# [1.12.0](https://github.com/de-it-krachten/ansible-role-openssl/compare/v1.11.1...v1.12.0) (2026-05-01)

### Features

* Added support for Ubuntu 26.04 LTS ([a11f5b3](a11f5b3e90))
* Drop support for openSUSE Leap 15 ([9abff53](9abff53518))
* Drop support for SUSE Linux Enterprise 15 ([4db1479](4db14794f3))


ansible-role-openssl

Manage openssl and set up keys & certificates

TODO

  • Create a server certificate signing request for an external CA
  • Set up an optional internal Certificate Authority
  • Set up client/server certificates signed by the internal CA

Dependencies

Roles

None

Collections

  • community.crypto
  • community.general

Platforms

Supported platforms

  • Red Hat Enterprise Linux 8 [1]
  • Red Hat Enterprise Linux 9 [1]
  • Red Hat Enterprise Linux 10 [1]
  • RockyLinux 8
  • RockyLinux 9
  • RockyLinux 10
  • OracleLinux 8
  • OracleLinux 9
  • OracleLinux 10
  • AlmaLinux 8
  • AlmaLinux 9
  • AlmaLinux 10
  • Debian 11 (Bullseye)
  • Debian 12 (Bookworm)
  • Debian 13 (Trixie)
  • Ubuntu 22.04 LTS
  • Ubuntu 24.04 LTS
  • Ubuntu 26.04 LTS
  • Fedora 42
  • Fedora 43
  • Alpine 3
  • Docker dind (CI only)

Note [1]: no automated testing is performed on these platforms

Role Variables

defaults/main.yml


# OS packages providing openssl. The same variable is also defined per
# platform in the other defaults/*.yml files below.
openssl_packages:
  - openssl

# Pip executable to use (defaults/OtherLinux.yml sets this to an empty string)
openssl_pip_executable: pip3

# Type of key/certificate to create. The example playbook also uses the
# values 'ca' and 'server'.
openssl_type: self-signed

# FQDN of the server to create it for
openssl_fqdn: "{{ inventory_hostname }}"

# Additional/alternate names to put on the certificate (see the example
# playbook for vhost names)
openssl_fqdn_additional: []

# Directory to put keys & certificates into
openssl_dir: /etc/ssl

# Key + certificate directories and their modes. Modes are quoted so YAML
# does not read them as octal integers. The private directory is '0710':
# traversable by its group, no access for others, so keys are never
# world-readable.
openssl_dirs:
  - path: "{{ openssl_dir }}"
    mode: '0755'
  - path: "{{ openssl_dir }}/private"
    mode: '0710'
  - path: "{{ openssl_dir }}/certs"
    mode: '0755'

# SSL private key
openssl_server_key: "{{ openssl_dir }}/private/{{ openssl_fqdn }}.key"

# SSL certificate
openssl_server_crt: "{{ openssl_dir }}/certs/{{ openssl_fqdn }}.crt"

# SSL sign request (kept next to the private key, not in the public certs dir)
openssl_server_csr: "{{ openssl_dir }}/private/{{ openssl_fqdn }}.csr"

# Custom CA
openssl_ca_domain: example.com
openssl_ca_name: example-com
openssl_ca_dir: /etc/ssl-ca
# CA directory layout; same modes as openssl_dirs above
openssl_ca_dirs:
  - path: "{{ openssl_ca_dir }}"
    mode: '0755'
  - path: "{{ openssl_ca_dir }}/private"
    mode: '0710'
  - path: "{{ openssl_ca_dir }}/certs"
    mode: '0755'
openssl_ca_key: "{{ openssl_ca_dir }}/private/ca-{{ openssl_ca_name }}.key"
openssl_ca_crt: "{{ openssl_ca_dir }}/certs/ca-{{ openssl_ca_name }}.crt"
# Passphrase for the CA private key. This default is a placeholder committed
# to the repository, so it must be overridden (e.g. from an Ansible
# Vault-encrypted variable) for any real CA; otherwise the CA key is
# protected by a publicly known passphrase.
openssl_ca_pass: my-very-secret

defaults/Alpine.yml


# List of required OS packages
openssl_packages:
  - openssl

# List of cryptography packages
openssl_cryptography_packages:
  - py3-cryptography

defaults/family-Debian.yml


# Certificate + key locations
openssl_dirs:
  - path: "{{ openssl_dir }}"
    mode: '0755'
  - path: "{{ openssl_dir }}/private"
    group: ssl-cert
    mode: '0710'
  - path: "{{ openssl_dir }}/certs"
    mode: '0755'

# List of required OS packages
openssl_packages:
  - openssl
  - ssl-cert
  - python3-pip

# List of cryptography packages
openssl_cryptography_packages:
  - python3-cryptography

defaults/family-RedHat-7.yml


# Certificate + key locations
openssl_dir: /etc/pki/tls

# List of required OS packages
openssl_packages:
  - openssl
  - python-pip

# List of cryptography packages
openssl_cryptography_packages:
  - python-cryptography

defaults/family-RedHat.yml


# Certificate + key locations
openssl_dir: /etc/pki/tls

# List of required OS packages
openssl_packages:
  - openssl
  - python3-pip

# List of cryptography packages
openssl_cryptography_packages:
  - python3-cryptography

defaults/Fedora.yml


# Certificate + key locations
openssl_dir: /etc/pki/tls

# List of required OS packages
openssl_packages:
  - openssl
  - python3-pip

# List of cryptography packages
openssl_cryptography_packages:
  - python3-cryptography

defaults/OtherLinux.yml


# Presumably the fallback for Linux distributions without a dedicated
# defaults file (confirm against the lookup in tasks/). No OS packages are
# installed and no pip executable is set.
openssl_packages: []
openssl_pip_executable: ""

Example Playbook

molecule/default/converge.yml


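# First play: set up the internal CA on the 'ca' host group.
- name: sample playbook for role 'openssl'
  hosts: ca
  # A real boolean; the quoted string 'yes' only worked because Ansible
  # coerces truthy strings.
  become: true
  vars:
    # Presumably consumed by the deitkrachten.python dependency role
    # (interpreter selection); not referenced by this role's defaults.
    python38: false
    python39: false
  roles:
    - deitkrachten.python
  tasks:
    - name: Include role 'openssl'
      ansible.builtin.include_role:
        name: openssl
      vars:
        # Nothing here overrides openssl_ca_pass, so the CA key presumably
        # falls back to the placeholder passphrase committed in
        # defaults/main.yml. Acceptable for a throwaway Molecule instance
        # only.
        openssl_type: ca
# Second play: create server keys/certificates on the 'servers' host group.
- name: sample playbook for role 'openssl'
  hosts: servers
  become: true
  vars:
    python38: false
    python39: false
    # Primary name plus additional names for the server certificate
    openssl_fqdn: server.example.com
    openssl_fqdn_additional:
      - vhost1.example.com
      - vhost2.example.com
  roles:
    - deitkrachten.python
  tasks:
    - name: Include role 'openssl'
      ansible.builtin.include_role:
        name: openssl
      vars:
        openssl_type: server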