From 18e0446c9c545f396d7737b406e6e207748e7926 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Thu, 22 Dec 2022 13:01:30 +0100
Subject: move acmetool to new x509 subdir
---
 roles/acmetool/base/tasks/selfsigned.yml | 145 -------------------------------
 1 file changed, 145 deletions(-)
 delete mode 100644 roles/acmetool/base/tasks/selfsigned.yml
(limited to 'roles/acmetool/base/tasks/selfsigned.yml')
diff --git a/roles/acmetool/base/tasks/selfsigned.yml b/roles/acmetool/base/tasks/selfsigned.yml
deleted file mode 100644
index 449fbdb9..00000000
--- a/roles/acmetool/base/tasks/selfsigned.yml
+++ /dev/null
@@ -1,145 +0,0 @@
----
-- name: get id of existing selfsigned interim certificate
- ansible.builtin.shell: cat /var/lib/acme/.selfsigned-interim-cert || true
- changed_when: false
- check_mode: false
- register: existing_selfsigned_interim_cert_id
-
-- name: set existing_selfsigned_interim_cert_id variable
- ansible.builtin.set_fact:
- existing_selfsigned_interim_cert_id: "{{ existing_selfsigned_interim_cert_id.stdout }}"
-
-- name: check if selfsigned interim certificate does exist
- ansible.builtin.stat:
- path: "/var/lib/acme/certs/{{ existing_selfsigned_interim_cert_id }}"
- register: existing_selfsigned_interim_cert_stat
-
-- name: create selfsigned interim certificate
- when: not existing_selfsigned_interim_cert_id or not existing_selfsigned_interim_cert_stat.stat.exists
- block:
- - name: create temporary directory
- ansible.builtin.tempfile:
- path: /var/lib/acme/tmp
- prefix: selfsigned-interim-cert-
- state: directory
- register: tmpdir
-
- - name: set tmpdir variable
- ansible.builtin.set_fact:
- tmpdir: "{{ tmpdir.path }}"
-
- - name: generate private key for selfsigned interim certificate
- ansible.builtin.openssl_privatekey:
- path: "{{ tmpdir }}/privkey"
- mode: 0600
-
- - name: generate csr for selfsigned interim certificate
- community.crypto.openssl_csr_pipe:
- privatekey_path: "{{ tmpdir }}/privkey"
- common_name: "{{ ansible_fqdn }}"
- register: selfsigned_interim_cert_req
-
-
- ### this is needed because strftime filter in ansible is exceptionally stupid
- ### see: https://github.com/ansible/ansible/issues/39835
- - name: get remote date-time 10s ago
- ansible.builtin.command: date -d '10 seconds ago' -u '+%Y%m%d%H%M%SZ'
- register: remote_datetime_10sago
-
- - name: get remote date-time now
- ansible.builtin.command: date -u '+%Y%m%d%H%M%SZ'
- register: remote_datetime_now
-
- - name: generate selfsigned interim certificate
- community.crypto.x509_certificate_pipe:
- privatekey_path: "{{ tmpdir }}/privkey"
- csr_content: "{{ selfsigned_interim_cert_req.csr }}"
- provider: selfsigned
- ## make sure the certificate is not valid anymore to force acmetool to create a new cert
- selfsigned_not_before: "{{ remote_datetime_10sago.stdout }}"
- selfsigned_not_after: "{{ remote_datetime_now.stdout }}"
- register: selfsigned_interim_cert
-
- - name: install selfsigned interim certificate and fullchain
- loop:
- - cert
- - fullchain
- ansible.builtin.copy:
- content: "{{ selfsigned_interim_cert.certificate }}"
- dest: "{{ tmpdir }}/{{ item }}"
-
- - name: create additional empty files
- loop:
- - chain
- - selfsigned
- ansible.builtin.copy:
- content: ""
- dest: "{{ tmpdir }}/{{ item }}"
-
- ### TODO: remove this once acmetool respects it's own storage layout
- ### see: https://github.com/hlandau/acme/blob/master/_doc/SCHEMA.md#temporary-use-of-self-signed-certificates
- - name: generate fake url file
- ansible.builtin.copy:
- content: "https://acme.example.com/acme/cert/self-signed\n"
- dest: "{{ tmpdir }}/url"
-
- - name: get key id
- ansible.builtin.shell: "openssl x509 -in '{{ tmpdir }}/cert' -noout -pubkey | openssl enc -base64 -d | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'"
- register: selfsigned_interim_key_id
-
- - name: set selfsigned_interim_key_id variable
- ansible.builtin.set_fact:
- selfsigned_interim_key_id: "{{ selfsigned_interim_key_id.stdout }}"
-
- - name: create directory for private key of selfsigned interim certificate
- ansible.builtin.file:
- path: "/var/lib/acme/keys/{{ selfsigned_interim_key_id }}"
- state: directory
- mode: 0700
-
- - name: move private key to its directory
- ansible.builtin.command: "mv '{{ tmpdir }}/privkey' '/var/lib/acme/keys/{{ selfsigned_interim_key_id }}/privkey'"
-
- - name: create symlink to privkey
- ansible.builtin.file:
- src: "../../keys/{{ selfsigned_interim_key_id }}/privkey"
- dest: "{{ tmpdir }}/privkey"
- state: link
-
- # - name: get certificate id
- # ansible.builtin.shell: "openssl x509 -in '{{ tmpdir }}/cert' -outform der | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'"
- # register: selfsigned_interim_cert_id
-
- # - name: set selfsigned_interim_cert_id variable
- # ansible.builtin.set_fact:
- # selfsigned_interim_cert_id: "selfsigned-{{ selfsigned_interim_cert_id.stdout }}"
-
- ### TODO: replace with the above once acmetool respects it's own storage layout
- ### see: https://github.com/hlandau/acme/blob/master/_doc/SCHEMA.md#temporary-use-of-self-signed-certificates
- - name: get certificate id
- ansible.builtin.shell: "cat '{{ tmpdir }}/url' | tr -d '\n' | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'"
- register: selfsigned_interim_cert_id
-
- - name: set selfsigned_interim_cert_id variable
- ansible.builtin.set_fact:
- selfsigned_interim_cert_id: "{{ selfsigned_interim_cert_id.stdout }}"
-
- - name: set permissions for selfsigned interim certificate directory
- ansible.builtin.file:
- path: "{{ tmpdir }}"
- mode: 0755
- state: directory
-
- - name: move selfsigned interim certificate directory into place
- ansible.builtin.command: "mv '{{ tmpdir }}' '/var/lib/acme/certs/{{ selfsigned_interim_cert_id }}'"
-
- - name: write cert-id of selfsigned interim certificate to state directory
- ansible.builtin.copy:
- content: "{{ selfsigned_interim_cert_id }}"
- dest: /var/lib/acme/.selfsigned-interim-cert
-
- rescue:
- - name: remove temporary directory for selfsigned interim certificate
- ansible.builtin.file:
- path: "{{ tmpdir }}"
- state: absent
-- cgit v1.2.3