Forum Discussion
AS3 w/ certificates and renewals..
- Aug 07, 2024
I appreciate the response. We have already made an extensive investment in AS3, so we are not backing out of that. For the new setup, we are forgoing the Python script that we used in the past to renew certificates - due to it breaking the source of truth of AS3.
So I have some ideas, and we do have the Ansible Automation Platform (AAP), so I think we will be writing a playbook that will basically do the following:
- Use a home-made python based AAP plugin that will scan all the files in our GitHub repository. It will return a list of files that have expired certificates within, based on a threshold date.
- Read in each file into a JSON variable, this would be the entire declaration. I am doing this, so it will be easy to literally pull out the certificate(s) into a separate variable using JSON/YAML references.
- Pull out the Common Name and any SANs from the existing certificate.
- Generate a new CSR / private key based on info above.
- Using ACME, generate a new certificate.
- Insert the certificate and new key into the JSON/YAML structure (again using the references, using an assignment).
- Write out the JSON/YAML structure to a file, and upload it to GitHub, replacing what exists (new version, and all).
- Do a push and pull request (all automated).
- Then run the two plays I have that fetch the declaration from GitHub and deploy it (thus renewing the certificate) -- all using the source of truth.
I am sure you saw that I am uploading the certificate and key to the GitHub repository. Right now -- yes -- probably a bad practice, but one we are following until we get everything migrated. The GitHub repository is private to myself and the service owners (whitelist access only), which is a stopgap. During and after migration -- I will be working on pulling the private keys out, and putting references there instead, that I would read and fetch the appropriate private key from a safer storage location, and then insert it into a read-in declaration -- then deploy it, all from memory, and the private key is purged from memory once the playbook ends.
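The scan step of the playbook above (find the declarations holding a certificate inside the renewal threshold and pull the CN and SANs that the replacement CSR must carry), written as an added example in Go using only the standard library; it is not the poster's Python plugin and not F5 code. It assumes the AS3 layout in which a `Certificate` object carries its PEM in the `certificate` field, and the host names, tenant, application and declaration are constructed test data.

```go
package main

import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/x509"; "crypto/x509/pkix"
	"encoding/json"; "encoding/pem"; "math/big"; "time"
)
// Expiring is one AS3 "Certificate" object due for renewal, with the subject data the new CSR must reproduce.
type Expiring struct {
	Path, CN string; SANs []string; NotAfter time.Time // Path like "/Tenant/App/webcert"
}
// ScanDeclaration walks an AS3 declaration at any depth and returns every "Certificate" object whose PEM in
// "certificate" expires before now+threshold. It never reads "privateKey"; an unparseable PEM is skipped, not fatal.
func ScanDeclaration(decl []byte, now time.Time, threshold time.Duration) ([]Expiring, error) {
	var root interface{}; if err := json.Unmarshal(decl, &root); err != nil { return nil, err }
	var out []Expiring; var walk func(node interface{}, path string)
	walk = func(node interface{}, path string) {
		m, ok := node.(map[string]interface{})
		if !ok { return }
		if m["class"] != "Certificate" { // not a cert object: descend into its children
			for k, v := range m { walk(v, path+"/"+k) }
			return
		}
		text, _ := m["certificate"].(string)
		if block, _ := pem.Decode([]byte(text)); block != nil {
			if c, err := x509.ParseCertificate(block.Bytes); err == nil && c.NotAfter.Before(now.Add(threshold)) {
				out = append(out, Expiring{path, c.Subject.CommonName, c.DNSNames, c.NotAfter})
			}
		}
	}
	walk(root, "")
	return out, nil
}

// CertObject builds a constructed AS3 Certificate object around a self-signed test cert (hypothetical names).
func CertObject(cn string, sans []string, notAfter time.Time) map[string]interface{} {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	pemText := string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	return map[string]interface{}{"class": "Certificate", "certificate": pemText}
}

// SampleDeclaration is a constructed ADC declaration: "webcert" expires in daysLeft days, "okcert" in a year.
func SampleDeclaration(now time.Time, daysLeft int) []byte {
	raw, _ := json.Marshal(map[string]interface{}{"class": "ADC", "Tenant": map[string]interface{}{"class": "Tenant",
		"App": map[string]interface{}{"class": "Application",
			"webcert": CertObject("www.example.edu", []string{"www.example.edu", "example.edu"}, now.AddDate(0, 0, daysLeft)),
			"okcert":  CertObject("api.example.edu", nil, now.AddDate(1, 0, 0))}}})
	return raw
}
```

The returned `Path` is the JSON reference the later steps of the playbook would use to assign the renewed `certificate` and `privateKey` back into the same object, so the scan needs read access to the declaration only, never to the existing private key.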
Thanks, and I appreciate your answer :)
Regarding the private key, yeah, that is probably the optimal way to go if the cert/key is to be placed into the declaration. We would do it a very similar way. But still, even though it is securely stored it has to be read, and that means it is sent over the wire...
Once we deep dive into this, we will most probably go the way to keep certs and keys in Common partition, ideally the private key is not ever sent anywhere. But I realize I might be wrong and I like to see other people's approaches.
Thanks, and good luck with your solution.
Zdenek
- Greg_Jewett, Aug 08, 2024 (Cirrus)
Regarding the "wire", the Github repository / server we are using is internal to the University of Texas campus. It is a private server, we are not using the public GitHub.