x509/(selfsinged|ownca): add renew handling

author: Christian Pointner <equinox@spreadspace.org> 2023-09-12 16:12:56 +0200
committer: Christian Pointner <equinox@spreadspace.org> 2023-09-12 16:12:56 +0200
commit: 438f3c23b695baf149a7458c75bf0ab2bd0d9aca (patch)
tree: f7eb1f17b4e6cb60593dca229a4c5551e77ab181 /roles/x509
parent: x509/certificates: generic config handling (diff)
4 files changed, 32 insertions, 0 deletions
diff --git a/roles/x509/ownca/cert/prepare/defaults/main.yml b/roles/x509/ownca/cert/prepare/defaults/main.yml
index 89dced63..30241273 100644
--- a/roles/x509/ownca/cert/prepare/defaults/main.yml
+++ b/roles/x509/ownca/cert/prepare/defaults/main.yml
@@ -4,6 +4,7 @@ ownca_cert_name: "{{ x509_certificate_name | default(ownca_cert_hostnames[0]) }}
 
 ownca_cert_base_dir: "/etc/ssl"
 
+ownca_cert_default_renew_margin: "+30d"
 ownca_cert_config: "{{ x509_certificate_config }}"
 # ownca_cert_config:
 #   path: "{{ ownca_cert_base_dir }}/{{ ownca_cert_name }}"
@@ -52,3 +53,4 @@ ownca_cert_config: "{{ x509_certificate_config }}"
 #     digest: SHA256
 #     not_before: +0h
 #     not_after: +520w
+#     renew_margin: +42d
diff --git a/roles/x509/ownca/cert/prepare/tasks/main.yml b/roles/x509/ownca/cert/prepare/tasks/main.yml
index 6eb3525f..dc8b68a6 100644
--- a/roles/x509/ownca/cert/prepare/tasks/main.yml
+++ b/roles/x509/ownca/cert/prepare/tasks/main.yml
@@ -47,6 +47,19 @@
     extended_key_usage: "{{ ownca_cert_config.cert.extended_key_usage | default(omit) }}"
     extended_key_usage_critical: "{{ ownca_cert_config.cert.extended_key_usage_critical | default(omit) }}"
 
+- name: check if ownca certificate already exists
+  stat:
+    path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem"
+  register: _ownca_cert_file_
+
+- name: check validity of existing ownca certificate
+  when: _ownca_cert_file_.stat.exists
+  openssl_certificate_info:
+    path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem"
+    valid_at:
+      renew_margin: "{{ ownca_cert_config.cert.renew_margin | default(ownca_cert_default_renew_margin) }}"
+  register: _ownca_cert_info_
+
 - name: generate ownca certificate
   community.crypto.x509_certificate:
     path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem"
@@ -60,6 +73,7 @@
     ownca_digest: "{{ ownca_cert_config.cert.digest | default(omit) }}"
     ownca_not_before: "{{ ownca_cert_config.cert.not_before | default(omit) }}"
     ownca_not_after: "{{ ownca_cert_config.cert.not_after | default(omit) }}"
+    force: "{{ _ownca_cert_file_.stat.exists and (not _ownca_cert_info_.valid_at.renew_margin) }}"
   notify: reload services for x509 certificates
 
 - name: export paths to certificate files
diff --git a/roles/x509/selfsigned/cert/prepare/defaults/main.yml b/roles/x509/selfsigned/cert/prepare/defaults/main.yml
index e45343e5..e970684f 100644
--- a/roles/x509/selfsigned/cert/prepare/defaults/main.yml
+++ b/roles/x509/selfsigned/cert/prepare/defaults/main.yml
@@ -4,6 +4,7 @@ selfsigned_cert_name: "{{ x509_certificate_name | default(selfsigned_cert_hostna
 
 selfsigned_cert_base_dir: "/etc/ssl"
 
+selfsigned_cert_default_renew_margin: "+30d"
 selfsigned_cert_config: "{{ x509_certificate_config }}"
 # selfsigned_cert_config:
 #   path: "{{ selfsigned_cert_base_dir }}/{{ selfsigned_cert_name }}"
@@ -43,3 +44,4 @@ selfsigned_cert_config: "{{ x509_certificate_config }}"
 #     digest: SHA256
 #     not_before: +0h
 #     not_after: +520w
+#     renew_margin: +42d
diff --git a/roles/x509/selfsigned/cert/prepare/tasks/main.yml b/roles/x509/selfsigned/cert/prepare/tasks/main.yml
index 72999807..dead5dd5 100644
--- a/roles/x509/selfsigned/cert/prepare/tasks/main.yml
+++ b/roles/x509/selfsigned/cert/prepare/tasks/main.yml
@@ -47,6 +47,19 @@
     extended_key_usage: "{{ selfsigned_cert_config.cert.extended_key_usage | default(omit) }}"
     extended_key_usage_critical: "{{ selfsigned_cert_config.cert.extended_key_usage_critical | default(omit) }}"
 
+- name: check if selfsigned certificate already exists
+  stat:
+    path: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-crt.pem"
+  register: _selfsigned_cert_file_
+
+- name: check validity of existing selfsigned certificate
+  when: _selfsigned_cert_file_.stat.exists
+  openssl_certificate_info:
+    path: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-crt.pem"
+    valid_at:
+      renew_margin: "{{ selfsigned_cert_config.cert.renew_margin | default(selfsigned_cert_default_renew_margin) }}"
+  register: _selfsigned_cert_info_
+
 - name: generate selfsigned certificate
   community.crypto.x509_certificate:
     path: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-crt.pem"
@@ -59,6 +72,7 @@
     selfsigned_digest: "{{ selfsigned_cert_config.cert.digest | default(omit) }}"
     selfsigned_not_before: "{{ selfsigned_cert_config.cert.not_before | default(omit) }}"
     selfsigned_not_after: "{{ selfsigned_cert_config.cert.not_after | default(omit) }}"
+    force: "{{ _selfsigned_cert_file_.stat.exists and (not _selfsigned_cert_info_.valid_at.renew_margin) }}"
   notify: reload services for x509 certificates
 
 - name: export paths to certificate files
author	Christian Pointner <equinox@spreadspace.org>	2023-09-12 16:12:56 +0200
committer	Christian Pointner <equinox@spreadspace.org>	2023-09-12 16:12:56 +0200
commit	438f3c23b695baf149a7458c75bf0ab2bd0d9aca (patch)
tree	f7eb1f17b4e6cb60593dca229a4c5551e77ab181 /roles/x509
parent	x509/certificates: generic config handling (diff)