diff options
Diffstat (limited to 'roles/x509/uacme')
-rw-r--r-- | roles/x509/uacme/base/defaults/main.yml | 2 | ||||
-rw-r--r-- | roles/x509/uacme/base/tasks/main.yml | 29 | ||||
-rw-r--r-- | roles/x509/uacme/base/tasks/selfsigned.yml | 47 | ||||
-rw-r--r-- | roles/x509/uacme/base/templates/uacme-reconcile.service.j2 | 18 | ||||
-rw-r--r-- | roles/x509/uacme/base/templates/uacme-reconcile.sh.j2 | 32 | ||||
-rw-r--r-- | roles/x509/uacme/base/templates/uacme-reconcile.timer.j2 | 10 | ||||
-rw-r--r-- | roles/x509/uacme/cert/finalize/defaults/main.yml | 3 | ||||
-rw-r--r-- | roles/x509/uacme/cert/finalize/tasks/main.yml | 5 | ||||
-rw-r--r-- | roles/x509/uacme/cert/meta/main.yml | 4 | ||||
-rw-r--r-- | roles/x509/uacme/cert/prepare/defaults/main.yml | 15 | ||||
-rw-r--r-- | roles/x509/uacme/cert/prepare/handlers/main.yml | 10 | ||||
-rw-r--r-- | roles/x509/uacme/cert/prepare/tasks/main.yml | 112 | ||||
-rw-r--r-- | roles/x509/uacme/cert/prepare/templates/updated.sh.j2 | 33 |
13 files changed, 269 insertions, 51 deletions
diff --git a/roles/x509/uacme/base/defaults/main.yml b/roles/x509/uacme/base/defaults/main.yml index 50ac8019..264bc2d9 100644 --- a/roles/x509/uacme/base/defaults/main.yml +++ b/roles/x509/uacme/base/defaults/main.yml @@ -4,3 +4,5 @@ uacme_directory_server: "{{ acme_directory_server }}" ### this defaults to '/var/run/acme/acme-challenge' # uacme_challenge_webroot_path: "/path/to/acme-challenge" + +# uacme_eab: <keyid>:base64(<key>) diff --git a/roles/x509/uacme/base/tasks/main.yml b/roles/x509/uacme/base/tasks/main.yml index 3d1c8404..3473d541 100644 --- a/roles/x509/uacme/base/tasks/main.yml +++ b/roles/x509/uacme/base/tasks/main.yml @@ -7,7 +7,7 @@ state: present - name: create acme account key - command: "uacme -c /var/lib/uacme.d -a '{{ uacme_directory_server }}' -y new '{{ uacme_account_email }}'" + command: "uacme -c /var/lib/uacme.d -a '{{ uacme_directory_server }}' -y{% if uacme_eab is defined %} -e {{ uacme_eab }}{% endif %} new '{{ uacme_account_email }}'" args: creates: /var/lib/uacme.d/private/key.pem @@ -44,7 +44,28 @@ alias {{ uacme_challenge_webroot_path | default('/var/run/acme/acme-challenge') }}/; } -- name: generate selfsigned interim certificate - include_tasks: selfsigned.yml +- name: install reconcile script + template: + src: uacme-reconcile.sh.j2 + dest: /usr/local/bin/uacme-reconcile.sh + mode: 0755 -## TODO: add global automatic refresher? +- name: install systemd unit for automatic refresh + loop: + - service + - timer + template: + src: "uacme-reconcile.{{ item }}.j2" + dest: "/etc/systemd/system/uacme-reconcile.{{ item }}" + +- name: create system unit snippet directory + file: + path: /etc/systemd/system/uacme-reconcile.service.d/ + state: directory + +- name: make sure systemd timer for automatic refresh is enabled and started + systemd: + daemon_reload: yes + name: uacme-reconcile.timer + state: started + enabled: yes diff --git a/roles/x509/uacme/base/tasks/selfsigned.yml b/roles/x509/uacme/base/tasks/selfsigned.yml deleted file mode 100644 index fff77d42..00000000 --- a/roles/x509/uacme/base/tasks/selfsigned.yml +++ /dev/null @@ -1,47 +0,0 @@ ---- -- name: create directories for selfsigned interim certificate - loop: - - path: private/.self-signed - mode: "0700" - - path: .self-signed - mode: "0755" - loop_control: - label: "{{ item.path }}" - file: - path: "/var/lib/uacme.d/{{ item.path }}" - state: directory - mode: "{{ item.mode }}" - -- name: generate private key for selfsigned interim certificate - openssl_privatekey: - path: /var/lib/uacme.d/private/.self-signed/key.pem - mode: 0600 - -- name: generate csr for selfsigned interim certificate - community.crypto.openssl_csr_pipe: - privatekey_path: /var/lib/uacme.d/private/.self-signed/key.pem - common_name: "{{ ansible_fqdn }}" - register: selfsigned_interim_cert_req - changed_when: false - -### this is needed because strftime filter in ansible is exceptionally stupid -### see: https://github.com/ansible/ansible/issues/39835 -- name: get remote date-time 10s ago - command: