Ansible Role for Issuing SSL Certs
Derek Merck
derek_merck@brown.edu
Rhode Island Hospital and Brown University
Providence, RI
Configure and create SSL certificates for nginx.
Dependencies
Galaxy Roles
- geerlingguy.docker to setup the docker environment
- geerlingguy.pip to install Python reqs
Run with --skip-tags deps to skip installing dependency roles.
Remote Node
Role Variables
Global Vars
config_dir: "/config"
common_name: "example.com"
public_host_name: "www"
admin_email: "admin@{{ secured_common_name }}"Certificate Issuer
cert_type may be one of:
selfsignedletsencrypt-- uses uses Ansible's Let's-Encrypt package, appears to be brokencertbot-- uses certbot's Docker imagelocal-- tries to run certbot locally and copy certs to remote (for wildcards, may be broken)
As with most of the derek.merck roles, the role respects a number of common global settings that may be set in the playbook or inventory.
cert_type: "selfsigned"
do_api_tok: FalseCertbot Configuration
Set the challenge type:
standalone- simple, but no other server may be using port 80webroot- a bit of a pain to integrate with an existing server since it requires a challenge path redirectdo-dns(DigitalOcean dns) is easiest; it does not manipulate the local server settings, but you must get a token and define thedo_api_tokvariable in the playbook or inventory.
Defaults to the staging server (which will still be considered insecure, but has loose restrictions on requests for testing). Set the staging flag to False for production (and possibly set the force flag to True if certbot complains about switching away from a valid staging cert).
secured_cb_challenge: "standalone"
secured_cb_staging: True
secured_cb_force: FalseExample Playbook
- hosts: internet_servers
tasks:
- include_role:
name: derekmerck.secured
vars:
common_name: "example.com"
cert_type: "certbot"
secured_cb_type: "standalone"License
MIT