Ansible: Create a Self-Signed SSL Certificate and Key

I want to create a self-signed certificate to use it with stunnel, in order to securely tunnel my redis traffic between the redis server and client. I'm using this command to generate the certificate and it works fine.

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/stunnel/redis-server.key -out /etc/stunnel/redis-server.crt

Since I'm using Ansible for provisioning, I would like to know how I can convert this into a more Ansible way of doing, using a module. There actually is a module called the openssl_certificate Ansible module and it states "This module allows one to (re)generate OpenSSL certificates." I tried to use the module to generate the certificate, but I couldn't get it to work.

- name: Generate a Self Signed OpenSSL certificate
  openssl_certificate:
    path: /etc/stunnel/redis-server.crt
    privatekey_path: /etc/stunnel/redis-server.key
    csr_path: /etc/stunnel/redis-server.csr
    provider: selfsigned

From a look at the documentation, I can't specify the following arguments -x509 -nodes -days 3650 -newkey rsa:2048. Of course, I could also split the key and cert generation, but that still wouldn't allow me to use the Ansible module, correct?

Example given:

openssl genrsa -out /etc/stunnel/key.pem 4096

openssl req -new -x509 -key /etc/stunnel/key.pem -out /etc/stunnel/cert.pem -days 1826

I would like to know the following things:

  • a) How can I get the same result from the original command, but using an Ansible module?
  • b) Is there a better way to manage self-signed certificates using Ansible?

Tom asked May 28 '19 21:05

1 Answer

- openssl_privatekey:
    path: /etc/stunnel/redis-server.key
    size: 2048          # replaces "-newkey rsa:2048"

- openssl_csr:
    path: /etc/stunnel/redis-server.csr
    privatekey_path: /etc/stunnel/redis-server.key

- openssl_certificate:
    provider: selfsigned          # self-signed, i.e. "-x509"
    path: /etc/stunnel/redis-server.crt
    privatekey_path: /etc/stunnel/redis-server.key
    csr_path: /etc/stunnel/redis-server.csr   # YAML needs a space after the colon
  • "-newkey rsa:2048" is dealt with by "size" on privatekey
  • "-x509" is defaulted
  • "-nodes" and "-days 3650" I couldn't find

Tyhal answered Sep 21 '22 11:09
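As an added example (not code from the question or the answer above), here is a complete play that maps every flag of the original `openssl req` command onto the three modules: the key stays unencrypted because no `passphrase` is given (the `-nodes` equivalent), and `selfsigned_not_after` sets the validity period (the `-days 3650` equivalent, which is also the module's default). The inventory group, the common name and the `stunnel4` service name are assumptions; on current Ansible these modules live in the `community.crypto` collection, where `openssl_certificate` is called `x509_certificate`.

```yaml
# Added example: Ansible equivalent of
#   openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout ... -out ...
# Inventory group, CN and service name below are assumptions.
- name: Provision a self-signed certificate for the stunnel redis endpoint
  hosts: redis_servers            # assumed inventory group
  become: true
  vars:
    stunnel_key: /etc/stunnel/redis-server.key
    stunnel_csr: /etc/stunnel/redis-server.csr
    stunnel_crt: /etc/stunnel/redis-server.crt
  tasks:
    - name: Generate a 2048-bit RSA key (-newkey rsa:2048, -nodes)
      openssl_privatekey:
        path: "{{ stunnel_key }}"
        type: RSA
        size: 2048
        # No passphrase/cipher given => key is written unencrypted (-nodes).
        mode: "0600"              # private key readable by root only

    - name: Generate a CSR for the key (the subject "openssl req" prompts for)
      openssl_csr:
        path: "{{ stunnel_csr }}"
        privatekey_path: "{{ stunnel_key }}"
        common_name: redis.example.internal   # assumed CN

    - name: Self-sign the CSR (-x509, -days 3650)
      openssl_certificate:
        path: "{{ stunnel_crt }}"
        privatekey_path: "{{ stunnel_key }}"
        csr_path: "{{ stunnel_csr }}"
        provider: selfsigned
        selfsigned_not_after: "+3650d"   # validity; equals the module default
        mode: "0644"
      notify: restart stunnel

  handlers:
    - name: restart stunnel
      service:
        name: stunnel4            # assumed service name (Debian/Ubuntu package)
        state: restarted
```

Each module is idempotent, so re-running the play leaves an existing key and certificate untouched unless their parameters (size, validity, subject) no longer match.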