date -d '10 seconds ago' -u '+%Y%m%d%H%M%SZ' - register: remote_datetime_10sago - changed_when: false - -- name: get remote date-time now - command: date -u '+%Y%m%d%H%M%SZ' - register: remote_datetime_now - changed_when: false - -- name: generate selfsigned interim certificate - community.crypto.x509_certificate: - path: /var/lib/uacme.d/.self-signed/cert.pem - privatekey_path: /var/lib/uacme.d/private/.self-signed/key.pem - csr_content: "{{ selfsigned_interim_cert_req.csr }}" - provider: selfsigned - ## make sure the certificate is not valid anymore to force uacme to create a new cert - selfsigned_not_before: "{{ remote_datetime_10sago.stdout }}" - selfsigned_not_after: "{{ remote_datetime_now.stdout }}" diff --git a/roles/x509/uacme/base/templates/uacme-reconcile.service.j2 b/roles/x509/uacme/base/templates/uacme-reconcile.service.j2 new file mode 100644 index 00000000..c2fe917a --- /dev/null +++ b/roles/x509/uacme/base/templates/uacme-reconcile.service.j2 @@ -0,0 +1,18 @@ +[Unit] +Description=Reconcile Let's Encrypt certificates using uacme + +[Service] +Type=oneshot +ExecStart=/usr/local/bin/uacme-reconcile.sh +TimeoutStartSec=5min +CapabilityBoundingSet=CAP_CHOWN CAP_NET_BIND_SERVICE +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +ProtectSystem=strict +ReadWritePaths=/var/lib/uacme.d {{ uacme_challenge_webroot_path | default('/var/run/acme/acme-challenge') }} +ProtectHome=yes +ProtectKernelTunables=yes +ProtectControlGroups=yes +RestrictRealtime=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 diff --git a/roles/x509/uacme/base/templates/uacme-reconcile.sh.j2 b/roles/x509/uacme/base/templates/uacme-reconcile.sh.j2 new file mode 100644 index 00000000..ea02841d --- /dev/null +++ b/roles/x509/uacme/base/templates/uacme-reconcile.sh.j2 @@ -0,0 +1,32 @@ +#!/bin/bash + +declare -a csr_files +if [ -n "$1" ]; then + csr_files+=("/var/lib/uacme.d/$1/$1.csr") +else + readarray -d '' csr_files < <(find /var/lib/uacme.d -name "*.csr" -print0) +fi + +export UACME_CHALLENGE_PATH="{{ uacme_challenge_webroot_path | default('/var/run/acme/acme-challenge') }}" + +failed=0 +for csr_file in "${csr_files[@]}"; do + id=$(basename -s .csr "$csr_file") + uacme -c /var/lib/uacme.d -a "{{ uacme_directory_server }}" -h /usr/share/uacme/uacme.sh -n issue "$csr_file" + case $? in + 0) + echo "$id successfully (re)issued." + if [ -x "/var/lib/uacme.d/$id/updated.sh" ]; then + /var/lib/uacme.d/$id/updated.sh + fi + ;; + 1) + echo "$id not updated." + ;; + *) + failed=1 + ;; + esac +done + +exit $failed diff --git a/roles/x509/uacme/base/templates/uacme-reconcile.timer.j2 b/roles/x509/uacme/base/templates/uacme-reconcile.timer.j2 new file mode 100644 index 00000000..6d37a162 --- /dev/null +++ b/roles/x509/uacme/base/templates/uacme-reconcile.timer.j2 @@ -0,0 +1,10 @@ +[Unit] +Description=Reconcile Let's Encrypt certificates using uacme + +[Timer] +OnCalendar=*-*-* 00,12:00:00 +RandomizedDelaySec=1h +Persistent=yes + +[Install] +WantedBy=timers.target diff --git a/roles/x509/uacme/cert/finalize/defaults/main.yml b/roles/x509/uacme/cert/finalize/defaults/main.yml new file mode 100644 index 00000000..611dc6fc --- /dev/null +++ b/roles/x509/uacme/cert/finalize/defaults/main.yml @@ -0,0 +1,3 @@ +--- +uacme_cert_hostnames: "{{ x509_certificate_hostnames }}" +uacme_cert_name: "{{ x509_certificate_name | default(uacme_cert_hostnames[0]) }}" diff --git a/roles/x509/uacme/cert/finalize/tasks/main.yml b/roles/x509/uacme/cert/finalize/tasks/main.yml new file mode 100644 index 00000000..6578c418 --- /dev/null +++ b/roles/x509/uacme/cert/finalize/tasks/main.yml @@ -0,0 +1,5 @@ +--- +- name: running uacme issue command + command: "/usr/local/bin/uacme-reconcile.sh '{{ uacme_cert_name }}'" + register: uacme_reconcile + changed_when: "'not updated.' not in uacme_reconcile.stdout" diff --git a/roles/x509/uacme/cert/meta/main.yml b/roles/x509/uacme/cert/meta/main.yml new file mode 100644 index 00000000..5106342c --- /dev/null +++ b/roles/x509/uacme/cert/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - role: