ansible-pki

Bootstrap and manage internal PKI, Certificate Authorities and OpenSSL/GnuTLS certificates

Results 23 ansible-pki issues

Changing parameters for ACME has no effect. * Changing `acme-subject`, `acme_domains`, `acme_subdomains` or `acme_alt_names` has no effect, since these values are passed to the server only in `Create new PKI...

When changing the `pki_acme_ca` from testing to live, 1. certificates are not re-generated. Workaround: `rm default.key config/realm.conf acme/{error.log,*.pem}` 2. the nginx server is not reloaded (even after applying the workaround...

The 'Create PKI realms' task runs only on creation of realm. This is due to the "creates: '/etc/pki/realms/{{ item.name }}/default.key'" line. Is it necessary? I mean running the "pki-realm new-realm...

Based on IRC chat with drybjed I add this request here, and not to ansible-nginx. HPKP is a trust on first use security mechanism which protects HTTPS websites from impersonation...

I had a typo in a script of mine that accidentally passed a CIDR ip range instead of an IP as a subject_alt_name. Everything seemed to run normally, except the...

It seems the acme_challenge_dir is hard coded. The /usr/local/lib/pki/pki-realm script allows for overwriting args["acme_challenge_dir"], but that's not done when the "run" sub command is called: ``` # Execute PKI realm...

Currently, the realm key used for all certificates of this realm (internal, external, ACME) is created on realm creation. In the case of ACME and LE, the certificate is renewed...

As recommended/explained on [BetterCrypto.org](https://bettercrypto.org/static/applied-crypto-hardening.pdf) in "Random Number Generators" -> "Recommendations" VMs and embedded systems might have a low entropy pool. It would be nice to allow to generate realm private...

The execution of the following playbook... ``` yaml --- - name: PKI realms hosts: all become: True vars: custom_pki_realms: - name: 'k8s' subject_alt_names: - 'ip:{{ ansible_default_ipv4.address }}' - 'ip:{{ kubernetes_services_net...

When I declare a new realm in a playbook, the task `Sign certificate requests for current hosts` fails with the following error: ``` json fatal: [noah.host -> localhost]: FAILED! =>...