Generate a certificate for Squid using Ansible

Hi,

I’m currently writing an Ansible playbook to automate the installation of a router & transparent proxy running Rocky Linux. I already have this configuration running in our local school, though I’ve done the installation by hand. I’ve documented everything on my tech blog, step by step.

At one point I have to create a certificate like this:

# openssl req -new -newkey rsa:4096 -sha256 -days 3650 -nodes -x509 \
  -extensions v3_ca -keyout certificat.pem -out certificat.pem
Generating a RSA private key
.......................++++
.........++++
writing new private key to 'certificat.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: FR
State or Province Name (full name) []: Gard
Locality Name (eg, city) [Default City]: Montpezat
Organization Name (eg, company) [Default Company Ltd]: Microlinux
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: squidbox.sandbox.lan
Email Address []: info@microlinux.fr

And then I have to convert this into DER format:

# openssl x509 -in certificat.pem -outform DER -out certificat.der

I don’t know how to go about this with Ansible. There seem to be several certificate-related Ansible modules out there, but I don’t know which one to choose.

So far I managed to translate pretty much everything in my Squid setup into an Ansible playbook. Right now I have a bit of a roadblock with these two steps. I’d be thankful for a little help here.

Cheers,

Niki

Have you considered the community.crypto.openssl_privatekey module and the corresponding community.crypto.openssl_publickey module?

If they are not the right ones I would expect other community.crypo modules should work for this?

I tried the following approach:

    - name: Create certificate directory
      ansible.builtin.file:
        path: /etc/squid/ssl_cert
        state: directory
        owner: squid
        group: squid
        mode: 0755

    - name: Generate self-signed certificate
      community.crypto.x509_certificate:
        path: /etc/squid/ssl_cert/certificat.pem
        privatekey_path: /etc/squid/ssl_cert/certificat.pem
        provider: selfsigned
        selfsigned_version: 3
        selfsigned_digest: sha256
        selfsigned_not_after: "+3650d"
        selfsigned_not_before: "-1d"
        subject:
          C: FR
          ST: Gard
          L: Montpezat
          O: Microlinux
          CN: squidbox.sandbox.lan
          emailAddress: info@microlinux.fr

Unfortunately there’s no subject parameter or equivalent for this module.

Any suggestions ?

Generate a certificate signing request, see the how to create self-signed certificates page and the two modules, community.crypto.openssl_csr module and community.crypto.openssl_csr_pipe module?