x509/uacme/cert/prepare + - role: x509/uacme/cert/finalize diff --git a/roles/x509/uacme/cert/prepare/defaults/main.yml b/roles/x509/uacme/cert/prepare/defaults/main.yml new file mode 100644 index 00000000..b15c1e44 --- /dev/null +++ b/roles/x509/uacme/cert/prepare/defaults/main.yml @@ -0,0 +1,15 @@ +--- +uacme_cert_hostnames: "{{ x509_certificate_hostnames }}" +uacme_cert_name: "{{ x509_certificate_name | default(uacme_cert_hostnames[0]) }}" + +# uacme_cert_config: +# key: +# mode: "0640" +# owner: root +# group: www-data +# type: RSA +# size: 4096 +# cert: +# mode: "0644" +# owner: root +# group: www-data diff --git a/roles/x509/uacme/cert/prepare/handlers/main.yml b/roles/x509/uacme/cert/prepare/handlers/main.yml new file mode 100644 index 00000000..330bcd11 --- /dev/null +++ b/roles/x509/uacme/cert/prepare/handlers/main.yml @@ -0,0 +1,10 @@ +--- +- name: reload systemd + systemd: + daemon_reload: yes + +- name: reload services for x509 certificates + loop: "{{ x509_certificate_reload_services | default([]) }}" + service: + name: "{{ item }}" + state: reloaded diff --git a/roles/x509/uacme/cert/prepare/tasks/main.yml b/roles/x509/uacme/cert/prepare/tasks/main.yml new file mode 100644 index 00000000..a83651b3 --- /dev/null +++ b/roles/x509/uacme/cert/prepare/tasks/main.yml @@ -0,0 +1,112 @@ +--- +- name: create directory for uacme-controlled certificate + file: + path: "/var/lib/uacme.d/{{ uacme_cert_name }}" + state: directory + +- name: generate key for uacme-controlled certificate + openssl_privatekey: + path: "/var/lib/uacme.d/{{ uacme_cert_name }}/key.pem" + mode: "{{ uacme_cert_config.key.mode | default('0600') }}" + owner: "{{ uacme_cert_config.key.owner | default(omit) }}" + group: "{{ uacme_cert_config.key.group | default(omit) }}" + type: "{{ uacme_cert_config.key.type | default(omit) }}" + size: "{{ uacme_cert_config.key.size | default(omit) }}" + notify: reload services for x509 certificates + +- name: generate csr for uacme-controlled certificate + community.crypto.openssl_csr: + path: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}.csr" + mode: "{{ uacme_cert_config.cert.mode | default('0644') }}" + owner: "{{ uacme_cert_config.cert.owner | default(omit) }}" + group: "{{ uacme_cert_config.cert.group | default(omit) }}" + privatekey_path: "/var/lib/uacme.d/{{ uacme_cert_name }}/key.pem" + common_name: "{{ uacme_cert_hostnames[0] }}" + subject_alt_name: "{{ ['DNS:'] | product(uacme_cert_hostnames) | map('join') | list }}" + subject_alt_name_critical: yes + use_common_name_for_san: no + +- name: test if uacme-controlled certificate already exists + stat: + path: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem" + register: uacme_cert_file + +- name: generate selfsigned interim certificate + when: not uacme_cert_file.stat.exists + block: + ### this is needed because strftime filter in ansible is exceptionally stupid + ### see: https://github.com/ansible/ansible/issues/39835 + - name: get remote date-time 10s ago + command: date -d '10 seconds ago' -u '+%Y%m%d%H%M%SZ' + register: remote_datetime_10sago + changed_when: false + + - name: get remote date-time now + command: date -u '+%Y%m%d%H%M%SZ' + register: remote_datetime_now + changed_when: false + + - name: generate selfsigned interim certificate + community.crypto.x509_certificate: + path: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem" + mode: "{{ uacme_cert_config.cert.mode | default('0644') }}" + owner: "{{ uacme_cert_config.cert.owner | default(omit) }}" + group: "{{ uacme_cert_config.cert.group | default(omit) }}" + privatekey_path: "/var/lib/uacme.d/{{ uacme_cert_name }}/key.pem" + csr_path: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}.csr" + provider: selfsigned + ## make sure the certificate is not valid anymore to force uacme to create a new cert + selfsigned_not_before: "{{ remote_datetime_10sago.stdout }}" + selfsigned_not_after: "{{ remote_datetime_now.stdout }}" + return_content: yes + register: uacme_cert_selfsigned + notify: reload services for x509 certificates + + - name: