Using Ansible To Manage Trust-Point Certificates In Cisco ASA
For some time now, I was looking for a way to Integrate Let’s Encrypt (LE) with My Cisco ASA, and use LE to issue the certificates for the VPN. And now Ansible is in a good place with its Network Modules to allow this without much of a problem.
I won’t go over the procedure of how I issue/renew the certificates, I will just mention that I use the DNS alias option, as I find it the most useful option, as it doesn’t require me to punch holes in my firewall to allow incoming connection to validate the requests.
My Playbook looks like this,
--- # see: # - https://docs.ansible.com/ansible/latest/modules/asa_config_module.html # - https://docs.ansible.com/ansible/latest/modules/asa_command_module.html - name: Config CiscoASA hosts: CiscoASA connection: network_cli gather_facts: false become: true become_method: enable vars: ansible_user: ansible ansible_password: "in line or use vault!" cert_file: "vpn.pfx" cert_pass: "in line or use vault!" config_file: "asa.conf" tasks: - name: Get Certificate set_fact: cert: > {{ (lookup('file', cert_file) | b64encode | regex_replace('(.{1,64})', '\1|')).split('|') | list + [ 'quit' ] }} tags: [ cert ] - name: Create A TrustPoint asa_config: lines: - crypto ca trustpoint SSL-Trustpoint-Ansible after: - enrollment terminal - name: Import A New Certificate Into The TrustPoint asa_config: replace: block parents: "crypto ca import SSL-Trustpoint-Ansible pkcs12 {{ cert_pass }} nointeractive" lines: "{{ cert }}" notify: - Set SSL Trust-Point handlers: - name: Set SSL Trust-Point asa_config: save: true lines: - ssl trust-point SSL-Trustpoint-Ansible inside - ssl trust-point SSL-Trustpoint-Ansible outside
Extra
Generate PFX from Cert and Key
#!/bin/bash CA=ca.cer #fullchain.cer CER=vpn.cer KEY=vpn.key OUT=vpn.pfx openssl pkcs12 -export \ -inkey ${KEY} \ -in ${CER} \ -certfile ${CA} \ -out ${OUT}
ok so I’m trying to run this script as you have it, running into the following issue. I had an issue with the %gt; but removed the “;”
The offending line appears to be:
cert: >
” {{ (lookup(‘file’, cert_file) | b64encode | regex_replace(‘(.{1,510})’, ‘\1|’)).split(‘|’) | list }} ”
^ here
I fixed the code a bit (WordPress was messing with the encoding), try again.
thank you, that fixed that piece. Last part I’m running into is below, might be related to the setup I have
MSG:
An unhandled exception occurred while running the lookup plugin 'file'. Error was a , original message: 'utf8' codec can't decode byte 0x82 in position 1: invalid start byte
That seems to be a problem with Ansible `file` filter, try googling the error, from what I found there some issues in the GitHub page for Ansible about this subject.
* https://github.com/ansible/ansible/issues/41146
* https://github.com/ansible/ansible/issues/43667
* https://github.com/ansible/ansible/issues/23903
Also check the new section I added called “Generate PFX from Cert and Key” for how I create the pfx file to load.
thank you!
What version of Python are you using?
Thanks for the reply, I successfully ran the playbook using Python3.
I am also running into the same error.