I am using the block below
- name: Ensure that the existing certificate has a certain domain in its subjectAltName
  openssl_certificate:
    path: /etc/ssl/crt/example.com.crt
    provider: selfsigned
    subject_alt_name:
      - www.example.com
      - test.example.com
to generate a self-signed certificate with Ansible, and I want to use the IPs from my inventory file as the subject_alt_names, for example
- name: Generate cert
  openssl_certificate:
    path: ssl/mongo-test.crt
    privatekey_path: ssl/mongo-test.pem
    csr_path: ssl/mongo-test.csr
    provider: selfsigned
    subject_alt_name:
      - "IP:{{ hostvars[item].ansible_host }}"
so that I end up with
- name: Generate cert
  openssl_certificate:
    path: ssl/mongo-test.crt
    privatekey_path: ssl/mongo-test.pem
    csr_path: ssl/mongo-test.csr
    provider: selfsigned
    subject_alt_name:
      - IP:10.136.31.37
      - IP:10.136.29.52
      - IP:10.136.30.53
How do I get all of my inventory hosts under the subject_alt_name list?
I tried using with_items, but that creates a new certificate per IP address, and each iteration overwrites the last one.
Answer 0 (score: 1)
I know I am not directly answering your question, but I ran into the same problem and chose a different approach, which may work for you too.
I created an openssl.conf file that is templated with Jinja:
[ req ]
prompt = no
distinguished_name = req_distinguished_name
{% if letsencrypt_sans_domains[item] is defined and letsencrypt_sans_domains[item] | length > 0 %}
req_extensions = req_ext
{% endif %}
string_mask = utf8only
default_md = sha256

[ req_distinguished_name ]
O=Organization
L=Boston
ST=Massachusetts
C=US
CN={{ item }}

{% if letsencrypt_sans_domains[item] is defined and letsencrypt_sans_domains[item] | length > 0 %}
[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = {{ item }}
{# loop.index is 1-based, so add one to continue after DNS.1;
   a {% set %} counter does not persist across Jinja2 loop iterations #}
{% for domain in letsencrypt_sans_domains[item] %}
DNS.{{ loop.index + 1 }} = {{ domain }}
{% endfor %}
{% endif %}
Then I deploy the file with the template module and call:
- name: "Generate CSR"
  command: "openssl req -config openssl_req_{{ item }}.conf -nodes -new -newkey rsa:4096 -out {{ item }}.csr -keyout {{ item }}.key"
  with_items: "{{ letsencrypt_domains | default([]) }}"
The variables letsencrypt_sans_domains and letsencrypt_domains point to:
letsencrypt_domains: [
  "a.b.com"
]
letsencrypt_sans_domains: {
  "a.b.com": [ "b.b.com", "c.b.com", "d.b.com" ]
}
Of course, if letsencrypt is your use case, you will need to answer the challenges for all of the SAN domains.
Answer 1 (score: 0)
This can be done with
- name: Generate an OpenSSL CSR with subjectAltName extension with dynamic list
  openssl_csr:
    path: /etc/ssl/csr/www.ansible.com.csr
    privatekey_path: /etc/ssl/private/ansible.com.pem
    subject_alt_name: "{{ item.value | map('regex_replace', '^', 'IP:') | list }}"
  with_dict:
    ips:
      - 10.10.0.11
      - 10.10.0.12
      - 10.10.0.13
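As an added example (not code from the question or either answer), the following playbook combines the question's hostvars[...].ansible_host lookup with answer 1's map/regex_replace filter chain to build the SAN list from a whole inventory group, so a single task issues a single certificate instead of overwriting one per host. It assumes an inventory group named mongo whose hosts each have ansible_host set to an IP address, and reuses the question's ssl/mongo-test.* paths.

```yaml
# Added example: one self-signed certificate whose SANs are every IP in an
# inventory group. Assumed: group "mongo" exists and each member has
# ansible_host set to its IP; file paths follow the question's layout.
- name: Generate one self-signed cert covering every mongo host
  hosts: localhost
  gather_facts: false
  vars:
    # groups['mongo']                    -> list of inventory hostnames
    # map('extract', hostvars, 'ansible_host') -> each host's IP
    # map('regex_replace', '^', 'IP:')   -> prefix expected in subject_alt_name
    mongo_sans: "{{ groups['mongo']
                    | map('extract', hostvars, 'ansible_host')
                    | map('regex_replace', '^', 'IP:')
                    | list }}"
  tasks:
    - name: Generate private key
      openssl_privatekey:
        path: ssl/mongo-test.pem

    # The SAN list lives in the CSR: the selfsigned provider copies the
    # requested extensions from the CSR into the issued certificate.
    - name: Generate CSR with all inventory IPs as SANs
      openssl_csr:
        path: ssl/mongo-test.csr
        privatekey_path: ssl/mongo-test.pem
        common_name: mongo-test
        subject_alt_name: "{{ mongo_sans }}"

    # No loop here, so nothing gets overwritten on later iterations.
    - name: Generate cert
      openssl_certificate:
        path: ssl/mongo-test.crt
        privatekey_path: ssl/mongo-test.pem
        csr_path: ssl/mongo-test.csr
        provider: selfsigned
```

Any host in the group without ansible_host defined makes the extract filter return an undefined value and the play fails before a certificate is written, which is preferable to silently issuing a certificate missing that host.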