make sure cert-only file exists + copy: + content: "{{ uacme_cert_selfsigned.certificate }}" + dest: "/var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem" + mode: "{{ uacme_cert_config.cert.mode | default('0644') }}" + owner: "{{ uacme_cert_config.cert.owner | default(omit) }}" + group: "{{ uacme_cert_config.cert.group | default(omit) }}" + notify: reload services for x509 certificates + + - name: make sure the chain file exists + copy: + content: "" + dest: "/var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem" + mode: "{{ uacme_cert_config.cert.mode | default('0644') }}" + owner: "{{ uacme_cert_config.cert.owner | default(omit) }}" + group: "{{ uacme_cert_config.cert.group | default(omit) }}" + notify: reload services for x509 certificates + +- name: export paths to certificate files + set_fact: + x509_certificate_path_key: "/var/lib/uacme.d/{{ uacme_cert_name }}/key.pem" + x509_certificate_path_cert: "/var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem" + x509_certificate_path_chain: "/var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem" + x509_certificate_path_fullchain: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem" + +- name: install script to be called when new certificate is generated + template: + src: updated.sh.j2 + dest: "/var/lib/uacme.d/{{ uacme_cert_name }}/updated.sh" + mode: 0755 + +- name: install systemd unit snippet + when: "x509_certificate_renewal is defined and 'install' in x509_certificate_renewal" + copy: + dest: "/etc/systemd/system/uacme-reconcile.service.d/{{ x509_certificate_name }}.conf" + content: | + [Service] + {% for path in (x509_certificate_renewal.install | map(attribute='dest') | map('dirname') | unique | list) %} + ReadWritePaths={{ path }} + {% endfor %} + notify: reload systemd + +- name: remove systemd unit snippet + when: "x509_certificate_renewal is undefined or 'install' not in x509_certificate_renewal" + file: + path: "/etc/systemd/system/uacme-reconcile.service.d/{{ x509_certificate_name }}.conf" + state: absent + notify: reload systemd diff --git a/roles/x509/uacme/cert/prepare/templates/updated.sh.j2 b/roles/x509/uacme/cert/prepare/templates/updated.sh.j2 new file mode 100644 index 00000000..275ca189 --- /dev/null +++ b/roles/x509/uacme/cert/prepare/templates/updated.sh.j2 @@ -0,0 +1,33 @@ +#!/bin/sh + +BASE_D="/var/lib/uacme.d/{{ uacme_cert_name }}" + +# split fullchain and fix permissions +awk '{if(length($0) > 0) print} /-----END CERTIFICATE-----/ { exit }' "$BASE_D/{{ uacme_cert_name }}-cert.pem" > "$BASE_D/crt.pem" +awk '(show==1) {if(length($0) > 0) print} /-----END CERTIFICATE-----/ { show=1 }' "$BASE_D/{{ uacme_cert_name }}-cert.pem" > "$BASE_D/chain.pem" +chmod "{{ uacme_cert_config.cert.mode | default('0644') }}" $BASE_D/{{ uacme_cert_name }}-cert.pem $BASE_D/crt.pem $BASE_D/chain.pem +{% if uacme_cert_config.cert.owner is defined %} +chown "{{ uacme_cert_config.cert.owner }}" $BASE_D/{{ uacme_cert_name }}-cert.pem $BASE_D/crt.pem $BASE_D/chain.pem +{% endif %} +{% if uacme_cert_config.cert.group is defined %} +chgrp "{{ uacme_cert_config.cert.group }}" $BASE_D/{{ uacme_cert_name }}-cert.pem $BASE_D/crt.pem $BASE_D/chain.pem +{% endif %} +{% if x509_certificate_renewal is defined and 'install' in x509_certificate_renewal %} +{% for file in x509_certificate_renewal.install %} + +install{% if 'mode' in file %} -m {{ file.mode }}{% endif %}{% if 'owner' in file %} -o {{ file.owner }}{% endif %}{% if 'owner' in file %} -g {{ file.group }}{% endif %} /dev/null "{{ file.dest }}.new" +{% for src in file.src %} +cat "{{ hostvars[inventory_hostname]['x509_certificate_path_' + src] }}" >> "{{ file.dest }}.new" +mv "{{ file.dest }}.new" "{{ file.dest }}" +{% endfor %} +{% endfor %} +{% endif %} + +## reload services +{% for service in (x509_certificate_reload_services | default([])) %} +systemctl reload "{{ service }}.service" +{% endfor %} +{% if x509_certificate_renewal is defined and 'reload' in x509_certificate_renewal %} + +{{ x509_certificate_renewal.reload | trim }} +{% endif %} |