The primary purpose of DevOps is to automate code deployments and testing for more rapid software development. In most environments, SSL/TLS certificates are necessary to encrypt data and prevent eavesdropping and man-in-the-middle attacks. In a development environment, a CA-issued certificate might not be necessary, but you still need a certificate installed so that production code, which validates certificates, runs without errors and without having its validation disabled. A self-signed certificate works around this in development so that testing can proceed. Ansible's OpenSSL modules let you install a self-signed certificate in your development environment, but you first must create it.
Self-Signed vs. Certificate Authority (CA)
Before using a self-signed certificate, you should know the difference between installing a certificate from a CA and using self-signed certificates. Self-signed certificates are untrusted and should only be used in development environments. They are a workaround for SSL/TLS validation while you develop an application.
In a production environment, you generate a private key and use it to create a CSR (certificate signing request). A CA signs and validates the CSR, which tells users and applications that the resulting certificate should be trusted. If you use a self-signed certificate in production, users will receive warnings not to trust the host. Self-signed certificates can be used in phishing attacks, so modern browsers warn users not to trust a host without a valid CA-signed certificate.
In a development environment, a self-signed certificate might be necessary, but know that they should never be used in production.
Creating a Self-Signed Certificate
The first step before certificate creation is to ensure Ansible is installed. Run the following command to get the Ansible version:
$ ansible --version
Next, you need to install the pyOpenSSL dependency that the modules use to generate keys. Run the following command to install pyOpenSSL with pip (replace pip3 with pip if you are using Python 2.x):
$ sudo pip3 install pyOpenSSL
Ansible relies on three modules, openssl_privatekey, openssl_csr and openssl_certificate, to create keys and set up the self-signed certificate. Ensure that these three modules are available before you continue.
To generate a certificate, you first need to create a private key. The private key is what decrypts data on the server, and the matching public key, derived from it, is what client applications (e.g., web browsers) use. The initial step in encrypted communication uses an asymmetric cipher (e.g., RSA) to transfer a symmetric key to the server, which is why you need a private-public key pair. The client machine uses the server's public key to encrypt the symmetric key and passes it across the network to the server. The server decrypts the symmetric key with its private key, and then a session is created in which all data between the client and the host is encrypted with the symmetric key. Without the initial private-public key pair, the symmetric key would be exposed to eavesdropping and could be intercepted in a man-in-the-middle attack.
Creation of a self-signed certificate uses the following general steps:
- Create private keys using openssl_privatekey
- Create a CSR using openssl_csr
- Generate the self-signed certificate using openssl_certificate
The first step is to generate private keys, shown below:
The above task creates a 2048-bit RSA private key. You can omit the size parameter to get the module's default 4096-bit key, but a key that large is likely not necessary in development. RSA is the standard choice for most key generation, but you can use the type parameter to select a different algorithm.
With the private key created, you can now create a CSR using the following command:
In the above task, the private key is used to create the ansible_server.csr file. In a production environment, you would send this CSR file to the certificate authority of your choice to sign it and attest that the certificate is valid, but since we're creating a self-signed certificate, the next step is to generate the certificate yourself with the following task:
openssl_certificate:
  provider: selfsigned
  path: /etc/ansible/ansible_server.crt
  privatekey_path: /etc/ansible/ansible_server.key
  csr_path: /etc/ansible/ansible_server.csr
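The three steps above, collected into one runnable playbook. This is an added example and not the article's own code: it keeps the article's /etc/ansible paths and file names, uses the current community.crypto module names (the article's openssl_certificate is the older name of x509_certificate), and the hostname, subject alternative names and one-year lifetime are constructed values for a development host.

```yaml
---
# Added example (not from the original article): runs the three steps
# described above in one playbook. Paths and file names are the article's;
# the hostname, SANs and lifetime are constructed placeholders.
- name: Create a self-signed certificate for a development server
  hosts: localhost
  become: true
  vars:
    cert_dir: /etc/ansible
    cert_name: ansible_server
    dev_hostname: dev.example.test   # constructed placeholder hostname
  tasks:
    - name: Make sure the target directory exists
      ansible.builtin.file:
        path: "{{ cert_dir }}"
        state: directory
        mode: "0755"

    # Step 1: private key. Omit 'size' to get the module's 4096-bit default.
    - name: Generate the RSA private key
      community.crypto.openssl_privatekey:
        path: "{{ cert_dir }}/{{ cert_name }}.key"
        size: 2048
        type: RSA
        mode: "0600"   # the private key must not be readable by other users

    # Step 2: CSR. A CN alone is not enough for modern browsers; they match
    # the hostname against the subject alternative names.
    - name: Create the CSR from the private key
      community.crypto.openssl_csr:
        path: "{{ cert_dir }}/{{ cert_name }}.csr"
        privatekey_path: "{{ cert_dir }}/{{ cert_name }}.key"
        common_name: "{{ dev_hostname }}"
        subject_alt_name:
          - "DNS:{{ dev_hostname }}"
          - "DNS:localhost"
          - "IP:127.0.0.1"

    # Step 3: sign the CSR with our own key instead of sending it to a CA.
    - name: Self-sign the certificate (development use only)
      community.crypto.x509_certificate:
        path: "{{ cert_dir }}/{{ cert_name }}.crt"
        privatekey_path: "{{ cert_dir }}/{{ cert_name }}.key"
        csr_path: "{{ cert_dir }}/{{ cert_name }}.csr"
        provider: selfsigned
        selfsigned_not_after: "+365d"   # explicit one-year lifetime
```

Run it with ansible-playbook against localhost; all three modules are idempotent, so a second run reports no changes unless a file is missing or its contents no longer match the parameters. The selfsigned_not_after line is worth keeping explicit: without it the module's selfsigned provider issues a ten-year certificate, so a development certificate can quietly outlive the project it was made for.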
After this step, you can use the CRT file to set up encrypted connections on your server. Every certificate has an expiration date, usually a year from the time it was created, and you must renew the certificate before it expires. If you forget, you will receive errors in production or in your development environment; an expired certificate can crash services and cause critical downtime for applications running in either. Common browsers such as Chrome warn users when a server's certificate has expired. You can avoid these errors by monitoring your SSL/TLS certificates' expiration dates and renewing them before they expire.
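One way to do that monitoring from Ansible itself, as an added example that is not part of the original article: read the certificate's validity period with community.crypto.x509_certificate_info and fail the run when the certificate has expired or will expire inside a renewal window. The certificate path is the one the article uses; the 30-day window is an assumed threshold chosen for this example.

```yaml
---
# Added example (not from the original article): fail the playbook when the
# certificate is expired or expires within the renewal window, so a scheduled
# run flags it before users see browser warnings. Path from the article;
# the 30-day window is an assumed threshold.
- name: Check certificate expiry
  hosts: localhost
  vars:
    cert_path: /etc/ansible/ansible_server.crt
    renew_window: "+30d"   # assumed threshold: renew when less than 30 days remain
  tasks:
    - name: Read certificate metadata
      community.crypto.x509_certificate_info:
        path: "{{ cert_path }}"
        valid_at:
          # The module answers "is the certificate still valid at this point?"
          renew_window: "{{ renew_window }}"
      register: cert_info

    - name: Report the validity period
      ansible.builtin.debug:
        msg: "{{ cert_path }} is valid from {{ cert_info.not_before }} until {{ cert_info.not_after }}"

    - name: Fail if the certificate has expired or expires within the renewal window
      ansible.builtin.assert:
        that:
          - not cert_info.expired
          - cert_info.valid_at.renew_window
        fail_msg: "Renew {{ cert_path }}: it expires {{ cert_info.not_after }}"
        success_msg: "{{ cert_path }} is valid for at least another {{ renew_window }}"
```

Schedule this with cron, AWX or any job runner that reports failed plays; a failed assert then becomes the renewal alert, and re-running the creation playbook with a fresh selfsigned_not_after reissues the development certificate.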