ansible-role-certificates/README.md


Certificates

This role creates and signs certificates using multiple backends, including letsencrypt.

Parameters

All configuration goes inside the certificates dict.

# configuration for each backend; see below for the options of every backend
backends:
  letsencrypt: *letsencrypt-backend-config*
  selfsigned: *selfsigned-backend-config*

# default options for certificates
defaults:
  country: "SU"
  province: "CYBER"
  city: "Cyberspace"
  org: "Tyrell Corporation"
  mail: "example@example.com"
  ou: "cyber"
  cn: ~
  san: []

# key: certificate name, value: config for that certificate. See below for the definition
certs: *certificate-config*

certificate-config: every setting given here overrides the corresponding default for this certificate.

# Country (string)
country: "SU"

# Province (string)
province: "CYBER"

# City (string)
city: "Cyberspace"

# Organisation (string)
org: "Tyrell Corporation"

# Mail address (string)
mail: "example@example.com"

# organizational unit name (string)
ou: "cyber"

# common name (string); if left as None (~), the first SAN is used
cn: ~

# subject alt names (list of strings)
san: []

# services to restart if this certificate changes
depending_services: []

# which backend to use, can be 'selfsigned' or 'letsencrypt'
backend: 'selfsigned'

# override settings of the selected backend for this certificate (same keys as the backend config)
backend_override: {}

Backends

Letsencrypt

letsencrypt-backend-config

# days of validity left on a certificate before it is renewed
remainingdays: 28

# challenge type to use, can be:
# 'dns-01': use the DNS challenge with a custom PowerDNS backend
# 'dns-01-manual': use the DNS challenge and set the DNS record manually
# 'http-01': use the HTTP challenge and deploy the challenges to a webserver
challange: dns-01

# servers to deploy a challenge to
challangeserver: []
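How the certificate-config and backend settings above combine, as an added illustration that is not the role's own code: role-wide defaults are overridden per certificate, a cn of ~ falls back to the first SAN, and backend_override is merged over the chosen backend's config. The resolution function, the resulting backend_config key and the sample certificates dict are assumptions made for this example.

```python
import copy

# subject fields that a certificate may override from `defaults`
SUBJECT_KEYS = ("country", "province", "city", "org", "mail", "ou", "cn", "san")


def resolve_cert(certificates, name):
    """Return the effective settings for certificate `name` (hypothetical helper)."""
    cert = certificates["certs"][name]
    # start from the role-wide defaults, then let the certificate's own keys win
    resolved = copy.deepcopy(certificates.get("defaults", {}))
    resolved.update({k: v for k, v in cert.items() if k in SUBJECT_KEYS})
    resolved.setdefault("san", [])
    # cn of None means "use the first SAN"; with neither there is no subject to sign
    if resolved.get("cn") is None:
        if not resolved["san"]:
            raise ValueError(f"{name}: neither cn nor san configured")
        resolved["cn"] = resolved["san"][0]
    backend = cert.get("backend", "selfsigned")
    if backend not in ("selfsigned", "letsencrypt"):
        raise ValueError(f"{name}: unknown backend {backend!r}")
    # per-certificate backend_override wins over the backend-wide config
    backend_cfg = copy.deepcopy(certificates.get("backends", {}).get(backend, {}))
    backend_cfg.update(cert.get("backend_override", {}))
    resolved["backend"] = backend
    resolved["backend_config"] = backend_cfg
    resolved["depending_services"] = list(cert.get("depending_services", []))
    return resolved


# constructed sample `certificates` dict in the layout documented above
CERTIFICATES = {
    "backends": {
        "letsencrypt": {"remainingdays": 28, "challange": "dns-01", "challangeserver": []},
        "selfsigned": {},
    },
    "defaults": {"country": "SU", "province": "CYBER", "city": "Cyberspace",
                 "org": "Tyrell Corporation", "mail": "example@example.com",
                 "ou": "cyber", "cn": None, "san": []},
    "certs": {
        "internal": {"san": ["intranet.example.com"], "depending_services": ["nginx"]},
        "public": {"cn": "www.example.com", "san": ["www.example.com", "example.com"],
                   "backend": "letsencrypt",
                   "backend_override": {"challange": "http-01", "challangeserver": ["web1"]}},
    },
}

if __name__ == "__main__":
    for cert_name in CERTIFICATES["certs"]:
        print(cert_name, resolve_cert(CERTIFICATES, cert_name))
```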

Selfsigned

Paths

Certificates are stored at fixed locations:

  • key: /etc/ssl/private/<certname>.key
  • certificate: /etc/ssl/<certname>.crt
  • CSR: /etc/ssl/<certname>.csr
  • chain: /etc/ssl/<certname>.chain.crt
  • key, certificate and chain combined: /etc/ssl/private/<certname>.complete.pem