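# Salt state: builds a private CA and a CA-signed server certificate for
# Rancher under /etc/rancher/ssl. Every file is root-owned with mode 0600.
#
# The CA passphrase comes from pillar. It is handed to openssl through the
# environment (-passin env:...) rather than as "pass:..." on the command line,
# so it does not appear in the process argument list or in the command string
# Salt records, and shell metacharacters in it are not interpreted.

Create the ca cnf file:
  file.managed:
    - name: /etc/rancher/ssl/rancher-ca.cnf
    - source: salt://rancher/files/rancher-ca.cnf
    - user: root
    - group: root
    - makedirs: True
    - mode: "0600"
    - dir_mode: "0755"

# NOTE(review): the file.managed states in this file use `user:`; confirm
# that `owner:` is honoured by x509.private_key_managed in the Salt version
# in use.
Create rancher CA key:
  x509.private_key_managed:
    - name: /etc/rancher/ssl/rancher-ca.key
    # Quoted via yaml_dquote so a passphrase that looks like a number or a
    # boolean, or that contains YAML indicators, is still loaded as a string.
    - passphrase: {{ pillar['rancher']['ca_passphrase'] | yaml_dquote }}
    - bits: 2048
    - owner: root
    - group: root
    - mode: "0600"

# Self-signed CA certificate, valid for 3650 days.
# NOTE(review): re-issued only when the CA cnf file changes; a regenerated
# CA key does not trigger this state.
Create rancher CA certificate:
  cmd.run:
    - name: >-
        openssl req -config rancher-ca.cnf -key rancher-ca.key -new -x509
        -days 3650 -sha256 -out rancher-ca.crt
        -passin env:RANCHER_CA_PASSPHRASE
    - cwd: /etc/rancher/ssl
    - env:
        - RANCHER_CA_PASSPHRASE: {{ pillar['rancher']['ca_passphrase'] | yaml_dquote }}
    - onchanges:
        - file: Create the ca cnf file

# Server key is stored without a passphrase; the 0600 mode is what protects it.
Create rancher-server key:
  x509.private_key_managed:
    - name: /etc/rancher/ssl/rancher-server.key
    - bits: 2048
    - owner: root
    - group: root
    - mode: "0600"

Create the server cnf file:
  file.managed:
    - name: /etc/rancher/ssl/rancher-server.cnf
    - source: salt://rancher/files/rancher-server.cnf.jinja
    - template: jinja
    - user: root
    - group: root
    - mode: "0600"

# NOTE(review): regenerated only when the server cnf file changes, not when
# the server key changes.
Create the rancher-server signing request:
  cmd.run:
    - name: >-
        openssl req -new -key rancher-server.key -config rancher-server.cnf
        -out rancher-server.csr
    - cwd: /etc/rancher/ssl
    - onchanges:
        - file: Create the server cnf file

# replace: False leaves the content written by openssl untouched and only
# enforces ownership and mode on the file.
Set permission on rancher-server singing request:
  file.managed:
    - name: /etc/rancher/ssl/rancher-server.csr
    - replace: False
    - user: root
    - group: root
    - mode: "0600"

# Signs the CSR with the CA key. Uses the documented single-dash -extfile
# spelling instead of --extfile.
Create the rancher-server certificate:
  cmd.run:
    - name: >-
        openssl x509 -req -in rancher-server.csr -CA rancher-ca.crt
        -CAkey rancher-ca.key -CAcreateserial -extfile rancher-server.cnf
        -extensions v3_req -out rancher-server.crt -days 3650 -sha256
        -passin env:RANCHER_CA_PASSPHRASE
    - cwd: /etc/rancher/ssl
    - env:
        - RANCHER_CA_PASSPHRASE: {{ pillar['rancher']['ca_passphrase'] | yaml_dquote }}
    - onchanges:
        - cmd: Create the rancher-server signing request

Set permission on rancher-server certificate:
  file.managed:
    - name: /etc/rancher/ssl/rancher-server.crt
    - replace: False
    - user: root
    - group: root
    - mode: "0600"

# rancher-ca.srl is produced by -CAcreateserial in the signing command above.
Set permission on rancher CA serial:
  file.managed:
    - name: /etc/rancher/ssl/rancher-ca.srl
    - replace: False
    - user: root
    - group: root
    - mode: "0600"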