Hello the list,
I'm quite new to the Ansible world and I just wrote an Ansible role and
playbook to handle my Let's Encrypt SSL certificates.
Here is my role:
```yaml
---
# create/update SSL/TLS certificate using letsencrypt service
#
- name: check & install openssl package
  apt:
    update_cache: yes
    cache_valid_time: 3600
    name: openssl

- name: copy the accountkey
  copy:
    src: 'letsencrypt_account.key'
    dest: '/tmp/letsencrypt_account.key'
    owner: root
    group: root
    mode: '0400'
  # delegated, so this copy lands on the controller; the letsencrypt tasks
  # below are not delegated and read the same path on the managed host
  delegate_to: 127.0.0.1

- name: check if the private key exists
  stat:
    path: "{{ ssl_cert_key }}"
  register: sslcert_key_exists

- name: create RSA private key if not exist
  # the key must stay readable by root only: check the resulting mode on the target
  command: "openssl genrsa -out {{ ssl_cert_key }} 2048"
  when: not sslcert_key_exists.stat.exists

- name: check if the CRT exists
  stat:
    path: "{{ ssl_cert_crt }}"
  register: sslcert_crt_exists

- name: create an initial csr
  # bash process substitution appends a [SAN] section to the stock openssl.cnf;
  # the folded scalar keeps "\n" literal so printf expands it
  shell: >-
    openssl req -key {{ ssl_cert_key }} -new -out {{ ssl_cert_csr }}
    -subj "/C=FR/ST=Bouches du Rhone/L=Fuveau/O=Ricozome/OU=mailgate/CN={{ ansible_hostname }}.ricozome.net"
    -reqexts SAN
    -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName={{ ssl_cert_subjectAltName }}"))
  args:
    executable: /bin/bash
  when: not sslcert_crt_exists.stat.exists

- name: create the CSR from the existing certificate
  command: >-
    openssl x509 -in {{ ssl_cert_crt }} -signkey {{ ssl_cert_key }}
    -x509toreq -out {{ ssl_cert_csr }}
  when: sslcert_crt_exists.stat.exists

- name: check SSL certificate
  letsencrypt:
    acme_directory: "{{ ssl_acme_directory }}"
    challenge: 'dns-01'
    account_key: '/tmp/letsencrypt_account.key'
    account_email: "{{ ssl_cert_email }}"
    csr: "{{ ssl_cert_csr }}"
    dest: "{{ ssl_cert_crt }}"
    remaining_days: 10
  register: sslcert_challenge

# "is changed" is the Ansible 2.5+ test; "|changed" is the older filter form
- name: create nsupdate request
  template:
    src: nsupdate.j2
    dest: "/tmp/nsupdate_{{ ansible_hostname }}.tmp"
  delegate_to: 127.0.0.1
  when: sslcert_challenge is changed

- name: add letsencrypt challenge DNS record
  command: "nsupdate -k {{ ssl_nsupdate_key }} /tmp/nsupdate_{{ ansible_hostname }}.tmp"
  delegate_to: 127.0.0.1
  when: sslcert_challenge is changed
  register: sslcert_challenge_replied

- name: reply to letsencrypt challenge
  letsencrypt:
    acme_directory: "{{ ssl_acme_directory }}"
    challenge: 'dns-01'
    account_key: '/tmp/letsencrypt_account.key'
    csr: "{{ ssl_cert_csr }}"
    dest: "{{ ssl_cert_crt }}"
    data: "{{ sslcert_challenge }}"
  # a registered result is a dict and therefore always truthy, even for a
  # skipped task, so gate on the change rather than on the variable itself
  when: sslcert_challenge_replied is changed
  register: sslcert_updated
```
And here is my playbook:

```yaml
---
- name: Let's Encrypt certificate maintenance
  hosts: seamus
  vars:
    ssl_cert_key: '/etc/ssl/private/letsencrypt_seamus_https.key'
    ssl_cert_csr: '/tmp/letsencrypt_seamus_https.csr'
    ssl_cert_crt: '/etc/ssl/certs/letsencrypt_seamus_https.pem'
    ssl_cert_fullchain_crt: '/etc/ssl/certs/letsencrypt_seamus_https_fullchain.pem'
    ssl_cert_email: '[email protected]'
    ssl_cert_subjectAltName: 'DNS:example.com,DNS:seamus.example.com,DNS:webmail.example.com'
    ssl_nsupdate_key: '/home/rico/scripts/dns/Kexample.com.+157+40531.key'
    ssl_acme_directory: 'https://acme-v01.api.letsencrypt.org/directory'
  roles:
    - role: sslcert
  tasks:
    - name: restart nginx
      systemd:
        name: nginx
        state: reloaded
      # sslcert_updated is always defined and truthy once registered;
      # reload only when the certificate was actually renewed
      when: sslcert_updated is changed
```
As you can see, I declare variables used by my sslcert role in the
playbook, then I call the role, and everything runs smoothly.
But now I would like to use my role to generate more than once per server:
for a given server, I have to generate *many* certificates because it runs
TLS/SMTP, and IMAP over SSL, and SASL LDAP, and I want one cert per service!
How can I achieve this with a single playbook?
Thanks for your suggestions,
Eric
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/e5aac02e-5926-45d6-ab33-fad95bc5d928%40googlegroups.com.
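One way to run the role once per service from a single playbook, added here as an example and not part of Eric's post: keep the settings shared by every certificate at play level, describe each certificate in a list, and loop `include_role` over that list, passing the per-certificate key, CSR, certificate path and SAN list as role vars. Because `register` inside the role is overwritten on every iteration, a play-level `when: sslcert_updated` check would only see the last certificate; the role's final task therefore gets a `notify`, and one handler reloads the affected daemons once at the end of the play. The `cert_profiles` list, `tls_services`, the handler name and the placeholder e-mail address are assumptions; the `sslcert` role is otherwise the one from the post.

```yaml
---
# Added example, not the original poster's code: one play, several
# certificates per host. cert_profiles, tls_services and the handler name
# are assumed; the sslcert role is the one from the post.
- name: Let's Encrypt certificate maintenance (one certificate per service)
  hosts: seamus
  vars:
    # shared by every certificate on this host
    ssl_cert_email: 'ssl-admin@example.com'   # placeholder address
    ssl_nsupdate_key: '/home/rico/scripts/dns/Kexample.com.+157+40531.key'
    ssl_acme_directory: 'https://acme-v01.api.letsencrypt.org/directory'
    # one entry per service: each gets its own key, CSR, certificate and SANs,
    # so a key exposed through one daemon does not expose the others
    cert_profiles:
      - name: https
        subjectAltName: 'DNS:example.com,DNS:seamus.example.com,DNS:webmail.example.com'
      - name: smtp
        subjectAltName: 'DNS:smtp.example.com,DNS:seamus.example.com'
      - name: imap
        subjectAltName: 'DNS:imap.example.com'
      - name: ldap
        subjectAltName: 'DNS:ldap.example.com'
    # daemons to reload once if any certificate was renewed (assumed names)
    tls_services: [nginx, postfix, dovecot, slapd]

  tasks:
    - name: maintain one certificate per profile
      include_role:
        name: sslcert
      # these vars are templated inside the role, per iteration
      vars:
        ssl_cert_key: "/etc/ssl/private/letsencrypt_{{ ansible_hostname }}_{{ cert.name }}.key"
        ssl_cert_csr: "/tmp/letsencrypt_{{ ansible_hostname }}_{{ cert.name }}.csr"
        ssl_cert_crt: "/etc/ssl/certs/letsencrypt_{{ ansible_hostname }}_{{ cert.name }}.pem"
        ssl_cert_subjectAltName: "{{ cert.subjectAltName }}"
      loop: "{{ cert_profiles }}"
      loop_control:
        loop_var: cert
        label: "{{ cert.name }}"

  handlers:
    # runs once at the end of the play, however many profiles changed
    - name: reload tls services
      systemd:
        name: "{{ item }}"
        state: reloaded
      loop: "{{ tls_services }}"

---
# roles/sslcert/tasks/main.yml: only the final task of the role changes,
# gaining a notify so the play-level handler above is triggered
- name: reply to letsencrypt challenge
  letsencrypt:
    acme_directory: "{{ ssl_acme_directory }}"
    challenge: 'dns-01'
    account_key: '/tmp/letsencrypt_account.key'
    csr: "{{ ssl_cert_csr }}"
    dest: "{{ ssl_cert_crt }}"
    data: "{{ sslcert_challenge }}"
  when: sslcert_challenge_replied is changed
  register: sslcert_updated
  notify: reload tls services
```

Listing `- role: sslcert` several times under `roles:`, each with its own `vars:` block, works as well, since Ansible runs a role again whenever it is listed with different parameters; the list form above just keeps the per-service data in one place and lets the handler collect the reloads.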