author | Christian Pointner <equinox@spreadspace.org> | 2023-12-26 20:21:50 +0100 |
committer | Christian Pointner <equinox@spreadspace.org> | 2023-12-26 20:21:50 +0100 |
commit | ac078b957d38d2bc2f2b25b0d4294e2ac74fbe85 (patch) | |
tree | 434cc25bf84620a763d31dea2c7f6e9d8473f6f9 /roles/x509/static-ca/cert | |
parent | update chrony_exporter (diff) | |
parent | x509/static-ca: move certificate signing to localhost (diff) |
Merge branch 'topic/x509-static-ca-localsign'
Diffstat (limited to 'roles/x509/static-ca/cert')
-rw-r--r-- | roles/x509/static-ca/cert/prepare/tasks/main.yml | 32 |
1 files changed, 25 insertions, 7 deletions
diff --git a/roles/x509/static-ca/cert/prepare/tasks/main.yml b/roles/x509/static-ca/cert/prepare/tasks/main.yml
index 9a8d1bde..4f618b51 100644
--- a/roles/x509/static-ca/cert/prepare/tasks/main.yml
+++ b/roles/x509/static-ca/cert/prepare/tasks/main.yml
@@ -52,6 +52,11 @@
extended_key_usage: "{{ static_ca_cert_config.cert.extended_key_usage | default(omit) }}" extended_key_usage_critical: "{{ static_ca_cert_config.cert.extended_key_usage_critical | default(omit) }}" +- name: slurp csr for static-ca certificate + slurp: + src: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-csr.pem" + register: _static_ca_csr_ + - name: check if static-ca certificate already exists stat: path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
@@ -65,13 +70,17 @@
renew_margin: "{{ static_ca_cert_config.cert.renew_margin | default(static_ca_cert_default_renew_margin) }}" register: _static_ca_cert_info_ +- name: slurp existing static-ca certificate + when: _static_ca_cert_file_.stat.exists + slurp: + src: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem" + register: _static_ca_cert_current_ + - name: generate static-ca certificate - community.crypto.x509_certificate: - path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem" - mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}" - owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}" - group: "{{ static_ca_cert_config.cert.group | default(omit) }}" - csr_path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-csr.pem" + delegate_to: localhost + community.crypto.x509_certificate_pipe: + content: "{{ _static_ca_cert_current_.content | default('') | b64decode }}" + csr_content: "{{ _static_ca_csr_.content | b64decode }}" provider: ownca ownca_content: "{{ static_ca_cert_config.ca.cert_content }}" ownca_privatekey_content: "{{ static_ca_cert_config.ca.key_content }}"
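Review bot: In the `generate static-ca certificate` task of the second hunk, `content: "{{ _static_ca_cert_current_.content | default('') | b64decode }}"` hands the module an empty string on a first run, when the preceding slurp task was skipped; this presumably relies on the module treating unparsable `content` as "no existing certificate", whereas omitting the argument makes the intent explicit and does not depend on that: `content: "{{ (_static_ca_cert_current_.content | b64decode) if _static_ca_cert_file_.stat.exists else omit }}"`. The same task now carries `delegate_to: localhost`; if the role is included from a play that sets `become: true`, the delegated task inherits it and will attempt privilege escalation on the controller, so an explicit `become: false` on this task is worth considering. Keeping `ownca_privatekey_content` on the controller rather than shipping it to the managed host is the point of the change and looks right; the task's remaining arguments (`force`, the new `register`) continue in the next hunk.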
@@ -79,10 +88,19 @@ ownca_not_before: "{{ static_ca_cert_config.cert.not_before | default(omit) }}" ownca_not_after: "{{ static_ca_cert_config.cert.not_after | default(omit) }}" force: "{{ _static_ca_cert_file_.stat.exists and (not _static_ca_cert_info_.valid_at.renew_margin) }}" + register: _static_ca_cert_new_ + +- name: install static-ca certificate + copy: + content: "{{ _static_ca_cert_new_.certificate }}" + dest: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem" + mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}" + owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}" + group: "{{ static_ca_cert_config.cert.group | default(omit) }}" + register: _static_ca_cert_ notify: - reload services for x509 certificates - restart services for x509 certificates - register: _static_ca_cert_ - name: install CA certificate copy: |