{"id":23637029,"url":"https://github.com/ansibleguy/infra_certs","last_synced_at":"2025-08-31T12:30:29.688Z","repository":{"id":53920635,"uuid":"423999316","full_name":"ansibleguy/infra_certs","owner":"ansibleguy","description":"Ansible Role to generate certificates","archived":false,"fork":false,"pushed_at":"2024-08-05T19:54:42.000Z","size":120,"stargazers_count":3,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"latest","last_synced_at":"2024-08-05T23:08:21.317Z","etag":null,"topics":["ansible","ansible-role","automation","certbot","certificate","certificate-authority","certificates","iac","infrastructure-as-code","letsencrypt","pki","ssl","tls"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ansibleguy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"ko_fi":"ansible0guy","github":"ansibleguy"}},"created_at":"2021-11-02T21:07:44.000Z","updated_at":"2024-08-05T19:54:45.000Z","dependencies_parsed_at":"2024-07-20T17:49:16.258Z","dependency_job_id":"89988fa4-bfa1-499e-9913-529fb1d2dcbc","html_url":"https://github.com/ansibleguy/infra_certs","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ansibleguy%2Finfra_certs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ansibleguy%2Finfra_certs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ansibleguy%2Finfra_certs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ansibleguy%2Finfra_certs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ansibleguy","download_url":"https://codeload.github.com/ansibleguy/infra_certs/tar.gz/refs/heads/latest","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":231590686,"owners_count":18396934,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","ansible-role","automation","certbot","certificate","certificate-authority","certificates","iac","infrastructure-as-code","letsencrypt","pki","ssl","tls"],"created_at":"2024-12-28T06:17:29.661Z","updated_at":"2025-08-31T12:30:29.674Z","avatar_url":"https://github.com/ansibleguy.png","language":"Python","funding_links":["https://ko-fi.com/ansible0guy","https://github.com/sponsors/ansibleguy"],"categories":[],"sub_categories":[],"readme":"# Ansible Role - Certificate Generator\n\nAnsible Role to create certificates to use on a linux server.\n\n[![Lint](https://github.com/ansibleguy/infra_certs/actions/workflows/lint.yml/badge.svg)](https://github.com/ansibleguy/infra_certs/actions/workflows/lint.yml)\n[![Ansible Galaxy](https://badges.ansibleguy.net/galaxy.badge.svg)](https://galaxy.ansible.com/ui/standalone/roles/ansibleguy/infra_certs)\n\n**Molecule Integration-Tests**:\n\n* Status: [![Molecule Test Status](https://badges.ansibleguy.net/infra_certs.molecule.svg)](https://github.com/ansibleguy/_meta_cicd/blob/latest/templates/usr/local/bin/cicd/molecule.sh.j2) |\n[![Functional-Tests](https://github.com/ansibleguy/infra_certs/actions/workflows/integration_test_result.yml/badge.svg)](https://github.com/ansibleguy/infra_certs/actions/workflows/integration_test_result.yml)\n* Logs: [API](https://ci.ansibleguy.net/api/job/ansible-test-molecule-infra_certs/logs?token=2b7bba30-9a37-4b57-be8a-99e23016ce70\u0026lines=1000) | [Short](https://badges.ansibleguy.net/log/molecule_infra_certs_test_short.log) | [Full](https://badges.ansibleguy.net/log/molecule_infra_certs_test.log)\n\nInternal CI: [Tester Role](https://github.com/ansibleguy/_meta_cicd) | [Jobs API](https://github.com/O-X-L/github-self-hosted-jobs-systemd)\n\n\n**Tested:**\n* Debian 11\n* Debian 12\n\n----\n\n## Install\n\n```bash\n# latest\nansible-galaxy role install git+https://github.com/ansibleguy/infra_certs\n\n# from galaxy\nansible-galaxy install ansibleguy.infra_certs\n\n# or to custom role-path\nansible-galaxy install ansibleguy.infra_certs --roles-path ./roles\n\n# install dependencies\nansible-galaxy install -r requirements.yml\n```\n\n----\n\n## Usage\n\n### Notes\nThe **self-signed and minimal-ca** modes will only create a single certificate per run.\n\nRe-runs can save some overhead by using the 'certs' tag.\n\n\nThe **LetsEncrypt** mode will create/remove multiple certificates as defined.