I want to create a self-signed certificate to use with stunnel so that my Redis traffic between the Redis server and its clients is transported securely. I am generating the certificate with this command, and it works fine:

```shell
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/stunnel/redis-server.key -out /etc/stunnel/redis-server.crt
```
Since I use Ansible for configuration management, I would like to know how to turn this into a more Ansible-like approach using a module. There is in fact an Ansible module called openssl_certificate which states "This module allows one to (re)generate OpenSSL certificates.". I tried generating the certificate with that module, but I could not get it to work.

```yaml
- name: Generate a Self Signed OpenSSL certificate
  openssl_certificate:
    path: /etc/stunnel/redis-server.crt
    privatekey_path: /etc/stunnel/redis-server.key
    csr_path: /etc/stunnel/redis-server.csr
    provider: selfsigned
```
Judging by the documentation, I cannot specify the following parameters: `-x509 -nodes -days 3650 -newkey rsa:2048`. Of course, I could also split the key and certificate generation, but that still would not let me use the Ansible module, would it?
The example given:

```shell
openssl genrsa -out /etc/stunnel/key.pem 4096
openssl req -new -x509 -key /etc/stunnel/key.pem -out /etc/stunnel/cert.pem -days 1826
```
What I would like to understand is the following:

```yaml
- openssl_privatekey:
    path: /etc/stunnel/redis-server.key
    size: 2048
- openssl_csr:
    path: /etc/stunnel/redis-server.csr
    privatekey_path: /etc/stunnel/redis-server.key
- openssl_certificate:
    provider: selfsigned
    path: /etc/stunnel/redis-server.crt
    privatekey_path: /etc/stunnel/redis-server.key
    csr_path: /etc/stunnel/redis-server.csr
```
You can achieve this in two steps (tested with Ansible 5.7.1):

```yaml
- name: Ensure private key is present
  community.crypto.openssl_privatekey:
    path: /etc/stunnel/redis-server.key
    size: 2048
    mode: "0600"
    type: RSA

- name: Ensure self-signed cert is present
  community.crypto.x509_certificate:
    path: /etc/stunnel/redis-server.crt
    privatekey_path: /etc/stunnel/redis-server.key
    provider: selfsigned
    selfsigned_not_after: "+3650d"  # this is the default
    mode: "0644"
```
If you do not set a passphrase in the private key generation task, it defaults to no passphrase.

As @nondefinistic mentioned before, you can set the expiry date via `selfsigned_not_after`. The `mode` parameter sets the file permissions of the key and certificate files. Setting permissions explicitly wherever possible is a common best practice, and it is also checked by ansible-lint by default.
For others, and for future me, here is an extended example with a CSR for setting the subject and organization name of the self-signed certificate.

```yaml
- name: Generate a self-signed private key
  community.crypto.openssl_privatekey:
    path: "{{ nginx_ssl_certificate_key }}"
    size: 4096
    mode: "0600"
    type: RSA
    state: present

- name: Create certificate signing request (CSR) for self-signed certificate
  community.crypto.openssl_csr_pipe:
    privatekey_path: "{{ nginx_ssl_certificate_key }}"
    common_name: "{{ cert_common_name }}"
    organization_name: "{{ cert_organization_name }}"
  register: csr

- name: Generate a self-signed SSL/TLS certificate (valid for 10 years)
  community.crypto.x509_certificate:
    path: "{{ nginx_ssl_certificate }}"
    privatekey_path: "{{ nginx_ssl_certificate_key }}"
    csr_content: "{{ csr.csr }}"
    provider: selfsigned
    selfsigned_not_after: "+3650d"
    mode: "0644"
```
Hope this helps someone else.
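Bringing the two answers above back to the stunnel use case from the question, here is an added example (not code from the question or from either answer): a complete play that generates the key, builds an in-memory CSR with a subject and Subject Alternative Names, writes the self-signed certificate, and then reads both files back and fails the play if the certificate is expired or does not belong to the key, before dropping a stunnel service definition that uses the pair. The hostname `redis.example.internal`, the IP `10.0.0.5`, the `redis_servers` inventory group, the stunnel ports and the `/etc/stunnel/redis.conf` path are assumptions for illustration; the play needs the `community.crypto` collection and its `cryptography` backend on the managed node.

```yaml
# Added example, not from the original question or answers. Hostnames, IPs,
# ports and the stunnel service name are assumed values for illustration.
- name: Self-signed certificate for stunnel in front of Redis
  hosts: redis_servers
  become: true
  vars:
    stunnel_dir: /etc/stunnel
    cert_common_name: redis.example.internal   # assumed hostname
    cert_sans:                                  # assumed SANs
      - "DNS:redis.example.internal"
      - "IP:10.0.0.5"
  tasks:
    - name: Ensure private key is present (no passphrase, the equivalent of -nodes)
      community.crypto.openssl_privatekey:
        path: "{{ stunnel_dir }}/redis-server.key"
        type: RSA
        size: 2048
        owner: root
        group: root
        mode: "0600"

    # Without a CSR the selfsigned provider has nothing to put in the subject or
    # SAN, so build one in memory rather than leaving a .csr file on disk.
    - name: Build a CSR so the certificate gets a subject and SANs
      community.crypto.openssl_csr_pipe:
        privatekey_path: "{{ stunnel_dir }}/redis-server.key"
        common_name: "{{ cert_common_name }}"
        subject_alt_name: "{{ cert_sans }}"
        key_usage:
          - digitalSignature
          - keyEncipherment
        key_usage_critical: true
        extended_key_usage:
          - serverAuth
      register: csr

    - name: Ensure self-signed certificate is present (10 years, like -days 3650)
      community.crypto.x509_certificate:
        path: "{{ stunnel_dir }}/redis-server.crt"
        privatekey_path: "{{ stunnel_dir }}/redis-server.key"
        csr_content: "{{ csr.csr }}"
        provider: selfsigned
        selfsigned_not_after: "+3650d"
        mode: "0644"

    - name: Read back the certificate that was written
      community.crypto.x509_certificate_info:
        path: "{{ stunnel_dir }}/redis-server.crt"
      register: cert_info

    - name: Read the public half of the private key for comparison
      community.crypto.openssl_privatekey_info:
        path: "{{ stunnel_dir }}/redis-server.key"
      register: key_info

    # Catch the classic failure modes before stunnel ever loads the files:
    # an expired cert, a cert/key mismatch after a re-run, or a missing SAN.
    - name: Fail the play if the certificate is not usable
      ansible.builtin.assert:
        that:
          - not cert_info.expired
          - cert_info.public_key == key_info.public_key
          - "('DNS:' ~ cert_common_name) in cert_info.subject_alt_name"
        fail_msg: "{{ stunnel_dir }}/redis-server.crt does not match the key or lacks the expected SAN"

    - name: Write the stunnel service definition that uses the pair
      ansible.builtin.copy:
        dest: "{{ stunnel_dir }}/redis.conf"   # assumed path
        mode: "0644"
        content: |
          [redis]
          accept  = 6380
          connect = 127.0.0.1:6379
          cert    = {{ stunnel_dir }}/redis-server.crt
          key     = {{ stunnel_dir }}/redis-server.key
```

Only the `.crt` leaves the server: distribute it to the clients and point their stunnel `CAfile` at it with `verifyPeer = yes`, so a client accepts exactly this self-signed certificate and nothing else. The private key stays at `0600` owned by the user stunnel runs as, which is the reason the `mode` arguments are set explicitly rather than left to the umask.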