
Sectigo Ansible

Ansible playbook for generating a certificate from Sectigo.

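---
# Runs entirely on the controller (localhost): the key, CSR and issued
# certificate all land under /var/lib/awx/projects/cert_project_sectigo.
# Inputs are extra vars: common (the certificate's common name, also used
# as the file name), sectigo_username / sectigo_password, and the values
# ssl.j2 reads (type, comments, external, subjAltNames).
- name: Create cert
  hosts: localhost
  connection: local
  # No task in this play references gathered facts.
  gather_facts: false

  pre_tasks:
    # common is interpolated verbatim into file paths and into the request
    # body, so reject anything that is not a plain (optionally wildcard)
    # DNS name before any file is created. Excluding '/' and whitespace is
    # what keeps the generated paths inside the project directory.
    - name: validate common name
      assert:
        that:
          - common is defined
          - common is match('^([*][.])?[A-Za-z0-9][A-Za-z0-9.-]*$')
        fail_msg: "common must be a DNS name, optionally prefixed with '*.', got: {{ common | default('<undefined>') }}"
      tags:
        - sslstandard

  tasks: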
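    # The private key never leaves the controller. Note that the target is
    # an AWX project directory, which is normally populated from SCM; whether
    # keys should live there depends on how this project is provisioned.
    - name: generate privatekey
      openssl_privatekey:
        path: "/var/lib/awx/projects/cert_project_sectigo/key/{{ common }}.pem"
        size: 2048
        # Owner-only permissions, stated explicitly so the intent is visible
        # and does not depend on the module's default for new key files.
        mode: "0600"
      tags:
        - sslstandard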

    # The CSR carries only the common name; for multidomain orders the SANs
    # are supplied in the enroll request body (ssl.j2), not in the CSR.
    - name: generate csr
      openssl_csr:
        common_name: "{{ common }}"
        privatekey_path: "/var/lib/awx/projects/cert_project_sectigo/key/{{ common }}.pem"
        path: "/var/lib/awx/projects/cert_project_sectigo/csr/{{ common }}.csr"
      tags:
        - sslstandard

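    # Read the CSR back so ssl.j2 can embed it (it reads csrfromfile.stdout).
    # The argv form passes the path as a single argument, so a common name
    # containing spaces or shell-like characters cannot be split into extra
    # arguments. Reading a file changes nothing, hence changed_when: false.
    - name: get csr from file
      command:
        argv:
          - cat
          - "/var/lib/awx/projects/cert_project_sectigo/csr/{{ common }}.csr"
      register: csrfromfile
      changed_when: false
      tags:
        - sslstandard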

    # Shows the CSR collapsed onto a single line. The registered result is
    # not read by any task in this play or by ssl.j2 (which applies the same
    # replace to csrfromfile.stdout itself), so this is informational only.
    - name: get csr without newline
      debug:
        msg: "{{ csrfromfile.stdout | replace('\n', '' )}}"
      tags:
        - sslstandard
      register: csrwithoutnewline

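    # Sectigo's REST API authenticates with the customerUri / login /
    # password headers, not HTTP basic auth, so the uri module's
    # url_username/url_password/force_basic_auth options are not needed.
    # no_log keeps those headers and the full response out of the job
    # output. The JSON body is rendered from ssl.j2.
    - name: request certificate from sectigo
      uri:
        url: https://cert-manager.com/api/ssl/v1/enroll
        method: POST
        body_format: json
        body: "{{ lookup('template','ssl.j2') }}"
        # Stated explicitly: the credentials in the headers below must never
        # be sent to an endpoint whose TLS certificate does not verify.
        validate_certs: true
        status_code: 200
        headers:
          Content-Type: application/json
          customerUri: sunet
          login: "{{ sectigo_username }}"
          password: "{{ sectigo_password }}"
      register: certresult
      no_log: true
      tags:
        - sslstandard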
 
    # Surface the Sectigo order id; the wait and download tasks key off it,
    # and it is the reference to look up if issuance stalls.
    - name: get certid
      tags:
        - sslstandard
      debug:
        msg: '{{ certresult.json.sslId }}'


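    # Poll the order until Sectigo reports it as issued. The retry budget is
    # overridable via extra vars because issuance time varies; the defaults
    # keep the original 2 x 30 s behaviour. no_log also hides the status
    # returned on each attempt, so a timeout here is reported without
    # detail — check the order id printed above in the Sectigo console.
    - name: wait for cert to be issued from sectigo
      uri:
        url: "https://cert-manager.com/api/ssl/v1/{{ certresult.json.sslId }}"
        method: GET
        body_format: json
        return_content: true
        validate_certs: true
        status_code: 200
        headers:
          Content-Type: application/json
          customerUri: sunet
          login: "{{ sectigo_username }}"
          password: "{{ sectigo_password }}"
      register: pendingstatus
      until: pendingstatus.json.status == "Issued"
      retries: "{{ sectigo_issue_retries | default(2) }}"
      delay: "{{ sectigo_issue_delay | default(30) }}"
      no_log: true
      tags:
        - sslstandard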

    # Fetch the issued certificate (x509 PEM) straight to disk, alongside the
    # key and CSR. The same header-based credentials apply, hence no_log.
    - name: download certificate in pem format
      no_log: true
      tags:
        - sslstandard
      register: download_status
      uri:
        method: GET
        url: "https://cert-manager.com/api/ssl/v1/collect/{{ certresult.json.sslId }}/x509"
        dest: "/var/lib/awx/projects/cert_project_sectigo/downloaded_certs/{{ common }}.pem"
        headers:
          customerUri: sunet
          login: "{{ sectigo_username }}"
          password: "{{ sectigo_password }}"
          Content-Type: application/json

Jinja2 template (ssl.j2)

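{# Sectigo enroll request body, rendered by the playbook with
   lookup('template', 'ssl.j2') and sent with body_format: json.
   Every templated value goes through to_json so the output stays valid
   JSON (and the value stays a single JSON string) even when it contains
   quotes, backslashes or newlines — with bare "{{ var }}" a value could
   otherwise close the string and inject further fields into the request.
   orgId is the organisation id placeholder to fill in for your account.
   Variables read: common, type, subjAltNames, comments, external and
   csrfromfile.stdout (registered by the "get csr from file" task).
   A type outside the three handled below sends no certType at all, as in
   the original template; presumably the API rejects such a request. #}
{
    "orgId": xxxxx,
    "commonName": {{ common | to_json }},
    "numberServers": 0,
    "serverType": -1,
{% if type == 'sslstandard' %}
    "certType": 423,
{% elif type == 'sslmultidomain' %}
    "certType": 426,
    "subjAltNames": {{ subjAltNames | to_json }},
{% elif type == 'sslwildcard' %}
    "certType": 424,
{% endif %}
    "term": 730,
    "comments": {{ comments | to_json }},
    "externalRequester": {{ external | to_json }},
    "csr": {{ csrfromfile.stdout | replace('\n', '') | to_json }}
}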