openssl genrsa require password in ansible script


Pradeep Drall

Sep 1, 2018, 12:24:57 PM
to Ansible Project

When I run the commands below to generate an RSA key and CSR at the Linux prompt, it requires a password (Enter pass phrase for pradeep.key), and I give the password "abc" there. Please let me know how to capture this password in an Ansible script. When I specify -des3, it requires the password, and it is a mandatory part.

1. openssl genrsa -des3 -out pradeep.key 2048
2. openssl req -new -key pradeep.key -out pradeepcsr.csr -config set.txt
3. openssl pkcs12 -export -out pradeep.p12 -inkey pradeep.key -in cert.pem

Generating RSA private key, 2048 bit long modulus
...........................................................................+++
.....................................+++
e is 65537 (0x10001)
Enter pass phrase for pradeep.key:
Verifying - Enter pass phrase for pradeep.key:

I wrote the Ansible script below:

command: openssl genrsa \
        -des3 \
        -out "/app/ex.key" 2048

command: openssl req \
        -new \
        -subj '/C=US/ST=Florida/L=atlanta View/O=xx/CN=abc' \
        -key "/app/ex.key" \
        -out "/app/ex.csr"

Secondly, can we do this part with any Ansible module? I tried openssl_privatekey, but it does not cover all the above details.

Stephane Emilien

Sep 2, 2018, 5:42:22 AM
to Ansible Project
Hello,

Did you have an issue generating your keys and CSR via the openssl modules?

Because the following should correspond to your case (and work with ansible >=2.4):

  - openssl_privatekey:
      path: /app/ex.key
      passphrase: abcd
      cipher: des3
      size: 2048

  - openssl_csr:
      path: /app/ex.csr
      privatekey_path: /app/ex.key
      privatekey_passphrase: abcd
      common_name: abc
      state_or_province_name: Florida
      locality_name: atlanta View
      organization_name: xx
      country_name: US

If you really want to go the other route, take a look at the expect module (link)
Below is an example:
  - expect:
      command: openssl genrsa -des3 -out /tmp/pradeep.key 2048
      responses:
        Enter pass phrase: abcd

The questions are by default quite fuzzy so in this case we're using it as a substring (matches both: "Enter pass phrase for " and "Verifying - Enter pass phrase for")

No modules are yet available in the release version for pkcs12 management.
You may need to go the expect route or use OpenSSL's passin/passout options.

PS: There is also a module available in the devel branch https://github.com/ansible/ansible/pull/27320 if you want to try it out.

- SDE
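
The passin/passout route mentioned in the reply above, sketched as an added example that is not part of the original thread: the three openssl commands from the question run through the command module, with the passphrase read from an environment variable (`env:`) so it never appears on the command line. Assumptions: `key_passphrase` and `vault.yml` are hypothetical names for a vault-protected variable and its file, `KEY_PASS` is an arbitrary environment variable name, and `/app/cert.pem` is the certificate already issued for the CSR.

```yaml
# Added example, not from the thread. Hypothetical names: key_passphrase,
# vault.yml, KEY_PASS. /app/cert.pem is assumed to exist already.
- hosts: all
  gather_facts: no
  vars_files:
    - vault.yml            # hypothetical ansible-vault file defining key_passphrase
  environment:
    KEY_PASS: "{{ key_passphrase }}"   # read by openssl via env:KEY_PASS
  tasks:
    - name: Generate passphrase-protected RSA key (no prompt)
      command: >
        openssl genrsa -des3 -passout env:KEY_PASS
        -out /app/ex.key 2048
      args:
        creates: /app/ex.key          # skip if the key already exists
      no_log: true

    - name: Generate CSR using the encrypted key
      command: >
        openssl req -new -key /app/ex.key -passin env:KEY_PASS
        -subj "/C=US/ST=Florida/L=atlanta View/O=xx/CN=abc"
        -out /app/ex.csr
      args:
        creates: /app/ex.csr
      no_log: true

    - name: Export key and certificate as a PKCS#12 bundle
      command: >
        openssl pkcs12 -export -inkey /app/ex.key -in /app/cert.pem
        -passin env:KEY_PASS -passout env:KEY_PASS
        -out /app/ex.p12
      args:
        creates: /app/ex.p12
      no_log: true
```

The same options accept `file:/path` to read the passphrase from a file; `pass:abc` also works but places the passphrase in the process arguments.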

Pradeep Drall

Sep 2, 2018, 12:34:36 PM
to Ansible Project
Thanks for your response. 

I tried the expect module but am getting the error below:

"msg": "The pexpect python module is required"
//
---
- hosts: all
  gather_facts: no

  tasks:
   - expect:
      command: openssl genrsa -des3 -out /app/pradeep.key 2048
      responses:
        Enter pass phrase: pradeep
 #  - name: Generate RSA Key "openssl genrsa -des3 -out ex.key 2048"
  #   expect:  
  #    command: openssl genrsa \   
   #     -des3   
    #    -out "/app/ex.key" 2048
    #  args:
     #   creates: "/app/ex.key"
     # responses:
      #  Enter pass phrase: pradeep

 #    register: cert_output
 #  - debug:
  #      var: cert_output.stdout_lines
     ignore_errors: yes
//

Kai Stian Olstad

Sep 2, 2018, 12:51:06 PM
to ansible...@googlegroups.com
On Sunday, 2 September 2018 18.34.35 CEST Pradeep Drall wrote:
> Thanks for your response.
>
> I tried with expect module but getting below mentioned error
>
> "msg": "The pexpect python module is required"

As the documentation and the message say, you need to install the Python module pexpect on the host(s).
https://docs.ansible.com/ansible/latest/modules/expect_module.html#requirements


--
Kai Stian Olstad

