Quick overview of automating HTTPS with Ansible - using self-signed certs, 'BYOC', or Let's Encrypt. Given at the Ansible St. Louis meetup on Feb 12, 2018.
4. What's required for HTTPS?
• OpenSSL (usually)
• Webserver support (Apache, Nginx, Node, Lighttpd, Caddy, etc.)
• A certificate and key!
5. What can Ansible automate?
• OpenSSL (usually)
• Webserver support (Apache, Nginx, Node, Lighttpd, Caddy, etc.)
• A certificate and key!
6. Server setup for HTTPS
• Check Ansible Galaxy for tuned/easy-to-use roles
• I'm a little biased, but at least check out geerlingguy.nginx, geerlingguy.apache...
• Use SSL Labs' server test to validate
7. BYOC
• "Bring your own cert"
• Downside: Manual or out-of-band updates
• E.g.
  # cert content held in a variable (e.g. from Ansible Vault)
  - copy:
      content: "{{ my_cert }}"
      dest: /path/to/cert.crt
  # cert file on the control node; a local path goes in `src`, not `content`
  - copy:
      src: /local/path/to/cert.crt
      dest: /path/to/cert.crt
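A fuller BYOC playbook, added here as an example and not taken from the slides: the public cert is copied from the repo, the private key comes from a vaulted variable and is written with tight permissions and `no_log`, and a final task checks that the installed key really belongs to the installed cert (a mismatch is the classic out-of-band-update failure). The hostnames, paths and the `vault_example_com_key` variable are assumptions.

```yaml
# Added example (not from the original deck). Assumes an inventory group
# "webservers", a cert file committed under files/, and an Ansible Vault
# variable vault_example_com_key holding the PEM private key.
- name: Install a certificate issued out-of-band (BYOC)
  hosts: webservers
  become: true
  vars:
    tls_cert_src: files/example.com.crt            # assumed local path
    tls_cert_dest: /etc/ssl/certs/example.com.crt
    tls_key_dest: /etc/ssl/private/example.com.key
  tasks:
    - name: Copy the public certificate from the control node
      copy:
        src: "{{ tls_cert_src }}"
        dest: "{{ tls_cert_dest }}"
        owner: root
        group: root
        mode: '0644'
      notify: reload nginx

    - name: Write the private key from a vaulted variable
      copy:
        content: "{{ vault_example_com_key }}"     # assumed vault variable
        dest: "{{ tls_key_dest }}"
        owner: root
        group: root
        mode: '0600'
      no_log: true                                 # keep key material out of logs
      notify: reload nginx

    # Compare the public key derived from the cert with the one derived from the
    # private key; works for RSA and EC keys alike. Fails the play on mismatch.
    - name: Verify the private key matches the installed certificate
      shell: >
        diff
        <(openssl x509 -in {{ tls_cert_dest }} -noout -pubkey | openssl pkey -pubin -outform der | sha256sum)
        <(openssl pkey -in {{ tls_key_dest }} -pubout -outform der | sha256sum)
      args:
        executable: /bin/bash
      changed_when: false

  handlers:
    - name: reload nginx
      service:
        name: nginx
        state: reloaded
```

Run it with `ansible-playbook --ask-vault-pass byoc.yml`. The verification step is what catches the "renewed cert, forgot the key" case before the web server is reloaded into a broken state.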
8. ACM (or equivalent)
• Generate certs via APIs
• Downside: tied to specific services
• AWS CloudFormation template to generate AWS::CertificateManager::Certificate
• Use Ansible's cloudformation module
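Putting those two bullets together, as an added example rather than code from the deck: a playbook that runs from the control node and uses the `cloudformation` module with an inline `template_body` declaring an `AWS::CertificateManager::Certificate`, then reads the certificate ARN back from the stack outputs. The stack name, region and domain are assumptions; `template_body` requires Ansible 2.5 or later (older versions take a file path via `template`).

```yaml
# Added example (not from the original deck). Assumes AWS credentials are
# available to boto (env vars or ~/.aws/credentials) and that the domain's DNS
# is under your control for validation.
- name: Request a certificate through AWS Certificate Manager
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    acm_region: us-east-1          # assumed (CloudFront only accepts certs from us-east-1)
    acm_domain: www.example.com    # assumed
  tasks:
    - name: Create or update the CloudFormation stack that owns the ACM certificate
      cloudformation:
        stack_name: example-acm-cert
        region: "{{ acm_region }}"
        state: present
        template_body: |
          AWSTemplateFormatVersion: '2010-09-09'
          Resources:
            SiteCertificate:
              Type: AWS::CertificateManager::Certificate
              Properties:
                DomainName: {{ acm_domain }}
                ValidationMethod: DNS
          Outputs:
            CertificateArn:
              Value: !Ref SiteCertificate
      register: acm_stack

    # Downstream resources (ALB listener, CloudFront distribution) take this ARN.
    - name: Show the certificate ARN
      debug:
        msg: "{{ acm_stack.stack_outputs.CertificateArn }}"
```

Caveat: with `ValidationMethod: DNS` the stack stays in CREATE_IN_PROGRESS until the validation CNAME exists in the zone, so the task blocks until you publish that record (or time out). This is the "tied to specific services" downside in practice: the cert and its ARN only mean something inside AWS.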
9. Let's Encrypt
• Free certs for all!
• Downside: requires public-facing server
• E.g.
geerlingguy.certbot
Ansible letsencrypt module
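A worked example of the first option, added here and not part of the slides: a playbook that applies the geerlingguy.certbot role with its documented variables to issue a cert and install the renewal cron job, then reads the expiry date back so a failed renewal shows up in the play output. The e-mail address and domain are assumptions. (The `letsencrypt` module named on the slide was later renamed `acme_certificate`.)

```yaml
# Added example (not from the original deck). Assumes the role is installed
# (ansible-galaxy install geerlingguy.certbot) and that port 80 on the target
# is reachable from the internet for the standalone HTTP-01 challenge.
- name: Obtain and auto-renew a Let's Encrypt certificate
  hosts: webservers
  become: true
  vars:
    certbot_admin_email: admin@example.com   # assumed
    certbot_create_if_missing: true
    certbot_create_method: standalone        # stops the web server briefly on first issuance
    certbot_auto_renew: true
    certbot_auto_renew_user: root
    certbot_auto_renew_hour: "3"
    certbot_auto_renew_minute: "30"
    certbot_certs:
      - domains:
          - www.example.com                  # assumed
  roles:
    - geerlingguy.certbot

  post_tasks:
    # Certbot writes live certs under /etc/letsencrypt/live/<first domain>/.
    - name: Report the certificate expiry date
      command: >
        openssl x509 -noout -enddate
        -in /etc/letsencrypt/live/www.example.com/fullchain.pem
      register: cert_enddate
      changed_when: false

    - name: Show expiry
      debug:
        msg: "{{ cert_enddate.stdout }}"
```

The web server config then points `ssl_certificate` / `SSLCertificateFile` at `fullchain.pem` and the key at `privkey.pem` in the same directory; the renewal cron job keeps those paths stable, which is the operational advantage over BYOC.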
10. Local / Self-Signed
• Free certs for all!
• Downside: browser support == headaches
• E.g.
See my blog post
Ansible openssl_* modules
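The `openssl_*` chain in one playbook, as an added example and not the blog post's code: `openssl_privatekey` to make a key, `openssl_csr` to describe the subject, and `openssl_certificate` with `provider: selfsigned` to sign it. The directory and hostname are assumptions. The CSR deliberately sets a Subject Alternative Name, because modern browsers ignore the CN and reject a cert without a SAN, which is most of the "browser support == headaches" the slide mentions.

```yaml
# Added example (not from the original deck). The openssl_* modules need the
# pyOpenSSL (older Ansible) or cryptography (newer) Python library on the target.
- name: Generate a self-signed certificate for a local/dev host
  hosts: all
  become: true
  vars:
    ssl_dir: /etc/ssl/local          # assumed
    ssl_cn: dev.example.test         # assumed hostname
  tasks:
    - name: Ensure the certificate directory exists
      file:
        path: "{{ ssl_dir }}"
        state: directory
        owner: root
        group: root
        mode: '0755'

    - name: Generate the private key (root-only readable)
      openssl_privatekey:
        path: "{{ ssl_dir }}/{{ ssl_cn }}.key"
        size: 2048
        mode: '0600'

    # The SAN entry is what browsers actually match against the hostname.
    - name: Generate a CSR with a Subject Alternative Name
      openssl_csr:
        path: "{{ ssl_dir }}/{{ ssl_cn }}.csr"
        privatekey_path: "{{ ssl_dir }}/{{ ssl_cn }}.key"
        common_name: "{{ ssl_cn }}"
        subject_alt_name:
          - "DNS:{{ ssl_cn }}"

    - name: Self-sign the certificate (one year validity)
      openssl_certificate:
        path: "{{ ssl_dir }}/{{ ssl_cn }}.crt"
        privatekey_path: "{{ ssl_dir }}/{{ ssl_cn }}.key"
        csr_path: "{{ ssl_dir }}/{{ ssl_cn }}.csr"
        provider: selfsigned
        selfsigned_not_after: "+365d"

    - name: Show the resulting subject and SAN
      command: openssl x509 -noout -subject -ext subjectAltName -in {{ ssl_dir }}/{{ ssl_cn }}.crt
      register: cert_info
      changed_when: false

    - debug:
        msg: "{{ cert_info.stdout_lines }}"
```

All three modules are idempotent: rerunning the play leaves an existing key and cert alone unless their parameters change, so the self-signed cert survives repeated provisioning runs. Browsers will still warn until the cert (or a local CA you sign it with) is added to the client trust store; that part Ansible can only automate for hosts it manages.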