SSL certificates can be sourced in two ways:
- Self signed certificates (for Development, Test, CI, CD and other ephemeral environments)
- Trusted CA signed certificates (for Production)
Note that this is NOT the distribution phase to the target nodes, merely the creation and storage of SSL certificates on the ansible host in a known location. Distribution of the SSL certs and keys out into the DSE cluster is handled by two additional roles: { role: security_create_keystores } and { role: security_create_truststores }
- Configure default settings for your self signed certificate in: ansible/roles/security_create_root_certificate/defaults/main.yml
  Pay special attention to the params:
    ssl_certs_path_owner: "cassandra"
    ssl_certs_path_group: "cassandra"
- In the ansible/dse_security.yml playbook add the following line in the area indicated by: EDIT LIST
    { role: security_create_root_certificate }
This will create a certificate and private key in the following locations on the ansible host (NOT the target nodes), where {myserver.mydomain.com} is passed in by {{ansible_fqdn}}:
  /etc/ssl/{myserver.mydomain.com}/myserver.mydomain.com.key
  /etc/ssl/{myserver.mydomain.com}/myserver.mydomain.com.pem
For trusted CA signed certificates, this method takes a CA signed WILDCARD certificate (e.g. *.prod.mysite.net) and treats it as a root certificate, using it to sign an individual certificate for each node.
See /group_vars/all_example/vars.yml for details on these parameters:
- Set /group_vars/all/my.yml:{{my_is_self_signed_root_cert}} to false
- If no DNS resolution in cluster, set /group_vars/all/my.yml:{{my_etc_hosts_file_configure}} to true
- Configure /group_vars/all/my.yml:{{my_ssl_certs_common_name}} -> prod.mysite.net
- Configure /group_vars/all/my.yml:{{my_ssl_cluster_name}}
- Configure /group_vars/all/my.yml:{{my_ssl_certs_organization}}
- Configure /group_vars/all/my.yml:{{my_ssl_certs_country}}
- Configure /group_vars/all/my.yml:{{my_ssl_certs_root_directory}}
- Manually make the directory {{my_ssl_certs_root_directory}}/prod.mysite.net on the ansible host
- You need two and only two files, e.g. prod.mysite.net.pem and prod.mysite.net.key
- The setting {{my_ssl_certs_common_name}} must match prod.mysite.net
- IMPORTANT: Your public certificate prod.mysite.net.pem must contain your wildcard certificate first, then any intermediate certificates in the correct order, then your root certificate at the bottom; supplying only the top level wildcard certificate to the process will fail.
- Deploy your CA signed prod.mysite.net.pem and prod.mysite.net.key to directory path {{my_ssl_certs_root_directory}}/{{my_ssl_certs_common_name}} on the ansible host
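A pre-flight check for the two files described above, added here as an example and not part of the role or playbook: it confirms the directory holds exactly the .pem and .key, that the key belongs to the first certificate in the bundle, that the first certificate is the wildcard for the common name, and that each certificate is followed by its issuer with a self-issued root at the bottom. It compares names and ordering only and does not validate signatures; the function name and messages are this example's own.

```shell
# Usage: check_cert_bundle /etc/ssl/prod.mysite.net prod.mysite.net
check_cert_bundle() {
  dir=$1; cn=$2; pem="$dir/$cn.pem"; key="$dir/$cn.key"
  # Two and only two files: <cn>.pem and <cn>.key
  set -- "$dir"/*
  [ "$#" -eq 2 ] && [ -f "$pem" ] && [ -f "$key" ] ||
    { echo "FAIL: $dir must contain exactly $cn.pem and $cn.key"; return 1; }
  # openssl x509 reads only the first certificate of a bundle; that one must own the key
  [ "$(openssl x509 -in "$pem" -pubkey -noout)" = "$(openssl pkey -in "$key" -pubout)" ] ||
    { echo "FAIL: $cn.key does not match the first certificate in $cn.pem"; return 1; }
  # ... and it must be the wildcard certificate for the common name
  openssl x509 -in "$pem" -noout -subject | grep -qF "*.$cn" ||
    { echo "FAIL: first certificate in $cn.pem is not the wildcard *.$cn"; return 1; }
  # Split the bundle into one file per certificate, numbered top to bottom
  tmp=$(mktemp -d)
  count=$(awk -v d="$tmp" '/BEGIN CERT/{n++} n>0{print > (d "/" n ".pem")} END{print n+0}' "$pem")
  status=0; i=1
  while [ "$i" -le "$count" ]; do
    subj=$(openssl x509 -in "$tmp/$i.pem" -noout -subject); subj=${subj#subject=}
    iss=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer); iss=${iss#issuer=}
    if [ "$i" -eq "$count" ]; then
      # Bottom of the bundle must be the self-issued root; a lone wildcard cert fails here
      [ "$subj" = "$iss" ] ||
        { echo "FAIL: last certificate is not a self-issued root; chain is incomplete"; status=1; }
    else
      # Each certificate must be immediately followed by the certificate that issued it
      next=$(openssl x509 -in "$tmp/$((i+1)).pem" -noout -subject); next=${next#subject=}
      [ "$iss" = "$next" ] ||
        { echo "FAIL: certificate $i is not followed by its issuer; chain order is wrong"; status=1; }
    fi
    i=$((i+1))
  done
  rm -rf "$tmp"
  [ "$status" -eq 0 ] && echo "OK: $count certificates, wildcard on top, root at bottom"
  return "$status"
}
```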