Generate and Deploy an SSL Certificate for Apache2

When the Apache servers need their SSL certificates renewed, just follow this guide and it should be nice and easy (easier, at least…).

Instructions

On an Ubuntu Linux machine (prod, stage, blue, green, Jenkins, personal PC, etc.):

  1. Run the ansible playbook in the TIS-DEVOPS repo, in the ansible/tasks directory, called “ssl-cert-generation-part-1.yml”.

  2. This will create a folder in the /tmp directory called certs, containing a new private key and a certificate signing request.

  3. Open the Certificate Signing Request (CSR) with a text editor and copy the entire contents of the file.

  4. Now go to the SSL provider's control panel (currently Namecheap) and start the activation process by pasting the CSR contents into the relevant text box.

  5. You will probably have to set up a DNS record in the tis.nhs.uk Route53 DNS settings on AWS to confirm that we are allowed to create certs for this domain.

  6. Once the cert has been authorised and you are able to download it, take the zip file and place it in the same directory that the CSR was created in (/tmp/certs).

  7. Now run the ansible playbook in the TIS-DEVOPS repo, in the ansible/tasks directory, called “ssl-cert-generation-part-2.yml”.

  8. This will extract all the certs from the zip file, convert the format of one of the files and rename the certs to the names we currently use in Apache. It also tidies up the directory, so only 3 files are left in it: fullchain.pem, privkey.pem and STAR_tis_nhs_uk.crt.

  9. Add these files to the TIS-DEVOPS git repo in the following location: TIS-DEVOPS/ansible/files/ssl

  10. Now encrypt the certs with the following command: ansible-vault encrypt fullchain.pem privkey.pem STAR_tis_nhs_uk.crt

  11. Once encrypted (the certs will start with the header $ANSIBLE_VAULT;1.1;AES256 followed by lines of hex digits, e.g. 3738653439633763666…), push the changes to a new branch and get them merged into the main branch.

  12. You can now start replacing the existing certs by running the playbook ssl-replace.yml in the ansible tasks directory with the following command: ansible-playbook -i ../inventory/stage ssl-replace.yml. You can add the --check flag to see what will change without actually changing anything before running the command for real.

  13. Switch the commented-out line in ssl-replace.yml that starts with hosts: to target the apps servers blue,green (run with the stage, prod and nimdta inventories) and then the jenkins,monserver hosts, which need the build inventory specified.
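A pre-flight script for the gap between steps 8 and 11, added here as an example and not part of the TIS-DEVOPS playbooks: it confirms the private key from part 1 actually pairs with the issued STAR_tis_nhs_uk.crt (and reports how long it is valid), and refuses to let any of the three files go into git while still in plaintext, i.e. without the $ANSIBLE_VAULT header. It assumes openssl and GNU coreutils, as on the Ubuntu machines this guide targets; the script name ssl-preflight.sh is a placeholder.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the three files left behind by ssl-cert-generation-part-2.yml
# (fullchain.pem, privkey.pem, STAR_tis_nhs_uk.crt) before they are encrypted, committed
# and pushed in steps 9-11. Added example, not part of the TIS-DEVOPS playbooks.
# Assumes GNU coreutils and openssl, as on the Ubuntu machines the guide targets.
set -u

CERT_FILES="fullchain.pem privkey.pem STAR_tis_nhs_uk.crt"

# is_vault_encrypted FILE: true only if FILE starts with the ansible-vault header.
is_vault_encrypted() {
  head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[0-9];AES256'
}

# all_vault_encrypted DIR: 0 if every cert file in DIR is vault-encrypted, 1 if any
# is missing or still plaintext (a plaintext private key must never reach the repo).
all_vault_encrypted() {
  rc=0
  for f in $CERT_FILES; do
    if ! is_vault_encrypted "$1/$f"; then
      echo "NOT ENCRYPTED: $1/$f  (run: ansible-vault encrypt $f)" >&2
      rc=1
    fi
  done
  return $rc
}

# key_matches_cert KEY CERT: the private key generated in part 1 must pair with the
# leaf certificate the provider issued; compare the public keys derived from each.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_days_left CERT: prints days until notAfter; negative means already expired.
cert_days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  echo $(( ($(date -d "$end" +%s) - $(date +%s)) / 86400 ))
}

# Usage: ./ssl-preflight.sh plain /tmp/certs                          (before step 10)
#        ./ssl-preflight.sh vault /path/to/TIS-DEVOPS/ansible/files/ssl (before step 11)
if [ "${1-}" = "plain" ]; then
  key_matches_cert "$2/privkey.pem" "$2/STAR_tis_nhs_uk.crt" || { echo "key/cert mismatch" >&2; exit 1; }
  echo "key matches cert; $(cert_days_left "$2/STAR_tis_nhs_uk.crt") days until expiry"
elif [ "${1-}" = "vault" ]; then
  all_vault_encrypted "$2"
fi
```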

Any time you run an ansible playbook you can add the --check flag, but be warned: if a later stage needs something that hasn't been created yet, such as a file or folder, the job will crash because it can't test it. Then it's just time for a leap of faith.