Ansible Update Certificate Trust


Ansible

Cert Files

Put the CA certificate file(s) in the `files` folder next to the playbook — in this example `files/rootca1.crt`. Use the same file name in every task that references it (the Linux and Windows tasks must agree on it).

Run

ansible-playbook -i hosts.yaml -e ansible_password=$USERPASS -e ansible_user=$USERNAME ca-cert.yaml -e ansible_become_password=$USERPASS

Caveat: passing `ansible_password` / `ansible_become_password` via `-e` puts the secret on the command line, where it is visible to other users through `ps` and may be written to the shell history. Prefer `--ask-pass --ask-become-pass`, or keep the credentials in an Ansible Vault-encrypted vars file, and unset `$USERPASS` when you are done.

hosts.yaml

# Minimal inventory for ca-cert.yaml: a single host with no group or host
# vars. The key is the name the playbook probes with nc and connects to, so
# it must resolve from the control node. The bare value (nothing after the
# colon) is the normal Ansible inventory idiom for "no host vars".
ungrouped:
  hosts:
    foo.example.com:

Windows.yaml — WinRM over HTTPS on port 5986 is preferred; the 5985/HTTP values are only a fallback for hosts without an HTTPS listener (the playbook below picks 5985 only when 5986 is closed).

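# Connection vars for hosts whose ansible_os_family is Windows.
# NOTE(review): the playbook runs with gather_facts disabled and sets these
# same values itself with set_fact after probing ports, so this file appears
# to be reference only; keep the two in sync.
#
# WinRM over HTTPS (5986) is preferred: the HTTP listener on 5985 gives no
# server authentication and relies on NTLM message encryption alone to
# protect the session, whereas HTTPS authenticates the host and encrypts the
# transport.
ansible_connection: winrm
ansible_winrm_transport: ntlm
ansible_winrm_scheme: https
ansible_port: 5986
# Fallback for hosts that only have the plain-HTTP listener:
# ansible_winrm_scheme: http
# ansible_port: 5985
#
# Leave ansible_winrm_server_cert_validation at its default. Setting it to
# "ignore" removes the server identity check and defeats the purpose of a
# CA-trust rollout; fix the listener certificate instead.
#
# The Linux-only ca_dir / ca_update_cmd values that used to be here were
# copy-paste leftovers from Debian.yaml and are not used by the Windows tasks.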

Debian.yaml

# Trust-store settings for ansible_os_family == Debian (Debian, Ubuntu, ...).
# Local anchors are dropped into ca_dir and merged into the system bundle by
# ca_update_cmd. update-ca-certificates only picks up files in this
# directory whose name ends in .crt, so keep the .crt suffix the playbook uses.
ca_dir: "/usr/local/share/ca-certificates"
ca_update_cmd: "/usr/sbin/update-ca-certificates"

RedHat.yaml

# Trust-store settings for ansible_os_family == RedHat (RHEL and derivatives).
# Anchors dropped into ca_dir are merged into the consolidated system bundle
# by ca_update_cmd; the file extension is not significant here.
ca_dir: "/etc/pki/ca-trust/source/anchors"
ca_update_cmd: "/usr/bin/update-ca-trust"

ca-cert.yaml

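---
# ca-cert.yaml — install files/rootca1.crt into the OS trust store of every
# inventory host and verify that TLS to https://example.com/ validates.
#
# Facts are not gathered up front because the connection type is unknown.
# Instead TCP ports are probed from the control node (nc must be installed
# there) and each host is classified:
#   5986 open             -> Windows, WinRM over HTTPS
#   5985 open, 5986 not   -> Windows, WinRM over HTTP (fallback)
#   22 open, no WinRM     -> Linux over SSH; facts are gathered afterwards so
#                            "{{ ansible_os_family }}.yaml" (Debian.yaml /
#                            RedHat.yaml) can supply ca_dir and ca_update_cmd
# NOTE(review): "port open" is taken to mean "that OS"; a Linux host exposing
# 5985/5986, or a Windows host running sshd, is misclassified. A Linux host
# whose family has no <family>.yaml is expected to fail when vars_files is
# loaded.
- name: Update Linux & Windows CA Trusted Stores
  gather_facts: false
  hosts: all
  vars_files:
    - "{{ ansible_os_family }}.yaml"
  vars:
    # Certificate under files/ on the control node. One name is used by both
    # branches so the Linux and Windows tasks cannot drift apart.
    ca_cert_file: rootca1.crt
  tasks:
    # --- Port probes: run on the control node, never on the target. argv
    # passes inventory_hostname as a single argument, so a hostname is never
    # interpreted by a shell. no_log keeps the per-host noise out of the log.
    - name: Probe TCP 22 (SSH)
      ansible.builtin.command:
        argv: ["nc", "-z", "-w", "2", "{{ inventory_hostname }}", "22"]
      register: nc22
      delegate_to: localhost
      changed_when: false
      failed_when: false
      no_log: true

    - name: Probe TCP 5986 (WinRM HTTPS)
      ansible.builtin.command:
        argv: ["nc", "-z", "-w", "2", "{{ inventory_hostname }}", "5986"]
      register: nc5986
      delegate_to: localhost
      changed_when: false
      failed_when: false
      no_log: true

    - name: Probe TCP 5985 (WinRM HTTP)
      ansible.builtin.command:
        argv: ["nc", "-z", "-w", "2", "{{ inventory_hostname }}", "5985"]
      register: nc5985
      delegate_to: localhost
      changed_when: false
      failed_when: false
      no_log: true

    - name: Classify host by which port answered
      ansible.builtin.set_fact:
        # Any non-zero rc (closed, timeout, DNS failure, nc missing) counts as
        # closed, so every flag is defined for the `when:` checks below.
        tcp22: "{{ nc22.rc == 0 }}"
        tcp5986: "{{ nc5986.rc == 0 }}"
        tcp5985: "{{ nc5985.rc == 0 }}"
        is_windows: "{{ nc5986.rc == 0 or nc5985.rc == 0 }}"
        is_linux: "{{ nc22.rc == 0 and nc5986.rc != 0 and nc5985.rc != 0 }}"

    # A host with no reachable management port would otherwise skip every
    # task silently and still count as "done" in the play recap.
    - name: Fail early when no management port answered
      ansible.builtin.assert:
        that: "(is_windows | bool) or (is_linux | bool)"
        fail_msg: "{{ inventory_hostname }}: none of TCP 22/5985/5986 answered from the control node"

    # --- Connection selection ------------------------------------------
    - name: Windows | Use WinRM over HTTPS (5986)
      ansible.builtin.set_fact:
        ansible_connection: winrm
        ansible_winrm_transport: ntlm
        ansible_winrm_scheme: https
        ansible_port: 5986
        # ansible_winrm_server_cert_validation is deliberately left at its
        # default; "ignore" would drop the host identity check.
      when: tcp5986 | bool

    - name: Windows | Fall back to WinRM over HTTP (5985)
      ansible.builtin.set_fact:
        ansible_connection: winrm
        ansible_winrm_transport: ntlm
        # No server authentication on this listener; only NTLM message
        # encryption protects the session. Prefer the 5986 listener.
        ansible_winrm_scheme: http
        ansible_port: 5985
      when: not (tcp5986 | bool) and (tcp5985 | bool)

    # Facts are only needed on Linux, to resolve "{{ ansible_os_family }}.yaml".
    - name: Linux | Gather facts
      ansible.builtin.setup:
      when: is_linux | bool

    # --- Linux ----------------------------------------------------------
    # copy, not template: a certificate is not a Jinja template and must be
    # installed byte-for-byte. src is resolved under files/ by the module.
    - name: Linux | Install root CA into the distribution anchor directory
      ansible.builtin.copy:
        src: "{{ ca_cert_file }}"
        dest: "{{ ca_dir }}/{{ ca_cert_file }}"
        owner: root
        group: root
        mode: "0644"
      become: true
      register: add_rootca1
      when: is_linux | bool

    # Rebuild the system bundle once, and only when the anchor actually
    # changed (the original ran this twice).
    - name: Linux | Rebuild the CA trust bundle
      ansible.builtin.command: "{{ ca_update_cmd }}"
      become: true
      when: (is_linux | bool) and (add_rootca1 is changed)

    # --- Windows --------------------------------------------------------
    - name: Windows | Ensure staging directory exists
      ansible.windows.win_file:
        path: 'C:\Temp'
        state: directory
      when: is_windows | bool

    # Only the certificate is staged, not the whole files/ directory.
    - name: Windows | Copy root CA to the staging directory
      ansible.windows.win_copy:
        src: "{{ ca_cert_file }}"
        dest: 'C:\Temp\{{ ca_cert_file }}'
      when: is_windows | bool

    # AuthRoot (Third-Party Root CAs) is trusted for chain building, which is
    # what the original used. NOTE(review): Root (Trusted Root Certification
    # Authorities) is the usual home for an internal enterprise CA — choose
    # deliberately and keep it consistent with your GPO/Intune settings.
    - name: Windows | Add root CA to the AuthRoot store
      ansible.windows.win_certificate_store:
        path: 'C:\Temp\{{ ca_cert_file }}'
        state: present
        store_location: LocalMachine
        store_name: AuthRoot
      when: is_windows | bool

    - name: Windows | Pause briefly for the certificate cache
      ansible.builtin.pause:
        seconds: 1
      when: is_windows | bool

    # --- Verification ---------------------------------------------------
    # A chain that does not validate raises in PowerShell, which win_powershell
    # reports in `error`; that is what fails the task. -UseBasicParsing avoids
    # the Internet Explorer engine dependency on Windows PowerShell 5.1.
    - name: Windows | Verify TLS trust via Invoke-WebRequest
      ansible.windows.win_powershell:
        script: |
          (Invoke-WebRequest -Uri "https://example.com/" -UseBasicParsing).StatusCode
      register: results
      changed_when: false
      failed_when: results.error | length > 0
      when: is_windows | bool

    # curl exits non-zero on a certificate verification failure; the body is
    # discarded so it does not end up in the log.
    - name: Linux | Verify TLS trust via curl
      ansible.builtin.command:
        argv: ["curl", "-sS", "-o", "/dev/null", "https://example.com/"]
      changed_when: false
      when: is_linux | bool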

Notes

# wait_for with state: started returns differently shaped results on success and on failure, which makes it awkward to derive a simple open/closed fact from the registered result, so nc/netcat is used instead:
  # - name: SSH is open
  #   wait_for:
  #     host: "{{ inventory_hostname }}"
  #     port: 22
  #     state: started
  #     delay: 0
  #     timeout: 2
  #   delegate_to: localhost
  #   register: tcp22chk
  #   failed_when: false
  #   no_log: True

# Prep (control node): nc and GNU parallel are needed for the port probes and the manual check below.
# On Debian/Ubuntu the packages are netcat-openbsd and parallel (there is no package named "nc",
# and "apt install nc && parallel" would try to run parallel rather than install it):
# apt install netcat-openbsd parallel
# parallel nc -vzw 2 example.com ::: 80 443 10022