Once upon a time, Markus Schaufler <markus.schauf...@digit-all.at> said:
> I've changed the cert to an official cert using the howto at 
> https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html

Based on that page and some trial and error, I use the following Ansible
playbook to deploy a Let's Encrypt cert to an oVirt engine.  I manage
certs from a central VM that uses DNS-based authentication rather than
web-based, and my ansible-playbook call sets certpath to $RENEWED_LINEAGE.

************************************************************************
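# Configure oVirt for a third-party cert and deploy a Let's Encrypt cert
#
# Expects the extra var `certpath` to name a directory that holds
# chain.pem, privkey.pem and cert.pem (a certbot lineage directory).
# Handlers fire in the order they are listed under `handlers:`, so
# "update java trust" always runs before "restart ovirt engine service".
---
- hosts: all

  handlers:
  - name: restart httpd
    service:
      name: httpd.service
      state: restarted

  # Rebuilds the system trust bundles (including the Java cacerts the
  # engine is pointed at below) from /etc/pki/ca-trust/source/anchors.
  - name: update java trust
    command: /usr/bin/update-ca-trust

  - name: restart ovirt engine service
    service:
      name: ovirt-engine.service
      state: restarted

  - name: restart ovirt websocket proxy
    service:
      name: ovirt-websocket-proxy.service
      state: restarted

  - name: restart ovirt imageio proxy
    service:
      name: ovirt-imageio-proxy.service
      state: restarted

  - name: restart ovirt ovn provider
    service:
      name: ovirt-provider-ovn.service
      state: restarted

  tasks:
  ########################################################################
  # Configure various oVirt things to use our installed cert rather than
  # the engine-CA-signed cert

  # Point the engine at the system Java truststore (kept current by
  # update-ca-trust) instead of the engine-CA truststore.
  - name: configure ovirt trust
    copy:
      content: |
        ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
        ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
      dest: /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
    notify:
    - restart ovirt engine service

  # The websocket proxy reuses the apache cert/key installed further down.
  - name: configure ovirt websocket proxy
    copy:
      content: |
        SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
        SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
      dest: /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/99-custom-cert.conf
    notify:
    - restart ovirt websocket proxy

  # Rewrite only the file name part of the imageio-proxy key/cert paths so
  # the proxy serves the apache cert/key too.
  - name: configure ovirt imageio proxy key
    replace:
      path: /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
      backup: true
      regexp: '^(ssl_key_file = /etc/pki/ovirt-engine/keys/)imageio-proxy.key.nopass'
      replace: '\1apache.key.nopass'
    notify:
    - restart ovirt imageio proxy

  - name: configure ovirt imageio proxy cert
    replace:
      path: /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
      regexp: '^(ssl_cert_file = /etc/pki/ovirt-engine/certs/)imageio-proxy.cer'
      replace: '\1apache.cer'
    notify:
    - restart ovirt imageio proxy

  # The OVN provider validates the engine against the system CA bundle
  # rather than the engine CA.
  - name: configure ovirt ovn provider CA
    copy:
      content: "[OVIRT]\novirt-ca-file=/etc/pki/tls/certs/ca-bundle.crt\n"
      dest: /etc/ovirt-provider-ovn/conf.d/99-system-ca.conf
    notify:
    - restart ovirt ovn provider

  ########################################################################
  # Install updated CA/cert/key

  # chain.pem is the issuing intermediate chain, not the root.  Anchoring
  # it directly means the trust store must be refreshed whenever the issuer
  # changes; the fixed dest name makes each deploy overwrite the old one.
  - name: add lets-encrypt ca to java trust
    copy:
      src: "{{ certpath }}/chain.pem"
      dest: /etc/pki/ca-trust/source/anchors/letsencrypt-ca.pem
    notify:
    - update java trust
    - restart ovirt engine service

  - name: update ovirt engine ca chain
    copy:
      src: "{{ certpath }}/chain.pem"
      dest: /etc/pki/ovirt-engine/apache-ca.pem
      backup: true
    notify:
    - restart httpd
    - restart ovirt engine service

  # The private key is readable by root and the ovirt group only.  With
  # backup: true each deploy leaves a timestamped copy of the previous key
  # in the same directory; the find/delete tasks at the end prune those.
  - name: update ovirt engine key
    copy:
      src: "{{ certpath }}/privkey.pem"
      dest: /etc/pki/ovirt-engine/keys/apache.key.nopass
      backup: true
      mode: "0440"
      group: ovirt
    notify:
    - restart httpd
    - restart ovirt websocket proxy
    - restart ovirt imageio proxy

  - name: update ovirt engine cert
    copy:
      src: "{{ certpath }}/cert.pem"
      dest: /etc/pki/ovirt-engine/certs/apache.cer
      backup: true
    notify:
    - restart httpd
    - restart ovirt websocket proxy
    - restart ovirt imageio proxy

  # Ansible backup files are named <file>.<pid>.<timestamp>~; prune any
  # older than 91 days so stale keys/certs do not accumulate.
  - name: find old ansible backups
    find:
      age: '91d'
      paths: /etc/pki/ovirt-engine
      recurse: true
      patterns:
      - apache-ca.pem.[1-9]*~
      - apache.key.nopass.[1-9]*~
      - apache.cer.[1-9]*~
    register: backups

  - name: delete backups
    file:
      path: '{{ item.path }}'
      state: absent
    loop: '{{ backups.files }}'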
************************************************************************

-- 
Chris Adams <c...@cmadams.net>
