From 0e7633683267708356130aaf3ccae07237d49af4 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Wed, 9 Jun 2021 13:22:10 +0200
Subject: ws cleanup
---
roles/acmetool/base/tasks/main.yml | 4 +-
roles/acmetool/base/tasks/selfsigned.yml | 248 +++++++++++++++----------------
2 files changed, 126 insertions(+), 126 deletions(-)
(limited to 'roles/acmetool')
diff --git a/roles/acmetool/base/tasks/main.yml b/roles/acmetool/base/tasks/main.yml
index f19002b3..5ad03257 100644
--- a/roles/acmetool/base/tasks/main.yml
+++ b/roles/acmetool/base/tasks/main.yml
@@ -7,8 +7,8 @@ - name: install needed packages apt: name: - - acmetool - - "{{ python_basename }}-openssl" + - acmetool + - "{{ python_basename }}-openssl" state: present - name: create initial directory structure
diff --git a/roles/acmetool/base/tasks/selfsigned.yml b/roles/acmetool/base/tasks/selfsigned.yml
index 7ba829e6..0d444b83 100644
--- a/roles/acmetool/base/tasks/selfsigned.yml
+++ b/roles/acmetool/base/tasks/selfsigned.yml
@@ -17,129 +17,129 @@ - name: create selfsigned interim certificate when: not existing_selfsigned_interim_cert_id or not existing_selfsigned_interim_cert_stat.stat.exists block: - - name: create temporary directory - tempfile: - path: /var/lib/acme/tmp - prefix: selfsigned-interim-cert- - state: directory - register: tmpdir - - - name: set tmpdir variable - set_fact: - tmpdir: "{{ tmpdir.path }}" - - - name: generate private key for selfsigned interim certificate - openssl_privatekey: - path: "{{ tmpdir }}/privkey" - mode: 0600 - - - name: generate csr for selfsigned interim certificate - openssl_csr: - path: "{{ tmpdir }}/csr" - privatekey_path: "{{ tmpdir }}/privkey" - common_name: "{{ ansible_fqdn }}" - - - ### this is needed because strftime filter in ansible is exceptionally stupid - ### see: https://github.com/ansible/ansible/issues/39835 - - name: get remote date-time 10s ago - command: date -d '10 seconds ago' -u '+%Y%m%d%H%M%SZ' - register: remote_datetime_10sago - - - name: get remote date-time now - command: date -u '+%Y%m%d%H%M%SZ' - register: remote_datetime_now - - - name: generate selfsigned interim certificate - openssl_certificate: - path: "{{ tmpdir }}/cert" - privatekey_path: "{{ tmpdir }}/privkey" - csr_path: "{{ tmpdir }}/csr" - provider: selfsigned - ## make sure the certificate is not valid anymore to force acmetool to create a new cert - selfsigned_not_before: "{{ remote_datetime_10sago.stdout }}" - selfsigned_not_after: "{{ remote_datetime_now.stdout }}" - - - name: remove csr for selfsigned interim certificate - file: - path: "{{ tmpdir }}/csr" - state: absent - - - name: copy selfsigned interim certificate for fullchain - command: "cp '{{ tmpdir }}/cert' '{{ tmpdir }}/fullchain'" - - - name: create additional empty files - loop: - - chain - - selfsigned - copy: - content: "" - dest: "{{ tmpdir }}/{{ item }}" - - ### TODO: remove this once acmetool respects it's own storage layout - ### see: 
https://github.com/hlandau/acme/blob/master/_doc/SCHEMA.md#temporary-use-of-self-signed-certificates - - name: generate fake url file - copy: - content: "https://acme.example.com/acme/cert/self-signed\n" - dest: "{{ tmpdir }}/url" - - - name: get key id - shell: "openssl x509 -in '{{ tmpdir }}/cert' -noout -pubkey | openssl enc -base64 -d | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'" - register: selfsigned_interim_key_id - - - name: set selfsigned_interim_key_id variable - set_fact: - selfsigned_interim_key_id: "{{ selfsigned_interim_key_id.stdout }}" - - - name: create directory for private key of selfsigned interim certificate - file: - path: "/var/lib/acme/keys/{{ selfsigned_interim_key_id }}" - state: directory - mode: 0700 - - - name: move private key to its directory - command: "mv '{{ tmpdir }}/privkey' '/var/lib/acme/keys/{{ selfsigned_interim_key_id }}/privkey'" - - - name: create symlink to privkey - file: - src: "../../keys/{{ selfsigned_interim_key_id }}/privkey" - dest: "{{ tmpdir }}/privkey" - state: link - - # - name: get certificate id - # shell: "openssl x509 -in '{{ tmpdir }}/cert' -outform der | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'" - # register: selfsigned_interim_cert_id - - # - name: set selfsigned_interim_cert_id variable - # set_fact: - # selfsigned_interim_cert_id: "selfsigned-{{ selfsigned_interim_cert_id.stdout }}" - - ### TODO: replace with the above once acmetool respects it's own storage layout - ### see: https://github.com/hlandau/acme/blob/master/_doc/SCHEMA.md#temporary-use-of-self-signed-certificates - - name: get certificate id - shell: "cat '{{ tmpdir }}/url' | tr -d '\n' | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'" - register: selfsigned_interim_cert_id - - - name: set selfsigned_interim_cert_id variable - set_fact: - selfsigned_interim_cert_id: "{{ selfsigned_interim_cert_id.stdout }}" - - - name: set permissions for selfsigned 
