Using Ansible To Manage Trust-Point Certificates In Cisco ASA

For some time now, I was looking for a way to Integrate Let’s Encrypt (LE) with My Cisco ASA, and use LE to issue the certificates for the VPN. And now Ansible is in a good place with its Network Modules to allow this without much of a problem.

I won’t go over the procedure of how I issue/renew the certificates, I will just mention that I use the DNS alias option, as I find it the most useful option, as it doesn’t require me to punch holes in my firewall to allow incoming connection to validate the requests.

My Playbook looks like this,

---
# see:
# - https://docs.ansible.com/ansible/latest/modules/asa_config_module.html
# - https://docs.ansible.com/ansible/latest/modules/asa_command_module.html

- name: Config CiscoASA
  hosts: CiscoASA
  connection: network_cli
  gather_facts: false
  become: true
  become_method: enable
  vars:
    ansible_user: ansible
    ansible_password: "in line or use vault!"
    cert_file: "vpn.pfx"
    cert_pass: "in line or use vault!"
    config_file: "asa.conf"

  tasks:

    - name: Get Certificate
      set_fact:
        cert: >
          {{ (lookup('file', cert_file) | b64encode | regex_replace('(.{1,64})', '\1|')).split('|') | list + [ 'quit' ] }}
      tags: [ cert ]

    - name: Create A TrustPoint
      asa_config:
        lines:
          - crypto ca trustpoint SSL-Trustpoint-Ansible
        after:
          - enrollment terminal

    - name: Import A New Certificate Into The TrustPoint
      asa_config:
        replace: block
        parents: "crypto ca import SSL-Trustpoint-Ansible pkcs12 {{ cert_pass }} nointeractive"
        lines: "{{ cert }}"
      notify:
        - Set SSL Trust-Point

  handlers:

    - name: Set SSL Trust-Point
      asa_config:
        save: true
        lines:
          - ssl trust-point SSL-Trustpoint-Ansible inside
          - ssl trust-point SSL-Trustpoint-Ansible outside

Extra

Generate PFX from Cert and Key

#!/bin/bash

CA=ca.cer
#fullchain.cer
CER=vpn.cer
KEY=vpn.key
OUT=vpn.pfx

openssl pkcs12 -export \
-inkey ${KEY} \
-in ${CER} \
-certfile ${CA} \
-out ${OUT}

You may also like...

9 Responses

  1. James A Sumitra says:

    ok so I’m trying to run this script as you have it, running into the following issue. I had an issue with the %gt; but removed the “;”

    The offending line appears to be:

    cert: &gt
    ” {{ (lookup(‘file’, cert_file) | b64encode | regex_replace(‘(.{1,510})’, ‘\1|’)).split(‘|’) | list }} ”
    ^ here

  2. James Sumitra says:

    thank you, that fixed that piece. Last part I’m running into is below, might be related to the setup I have

    MSG:

    An unhandled exception occurred while running the lookup plugin 'file'. Error was a , original message: 'utf8' codec can't decode byte 0x82 in position 1: invalid start byte

  3. Joshua Holbert says:

    I am also running into the same error.

    Error was a , original message: ''utf8'' codec can''t decode byte 0x82 in position 1: invalid start byte'

Leave a Reply

Your email address will not be published. Required fields are marked *