ansible snippets

How to use Ansible Vault to store SSL certificates

Tagged ssl, certificates, ansible, vault  Languages bash

Playbook

In playbook.yml, add the vault file that will hold the SSL certificates to vars_files:

---
- hosts: servers
  roles:
...
  vars_files:
    - vault/certs/{{ domain }}.yml # Private SSL certificates

Ansible Vault

Next, create an encrypted Ansible vault (one per domain):

$ ansible-vault create vault/certs/xxx.com.yml

Put the following in vault/certs/xxx.com.yml (the certificate bodies are shortened here):

certificates:
  - name: "xxx.com.pem"
    content: |
      -----BEGIN CERTIFICATE-----
  - name: "login.xxx.com.pem"
    content: |
      -----BEGIN CERTIFICATE-----

The last thing we need to do is copy the certificates from the Ansible Vault to the server (roles/ssl_certs/tasks/main.yml):

- name: Copy private SSL certificates from Ansible Vault
  tags: ssl_certs
  copy:
    content: "{{ item.content }}"
    dest: "/etc/ssl/private/{{ item.name }}"
    owner: root
    group: root
    mode: "u=rw,g=r,o="   # 0640: readable by root and the root group only
  sudo: yes               # spelled "become: yes" on Ansible 1.9 and later
  with_items:
    # Certificates are stored encrypted in vault/certs/{{ domain }}.yml
    - "{{ certificates }}"

Usage

Pass --ask-vault-pass so ansible-playbook prompts for the vault password at deployment time. Because -v echoes task results, add no_log: true to the copy task if you do not want certificate material to appear in the play output.

$ ansible-playbook -i inventory/hosts --limit server1 --tags "ssl_certs" playbook.yml -v --ask-vault-pass
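The vault file is edited in the clear (ansible-vault edit, or ansible-vault decrypt followed by a manual edit), so the classic mistake is committing the decrypted YAML. The git pre-commit hook below is an added example, not part of the original snippet; it assumes vault files live under vault/ and relies on the "$ANSIBLE_VAULT;" header that ansible-vault writes as the first line of every encrypted file.

```shell
#!/bin/sh
# Added example, not from the original snippet: a git pre-commit hook that blocks
# committing a decrypted vault/certs/<domain>.yml or a bare PEM private key.
# Assumes vault files live under vault/ and that ansible-vault writes its
# "$ANSIBLE_VAULT;" header as the first line of every encrypted file.

# 0 if the first line carries the ansible-vault header, 1 otherwise.
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# 0 if the file contains a plaintext PEM private key block, 1 otherwise.
contains_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Check one repo-relative path: 0 if it may be committed, 1 (with a reason) if not.
check_file() {
    case "$1" in
        vault/*)
            # Under vault/ only encrypted files are allowed, never the decrypted YAML.
            if ! is_vault_encrypted "$1"; then
                echo "blocked: $1 is under vault/ but not ansible-vault encrypted" >&2
                return 1
            fi ;;
        *)
            # Anywhere else, refuse a private key pasted in the clear.
            if contains_private_key "$1"; then
                echo "blocked: $1 contains a plaintext PEM private key" >&2
                return 1
            fi ;;
    esac
    return 0
}

# Run check_file over every staged (added/copied/modified) path; 1 if any failed.
check_staged_files() {
    status=0
    for f in $(git diff --cached --name-only --diff-filter=ACM); do
        check_file "$f" || status=1
    done
    return $status
}

# As .git/hooks/pre-commit this runs the check; when sourced it only defines functions.
if [ "${0##*/}" = "pre-commit" ]; then
    check_staged_files || exit 1
fi
```

Copy it to .git/hooks/pre-commit and make it executable; a public certificate outside vault/ still passes, only private keys and unencrypted vault files are refused.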

How to fix the "Permission denied (publickey)." error with Ansible and "git clone"

Tagged git, ansible  Languages bash

If you have a "git clone" task like this in Ansible:

- name: Update code
  git: >
    repo={{ git_url }}
    dest={{ this_release_path }}
    version={{ git_version }}
    accept_hostkey=yes
  register: git

and the playbook is set to use sudo for all commands, you may get this error:

stderr: Cloning into 'jeb-bush'...
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

FATAL: all hosts have already failed -- aborting

It could be that you need to add "sudo: no" to the task. Under sudo the clone runs as root, which has neither the deploy user's key in ~/.ssh nor, with sudo's default env_reset, the forwarded agent socket in SSH_AUTH_SOCK, so public-key authentication to the remote fails.

- name: Update code
  sudo: no   # clone as the SSH user, whose key and agent can reach the remote
  git: >
    repo={{ git_url }}
    dest={{ this_release_path }}
    version={{ git_version }}
    accept_hostkey=yes
  register: git