summaryrefslogtreecommitdiff
path: root/roles/x509/uacme/cert/prepare/tasks/main.yml
diff options
context:
space:
mode:
Diffstat (limited to 'roles/x509/uacme/cert/prepare/tasks/main.yml')
-rw-r--r--roles/x509/uacme/cert/prepare/tasks/main.yml112
1 files changed, 112 insertions, 0 deletions
diff --git a/roles/x509/uacme/cert/prepare/tasks/main.yml b/roles/x509/uacme/cert/prepare/tasks/main.yml
new file mode 100644
index 00000000..a83651b3
--- /dev/null
+++ b/roles/x509/uacme/cert/prepare/tasks/main.yml
@@ -0,0 +1,112 @@
+---
+- name: create directory for uacme-controlled certificate
+ file:
+ path: "/var/lib/uacme.d/{{ uacme_cert_name }}"
+ state: directory
+
+- name: generate key for uacme-controlled certificate
+ openssl_privatekey:
+ path: "/var/lib/uacme.d/{{ uacme_cert_name }}/key.pem"
+ mode: "{{ uacme_cert_config.key.mode | default('0600') }}"
+ owner: "{{ uacme_cert_config.key.owner | default(omit) }}"
+ group: "{{ uacme_cert_config.key.group | default(omit) }}"
+ type: "{{ uacme_cert_config.key.type | default(omit) }}"
+ size: "{{ uacme_cert_config.key.size | default(omit) }}"
+ notify: reload services for x509 certificates
+
+- name: generate csr for uacme-controlled certificate
+ community.crypto.openssl_csr:
+ path: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}.csr"
+ mode: "{{ uacme_cert_config.cert.mode | default('0644') }}"
+ owner: "{{ uacme_cert_config.cert.owner | default(omit) }}"
+ group: "{{ uacme_cert_config.cert.group | default(omit) }}"
+ privatekey_path: "/var/lib/uacme.d/{{ uacme_cert_name }}/key.pem"
+ common_name: "{{ uacme_cert_hostnames[0] }}"
+ subject_alt_name: "{{ ['DNS:'] | product(uacme_cert_hostnames) | map('join') | list }}"
+ subject_alt_name_critical: yes
+ use_common_name_for_san: no
+
+- name: test if uacme-controlled certificate already exists
+ stat:
+ path: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem"
+ register: uacme_cert_file
+
+- name: generate selfsigned interim certificate
+ when: not uacme_cert_file.stat.exists
+ block:
+ ### this is needed because strftime filter in ansible is exceptionally stupid
+ ### see: https://github.com/ansible/ansible/issues/39835
+ - name: get remote date-time 10s ago
+ command: date -d '10 seconds ago' -u '+%Y%m%d%H%M%SZ'
+ register: remote_datetime_10sago
+ changed_when: false
+
+ - name: get remote date-time now
+ command: date -u '+%Y%m%d%H%M%SZ'
+ register: remote_datetime_now
+ changed_when: false
+
+ - name: generate selfsigned interim certificate
+ community.crypto.x509_certificate:
+ path: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem"
+ mode: "{{ uacme_cert_config.cert.mode | default('0644') }}"
+ owner: "{{ uacme_cert_config.cert.owner | default(omit) }}"
+ group: "{{ uacme_cert_config.cert.group | default(omit) }}"
+ privatekey_path: "/var/lib/uacme.d/{{ uacme_cert_name }}/key.pem"
+ csr_path: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}.csr"
+ provider: selfsigned
+ ## make sure the certificate is not valid anymore to force uacme to create a new cert
+ selfsigned_not_before: "{{ remote_datetime_10sago.stdout }}"
+ selfsigned_not_after: "{{ remote_datetime_now.stdout }}"
+ return_content: yes
+ register: uacme_cert_selfsigned
+ notify: reload services for x509 certificates
+
+ - name: make sure cert-only file exists
+ copy:
+ content: "{{ uacme_cert_selfsigned.certificate }}"
+ dest: "/var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem"
+ mode: "{{ uacme_cert_config.cert.mode | default('0644') }}"
+ owner: "{{ uacme_cert_config.cert.owner | default(omit) }}"
+ group: "{{ uacme_cert_config.cert.group | default(omit) }}"
+ notify: reload services for x509 certificates
+
+ - name: make sure the chain file exists
+ copy:
+ content: ""
+ dest: "/var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem"
+ mode: "{{ uacme_cert_config.cert.mode | default('0644') }}"
+ owner: "{{ uacme_cert_config.cert.owner | default(omit) }}"
+ group: "{{ uacme_cert_config.cert.group | default(omit) }}"
+ notify: reload services for x509 certificates
+
+- name: export paths to certificate files
+ set_fact:
+ x509_certificate_path_key: "/var/lib/uacme.d/{{ uacme_cert_name }}/key.pem"
+ x509_certificate_path_cert: "/var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem"
+ x509_certificate_path_chain: "/var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem"
+ x509_certificate_path_fullchain: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem"
+
+- name: install script to be called when new certificate is generated
+ template:
+ src: updated.sh.j2
+ dest: "/var/lib/uacme.d/{{ uacme_cert_name }}/updated.sh"
+ mode: 0755
+
+- name: install systemd unit snippet
+ when: "x509_certificate_renewal is defined and 'install' in x509_certificate_renewal"
+ copy:
+ dest: "/etc/systemd/system/uacme-reconcile.service.d/{{ x509_certificate_name }}.conf"
+ content: |
+ [Service]
+ {% for path in (x509_certificate_renewal.install | map(attribute='dest') | map('dirname') | unique | list) %}
+ ReadWritePaths={{ path }}
+ {% endfor %}
+ notify: reload systemd
+
+- name: remove systemd unit snippet
+ when: "x509_certificate_renewal is undefined or 'install' not in x509_certificate_renewal"
+ file:
+ path: "/etc/systemd/system/uacme-reconcile.service.d/{{ x509_certificate_name }}.conf"
+ state: absent
+ notify: reload systemd
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-05 15:25:03 +0000