Ansible で CentOS 7 の自己署名の SSL 証明書を作成するタスク 2 種の方法をメモ

まとめ

sudo bash /etc/pki/tls/certs/make-dummy-cert filename を使う方法

  • PRIVATE KEY と CERTIFICATE が一つのファイルに出力される。
  • Nginx 設定ファイルで使えるようにするために、シンボリックリンクを作って ssl_certificate と ssl_certificate_key に指定する。

Ansible の openssl_privatekey, openssl_csr, openssl_certificate モジュールを使う方法

sudo bash /etc/pki/tls/certs/make-dummy-cert filename を使うプレイブック

---
- name: generate a Self Signed OpenSSL certificate
  command: /etc/pki/tls/certs/make-dummy-cert /etc/nginx/conf.d/fullchain.pem
  args:
      creates: /etc/nginx/conf.d/fullchain.pem

- name: create a symbolic link
  file:
    src: /etc/nginx/conf.d/fullchain.pem
    dest: /etc/nginx/conf.d/privkey.pem
    owner: root
    group: root
    state: link
  ignore_errors: yes

Ansible の openssl_privatekey, openssl_csr, openssl_certificate モジュールを使うプレイブック

---
- name: generate an OpenSSL private key
  openssl_privatekey:
    path: /etc/nginx/conf.d/privkey.pem

- name: generate an OpenSSL CSR.
  openssl_csr:
    path: /etc/nginx/conf.d/dummy.csr
    privatekey_path: /etc/nginx/conf.d/privkey.pem
    common_name: dummy

- name: generate a Self Signed OpenSSL certificate
  openssl_certificate:
    path: /etc/nginx/conf.d/fullchain.pem
    privatekey_path: /etc/nginx/conf.d/privkey.pem
    csr_path: /etc/nginx/conf.d/dummy.csr
    provider: selfsigned

補足。 sudo bash /etc/pki/tls/certs/make-dummy-cert filename で作成されるファイルの実際の例

[centos@ip-172-26-1-202 certs]$ # 中身
[centos@ip-172-26-1-202 certs]$ cat /etc/pki/tls/certs/make-dummy-cert
#!/bin/sh
umask 077

answers() {
        echo --
        echo SomeState
        echo SomeCity
        echo SomeOrganization
        echo SomeOrganizationalUnit
        echo localhost.localdomain
        echo root@localhost.localdomain
}

if [ $# -eq 0 ] ; then
        echo $"Usage: `basename $0` filename [...]"
        exit 0
fi

