An Ansible role for Linux that installs a script which synchronizes SSL certificates managed by Certkit.io. It is published on Ansible Galaxy.
We recommend using our newer agent-based role, certkit_io.agent, to manage Certkit certificates. The Certkit agent makes it easy to manage multiple certificates and integrates more closely with the Certkit application.
However, if certkit_io.sync serves your needs, you can keep using it.
- Installs a simple synchronization script to whichever directory you specify.
- Builds a configuration file from variables you give it.
- Once installed, the script:
  - Syncs the latest certificate from CertKit into a local directory using minio-client.
  - Copies the certificate into place if it is changed or missing.
  - Optionally runs a post-update command (e.g. `nginx -s reload`).
  - Logs all activity to `certkit.log` (keeping the last 2000 log lines).
  - Is periodically run on a Cron schedule.
- To sync multiple certificates, call the role multiple times. See the Syncing Multiple Certificates section.
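The copy-into-place, post-update and log-trimming steps listed above, as an added example that is not the role's own script. It assumes minio-client has already fetched `cert.pem` and `key.pem` into the sync directory (those file names, the function names and the `CERTKIT_LOG_KEEP` variable are this example's own choices, not the role's). It shows the parts a defender cares about in a cron-driven certificate installer: the private key is written with owner-only permissions and replaced atomically, the update command runs only when a file actually changed, and the log is kept to a fixed number of lines.

```shell
#!/bin/sh
# Added example (not the certkit_io.sync role's own script): a minimal
# install-and-notify step with the behaviour the README lists above.
# Assumptions: the download step (minio-client) has already placed cert.pem
# and key.pem in SYNC_DIR; file names, function names and CERTKIT_LOG_KEEP
# are this example's own choices.
set -eu

# Number of log lines to retain; the README states the role keeps 2000.
: "${CERTKIT_LOG_KEEP:=2000}"

# certkit_log LOGFILE MESSAGE
# Appends a UTC-timestamped line, then trims the log to the newest
# CERTKIT_LOG_KEEP lines via a temp file so a crash cannot leave it empty.
certkit_log() {
  local logfile="$1" msg="$2"
  printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$msg" >> "$logfile"
  tail -n "$CERTKIT_LOG_KEEP" "$logfile" > "$logfile.tmp"
  mv -f "$logfile.tmp" "$logfile"
}

# install_if_changed SRC DEST MODE
# Returns 0 when DEST was written, 1 when it already matched SRC.
install_if_changed() {
  local src="$1" dest="$2" mode="$3" tmp
  if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
    return 1
  fi
  # Copy to a temp file beside DEST, set the mode first, then rename:
  # readers never see a partial file and the key is never world-readable.
  tmp=$(mktemp "$(dirname "$dest")/.certkit.XXXXXX")
  cp "$src" "$tmp"
  chmod "$mode" "$tmp"
  mv -f "$tmp" "$dest"
  return 0
}

# certkit_sync SYNC_DIR PEM_DEST KEY_DEST UPDATE_CMD
# Exit status: 0 = a file changed and UPDATE_CMD ran, 1 = nothing changed,
# 2 = a file changed but UPDATE_CMD failed (logged, so it is visible later).
certkit_sync() {
  local sync_dir="$1" pem_dest="$2" key_dest="$3" update_cmd="$4" logfile changed=0
  logfile="$sync_dir/certkit.log"
  if install_if_changed "$sync_dir/cert.pem" "$pem_dest" 0644; then
    changed=1; certkit_log "$logfile" "installed $pem_dest"
  fi
  # The private key gets owner-only permissions.
  if install_if_changed "$sync_dir/key.pem" "$key_dest" 0600; then
    changed=1; certkit_log "$logfile" "installed $key_dest"
  fi
  if [ "$changed" -eq 0 ]; then
    certkit_log "$logfile" "no change"
    return 1
  fi
  # Give the full path to the binary in UPDATE_CMD: cron usually has a minimal PATH.
  if sh -c "$update_cmd" >> "$logfile" 2>&1; then
    certkit_log "$logfile" "ran update command: $update_cmd"
    return 0
  fi
  certkit_log "$logfile" "update command failed: $update_cmd"
  return 2
}

# Usage (as a cron entry would call it; paths are the README's nginx example):
#   certkit_sync /opt/certkit-nginx /etc/nginx/yourdomain.pem \
#                /etc/nginx/yourdomain.key "/usr/sbin/nginx -s reload"
```

Because `certkit_sync` reports "nothing changed" with exit status 1, call it inside an `if` (or append `|| true`) when the calling script runs under `set -e`; otherwise an uneventful run would abort the script after the log line is already written.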
A Certkit account (sign up for free).
Install using the ansible-galaxy CLI:

```shell
ansible-galaxy role install certkit_io.sync
```
All variables are listed below. They are all required unless otherwise specified:

- `certkit_bucket`: The name of your Certkit storage bucket. Get this from the Certkit UI.
- `certkit_access_key`: The access key for your Certkit storage bucket. Get this from the Certkit UI.
- `certkit_secret_key`: The secret key for your Certkit storage bucket. Get this from the Certkit UI.
- `certkit_certificate_id`: The ID of the certificate to sync. Get this from the Certkit UI.
- `certkit_dir`: The directory where the Certkit sync script and config file will be placed. Arbitrary, pick what you'd like. Should be unique if multiple Certkit sync scripts are installed on the same box!
- `certkit_update_cmd`: Certkit sync runs this command whenever the certificates are updated. Use it to inform the server of a new certificate.
- `certkit_pem_destination`: File path where Certkit sync will write the certificate PEM file. This is wherever your server software expects the certificate to live.
- `certkit_key_destination`: File path where Certkit sync will write the certificate's private key file. This is wherever your server software expects the private key to live.
None.
```yaml
- hosts: all
  tasks:
    - include_role:
        name: certkit_io.sync
      vars:
        # Credentials from the CertKit UI
        certkit_bucket: certkit-1234
        certkit_access_key: YOUR_ACCESS_KEY
        certkit_secret_key: YOUR_SECRET_KEY
        # The ID of the certificate to sync. Get this from the Certkit UI.
        certkit_certificate_id: ab12
        # The directory where the certkit sync script and config file will be placed. Arbitrary, pick what you'd like.
        # When syncing multiple certificates, each configuration should use a different directory.
        certkit_dir: /opt/certkit-nginx
        # When certificates are updated, this command will be run, nginx in this case. See our examples for how to notify other services.
        # IMPORTANT! - You may need to specify the full path to the executable. In many distros, Cron has no PATH configured.
        certkit_update_cmd: "/usr/sbin/nginx -s reload"
        # The PEM and KEY files will be moved here (and kept up to date). Place wherever your software expects them to be.
        certkit_pem_destination: "/etc/nginx/yourdomain.pem"
        certkit_key_destination: "/etc/nginx/yourdomain.key"
```

Sync more than one certificate by simply calling the role again. These variables will differ between each certificate:

- `certkit_certificate_id`
- `certkit_dir`
- `certkit_pem_destination`
- `certkit_key_destination`
MIT / BSD