使用 Ansible 创建具有多个主题替代名称的证书
Create a cert with multiple subject alt names with Ansible
我正在使用如下方块
- name: Ensure that the existing certificate has a certain domain in its subjectAltName
openssl_certificate:
path: /etc/ssl/crt/example.com.crt
provider: selfsigned
subject_alt_name:
- www.example.com
- test.example.com
要使用 Ansible 生成自签名证书,我想在我的清单文件中使用 ips 作为 subject_alt_names 类似
- name: Generate cert
openssl_certificate:
path: ssl/mongo-test.crt
privatekey_path: ssl/mongo-test.pem
csr_path: ssl/mongo-test.csr
provider: selfsigned
subject_alt_name:
- IP:{{hostvars[item].ansible_host}}
所以我最终得到
- name: Generate cert
openssl_certificate:
path: ssl/mongo-test.crt
privatekey_path: ssl/mongo-test.pem
csr_path: ssl/mongo-test.csr
provider: selfsigned
subject_alt_name:
- IP:10.136.31.37
- IP:10.136.29.52
- IP:10.136.30.53
如何让我所有的库存 ip 都进入 subject_alt_name 列表?
我试过使用 with_items 但它会为每个 ip 地址创建一个新证书,并且每次迭代都会覆盖最后一个。
我知道我不会直接回答你的问题,但我遇到了同样的问题,我选择了另一种方法,希望它也适用于你。
我创建了一个 openssl.conf
文件,其模板为 Jinja
:
[ req ]
prompt = no
distinguished_name = req_distinguished_name
{% if letsencrypt_sans_domains[item] is defined and letsencrypt_sans_domains[item] | length > 0 %}
req_extensions = req_ext
{% endif %}
string_mask = utf8only
default_md = sha256
[ req_distinguished_name ]
O=Organization
L=Boston
ST=Massachusetts
C=US
CN={{ item }}
{% if letsencrypt_sans_domains[item] is defined and letsencrypt_sans_domains[item] | length > 0 %}
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = {{ item }}
{% set i = 2 %}
{% for domain in letsencrypt_sans_domains[item] %}
DNS.{{ i }} = {{ domain }}
{% set i = i + 1 %}
{% endfor %}
{% endif %}
然后我使用 template
模块部署文件并调用:
- name: "Generate CSR"
command: "openssl req -config openssl_req_{{ item }}.conf -nodes -new -newkey rsa:4096 -out {{ item }}.csr -keyout {{ item }}.key"
with_items: "{{ letsencrypt_domains | default([]) }}"
变量letsencrypt_sans_domains
和letsencrypt_domains
指向:
letsencrypt_domains: [
"a.b.com"
],
letsencrypt_sans_domains: {
"a.b.com": [ "b.b.com", "c.b.com", "d.b.com" ]
}
}
当然,如果 letsencrypt
是您的用例,您将需要回答所有 SAN 域的挑战
这可以通过
完成
- name: Generate an OpenSSL CSR with subjectAltName extension with dynamic list
openssl_csr:
path: /etc/ssl/csr/www.ansible.com.csr
privatekey_path: /etc/ssl/private/ansible.com.pem
subject_alt_name: "{{ item.value | map('regex_replace', '^', 'IP:') | list }}"
with_dict:
ips:
- 10.10.0.11
- 10.10.0.12
- 10.10.0.13
我正在使用如下方块
- name: Ensure that the existing certificate has a certain domain in its subjectAltName
openssl_certificate:
path: /etc/ssl/crt/example.com.crt
provider: selfsigned
subject_alt_name:
- www.example.com
- test.example.com
要使用 Ansible 生成自签名证书,我想在我的清单文件中使用 ips 作为 subject_alt_names 类似
- name: Generate cert
openssl_certificate:
path: ssl/mongo-test.crt
privatekey_path: ssl/mongo-test.pem
csr_path: ssl/mongo-test.csr
provider: selfsigned
subject_alt_name:
- IP:{{hostvars[item].ansible_host}}
所以我最终得到
- name: Generate cert
openssl_certificate:
path: ssl/mongo-test.crt
privatekey_path: ssl/mongo-test.pem
csr_path: ssl/mongo-test.csr
provider: selfsigned
subject_alt_name:
- IP:10.136.31.37
- IP:10.136.29.52
- IP:10.136.30.53
如何让我所有的库存 ip 都进入 subject_alt_name 列表?
我试过使用 with_items 但它会为每个 ip 地址创建一个新证书,并且每次迭代都会覆盖最后一个。
我知道我不会直接回答你的问题,但我遇到了同样的问题,我选择了另一种方法,希望它也适用于你。
我创建了一个 openssl.conf
文件,其模板为 Jinja
:
[ req ]
prompt = no
distinguished_name = req_distinguished_name
{% if letsencrypt_sans_domains[item] is defined and letsencrypt_sans_domains[item] | length > 0 %}
req_extensions = req_ext
{% endif %}
string_mask = utf8only
default_md = sha256
[ req_distinguished_name ]
O=Organization
L=Boston
ST=Massachusetts
C=US
CN={{ item }}
{% if letsencrypt_sans_domains[item] is defined and letsencrypt_sans_domains[item] | length > 0 %}
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = {{ item }}
{% set i = 2 %}
{% for domain in letsencrypt_sans_domains[item] %}
DNS.{{ i }} = {{ domain }}
{% set i = i + 1 %}
{% endfor %}
{% endif %}
然后我使用 template
模块部署文件并调用:
- name: "Generate CSR"
command: "openssl req -config openssl_req_{{ item }}.conf -nodes -new -newkey rsa:4096 -out {{ item }}.csr -keyout {{ item }}.key"
with_items: "{{ letsencrypt_domains | default([]) }}"
变量letsencrypt_sans_domains
和letsencrypt_domains
指向:
letsencrypt_domains: [
"a.b.com"
],
letsencrypt_sans_domains: {
"a.b.com": [ "b.b.com", "c.b.com", "d.b.com" ]
}
}
当然,如果 letsencrypt
是您的用例,您将需要回答所有 SAN 域的挑战
这可以通过
完成 - name: Generate an OpenSSL CSR with subjectAltName extension with dynamic list
openssl_csr:
path: /etc/ssl/csr/www.ansible.com.csr
privatekey_path: /etc/ssl/private/ansible.com.pem
subject_alt_name: "{{ item.value | map('regex_replace', '^', 'IP:') | list }}"
with_dict:
ips:
- 10.10.0.11
- 10.10.0.12
- 10.10.0.13