Reputation: 4642
Ansible: Create a Self-Signed SSL Certificate and Key
I want to create a self signed certificate to use it with stunnel, in order to securely tunnel my redis traffic between the redis server and client. I'm using this command to generate the certificate and it works fine.
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/stunnel/redis-server.key -out /etc/stunnel/redis-server.crt
Since I'm using Ansible for provisioning, I would like to know how I can convert this into a more Ansible way of doing, using a module. There actually is a module called the openssl_certificate Ansible module and it states "This module allows one to (re)generate OpenSSL certificates.". I tried to use the module to generate the certificate, but I couldn't get it to work.
- name: Generate a Self Signed OpenSSL certificate
openssl_certificate:
path: /etc/stunnel/redis-server.crt
privatekey_path: /etc/stunnel/redis-server.key
csr_path: /etc/stunnel/redis-server.csr
provider: selfsigned
From a look at the documentation, I can't specify the following arguments -x509 -nodes -days 3650 -newkey rsa:2048. Of course, I could also split the key and cert generation, but that still wouldn't allow me to use the Ansible module, correct?
Example given:
openssl genrsa -out /etc/stunnel/key.pem 4096
openssl req -new -x509 -key /etc/stunnel/key.pem -out /etc/stunnel/cert.pem -days 1826
I would like to know the following things:
- a) How can I get the same result from the original command, but using an Ansible module?
- b) Is there a better way to manage self signed certificates using Ansible?
Upvotes: 16
Views: 20936
Answers (3)
Reputation: 789
- openssl_privatekey:
path: /etc/stunnel/redis-server.key
size: 2048
- openssl_csr:
path: /etc/stunnel/redis-server.csr
privatekey_path: /etc/stunnel/redis-server.key
- openssl_certificate:
provider: selfsigned
selfsigned_not_after: "+3650d"
path: /etc/stunnel/redis-server.crt
privatekey_path: /etc/stunnel/redis-server.key
csr_path: /etc/stunnel/redis-server.csr
-newkey rsa:2048is dealt withsizeon openssl_privatekey-x509is default
Upvotes: 25
Reputation: 364
You can achieve this in 2 steps (tested with Ansible 5.7.1):
- name: Ensure private key is present
community.crypto.openssl_privatekey:
path: /etc/stunnel/redis-server.key
size: 2048
mode: "0600"
type: RSA
- name: Ensure self-signed cert is present
community.crypto.x509_certificate:
path: /etc/stunnel/redis-server.crt
privatekey_path: /etc/stunnel/redis-server.key
provider: selfsigned
selfsigned_not_after: "+3650d" # this is the default
mode: "0644"
If you don't set a passphrase in the private key generation task, it will be password-less by default.
As @nondeterministic mentioned before, you can set the expiration date via selfsigned_not_after.
The mode parameter sets the file permissions of the key and cert files. It's a common best practice to set the permissions whenever possible and it is also checked per default by ansible-lint.
Sources:
- https://docs.ansible.com/ansible/latest/collections/community/crypto/openssl_privatekey_module.html
- https://docs.ansible.com/ansible/latest/collections/community/crypto/x509_certificate_module.html
Upvotes: 8
Reputation: 41
For others and my future self, this is an extended example with a CRT to set the subject and organization name of the self-signed certificate.
- name: Generate a self-signed private key
community.crypto.openssl_privatekey:
path: "{{ nginx_ssl_certificate_key }}"
size: 4096
mode: 0600
type: RSA
state: present
- name: Create certificate signing request (CSR) for self-signed certificate
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ nginx_ssl_certificate_key }}"
common_name: "{{ cert_common_name }}"
organization_name: "{{ cert_organization_name }}"
register: csr
- name: Generate a self-signed SSL/TLS certificate (valid for 10 years)
community.crypto.x509_certificate:
path: "{{ nginx_ssl_certificate }}"
privatekey_path: "{{ nginx_ssl_certificate_key }}"
csr_content: "{{ csr.csr }}"
provider: selfsigned
selfsigned_not_after: "+3650d"
mode: 0644
Hopefully this is of help to someone else.
Upvotes: 4
Related Questions
- Copying SSL certificate with Ansible
- Copy the ssl certificate from a server to a host in ansible
- Install OpenSSL using Ansible playbook
- Ansible, how to trust certificates?
- Python Requests SSLError with internal CA
- Generating a certificate chain in Ansible
- Create an SSL key which signed by CA in CentOS
- Key Generation Using Ansible
- Automate deployment of SSL private key using Ansible
- Cannot add SSL certificate on ELB using Ansible