ansibleguy.infra_certs
Ansible Role - Certificate Generator
This Ansible Role helps you create certificates for use on a Linux server.
You can check the Molecule logs here: Short Log | Full Log
Tested on:
- Debian 11
- Debian 12
Installation
To install, use the following commands:
# Install latest version from GitHub
ansible-galaxy role install git+https://github.com/ansibleguy/infra_certs
# Install from Ansible Galaxy
ansible-galaxy install ansibleguy.infra_certs
# Or install to a custom role path
ansible-galaxy install ansibleguy.infra_certs --roles-path ./roles
# Finally, install dependencies
ansible-galaxy install -r requirements.yml
Usage
If you're looking for a simple Ansible GUI, check out my Ansible WebUI.
Notes
- The self-signed and minimal-CA modes create only one certificate per run of the role.
- Use the 'certs' tag for quicker re-runs; it skips the CA tasks.
The LetsEncrypt mode can create or remove multiple certificates in a single run.
Configuration
Here’s an example configuration for LetsEncrypt:
certs:
  mode: 'le_certbot'
  path: '/etc/apache2/ssl'
  letsencrypt:
    certs:
      myNiceSite:
        domains: ['myRandomSite.net', 'ansibleguy.net']
        email: 'certs@template.ansibleguy.net'
        service: 'apache'
For a Self-Signed certificate, use this configuration:
certs:
  mode: 'selfsigned'  # or 'snakeoil' for faster execution
  path: '/etc/nginx/ssl'
  group_key: 'nginx'
  owner_cert: 'nginx'
  cert:
    cn: 'My great certificate!'
    org: 'AnsibleGuy'
    country: 'AT'
    email: 'certs@template.ansibleguy.net'
    domains: ['mySoGreat.site', 'ansibleguy.net']
    ips: ['192.168.44.2']
    pwd: !vault ...
For minimal CA configuration:
certs:
  mode: 'ca'
  path: '/etc/ca/certs'
  mode_key: '0400'
  cert:
    name: 'custom_file_name'  # the extension will be added
    cn: 'My great certificate!'
    org: 'AnsibleGuy'
    country: 'AT'
    email: 'certs@template.ansibleguy.net'
    domains: ['mySoGreat.site', 'ansibleguy.net']
  ca:
    path: '/etc/ca'
    cn: 'SUPER CertificateAuthority'
    org: 'AnsibleGuy'
    country: 'AT'
    email: 'certs@template.ansibleguy.net'
    pwd: !vault ...
Using the minimal CA, you can create multiple certificates signed by the CA by running the role again with different 'cert' settings.
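As an added example (not taken from the role's own documentation), the playbook below issues several CA-signed certificates in one run by including the role once per entry of a hypothetical 'leaf_certs' list instead of re-running the playbook by hand. It assumes the role evaluates the 'certs' variable afresh on every include; the 'webservers' group, the list entries, 'common_subject' and the 'vault_ca_key_password' variable are placeholders.

```yaml
# playbook.yml: sign several leaf certificates with the role's minimal CA.
# Added example, not the role's own code. 'webservers', 'leaf_certs',
# 'common_subject' and 'vault_ca_key_password' are placeholders; put the
# password in a vault-encrypted vars file instead of plain text.
- hosts: webservers
  become: true
  vars:
    common_subject:
      org: 'AnsibleGuy'
      country: 'AT'
      email: 'certs@template.ansibleguy.net'
    leaf_certs:
      - name: 'web_frontend'
        cn: 'Web frontend'
        domains: ['www.example.com']
      - name: 'api_backend'
        cn: 'API backend'
        domains: ['api.example.com']
        ips: ['192.168.44.10']
  tasks:
    - name: "Issue certificate {{ item.name }} signed by the minimal CA"
      ansible.builtin.include_role:
        name: ansibleguy.infra_certs
      vars:
        certs:
          mode: 'ca'
          path: '/etc/ca/certs'
          mode_key: '0400'
          ca:
            path: '/etc/ca'
            cn: 'SUPER CertificateAuthority'
            org: "{{ common_subject.org }}"
            country: "{{ common_subject.country }}"
            email: "{{ common_subject.email }}"
            pwd: "{{ vault_ca_key_password }}"
          # each list entry overrides/extends the shared subject fields
          cert: "{{ common_subject | combine(item) }}"
      loop: "{{ leaf_certs }}"
      loop_control:
        label: "{{ item.name }}"
```

Run it as shown under Execution; once the CA exists, add '--tags certs' on later runs to skip the CA tasks.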
Encrypt the key passwords with ansible-vault and use its output as the '!vault' value shown above, so they never sit in plain-text inventory:
ansible-vault encrypt_string
Execution
To run the playbook, use:
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml --ask-vault-pass
Useful tags:
- certs => skip the CA tasks and only create certificates
- selfsigned
- config
To debug errors, enable the 'debug' option while running:
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yes
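Once the role has run, the check below (an added example, not part of the role) confirms the result on the target host: it takes the certificate, the key, the CA certificate (pass an empty string for 'selfsigned'/'snakeoil') and the names from the 'domains'/'ips' settings, and verifies permissions, key/cert match, chain, expiry and SAN coverage. It assumes openssl on the host; export KEY_PASS before calling it if the key was generated with a 'pwd'. The function name and KEY_PASS are this example's own conventions.

```shell
#!/bin/sh
# Added example (not part of the ansibleguy.infra_certs role): verify what the
# role produced. Usage: check_cert CERT_FILE KEY_FILE CA_FILE_OR_EMPTY NAME_OR_IPV4...
# Returns 0 if every check passes, 1 otherwise (each failure is printed).
check_cert() {
    cert=$1; key=$2; ca=$3; shift 3
    rc=0
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "FAIL: cannot read $cert or $key"; return 1
    fi

    # 1) permissions: group access may be intended (group_key: 'nginx'),
    #    but 'others' must never be able to read the private key
    if [ -n "$(find "$key" -perm -o+r 2>/dev/null)" ]; then
        echo "FAIL: $key is world-readable"; rc=1
    fi

    # 2) the public key inside the certificate must equal the one derived
    #    from the private key (KEY_PASS, if exported, unlocks encrypted keys)
    passin=${KEY_PASS:+-passin env:KEY_PASS}
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" $passin -pubout 2>/dev/null || true)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not belong to $cert"; rc=1
    fi

    # 3) chain: the leaf must verify against the minimal CA's certificate
    if [ -n "$ca" ] && ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"; rc=1
    fi

    # 4) expiry: fail if notAfter is less than 7 days (604800 s) away
    if ! openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null 2>&1; then
        echo "FAIL: $cert expires within 7 days"; rc=1
    fi

    # 5) SAN coverage: 'domains' end up as DNS entries, 'ips' as IP entries
    #    (IPv4 only here; IPv6 literals would be misclassified as hostnames)
    san=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
          | grep -A1 'Subject Alternative Name' || true)
    for name in "$@"; do
        case $name in
            *[!0-9.]*) label="DNS:$name" ;;
            *)         label="IP Address:$name" ;;
        esac
        if ! printf '%s\n' "$san" | grep -qE "(^|[ ,])$label"'(,|$)'; then
            echo "FAIL: $label missing from SAN of $cert"; rc=1
        fi
    done

    [ "$rc" -eq 0 ] && echo "OK: $cert"
    return "$rc"
}
```

Example call on a host configured like the CA example above: check_cert /etc/ca/certs/custom_file_name.crt /etc/ca/certs/custom_file_name.key /etc/ca/ca.crt mySoGreat.site ansibleguy.net (the CA file name is an assumption; use whatever the role wrote under ca.path).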
Features
Package Installation
- Minimal Ansible dependencies
- Crypto dependencies
Configuration
You can choose from four modes:
- Generate a self-signed certificate
- Generate a 'snakeoil' certificate (the faster self-signed variant shown in the configuration example)
- Use a minimal Certificate Authority for signed certificates
- Set up LetsEncrypt-Certbot for valid public certificates (compatible with Nginx and Apache)
  - The server must have a valid public DNS record
  - It must be reachable on port 80/tcp
Default Settings
- Mode => Self-Signed
Important Notes
Note: This role works only on Debian-based systems.
Note: Most features can be turned on or off. For all options, check the default configuration in the main defaults file.
Note: If you need to manage many certificates, consider using the ansibleguy.infra_pki role for creating and managing a complete Public Key Infrastructure.
Note: The certificate file name will be updated based on these rules:
- Spaces replaced with underscores
- Invalid characters removed
- The file extension will be added
Warning: Not every setting you provide will be checked for correctness. Incorrect configurations may cause issues with the role!
Info: For LetsEncrypt issuance and renewal to work, allow outgoing connections on 80/tcp and 443/tcp+udp to acme-v02.api.letsencrypt.org, staging-v02.api.letsencrypt.org (used in debug mode) and r3.o.lencr.org.
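Because the role does not check every setting, a pre-flight validation of the 'certs' variable before the playbook runs saves a failed run. The function below is an added example, not part of the role: it applies the constraints this README states (known modes, absolute paths, valid domains and IPs, LetsEncrypt entries needing domains and an e-mail, a quoted octal mode_key) and predicts the certificate file name from the naming rules above. The exact set of characters treated as invalid in file names, the accepted 'service' values and the refusal of a world-readable mode_key are this example's assumptions, not rules taken from the role.

```python
"""Added example (not part of ansibleguy.infra_certs): validate the 'certs'
variable offline and predict the file name the role will derive from it."""
import ipaddress
import re

MODES = {"selfsigned", "snakeoil", "ca", "le_certbot"}
LE_SERVICES = {"nginx", "apache"}  # assumption: the services the README names
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
OCTAL_MODE_RE = re.compile(r"^0?[0-7]{3}$")


def sanitize_cert_name(name: str, ext: str = "crt") -> str:
    """Apply the README's naming rules: spaces -> underscores, invalid
    characters dropped, extension appended. Assumption: anything outside
    [A-Za-z0-9_.-] counts as an invalid character."""
    base = name.strip().replace(" ", "_")
    base = re.sub(r"[^A-Za-z0-9_.-]", "", base)
    return f"{base}.{ext}"


def _check_domains(prefix: str, domains, errors: list, required: bool = False) -> None:
    if not isinstance(domains, list):
        errors.append(f"{prefix}.domains must be a list")
        return
    if required and not domains:
        errors.append(f"{prefix}.domains must not be empty")
    for d in domains:
        if not HOSTNAME_RE.match(str(d)):
            errors.append(f"{prefix}.domains contains an invalid hostname: {d!r}")


def _check_subject(prefix: str, sub: dict, errors: list) -> None:
    """Checks shared by the 'cert' and 'ca' mappings."""
    if not sub.get("cn"):
        errors.append(f"{prefix}.cn is required")
    country = sub.get("country")
    if country is not None and not re.fullmatch(r"[A-Z]{2}", str(country)):
        errors.append(f"{prefix}.country must be a 2-letter ISO code, got {country!r}")
    email = sub.get("email")
    if email is not None and not EMAIL_RE.match(str(email)):
        errors.append(f"{prefix}.email is not a valid address: {email!r}")
    _check_domains(prefix, sub.get("domains", []), errors)
    for ip in sub.get("ips", []):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"{prefix}.ips contains an invalid address: {ip!r}")


def validate_certs(certs: dict) -> list:
    """Return a list of problems; an empty list means the config looks sane."""
    errors = []
    mode = certs.get("mode", "selfsigned")  # README: the default mode is self-signed
    if mode not in MODES:
        errors.append(f"mode must be one of {sorted(MODES)}, got {mode!r}")
    path = certs.get("path")
    if path is not None and not str(path).startswith("/"):
        errors.append(f"path must be absolute, got {path!r}")
    mode_key = certs.get("mode_key")
    if mode_key is not None:
        # unquoted 0400 is parsed by YAML as the number 256, so insist on a string
        if not isinstance(mode_key, str) or not OCTAL_MODE_RE.match(mode_key):
            errors.append(f"mode_key must be a quoted octal string like '0400', got {mode_key!r}")
        elif int(mode_key, 8) & 0o007:  # policy added here: no world-readable keys
            errors.append(f"mode_key {mode_key!r} lets everyone read the private key")
    if mode in ("selfsigned", "snakeoil", "ca"):
        cert = certs.get("cert")
        if not isinstance(cert, dict):
            errors.append(f"mode {mode!r} needs a 'cert' mapping")
        else:
            _check_subject("cert", cert, errors)
        if mode == "ca":
            ca = certs.get("ca")
            if not isinstance(ca, dict):
                errors.append("mode 'ca' needs a 'ca' mapping")
            else:
                _check_subject("ca", ca, errors)
                if ca.get("path") is not None and not str(ca["path"]).startswith("/"):
                    errors.append(f"ca.path must be absolute, got {ca['path']!r}")
    elif mode == "le_certbot":
        le_block = certs.get("letsencrypt")
        le = le_block.get("certs") if isinstance(le_block, dict) else None
        if not isinstance(le, dict) or not le:
            errors.append("mode 'le_certbot' needs at least one entry under letsencrypt.certs")
        else:
            for name, spec in le.items():
                p = f"letsencrypt.certs.{name}"
                if not isinstance(spec, dict):
                    errors.append(f"{p} must be a mapping")
                    continue
                _check_domains(p, spec.get("domains", []), errors, required=True)
                if not EMAIL_RE.match(str(spec.get("email", ""))):
                    errors.append(f"{p}.email is required for LetsEncrypt registration")
                if spec.get("service") is not None and spec["service"] not in LE_SERVICES:
                    errors.append(f"{p}.service must be one of {sorted(LE_SERVICES)}")
    return errors
```

Feed it the 'certs' mapping from your inventory (for example loaded with yaml.safe_load) and abort the run if the returned list is not empty.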
Meta-role to generate/manage certificates for other roles