An Ansible Role which allows for maintaining SSL certificates via certbot or other clients on a single administrative machine, and pushing them to the servers.
With redundant servers becoming a norm even for small businesses, it is not unheard of to want to have the same certificate installed on a service running on two, three or more services for load ballancing or availability purposes. However, when combined with services such as Let's Encrypt's CA authority and clients such as certbot, there is still a disconnect when it comes to certificate maintenance. The certificates need to be renewed at a single point of authority and distributed from there. And that is where this role comes onto the stage.
This role has been developed using Ansible 2.9, and presently only works with RHEL/CentOS/Rocky between 6.x and 9.x. Adapting it to other distros, or even other OSes should not be an issue; it is just that I do not presently use anything else.
It also does not address the setup/execution of a client such as cerbot, nor does it address the initial "installation" of the certificates and the software configuration which goes with it. It mearly consolidates the renewal into one location where the certificates can be easily backed up, and where a single renewal for shared certificates can take place.
N.B. There is a near-term goal of hopefully adding support for the following:
- DELL DRAC 5 (using racadm)
- FreeBSD
- FreeNAS
- OPNSense
NOTE: This role uses the ansible-merge-vars plugin
to handle variables coming from the host variables as well as group variables
for an indeterminate number of groups. So for example, where
certificates__to_merge is used, this could also include variables such as
ldap_certificates__to_merge and web_certificates__to_merge, which will be
merged within the role, rather than having one variable which gets overwritten.
So, if a host has:
certificates__to_merge:
- certificate-a
- certificate-b
and one group to which it belongs has:
ldap_certificates__to_merge:
- certificate-c
and a second group has:
web_certificates__to_merge:
- certificate-b
- certificate-d
These will be combined into the variable certificates, which would be the same
as (order possibly varying):
certificates:
- certificate-a
- certificate-b
- certificate-c
- certificate-d
The following host/group-specific variables are used, and are defined either in the host variables, or in the variables for associated groups.
certificates__to_merge:
- www.example.com
or
certificates__to_merge:
- www.example.com
- foo.example.net
Defines the certificates to be distributed to a given host and/or group, merging as discussed above. It may be defined in any location where host/group variables may be defined. The values given must be a list.
certificate_services__to_merge:
- httpd
or
ldap_certificate_services__to_merge:
- slapd
The list of services which will be restarted if a new certificate is pushed to
the host. If no services are defined, then a default of httpd is used, but it should be
noted that if any service is specified in either the host or group variables and
httpd is needed, it must be explicitly specified.
NOTE: At this point, pushing a certificate for one service will result in
all services which use certificates being restarted. So the above would be
combined into the internal certificate_services variable, and slapd would be
restarted even if just a certificate associated with a web server was pushed.
See the examples found in the examples directory.
This software is open-sourced software licensed under the Apache 2.0 license.
This role was created 2018 Dec 1 by Douglas Needham.