craigpearson.trellis_ca_certificates

Trellis CA Certificates

This is a Trellis Ansible Role that lets you add custom CA certificates to OpenSSL's trusted store. It is useful with Digital Ocean Managed Databases, which require SSL/TLS connections for MySQL and present a certificate signed by their own CA.

Requirements

Installation

Add to requirements

To add this role to your project, include it in your trellis/galaxy.yml file:

# trellis/galaxy.yml
- name: trellis-ca-certificates
  src: craigpearson.trellis_ca_certificates

Include in provision playbook

To use this feature on your staging or production servers, add it to trellis/server.yml:

# trellis/server.yml
...
- name: WordPress Server - Install LEMP Stack with PHP 7.3 and MariaDB MySQL
  hosts: web:&{{ env }}
  become: yes
  roles:
    - { role: common, tags: [common] }
    ...
    - { role: sshd, tags: [sshd] }
    - { role: trellis-ca-certificates, tags: [ca-certificates] } # Recommended inclusion point
    - { role: mariadb, tags: [mariadb] }

If you want this feature on your development server, add it to trellis/dev.yml.

Set certificates to include

On your production server, add the certificates in trellis/group_vars/production/main.yml:

# trellis/group_vars/production/main.yml
trellis_ca_certificates_trusted:
  # Local Source:         trellis/certs/production/example-certificate.crt
  # Remote Destination:   /usr/local/share/ca-certificates/database.crt
  - name: database
    src: example-certificate.crt

Include .crt files

By default, this role looks in trellis/certs for your certificates. Here’s an example structure:

trellis/
├── bin/
├── certs/                            # → Source certificates folder
│   ├── development/                  # → Development certificates
│   ├── staging/                      # → Staging certificates
│   └── production/                   # → Production certificates
│       └── example-certificate.crt
└── deploy-hooks/

Now, all that's left to do is provision your servers.

Role Variables

Configure custom certificates

You need to specify the trusted source list for your certificates in trellis/group_vars/{{ env }}/main.yml, where {{ env }} is your environment (development, staging, or production).

Note: The certificate is installed on the server under the name you give in name (with a .crt extension), not under its source filename. Here’s an example:

# This is an example of possible values; defaults to []
trellis_ca_certificates_trusted:
  # Local Source:         trellis/certs/{{ env }}/example-certificate.crt
  # Remote Destination:   /usr/local/share/ca-certificates/database.crt
  - name: database
    src: example-certificate.crt
  # Local Source:         trellis/certs/{{ env }}/db-master.crt
  # Remote Destination:   /usr/local/share/ca-certificates/database/master.crt
  - name: database/master
    src: db-master.crt
  # Local Source:         trellis/certs/{{ env }}/db-slave.crt
  # Remote Destination:   /usr/local/share/ca-certificates/database/slave.crt
  - name: database/slave
    src: db-slave.crt
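The mapping above (local trellis/certs/{{ env }}/&lt;src&gt; to remote /usr/local/share/ca-certificates/&lt;name&gt;.crt) is easy to get wrong when name contains subdirectories. The following added example is not the role's own code: it is a local pre-flight check that resolves the same paths, refuses a name that would land outside the trusted-store directory (a belt-and-braces guard assumed here, not a statement about how the role treats such names), and confirms each file is a PEM certificate before you provision.

```python
# Added example (not the role's own code): pre-flight check for a
# trellis_ca_certificates_trusted list, mirroring the Local Source /
# Remote Destination mapping documented in the README.
import posixpath

REMOTE_DIR = "/usr/local/share/ca-certificates"  # role default per the README


def remote_path(name):
    """Return the remote .crt path for a certificate 'name', or None if the
    name would resolve outside REMOTE_DIR. Names may contain subdirectories
    ("database/master"); the guard is an assumption of this example."""
    dest = posixpath.normpath(posixpath.join(REMOTE_DIR, name + ".crt"))
    return dest if dest.startswith(REMOTE_DIR + "/") else None


def resolve(entries, env, local_dir=None):
    """Map each {name, src} entry to (local source path, remote destination)."""
    # trellis_ca_certificates_local_dir defaults to trellis/certs/{{ env }}
    local_dir = local_dir or f"trellis/certs/{env}"
    resolved = []
    for entry in entries:
        dest = remote_path(entry["name"])
        if dest is None:
            raise ValueError(f"unsafe certificate name: {entry['name']!r}")
        resolved.append((posixpath.join(local_dir, entry["src"]), dest))
    return resolved


def looks_like_pem_cert(data):
    """The trusted store expects PEM-encoded certificates; reject anything else
    (a DER file, or an accidentally committed private key) before provisioning."""
    text = data.decode("ascii", errors="replace").strip()
    return (text.startswith("-----BEGIN CERTIFICATE-----")
            and text.endswith("-----END CERTIFICATE-----"))


# Constructed sample input: the entries from the README plus a fake PEM body.
SAMPLE_ENTRIES = [
    {"name": "database", "src": "example-certificate.crt"},
    {"name": "database/master", "src": "db-master.crt"},
    {"name": "database/slave", "src": "db-slave.crt"},
]
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgU0FNUExF\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for src, dest in resolve(SAMPLE_ENTRIES, "production"):
        print(f"{src} -> {dest}")
    print("PEM check:", looks_like_pem_cert(SAMPLE_PEM))
```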

Source directory

If you want to keep your certificate files in a folder other than trellis/certs/{{ env }}, specify it like this:

# Defaults to trellis/certs/env - where env is development, staging or production
trellis_ca_certificates_local_dir: custom-local-directory/{{ env }}

Remote destination directory

You shouldn’t need to change this unless your remote OpenSSL is set up to look for certificates in a different directory:

# Defaults to OpenSSL Trusted store on Ubuntu 18.04
trellis_ca_certificates_remote_dir: /usr/local/share/ca-certificates

About the project

Trellis role which allows you to add custom CA certificates to OpenSSL's trusted store.

Install
ansible-galaxy install craigpearson.trellis_ca_certificates

License
gpl-3.0

Downloads
3.3k

Owner
Just another WordPress developer