Automation with Ansible

This is an example of how our own installation works.

Ansible can be started manually on a sysadmin's workstation or on AWX. So we need a “central server” that manages and holds all certificates.

cm.sh contains a queue so that only one certificate is handled at a time. Multiple simultaneous calls of cm.sh, from multiple machines or because of parallel tasks in your playbook, are no problem.

Workflow with Ansible

The following snippets give you an idea of how it is done, even if they are not a complete source with all values of the variables.

1. Execute cm.sh

The Ansible instance starts cm.sh as an SSH command. This triggers the creation or renewal of a certificate, whichever is needed.

- name: 'on {{ ssl_master_certhost }} - start {{ ssl_certman_dir }}/cm.sh ensure ...'
  shell: | 
    ssh {{ ssl_master_user }}@{{ ssl_master_certhost }} {{ ssl_certman_dir }}/cm.sh ensure {{ ssl_fqdn }} {{ ssl_aliases | join(' ')}}
  become_user: "{{ lookup('env','USER') }}"
  delegate_to: localhost
  # maybe you need to set
  # become: true|false

2. Rsync certs locally

With rsync the certificate folder is synced from the central server to the Ansible machine.

- name: "sync certs locally"
  shell: | 
    rsync -rav {{ ssl_master_user }}@{{ ssl_master_certhost }}:{{ ssl_master_install_dir }}/certs/ {{ ssl_certs_local_dir }}
  become_user: "{{ lookup('env','USER') }}"
  delegate_to: localhost
  # maybe you need to set
  # become: true|false

3. Deploy files

Now we can use the normal Ansible copy mechanisms to bring these files to the target system.

- name: Install key + certificate for {{ ssl_fqdn }} + intermediate CA
  copy:
    src:  '{{ item[0] }}'
    dest: '{{ item[1] }}'
    mode: '{{ item[2] }}'
    backup: true
  notify: "{{ ssl_change_notify | default([]) }}"
  loop:
    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.cert.cer',       '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.cert.cer'      , '0444']
    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.fullchain.cer',  '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.fullchain.cer' , '0444']
    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.key.pem',        '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.key.pem'       , '0400']
    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.haproxy.pem',    '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.haproxy.pem'   , '0444']
    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.ca.cer',         '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.ca.cer'        , '0444']
    #                              ^
    #                              |
    #                              file structure after the acme.sh dump
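As an added example that is not part of the original page or of cm.sh, here is one playbook that chains the three steps and, before copying anything, fails if the synced key does not belong to the synced certificate. The variable names follow the snippets above; the values, the host group and the target directory ssl_certdir are assumptions.

```yaml
---
# Added example (not the page's own code); vars marked "assumed" are placeholders.
- name: Ensure and deploy the certificate for {{ ssl_fqdn }}
  hosts: webservers
  vars:
    ssl_master_user: certman                       # assumed
    ssl_master_certhost: certs.example.internal    # assumed
    ssl_certman_dir: /opt/certman                  # assumed
    ssl_master_install_dir: /opt/certman           # assumed
    ssl_certs_local_dir: "{{ lookup('env', 'HOME') }}/certs"
    ssl_fqdn: "{{ inventory_hostname }}"
    ssl_aliases: []
    ssl_certdir: /etc/ssl/private                  # assumed target directory
  tasks:
    - name: Ensure the certificate on the central server (cm.sh queues parallel calls)
      command: >
        ssh {{ ssl_master_user }}@{{ ssl_master_certhost }}
        {{ ssl_certman_dir }}/cm.sh ensure {{ ssl_fqdn }} {{ ssl_aliases | join(' ') }}
      delegate_to: localhost

    - name: Sync the certificate folder to the Ansible machine
      command: >
        rsync -ra {{ ssl_master_user }}@{{ ssl_master_certhost }}:{{ ssl_master_install_dir }}/certs/
        {{ ssl_certs_local_dir }}/
      delegate_to: localhost

    # Compare the public key inside the certificate with the one derived from
    # the private key; diff exits non-zero on mismatch and the play stops here.
    - name: Fail early if the synced key does not belong to the synced certificate
      shell: >
        diff
        <(openssl x509 -noout -pubkey -in {{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.cert.cer)
        <(openssl pkey -pubout -in {{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.key.pem)
      args:
        executable: /bin/bash   # process substitution needs bash
      delegate_to: localhost
      changed_when: false

    - name: Install key + certificate + chain with restrictive modes
      copy:
        src: "{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.{{ item.suffix }}"
        dest: "{{ ssl_certdir }}/{{ ssl_fqdn }}.{{ item.suffix }}"
        mode: "{{ item.mode }}"
        backup: true
      loop:
        - { suffix: cert.cer, mode: '0444' }
        - { suffix: fullchain.cer, mode: '0444' }
        - { suffix: key.pem, mode: '0400' }        # private key: owner read-only
        - { suffix: ca.cer, mode: '0444' }
      notify: "{{ ssl_change_notify | default([]) }}"
```

The synced copy in ssl_certs_local_dir contains private keys, so the Ansible machine's home directory needs the same protection as the central server's certs folder.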