I am trying to generate an OpenSSL self-signed certificate with Ansible.
The certificate is currently generated with the following command:
openssl req -x509 -newkey rsa:4096 -days 365 -nodes -sha256 -keyout certs/tls.key -out certs/tls.crt -subj "/CN=docker-registry" -addext "subjectAltName = DNS:docker-registry"
To automate this, I tried to write an Ansible playbook:
- name: Create certificate signing request (CSR) for self-signed certificate
  community.crypto.openssl_csr_pipe:
    privatekey_path: /registry/certs/tls.key
    common_name: docker-registry
    subject_alt_name:
      - "DNS:docker-registry"
  register: csr
- name: Create self-signed certificate from CSR
  community.crypto.x509_certificate:
    path: /registry/certs/tls.crt
    csr_content: "{{ csr.csr }}"
    privatekey_path: /registry/certs/tls.key   # must point at the private key, not at the .crt output
    provider: selfsigned
But I am not sure whether this is the right approach. I also don't know how to set these parameters:
-newkey rsa:4096 -days 365 -nodes -sha256
Is common_name the correct way to set -subj?
What is the difference between path and privatekey_path?
The "path" and "privatekey_path" values correspond to the on-disk paths of the output and of the private key input, respectively. In other words, "path" is the output and "privatekey_path" is an input for Ansible.
As far as I know, there is no equivalent of "-nodes". That flag just tells openssl not to encrypt the private key. I see no indication that Ansible would do that by default.
Finally, by setting the common name, the SAN values and other subject information in the request, the certificate's subject appears to be set correctly. I verified similar results with my own experiments.
Taking cues from the documentation here, here and here, it looks like this might meet your needs:
- name: Create the private key
  community.crypto.openssl_privatekey:
    path: /registry/certs/tls.key
    size: 4096
- name: Create certificate signing request (CSR) for self-signed certificate
  community.crypto.openssl_csr_pipe:
    privatekey_path: /registry/certs/tls.key
    common_name: docker-registry
    subject_alt_name:
      - "DNS:docker-registry"
  register: csr
- name: Create self-signed certificate from CSR
  community.crypto.x509_certificate:
    path: /registry/certs/tls.crt
    csr_content: "{{ csr.csr }}"
    privatekey_path: /registry/certs/tls.key   # the private key created above, not the .crt output
    provider: selfsigned
    selfsigned_not_after: +365d      # valid for one year
    selfsigned_not_before: "-1d"     # valid since yesterday
    selfsigned_digest: "sha256"      # this is the default and can be omitted
Note that the values you set in openssl req ... above are set in different parts of the Ansible play.
Note that this link walks you through creating a private CA from scratch.
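As an added example that is not part of the question or the answer above, here is a complete play that maps each flag of the original openssl req command onto a community.crypto parameter and then reads the resulting certificate back to check that the CN and SAN really came out as requested. It assumes the community.crypto collection is installed, that the play runs on localhost, and it reuses the /registry/certs paths from the question; the cert_dir and cert_cn variables are names chosen for this example.

```yaml
---
# Added example, not code from the question or answer. Assumes community.crypto
# is installed and that /registry/certs is writable on the target (localhost).
- name: Generate and verify a self-signed TLS certificate
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    cert_dir: /registry/certs
    cert_cn: docker-registry
  tasks:
    - name: Ensure the certificate directory exists
      ansible.builtin.file:
        path: "{{ cert_dir }}"
        state: directory
        mode: "0700"

    # openssl "-newkey rsa:4096 -nodes": a 4096-bit RSA key written without a
    # passphrase. Omitting passphrase/cipher here is the "-nodes" equivalent.
    - name: Create the private key
      community.crypto.openssl_privatekey:
        path: "{{ cert_dir }}/tls.key"
        type: RSA
        size: 4096
        mode: "0600"

    # openssl "-subj /CN=... -addext subjectAltName=... -sha256"
    - name: Create a CSR in memory
      community.crypto.openssl_csr_pipe:
        privatekey_path: "{{ cert_dir }}/tls.key"
        common_name: "{{ cert_cn }}"
        subject_alt_name:
          - "DNS:{{ cert_cn }}"
        digest: sha256
      register: csr

    # openssl "-x509 -days 365": self-signed, valid for one year
    - name: Create the self-signed certificate from the CSR
      community.crypto.x509_certificate:
        path: "{{ cert_dir }}/tls.crt"
        csr_content: "{{ csr.csr }}"
        privatekey_path: "{{ cert_dir }}/tls.key"   # the key, never the .crt
        provider: selfsigned
        selfsigned_not_before: "-1d"
        selfsigned_not_after: "+365d"
        selfsigned_digest: sha256
        mode: "0644"

    # Read the certificate back and fail the play if it is not what we asked for
    - name: Inspect the generated certificate
      community.crypto.x509_certificate_info:
        path: "{{ cert_dir }}/tls.crt"
      register: cert_info

    - name: Assert the certificate carries the expected CN, SAN and key type
      ansible.builtin.assert:
        that:
          - cert_info.subject.commonName == cert_cn
          - "('DNS:' ~ cert_cn) in cert_info.subject_alt_name"
          - cert_info.public_key_type == 'RSA'
        fail_msg: "Certificate subject/SAN do not match {{ cert_cn }}"
```

Run it with ansible-playbook against the file. The final assert is the part worth keeping in any real deployment: a registry or TLS client will reject a certificate whose SAN does not match the host name, so verifying the SAN at generation time catches a typo in subject_alt_name long before the first failed TLS handshake. All four modules are idempotent, so re-running the play leaves an existing key and certificate untouched unless their parameters changed.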