interim certificate directory - file: - path: "{{ tmpdir }}" - mode: 0755 - state: directory - - - name: move selfsigned interim certificate directory into place - command: "mv '{{ tmpdir }}' '/var/lib/acme/certs/{{ selfsigned_interim_cert_id }}'" - - - name: write cert-id of selfsigned interim certificate to state directory - copy: - content: "{{ selfsigned_interim_cert_id }}" - dest: /var/lib/acme/.selfsigned-interim-cert + - name: create temporary directory + tempfile: + path: /var/lib/acme/tmp + prefix: selfsigned-interim-cert- + state: directory + register: tmpdir + + - name: set tmpdir variable + set_fact: + tmpdir: "{{ tmpdir.path }}" + + - name: generate private key for selfsigned interim certificate + openssl_privatekey: + path: "{{ tmpdir }}/privkey" + mode: 0600 + + - name: generate csr for selfsigned interim certificate + openssl_csr: + path: "{{ tmpdir }}/csr" + privatekey_path: "{{ tmpdir }}/privkey" + common_name: "{{ ansible_fqdn }}" + + + ### this is needed because strftime filter in ansible is exceptionally stupid + ### see: https://github.com/ansible/ansible/issues/39835 + - name: get remote date-time 10s ago + command: date -d '10 seconds ago' -u '+%Y%m%d%H%M%SZ' + register: remote_datetime_10sago + + - name: get remote date-time now + command: date -u '+%Y%m%d%H%M%SZ' + register: remote_datetime_now + + - name: generate selfsigned interim certificate + openssl_certificate: + path: "{{ tmpdir }}/cert" + privatekey_path: "{{ tmpdir }}/privkey" + csr_path: "{{ tmpdir }}/csr" + provider: selfsigned + ## make sure the certificate is not valid anymore to force acmetool to create a new cert + selfsigned_not_before: "{{ remote_datetime_10sago.stdout }}" + selfsigned_not_after: "{{ remote_datetime_now.stdout }}" + + - name: remove csr for selfsigned interim certificate + file: + path: "{{ tmpdir }}/csr" + state: absent + + - name: copy selfsigned interim certificate for fullchain + command: "cp '{{ tmpdir }}/cert' '{{ tmpdir }}/fullchain'" + + - name: 
create additional empty files + loop: + - chain + - selfsigned + copy: + content: "" + dest: "{{ tmpdir }}/{{ item }}" + + ### TODO: remove this once acmetool respects it's own storage layout + ### see: https://github.com/hlandau/acme/blob/master/_doc/SCHEMA.md#temporary-use-of-self-signed-certificates + - name: generate fake url file + copy: + content: "https://acme.example.com/acme/cert/self-signed\n" + dest: "{{ tmpdir }}/url" + + - name: get key id + shell: "openssl x509 -in '{{ tmpdir }}/cert' -noout -pubkey | openssl enc -base64 -d | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'" + register: selfsigned_interim_key_id + + - name: set selfsigned_interim_key_id variable + set_fact: + selfsigned_interim_key_id: "{{ selfsigned_interim_key_id.stdout }}" + + - name: create directory for private key of selfsigned interim certificate + file: + path: "/var/lib/acme/keys/{{ selfsigned_interim_key_id }}" + state: directory + mode: 0700 + + - name: move private key to its directory + command: "mv '{{ tmpdir }}/privkey' '/var/lib/acme/keys/{{ selfsigned_interim_key_id }}/privkey'" + + - name: create symlink to privkey + file: + src: "../../keys/{{ selfsigned_interim_key_id }}/privkey" + dest: "{{ tmpdir }}/privkey" + state: link + + # - name: get certificate id + # shell: "openssl x509 -in '{{ tmpdir }}/cert' -outform der | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'" + # register: selfsigned_interim_cert_id + + # - name: set selfsigned_interim_cert_id variable + # set_fact: + # selfsigned_interim_cert_id: "selfsigned-{{ selfsigned_interim_cert_id.stdout }}" + + ### TODO: replace with the above once acmetool respects it's own storage layout + ### see: https://github.com/hlandau/acme/blob/master/_doc/SCHEMA.md#temporary-use-of-self-signed-certificates + - name: get certificate id + shell: "cat '{{ tmpdir }}/url' | tr -d '\n' | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'" + register: 
selfsigned_interim_cert_id + + - name: set selfsigned_interim_cert_id variable + set_fact: + selfsigned_interim_cert_id: "{{ selfsigned_interim_cert_id.stdout }}" + + - name: set permissions for selfsigned interim certificate directory + file: + path: "{{ tmpdir }}" + mode: 0755 + state: directory + + - name: move selfsigned interim certificate directory into place + command: "mv '{{ tmpdir }}' '/var/lib/acme/certs/{{ selfsigned_interim_cert_id }}'" + + - name: write cert-id of selfsigned interim certificate to state directory + copy: + content: "{{ selfsigned_interim_cert_id }}" + dest: /var/lib/acme/.selfsigned-interim-cert rescue: - - name: remove temporary directory for selfsigned interim certificate - file: - path: "{{ tmpdir }}" - state: absent + - name: remove temporary directory for selfsigned interim certificate + file: + path: "{{ tmpdir }}" + state: absent -- cgit v1.2.3