for target in $@ ; do
        PEM1=`/bin/mktemp /tmp/openssl.XXXXXX`
        PEM2=`/bin/mktemp /tmp/openssl.XXXXXX`
        trap "rm -f $PEM1 $PEM2" SIGINT
        answers | /usr/bin/openssl req -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
        cat $PEM1 >  ${target}
        echo ""   >> ${target}
        cat $PEM2 >> ${target}
        rm -f $PEM1 $PEM2
done
[centos@ip-172-26-1-202 certs]$
[centos@ip-172-26-1-202 certs]$
[centos@ip-172-26-1-202 certs]$
[centos@ip-172-26-1-202 certs]$ # 実行
[centos@ip-172-26-1-202 certs]$ sudo bash /etc/pki/tls/certs/make-dummy-cert /tmp/sample
[centos@ip-172-26-1-202 certs]$
[centos@ip-172-26-1-202 certs]$
[centos@ip-172-26-1-202 certs]$
[centos@ip-172-26-1-202 certs]$ # 作成された SSL 証明書の内容確認
[centos@ip-172-26-1-202 certs]$ sudo cat /tmp/sample
-----BEGIN PRIVATE KEY-----
MII ...略... g==
-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
MII ...略... qc=
-----END CERTIFICATE-----
[centos@ip-172-26-1-202 certs]$
[centos@ip-172-26-1-202 certs]$ sudo openssl x509 -text -fingerprint -noout -in /tmp/sample
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c4:04:77:a1:bc:08:1f:33
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/emailAddress=root@localhost.localdomain
        Validity
            Not Before: Jan 11 01:47:45 2020 GMT
            Not After : Jan 10 01:47:45 2021 GMT
        Subject: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/emailAddress=root@localhost.localdomain
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:99:37:52:c2:3e:32:8d:57:5c:c4:a4:12:a2:f2:
                    fd:d9:18:64:29:47:42:77:5b:b7:17:46:31:a4:27:
                    a2:93:38:ef:5b:82:8f:00:62:31:b3:ef:63:e2:ba:
                    41:56:06:52:fa:a7:3d:98:b1:20:3b:9c:21:fe:42:
                    46:34:3a:72:98:10:7a:ef:f8:a8:9d:80:b2:ba:f3:
                    17:b7:e7:46:e8:91:f0:4a:a7:9a:37:00:47:11:c3:
                    65:10:45:d1:64:2f:d2:5f:b6:a8:8f:cc:43:a8:36:
                    4c:57:b6:81:f0:65:71:72:3a:df:33:f7:1a:2f:94:
                    61:f0:90:34:b4:a3:5d:cb:ef:3e:97:41:4c:2b:f6:
                    ba:5e:54:07:44:b5:26:2e:b5:ec:b3:a8:7c:5c:7f:
                    29:b5:f9:c0:47:73:1e:14:45:3c:30:1f:d2:fb:08:
                    17:91:36:ce:62:1d:94:6a:82:31:3a:cc:15:ad:34:
                    16:e2:ee:9d:ab:54:ae:17:2f:04:e8:3e:ee:8b:ea:
                    1b:8c:1f:5b:d9:0c:98:38:9b:7d:40:17:80:41:06:
                    9d:f8:cc:bc:d6:a8:c6:35:02:2a:86:0f:d3:8d:dd:
                    be:16:ae:07:60:5c:03:44:41:64:72:eb:0f:12:80:
                    e3:a5:5d:ce:1c:54:18:ea:f0:b2:02:3d:11:55:2f:
                    32:1f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                9B:30:41:31:F0:CE:16:BB:FD:4B:E3:85:E8:88:FF:70:78:6B:1A:DF
            X509v3 Authority Key Identifier:
                keyid:9B:30:41:31:F0:CE:16:BB:FD:4B:E3:85:E8:88:FF:70:78:6B:1A:DF

