Difference between revisions of "Ansible Update Certificate Trust"
(Created page with "``` ansible-playbook -i hosts.yaml -e ansible_password=$USERPASS -e ansible_user=$USERNAME ca-cert.yaml -e ansible_become_password=$USERPASS ``` hosts.yaml ``` ungrouped: h...") |
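--- a/Ansible Update Certificate Trust
+++ b/Ansible Update Certificate Trust
@@ -1,6 +1,13 @@
+# Ansible
+
+### Cert Files
+Cert file(s) in files folder, in this case files/rootca1.crt
+
+### Run
 ```
 ansible-playbook -i hosts.yaml -e ansible_password=$USERPASS -e ansible_user=$USERNAME ca-cert.yaml -e ansible_become_password=$USERPASS
 ```
-hosts.yaml
+
+### hosts.yaml
 ```
 ungrouped:
@@ -10,4 +17,150 @@
 ```
-ca-cert.yaml
+
+### Windows.yaml 5986 is best
+```
+ca_dir: "/usr/local/share/ca-certificates"
+ca_update_cmd: "/usr/sbin/update-ca-certificates"
+ansible_connection: winrm
+# ansible_port: 5986
+ansible_winrm_transport: ntlm
+ansible_winrm_scheme: http
+ansible_port: 5985
+```
+
+
+### Debian.yaml
+```
+ca_dir: "/usr/local/share/ca-certificates"
+ca_update_cmd: "/usr/sbin/update-ca-certificates"
+```
+
+
+### RedHat.yaml
+```
+ca_dir: "/etc/pki/ca-trust/source/anchors"
+ca_update_cmd: "/usr/bin/update-ca-trust"
+```
+
+
+
+### ca-cert.yaml
 ```
+---
+- name: Update Linux & Windows CA Trusted Stores
+gather_facts: no
+hosts: all
+vars_files:
+- "{{ ansible_os_family }}.yaml"
+tasks:
+- name: nc22
+ansible.builtin.shell: "nc -z -w 2 {{ inventory_hostname }} 22"
+register: nc22
+delegate_to: localhost
+failed_when: false
+no_log: True
+- name: Set fact
+when: nc22.rc == 0
+ansible.builtin.set_fact:
+tcp22: true
+- name: Set fact
+when: nc22.rc == 1
+ansible.builtin.set_fact:
+tcp22: false
+- name: nc5986
+ansible.builtin.shell: "nc -z -w 2 {{ inventory_hostname }} 5986"
+register: nc5986
+delegate_to: localhost
+failed_when: false
+no_log: True
+- name: Set fact
+when: nc5986.rc == 0
+ansible.builtin.set_fact:
+tcp5986: true
+- name: Set fact
+when: nc5986.rc == 1
+ansible.builtin.set_fact:
+tcp5986: false
+- name: nc5985
+ansible.builtin.shell: "nc -z -w 2 {{ inventory_hostname }} 5985"
+register: nc5985
+delegate_to: localhost
+failed_when: false
+no_log: True
+- name: Set fact
+when: nc5985.rc == 0
+ansible.builtin.set_fact:
+tcp5985: true
+- name: Set fact
+when: nc5985.rc == 1
+ansible.builtin.set_fact:
+tcp5985: false
+# - name: Print version
+# when: tcp22
+# debug:
+# msg: "yes"
+- name: 5985 set facts/variables
+ansible.builtin.set_fact:
+ansible_connection: winrm
+ansible_winrm_transport: ntlm
+ansible_winrm_scheme: http
+ansible_port: 5985
+# cacheable: yes
+when: not tcp5986 and tcp5985
+- name: 5986 set facts/variables
+ansible.builtin.set_fact:
+ansible_connection: winrm
+ansible_winrm_transport: ntlm
+ansible_winrm_scheme: https
+ansible_port: 5986
+# cacheable: yes
+when: tcp5986
+- name: Gathering facts
+setup:
+when: not tcp5986 and tcp22
+- name: Add New Internal Root CA to Linux CA Trust Store
+when: not tcp5986
+become: true
+ansible.builtin.template:
+src: files/rootca1.crt
+dest: "{{ ca_dir }}/rootca1.crt"
+register: add_rootca1
+- name: Update CA
+become: true
+ansible.builtin.shell: "{{ ca_update_cmd }}"
+when: add_rootca1.changed
+- name: Linux Run Update CA
+become: true
+ansible.builtin.shell: "{{ ca_update_cmd }}"
+when: add_rootca1.changed
+- name: Windows Copy Internal Certificate Files
+# when: nc5986.rc == 0
+# when: tcp5986.results.state == "started"
+when: tcp5986
+ansible.windows.win_copy:
+src: files
+dest: C:\Temp\
+- name: Windows Add rootca1 to AuthRoot
+when: tcp5986
+ansible.windows.win_certificate_store:
+path: C:\Temp\files\rootca1.pem
+state: present
+store_location: LocalMachine
+store_name: AuthRoot
+
+
+# - name: SSH is open
+# wait_for:
+# host: "{{ inventory_hostname }}"
+# port: 22
+# state: started
+# delay: 0
+# timeout: 2
+# delegate_to: localhost
+# register: tcp22chk
+# failed_when: false
+# no_log: True
+
+# Prep
+# apt install nc && parallel
+# parallel nc -vzw 2 example.com ::: 80 443 10022
 ```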
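Review bot: The '5985 set facts/variables' task (`ansible_winrm_scheme: http`, `ansible_port: 5985`) downgrades to plaintext WinRM automatically whenever 5986 does not answer, so the NTLM exchange and the certificate copy cross the network in the clear and anything that blocks 5986 silently forces that path; gate it behind an explicit variable, e.g. `when: not tcp5986 and tcp5985 and (allow_plaintext_winrm | bool)`, and leave `ansible_winrm_server_cert_validation` at its default so the 5986 path actually verifies the listener. The documented command line passes the passwords as `-e ansible_password=$USERPASS -e ansible_become_password=$USERPASS`, which exposes them in `ps` output and shell history; `--ask-pass --ask-become-pass` (or a vaulted vars file) avoids that. The `when: nc22.rc == 1` style checks in the 'Set fact' tasks leave tcp22/tcp5986/tcp5985 undefined when nc exits with any other code (127 when it is not installed, for instance), after which the later `when:` conditions error out; `rc != 0`, or a single `tcp22: "{{ nc22.rc == 0 }}"`, covers every case. 'Update CA' and 'Linux Run Update CA' run the same update command twice, and the Windows task imports `C:\Temp\files\rootca1.pem` while the Cert Files section names files/rootca1.crt.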
Revision as of 18:55, 22 December 2023
Ansible
Cert Files
Put the CA certificate file(s) in the `files` folder next to the playbook; this page uses files/rootca1.crt.
Run
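# Run the play against hosts.yaml.
#
# The SSH/WinRM password and the become password are prompted for instead
# of being passed with -e: anything given on the command line is visible to
# every local user through `ps` and is kept in the shell history. The user
# name is not secret, so it stays in -e (quoted so a value with spaces
# survives word splitting). --ask-pass feeds ansible_password for both the
# SSH and the WinRM connection plugins.
ansible-playbook -i hosts.yaml -e "ansible_user=$USERNAME" --ask-pass --ask-become-pass ca-cert.yaml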
hosts.yaml
---
# Inventory: a single host, kept out of any group.
# Connection details (SSH vs WinRM, port, scheme) are not set here;
# ca-cert.yaml probes each host and chooses them with set_fact.
ungrouped:
  hosts:
    foo.example.com:
Windows.yaml — prefer port 5986 (WinRM over HTTPS); 5985 is WinRM over plain HTTP.
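---
# Per-OS vars for hosts whose ansible_os_family is "Windows".
#
# NOTE(review): ca-cert.yaml picks the WinRM port itself with set_fact,
# which outranks vars_files, and only runs setup (the source of
# ansible_os_family) over SSH — so treat these values as the documented
# defaults for a direct WinRM run rather than what that play will use.
# The Linux-only keys (ca_dir, ca_update_cmd) that used to sit here were
# copy-pasted from Debian.yaml and are not referenced by any Windows task.
ansible_connection: winrm
ansible_winrm_transport: ntlm
# 5986 is the HTTPS listener. 5985 speaks plain HTTP, so the NTLM exchange
# and every file copied to the host would cross the network in the clear;
# only fall back to it on a network you control end to end.
ansible_winrm_scheme: https
ansible_port: 5986
# Plaintext fallback, disabled:
# ansible_winrm_scheme: http
# ansible_port: 5985
# ansible_winrm_server_cert_validation is deliberately not set: its default
# ("validate") rejects a listener whose certificate is not trusted, whereas
# "ignore" would accept any certificate and defeat the point of 5986.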
Debian.yaml
---
# Per-OS vars for hosts whose ansible_os_family is "Debian".
# Directory the new root CA file is copied into.
ca_dir: '/usr/local/share/ca-certificates'
# Command run (as root) after the file changed to rebuild the trust bundle.
ca_update_cmd: '/usr/sbin/update-ca-certificates'
RedHat.yaml
---
# Per-OS vars for hosts whose ansible_os_family is "RedHat".
# Directory the new root CA file is copied into.
ca_dir: '/etc/pki/ca-trust/source/anchors'
# Command run (as root) after the file changed to rebuild the trust bundle.
ca_update_cmd: '/usr/bin/update-ca-trust'
ca-cert.yaml
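---
# Add an internal root CA to the trust store of every inventory host.
#
# Facts are not gathered up front because the connection type is not known
# yet: the play probes TCP/22, TCP/5986 and TCP/5985 from the controller
# and then picks SSH (Linux path) or WinRM (Windows path) per host.
#
# Per-OS paths (ca_dir, ca_update_cmd) come from "{{ ansible_os_family }}.yaml"
# (Debian.yaml, RedHat.yaml). Ansible loads a vars_file lazily, once its
# name can be templated, so the file is read after the setup task below.
# Hosts handled over WinRM never run setup in this play, so unless
# ansible_os_family is supplied some other way their vars file is not
# loaded; the Windows tasks do not use it.
#
# Security notes:
#   * WinRM on 5985 is plain HTTP: the NTLM exchange and the certificate
#     copy travel in the clear. That fallback is opt-in (allow_plaintext_winrm)
#     instead of automatic, so a blocked or missing 5986 listener cannot
#     silently downgrade the connection.
#   * ansible_winrm_server_cert_validation is left at its default
#     ("validate") so the 5986 listener's certificate is actually checked.
#
# Controller prerequisite: nc (e.g. apt install netcat-openbsd).
- name: Update Linux & Windows CA Trusted Stores
  hosts: all
  gather_facts: false
  vars:
    # CA file under files/ on the controller; also the name used on targets.
    ca_file: rootca1.crt
    # Allow WinRM over HTTP on 5985 when 5986 is closed
    # (e.g. -e allow_plaintext_winrm=true). Off by default, see above.
    allow_plaintext_winrm: false
    # Seconds nc waits for each probe.
    probe_timeout: 2
  vars_files:
    - "{{ ansible_os_family }}.yaml"
  tasks:
    # --- Connection probing (runs on the controller) -----------------------
    - name: Probe TCP/22, TCP/5986 and TCP/5985 from the controller
      ansible.builtin.command:
        argv:
          - nc
          - -z
          - -w
          - "{{ probe_timeout }}"
          - "{{ inventory_hostname }}"
          - "{{ item }}"
      # Order matters: results are read back by index below.
      loop: [22, 5986, 5985]
      register: probe
      delegate_to: localhost
      changed_when: false
      # A closed port (or a missing nc) must not abort the play; rc is
      # inspected in the next task instead.
      failed_when: false
      # Carried over from the earlier version; it only hides nc's output.
      no_log: true

    - name: Record which ports answered
      ansible.builtin.set_fact:
        # Any non-zero rc (refused, timed out, nc absent) counts as closed.
        tcp22: "{{ probe.results[0].rc == 0 }}"
        tcp5986: "{{ probe.results[1].rc == 0 }}"
        tcp5985: "{{ probe.results[2].rc == 0 }}"

    - name: Fail early when the host offers no usable management port
      ansible.builtin.fail:
        msg: >-
          {{ inventory_hostname }}: no usable management port
          (22={{ tcp22 }}, 5986={{ tcp5986 }}, 5985={{ tcp5985 }},
          plaintext WinRM allowed={{ allow_plaintext_winrm }}).
      when: not (tcp22 or tcp5986 or (tcp5985 and (allow_plaintext_winrm | bool)))

    # --- Connection selection ---------------------------------------------
    - name: Use WinRM over HTTPS when 5986 answers
      ansible.builtin.set_fact:
        ansible_connection: winrm
        ansible_winrm_transport: ntlm
        ansible_winrm_scheme: https
        ansible_port: 5986
        use_winrm: true
      when: tcp5986

    - name: Fall back to WinRM over plain HTTP only when explicitly allowed
      ansible.builtin.set_fact:
        ansible_connection: winrm
        ansible_winrm_transport: ntlm
        ansible_winrm_scheme: http
        ansible_port: 5985
        use_winrm: true
      when:
        - not tcp5986
        - tcp5985
        - allow_plaintext_winrm | bool

    - name: Otherwise use the default SSH connection (Linux path)
      ansible.builtin.set_fact:
        use_winrm: false
      when: use_winrm is not defined

    # --- Linux ------------------------------------------------------------
    - name: Gather facts over SSH (provides ansible_os_family for vars_files)
      ansible.builtin.setup:
      when: not use_winrm

    - name: Install the internal root CA into the Linux trust anchor directory
      # copy, not template: a certificate is static data and must not be
      # passed through Jinja.
      ansible.builtin.copy:
        src: "files/{{ ca_file }}"
        dest: "{{ ca_dir }}/{{ ca_file }}"
        owner: root
        group: root
        mode: "0644"
      become: true
      register: add_rootca
      when: not use_winrm

    - name: Rebuild the Linux CA bundle when the anchor changed
      ansible.builtin.command: "{{ ca_update_cmd }}"
      become: true
      when:
        - not use_winrm
        - add_rootca is changed

    # --- Windows ----------------------------------------------------------
    - name: Ensure the staging directory exists on the Windows host
      ansible.windows.win_file:
        path: 'C:\Temp'
        state: directory
      when: use_winrm

    - name: Copy the internal root CA to the Windows host
      # Only the CA file is staged, not the whole files/ directory.
      ansible.windows.win_copy:
        src: "files/{{ ca_file }}"
        dest: 'C:\Temp\{{ ca_file }}'
      when: use_winrm

    - name: Add the internal root CA to the LocalMachine AuthRoot store
      # NOTE(review): the earlier version imported rootca1.pem here although
      # the documented file is files/rootca1.crt; ca_file is used for both
      # paths now, change it if the Windows copy is a separate .pem.
      # AuthRoot is the "Third-Party Root" store; an enterprise root is
      # usually placed in Root instead — confirm which one clients expect.
      ansible.windows.win_certificate_store:
        path: 'C:\Temp\{{ ca_file }}'
        state: present
        store_location: LocalMachine
        store_name: AuthRoot
      when: use_winrm

    - name: Remove the staged copy of the certificate
      ansible.windows.win_file:
        path: 'C:\Temp\{{ ca_file }}'
        state: absent
      when: use_winrm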