Summary

Method using
sudo bash /etc/pki/tls/certs/make-dummy-cert filename
- The PRIVATE KEY and the CERTIFICATE are written to a single file.
- To make it usable from the Nginx configuration, create a symbolic link and point ssl_certificate and ssl_certificate_key at the two names.
Method using the Ansible openssl_privatekey, openssl_csr and openssl_certificate modules
Playbook using
sudo bash /etc/pki/tls/certs/make-dummy-cert filename

---
- name: generate a Self Signed OpenSSL certificate
  command: /etc/pki/tls/certs/make-dummy-cert /etc/nginx/conf.d/fullchain.pem
  args:
    creates: /etc/nginx/conf.d/fullchain.pem

- name: create a symbolic link
  file:
    src: /etc/nginx/conf.d/fullchain.pem
    dest: /etc/nginx/conf.d/privkey.pem
    owner: root
    group: root
    state: link
  ignore_errors: yes
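As an added example (not code from the original post), here is a small Python helper that does what the symbolic link above achieves in another way: it splits the combined file written by make-dummy-cert into the separate privkey.pem and fullchain.pem that nginx expects, writes the key with mode 0600 (the same effect as the script's umask 077), and computes the certificate fingerprint in the format `openssl x509 -fingerprint` prints. The SAMPLE at the bottom is constructed for the example and contains no real key or certificate.

```python
import base64
import hashlib
import os
import re

# One PEM block: the label, then its base64 body up to the matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def split_dummy_cert(text):
    """Split make-dummy-cert output into {"key": ..., "cert": ...} PEM strings.
    Exactly one private key and one certificate are required; anything else is rejected.
    """
    keys, certs = [], []
    for m in PEM_BLOCK.finditer(text):
        label, block = m.group(1), m.group(0) + "\n"
        if label.endswith("PRIVATE KEY"):
            keys.append(block)
        elif label == "CERTIFICATE":
            certs.append(block)
    if len(keys) != 1 or len(certs) != 1:
        raise ValueError("expected 1 key and 1 certificate, got %d/%d" % (len(keys), len(certs)))
    return {"key": keys[0], "cert": certs[0]}


def cert_fingerprint(cert_pem, algo="sha1"):
    """Digest of the certificate's DER bytes, formatted like `openssl x509 -fingerprint`."""
    der = base64.b64decode("".join(PEM_BLOCK.search(cert_pem).group(2).split()))
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def write_split_files(text, key_path, cert_path):
    """Write the two files nginx expects; the key gets mode 0600, like the script's umask 077."""
    parts = split_dummy_cert(text)
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(parts["key"])
    with open(cert_path, "w") as f:
        f.write(parts["cert"])
    return cert_fingerprint(parts["cert"])


# Constructed sample, NOT a real key or certificate: the certificate body is
# base64("abc"), so its SHA1 "fingerprint" is the well-known SHA1 of "abc".
SAMPLE = """-----BEGIN PRIVATE KEY-----
ZmFrZQ==
-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""
```

Run against a real make-dummy-cert file, the fingerprint returned by write_split_files should match the SHA1 Fingerprint line that openssl prints for the same file.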
Playbook using the Ansible openssl_privatekey, openssl_csr and openssl_certificate modules

---
- name: generate an OpenSSL private key
  openssl_privatekey:
    path: /etc/nginx/conf.d/privkey.pem

- name: generate an OpenSSL CSR.
  openssl_csr:
    path: /etc/nginx/conf.d/dummy.csr
    privatekey_path: /etc/nginx/conf.d/privkey.pem
    common_name: dummy

- name: generate a Self Signed OpenSSL certificate
  openssl_certificate:
    path: /etc/nginx/conf.d/fullchain.pem
    privatekey_path: /etc/nginx/conf.d/privkey.pem
    csr_path: /etc/nginx/conf.d/dummy.csr
    provider: selfsigned
Supplement: an actual example of the file created by
sudo bash /etc/pki/tls/certs/make-dummy-cert filename
[centos@ip-172-26-1-202 certs]$ # Contents of the script
[centos@ip-172-26-1-202 certs]$ cat /etc/pki/tls/certs/make-dummy-cert
#!/bin/sh
umask 077

answers() {
    echo --
    echo SomeState
    echo SomeCity
    echo SomeOrganization
    echo SomeOrganizationalUnit
    echo localhost.localdomain
    echo root@localhost.localdomain
}

if [ $# -eq 0 ] ; then
    echo $"Usage: `basename $0` filename [...]"
    exit 0
fi

for target in $@ ; do
    PEM1=`/bin/mktemp /tmp/openssl.XXXXXX`
    PEM2=`/bin/mktemp /tmp/openssl.XXXXXX`
    trap "rm -f $PEM1 $PEM2" SIGINT
    answers | /usr/bin/openssl req -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
    cat $PEM1 > ${target}
    echo "" >> ${target}
    cat $PEM2 >> ${target}
    rm -f $PEM1 $PEM2
done
[centos@ip-172-26-1-202 certs]$
[centos@ip-172-26-1-202 certs]$ # Run it
[centos@ip-172-26-1-202 certs]$ sudo bash /etc/pki/tls/certs/make-dummy-cert /tmp/sample
[centos@ip-172-26-1-202 certs]$
[centos@ip-172-26-1-202 certs]$ # Check the contents of the generated SSL certificate file
[centos@ip-172-26-1-202 certs]$ sudo cat /tmp/sample
-----BEGIN PRIVATE KEY-----
MII ...(omitted)... g==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MII ...(omitted)... qc=
-----END CERTIFICATE-----
[centos@ip-172-26-1-202 certs]$
[centos@ip-172-26-1-202 certs]$ sudo openssl x509 -text -fingerprint -noout -in /tmp/sample
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c4:04:77:a1:bc:08:1f:33
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/emailAddress=root@localhost.localdomain
Validity
Not Before: Jan 11 01:47:45 2020 GMT
Not After : Jan 10 01:47:45 2021 GMT
Subject: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/emailAddress=root@localhost.localdomain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
9B:30:41:31:F0:CE:16:BB:FD:4B:E3:85:E8:88:FF:70:78:6B:1A:DF
X509v3 Authority Key Identifier:
keyid:9B:30:41:31:F0:CE:16:BB:FD:4B:E3:85:E8:88:FF:70:78:6B:1A:DF
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
SHA1 Fingerprint=C6:D4:5C:A0:B4:74:CB:F4:CA:6A:99:2F:FC:A9:FA:B7:76:C9:7F:02
[centos@ip-172-26-1-202 certs]$
[centos@ip-172-26-1-202 certs]$ sudo openssl rsa -text -noout -in /tmp/sample
Private-Key: (2048 bit)
modulus:
publicExponent: 65537 (0x10001)
privateExponent:
prime1:
prime2:
exponent1:
exponent2:
coefficient:
[centos@ip-172-26-1-202 certs]$
Closing remarks

The SSL certificate created here is a placeholder and of course cannot be used in production.
I thought it could serve as a stopgap until it is later replaced with a Let's Encrypt certificate, so I tried defining the tasks for it.
I think the method using the Ansible modules is more generic than the one using the CentOS 7 shell script. Then again, on Ubuntu you can easily obtain the "snakeoil" dummy certificate just by installing the ssl-cert package, so... it is hard to decide.
The following pages were helpful. Thank you!
- CentOS 7 で仮のSSL証明書をとりあえず簡単に生成する方法 (How to quickly generate a temporary SSL certificate on CentOS 7) – 株式会社シーポイントラボ | a system development company in Hamamatsu
- [OpenSSL] What is a pem file? How to inspect the contents of an SSL certificate | てくめも@ecoop.net
That's all.