How to automate renewal/installation of CA signed certificate?

rcordova · ‎2022-03-17

Hello, I am trying to use the ansible module https://docs.ansible.com/ansible/2.10/collections/netapp/ontap/na_ontap_security_certificates_module.html

We’re updating an expiring signed certificate, which requires the deletion of an existing certificate, which stops the ssl service. If the service stops every time a certificate is deleted, how am I supposed to install the new one. The SSL service is down after deleting.

I have also tried using the netapp command line module which allows me to run the proper command "cert install (parameters)" but I cannot use this workaround because I cannot figure out how to get ansible to wait for the user inputs (I am prompted for my certificate and private key).

I have also made a post here: https://github.com/ansible-collections/netapp.ontap/issues/53 which shows my ansible playbook.

RobertBlackhart · ‎2022-03-17

The folks in that GitHub issue or in the #configurationmgmt channel of Slack will know best about the Anisible specifics. However, as far as a general workflow goes, I would expect it to be something like this:

Install the new certificate
Modify the web service to use the new certificate
Remove the old certificate

You may end up with a disconnection before you get a response to step 2, I'm not sure. You'd want to handle the error and retry in that case.

How to automate renewal/installation of CA signed certificate?

Renewing a CA-Signed Certificate in ActiveIQ Unified Manager

ONTAP 9.1 System Manager and CA signed certificates

SSL certificate problem: self signed certificate in certificate chain

Automate ACTIVE IQ SSL certificate

FPolicy server-auth mode failing when using third party CA signed certificates.