Today I'll walk through, hands-on, how to install a certificate on an IIS web site on a Windows server using Ansible.
Prerequisites:
A PFX certificate. You can generate one with the openssl tool; see the help documentation for the detailed steps.
A Windows server with IIS installed.
Prepare the inventory file
[windows]
solarwinds ansible_host=20.47.126.72 ansible_winrm_transport=ntlm
[windows:vars]
ansible_user=azureuser
ansible_password=<yourpassword>
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
Replace the host name and IP address with your own.
Define the variables file vars.yaml used by the playbook
---
certificate_source_path: "/Users/ninjamac/ansible"
# Single quotes keep the backslashes literal; in a double-quoted YAML string "\T" is an invalid escape
certificate_target_path: 'C:\Temp\cert'
certificate_name: "mycert"
certificate_password: "cert export password"
certificate_file_extension: "pfx"
store_name: "My"
# Map of site name -> port that the HTTPS binding should use
iis_site_ports:
  Site_XYZ: 443
  Site_ABC: 81
iis_target_website_names:
  - Site_XYZ
  - Site_ABC
Replace certificate_source_path and certificate_target_path with your own actual paths. We define a dictionary, iis_site_ports, that maps each site name to the port it should be bound on.
Create the playbook
1. Copy the SSL certificate file to the server
- name: Copy SSL certificate file to server
  win_copy:
    src: "{{ certificate_source_path }}/{{ certificate_name }}.{{ certificate_file_extension }}"
    # Single-quoted so the Windows path separator is not parsed as a YAML escape
    dest: '{{ certificate_target_path }}\{{ certificate_name }}.{{ certificate_file_extension }}'
This task uses the Ansible win_copy module to transfer the SSL certificate file from the specified source location to the destination on the target Windows server. Variable paths for both source and destination keep the playbook dynamic and adaptable to different environments.
2. Import the password-protected PFX certificate
- name: Import pfx certificate that is password protected
  ansible.windows.win_certificate_store:
    path: C:\Temp\cert\mycert.pfx
    state: present
    # Must be quoted: a bare {{ ... }} is parsed by YAML as a flow mapping
    password: "{{ certificate_password }}"
    store_location: LocalMachine
    # Must match the certificate_store_name used by the binding task below
    store_name: "{{ store_name }}"
  # The thumbprint of the imported certificate is needed for the binding task
  register: imported_certificate
This task uses the win_certificate_store module to import the PFX certificate into the Windows certificate store. The certificate is identified by its file path and requires the password to be read. It is essential to import the certificate into the correct store location and store name so that IIS can use it for the HTTPS binding.
3. Debug the imported certificate
- name: Debug Imported Certificate
  debug:
    var: imported_certificate
After the import, this debug task prints the information about the imported certificate, which helps verify that the operation succeeded. It is very useful for troubleshooting any problems that arise during the import.
4. Bind the certificate to the websites (except the Default Web Site)
- name: Bind Certificate to Websites (except Default Web Site)
  win_iis_webbinding:
    name: "{{ item.key }}"
    certificate_hash: "{{ imported_certificate.thumbprints[0] }}"
    certificate_store_name: "{{ store_name }}"
    protocol: https
    port: "{{ item.value }}"
    state: present
  # Iterate over the site -> port map; item.key is the site name, item.value the port
  loop: "{{ iis_site_ports | dict2items }}"
This key task binds the imported SSL certificate to the specified IIS websites (except the Default Web Site). It uses the win_iis_webbinding module and loops over the dictionary of IIS site names and their associated ports. For each site it supplies the necessary parameters, such as the certificate hash and the protocol (HTTPS), to ensure the SSL certificate is applied correctly.
5. Restart the websites (except the Default Web Site)
- name: Restart Websites (except Default Web Site)
  win_iis_website:
    name: "{{ item }}"
    state: started
  when: "item != 'Default Web Site'"
  loop: "{{ iis_target_website_names }}"
Finally, the playbook includes a task that restarts the specified IIS websites to apply the newly configured SSL bindings. It uses the win_iis_website module, and the condition ensures the Default Web Site is excluded from the restart.
The complete playbook is as follows:
---
- name: Install SSL Certificate on Windows Server
  hosts: solarwinds
  vars_files:
    - vars.yaml
  tasks:
    - name: Copy SSL certificate file to server
      win_copy:
        src: "{{ certificate_source_path }}/{{ certificate_name }}.{{ certificate_file_extension }}"
        # Single-quoted so the Windows path separator is not parsed as a YAML escape
        dest: '{{ certificate_target_path }}\{{ certificate_name }}.{{ certificate_file_extension }}'

    - name: Import pfx certificate that is password protected
      ansible.windows.win_certificate_store:
        path: C:\Temp\cert\mycert.pfx
        state: present
        # Must be quoted: a bare {{ ... }} is parsed by YAML as a flow mapping
        password: "{{ certificate_password }}"
        store_location: LocalMachine
        # Must be the same store the binding task references (store_name = My);
        # importing into TrustedPublisher would leave the binding unable to find the certificate
        store_name: "{{ store_name }}"
      register: imported_certificate

    - name: Debug Imported Certificate
      debug:
        var: imported_certificate

    - name: Bind Certificate to Websites (except Default Web Site)
      win_iis_webbinding:
        name: "{{ item.key }}"
        certificate_hash: "{{ imported_certificate.thumbprints[0] }}"
        certificate_store_name: "{{ store_name }}"
        protocol: https
        port: "{{ item.value }}"
        state: present
      loop: "{{ iis_site_ports | dict2items }}"

    - name: Restart Websites (except Default Web Site)
      win_iis_website:
        name: "{{ item }}"
        state: started
      when: "item != 'Default Web Site'"
      loop: "{{ iis_target_website_names }}"
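As an added post-deployment check (my own addition, not part of the original playbook), the following tasks can be appended under tasks: after the restart task. They assume the imported_certificate register and the vars.yaml variables from above, and use the ansible.windows.win_powershell module to confirm the certificate in LocalMachine\My carries a private key and is not near expiry, and that every target site's HTTPS binding points at exactly that thumbprint.

```yaml
- name: Inspect the imported certificate in the LocalMachine\My store
  ansible.windows.win_powershell:
    script: |
      param($Thumbprint)
      # Get-Item throws if the thumbprint is not present in the store the bindings reference
      $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
      $Ansible.Result = @{
        subject         = $cert.Subject
        has_private_key = $cert.HasPrivateKey
        days_left       = [int]($cert.NotAfter - (Get-Date)).TotalDays
      }
    parameters:
      Thumbprint: "{{ imported_certificate.thumbprints[0] }}"
  register: cert_check
  changed_when: false

- name: Fail if the certificate cannot serve TLS or is about to expire
  ansible.builtin.assert:
    that:
      - cert_check.result.has_private_key
      - cert_check.result.days_left > 30   # assumed threshold, adjust to your renewal policy
    fail_msg: "{{ cert_check.result.subject }} has no private key or expires in {{ cert_check.result.days_left }} days"

- name: Read the https binding of each target site
  ansible.windows.win_powershell:
    script: |
      param($Site, $Port)
      Import-Module WebAdministration
      $b = Get-WebBinding -Name $Site -Protocol https -Port $Port | Select-Object -First 1
      $hash = ""; $store = ""
      if ($b) { $hash = [string]$b.certificateHash; $store = [string]$b.certificateStoreName }
      $Ansible.Result = @{ hash = $hash; store = $store }
    parameters:
      Site: "{{ item.key }}"
      Port: "{{ item.value }}"
  loop: "{{ iis_site_ports | dict2items }}"
  register: binding_check
  changed_when: false

- name: Fail if any site is not bound to the freshly imported certificate
  ansible.builtin.assert:
    that:
      - item.result.hash | upper == imported_certificate.thumbprints[0] | upper
      - item.result.store == store_name
    fail_msg: "{{ item.item.key }}:{{ item.item.value }} is bound to '{{ item.result.hash }}' in store '{{ item.result.store }}'"
  loop: "{{ binding_check.results }}"
```

A binding whose certificateHash differs from the imported thumbprint usually means an older certificate is still being served on that port, which is exactly the case a silent run of the playbook above would not reveal.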
Run the playbook
(base) ninjamac@ninjamacdeMacBook-Air ansible % ansible-playbook --extra-vars "@vars.yaml" -i inventory.ini installcertoniis.yaml