pixelart.nssdb

Ansible Role: NSS Shared DB


This role installs CA certificates into the NSS Shared DB on Ubuntu or Debian, the certificate store that Google Chrome (among other applications) reads.

Requirements

  • The CA certificate must already be present on the target machine. The bdellegrazie.ca-certificates role can put it there; that role is also what makes the certificate available to curl and PHP.

Role Variables

Here are the variables you can use, along with their default values (see defaults/main.yml):

  • certutils_package_state: 'installed' by default. Set it to 'latest' if you want the package upgraded, for example when tracking a different repository.

  • nssdb_users: An empty list by default. Add user account names here to manage those users' own nssdb in addition to the system-wide one at /etc/pki/nssdb. This matters for applications such as Google Chrome, which reads only the user's nssdb.

  • nssdb_certificates: Also an empty list by default. Each entry to install into /etc/pki/nssdb has a name, a path, and a trust string. The trust string holds the three comma-separated NSS trust fields (SSL, S/MIME, code signing): CT,c,c trusts the CA for signing websites only, while CT,C,C also trusts it for S/MIME (email) certificates and code signing.

Name your certificates in the format cert common name - cert organization so that they are grouped sensibly in Chrome's certificate manager.

Example:

nssdb_certificates:
  - name: CA Cert Signing Authority - Root CA
    path: /usr/local/share/ca-certificates/cacert.crt
    trust: CT,C,C
  - name: Acme CA - Acme Corp
    path: /usr/local/share/ca-certificates/acme.crt
    trust: CT,c,c

Dependencies

None. The bdellegrazie.ca-certificates role is still useful for copying the certificates onto the target machine and setting them up for curl, PHP, etc.

Example Playbook

- hosts: phpdevs

  pre_tasks:
    - name: Download CA Cert Signing Authority
      uri:
        url: 'http://www.cacert.org/certs/root.crt'
        return_content: true
      register: cacert_pem

  vars_files:
    - vars/main.yml

  roles:
    - bdellegrazie.ca-certificates
    - pixelart.nssdb

Inside vars/main.yml:

ca_certificates_trusted:
  - { pem: "{{ cacert_pem.content }}", name: cacert }
  - { pem: "{{ lookup('file', 'files/ssl/acme-ca.pem') }}", name: acme }

nssdb_users: ['username']
nssdb_certificates:
  - name: CA Cert Signing Authority - Root CA
    path: '{{ ca_certificates_local_dir }}/cacert.crt'
    trust: CT,C,C
  - name: Acme CA - Acme Corp
    path: /usr/local/share/ca-certificates/acme.crt
    trust: CT,c,c

After the playbook runs, the certificates are installed in both the system-wide nssdb and each listed user's nssdb, and added to ca-certificates.crt for use with curl, PHP, etc.
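As an added check that is not part of the pixelart.nssdb role, the following POSIX sh helpers compare the trust flags that certutil reports for each nickname with what the playbook declared, so a certificate that is missing or carries weaker trust than intended is caught. They assume certutil from the Debian/Ubuntu package libnss3-tools and the sql: shared DB in /etc/pki/nssdb (or a user's own nssdb directory); the listing embedded below is constructed sample output.

```shell
#!/bin/sh
# Verification helpers (added example, not part of the pixelart.nssdb role).
# nssdb_listing needs certutil (package libnss3-tools); the parsing functions
# work on captured listing text, so they run without an NSS database present.

# Print the `certutil -L` listing for the sql: shared DB in directory $1.
nssdb_listing() {
    certutil -d "sql:$1" -L
}

# Read a listing on stdin, print the trust flags of nickname $1; exit 1 if absent.
# certutil prints "<nickname> <SSL,S/MIME,JAR/XPI>" and nicknames may contain
# spaces, so the trust string is the last field and everything before it is the name.
nssdb_trust_of() {
    awk -v want="$1" '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            trust = $NF
            sub(/[ \t]+[^ \t]+[ \t]*$/, "")        # drop the trust column
            if ($0 == want) { print trust; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Compare a listing ($1) with "nickname=trust" specs ($2..) and report every
# certificate that is missing or has different flags. Returns the problem count.
nssdb_verify() {
    listing=$1; shift
    problems=0
    for spec in "$@"; do
        name=${spec%=*}; want=${spec##*=}
        if got=$(printf '%s\n' "$listing" | nssdb_trust_of "$name"); then
            [ "$got" = "$want" ] || { echo "MISMATCH: '$name' has trust $got, expected $want"; problems=$((problems + 1)); }
        else
            echo "MISSING: '$name' is not in the database"; problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample listing after the example playbook; the Acme entry was given
# weaker flags than the playbook's CT,c,c on purpose, to show a mismatch report.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Cert Signing Authority - Root CA                          CT,C,C
Acme CA - Acme Corp                                          c,,'

# Live use: nssdb_verify "$(nssdb_listing /etc/pki/nssdb)" "Acme CA - Acme Corp=CT,c,c"
nssdb_verify "$SAMPLE_LISTING" "CA Cert Signing Authority - Root CA=CT,C,C" "Acme CA - Acme Corp=CT,c,c" || echo "$? problem(s) found"
```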

Code of Conduct

Please remember that this project follows a Contributor Code of Conduct. By contributing, you agree to these terms.

License

MIT License, see the LICENSE file for details.

Author Information

This role was created in 2017 by pixelart GmbH.

Project information

Install certificates into NSS Shared DB

Install
ansible-galaxy install pixelart.nssdb
License
Unknown
Downloads
5.7k
Owner
pixelart is a digital agency based in Salzburg that has won awards throughout Europe. We employ 60 specialists to provide a full range of digital services.