Try SpotterManage self-signed device certificates
| "added in version" 1.0.0 of f5networks.f5_modules"
Authors: Wojciech Wypior (@wojtek0806)
Install with ansible-galaxy collection install f5networks.f5_modules:==1.28.0
collections:
- name: f5networks.f5_modules
version: 1.28.0Module used to create and/or renew self-signed device certificates for BIG-IP.
- name: Update expired certificate
bigip_device_certificate:
days_valid: 365
provider:
password: secret
server: lb.mydomain.com
user: admin
transport: cli
server_port: 22
delegate_to: localhost
- name: Update expired certificate non-default names
bigip_device_certificate:
days_valid: 60
cert_name: custom.crt
key_name: custom.key
provider:
password: secret
server: lb.mydomain.com
user: admin
transport: cli
server_port: 22
delegate_to: localhost
- name: Force update not expired certificate
bigip_device_certificate:
days_valid: 365
force: true
provider:
password: secret
server: lb.mydomain.com
user: admin
transport: cli
server_port: 22
delegate_to: localhost
- name: Create a new certificate to replace expired certificate
bigip_device_certificate:
days_valid: 365
new_cert: true
issuer:
country: US
state: WA
common_name: foobar.foo.local
provider:
password: secret
server: lb.mydomain.com
user: admin
transport: cli
server_port: 22
delegate_to: localhost
- name: Force create a new custom named certificate to replace not expired certificate
bigip_device_certificate:
days_valid: 365
cert_name: custom.crt
key_name: custom.key
new_cert: true
force: true
issuer:
country: US
state: WA
common_name: foobar.foo.local
key_size: 2048
provider:
password: secret
server: lb.mydomain.com
user: admin
transport: cli
server_port: 22
delegate_to: localhost
force:
default: false
description:
- When C(true), will update or overwrite the existing certificate when it is not expired
on the device.
- When C(false), the certificate will only be updated/overwritten if expired.
- Generally should be C(true) only in cases where you need to update certificate that
is about to expire.
- This option is also needed when generating a new certificate to replace non-expired
one.
type: bool
issuer:
description:
- Certificate properties, required when generating new certificates.
suboptions:
common_name:
description:
- Specifies the Common Name attribute for the certificate.
type: str
country:
description:
- Specifies the Country name attribute for the certificate.
type: str
division:
description:
- Specifies the department name attribute for the certificate.
type: str
email:
description:
- Specifies the email address of the domain administrator.
type: str
locality:
description:
- Specifies the city or town name for the certificate.
type: str
organization:
description:
- Specifies the Organization attribute for the certificate.
type: str
state:
description:
- Specifies the State or Province attribute for the certificate.
type: str
type: dict
key_name:
default: server.key
description:
- Specifies the full name of the key file.
- If the name is not default C(server.key), the module will configure C(httpd) to
use them prior to restarting the C(httpd) daemon.
type: str
key_size:
choices:
- 512
- 1024
- 2048
- 4096
default: 2048
description:
- Specifies the desired key size in bits.
- Mandatory option when generating a new certificate.
type: int
new_cert:
default: false
description:
- Specifies if the module should generate a new certificate.
- When C(true), the device certificate and key will be replaced.
type: bool
provider:
description:
- A dict object containing connection details.
suboptions:
auth_provider:
description:
- Configures the auth provider for to obtain authentication tokens from the remote
device.
- This option is really used when working with BIG-IQ devices.
type: str
no_f5_teem:
default: false
description:
- If C(yes), TEEM telemetry data is not sent to F5.
- You may omit this option by setting the environment variable C(F5_TELEMETRY_OFF).
- Previously used variable C(F5_TEEM) is deprecated as its name was confusing.
type: bool
password:
aliases:
- pass
- pwd
description:
- The password for the user account used to connect to the BIG-IP.
- You may omit this option by setting the environment variable C(F5_PASSWORD).
required: true
type: str
server:
description:
- The BIG-IP host.
- You may omit this option by setting the environment variable C(F5_SERVER).
required: true
type: str
server_port:
default: 22
description:
- The BIG-IP server port.
- You may omit this option by setting the environment variable C(F5_SERVER_PORT).
type: int
ssh_keyfile:
description:
- Specifies the SSH keyfile to use to authenticate the connection to the remote
device. This argument is only used for I(cli) transports.
- You may omit this option by setting the environment variable C(ANSIBLE_NET_SSH_KEYFILE).
type: path
timeout:
description:
- Specifies the timeout in seconds for communicating with the network device for
either connecting or sending commands. If the timeout is exceeded before the
operation is completed, the module will error.
type: int
transport:
choices:
- cli
default: cli
description:
- Configures the transport connection to use when connecting to the remote device.
type: str
user:
description:
- The username to connect to the BIG-IP with. This user must have administrative
privileges on the device.
- You may omit this option by setting the environment variable C(F5_USER).
required: true
type: str
validate_certs:
default: true
description:
- If C(no), SSL certificates are not validated. Use this only on personally controlled
sites using self-signed certificates.
- You may omit this option by setting the environment variable C(F5_VALIDATE_CERTS).
type: bool
type: dict
version_added: 1.0.0
version_added_collection: f5networks.f5_modules
cert_name:
default: server.crt
description:
- Specifies the full name of the certificate file.
- If the name is not default C(server.crt), the module will configure C(httpd) to
use them prior to restarting the C(httpd) daemon.
type: str
days_valid:
description:
- Specifies the interval for which the self-signed certificate is valid.
- 'The maximum value is 25 years: C(9125) days'
required: true
type: int
add_to_trusted:
default: false
description:
- Specifies if the certificate should be added to the trusted client and server certificate
files.
type: bool
cert_name:
description: The full name of the certificate file.
returned: changed
sample: common.crt
type: str
days_valid:
description: The interval for which the self-signed certificate is valid.
returned: changed
sample: 365
type: int
issuer:
contains:
common_name:
description: The Common Name attribute of the certificate.
returned: changed
sample: foo.bar.local
type: str
country:
description: The Country name attribute of the certificate.
returned: changed
sample: US
type: str
division:
description: The department name attribute of the certificate.
returned: changed
sample: IT
type: str
email:
description: The domain administrator's email address.
returned: changed
sample: admin@foo.bar.local
type: str
locality:
description: The city or town name attribute of the certificate.
returned: changed
sample: Seattle
type: str
organization:
description: The Organization attribute of the certificate.
returned: changed
sample: F5
type: str
state:
description: The State or Province attribute of the certificate.
returned: changed
sample: WA
type: str
description: Specifies certificate properties.
returned: changed
type: complex
key_name:
description: The full name of the key file.
returned: changed
sample: common.key
type: str
key_size:
description: The desired key size in bits.
returned: changed
sample: 2048
type: int