Hi, I'm trying to automate installing new Let's Encrypt server certs on a FAS8200 running ONTAP version 9.16.1P5, at the cluster level for the admin interface. Currently I'm using the Ansible netapp.ontap collection, but I'd be happy to switch to raw REST/requests or Terraform if that's easier or better. I'm having trouble. Before going into the trouble, can anybody provide, or reference, any examples of installing server certs successfully? All the examples I can find are installing client auth certs, and all my attempts to install server certs have been unsuccessful so far.
Thanks
#Installing server SSL certs
FWIW, here is my playbook. I get Error "unable to get issuer certificate" while verifying the certificate chain at depth 1, even though I've specified the intermediate. Do I need to first create the intermediate on the NetApp, and then create the server cert as a second task?
- name: Install SSL Certificate on NetApp
  hosts: localhost
  connection: local   # don't try to ssh to localhost
  gather_facts: no
  collections:
    - netapp.ontap
  vars:
    ansible_python_interpreter: "{{ playbook_dir }}/venv/bin/python"
    netapp_hostname: "{{ lookup('env', 'NETAPP_HOSTNAME') }}"
    cert_dir: "/etc/letsencrypt/live/{{ netapp_hostname }}"
  tasks:
    - name: Install certificate
      na_ontap_security_certificates:
        state: present
        use_rest: always
        hostname: "{{ netapp_hostname }}"
        username: "{{ lookup('env', 'NETAPP_USERNAME') }}"
        password: "{{ lookup('env', 'NETAPP_PASSWORD') }}"
        name: "{{ netapp_hostname }}"
        type: server
        common_name: "{{ netapp_hostname }}"
        public_certificate: "{{ lookup('file', cert_dir + '/cert.pem') }}"
        private_key: "{{ lookup('file', cert_dir + '/privkey.pem') }}"
        intermediate_certificates: "{{ lookup('file', cert_dir + '/chain.pem') }}"
        # The very first time you connect to a system, you'll need this to be `false` to prevent
        # cert checking while connecting to https://netapp_hostname. After a valid cert is installed
        # once, you can always assume there's a valid cert present.
        # validate_certs: false
@torpid lark You can find the server certificate installation details in the module examples; the intermediate certificate should be passed as a list of certificates.
PFA
Thanks! I got the cert uploaded, but now I have a new problem. There doesn't seem to be any Ansible way to activate the new cert. The only solution I can find is using na_ontap_command, basically to get a command line.
Even if that's the best option available, I'm surprised you have to specify the CA, and serial of your cert. You can't just specify the name of the cert that was just uploaded a minute ago.
Is this really the best way?
- name: Enable server certificate on vserver
  netapp.ontap.na_ontap_command:
    commands:
      - security ssl modify -vserver vs0 -ca www.example.com -serial 4F4EB629 -server-enabled true
    hostname: "{{ netapp_hostname }}"
    username: "{{ netapp_username }}"
    password: "{{ netapp_password }}"
    validate_certs: false
@torpid lark Could you please check the na_ontap_svm module. There is an option to set web services.
It seems like this should do it, but I can't find any examples online, can't find a way to confirm if I should use a blank string for the name, and I'm very hesitant to just experiment on the production storage.
- name: Set new certificate as active for cluster management
  netapp.ontap.na_ontap_svm:
    hostname: "{{ netapp_hostname }}"
    username: "{{ netapp_username }}"
    password: "{{ netapp_password }}"
    use_rest: always
    name: ""   # empty for cluster/admin SVM
    web:
      certificate: "{{ netapp_hostname + '_' + new_cert_hash }}"
The cluster certificate is activated with the na_ontap_cluster module. You need the certificate UUID, which is returned by the na_ontap_security_certificates module on install.
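Putting the two answers together (intermediates as a list; activate by UUID rather than by CA/serial) in the raw REST form the original poster said they would accept, here is an added example; it is not code from this thread, from the netapp.ontap collection, or from NetApp. It uses only the Python standard library so it runs without the collection. Assumptions, not confirmed by the thread: that POST /api/security/certificates with ?return_records=true echoes the created record including its uuid, that omitting svm makes the certificate cluster-scoped (admin SVM), that PATCH /api/cluster with {"certificate": {"uuid": ...}} is the REST equivalent of what na_ontap_cluster does, and the NETAPP_* environment variables and /etc/letsencrypt/live paths from the playbook above. The chain sample is constructed dummy PEM text, not real certificates.

```python
"""Install a Let's Encrypt server cert on an ONTAP cluster and activate it for
the cluster-management interface over the ONTAP REST API (stdlib only).

Assumed (see lead-in): POST /api/security/certificates?return_records=true
echoes the record with its uuid; no 'svm' key => cluster-scoped cert;
PATCH /api/cluster {"certificate": {"uuid": ...}} activates it.
"""
import base64
import json
import os
import re
import ssl
import urllib.request
from urllib.parse import urlencode

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed stand-in for /etc/letsencrypt/live/<host>/chain.pem: two dummy
# PEM blocks (not real certificates) so the splitting logic runs offline.
SAMPLE_CHAIN_PEM = (
    "-----BEGIN CERTIFICATE-----\nMIIBdummyIntermediateR3\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBdummyRootISRGX1\n-----END CERTIFICATE-----\n"
)


def split_pem_chain(chain_pem: str) -> list:
    """One PEM string per certificate: intermediate_certificates is a list, so
    chain.pem must be split rather than passed as a single string."""
    return [m.group(0) + "\n" for m in PEM_CERT.finditer(chain_pem)]


def build_install_payload(name, cert_pem, key_pem, chain_pem):
    """JSON body for installing an existing server cert (no 'svm' => cluster scope)."""
    intermediates = split_pem_chain(chain_pem)
    if not intermediates:
        raise ValueError("chain.pem contains no PEM certificate blocks")
    return {
        "name": name,
        "type": "server",
        "common_name": name,  # as in the playbook above
        "public_certificate": cert_pem,
        "private_key": key_pem,
        "intermediate_certificates": intermediates,
    }


class OntapRest:
    """Minimal ONTAP REST client: basic auth, JSON, TLS verified by default."""

    def __init__(self, host, username, password, cafile=None, verify=True):
        self.base = f"https://{host}/api"
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Accept": "application/json",
                        "Content-Type": "application/json"}
        # Relax verification only for the very first install (the playbook's
        # validate_certs: false); afterwards verify, optionally against cafile.
        self.ctx = ssl.create_default_context(cafile=cafile)
        if not verify:
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def request(self, method, path, body=None, params=None):
        url = self.base + path + ("?" + urlencode(params) if params else "")
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}


def install_server_certificate(api, name, cert_pem, key_pem, chain_pem):
    """POST the cert and return its uuid; fall back to a lookup by name, so the
    CA/serial the CLI needs is never required."""
    body = build_install_payload(name, cert_pem, key_pem, chain_pem)
    resp = api.request("POST", "/security/certificates", body=body,
                       params={"return_records": "true"})
    records = resp.get("records") or []
    if not records or "uuid" not in records[0]:
        resp = api.request("GET", "/security/certificates",
                           params={"name": name, "type": "server", "fields": "uuid"})
        records = resp.get("records") or []
    if len(records) != 1:
        raise RuntimeError(f"expected exactly one server cert named {name!r}, got {records}")
    return records[0]["uuid"]


def activate_cluster_certificate(api, uuid):
    """Make this certificate the one presented by the cluster-management LIF."""
    return api.request("PATCH", "/cluster", body={"certificate": {"uuid": uuid}})


if __name__ == "__main__":
    host = os.environ["NETAPP_HOSTNAME"]
    live = f"/etc/letsencrypt/live/{host}"

    def read(fn):
        with open(os.path.join(live, fn)) as fh:
            return fh.read()

    api = OntapRest(host, os.environ["NETAPP_USERNAME"], os.environ["NETAPP_PASSWORD"],
                    verify=os.environ.get("NETAPP_VALIDATE_CERTS", "1") != "0")
    cert_uuid = install_server_certificate(api, host, read("cert.pem"),
                                           read("privkey.pem"), read("chain.pem"))
    print("installed", cert_uuid, "activate ->", activate_cluster_certificate(api, cert_uuid))
```

Two practical points for an automated renewal loop: certificate names must be unique on the array, so give each renewed cert a distinct name (for example the hostname plus the notAfter date, which is what the `new_cert_hash` suffix in the playbook above is doing) and delete the previous one only after the new one is active; and after the PATCH, reconnect once with verification on to confirm the management interface really presents the new chain before the job is declared done.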