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         7c:7f:d9:c1:60:3b:e2:2d:d9:56:26:98:42:74:3b:a0:e5:8b:
         22:0f:eb:cc:11:61:6c:78:bb:e1:73:c9:1f:6b:f4:03:24:57:
         fd:65:b2:c4:2a:19:83:57:97:11:95:cd:eb:37:00:0a:3a:45:
         93:fa:3f:26:05:00:30:a8:4c:ed:8a:32:ed:b9:f1:85:f0:50:
         7f:2e:49:18:dc:77:63:5a:3d:42:e1:fc:8d:20:e4:12:d3:30:
         b6:58:ba:60:a6:12:b7:f4:ac:1f:18:e1:97:ae:27:2a:56:27:
         e6:66:38:93:6b:a8:4d:68:49:6c:27:3d:64:d8:af:ec:11:29:
         45:68:9f:a5:6c:9f:66:62:88:2d:62:43:85:13:99:ca:a9:ab:
         43:99:6a:0c:a5:c4:c0:58:3e:04:b7:33:cd:84:71:05:4e:cd:
         5c:76:11:15:6c:d7:91:ae:78:e9:ff:c5:7b:d5:f4:5d:be:16:
         24:b8:4b:8e:67:6d:f5:5e:df:de:f1:55:30:c1:db:d7:5f:ef:
         b8:6f:ae:df:b8:25:52:54:44:e8:43:86:66:f0:8f:bc:9a:0d:
         11:e4:c8:cc:90:d6:16:8c:0b:41:8f:e7:3d:c7:f7:16:79:a9:
         34:3f:99:2f:18:1e:b6:3b:7f:06:c1:cd:0b:0c:ad:f2:91:87:
         62:63:62:a7
SHA1 Fingerprint=C6:D4:5C:A0:B4:74:CB:F4:CA:6A:99:2F:FC:A9:FA:B7:76:C9:7F:02
[centos@ip-172-26-1-202 certs]$
[centos@ip-172-26-1-202 certs]$
[centos@ip-172-26-1-202 certs]$
[centos@ip-172-26-1-202 certs]$ sudo openssl rsa -text -noout -in /tmp/sample
Private-Key: (2048 bit)
modulus:
    00:99:37:52:c2:3e:32:8d:57:5c:c4:a4:12:a2:f2:
    fd:d9:18:64:29:47:42:77:5b:b7:17:46:31:a4:27:
    a2:93:38:ef:5b:82:8f:00:62:31:b3:ef:63:e2:ba:
    41:56:06:52:fa:a7:3d:98:b1:20:3b:9c:21:fe:42:
    46:34:3a:72:98:10:7a:ef:f8:a8:9d:80:b2:ba:f3:
    17:b7:e7:46:e8:91:f0:4a:a7:9a:37:00:47:11:c3:
    65:10:45:d1:64:2f:d2:5f:b6:a8:8f:cc:43:a8:36:
    4c:57:b6:81:f0:65:71:72:3a:df:33:f7:1a:2f:94:
    61:f0:90:34:b4:a3:5d:cb:ef:3e:97:41:4c:2b:f6:
    ba:5e:54:07:44:b5:26:2e:b5:ec:b3:a8:7c:5c:7f:
    29:b5:f9:c0:47:73:1e:14:45:3c:30:1f:d2:fb:08:
    17:91:36:ce:62:1d:94:6a:82:31:3a:cc:15:ad:34:
    16:e2:ee:9d:ab:54:ae:17:2f:04:e8:3e:ee:8b:ea:
    1b:8c:1f:5b:d9:0c:98:38:9b:7d:40:17:80:41:06:
    9d:f8:cc:bc:d6:a8:c6:35:02:2a:86:0f:d3:8d:dd:
    be:16:ae:07:60:5c:03:44:41:64:72:eb:0f:12:80:
    e3:a5:5d:ce:1c:54:18:ea:f0:b2:02:3d:11:55:2f:
    32:1f
publicExponent: 65537 (0x10001)
privateExponent:
    00:86:d2:64:d3:a2:31:8f:a8:51:6c:83:c8:16:75:
    66:24:d3:ce:c7:77:fa:27:d7:9f:cc:2e:2b:5e:7c:
    b6:15:80:a3:37:4e:32:91:ae:d6:77:b4:6e:9b:c3:
    33:dd:03:e1:9e:c8:ed:6d:e0:67:31:ad:19:48:88:
    7f:08:54:6a:24:1f:54:5e:b7:db:80:05:10:c1:6b:
    49:f2:bc:e3:eb:a1:07:e6:59:87:5d:60:b4:29:10:
    5c:6d:2e:52:ac:2b:5c:9e:76:b7:eb:19:5e:6b:b5:
    a4:06:07:06:5e:48:95:c4:63:c3:a7:11:88:8c:57:
    b0:bb:23:da:0d:1e:38:5a:4b:86:a6:3a:ef:bb:17:
    6b:6c:cb:e5:29:0e:43:5a:42:74:10:fb:c9:cd:01:
    34:e5:2e:c4:e8:b1:9e:2d:00:5e:d4:06:b1:53:4b:
    a4:35:da:65:c0:46:ae:f0:f3:9a:1e:4d:45:c3:ad:
