ansibleguy.infra_certs

Ansible Role - Certificate Generator

This Ansible role generates and manages TLS certificates on Debian-based Linux servers: self-signed, signed by a minimal local CA, or issued by LetsEncrypt via certbot.


Tested on:

  • Debian 11
  • Debian 12

Installation

To install, use the following commands:

# Install latest version from GitHub
ansible-galaxy role install git+https://github.com/ansibleguy/infra_certs

# Install from Ansible Galaxy
ansible-galaxy install ansibleguy.infra_certs

# Or install to a custom role path
ansible-galaxy install ansibleguy.infra_certs --roles-path ./roles

# Finally, install dependencies
ansible-galaxy install -r requirements.yml

Usage

If you're looking for a simple Ansible GUI, check out my Ansible WebUI.

Notes

  • The 'selfsigned' and 'ca' modes create exactly one certificate per run of the role; to get several, run the role again with different 'cert' settings.
  • Use the 'certs' tag for such re-runs: it skips the CA tasks and only creates the certificate.

The 'le_certbot' mode can create or remove multiple certificates in a single run.

Configuration

Here’s an example configuration for LetsEncrypt:

certs:
  mode: 'le_certbot'
  path: '/etc/apache2/ssl'
  letsencrypt:
    certs:
      myNiceSite:
        domains: ['myRandomSite.net', 'ansibleguy.net']
        email: '[email protected]'
    service: 'apache'

For a Self-Signed certificate, use this configuration:

certs:
  mode: 'selfsigned'  # or 'snakeoil' for faster execution
  path: '/etc/nginx/ssl'
  group_key: 'nginx'
  owner_cert: 'nginx'
  cert:
    cn: 'My great certificate!'
    org: 'AnsibleGuy'
    country: 'AT'
    email: '[email protected]'
    domains: ['mySoGreat.site', 'ansibleguy.net']
    ips: ['192.168.44.2']
    pwd: !vault ...

For minimal CA configuration:

certs:
  mode: 'ca'
  path: '/etc/ca/certs'
  mode_key: '0400'
  cert:
    name: 'custom_file_name'  # the extension will be added
    cn: 'My great certificate!'
    org: 'AnsibleGuy'
    country: 'AT'
    email: '[email protected]'
    domains: ['mySoGreat.site', 'ansibleguy.net']
  ca:
    path: '/etc/ca'
    cn: 'SUPER CertificateAuthority'
    org: 'AnsibleGuy'
    country: 'AT'
    email: '[email protected]'
    pwd: !vault ...

Using the minimal CA, you can create multiple certificates signed by the CA by running the role again with different 'cert' settings.

For security, encrypt secrets such as the 'pwd' values with "ansible-vault" instead of storing them in plain text:

ansible-vault encrypt_string

Execution

To run the playbook, use:

ansible-playbook -K -D -i inventory/hosts.yml playbook.yml --ask-vault-pass

You can also use useful tags:

  • certs => ignore CA tasks; only create certificates
  • selfsigned
  • config

To debug errors, enable the 'debug' option while running:

ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yes

Features

  • Package Installation

    • Minimal Ansible dependencies
    • Crypto dependencies
  • Configuration

    • You can choose from four modes:

      • selfsigned: generate a self-signed certificate ('snakeoil' is a faster variant of it)
      • ca: sign certificates with a minimal local Certificate Authority
      • le_certbot: set up LetsEncrypt-Certbot for publicly trusted certificates (compatible with Nginx and Apache)
        • The server needs a valid public DNS record for every requested domain
        • It must be reachable from the internet on 80/tcp, which the ACME HTTP-01 challenge uses
    • Default Settings

      • Mode => Self-Signed

Important Notes

  • Note: This role works only on Debian-based systems.

  • Note: Most features can be turned on or off. For all options, check the default configuration in the main defaults file.

  • Note: If you need to manage many certificates, consider using the ansibleguy.infra_pki role for creating and managing a complete Public Key Infrastructure.

  • Note: The certificate file name will be updated based on these rules:

    • Spaces replaced with underscores
    • Invalid characters removed
    • The file extension will be added
  • Warning: Not every setting you provide will be checked for correctness. Incorrect configurations may cause issues with the role!

  • Info: For LetsEncrypt issuance and renewal to work, allow outgoing connections on 80/tcp and 443/tcp+udp to acme-v02.api.letsencrypt.org, staging-v02.api.letsencrypt.org (used in debug mode) and r3.o.lencr.org (the OCSP responder).

Project information

Meta-role to generate/manage certificates for other roles

Install
ansible-galaxy install ansibleguy.infra_certs
License
other
Downloads
7.6k
Owner
[email protected] | GPG: https://badges.ansibleguy.net/public.gpg