From be0860d705146d7b345db408a90493421446da8d Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Fri, 23 Dec 2022 15:08:01 +0100
Subject: x509/uacme: implement self-signed interim certificate

---
 roles/x509/uacme/base/tasks/main.yml       |  7 ++---
 roles/x509/uacme/base/tasks/selfsigned.yml | 47 ++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 4 deletions(-)
 create mode 100644 roles/x509/uacme/base/tasks/selfsigned.yml

diff --git a/roles/x509/uacme/base/tasks/main.yml b/roles/x509/uacme/base/tasks/main.yml
index b40c52b5..3d1c8404 100644
--- a/roles/x509/uacme/base/tasks/main.yml
+++ b/roles/x509/uacme/base/tasks/main.yml
@@ -41,11 +41,10 @@
     dest: /etc/nginx/snippets/uacme.conf
     content: |
       location /.well-known/acme-challenge/ {
-        alias {{ uacme_challenge_webroot_path | default('/var/run/acme/acme-challenge/') }};
+        alias {{ uacme_challenge_webroot_path | default('/var/run/acme/acme-challenge') }}/;
       }
 
-## TODO: implement this
-# - name: generate selfsigned interim certificate
-#   include_tasks: selfsigned.yml
+- name: generate selfsigned interim certificate
+  include_tasks: selfsigned.yml
 
 ## TODO: add global automatic refresher?
diff --git a/roles/x509/uacme/base/tasks/selfsigned.yml b/roles/x509/uacme/base/tasks/selfsigned.yml
new file mode 100644
index 00000000..fff77d42
--- /dev/null
+++ b/roles/x509/uacme/base/tasks/selfsigned.yml
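Review bot: In the main.yml hunk, the new `alias` line appends `/` after the variable, so a user-supplied `uacme_challenge_webroot_path` that already ends in a slash renders as `//` in the nginx snippet; only the default value was adjusted, the override is not normalised. Stripping a trailing slash in the template, `alias {{ uacme_challenge_webroot_path | default('/var/run/acme/acme-challenge') | regex_replace('/$', '') }}/;`, or documenting next to the variable that it must be given without a trailing slash, closes that gap. The task that owns this `content:` block starts before the hunk.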
@@ -0,0 +1,47 @@
+---
+- name: create directories for selfsigned interim certificate
+  loop:
+    - path: private/.self-signed
+      mode: "0700"
+    - path: .self-signed
+      mode: "0755"
+  loop_control:
+    label: "{{ item.path }}"
+  file:
+    path: "/var/lib/uacme.d/{{ item.path }}"
+    state: directory
+    mode: "{{ item.mode }}"
+
+- name: generate private key for selfsigned interim certificate
+  openssl_privatekey:
+    path: /var/lib/uacme.d/private/.self-signed/key.pem
+    mode: 0600
+
+- name: generate csr for selfsigned interim certificate
+  community.crypto.openssl_csr_pipe:
+    privatekey_path: /var/lib/uacme.d/private/.self-signed/key.pem
+    common_name: "{{ ansible_fqdn }}"
+  register: selfsigned_interim_cert_req
+  changed_when: false
+
+### this is needed because strftime filter in ansible is exceptionally stupid
+### see: https://github.com/ansible/ansible/issues/39835
+- name: get remote date-time 10s ago
+  command: date -d '10 seconds ago' -u '+%Y%m%d%H%M%SZ'
+  register: remote_datetime_10sago
+  changed_when: false
+
+- name: get remote date-time now
+  command: date -u '+%Y%m%d%H%M%SZ'
+  register: remote_datetime_now
+  changed_when: false
+
+- name: generate selfsigned interim certificate
+  community.crypto.x509_certificate:
+    path: /var/lib/uacme.d/.self-signed/cert.pem
+    privatekey_path: /var/lib/uacme.d/private/.self-signed/key.pem
+    csr_content: "{{ selfsigned_interim_cert_req.csr }}"
+    provider: selfsigned
+    ## make sure the certificate is not valid anymore to force uacme to create a new cert
+    selfsigned_not_before: "{{ remote_datetime_10sago.stdout }}"
+    selfsigned_not_after: "{{ remote_datetime_now.stdout }}"
-- 
cgit v1.2.3
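Review bot: `mode: 0600` on the private-key task is an unquoted plain scalar while the directory tasks in the same file quote their modes (`"0700"`, `"0755"`); a YAML 1.1 loader reads `0600` as the octal integer 384, which happens to give the intended permission here but is the pattern ansible-lint reports as risky-octal, so `mode: "0600"` keeps the file consistent and safe against a later edit to a non-zero-prefixed value. The same task uses the short module name `openssl_privatekey` whereas the CSR and certificate tasks use the `community.crypto.` FQCN; `community.crypto.openssl_privatekey:` would match them. Since the certificate is deliberately issued with `selfsigned_not_after` set to the current time, whether the x509_certificate task re-issues it on every run depends on how the module treats an already-expired certificate; if it does regenerate each time, a short comment on that task stating that a changed result on every run is expected would save the next maintainer from "fixing" it.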