Introduction to Ansible Transcripts
Chapter: Deployments
Lecture: SSL Certificates with the shell and stat Modules

0:00 All right, so we're making our first few steps towards completing our vision of the full deployment. First step, we set up Namecheap and we pointed it
0:08 to our web server. That way when someone accesses ansibledeploymentexample.com, the domain name
0:14 system refers them to the IP address of our web server. Nginx is not yet configured to handle these requests but that's what we're going to do
0:21 the next few steps. We installed Let's Encrypt as a package on our server but we haven't yet gotten a certificate or set up our Nginx configuration.
0:28 That's our next step here that we need to do. Head back under roles/webserver/tasks. We're going to modify Nginx.
0:37 We're going to want to beef up our custom Nginx configuration. Right now we have that stored as app.conf. Instead of saying app, which is too generic,
0:46 let's use a variable for our app_name. Okay, a few other steps that we want to take here. Nginx comes with a default configuration
0:56 which is why we had a landing page show up when we go directly to the IP address. We want to remove that.
1:13 We also run this step as a superuser. All right, a few more tasks here. We use the shell module to execute the Let's Encrypt command.
1:34 We'll have another variable, fqdn is for fully qualified domain name. We'll be adding that to our variables file.
1:41 We also need a directory for serving up our certificate. I need an email address associated with the SSL certificate. Agree to the terms of service.
2:00 And we need superuser privileges to execute this. One more task and we need to generate a key to use as part of this SSL certificate.
2:07 Again, we'll use the shell module to do this.
2:25 All right, so we got some new tasks here. Now, the one downside of having some of these new tasks is they could take a really long time
2:30 to run, especially if we're trying to generate certificates each time that we want to handle our Ansible playbook.
2:35 There's a couple ways we could handle this. We could create a separate playbook that does this, we run once.
2:39 So something as part of an actual configuration. Or we can basically use if-then conditionals. If we've already generated the certificate
2:46 we know we don't need to do that one again. We can do that with the stat module. So we'll give this a try. And we're basically going to gather our own
2:54 fact about the situation, which is we're going to see if a certificate has already been created. That way we'll know whether the path
3:06 has been created by Let's Encrypt with our fully qualified domain name. So we're registering a variable named certs
3:18 that we can check and we do need to be superuser to check whether that path has been created. And now we can use when, which is equivalent
3:27 to an if conditional in most programming languages and we can say let's only run this command when certificate does not exist.
3:38 We can do the same thing down here. That actually should say not certs, and again not does not exist. So these two tasks will be skipped
3:51 if we've already run this the first time and it's created the files for us. Super-handy to skip long-running steps in your Ansible playbooks.
3:58 With a few extra variables here that we're going to need to include as a part of our playbook so we've got fully qualified domain name,
4:04 got web serve directory, SSL cert email and we have app name. Let's go ahead and add those to our playbook. app_name, Ansible appointment example
4:23 fully qualified domain name is going to be www.ansibledeploymentexample.com. We'll actually surround this by quotes.
4:44 One more web certificate email. We want to put in your email, matthew.makai@gmail.com. We'll have several other variables that we need
4:51 to add in here but this'll be fine for now. We can also upgrade our playbook. So we have a more descriptive database name
5:05 and of course don't forget to change that database password. We'll also modify these two directories. And let's actually change the database name.
5:21 Has to be consistent here. Last deploy and app name. Change of last deploy. Well, user and deploy group the same
5:28 can actually reuse the same SSH key as we had before. And now we just need to get to upgrading our Nginx configuration file before we kick
5:40 this off and try it out again.

