Certificate automation for Ansible playbooks

“Ansible is a simple automation language that can perfectly describe an IT application infrastructure. It’s easy to learn, self-documenting, and doesn’t require a grad-level computer science degree to read. Automation shouldn’t be more complex than the tasks it’s replacing.”

Every secure and trusted application or infrastructure needs proper certificate management and automation. Ansible can be used as your automation tool for complete certificate lifecycle management (similar to Automation of Terraform certificates).

The Ansible playbook

Ansible modules execute tasks. One or more Ansible tasks can be combined to make a play. Two or more plays can be combined to create an Ansible playbook. Ansible playbooks are lists of tasks that automatically execute against hosts or groups of hosts.

Each module within an Ansible playbook performs a specific task. Certificate management and automation tasks it can perform include, for example:

  • cryptographic key management to generate key pair
  • certificate signing requests and enrollment
  • distribution of end entity and CA certificates
  • renewal and revocation of certificates

We will explore the Ansible ACME modules, which handle communication with an ACME-compliant server and manage the certificate lifecycle.

Ansible ACME modules

The community-driven Ansible ACME modules let you manage certificates through the ACME protocol.

The current implementation supports the http-01, dns-01 and tls-alpn-01 challenges to prove the ownership of the domain, private key, and other identifiers. It contains the following modules:

Once integrated into the playbooks, they can fully automate private key management, certificate provisioning, and distribution of certificates to end entities, which is a very common scenario.

The Ansible playbook can also periodically check for certificate expiration and revocation and, if needed, automatically renew the certificate and apply the changes to the application or infrastructure.

Challenge distribution

One of the key steps for successful validation of challenges by the ACME server is their proper distribution. How this is done depends on the challenge validation method you use.

If you choose http-01, Ansible has to publish the challenge on your web server. If you choose dns-01, Ansible has to be able to publish a TXT record in DNS for the domain.

Challenge distribution and cleanup are not handled by the Ansible ACME modules automatically; however, other community modules can be used to achieve it, for example community.general.nsupdate for managing DNS records.
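The dns-01 flow described above as one playbook, added here as an example and not taken from the post or from the CZERTAINLY project: the first `community.crypto.acme_certificate` call obtains the challenge, `community.general.nsupdate` publishes and later removes the `_acme-challenge` TXT records, and a second call completes validation and issuance. The ACME directory URL, account key, CSR path, DNS server and TSIG key are assumed placeholder values.

```yaml
- name: Issue a certificate via ACME dns-01, publishing the challenge with nsupdate
  hosts: localhost
  gather_facts: false
  vars:
    # Assumed values: replace with your CZERTAINLY ACME directory URL, keys and paths
    acme_common: &acme_common
      acme_directory: "https://czertainly.example/acme/directory"   # placeholder
      acme_version: 2
      account_key_src: /etc/pki/acme/account.key   # existing ACME account key
      account_email: pki@example.com
      terms_agreed: true
      src: /etc/pki/tls/app.csr                    # CSR generated beforehand
      fullchain_dest: /etc/pki/tls/app-fullchain.pem
      challenge: dns-01
      remaining_days: 30                           # re-issue only when close to expiry
    nsupdate_common: &nsupdate_common
      server: ns1.example.com                      # authoritative server accepting TSIG dynamic updates
      key_name: acme-update
      key_secret: "{{ lookup('ansible.builtin.env', 'TSIG_SECRET') }}"  # keep the secret out of the playbook
      key_algorithm: hmac-sha256
      type: TXT
  tasks:
    - name: Ask the ACME server for dns-01 challenge data (first pass)
      community.crypto.acme_certificate:
        <<: *acme_common
      register: acme
    # challenge_data_dns maps "_acme-challenge.<fqdn>" to the TXT values the server expects;
    # it is only populated when the module decided a (re)issuance is needed
    - name: Publish the _acme-challenge TXT records
      community.general.nsupdate:
        <<: *nsupdate_common
        record: "{{ item.key }}."   # absolute name (trailing dot), so the zone is derived from the SOA
        ttl: 60
        value: "{{ item.value }}"
        state: present
      loop: "{{ acme.challenge_data_dns | default({}) | dict2items }}"
      when: acme is changed
    - name: Let the ACME server validate the records and issue the certificate (second pass)
      community.crypto.acme_certificate:
        <<: *acme_common
        data: "{{ acme }}"
      when: acme is changed
    - name: Remove the challenge records so stale tokens do not linger in DNS
      community.general.nsupdate:
        <<: *nsupdate_common
        record: "{{ item.key }}."
        state: absent
      loop: "{{ acme.challenge_data_dns | default({}) | dict2items }}"
      when: acme is changed
```

If your zone propagates slowly, add a wait or a TXT lookup between publishing the records and the second pass, otherwise validation may fail before the records are visible.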


The CZERTAINLY platform implements ACME according to RFC 8555, so it can be used as the ACME server for the Ansible ACME modules to manage certificates.

The advantage of using CZERTAINLY is the agility and abstraction of the certificate management service. This means that once Ansible integrates with CZERTAINLY, it can manage and automate any certificate type for any use case.

A change in the certificate management service has no impact on Ansible or the applications and infrastructure it manages.

See the Ansible ACME module integration guide to learn how it can be applied in your infrastructure as code!

Get more information about CZERTAINLY

CZERTAINLY is an open-source platform for effective and efficient certificate lifecycle management for companies of any size and for individuals. One of its goals is to provide an easy and affordable way to secure digital communication and support information security in an increasingly connected world.

Need help?

Do not hesitate to get in touch with us!