Using Ansible To Manage Trust-Point Certificates In Cisco ASA
For some time now I have been looking for a way to integrate Let's Encrypt (LE) with my Cisco ASA and use LE to issue the certificates for the VPN. Ansible's network modules are now in a good enough place to allow this without much trouble.
I won't go over how I issue/renew the certificates; I will just mention that I use the DNS alias option, which I find the most useful, since it doesn't require me to punch holes in my firewall to allow incoming connections for validating the requests.
My playbook looks like this:
---
# see:
# - https://docs.ansible.com/ansible/latest/modules/asa_config_module.html
# - https://docs.ansible.com/ansible/latest/modules/asa_command_module.html
- name: Config CiscoASA
  hosts: CiscoASA
  connection: network_cli
  gather_facts: false
  become: true
  become_method: enable
  vars:
    ansible_network_os: asa   # network_cli needs this to pick the ASA terminal/cliconf plugin
    ansible_user: ansible
    ansible_password: "in line or use vault!"
    cert_file: "vpn.pfx"
    cert_pass: "in line or use vault!"
    config_file: "asa.conf"
  tasks:
    - name: Get Certificate
      # base64 the PKCS#12, cut it into 64-character lines (what the ASA terminal
      # import expects) and terminate the block with "quit"
      set_fact:
        cert: >
          {{ (lookup('file', cert_file) | b64encode | regex_replace('(.{1,64})', '\1|')).split('|') | list + [ 'quit' ] }}
      tags: [ cert ]
    - name: Create A TrustPoint
      asa_config:
        lines:
          - crypto ca trustpoint SSL-Trustpoint-Ansible
        after:
          - enrollment terminal
    - name: Import A New Certificate Into The TrustPoint
      asa_config:
        replace: block
        parents: "crypto ca import SSL-Trustpoint-Ansible pkcs12 {{ cert_pass }} nointeractive"
        lines: "{{ cert }}"
      notify:
        - Set SSL Trust-Point
  handlers:
    - name: Set SSL Trust-Point
      asa_config:
        save: true
        lines:
          - ssl trust-point SSL-Trustpoint-Ansible inside
          - ssl trust-point SSL-Trustpoint-Ansible outside
Extra
Generate PFX from Cert and Key
#!/bin/bash
set -euo pipefail
CA=ca.cer        # or fullchain.cer
CER=vpn.cer
KEY=vpn.key
OUT=vpn.pfx
# Bundle the private key, the leaf certificate and the CA chain into one PKCS#12 file;
# openssl prompts for the export password, which becomes cert_pass in the playbook
openssl pkcs12 -export \
  -inkey "${KEY}" \
  -in "${CER}" \
  -certfile "${CA}" \
  -out "${OUT}"
ok so I'm trying to run this script as you have it, running into the following issue. I had an issue with the ">" but removed the ";"
The offending line appears to be:
cert: >
  " {{ (lookup('file', cert_file) | b64encode | regex_replace('(.{1,510})', '\1|')).split('|') | list }} "
  ^ here
I fixed the code a bit (WordPress was messing with the encoding), try again.
thank you, that fixed that piece. Last part I’m running into is below, might be related to the setup I have
MSG:
An unhandled exception occurred while running the lookup plugin 'file'. Error was a , original message: 'utf8' codec can't decode byte 0x82 in position 1: invalid start byte
That seems to be a problem with the Ansible `file` filter; try googling the error. From what I found there are some issues on the GitHub page for Ansible about this subject.
* https://github.com/ansible/ansible/issues/41146
* https://github.com/ansible/ansible/issues/43667
* https://github.com/ansible/ansible/issues/23903
Also check the new section I added called "Generate PFX from Cert and Key" for how I create the pfx file to load.
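The transformation the playbook's `cert` fact performs, and the reason the `file` lookup chokes on a PKCS#12, as an added Python example (not code from the post or from Ansible): it reads the .pfx as bytes, base64-encodes it, splits it into 64-character lines and appends the `quit` sentinel, then renders the same CLI block the two asa_config tasks send. `SAMPLE_PFX` is constructed bytes shaped like a DER header, not a real bundle; `decodes_as_utf8` only reproduces the text-decode step that fails in the error above. The trustpoint name is the one used in the playbook.

```python
"""Build the ASA 'crypto ca import ... pkcs12' terminal block from a PKCS#12 file.

Added example, not from the original post. It mirrors the playbook's `cert` fact
(base64 -> 64-char lines -> 'quit') but reads the file as bytes, so it does not
hit the "'utf8' codec can't decode byte 0x82" error of a text-mode read.
"""
import base64
from pathlib import Path
from typing import List

LINE_WIDTH = 64                       # same chunk size as regex_replace('(.{1,64})', '\\1|')
TRUSTPOINT = "SSL-Trustpoint-Ansible" # trustpoint name used in the playbook above

# Constructed sample: starts like a DER-encoded PKCS#12 (0x30 0x82 ...) followed by
# arbitrary bytes. It is NOT a real certificate bundle; it only reproduces the shape.
SAMPLE_PFX = bytes([0x30, 0x82, 0x0B, 0x3F, 0x02, 0x01, 0x03]) + bytes(range(256)) * 3


def decodes_as_utf8(data: bytes) -> bool:
    """Return True if `data` survives a UTF-8 text decode.

    DER starts with 0x30 0x82; 0x82 is a UTF-8 continuation byte, never a start byte,
    which is exactly the "can't decode byte 0x82 in position 1" failure from a text read.
    """
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def pkcs12_to_terminal_lines(pkcs12_bytes: bytes, width: int = LINE_WIDTH) -> List[str]:
    """base64 -> fixed-width lines -> 'quit' sentinel.

    Same result as the playbook's `cert` fact, minus the trailing empty element
    that split('|') leaves after the last separator.
    """
    b64 = base64.b64encode(pkcs12_bytes).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return lines + ["quit"]


def terminal_lines_to_pkcs12(lines: List[str]) -> bytes:
    """Inverse of pkcs12_to_terminal_lines, used to check the encoding round-trips."""
    body = "".join(line for line in lines if line != "quit")
    return base64.b64decode(body)


def render_import_block(pkcs12_bytes: bytes, passphrase: str, trustpoint: str = TRUSTPOINT) -> str:
    """Render the ASA CLI the 'Create A TrustPoint' and 'Import ...' tasks push."""
    cli = [
        f"crypto ca trustpoint {trustpoint}",
        " enrollment terminal",
        f"crypto ca import {trustpoint} pkcs12 {passphrase} nointeractive",
    ]
    cli += pkcs12_to_terminal_lines(pkcs12_bytes)
    return "\n".join(cli) + "\n"


def load_pfx(path: str) -> bytes:
    """Read the PKCS#12 as bytes; a text-mode read is what breaks in the lookup."""
    return Path(path).read_bytes()


if __name__ == "__main__":
    print("text decode succeeds:", decodes_as_utf8(SAMPLE_PFX))
    print(render_import_block(SAMPLE_PFX, "<pfx-password-placeholder>"))
```

One way to avoid the text decode inside the playbook itself, not taken from the post, is to base64-encode the file before Ansible reads it, for example with `lookup('pipe', 'base64 -w0 ' ~ cert_file)` on a host with GNU coreutils, and then apply the same line splitting to that string.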
thank you!
What version of Python are you using?
Thanks for the reply, I successfully ran the playbook using Python3.
I am also running into the same error.