    18:ec:0c:08:6a:90:73:34:66:81:5d:31:ba:69:e6:
    34:fd:ab:bf:42:c8:85:dc:11:e6:e3:a9:99:79:52:
    ec:86:9f:ed:15:4f:f7:2a:8b:a8:0e:0f:1c:61:e1:
    a9:4d:53:1c:40:49:95:94:ab:71:78:64:a2:dc:4b:
    90:17:46:dc:99:85:30:32:40:e2:b5:6e:a6:73:bd:
    27:29
prime1:
    00:c6:97:fa:fe:b1:e4:84:a8:b6:a4:48:52:b9:0a:
    7b:69:78:16:14:d8:46:06:a9:1a:47:b8:9a:a9:e1:
    f0:b0:12:56:02:93:bc:0b:57:ad:16:fb:a0:2e:83:
    26:9f:72:24:31:69:59:d9:65:6e:d7:41:61:0b:c3:
    73:de:cc:bf:8d:f0:6e:d7:0a:aa:6c:3d:b1:c4:ea:
    4f:92:fe:61:5c:ee:a9:91:0e:07:54:c1:dd:9a:ea:
    61:7c:05:09:19:f2:ea:56:e1:74:70:e0:fc:37:98:
    bf:c8:b1:1f:03:3e:0b:cb:c1:a9:27:04:43:ca:ff:
    19:0d:e3:24:5c:b6:9f:d8:a5
prime2:
    00:c5:81:62:00:c2:7d:89:66:3a:7c:d0:1c:76:c1:
    1c:d3:a5:42:5f:4f:39:73:d9:7b:8f:20:ff:3a:f1:
    43:78:84:0f:1e:df:be:79:0e:7f:77:dd:55:0b:a1:
    9b:93:b1:6c:94:87:99:3f:ac:73:b3:f8:99:64:61:
    35:a3:83:9a:82:d4:8a:0f:2b:8d:4d:79:6a:07:f0:
    1c:d6:9b:4a:77:62:c4:cb:23:dd:7b:33:11:79:4f:
    b3:ce:a3:de:44:f0:cc:82:da:d7:ae:2d:b4:31:5e:
    84:b5:f3:f9:fa:0a:ea:2b:4c:4c:f3:68:e6:b0:56:
    d4:52:1f:fc:b7:a5:27:60:73
exponent1:
    00:85:4b:75:38:86:86:6f:54:1e:62:dd:f8:48:22:
    f4:fa:b1:93:80:a2:39:3e:37:3a:60:71:53:be:3a:
    dc:a6:11:68:91:8a:3f:69:0d:8c:2c:24:f0:3a:c7:
    e4:a0:98:a8:1a:52:2f:f0:6e:d8:9a:ba:53:3c:e6:
    0f:5b:b7:e9:ca:87:5a:9e:13:96:97:d8:40:fd:7e:
    97:b2:7d:f3:33:c1:2d:27:23:57:60:58:4f:39:af:
    9f:86:f2:8a:4d:54:72:5d:a6:2d:d5:a5:ed:24:13:
    ee:85:f1:fc:72:dc:ae:66:30:b2:2c:71:fc:5e:c0:
    22:3c:e3:fc:80:0e:43:f3:d1
exponent2:
    3f:fd:e5:b4:fd:4f:13:5f:8d:ff:b6:a6:22:4b:fb:
    7d:0f:84:6b:c1:0d:8a:5d:a2:cd:03:11:ef:15:10:
    99:51:a0:5c:8e:7d:f6:57:1e:31:c6:02:b2:1c:10:
    7e:4f:f4:30:43:a7:01:9c:6c:78:99:49:89:de:7d:
    34:97:85:4e:72:72:b0:eb:99:82:ca:9d:f2:28:78:
    0f:88:8d:1e:15:60:51:b9:33:1f:a1:b2:3d:ad:f7:
    42:32:91:e7:a0:65:82:d8:49:1d:64:2d:87:f9:69:
    e2:52:44:62:21:7b:31:c0:2d:06:88:ac:85:e1:fc:
    35:07:ac:28:0c:58:af:c5
coefficient:
    00:ba:75:26:83:2a:5e:d2:1b:58:46:31:b0:1d:02:
    fc:84:90:7b:e2:1f:d5:8e:54:ca:ec:6f:a2:ea:8b:
    40:b0:80:54:27:aa:0b:7a:f7:43:65:55:f6:c0:e6:
    c7:5d:a2:02:6b:ee:a6:27:88:ff:c7:e3:e6:e7:1e:
    f9:70:ed:96:07:e7:db:a7:b3:66:08:05:6b:e3:db:
    40:02:b7:05:fd:52:7d:d5:35:51:bc:d9:4d:24:ca:
    c2:de:2e:38:13:36:b0:de:fb:6d:01:85:e3:b6:3b:
    31:66:36:05:dd:bc:cc:f6:ec:47:63:51:71:92:ed:
    2a:a0:7e:61:88:c6:ea:62:72
[centos@ip-172-26-1-202 certs]$

おわりに

今回作成した SSL 証明書は仮のもので、もちろん本番用には使えません。

後から Let’s Encrypt の SSL 証明書へ差し替えるまでの繋ぎとして使えそうだと思い、タスクを定義してみました。

CentOS 7 のシェルスクリプトを使う方法よりも、 Ansible モジュールを使った方法の方が汎用的かなあと思います。けれども、 Ubuntu なら ssl-cert パッケージを導入すれば snakeoil というダミーの証明書を手軽に入手できますし、、、迷うところではあります。

次のページが参考になりました。ありがとうございます!

以上です。

コメントを残す

コメントを残す