Services and TLS certificates - how to configure step by step?

My CA issues certificates for my TLS-encrypted connections. For example, for rsyslog, stunnel, or Prometheus node exporter. I configure all these services with Ansible roles. However, I have a fundamental problem with the process, especially when a service is run root-less.

If my playbook obtains the certificate first, the user with which the service is executed is not yet known. However, this user must become the owner of the certificate key files.
Conversely, the role for the service cannot be fully executed because a certificate that does not yet exist would lead to a runtime error.

Without Ansible as an administrator, I would perform the process in three steps:

  • Install and configure the service.
  • Obtain and install the certificate.
  • Configure the certificate files for the service.

What is the best way to automate such a scenario?

Thanks in advance.

I’m not sure I 100% understand what you’re describing because the scenario you’re outlining is a bit too generic to really grasp what your issue is, and from what I gather you already have the solution in your post.

My understanding is that you want to have an Ansible playbook install an application or service, then after install, you want to install CA-signed SSL certs for the app, but you’re running into a chicken-and-egg scenario regarding certificate ownership since the service-specific accounts don’t exist until the app is installed.

Without Ansible as an administrator, I would perform the process in three steps:

  • Install and configure the service.
  • Obtain and install the certificate.
  • Configure the certificate files for the service.

As far as I can figure, you’d do this same step-by-step in an Ansible playbook. Hence my confusion as to what your question is, as it seems like you already have the answer. You’d probably want to run some checks before obtaining and installing the cert just so you don’t send the same cert to your CA to be signed in order to keep idempotency in Ansible.
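The three steps from the original post, written out as one Ansible play with the idempotency check the reply suggests. This is an added example, not code from either poster. It assumes the service is Prometheus node_exporter (package and unit "prometheus-node-exporter", whose package creates the system user "node_exporter"), an internal CA whose key and certificate sit on the Ansible control node at the hypothetical `ca_key`/`ca_crt` paths, and the `community.crypto` collection; every path, host group and name in it is illustrative.

```yaml
---
# Added example, not code from the thread. Assumes: Prometheus node_exporter
# (package/unit "prometheus-node-exporter", whose package creates the system
# user "node_exporter"); an internal CA whose key and cert sit on the Ansible
# control node at the hypothetical ca_key/ca_crt paths; community.crypto installed.
- name: Install the service, then issue its TLS certificate, then wire it in
  hosts: monitoring
  become: true
  vars:
    svc_user: node_exporter
    svc_unit: prometheus-node-exporter
    tls_dir: /etc/node_exporter/tls
    key_path: "{{ tls_dir }}/server.key"
    csr_path: "{{ tls_dir }}/server.csr"
    crt_path: "{{ tls_dir }}/server.crt"
    issued_dir: "{{ playbook_dir }}/issued"  # controller-side CSR/cert store
    ca_key: /srv/ca/private/ca.key           # on the control node (assumed)
    ca_crt: /srv/ca/certs/ca.crt             # on the control node (assumed)
  tasks:
    # Step 1: install and configure the service. Only now does the account that
    # must own the key exist (add an ansible.builtin.user task if your package
    # does not create it), so key ownership is set in step 2, not here.
    - name: Install the service package
      ansible.builtin.package: { name: "{{ svc_unit }}", state: present }
    - name: TLS directory, root-owned and readable only by the service group
      ansible.builtin.file:
        path: "{{ tls_dir }}"
        state: directory
        owner: root
        group: "{{ svc_user }}"
        mode: "0750"
    # Step 2: obtain the certificate. The private key is generated on the target
    # and never leaves it; only the CSR goes to the CA. The two checks keep the
    # play idempotent: the CA signs only when no cert exists or it expires soon.
    - name: Private key, owned by the service user from the moment it exists
      community.crypto.openssl_privatekey:
        path: "{{ key_path }}"
        owner: "{{ svc_user }}"
        group: "{{ svc_user }}"
        mode: "0400"
    - name: CSR for this host
      community.crypto.openssl_csr:
        path: "{{ csr_path }}"
        privatekey_path: "{{ key_path }}"
        common_name: "{{ inventory_hostname }}"
        subject_alt_name: "DNS:{{ inventory_hostname }}"
    - name: Does a certificate already exist?
      ansible.builtin.stat: { path: "{{ crt_path }}" }
      register: crt_stat
    - name: Is the existing certificate still valid 30 days from now?
      community.crypto.x509_certificate_info:
        path: "{{ crt_path }}"
        valid_at:
          renew: "+30d"
      register: crt_info
      when: crt_stat.stat.exists
    - name: Decide whether the CA must be asked (the 'or' short-circuits when no cert)
      ansible.builtin.set_fact: { need_cert: "{{ not crt_stat.stat.exists or not crt_info.valid_at.renew }}" }
    - name: Fetch the CSR to the control node
      ansible.builtin.fetch:
        src: "{{ csr_path }}"
        dest: "{{ issued_dir }}/{{ inventory_hostname }}.csr"
        flat: true
      when: need_cert
    - name: Sign the CSR with the internal CA (runs on the control node)
      community.crypto.x509_certificate:
        path: "{{ issued_dir }}/{{ inventory_hostname }}.crt"
        csr_path: "{{ issued_dir }}/{{ inventory_hostname }}.csr"
        provider: ownca
        ownca_path: "{{ ca_crt }}"
        ownca_privatekey_path: "{{ ca_key }}"
        ownca_not_after: "+365d"
        force: true
      delegate_to: localhost
      become: false
      when: need_cert
    - name: Install the signed certificate (public, so root-owned and readable)
      ansible.builtin.copy:
        src: "{{ issued_dir }}/{{ inventory_hostname }}.crt"
        dest: "{{ crt_path }}"
        owner: root
        group: "{{ svc_user }}"
        mode: "0644"
      when: need_cert
      notify: Restart service
    # Step 3: point the service at the files (node_exporter's web config file).
    - name: node_exporter TLS configuration
      ansible.builtin.copy:
        dest: "{{ tls_dir }}/web.yml"
        content: |
          tls_server_config:
            cert_file: {{ crt_path }}
            key_file: {{ key_path }}
        mode: "0644"
      notify: Restart service
  handlers:
    - name: Restart service
      ansible.builtin.systemd: { name: "{{ svc_unit }}", state: restarted }
```

The ordering answers the ownership problem directly: the package install in step 1 is what brings the service account into existence, so `openssl_privatekey` in step 2 can set `owner`/`mode: "0400"` at creation time and the key is never momentarily readable by anyone else. The `stat` plus `x509_certificate_info` pair is the check the reply mentions: on a second run nothing is fetched or signed unless the certificate is missing or within 30 days of expiry, so the CA is not asked to re-sign on every play. Passing `--web.config.file={{ tls_dir }}/web.yml` to the node_exporter unit is distro-specific (an environment file or a systemd drop-in) and is left out; rsyslog and stunnel take the same two file paths through their own directives.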