chrisvanmeer.certmonitor

ansible-role-certmonitor

This role monitors when certificates expire on any host.

Requirements

No special requirements.

Role Variables

Here are the available variables with their default values (see defaults/main.yml):

certmonitor_include_paths_global:
  - /etc/pki
  - /etc/ssl
  - /opt

These are the default paths searched for certificates. Group and host settings can add to this list.

certmonitor_include_paths_group: []

You can add additional paths for a specific group here.

certmonitor_include_paths_host: []

You can add more paths for a specific host here.

certmonitor_include_patterns_global:
  - '.*\.crt$'
  - '.*\.pem$'

These are the file patterns checked for certificates. They can also be supplemented by group and host settings.

certmonitor_include_patterns_group: []

You can add patterns for a specific group here.

certmonitor_include_patterns_host: []

You can add patterns for a specific host here.

certmonitor_exclude_patterns_global:
  - '/etc/pki/product-default/.*\.pem$'
  - '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'
  - '/etc/pki/ca-trust/extracted/pem/.*\.pem$'
  - '/etc/pki/fwupd.*\.pem$'
  - '/etc/pki/consumer/.*\.pem$'
  - '/etc/pki/entitlement/.*\.pem$'
  - '/etc/pki/nginx/dhparam.pem'
  - '/etc/pki/tls/certs/localhost.crt'
  - '.*-key\.pem$'
  - '.*\.key\.pem$'

Files matching these patterns are excluded from the check; the defaults cover distribution-supplied certificates and private keys. Group and host settings can add to this list as well.

certmonitor_exclude_patterns_group: []

You can add exclusion patterns for a specific group here.

certmonitor_exclude_patterns_host: []

You can add exclusion patterns for a specific host here.

certmonitor_validity_check: "+2w"

This setting controls how far ahead to look for expiring certificates; by default it reports certificates that expire within the next two weeks.
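As an added illustration (not code from the role itself), the following Python sketch applies the include/exclude rules above and the relative validity window to a constructed set of certificate files. It assumes the patterns are regular expressions tested against the full path and that the window uses the +N followed by w/d/h/m/s form shown above; neither is stated explicitly in the README.

```python
import re
from datetime import datetime, timedelta, timezone

# Defaults as documented for this role (constructed copy, trimmed for brevity).
INCLUDE_PATHS = ["/etc/pki", "/etc/ssl", "/opt"]
INCLUDE_PATTERNS = [r".*\.crt$", r".*\.pem$"]
EXCLUDE_PATTERNS = [
    r"/etc/pki/ca-trust/extracted/pem/.*\.pem$",
    r"/etc/pki/tls/certs/localhost.crt",
    r".*-key\.pem$",
    r".*\.key\.pem$",
]
UNITS = {"w": "weeks", "d": "days", "h": "hours", "m": "minutes", "s": "seconds"}

def parse_window(spec):
    """Turn a relative spec such as '+2w' into a timedelta (assumed format)."""
    m = re.fullmatch(r"\+(\d+)([wdhms])", spec.strip())
    if not m:
        raise ValueError(f"unsupported validity window: {spec!r}")
    return timedelta(**{UNITS[m.group(2)]: int(m.group(1))})

def is_candidate(path, include_paths, include_patterns, exclude_patterns):
    """Role-style filtering; assumes patterns are regexes tested on the full path."""
    under_path = any(path.startswith(p.rstrip("/") + "/") for p in include_paths)
    included = any(re.search(pat, path) for pat in include_patterns)
    excluded = any(re.search(pat, path) for pat in exclude_patterns)
    return under_path and included and not excluded

def expiring(certs, window="+2w", now=None, extra_excludes=()):
    """certs maps path -> notAfter (aware datetime). Returns the candidate paths
    whose notAfter falls on or before now + window; already-expired ones count too.
    extra_excludes stands in for group/host exclusions appended to the global list."""
    now = now or datetime.now(timezone.utc)
    deadline = now + parse_window(window)
    excludes = EXCLUDE_PATTERNS + list(extra_excludes)
    return sorted(p for p, not_after in certs.items()
                  if is_candidate(p, INCLUDE_PATHS, INCLUDE_PATTERNS, excludes)
                  and not_after <= deadline)

# Constructed sample inventory: file path -> notAfter, relative to a fixed "now".
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = {
    "/etc/ssl/certs/www.crt": NOW + timedelta(days=5),            # expiring within 2w
    "/etc/pki/tls/certs/api.pem": NOW + timedelta(days=60),       # still fine
    "/etc/pki/tls/private/api-key.pem": NOW + timedelta(days=5),  # private key, excluded
    "/etc/pki/tls/certs/localhost.crt": NOW + timedelta(days=1),  # default cert, excluded
    "/home/app/cert.crt": NOW + timedelta(days=2),                # outside include paths
    "/opt/app/tls/old.crt": NOW - timedelta(days=3),              # already expired
}
```

Calling `expiring(SAMPLE, "+2w", NOW)` reports only the web certificate and the already-expired one; passing an extra exclusion such as `/etc/ssl/.*` mimics a host-level override.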

certmonitor_email_enabled: false

Email reporting is off by default. Set this to true to turn it on.

certmonitor_email_subject: "Expiring TLS Certificates"

The subject line for email reports.

certmonitor_email_subtype: "html"

Sets the email format to html; plain is also supported. The email template can be customised as needed.

There are more email variables available; check the last task in the playbook for details.

certmonitor_local_reporting: false

If enabled, a file is created in the configured directory, named after the certificate subject. These files let monitoring systems such as Zabbix track where certificates live.

certmonitor_local_reporting_path: /tmp/certmonitor

This is where the files will be saved if local reporting is enabled.

Dependencies

This role requires the community.crypto.x509_certificate_info module for inspecting certificates and the community.general.mail module for sending email reports.

Example Playbook

Here's how you can use the role with specific variable settings:

- name: Certificate Monitoring
  hosts: all
  become: true

  vars:
    certmonitor_email_enabled: true
    certmonitor_email_subject: "Expiring TLS Certificates"
    certmonitor_email_sender: "[email protected]"
    certmonitor_email_recipient: "[email protected]"
    certmonitor_smtp_server: "smtp.yourdomain.com"
    certmonitor_smtp_port: 25

  roles:
    - role: chrisvanmeer.certmonitor

License

BSD

Author Information

Installation

ansible-galaxy install chrisvanmeer.certmonitor