Simple Ansible playbook to replace Apache and Nginx SSL certificates
- This takes SSL certificates and keys copied into `install/roles/sslcerts/files` and copies them to the servers that match their file name, e.g. `host-01.pem` (certificate) and `host-01.key` (certificate key).
- It then restarts whichever web server type (Apache or Nginx) each host runs.
| SSL Component | File System Path |
|---|---|
| Apache Cert | /etc/pki/tls/certs/servername.pem |
| Apache Key | /etc/pki/tls/private/servername.key |
| Nginx Cert | /etc/pki/tls/certs/servername.pem |
| Nginx Key | /etc/pki/tls/certs/servername.key |
- You can change these paths to your liking in `install/group_vars/all.yml`.
- Edit the `hosts` inventory as follows, depending on whether a host runs Nginx or Apache:

```ini
[apache]
host-01
[nginx]
host-02
```
- Generate certificates and keys via your preferred method and name them after the inventory host they belong to:

```
install/roles/sslcerts/files
├── host-01.key
├── host-01.pem
├── host-02.key
└── host-02.pem
```

- Run the playbook:

```bash
ansible-playbook -i hosts install/sslcerts.yml
```
- Make sure your web server configuration expects these file names, based on each host's FQDN or domain.
- You can generate your own TLS certificate and key with one command for testing:

```bash
servername=$(hostname)
mkdir -p /etc/pki/tls/certs ; cd /etc/pki/tls/certs
openssl req -x509 -newkey rsa:4096 -keyout "$servername.key" -out "$servername.pem" -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"
```

- Consider using Ansible Vault to store and manage the certificate files.
- Inspect the local certificates to make sure they match the target domains before running the playbook.
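The following pre-flight script implements that last check for the `files/` layout described above; it is an added example, not part of the playbook itself, and assumes only that `openssl` is installed locally. For each `<host>.pem` it verifies that a matching `<host>.key` exists, that the key really belongs to the certificate, that the certificate is issued for `<host>` (CN or DNS SAN), and that it is not about to expire.

```sh
#!/bin/sh
# Pre-flight check for install/roles/sslcerts/files (added example, not part of
# the playbook): every <host>.pem needs a <host>.key, the key must belong to that
# certificate, the certificate must name <host> as CN or DNS SAN (no wildcard
# matching) and must not expire within 30 days.

# check_cert_pair DIR HOST: status 0 when the pair is consistent, 1 otherwise
check_cert_pair() {
    cert="$1/$2.pem"; key="$1/$2.key"
    if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
        echo "$2: missing $cert or $key" >&2; return 1
    fi
    # The public key inside the certificate must equal the one derived from the private key
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || { echo "$2: unreadable certificate" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "$2: unreadable key" >&2; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$2: private key does not match certificate" >&2; return 1
    fi
    # The file name must be the CN (RFC2253 order puts CN first) or a DNS SAN entry
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    sans=$(openssl x509 -in "$cert" -noout -text | grep 'DNS:' || true)
    name_ok=0
    case "$subject" in *"CN=$2,"*|*"CN=$2") name_ok=1 ;; esac
    case "$sans" in *"DNS:$2,"*|*"DNS:$2") name_ok=1 ;; esac
    if [ "$name_ok" -ne 1 ]; then
        echo "$2: certificate is not issued for $2" >&2; return 1
    fi
    # Reject certificates that expire within 30 days (2592000 seconds)
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "$2: certificate expires within 30 days" >&2; return 1
    fi
    return 0
}

# check_cert_dir DIR: checks every <host>.pem in DIR; status 0 only when all pass
check_cert_dir() {
    failures=0; total=0
    for cert in "$1"/*.pem; do
        [ -e "$cert" ] || break
        total=$((total + 1))
        check_cert_pair "$1" "$(basename "$cert" .pem)" || failures=$((failures + 1))
    done
    echo "$total certificate(s) checked, $failures failed"
    [ "$total" -gt 0 ] && [ "$failures" -eq 0 ]
}

# Usage: sh check_certs.sh install/roles/sslcerts/files
if [ "$#" -gt 0 ]; then check_cert_dir "$1"; fi
```

Run it against `install/roles/sslcerts/files` before `ansible-playbook`; a non-zero exit status means at least one pair would be copied to a host whose name it does not match.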