TLSA with Ansible
Generate TLSA records in your coffee break
Here's a fast way to generate TLSA records using Ansible. The snippets below will collect the relevant information and show you how you could update DNS within the same playbook.
I'm using the SPKI field to generate the records because that's trivial to extract using core Ansible modules.
```yaml
---
- name: Collect certificate information for DV certificate
  openssl_certificate_info:
    path: /etc/certificates/example.com.crt
  register: dv_cert_info
  tags:
    - end_entity

# 3 = DANE-EE (the end-entity certificate itself), 1 = SPKI selector, 1 = SHA-256
- name: Generate TLSA value for DV with SPKI and sha256 hash
  set_fact:
    ee_tlsa: "3 1 1 {{ dv_cert_info.public_key_fingerprints.sha256 | replace(':','') }}"
  tags:
    - end_entity

# This file should hold the single CA certificate you intend to publish as the trust anchor.
- name: Collect certificate information for TA certificate
  openssl_certificate_info:
    path: /etc/certificates/chain.crt
  register: ta_cert_info
  tags:
    - trust_anchor

# 2 = DANE-TA (an issuing CA in the chain), 1 = SPKI selector, 1 = SHA-256
- name: Generate TLSA value for TA with SPKI and sha256 hash
  set_fact:
    ta_tlsa: "2 1 1 {{ ta_cert_info.public_key_fingerprints.sha256 | replace(':','') }}"
  tags:
    - trust_anchor
```
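As an added cross-check (my own code, not from the original post or from Ansible), here is a stand-alone Python script that derives the same selector 1 / matching type 1 value directly from a certificate's DER, shows that it equals what the colon-separated fingerprint returned by openssl_certificate_info produces, and verifies a published record against a deployed certificate. It carries a minimal DER walker and a constructed sample certificate so it runs offline; all function and sample names are mine.

```python
import hashlib

def der(tag, content):
    """Encode one DER TLV; only used to build the constructed sample certificate below."""
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (lb if len(content) < 0x80 else bytes([0x80 | len(lb)]) + lb) + content

def der_read(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, value, end_pos). Handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def spki_from_cert(cert_der):
    """DER SubjectPublicKeyInfo (what selector 1 hashes): 6th tbsCertificate field after the optional [0] version."""
    _, tbs, _ = der_read(der_read(cert_der)[1])
    fields, pos = [], 0
    while len(fields) < 6:
        start = pos
        tag, _, pos = der_read(tbs, pos)
        if tag == 0xA0 and not fields:  # explicit [0] version tag (v2/v3 certificates): skip it
            continue
        fields.append(tbs[start:pos])  # serial, signature, issuer, validity, subject, SPKI
    return fields[5]

def tlsa_rdata(cert_der, usage):
    """'<usage> 1 1 <sha256(SPKI)>': usage 3 = DANE-EE (end entity), 2 = DANE-TA (trust anchor)."""
    return f"{usage} 1 1 {hashlib.sha256(spki_from_cert(cert_der)).hexdigest()}"

def tlsa_from_ansible_fingerprint(usage, fingerprint):
    """Same value built from openssl_certificate_info's public_key_fingerprints.sha256 (colon-separated)."""
    return f"{usage} 1 1 {fingerprint.replace(':', '').lower()}"

def tlsa_matches(rdata, cert_der):
    """Check a published '<u> 1 1 <hex>' record against the certificate actually deployed."""
    _usage, selector, mtype, data = rdata.split()
    if (selector, mtype) != ("1", "1"):
        raise ValueError("only selector 1 (SPKI) with matching type 1 (SHA-256) is handled here")
    return data.lower() == hashlib.sha256(spki_from_cert(cert_der)).hexdigest()

# Constructed sample: an SPKI with a fake 64-byte EC point, wrapped in minimal v3- and v1-shaped certificates.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201"))) + der(0x03, b"\x00\x04" + b"\x11" * 64))
_TBS_TAIL = der(0x02, b"\x01") + der(0x30, b"") * 4 + SAMPLE_SPKI  # serial, sigalg, issuer, validity, subject, SPKI
SAMPLE_CERT_V3 = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + _TBS_TAIL) + der(0x30, b"") + der(0x03, b"\x00"))
SAMPLE_CERT_V1 = der(0x30, der(0x30, _TBS_TAIL) + der(0x30, b"") + der(0x03, b"\x00"))
# What the Ansible filter chain in the playbook sees: upper-case hex pairs separated by colons.
SAMPLE_ANSIBLE_FP = ":".join(f"{b:02X}" for b in hashlib.sha256(SAMPLE_SPKI).digest())
```

Point `tlsa_matches` at the certificate a host really serves (DER bytes) and at the record you published to catch the case where DNS and the deployed certificate have drifted apart.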
Is that all?
With the records generated you can now use Ansible to update DNS or write them out for another process to do that. I'll update DNS:
```yaml
- name: Add HTTPS TLSA record to DNS
  vars:
    record: '_443._tcp.example.com.'
  nsupdate:
    key_name: 'tsig_key'
    key_secret: '1234567890'  # placeholder TSIG secret; keep the real one in a vault, not in the playbook
    key_algorithm: 'hmac-sha256'
    server: 'ns1-primary.example.com'
    record: "{{ record }}"
    type: "TLSA"
    value: "{{ [ee_tlsa, ta_tlsa] }}"  # value takes a list, so both records are published under one name
    ttl: "60"
```
Next Steps:
Each service that you publish a TLSA record for should already be serving the certificates whose hashes you have just added to DNS.
I'll post more articles about glueing this together into a sensible collection of playbooks soon.
Update: it's here: Practical TLSA