# install "server" type certificate


sleek fjord

Has anyone done a server type certificate install through Ansible? The documentation in https://galaxy.ansible.com/ui/repo/published/netapp/ontap/content/module/na_ontap_security_certificates/?keywords=cer has only examples for "client-ca" type install, which I already have working.

To install a "server" type certificate, the NetApp documentation shows that in the CA-signed certificate scenario you have to install the server certificate, the server private key, and the CA intermediate certificates (usually 2, one intermediate, one root).

So "public_certificate" is the content of the server certificate, "private_key" is the server private key (generated at CSR request). "intermediate_certificates": how do I supply the content? The 2 signing certificates of the chain (intermediate and root)?

Thanks for the help,
John

torn ibex

Hi John,
Checking from our end, will update you.

lethal saffron

Did you try just base64 encoding the certificates and putting them in that list?

torn ibex

Hi John,
Can you please try creating intermediate and root certificate using openssl and import it in ontap?

ripe mortar

The intermediates are expected as a list. Example:

    - netapp.ontap.na_ontap_security_certificates:
        state: present
        name: "{{ cluster }}_{{ '%04X' % cert_details.serial_number }}" # ontap stores cert serial in hex
        common_name: "{{ cluster }}"
        public_certificate: "{{ certificate_pem_string }}"
        private_key: "{{ key_pem_string }}"
        intermediate_certificates:
          - "{{ issuer_cert_pem_string }}"
          - "{{ root_cert_pem_string }}"
        type: server

sleek fjord

I wonder if I don't specify intermediate_certificates, will it still work? Let me test it out.

sleek fjord

If the signing CA certificates are already in the cMode cluster's server-ca type certificates, do we still need to specify intermediate_certificates?

sleek fjord

I've tested installation without supplying "intermediate_certificates", and it seems to work.

However, setting the new certificate to be used as server certificate does not work, even though ansible reported "changed". "security ssl show" still shows the old certificate, and after I delete old certs, connection is lost.

    - name: set install certificate for ssl
      connection: local
      na_ontap_rest_cli:
        <<: *login
        command: "security/ssl"
        verb: "PATCH"
        params:
          vserver: "{{ cluster }}"
          common_name: "{{ cert_info.cn }}"
          serial: "{{ cert_info.serial }}"
          ca: "{{ cert_info.ca }}"
        body:
          server_enabled: true
          client_enabled: true

What could be the issue?

lethal saffron

Ah, you not only need to install the certificate, you also need to tell the web server to use it.

The CLI command is security ssl modify -ca ... -serial ...

And if you don't install the intermediate certificates, your web clients (browsers) might not accept the certificate because they cannot validate the full chain up to the root certificate. You would need to install the intermediate certificate in the client's truststore in that case.

sleek fjord

Right, the above snippet should run the equivalent of "security ssl modify ..." for me, but it made no changes.

sleek fjord

Figured it out. Anything I change needs to be in body. So moving common_name, serial, ca to body works.

lethal saffron

Yeah, your snippet only said "enable SSL", but it was already enabled so it didn't change anything. I didn't even look at the "params" section, as that is used to select the entity to be changed, not to provide the new values 🙂
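Putting the thread's pieces together, here is an added example playbook that is not from the thread, the NetApp documentation or the netapp.ontap collection itself. It covers both open points above: how to hand the CA chain to intermediate_certificates as a list (by splitting a PEM bundle), and the params-versus-body distinction in the security/ssl PATCH. Assumed inputs are the variables cluster_mgmt_ip, ontap_user, ontap_password and cluster, and three PEM files on the control node (server.pem, server.key, chain.pem with the issuing CA first and the root last, the order used in ripe mortar's example). The serial formatting and the use of the issuer CN as the ca value are assumptions taken from the thread, not verified against every ONTAP release.

```yaml
---
# Added example: install a CA-signed server certificate on ONTAP and switch
# the cluster web server to it. Variables and file names are assumptions.
- hosts: localhost
  connection: local
  gather_facts: false
  vars:
    login: &login
      hostname: "{{ cluster_mgmt_ip }}"
      username: "{{ ontap_user }}"
      password: "{{ ontap_password }}"
      https: true
      validate_certs: true      # keep on; the old cert must be trusted by the control node
    cert_file: files/server.pem
    key_file: files/server.key
    chain_file: files/chain.pem
    # Split the chain bundle into one PEM block per CA certificate, which is
    # the list intermediate_certificates expects. Base64 bodies contain no
    # '-', so [^-]+ matches exactly one certificate body at a time.
    chain_certs: "{{ lookup('file', chain_file)
                     | regex_findall('-----BEGIN CERTIFICATE-----[^-]+-----END CERTIFICATE-----') }}"
  tasks:
    - name: Read subject, issuer and serial from the leaf certificate
      community.crypto.x509_certificate_info:
        path: "{{ cert_file }}"
      register: leaf

    - name: Install server certificate, private key and CA chain
      netapp.ontap.na_ontap_security_certificates:
        <<: *login
        state: present
        type: server
        # ONTAP stores the serial in hex (as in ripe mortar's example above)
        name: "{{ cluster }}_{{ '%04X' % leaf.serial_number }}"
        common_name: "{{ leaf.subject.commonName }}"
        public_certificate: "{{ lookup('file', cert_file) }}"
        private_key: "{{ lookup('file', key_file) }}"
        intermediate_certificates: "{{ chain_certs }}"

    - name: Point the web server at the new certificate (security ssl modify)
      netapp.ontap.na_ontap_rest_cli:
        <<: *login
        command: "security/ssl"
        verb: "PATCH"
        # params only selects the row to modify, like -vserver on the CLI ...
        params:
          vserver: "{{ cluster }}"
        # ... body carries the new values. Anything left in params acts as a
        # filter, not a change, which is why the thread's first attempt
        # reported nothing to do.
        body:
          common_name: "{{ leaf.subject.commonName }}"
          serial: "{{ '%04X' % leaf.serial_number }}"
          ca: "{{ leaf.issuer.commonName }}"   # assumed: ONTAP's -ca is the issuer CN
          server_enabled: true
          client_enabled: true
      register: ssl_change

    - name: Show the result of the switch for inspection
      ansible.builtin.debug:
        var: ssl_change
```

After the run, confirm on the cluster with "security ssl show" that the serial and CA now match the new certificate before deleting the old one; the thread's own experience is that deleting first, with the web server still bound to the old certificate, drops the connection.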

ripe mortar

Cluster cert can be changed with the na_ontap_cluster module, but certificate REST UUID is necessary.

    - name: Import new certificate to ONTAP
      netapp.ontap.na_ontap_security_certificates:
        state: present
        name: "foo"
        common_name: "foo"
        ...
        type: server
      register: installed

    - name: Change web server configuration to use new certificate
      netapp.ontap.na_ontap_cluster:
        state: present
        certificate:
          uuid: "{{ installed.ontap_info.records[0].uuid }}"
ripe mortar

I use the community.crypto.x509_certificate_info module.