certificates snippets

How to use Ansible Vault to store SSL certificates

Tagged ssl, certificates, ansible, vault  Languages bash


In playbook.yml, add the vault file that will hold the SSL certificates to vars_files:

- hosts: servers
  vars_files:
    - vault/certs/{{ domain }}.yml # Private SSL certificates

Ansible Vault

Next, create an encrypted Ansible vault (one per domain):

$ ansible-vault create vault/certs/xxx.com.yml

Put the following in vault/certs/xxx.com.yml (the certificates list is what the copy task below iterates over):

certificates:
  - name: "xxx.com.pem"
    content: |
      -----BEGIN CERTIFICATE-----
  - name: "login.xxx.com.pem"
    content: |
      -----BEGIN CERTIFICATE-----

The last thing we need to do is copy the certificates from the Ansible Vault to the server (roles/ssl_certs/tasks/main.yml):

- name: Copy private SSL certificates from Ansible Vault
  tags: ssl_certs
  copy:
    content: "{{ item.content }}"
    dest: "/etc/ssl/private/{{ item.name }}"
    owner: root
    group: root
    mode: "u=rw,g=r,o="
  become: yes   # "sudo: yes" is the older spelling of the same thing
  no_log: true  # keep the PEM contents out of the -v task output
  # Certificates are stored encrypted in vault/certs/{{ domain }}.yml
  with_items:
    - "{{ certificates }}"


Use --ask-vault-pass to supply the Ansible Vault's password at deployment:

$ ansible-playbook -i inventory/hosts --limit server1 --tags "ssl_certs" playbook.yml -v --ask-vault-pass

How to view a list of a site's acceptable client certificates

Tagged ca, certificates, client certificate, openssl, ssl  Languages bash

To view a list of acceptable client certificates, execute:

$ openssl s_client -connect golang.org:443

The output is a list of acceptable CA names:

Acceptable client certificate CA names
/C=FI/ST=Finland/O=Vaestorekisterikeskus CA/OU=XYZ/CN=ÅÄÖ

or, if the server did not request a client certificate (or sent an empty CA list):

No client certificate CA names sent
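An added helper, not part of the original snippet, that parses the s_client output shown above: it extracts the advertised CA names and yields an empty list for the "No client certificate CA names sent" case. The function names, the sample outputs and the CA DNs in them are constructed for this example.

```shell
# parse_client_ca_names: read `openssl s_client` output on stdin and print the
# CA names listed under "Acceptable client certificate CA names", one per line.
# Prints nothing when the server sent no CA names (the "No client certificate
# CA names sent" case), so an empty result means no client cert was requested.
parse_client_ca_names() {
  awk '
    /^Acceptable client certificate CA names/ { in_list = 1; next }
    in_list && (/^Client Certificate Types/ || /^Requested Signature/ || /^Shared Requested/ || /^Peer signing digest/ || /^---/) { in_list = 0 }
    in_list { print }
  '
}

# count_client_ca_names: number of CA names in s_client output read from stdin.
count_client_ca_names() {
  parse_client_ca_names | wc -l | tr -d ' '
}

# list_client_ca_names HOST [PORT]: live check (needs network). stdin is closed so
# s_client exits after the handshake instead of waiting for input; -servername
# sends SNI so a virtual host answers with its own certificate request.
list_client_ca_names() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | parse_client_ca_names
}

# Constructed sample in the shape s_client prints for a server that requests a
# client certificate (two CAs, one in the old and one in the new DN format).
SAMPLE_WITH_CAS='---
Acceptable client certificate CA names
/C=FI/ST=Finland/O=Vaestorekisterikeskus CA/OU=XYZ/CN=Example Client CA
C = US, O = Example Corp, CN = Example Employee CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
SSL handshake has read 3210 bytes and written 456 bytes'

# Constructed sample for a server that does not request a client certificate.
SAMPLE_NO_CAS='---
No client certificate CA names sent
Peer signing digest: SHA256
---'

printf '%s\n' "$SAMPLE_WITH_CAS" | parse_client_ca_names
```

Run `list_client_ca_names golang.org` for the live equivalent of the command above.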

To log client certificate information with haproxy (note that verify optional together with crt-ignore-err all lets a connection through even when the client certificate fails verification, so anything behind haproxy must check X-SSL-Client-Verify, which is 0 only for a successfully verified certificate, before trusting the DN headers; set-header rather than add-header is used so a client cannot smuggle in its own values):

  bind *:443 ssl crt xyz.com.pem ca-file vrk-ca.pem verify optional crt-ignore-err all crl-file vrk-revocation-list.pem
  # See https://www.haproxy.com/blog/ssl-client-certificate-information-in-http-headers-and-logs/
  http-request set-header X-SSL                  %[ssl_fc]
  http-request set-header X-SSL-Client-Verify    %[ssl_c_verify]
  http-request set-header X-SSL-Client-DN        %{+Q}[ssl_c_s_dn]
  http-request set-header X-SSL-Client-CN        %{+Q}[ssl_c_s_dn(cn)]
  http-request set-header X-SSL-Issuer           %{+Q}[ssl_c_i_dn]
  http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
  http-request set-header X-SSL-Client-NotAfter  %{+Q}[ssl_c_notafter]

  log-format "%ci:%cp [%t] %ft %b/%s %Tq/%Tw/%Tc/%Tr/%Tt %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]} %{+Q}r"

Also see https://tools.ietf.org/html/rfc5246#page-53