Been working on a playbook to store the self-signed certificate I generate for my Lima virtual machine on my MacBook. The playbook runs fine, but the certificate never gets added to the macOS Keychain as a trusted certificate. As a matter of fact it never gets added at all. I know it is possible as it is done with Laravel Valet.
Any ideas what is wrong with this playbook?
---
- name: Generate SSL Certificates, Install CA, and Update Nginx Configuration
  hosts: lima
  become: true
  vars:
    # Root CA Certificate Paths
    ca_key_path: "/etc/ssl/private/lima-vm-ca.key"
    ca_cert_path: "/etc/ssl/certs/lima-vm-ca.pem"
    # Site-Specific Certificate Paths
    server_key_path: "/etc/ssl/private/server.key"
    server_cert_path: "/etc/ssl/certs/server.pem"
    server_csr_path: "/etc/ssl/private/server.csr"
    # Dynamic Nginx Configuration Path based on http_host
    nginx_config_path: "/etc/nginx/sites-available/{{ http_host }}"
    # Local path for CA certificate on macOS (using absolute path)
    local_ca_cert_path: "{{ lookup('env', 'HOME') }}/Downloads/lima-vm-ca.pem"
    # Lima SSH Configuration
    lima_ssh_key: "{{ lookup('env', 'HOME') }}/.lima/_config/user"
    lima_user: "lima"
    lima_port: 60022 # Default Lima SSH port
  tasks:
    # Ensure SSL directories exist
    - name: Create directory for CA key
      file:
        path: "{{ ca_key_path | dirname }}"
        state: directory
        mode: '0755'
    - name: Create directory for site-specific key and certificate
      file:
        path: "{{ server_key_path | dirname }}"
        state: directory
        mode: '0755'
    # Generate Root CA Certificate (general for Lima VM)
    - name: Generate CA private key
      command: openssl genrsa -out "{{ ca_key_path }}" 2048
      args:
        creates: "{{ ca_key_path }}"
    - name: Set CA key permissions
      file:
        path: "{{ ca_key_path }}"
        owner: root
        group: root
        mode: '0600'
    - name: Generate CA certificate (PEM format)
      command: >
        openssl req -x509 -new -nodes -key "{{ ca_key_path }}" -sha256 -days 3650
        -out "{{ ca_cert_path }}"
        -subj "/C=US/ST=State/L=City/O=MyOrg/CN=LimaVM-CA"
      args:
        creates: "{{ ca_cert_path }}"
    # Generate Site-Specific SSL Certificate
    - name: Generate server private key
      command: openssl genrsa -out "{{ server_key_path }}" 2048
      args:
        creates: "{{ server_key_path }}"
    - name: Generate server CSR
      command: >
        openssl req -new -key "{{ server_key_path }}" -out "{{ server_csr_path }}"
        -subj "/C=US/ST=State/L=City/O=MyOrg/CN={{ http_host }}"
      args:
        creates: "{{ server_csr_path }}"
    - name: Generate server certificate signed by CA
      command: >
        openssl x509 -req -in "{{ server_csr_path }}" -CA "{{ ca_cert_path }}"
        -CAkey "{{ ca_key_path }}" -CAcreateserial -out "{{ server_cert_path }}"
        -days 3650 -sha256
      args:
        creates: "{{ server_cert_path }}"
    # Set permissions for SSL certificate and key files
    - name: Set permissions for SSL certificate and key files
      file:
        path: "{{ item.path }}"
        owner: root
        group: root
        mode: "{{ item.mode }}"
      loop:
        - { path: "{{ server_cert_path }}", mode: '0644' }
        - { path: "{{ server_key_path }}", mode: '0600' }
        - { path: "{{ ca_cert_path }}", mode: '0644' }
        - { path: "{{ server_csr_path }}", mode: '0644' }
    # Configure UFW to allow HTTPS on port 443
    - name: Allow HTTPS traffic on port 443
      ufw:
        rule: allow
        port: 443
        proto: tcp
    # Ensure local directory for CA certificate exists
    - name: Ensure local directory for CA certificate exists
      ansible.builtin.file:
        path: "{{ lookup('env', 'HOME') }}/Downloads"
        state: directory
        mode: '0755'
      delegate_to: localhost
      become: false
    # Copy the CA certificate in PEM format to the local machine
    - name: Fetch CA certificate to local machine
      fetch:
        src: "{{ ca_cert_path }}"
        dest: "{{ local_ca_cert_path }}"
        flat: yes
      become: true
    # Install CA on macOS in System Keychain
    - name: Install CA on macOS
      when: ansible_facts['os_family'] == 'Darwin'
      block:
        - name: Check if certificate is already installed
          local_action: shell security find-certificate -c "LimaVM-CA" -a /Library/Keychains/System.keychain | grep -q "LimaVM-CA"
          register: cert_check
          ignore_errors: yes
          become: false
        - name: Create temporary script for certificate installation
          local_action:
            module: copy
            content: |
              #!/bin/bash
              security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "{{ local_ca_cert_path }}"
            dest: /tmp/install_cert.sh
            mode: '0755'
          when: cert_check.rc != 0
          become: false
        - name: Install certificate (will prompt for sudo password)
          local_action: command osascript -e 'do shell script "/tmp/install_cert.sh" with administrator privileges'
          when: cert_check.rc != 0
          become: false
        - name: Clean up temporary script
          local_action:
            module: file
            path: /tmp/install_cert.sh
            state: absent
          when: cert_check.rc != 0
          become: false
    # Install CA on Windows (runs on host machine)
    - name: Install CA on Windows
      when: ansible_facts['os_family'] == 'Windows'
      local_action:
        module: win_certificate_store
        state: present
        store_name: Root
        certificate_path: "{{ local_ca_cert_path }}"
    # Deploy Nginx HTTPS configuration
    - name: Deploy Nginx HTTPS configuration
      template:
        src: "roles/nginx/templates/nginx.conf-self-signed.j2"
        dest: "{{ nginx_config_path }}"
      notify: restart nginx
    # Enable the Nginx site by creating a symlink in sites-enabled
    - name: Enable Nginx site
      file:
        src: "{{ nginx_config_path }}"
        dest: "/etc/nginx/sites-enabled/{{ http_host }}"
        state: link
    # Validate Nginx configuration before restart
    - name: Validate Nginx configuration
      command: nginx -t
      changed_when: false
      notify: restart nginx
  handlers:
    - name: restart nginx
      service:
        name: nginx
        state: restarted
      become: true
On the last run it was fine:
ansible-playbook -i inventory lima-self-signed-ssl.yml
PLAY [Generate SSL Certificates, Install CA, and Update Nginx Configuration] *************************************
TASK [Gathering Facts] *******************************************************************************************
ok: [lima-vm]
TASK [Create directory for CA key] *******************************************************************************
ok: [lima-vm]
TASK [Create directory for site-specific key and certificate] ****************************************************
ok: [lima-vm]
TASK [Generate CA private key] ***********************************************************************************
ok: [lima-vm]
TASK [Set CA key permissions] ************************************************************************************
ok: [lima-vm]
TASK [Generate CA certificate (PEM format)] **********************************************************************
ok: [lima-vm]
TASK [Generate server private key] *******************************************************************************
ok: [lima-vm]
TASK [Generate server CSR] ***************************************************************************************
ok: [lima-vm]
TASK [Generate server certificate signed by CA] ******************************************************************
ok: [lima-vm]
TASK [Set permissions for SSL certificate and key files] *********************************************************
ok: [lima-vm] => (item={'path': '/etc/ssl/certs/server.pem', 'mode': '0644'})
ok: [lima-vm] => (item={'path': '/etc/ssl/private/server.key', 'mode': '0600'})
ok: [lima-vm] => (item={'path': '/etc/ssl/certs/lima-vm-ca.pem', 'mode': '0644'})
ok: [lima-vm] => (item={'path': '/etc/ssl/private/server.csr', 'mode': '0644'})
TASK [Allow HTTPS traffic on port 443] ***************************************************************************
ok: [lima-vm]
TASK [Ensure local directory for CA certificate exists] **********************************************************
ok: [lima-vm -> localhost]
TASK [Fetch CA certificate to local machine] *********************************************************************
ok: [lima-vm]
TASK [Check if certificate is already installed] *****************************************************************
skipping: [lima-vm]
TASK [Create directory for temporary files] **********************************************************************
skipping: [lima-vm]
TASK [Convert PEM to DER format] *********************************************************************************
skipping: [lima-vm]
TASK [Create temporary script for certificate installation] ******************************************************
skipping: [lima-vm]
TASK [Install certificate (will prompt for sudo password)] *******************************************************
skipping: [lima-vm]
TASK [Clean up temporary files] **********************************************************************************
skipping: [lima-vm]
TASK [Install CA on Windows] *************************************************************************************
skipping: [lima-vm]
TASK [Deploy Nginx HTTPS configuration] **************************************************************************
ok: [lima-vm]
TASK [Enable Nginx site] *****************************************************************************************
ok: [lima-vm]
TASK [Verify SSL certificate configuration] **********************************************************************
ok: [lima-vm]
TASK [Validate Nginx configuration] ******************************************************************************
ok: [lima-vm]
PLAY RECAP *******************************************************************************************************
lima-vm : ok=17 changed=0 unreachable=0 failed=0 skipped=7 rescued=0 ignored=0
but I do not get it added as a certificate, and so neither Chrome nor Safari accepts the certificate.
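The run output above shows every task inside the "Install CA on macOS" block being skipped. In a play whose `hosts` is `lima`, `ansible_facts` is gathered from the Lima VM, so `ansible_facts['os_family']` is the VM's Linux family and the `== 'Darwin'` condition can never be true (the same applies to the Windows task). The playbook below is an added example, not the original poster's playbook: it gathers facts on the controller (the MacBook) in a first play, then conditions the keychain tasks on those controller facts via `hostvars['localhost']`, and finishes with a `security verify-cert` check so the play fails loudly if the CA is present but not trusted for SSL. The CA common name, the local PEM path and the use of `osascript` for the admin prompt are assumptions carried over from the post.

```yaml
---
# Added example (not the original poster's playbook).
# Play 1 gathers facts about the controller, so that play 2 can tell the
# controller's OS apart from the Lima VM's OS.
- name: Gather facts about the Ansible controller (the MacBook)
  hosts: localhost
  connection: local
  gather_facts: true

- name: Install the Lima CA into the macOS System keychain when the controller is macOS
  hosts: lima
  gather_facts: true
  vars:
    # Assumed values, mirroring the post above.
    ca_common_name: "LimaVM-CA"
    local_ca_cert_path: "{{ lookup('env', 'HOME') }}/Downloads/lima-vm-ca.pem"
    # Fact gathered from the controller in play 1, not from the VM.
    controller_os_family: "{{ hostvars['localhost']['ansible_facts']['os_family'] }}"
  tasks:
    - name: Show which host each fact describes
      ansible.builtin.debug:
        msg:
          - "VM os_family: {{ ansible_facts['os_family'] }}"
          - "Controller os_family: {{ controller_os_family }}"

    - name: Install and verify the CA on the macOS controller
      when: controller_os_family == 'Darwin'
      delegate_to: localhost
      become: false
      block:
        - name: Check whether the CA is already in the System keychain
          # find-certificate exits non-zero when no certificate matches the name
          ansible.builtin.command:
            argv:
              - security
              - find-certificate
              - -c
              - "{{ ca_common_name }}"
              - /Library/Keychains/System.keychain
          register: cert_check
          changed_when: false
          failed_when: false

        - name: Add the CA as a trusted root (macOS prompts for an admin password)
          ansible.builtin.command:
            argv:
              - osascript
              - -e
              - >-
                do shell script "security add-trusted-cert -d -r trustRoot
                -k /Library/Keychains/System.keychain {{ local_ca_cert_path | quote }}"
                with administrator privileges
          when: cert_check.rc != 0

        - name: Verify the CA is trusted for the SSL policy
          # Fails the play if the certificate is in the keychain but not trusted
          ansible.builtin.command:
            argv:
              - security
              - verify-cert
              - -c
              - "{{ local_ca_cert_path }}"
              - -p
              - ssl
          changed_when: false
```

The `delegate_to: localhost` and `become: false` on the block apply to every task in it, so the keychain commands run on the Mac as the logged-in user and the admin prompt is handled by `osascript` rather than by Ansible's `become`. The final `verify-cert` task is the check the original playbook lacks: it distinguishes "the certificate is in the keychain" from "the keychain trusts it for TLS", which is what Chrome and Safari actually consult.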