Because we handle TLS certificates for our customers on a daily basis, we regularly need to create or renew certificates and distribute them to our servers.
Sometimes a certificate order is delayed, or we simply forgot to monitor the expiration date (shame on us). How much better would it be to do this automatically, without relying on a human to remember when a certificate is due for renewal, and to offer it as a kind of self-service? A welcome side effect is better security: the certificates are only valid for 90 days, so a leaked private key is usable for a much shorter window, and short lifetimes only become practical once renewal is automated.
Our first step towards this vision was taken at the end of 2019 with an Ansible role that used certbot to issue certificates and some basic Ansible modules to distribute the files to the servers.
This helped us a lot and made us faster most of the time, but it had several problems. First, we had only integrated HTTP-01 challenges and therefore could not issue wildcard certificates, which require a DNS-01 challenge. Second, shelling out to certbot is not what is called the Ansible Way. certbot is also one more package we would have to update and keep an eye on all the time, and it was a bit clunky with all its configuration options.
So we sat down again and extended the role with the possibility to do DNS challenges. Thanks to Sebastian Gumprich, this was implemented with plain Ansible modules and our DNS provider's AutoDNS API. This approach convinced us, so we refactored the HTTP part to work the same way.
After testing it and integrating it in one of our services, we decided to migrate the role to an Ansible collection and to publish it on GitHub and Ansible Galaxy. Our hope was to help others with the same task and to develop the role further together.
We already had further improvements for the collection in mind, for example modularizing the HTTP and DNS challenge implementations so that different providers can be plugged in.
The first step in this direction was taken shortly after the collection was published on GitHub, by Michaela Mattes: she implemented the possibility to use Azure DNS for DNS challenges.
If you are wondering what happened to the distribution of the certificates to the servers:
We dropped it (for now)! There are so many possible ways and targets for distributing the files that we decided not to implement it in the collection and to let users take care of this themselves.
In conjunction with GitLab CI or any other scheduling-capable system you can fully automate issuing and distributing the certificates, and a scheduled run also takes care of renewing them before they expire.
Here is one example playbook for issuing a wildcard certificate. Only a fragment of the play survives here; the vault-encrypted values and the remaining parameters are omitted:
```yaml
- name: create the certificate for *.example.com
    private_key_content: !vault |
    dns_password: !vault |
```
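As an added example, not taken from the collection or from the original post, the play below shows what the same DNS-01 flow looks like when written with plain community.crypto modules and the Azure DNS collection (the collection described above wraps this into a role). The zone example.com, the resource group rg-dns, the account e-mail and the file paths are assumptions; the directory URL is Let's Encrypt's public staging endpoint and should be switched to production once a run succeeds.

```yaml
---
# Added example, not the collection's own code. Issues *.example.com plus the
# apex via ACME DNS-01 using community.crypto and azure.azcollection only.
# All names below (zone, resource group, e-mail, paths) are assumptions.
- name: Issue *.example.com with a DNS-01 challenge
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory  # staging: no rate limits while testing
    domain: example.com                        # assumed zone
    account_email: admin@example.com           # assumed contact
    azure_resource_group: rg-dns               # assumed resource group of the zone
    work_dir: "{{ playbook_dir }}/certs"
  tasks:
    - name: Create working directory
      ansible.builtin.file:
        path: "{{ work_dir }}"
        state: directory
        mode: "0700"

    - name: Create ACME account key (kept across runs so the account is reused)
      community.crypto.openssl_privatekey:
        path: "{{ work_dir }}/account.key"
        type: ECC
        curve: secp256r1
        mode: "0600"

    - name: Create the certificate private key
      community.crypto.openssl_privatekey:
        path: "{{ work_dir }}/{{ domain }}.key"
        type: ECC
        curve: secp256r1
        mode: "0600"

    - name: Create a CSR with the wildcard and the apex as SANs
      community.crypto.openssl_csr:
        path: "{{ work_dir }}/{{ domain }}.csr"
        privatekey_path: "{{ work_dir }}/{{ domain }}.key"
        common_name: "*.{{ domain }}"
        subject_alt_name:
          - "DNS:*.{{ domain }}"
          - "DNS:{{ domain }}"

    # First call: only fetches challenge data. It reports "changed" solely when
    # no certificate exists yet or fewer than remaining_days are left, which is
    # what makes a daily scheduled run cheap and safe.
    - name: Request DNS-01 challenges
      community.crypto.acme_certificate:
        acme_directory: "{{ acme_directory }}"
        acme_version: 2
        terms_agreed: true
        account_key_src: "{{ work_dir }}/account.key"
        account_email: "{{ account_email }}"
        csr: "{{ work_dir }}/{{ domain }}.csr"
        dest: "{{ work_dir }}/{{ domain }}.crt"
        fullchain_dest: "{{ work_dir }}/{{ domain }}-fullchain.crt"
        challenge: dns-01
        remaining_days: 30
      register: challenge

    # Both identifiers (*.example.com and example.com) map to the same record
    # name _acme-challenge.example.com, so the two values are appended to one
    # TXT record set instead of overwriting each other.
    - name: Publish the _acme-challenge TXT values in Azure DNS
      azure.azcollection.azure_rm_dnsrecordset:
        resource_group: "{{ azure_resource_group }}"
        zone_name: "{{ domain }}"
        relative_name: _acme-challenge
        record_type: TXT
        record_mode: append
        records:
          - entry: "{{ item['dns-01'].resource_value }}"
      loop: "{{ challenge.challenge_data.values() | list }}"
      when: challenge is changed

    - name: Give the authoritative name servers time to serve the records
      ansible.builtin.pause:
        seconds: 60
      when: challenge is changed

    # Second call with data= tells the CA to validate and then writes the files.
    - name: Let the CA validate the challenges and write the certificate
      community.crypto.acme_certificate:
        acme_directory: "{{ acme_directory }}"
        acme_version: 2
        terms_agreed: true
        account_key_src: "{{ work_dir }}/account.key"
        account_email: "{{ account_email }}"
        csr: "{{ work_dir }}/{{ domain }}.csr"
        dest: "{{ work_dir }}/{{ domain }}.crt"
        fullchain_dest: "{{ work_dir }}/{{ domain }}-fullchain.crt"
        challenge: dns-01
        remaining_days: 30
        data: "{{ challenge }}"
      when: challenge is changed

    - name: Remove the challenge TXT record set again
      azure.azcollection.azure_rm_dnsrecordset:
        resource_group: "{{ azure_resource_group }}"
        zone_name: "{{ domain }}"
        relative_name: _acme-challenge
        record_type: TXT
        state: absent
      when: challenge is changed

    # Expiry monitoring in the same play: fail loudly instead of silently
    # running with a certificate that is about to expire.
    - name: Inspect the issued certificate
      community.crypto.x509_certificate_info:
        path: "{{ work_dir }}/{{ domain }}.crt"
        valid_at:
          in_30_days: "+30d"
      register: cert

    - name: Fail if the certificate lacks the wildcard SAN or expires within 30 days
      ansible.builtin.assert:
        that:
          - cert.valid_at.in_30_days
          - "'DNS:*.' ~ domain in cert.subject_alt_name"
```

The fixed 60-second pause is the weak spot of this play: a production version should poll the zone's authoritative name servers for the TXT values before the second acme_certificate call rather than sleeping. Distribution of the resulting files to the target hosts is, as described above, deliberately left to a follow-up play.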
More examples can be found in the collection.
If you want to be part of this, find bugs or want to support us, feel free to create issues or pull requests directly on GitHub.
This article was written by Andres Hering, T-Systems Multimedia Solutions specialist for system engineering.