authorChristian Pointner <equinox@spreadspace.org>2023-12-25 18:02:58 +0100
committerChristian Pointner <equinox@spreadspace.org>2023-12-25 18:02:58 +0100
commit5a438c406b6977c5da8fffc189aafeb72933d62f (patch)
treec644b1bd5f7132d120e55f51385ca2429754318a /roles/x509/static-ca
parentmz-*: upgrade to openwrt 23.05.2 (diff)
x509/static-ca: move certificate signing to localhost
Diffstat (limited to 'roles/x509/static-ca')
-rw-r--r--roles/x509/static-ca/cert/prepare/tasks/main.yml32
1 files changed, 25 insertions, 7 deletions
diff --git a/roles/x509/static-ca/cert/prepare/tasks/main.yml b/roles/x509/static-ca/cert/prepare/tasks/main.yml
index 9a8d1bde..4f618b51 100644
--- a/roles/x509/static-ca/cert/prepare/tasks/main.yml
+++ b/roles/x509/static-ca/cert/prepare/tasks/main.yml
@@ -52,6 +52,11 @@
extended_key_usage: "{{ static_ca_cert_config.cert.extended_key_usage | default(omit) }}"
extended_key_usage_critical: "{{ static_ca_cert_config.cert.extended_key_usage_critical | default(omit) }}"
+- name: slurp csr for static-ca certificate
+ slurp:
+ src: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-csr.pem"
+ register: _static_ca_csr_
+
- name: check if static-ca certificate already exists
stat:
path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
@@ -65,13 +70,17 @@
renew_margin: "{{ static_ca_cert_config.cert.renew_margin | default(static_ca_cert_default_renew_margin) }}"
register: _static_ca_cert_info_
+- name: slurp existing static-ca certificate
+ when: _static_ca_cert_file_.stat.exists
+ slurp:
+ src: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+ register: _static_ca_cert_current_
+
- name: generate static-ca certificate
- community.crypto.x509_certificate:
- path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
- mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}"
- owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}"
- group: "{{ static_ca_cert_config.cert.group | default(omit) }}"
- csr_path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-csr.pem"
+ delegate_to: localhost
+ community.crypto.x509_certificate_pipe:
+ content: "{{ _static_ca_cert_current_.content | default('') | b64decode }}"
+ csr_content: "{{ _static_ca_csr_.content | b64decode }}"
provider: ownca
ownca_content: "{{ static_ca_cert_config.ca.cert_content }}"
ownca_privatekey_content: "{{ static_ca_cert_config.ca.key_content }}"
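Review bot: On the new `content:` line, a missing certificate yields `'' | b64decode`, i.e. an empty string rather than an absent argument, so the module is handed an empty "existing certificate"; I cannot tell from here whether community.crypto.x509_certificate_pipe treats an empty `content` as nothing-to-compare or tries to parse it, so either confirm that or omit the argument when the file is absent, e.g. `content: "{{ (_static_ca_cert_current_.content | b64decode) if _static_ca_cert_file_.stat.exists else omit }}"`. The delegation to localhost is also what keeps `static_ca_cert_config.ca.key_content` out of the module payload shipped to the managed host, which deserves a one-line comment above `delegate_to: localhost`, e.g. `# sign on the controller so the CA private key is never sent to the managed host`. If the enclosing play runs with privilege escalation, the delegated task inherits it and will attempt to escalate on the controller; `become: false` on this task would avoid that, but the play settings are not visible here. The `generate static-ca certificate` task continues into the next hunk (`force:` and `register:`).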
@@ -79,10 +88,19 @@
ownca_not_before: "{{ static_ca_cert_config.cert.not_before | default(omit) }}"
ownca_not_after: "{{ static_ca_cert_config.cert.not_after | default(omit) }}"
force: "{{ _static_ca_cert_file_.stat.exists and (not _static_ca_cert_info_.valid_at.renew_margin) }}"
+ register: _static_ca_cert_new_
+
+- name: install static-ca certificate
+ copy:
+ content: "{{ _static_ca_cert_new_.certificate }}"
+ dest: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+ mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}"
+ owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}"
+ group: "{{ static_ca_cert_config.cert.group | default(omit) }}"
+ register: _static_ca_cert_
notify:
- reload services for x509 certificates
- restart services for x509 certificates
- register: _static_ca_cert_
- name: install CA certificate
copy: