Installs TLS (SSL) certificates to the target, in one of two ways depending on configuration:
- Installs your provided TLS certificate, private key, and CA certificate bundle to target system.
- Deploys a new self-signed certificate + key to target system.
In either case, automatically creates a "full chain" file (containing certificate + CA bundle, suitable for use with Nginx) as well.
Supports Ubuntu 12+ and CentOS 5+, adding support for other distros would be easy.
Caveats / notices:
On CentOS, file permissions for the private key are set to owner root and mode 600, because the enclosing /etc/pki/tls/private is permissively visible. (Compare to Ubuntu where the system-wide /etc/ssl/private directory already has restricted permissions.) Beyond that, this role does not do anything with file permissions, like configuring additional users/groups which can read the private key. That is left for the deployer to handle in a playbook. This role also does not configure other services that use the installed certificates.
If using this role to deploy a provided certificate then openssl must be available on the deployment host.
If using this role to create and deploy a self-signed certificate then openssl must be available on the target host.
(These are likely already true for any modern Linux system.)
| Variable | Required | Default | Choices | Comments |
|---|---|---|---|---|
| TLS_PRIVKEY_SRC_FILE | no | Path to private key on deployer system | ||
| TLS_CERT_SRC_FILE | no | Path to certificate on deployer system | ||
| TLS_CACHAIN_SRC_FILE | no | Path to CA chain on deployer system | ||
| TLS_DEST_BASENAME | no | provided cert CN* | Base filename of installed certificate | |
| TLS_CREATE_SELFSIGNED | no | false | true, false | Explicitly creates self-signed certificate |
| TLS_CERT_DEST_DIR | no | (distro-specific) | Directory for certificates on target host | |
| TLS_PRIVKEY_DEST_DIR | no | (distro-specific) | Directory for private keys on target host | |
| TLS_SUBJECT_ALTERNATE_NAME | no | ansible_fqdn | The fully qualified domain behind the generated certficate |
If you specify at least a TLS_PRIVKEY_SRC_FILE, TLS_CERT_SRC_FILE, and TLS_CACHAIN_SRC_FILE, then the provided files will be installed to the target. (Ansible will look in "files" directory relative to playbook if you specify a bare filename or relative path.) If these variables are not set by the deployer, then the role will create a self-signed certificate instead, with files selfsigned.crt and selfsigned.key. You can explicitly set TLS_CREATE_SELFSIGNED: true to override the default behavior and force creation of a self-signed certificate.
TLS_SUBJECT_ALTERNATE_NAME is the Subject Alternate Name (SAN) for the generated certificate. This field indicates the host behind the certificate. A valid example would be 'local.atmo.cloud'. The Chrome browser recently made this field mandatory. If you would like to learn about the history read this SO answer.
* If the deployer provides a certificate, then the certificate's indicated CN (domain) will be used as the base name of the files on the target (e.g. example.com.key, example.com.crt, example.com.cachain.crt, and example.com.fullchain.crt for example.com). If this role creates a self-signed certificate, the files will be named with "selfsigned" as the base name. In either case, setting TLS_DEST_BASENAME overrides this filename.
** By default, certificates and private keys are placed in the distro-specific system-wide default directories (but this can be overridden).
None
If you already have a certificate to install:
- hosts: all
roles:
- tls-cert
vars:
- TLS_PRIVKEY_SRC_FILE: example.com.key
- TLS_CERT_SRC_FILE: example.com.crt
- TLS_CACHAIN_SRC_FILE: example.com.cachain.crt
If you want to create a self-signed certificate, just call the role with no variables:
- hosts: all
roles:
- tls-cert
See license.md
Chris Martin
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent