使用 Ansible 创建具有多个主题替代名称的证书

Create a cert with multiple subject alt names with Ansible

我正在使用如下方块

- name: Ensure that the existing certificate has a certain domain in its subjectAltName
  openssl_certificate:
    path: /etc/ssl/crt/example.com.crt
    provider: selfsigned
    subject_alt_name:
      - www.example.com
      - test.example.com

要使用 Ansible 生成自签名证书,我想在我的清单文件中使用 ips 作为 subject_alt_names 类似

- name: Generate cert
  openssl_certificate:
    path: ssl/mongo-test.crt
    privatekey_path: ssl/mongo-test.pem
    csr_path: ssl/mongo-test.csr
    provider: selfsigned
    subject_alt_name: 
      - IP:{{hostvars[item].ansible_host}}

所以我最终得到

- name: Generate cert
  openssl_certificate:
    path: ssl/mongo-test.crt
    privatekey_path: ssl/mongo-test.pem
    csr_path: ssl/mongo-test.csr
    provider: selfsigned
    subject_alt_name: 
      - IP:10.136.31.37
      - IP:10.136.29.52
      - IP:10.136.30.53

如何让我所有的库存 ip 都进入 subject_alt_name 列表?

我试过使用 with_items 但它会为每个 ip 地址创建一个新证书,并且每次迭代都会覆盖最后一个。

我知道我不会直接回答你的问题,但我遇到了同样的问题,我选择了另一种方法,希望它也适用于你。

我创建了一个 openssl.conf 文件,其模板为 Jinja:

[ req ]
prompt = no
distinguished_name = req_distinguished_name
{% if letsencrypt_sans_domains[item] is defined and letsencrypt_sans_domains[item] | length > 0 %}
req_extensions     = req_ext
{% endif %}

string_mask = utf8only
default_md = sha256

[ req_distinguished_name ]
O=Organization
L=Boston
ST=Massachusetts
C=US
CN={{ item }}

{% if letsencrypt_sans_domains[item] is defined and letsencrypt_sans_domains[item] | length > 0 %}
[ req_ext ]
subjectAltName          = @alt_names

[alt_names]
DNS.1 = {{ item }}
{% set i = 2 %}
{% for domain in letsencrypt_sans_domains[item] %}
DNS.{{ i }} = {{ domain }}
{% set i = i + 1 %}
{% endfor %}
{% endif %}

然后我使用 template 模块部署文件并调用:

- name: "Generate CSR"
  command: "openssl req -config openssl_req_{{ item }}.conf -nodes -new -newkey rsa:4096 -out {{ item }}.csr -keyout {{ item }}.key"
  with_items: "{{ letsencrypt_domains | default([]) }}"

变量letsencrypt_sans_domainsletsencrypt_domains指向:

letsencrypt_domains: [
  "a.b.com"
],
letsencrypt_sans_domains: {
  "a.b.com": [ "b.b.com", "c.b.com", "d.b.com" ]
}

}

当然,如果 letsencrypt 是您的用例,您将需要回答所有 SAN 域的挑战

这可以通过

完成
   - name: Generate an OpenSSL CSR with subjectAltName extension with dynamic list
      openssl_csr:
        path: /etc/ssl/csr/www.ansible.com.csr
        privatekey_path: /etc/ssl/private/ansible.com.pem
        subject_alt_name: "{{ item.value | map('regex_replace', '^', 'IP:') | list }}"
      with_dict:
        ips:
        - 10.10.0.11
        - 10.10.0.12
        - 10.10.0.13