\n\n\n### Config\n\nExample for LetsEncrypt config:\n\n```yaml\ncerts:\n  mode: 'le_certbot'\n  path: '/etc/apache2/ssl'\n  letsencrypt:\n    certs:\n      myNiceSite:\n        domains: ['myRandomSite.net', 'ansibleguy.net']\n        email: 'certs@template.ansibleguy.net'\n    service: 'apache'\n```\n\nExample for Self-Signed config:\n\n```yaml\ncerts:\n  mode: 'selfsigned'  # or 'snakeoil' (if faster)\n  # choose 'ca' instead if you use dns-names\n  #   some browsers won't let you connect when using self-signed ones\n  path: '/etc/nginx/ssl'\n  group_key: 'nginx'\n  owner_cert: 'nginx'\n  cert:\n    cn: 'My great certificate!'\n    org: 'AnsibleGuy'\n    country: 'AT'\n    email: 'certs@template.ansibleguy.net'\n    domains: ['mySoGreat.site', 'ansibleguy.net']\n    ips: ['192.168.44.2']\n    pwd: !vault ...\n```\n\nExample for minimal-CA config:\n\n```yaml\ncerts:\n  mode: 'ca'\n  path: '/etc/ca/certs'\n  mode_key: '0400'\n  cert:\n    name: 'custom_file_name'  # extension will be appended\n    cn: 'My great certificate!'\n    org: 'AnsibleGuy'\n    country: 'AT'\n    email: 'certs@template.ansibleguy.net'\n    domains: ['mySoGreat.site', 'ansibleguy.net']\n  ca:\n    path: '/etc/ca'\n    cn: 'SUPER CertificateAuthority'\n    org: 'AnsibleGuy'\n    country: 'AT'\n    email: 'certs@template.ansibleguy.net'\n    pwd: !vault ...\n```\n\nUsing the minimal-CA you can create multiple certificates signed by the CA by re-running the role with changed 'cert' settings.\n\n\nYou might want to use 'ansible-vault' to encrypt your passwords:\n```bash\nansible-vault encrypt_string\n```\n\n### Execution\n\nRun the playbook:\n```bash\nansible-playbook -K -D -i inventory/hosts.yml playbook.yml --ask-vault-pass\n```\n\nThere are also some useful **tags** available:\n* certs =\u003e ignore ca tasks; only generate certs\n* selfsigned\n* config\n* certs\n\nTo debug errors - you can set the 'debug' variable at runtime:\n```bash\nansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yes\n```\n\n----\n\n## Functionality\n\n* **Package installation**\n  * Ansible dependencies (_minimal_)\n  * Crypto Dependencies\n\n\n* **Configuration**\n  * **Four Possible Modes**:\n    * Generate **Self-Signed** certificate\n    * Use a **minimal Certificate Authority** to create signed certificates\n    * Configure **LetsEncrypt-Certbot** to generate publicly valid certificates\n      * Supported for Nginx and Apache\n      * Host needs to have a valid public dns record pointed at it\n      * Needs to be publicly reachable over port 80/tcp\n\n\n  * **Default config**:\n    * Mode =\u003e Self-Signed\n\n----\n\n## Info\n\n* **Note:** this role currently only supports debian-based systems\n\n\n* **Note:** Most of the role's functionality can be opted in or out.\n\n  For all available options - see the default-config located in [the main defaults-file](https://github.com/ansibleguy/infra_certs/blob/latest/defaults/main/1_main.yml)!\n\n\n* **Note:** If you have the need to **mass manage certificates** - you might want to check out the [ansibleguy.infra_pki](https://github.com/ansibleguy/infra_pki) role that enables you to create and manage a full **P**ublic **K**ey **I**nfrastructure.\n\n\n* **Note:** The certificate file-name (_name variable as defined or else CommonName_) will be updated:\n  * spaces are transformed into underlines\n  * all Characters except \"0-9a-zA-Z.\" are removed\n  * the file-extension (_crt/chain.crt/key/csr_) will be appended\n\n\n* **Warning:** Not every setting/variable you provide will be checked for validity. Bad config might break the role!\n\n\n* **Info:** For LetsEncrypt renewal to work, you must allow outgoing connections to:\n\n  80/tcp, 443/tcp+udp to acme-v02.api.letsencrypt.org, staging-v02.api.letsencrypt.org (_debug mode_) and r3.o.lencr.org\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fansibleguy%2Finfra_certs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fansibleguy%2Finfra_certs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fansibleguy%2Finfra_certs/lists"}