Skip to content
Trellis Ansible role to add custom CA certficates to OpenSSL's trusted store. Ideal for using alongside Digital Ocean managed databases which require SSL/TLS.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
defaults
handlers
meta
tasks
tests
vars
LICENSE
README.md

README.md

Trells CA Certificates

Trellis Ansible Role to add custom CA Certficates to OpenSSL's Trusted Store. Perfect for using with Digital Ocean Managed Databases which require SSL/TLS connections for MySQL.

Requirements

Installation

Add to requirements

# trellis/galaxy.yml
- name: trellis-ca-certificates
  src: craigpearson.trellis_ca_certificates

Include in provision playbook

To add this functionality on your staging/production servers include this role in trellis/server.yml

# trellis/server.yml
...
- name: WordPress Server - Install LEMP Stack with PHP 7.3 and MariaDB MySQL
  hosts: web:&{{ env }}
  become: yes
  roles:
    - { role: common, tags: [common] }
    ...
    - { role: sshd, tags: [sshd] }
    - { role: trellis-ca-certificates, tags: [ca-certificates] } # Recommended inclusion point
    - { role: mariadb, tags: [mariadb] }

If you require this functionality on your development server you should also add this to trellis/dev.yml

Set certificates to include

In production we would add to trellis/group_vars/production/main.yml

# trellis/group_vars/production/main.yml
trellis_ca_certificates_trusted:
  # Local Source:         trellis/certs/production/example-certificate.crt
  # Remote Destination:   /usr/local/share/ca-certificates/database.crt
  - name: database
    src: example-certificate.crt

Include .crt files

By default this role looks in trellis/certs for your certificates, example:

trellis/
├── bin/
├── certs/                            # → Source certificates folder
│   ├── development/                  # → Development certificates
│   ├── staging/                      # → Staging certificates
│   └── production/                   # → Production certificates
│       └── example-certificate.crt
└── deploy-hooks/

Now all that's left is to provision

Role Variables

Configure custom certificates

The only variable required for configuration is the certificate trusted source list. This should be placed in trellis/group_vars/{{ env }}/main.yml where {{ env }} is development, staging, or production.

Note: Your source certificate is renamed and placed in the destination as specified in name, example:

# This is an example of possible values, this value defaults to []
trellis_ca_certificates_trusted:
  # Local Source:         trellis/certs/{{ env }}/example-certificate.crt
  # Remote Destination:   /usr/local/share/ca-certificates/database.crt
  - name: database
    src: example-certificate.crt
  # Local Source:         trellis/certs/{{ env }}/db-master.crt
  # Remote Destination:   /usr/local/share/ca-certificates/database/master.crt
  - name: database/master
  - src: db-master.crt
  # Local Source:         trellis/certs/{{ env }}/db-slave.crt
  # Remote Destination:   /usr/local/share/ca-certificates/database/slave.crt
  - name: database/slave
  - src: db-slave.crt

Source directory

To store your certificate files in a folder other than trellis/certs/{{ env }}:

# Defaults to trellis/certs/env - where env is development, staging or production
trellis_ca_certificates_local_dir: custom-local-directory/{{ env }}

Remote destination directory

Unless you have configured your remote OpenSSL to look for certs in a different directory you shouldn't need to change this

# Defaults to OpenSSL Trusted store on Ubuntu 18.04
trellis_ca_certificates_remote_dir: /usr/local/share/ca-certificates
You can’t perform that action at this time.