# Automation with Ansible

This is an example of how our own installation works.

Ansible can be started manually on a sysadmin's workstation or on AWX. So we need a "central server" that manages and holds all certificates. `cm.sh` contains a queue so that only one certificate is handled at a time. Multiple simultaneous calls of `cm.sh` - from multiple machines or because of parallel tasks in your playbook - are no problem.

The following snippets give you an idea of how it is done, even though they are not a complete source with all values of the variables.

## 1. Execute cm.sh

The Ansible instances start `cm.sh` as an SSH command. This triggers the creation or renewal of a certificate - whatever is needed.

```yaml
- name: 'on {{ ssl_master_certhost }} - start {{ ssl_certman_dir }}/cm.sh ensure ...'
  shell: |
    ssh {{ ssl_master_user }}@{{ ssl_master_certhost }} {{ ssl_certman_dir }}/cm.sh ensure {{ ssl_fqdn }} {{ ssl_aliases | join(' ') }}
  become_user: "{{ lookup('env','USER') }}"
  delegate_to: localhost
  # maybe you need to set
  # become: true|false
```

## 2. Rsync certs locally

With rsync it syncs the certificate folder locally to the Ansible machine.

```yaml
- name: "sync certs locally"
  shell: |
    rsync -rav {{ ssl_master_user }}@{{ ssl_master_certhost }}:{{ ssl_master_install_dir }}/certs/ {{ ssl_certs_local_dir }}
  become_user: "{{ lookup('env','USER') }}"
  delegate_to: localhost
  # maybe you need to set
  # become: true|false
```

## 3. Deploy files

Now we can use the normal Ansible copy mechanism to bring these files to the target system.
```yaml
- name: Install key + certificate for {{ ssl_fqdn }} + intermediate CA
  copy:
    src: '{{ item[0] }}'
    dest: '{{ item[1] }}'
    mode: '{{ item[2] }}'
    backup: true
  notify: "{{ ssl_change_notify | default([]) }}"
  loop:
    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.cert.cer',      '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.cert.cer',      '0444' ]
    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.fullchain.cer', '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.fullchain.cer', '0444' ]
    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.key.pem',       '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.key.pem',       '0400' ]
    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.haproxy.pem',   '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.haproxy.pem',   '0444' ]
    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.ca.cer',        '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.ca.cer',        '0444' ]
    # ^
    # |
    # filestructure after ACME.SH dump
```
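The copy task above pushes whatever rsync brought to the Ansible machine, including the private key, without looking at it. As an added example (a hypothetical helper script, not part of `cm.sh` or of the playbook shown here), the following POSIX shell function runs a pre-deploy sanity check over the local copy for one FQDN before step 3: every file the copy task expects exists and is non-empty, each PEM file has balanced BEGIN/END markers, the key file is not readable by group or others on the Ansible machine, and the fullchain starts with the leaf certificate. It assumes the layout `<ssl_certs_local_dir>/<fqdn>/<fqdn>.<suffix>` used in the copy task; the optional `key_matches_cert` check needs `openssl` and is skipped when it is absent.

```shell
#!/bin/sh
# Pre-deploy check for the certificate folder rsynced in step 2.
# Hypothetical helper (added example), not part of cm.sh or the playbook.
# Assumed layout: <base>/<fqdn>/<fqdn>.{cert.cer,fullchain.cer,key.pem,haproxy.pem,ca.cer}

# The five files the copy task in step 3 deploys for one FQDN.
cert_bundle_files() {
    fqdn=$1
    echo "$fqdn.cert.cer $fqdn.fullchain.cer $fqdn.key.pem $fqdn.haproxy.pem $fqdn.ca.cer"
}

# A PEM file must contain at least one BEGIN line and as many END lines.
pem_markers_ok() {
    f=$1
    begins=$(grep -c '^-----BEGIN ' "$f")
    ends=$(grep -c '^-----END ' "$f")
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# Group and other permission bits, e.g. "-rw-r--r--" -> "r--r--".
# Uses ls -l so it also works without GNU stat.
mode_group_other() {
    ls -l "$1" | cut -c5-10
}

# The fullchain must begin byte-for-byte with the leaf certificate.
fullchain_starts_with_leaf() {
    leaf=$1
    chain=$2
    n=$(wc -l < "$leaf" | tr -d ' ')
    head -n "$n" "$chain" | cmp -s - "$leaf"
}

# check_cert_bundle <base dir> <fqdn>: returns 0 if all checks pass,
# otherwise prints every failure and returns 1.
check_cert_bundle() {
    base=$1
    fqdn=$2
    dir="$base/$fqdn"
    rc=0
    for name in $(cert_bundle_files "$fqdn"); do
        f="$dir/$name"
        if [ ! -s "$f" ]; then
            echo "FAIL: $f missing or empty"
            rc=1
            continue
        fi
        if ! pem_markers_ok "$f"; then
            echo "FAIL: $f has unbalanced PEM markers"
            rc=1
        fi
    done
    key="$dir/$fqdn.key.pem"
    if [ -s "$key" ] && [ "$(mode_group_other "$key")" != "------" ]; then
        echo "FAIL: $key is readable by group or others"
        rc=1
    fi
    leaf="$dir/$fqdn.cert.cer"
    chain="$dir/$fqdn.fullchain.cer"
    if [ -s "$leaf" ] && [ -s "$chain" ] && ! fullchain_starts_with_leaf "$leaf" "$chain"; then
        echo "FAIL: $chain does not start with the leaf certificate"
        rc=1
    fi
    return $rc
}

# Optional cryptographic check: the key and the certificate carry the same
# public key. Requires openssl; skipped (returns 0) when it is not installed.
key_matches_cert() {
    cert=$1
    key=$2
    command -v openssl >/dev/null 2>&1 || { echo "skip: openssl not found"; return 0; }
    a=$(openssl x509 -noout -pubkey -in "$cert")
    b=$(openssl pkey -pubout -in "$key")
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

Run it on the Ansible machine as `check_cert_bundle "$ssl_certs_local_dir" "$ssl_fqdn"` between step 2 and step 3 (for instance from a `shell` task with `delegate_to: localhost`), and let a non-zero exit abort the play so a truncated rsync or a key that the local copy exposes is never deployed.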