Managing SSL/TLS Trust with Ansible on Windows Hosts

How to manage SSL/TLS trust on Windows hosts with the win_resources variable of the c2platform.wincore.win Ansible role: install a CA certificate in the machine Root store so that HTTPS downloads validate without certificate errors.

Projects: c2platform/rws/ansible-gis, c2platform.core, c2platform.wincore


In the setup described in Create a Simple Software Repository for Ansible, the download nodes gsd-ansible-download1, gsd-ansible-download2 and gsd-ansible-download3 establish SSL/TLS trust with the software server gsd-ansible-repo, so that downloads over HTTPS from the repository succeed without certificate validation errors (and without any need to disable certificate checking).

The gsd-rproxy1 node within the ansible-gis project doubles as a CA Server, detailed in Managing Server Certificates as a Certificate Authority. Here, the download nodes use the root CA certificate from this Ansible-based CA server to establish trust via the c2platform.wincore.win role.

Let’s review how Ansible is used to reach this result.

Ansible Inventory and Playbook

The Ansible inventory project c2platform/rws/ansible-gis includes important files as follows:

File                                   Description
plays/mgmt/ansible_repo.yml            Contains the playbook section for the download nodes.
group_vars/ansible_download/main.yml   Configures the download nodes.

Download Node Playbook

The playbook ansible_repo.yml targets the download nodes in the ansible_download group. It uses the c2platform.wincore.win role to establish the trust and the c2platform.wincore.download role to download the Tomcat binaries over HTTPS. The download role relies on the trust set up by the win role, so the role order below matters: once the CA certificate is installed, the downloads proceed without SSL/TLS certificate errors.

- name: Tomcat on MS Windows
  hosts: ansible_download
  tags:
    - v2

  roles:
    - { role: c2platform.core.secrets, tags: ["common", "vault", "download"] }
    - { role: c2platform.wincore.win, tags: ["windows"] }
    - { role: c2platform.wincore.download, tags: ["download"] }

Configuration for Downloads

The configuration for the download nodes is found in group_vars/ansible_download/main.yml. It defines the win_resources variable, including an item of type win_certificate_store that the c2platform.wincore.win role applies using the ansible.windows.win_certificate_store module; the item's keys (path, store_name, store_location) mirror that module's parameters. The path refers to a file on the Windows host, in this case the CA certificate shared through the Vagrant folder. Note that store_name Root with store_location LocalMachine means every user and service on the host will trust certificates issued by this CA, so only the root CA certificate belongs there, never a server certificate.

win_resources:
  ansible_download:
    - name: C2 Trust Relationship
      type: win_certificate_store
      path: C:\vagrant\.ca\c2\c2.crt
      store_name: Root
      store_location: LocalMachine
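
After the role has run, a practitioner will want to verify two things on the Windows host: that the file installed really is a CA certificate and is present in the machine Root store (matched by thumbprint, not by subject name), and that a TLS connection to the repository now validates without any certificate-check bypass. The following PowerShell script is an added example written for this page; it is not part of the c2platform roles or the ansible-gis project. The certificate path and the host name gsd-ansible-repo are taken from the page; the repository URL is an assumption.

```powershell
# Added verification example, not code from the c2platform roles or ansible-gis.
# Assumptions: $CertPath is the file referenced in win_resources; $RepoUrl is
# hypothetical and must be adjusted to the real repository URL.
param(
    [string]$CertPath = 'C:\vagrant\.ca\c2\c2.crt',
    [string]$RepoUrl  = 'https://gsd-ansible-repo/'
)

# 1. Load the certificate file and confirm it is a self-signed CA certificate.
#    A leaf or intermediate certificate must never be placed in LocalMachine\Root.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$selfSigned = ($ca.Subject -eq $ca.Issuer)
$bc = $ca.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $selfSigned -or -not $bc -or -not $bc.CertificateAuthority) {
    throw "$CertPath is not a self-signed CA certificate; do not install it in LocalMachine\Root"
}
if ($ca.NotAfter -lt (Get-Date)) {
    throw "CA certificate $($ca.Subject) expired on $($ca.NotAfter)"
}

# 2. Confirm the same certificate is in the machine Root store, comparing thumbprints
#    so that a different certificate with the same subject name is not mistaken for it.
$installed = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
if (-not $installed) {
    throw "Thumbprint $($ca.Thumbprint) not found in Cert:\LocalMachine\Root"
}
"Trusted root present: $($ca.Subject) ($($ca.Thumbprint)), valid until $($ca.NotAfter)"

# 3. Prove the trust works end to end: the TLS handshake to the repository must validate
#    with default certificate checking. Deliberately no -SkipCertificateCheck or
#    ServicePointManager callback override, which would hide a broken chain.
try {
    $resp = Invoke-WebRequest -Uri $RepoUrl -UseBasicParsing -ErrorAction Stop
    "TLS validation OK: HTTP $($resp.StatusCode) from $RepoUrl"
} catch {
    throw "TLS validation to $RepoUrl failed: $($_.Exception.Message)"
}
```

Run it in an elevated PowerShell session on a download node after the playbook; it exits with a terminating error on the first check that fails. The third check is the one that matters for the download role: if it fails while the second check passes, the server is presenting a certificate that does not chain to the installed root (for example a certificate from a different or rotated CA), and the fix belongs on the CA or server side rather than in the Windows trust store.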

The downloads that need to be performed by the c2platform.wincore.download role are configured using the download_files dictionary.