Once upon a time, Markus Schaufler <markus.schaufler(a)digit-all.at> said:
Based on that page and trial & error, I use the following Ansible
playbook to deploy a Let's Encrypt cert to an oVirt engine. I'm
managing certs from a central VM that uses DNS auth rather than web, and
my ansible-playbook call sets certpath to $RENEWED_LINEAGE.
************************************************************************
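---
# Configure oVirt for a third-party cert and deploy a Let's Encrypt cert.
# `certpath` is expected to point at a certbot lineage directory (cert.pem,
# chain.pem, privkey.pem). Every destination is under /etc, so run with
# privilege escalation (become) unless the connection user is already root.
- hosts: all
  handlers:
    - name: restart httpd
      service:
        name: httpd.service
        state: restarted
    - name: update java trust
      command: /usr/bin/update-ca-trust
    - name: restart ovirt engine service
      service:
        name: ovirt-engine.service
        state: restarted
    - name: restart ovirt websocket proxy
      service:
        name: ovirt-websocket-proxy.service
        state: restarted
    - name: restart ovirt imageio proxy
      service:
        name: ovirt-imageio-proxy.service
        state: restarted
    - name: restart ovirt ovn provider
      service:
        name: ovirt-provider-ovn.service
        state: restarted
  tasks:
    ########################################################################
    # Configure various oVirt things to use our installed cert rather than
    # the engine-CA-signed cert
    - name: configure ovirt trust
      # Point the engine at the system Java truststore, which receives the
      # Let's Encrypt chain via update-ca-trust further down.
      # NOTE(review): an empty truststore password skips keystore integrity
      # verification on load — confirm this is intended for this engine.
      copy:
        content: |
          ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
          ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
        dest: /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
      notify:
        - restart ovirt engine service
    - name: configure ovirt websocket proxy
      copy:
        content: |
          SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
          SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
        dest: /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/99-custom-cert.conf
      notify:
        - restart ovirt websocket proxy
    - name: configure ovirt imageio proxy key
      # The backup written here lands in /etc/ovirt-imageio-proxy and is NOT
      # covered by the "find old ansible backups" cleanup below, which only
      # scans /etc/pki/ovirt-engine.
      replace:
        path: /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
        backup: true
        regexp: '^(ssl_key_file = /etc/pki/ovirt-engine/keys/)imageio-proxy.key.nopass'
        replace: '\1apache.key.nopass'
      notify:
        - restart ovirt imageio proxy
    - name: configure ovirt imageio proxy cert
      replace:
        path: /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
        regexp: '^(ssl_cert_file = /etc/pki/ovirt-engine/certs/)imageio-proxy.cer'
        replace: '\1apache.cer'
      notify:
        - restart ovirt imageio proxy
    - name: configure ovirt ovn provider CA
      copy:
        content: |
          [OVIRT]
          ovirt-ca-file=/etc/pki/tls/certs/ca-bundle.crt
        dest: /etc/ovirt-provider-ovn/conf.d/99-system-ca.conf
      notify:
        - restart ovirt ovn provider
    ########################################################################
    # Install updated CA/cert/key
    - name: add lets-encrypt ca to java trust
      copy:
        src: "{{ certpath }}/chain.pem"
        dest: /etc/pki/ca-trust/source/anchors/letsencrypt-ca.pem
      notify:
        - update java trust
        - restart ovirt engine service
    - name: update ovirt engine ca chain
      copy:
        src: "{{ certpath }}/chain.pem"
        dest: /etc/pki/ovirt-engine/apache-ca.pem
        backup: true
      notify:
        - restart httpd
        - restart ovirt engine service
    - name: update ovirt engine key
      # Private key: readable only by owner and the ovirt group. The
      # timestamped backup of the previous key stays on disk until the
      # cleanup task below removes it (91 days).
      copy:
        src: "{{ certpath }}/privkey.pem"
        dest: /etc/pki/ovirt-engine/keys/apache.key.nopass
        backup: true
        mode: "0440"
        group: ovirt
      notify:
        - restart httpd
        - restart ovirt websocket proxy
        - restart ovirt imageio proxy
    - name: update ovirt engine cert
      copy:
        src: "{{ certpath }}/cert.pem"
        dest: /etc/pki/ovirt-engine/certs/apache.cer
        backup: true
      notify:
        - restart httpd
        - restart ovirt websocket proxy
        - restart ovirt imageio proxy
    ########################################################################
    # Prune Ansible backup copies (including old private keys) older than
    # 91 days under /etc/pki/ovirt-engine
    - name: find old ansible backups
      find:
        age: '91d'
        paths: /etc/pki/ovirt-engine
        recurse: true
        patterns:
          - 'apache-ca.pem.[1-9]*~'
          - 'apache.key.nopass.[1-9]*~'
          - 'apache.cer.[1-9]*~'
      register: backups
    - name: delete backups
      file:
        path: '{{ item.path }}'
        state: absent
      loop: '{{ backups.files|flatten(levels=1) }}'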
************************************************************************
--
Chris Adams <cma(a)cmadams.net>