Using ansible to provision local certificates using letsencrypt

Over the weekend, I ran into a bit of a non-standard use case for Let's Encrypt (LE). Basically, I have some VMware ESXi and other boxes that aren't capable of running the Let's Encrypt certbot, but I wanted to give them valid certificates. Certbot is awesome and definitely the easiest way to get LE up and running for 99% of the folks out there. However, the most common way certbot validates domains/hostnames is HTTP validation, serving the challenge out of its own directory.

Certbot can also validate via DNS/Route53, but if I am setting up a separate box to do that and having to wire it into Ansible anyway, I might as well use the built-in modules. Since my hosts won't be exposed to the internet, using the HTTP method is a bit difficult. Additionally, my website is hosted on a CDN, which adds a layer of complexity as well.

The way I figured it, I had a few different approaches to getting the certs:

  1. Set up certbot on a separate box, using DNS validation
  2. Set up certbot to push the HTTP challenge content to the CDN
  3. Use Ansible to manage the entire workflow

When I started digging into this, I decided that I would probably keep the production certificate as the primary source of truth and potentially run all the Let's Encrypt commands on the remote host. This requires a few libraries to be installed (pyOpenSSL and letsencrypt), but it would allow anyone to run the role from any system without the risk of clobbering whatever is on their laptops. As it so happens, I don't have a very standard environment, and there are ESXi boxes that don't have any way of installing certbot to install/upgrade the certificates.

Basically, my solution was as follows:

  1. Have a box that holds the master certificate store (private keys, CSRs, public keys)
  2. Sync from the master cert store to the box running the playbook
  3. Run the LE commands against the local copies of the certificates
  4. If anything changes during the run, for example if a cert is renewed, push the keys back to the master store
  5. Delete the local keys
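As an added illustration of steps 2 to 5 (this is example code, not the author's role): a condensed play that pulls the store, renews via a dns-01 challenge answered through Route53, pushes back only on change, and wipes the runner. It assumes an inventory host `certstore` holding `/srv/certs/` (with `account.key`, `<domain>.key` and `<domain>.csr` already present), placeholder domain and zone names, and the `community.crypto`, `ansible.posix` and `amazon.aws` collections.

```yaml
# Added example (not the author's role). Assumed: host "certstore" keeps the
# master store in /srv/certs/, domain/zone are placeholders, and the LE tasks
# run on the controller (delegate_to: localhost) while synchronize moves files.
- hosts: certstore
  gather_facts: false
  vars:
    domain: esxi01.example.com
    zone: example.com
    work: /var/tmp/le   # scratch dir on the runner, removed at the end
  tasks:
    - name: Step 2 - pull the master store to the box running the playbook
      ansible.posix.synchronize: { src: /srv/certs/, dest: "{{ work }}/", mode: pull }
    - name: Step 3 - ask LE for a challenge (no-op unless fewer than 30 days remain)
      community.crypto.acme_certificate: &acme
        account_key_src: "{{ work }}/account.key"
        acme_directory: https://acme-v02.api.letsencrypt.org/directory
        acme_version: 2
        terms_agreed: true
        challenge: dns-01
        csr: "{{ work }}/{{ domain }}.csr"
        dest: "{{ work }}/{{ domain }}.crt"
        fullchain_dest: "{{ work }}/{{ domain }}-fullchain.crt"
        remaining_days: 30
      delegate_to: localhost
      register: challenge
    - name: Publish the TXT record LE asked for (value must be quoted for Route53)
      amazon.aws.route53:
        state: present
        zone: "{{ zone }}"
        record: "{{ challenge.challenge_data[domain]['dns-01'].record }}"
        type: TXT
        value: "\"{{ challenge.challenge_data[domain]['dns-01'].resource_value }}\""
        overwrite: true
        wait: true   # do not tell LE to validate before the record is live
      delegate_to: localhost
      when: challenge is changed
    - name: Let LE validate the record and write the new certificate
      community.crypto.acme_certificate:
        <<: *acme
        data: "{{ challenge }}"
      delegate_to: localhost
      when: challenge is changed
      register: issued
    - name: Step 4 - push renewed material back only when something changed
      ansible.posix.synchronize: { src: "{{ work }}/", dest: /srv/certs/, mode: push }
      when: issued is changed
    - name: Step 5 - never leave private keys on the runner
      ansible.builtin.file: { path: "{{ work }}", state: absent }
      delegate_to: localhost
```

The YAML anchor `&acme` reuses the same module arguments for the second `acme_certificate` call, so only `data` (the challenge result) differs between the two phases.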

Below is the role that I use to generate keys using this method.

James is a security nerd with a technology problem. Follow him on Twitter.