Managing SSL/TLS Trust with Ansible on Windows Hosts

Discover how to seamlessly manage SSL/TLS trust on Windows hosts using the win_resources variable of the Ansible role.

Projects: c2platform/rws/ansible-gis, c2platform.core, c2platform.wincore

In the setup described in Create a Simple Software Repository for Ansible, the download nodes gsd-ansible-download1, gsd-ansible-download2 and gsd-ansible-download3 establish an SSL/TLS trust with the software server gsd-ansible-repo, so that software downloads complete without certificate errors.

The gsd-rproxy1 node within the ansible-gis project doubles as a CA Server, detailed in Managing Server Certificates as a Certificate Authority. Here, the download nodes use the root CA certificate from this Ansible-based CA server to establish trust via the role.

Let’s review how Ansible is used to reach this result.

Ansible Inventory and Playbook

The Ansible inventory project c2platform/rws/ansible-gis includes important files as follows:

plays/mgmt/ansible_repo.yml: contains the playbook section for the download nodes.
group_vars/ansible_download/main.yml: configures the download nodes.

Download Node Playbook

The playbook ansible_repo.yml targets the download nodes in the ansible_download group. It applies the role for establishing trust and the role for secure binary downloads of Tomcat, which relies on that trust being in place. With the root CA trusted, downloads proceed without SSL/TLS certificate errors.

- name: Tomcat on MS Windows
  hosts: ansible_download
    - v2
  roles:
    - { role: c2platform.core.secrets, tags: ["common", "vault", "download"] }
    - { role:, tags: ["windows"] }
    - { role:, tags: ["download"] }

Configuration for Downloads

The configuration specific to the download nodes lives in group_vars/ansible_download/main.yml. It defines the win_resources variable, which includes an item of type win_certificate_store for managing the Windows certificate store; the role maps this item onto the win_certificate_store module. The item below places the root CA certificate c2.crt in the Root store of the LocalMachine location, which is what makes certificates issued by that CA trusted system-wide on the node.

win_resources:
  - name: C2 Trust Relationship
    type: win_certificate_store
    path: C:\vagrant\.ca\c2\c2.crt
    store_name: Root
    store_location: LocalMachine
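To confirm on a download node that the win_resources item above did what it should, the following PowerShell check (an added example, not part of the c2platform roles or the ansible-gis project) loads c2.crt, verifies that its thumbprint is present in Cert:\LocalMachine\Root, and then performs a real HTTPS request to the software server without disabling certificate validation. The certificate path and store come from the configuration above; the repository URL is an assumption.

```powershell
param(
    # Path of the CA certificate as configured in win_resources
    [string]$CertPath = 'C:\vagrant\.ca\c2\c2.crt',
    # Assumed URL of the software server gsd-ansible-repo (not taken from the page)
    [string]$RepoUrl  = 'https://gsd-ansible-repo/'
)

# Load the certificate file the role installed and take its thumbprint,
# so the store lookup matches on identity rather than on a display name.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
Write-Host "CA subject: $($ca.Subject)"
Write-Host "CA thumbprint: $($ca.Thumbprint)  valid until: $($ca.NotAfter)"

# A certificate in the Root store should be a self-signed CA; anything else
# placed there would be trusted as a root, which is worth flagging.
if ($ca.Subject -ne $ca.Issuer) {
    Write-Warning "c2.crt is not self-signed (issuer: $($ca.Issuer)); check that this is really the root CA"
}
if ($ca.NotAfter -lt (Get-Date)) {
    Write-Warning "c2.crt expired on $($ca.NotAfter); downloads will fail until it is renewed"
}

# store_location: LocalMachine / store_name: Root from the win_resources item
$installed = Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
if (-not $installed) {
    Write-Error "Root CA $($ca.Thumbprint) is not present in Cert:\LocalMachine\Root"
    exit 1
}
Write-Host "Root CA is present in Cert:\LocalMachine\Root"

# The download role depends on this trust, so exercise it the same way:
# a plain HTTPS request with full certificate validation (no bypass switches).
try {
    $resp = Invoke-WebRequest -Uri $RepoUrl -Method Head -UseBasicParsing -ErrorAction Stop
    Write-Host "HTTPS to $RepoUrl succeeded (status $($resp.StatusCode))"
} catch {
    Write-Error "HTTPS to $RepoUrl failed: $($_.Exception.Message)"
    exit 1
}
```

Run it on the node after the playbook has been applied; a non-zero exit code means the trust relationship is not in place and the Tomcat download would fail with a certificate error.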

The downloads that need to be performed by the role are configured using the download_files dictionary.