使用ansible ,利用openssl 签发IP地址,要求: 1、有检测openssl 是否安装 2、环境是centos7 3、CA机构,邮箱,证书名称 这些通过变量维护 4、证书有效期10年
Ai.小助手: 下面是一个示例Playbook,可以使用Ansible和OpenSSL来签发IP地址的证书,并检查目标主机上是否安装了OpenSSL。同时,根据变量值生成证书和密钥,并将其复制到目标主机上。证书有效期为10年。
代码语言:javascript复制---
- name: Generate and distribute SSL certificate for IP address
hosts: web_servers
vars:
ssl_cert_path: "/etc/ssl/private"
ssl_cert_name: "{{ cert_name }}"
ssl_cert_subject: "/C=CN/ST=Beijing/L=Beijing/O=Example Inc./OU=IT Department/CN={{ ansible_default_ipv4.address }}"
ssl_ca_path: "/etc/ssl/private"
ssl_ca_name: "{{ ca_name }}"
ssl_ca_subject: "/C=CN/ST=Beijing/L=Beijing/O=Example Inc./OU=IT Department/CN={{ ca_name }}"
ssl_email: "{{ email }}"
tasks:
- name: Check if OpenSSL is installed
become: true
stat:
path: /usr/bin/openssl
register: openssl_check
- name: Install OpenSSL package
become: true
yum:
name: openssl
state: present
when: openssl_check.stat.exists == False
vars:
ansible_python_interpreter: /usr/bin/python3
- name: Generate CA key
openssl_privatekey:
path: "{{ ssl_ca_path }}/{{ ssl_ca_name }}.key"
size: 4096
passphrase: "{{ ca_passphrase }}"
cipher: AES256
- name: Generate CA certificate
openssl_certificate:
path: "{{ ssl_ca_path }}/{{ ssl_ca_name }}.crt"
privatekey_path: "{{ ssl_ca_path }}/{{ ssl_ca_name }}.key"
provider: selfsigned
subject: "{{ ssl_ca_subject }}"
not_before: "-365"
not_after: " 3650"
extensions:
- basicConstraints=CA:true
- keyUsage=keyCertSign,cRLSign
- name: Generate private key
openssl_privatekey:
path: "{{ ssl_cert_path }}/{{ ssl_cert_name }}.key"
size: 2048
passphrase: "{{ cert_passphrase }}"
cipher: AES256
- name: Generate CSR
openssl_csr:
path: "{{ ssl_cert_path }}/{{ ssl_cert_name }}.csr"
privatekey_path: "{{ ssl_cert_path }}/{{ ssl_cert_name }}.key"
subject: "{{ ssl_cert_subject }}"
extensions:
- subjectAltName=IP:{{ ansible_default_ipv4.address }},email:{{ ssl_email }}
- name: Generate certificate
openssl_certificate:
path: "{{ ssl_cert_path }}/{{ ssl_cert_name }}.crt"
privatekey_path: "{{ ssl_cert_path }}/{{ ssl_cert_name }}.key"
csr_path: "{{ ssl_cert_path }}/{{ ssl_cert_name }}.csr"
provider: selfsigned
ca_cert_path: "{{ ssl_ca_path }}/{{ ssl_ca_name }}.crt"
ca_privatekey_path: "{{ ssl_ca_path }}/{{ ssl_ca_name }}.key"
ca_passphrase: "{{ ca_passphrase }}"
not_before: "-365"
not_after: " 3650"
extensions:
- subjectAltName=IP:{{ ansible_default_ipv4.address }},email:{{ ssl_email }}
- name: Copy certificate to remote host
copy:
src: "{{ ssl_cert_path }}/{{ ssl_cert_name }}.crt"
dest: "/etc/ssl/certs/{{ ssl_cert_name }}.crt"
mode: "0644"
- name: Copy private key to remote host
copy:
src: "{{ ssl_cert_path }}/{{ ssl_cert_name }}.key"
dest: "/etc/ssl/private/{{ ssl_cert_name }}.key"
mode: "0600"在上面的Playbook中,我们首先使用Ansible的stat模块检查目标主机上是否已经安装了OpenSSL。如果不存在,则使用yum模块安装OpenSSL。然后,我们使用openssl
使用ansible,要求: 1、下发脚本 2、执行脚本并输出到以服务器ip命名的文件中去 3、将文件拷贝到本地
为了实现你的要求,你可以使用 Ansible 的一些模块,例如 copy, script, fetch 和 shell。这些模块可以帮你在目标服务器上分发脚本,执行脚本,并将结果保存在指定的文件中,然后将这些文件复制回本地。以下是一个示例的 Ansible playbook:
---
- hosts: your_target_hosts
gather_facts: no
tasks:
- name: 下发脚本到目标主机
copy:
src: /local/path/to/your/script.sh
dest: /remote/path/to/script.sh
mode: 0755
- name: 执行脚本并将输出存入以服务器IP命名的文件中
shell: /remote/path/to/script.sh > /remote/path/to/output/{{ inventory_hostname }}.txt
register: shell_output
- name: debug shell output
debug:
var: shell_output.stdout_lines
- name: 将文件拷贝回本地
fetch:
src: /remote/path/to/output/{{ inventory_hostname }}.txt
dest: /local/path/to/output/
flat: yes在这个 playbook 中,your_target_hosts 是你的目标服务器,你需要在你的 inventory 文件中定义。/local/path/to/your/script.sh 是你要下发的脚本在本地的路径,/remote/path/to/script.sh 是这个脚本在目标服务器上的路径。然后使用 shell 模块执行这个脚本并将输出存入一个文件中,文件以服务器的 IP ()命名。最后,fetch 模块会将这个文件复制回本地。
你需要将这个 playbook 保存为一个 .yml 或 .yaml 文件,然后使用以下命令运行它:
ansible-playbook your_playbook.yaml注意,这个 playbook 假设你已经设置好了 SSH 公钥认证,因此你可以无密码登录到你的目标服务器。如果你还没有设置,你需要先设置 SSH 公钥认证。
