ansible playbook to create a new self-signed certificate
---
# Runs entirely on the controller; the openssl_* modules used here now live in
# the community.crypto collection on current Ansible releases.
- hosts: localhost
  vars:
    dnsname: your.dns.name
    tmppath: "./tmp/"
    crtpath: "{{ tmppath }}{{ dnsname }}.crt"
    pempath: "{{ tmppath }}{{ dnsname }}.pem"
    csrpath: "{{ tmppath }}{{ dnsname }}.csr"
    pfxpath: "{{ tmppath }}{{ dnsname }}.pfx"
    private_key_password: "password"
  tasks:
    # Start from an empty output directory so stale artifacts are never reused
    - file:
        path: "{{ tmppath }}"
        state: absent
    - file:
        path: "{{ tmppath }}"
        state: directory
    - name: "Generate the private key file to sign the CSR"
      openssl_privatekey:
        path: "{{ pempath }}"
        passphrase: "{{ private_key_password }}"
        cipher: aes256
    - name: "Generate the CSR file signed with the private key"
      openssl_csr:
        path: "{{ csrpath }}"
        privatekey_path: "{{ pempath }}"
        privatekey_passphrase: "{{ private_key_password }}"
        common_name: "{{ dnsname }}"
    - name: "Sign the CSR file as a CA to turn it into a certificate"
      openssl_certificate:
        path: "{{ crtpath }}"
        privatekey_path: "{{ pempath }}"
        privatekey_passphrase: "{{ private_key_password }}"
        csr_path: "{{ csrpath }}"
        provider: selfsigned
    - name: "Convert the signed certificate into a PKCS12 file with the attached private key"
      openssl_pkcs12:
        action: export
        path: "{{ pfxpath }}"
        name: "{{ dnsname }}"
        privatekey_path: "{{ pempath }}"
        privatekey_passphrase: "{{ private_key_password }}"
        passphrase: password   # export password protecting the .pfx bundle
        certificate_path: "{{ crtpath }}"
        state: present
gnulux
commented
Jul 22, 2020
via email
You're totally right regarding the behavior of Ansible, but not sure that
the shell module also copies the entire command on the remote server too.
Have to check.
Indeed, delegate_to is the solution to keep my key in a secure way, but
only if the key is kept in a vaulted file (don't want to store it on the
deployment host too).
Perhaps a tool like HashiCorp Vault could be a solution.
On Wed, 22 Jul 2020 at 11:58, JonTheNiceGuy <notifications@github.com> wrote:
Understood. However, it's probably worth raising it as a feature request
on the Ansible project.
I should note, however, that although Ansible works by running commands
over SSH, the way it does that is to transfer a python script to the
managed node over SFTP to a temp directory, and then execute it. As such,
the Ansible task would have written your private key to the disk on your
managed node, albeit only for the duration of that task.
If you're significantly concerned about writing your private key to the
remote node, why not generate your certificates locally, using the delegate_to:
localhost command, like this:
- hosts: all
  tasks:
    - some_module:
        argument: somevalue
      delegate_to: localhost
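Putting the thread's suggestion into a full playbook, as an added example that is neither the gist's own code nor JonTheNiceGuy's: every task that touches the private key runs on the controller via delegate_to: localhost, the passphrase comes from an ansible-vault encrypted vars file (vault.yml and its private_key_password variable are assumed names), and only the public certificate is copied to the managed nodes (the /etc/ssl/certs destination is also an assumption). It uses the community.crypto collection names for the openssl modules.

```yaml
---
# Added example (not the gist's playbook): key, CSR and certificate are created on
# the controller only; the private key is never transferred to a managed node.
- hosts: all
  vars:
    dnsname: your.dns.name
    tmppath: "./tmp/"
    pempath: "{{ tmppath }}{{ dnsname }}.pem"
    csrpath: "{{ tmppath }}{{ dnsname }}.csr"
    crtpath: "{{ tmppath }}{{ dnsname }}.crt"
  vars_files:
    - vault.yml   # assumed: ansible-vault encrypted, defines private_key_password
  tasks:
    - name: Generate the private key on the controller only
      community.crypto.openssl_privatekey:
        path: "{{ pempath }}"
        passphrase: "{{ private_key_password }}"
        cipher: auto
      delegate_to: localhost
      run_once: true      # one key for the play, not one per managed host
      no_log: true        # keep the passphrase out of logs and callback output

    - name: Generate the CSR on the controller
      community.crypto.openssl_csr:
        path: "{{ csrpath }}"
        privatekey_path: "{{ pempath }}"
        privatekey_passphrase: "{{ private_key_password }}"
        common_name: "{{ dnsname }}"
      delegate_to: localhost
      run_once: true
      no_log: true

    - name: Self-sign the CSR on the controller
      community.crypto.x509_certificate:
        path: "{{ crtpath }}"
        csr_path: "{{ csrpath }}"
        privatekey_path: "{{ pempath }}"
        privatekey_passphrase: "{{ private_key_password }}"
        provider: selfsigned
      delegate_to: localhost
      run_once: true
      no_log: true

    - name: Copy only the public certificate to each managed node
      ansible.builtin.copy:
        src: "{{ crtpath }}"
        dest: "/etc/ssl/certs/{{ dnsname }}.crt"   # assumed destination
        mode: "0644"
      become: true
```

Run it with `ansible-playbook --ask-vault-pass` (or a vault password file) so the passphrase is decrypted in memory on the controller rather than stored in the playbook.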