IML Open Source / certman
Commit d6713d91 authored Apr 22, 2022 by Hahn Axel (hahn)
update docs
parent 73a3a6b5
Changes: 6
docs/30_Usage.md
@@ -129,6 +129,14 @@ In a scenario of automatic deployment with Ansible or Puppet you don't want to f
creates (or renews if close to expiriation) a certificate with 2 hostnames in it.
This ensure action handles the logic if a certificate must be
*
created (if it does not exist) or
*
renewed (it already exists) or
*
re-created (the list of dns names in the certificate was changed)
It detects if a domain in the certificate can use a txt record or needs dns auth mode.
## Show certificate data
Use the listing
`[APPPATH]/cm.sh list`
or maybe filter it
`[APPPATH]/cm.sh list | grep "mail."`
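Review bot: The last sentence of this hunk ("It detects if a domain in the certificate can use a txt record or needs dns auth mode.") does not say which two validation modes are being contrasted; since a TXT record is itself what a DNS challenge publishes, name the modes explicitly so a reader knows what `ensure` decides per domain. Also "expiriation" should read "expiration", and "This ensure action handles the logic if a certificate must be" reads better as "decides whether a certificate must be".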
docs/50_Automation_with_Ansible.md 0 → 100644
# Automation with Ansible
This is an example how our own installation works.
Ansible can be started manually on a worksation of a sysadmin or on AWX. So we need a
"central server" that manages and holds all certifiactes.
In cm.sh is a queuing to handle only one certificate. Multiple simoultanous
calls of cm.sh - from multiple machines or becaus of parallel tasks in your
playbook are no problem.

The following snippets give you an idea how it is done. Even if it is not
a comlete source with all values of the variables.
## 1. Execute cm.sh
The Ansible instances start the
`cm.sh`
as SSH command. This triggers the the creation or
renew of a certificate - whatever is needed.
```
yaml
-
name
:
'
on
{{
ssl_master_certhost
}}
-
start
{{
ssl_certman_dir
}}/cm.sh
ensure
...'
shell
:
|
ssh {{ ssl_master_user }}@{{ ssl_master_certhost }} {{ ssl_certman_dir }}/cm.sh ensure {{ ssl_fqdn }} {{ ssl_aliases | join(' ')}}
become_user
:
"
{{
lookup('env','USER')
}}"
delegate_to
:
localhost
# maybe you need to set
# become: true|false
```
## 2. Rsync certs locally
With rsync it syncs the certificate folder locally to the Ansible machine.
```
yaml
-
name
:
"
sync
certs
locally"
shell
:
|
rsync -rav {{ ssl_master_user }}@{{ ssl_master_certhost }}:{{ ssl_master_install_dir }}/certs/ {{ ssl_certs_local_dir }}
become_user
:
"
{{
lookup('env','USER')
}}"
delegate_to
:
localhost
# maybe you need to set
# become: true|false
```
## 3. Deploy files
Now we can use normal Ansible copy mechanisms to brin these files to the target system.
```
yaml
-
name
:
Install key + certificate for {{ ssl_fqdn }} + intermediate CA
copy
:
src
:
'
{{
item[0]
}}'
dest
:
'
{{
item[1]
}}'
mode
:
'
{{
item[2]
}}'
backup
:
true
notify
:
"
{{
ssl_change_notify
|
default([])
}}"
loop
:
-
[
'
{{
ssl_certs_local_dir
}}/{{
ssl_fqdn
}}/{{
ssl_fqdn
}}.cert.cer'
,
'
{{
CONST.ssl.certdir
}}/{{
ssl_fqdn
}}.cert.cer'
,
'
0444'
]
-
[
'
{{
ssl_certs_local_dir
}}/{{
ssl_fqdn
}}/{{
ssl_fqdn
}}.fullchain.cer'
,
'
{{
CONST.ssl.certdir
}}/{{
ssl_fqdn
}}.fullchain.cer'
,
'
0444'
]
-
[
'
{{
ssl_certs_local_dir
}}/{{
ssl_fqdn
}}/{{
ssl_fqdn
}}.key.pem'
,
'
{{
CONST.ssl.certdir
}}/{{
ssl_fqdn
}}.key.pem'
,
'
0400'
]
-
[
'
{{
ssl_certs_local_dir
}}/{{
ssl_fqdn
}}/{{
ssl_fqdn
}}.haproxy.pem'
,
'
{{
CONST.ssl.certdir
}}/{{
ssl_fqdn
}}.haproxy.pem'
,
'
0444'
]
-
[
'
{{
ssl_certs_local_dir
}}/{{
ssl_fqdn
}}/{{
ssl_fqdn
}}.ca.cer'
,
'
{{
CONST.ssl.certdir
}}/{{
ssl_fqdn
}}.ca.cer'
,
'
0444'
]
# ^
# |
# filestructure after ACME.SH dump
```
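Review bot: In step 1 the `shell:` line interpolates `{{ ssl_fqdn }}` and `{{ ssl_aliases | join(' ') }}` into the `ssh` command line unquoted, so any inventory value containing shell metacharacters is executed as part of the command on `ssl_master_certhost`; pass them through the `quote` filter (e.g. `{{ ssl_fqdn | quote }}` and `{{ ssl_aliases | map('quote') | join(' ') }}`) or validate the values before the task runs. In step 3 the `{{ ssl_fqdn }}.key.pem` entry uses `backup: true` together with the other files, which leaves timestamped copies of the private key in `CONST.ssl.certdir` after every renewal; set `backup: false` for the key entry or clean the backups up. Step 2 syncs the key into `ssl_certs_local_dir` on the Ansible machine but the docs do not say what permissions that directory needs; a sentence on that would help. Typos: "worksation", "certifiactes", "simoultanous", "becaus", "comlete", "brin", "the the creation".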
docs/_index.md
@@ -87,3 +87,9 @@ to verify when what was done what for a given domain.
Automation is wonderful. You create systems and certificates for them on the fly.
And you destroy test machines. A parameter "list-old" shows certiciates that were not renewed
anymore and are older 90 days.
## Overview
This is an overview of the components for issuing a certificate that take part:

\ No newline at end of file
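Review bot: The new `## Overview` section ends with "that take part:" and nothing follows the colon in this hunk; if the image `docs/images/cert-manager-components.png` added in this commit is meant to go here, add the image reference, and end the file with a newline. Also "certiciates" should read "certificates" and "older 90 days" should read "older than 90 days".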
docs/images/cert-manager-components.png 0 → 100644 (63.3 KB)
docs/images/lets-encrypt-workflow-ansible.png 0 → 100644 (93.4 KB)
docs/style.css
@@ -34,7 +34,17 @@
/* ---------- tags ---------- */
body
,
*
{
color
:
var
(
--color
);
}
a
.Brand
::before
{
background
:
rgb
(
255
,
0
,
51
);
color
:
#fff
;
font-family
:
arial
;
font-weight
:
bold
;
padding
:
0.5em
0.3em
;
content
:
'IML'
;
margin-right
:
0.4em
;
}
body
,
*
{
color
:
var
(
--color
);}
body
{
background
:
var
(
--bg-body
);}
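Review bot: The rule `body, * { color: var(--color); }` appears twice in this hunk, once before `a.Brand::before` and again after it, so one copy is redundant; keep a single occurrence next to the new `body { background: var(--bg-body); }` rule.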