From 0c469b73df57b25a96e77e0b9ae09ab7cd1bf128 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Thu, 22 Dec 2022 22:22:09 +0100
Subject: acmetool: minor refactroing

---
 roles/x509/acmetool/base/tasks/selfsigned.yml | 48 +++++++++++++--------------
 1 file changed, 24 insertions(+), 24 deletions(-)
(limited to 'roles/x509/acmetool/base/tasks/selfsigned.yml')

diff --git a/roles/x509/acmetool/base/tasks/selfsigned.yml b/roles/x509/acmetool/base/tasks/selfsigned.yml
index 449fbdb9..9b1af903 100644
--- a/roles/x509/acmetool/base/tasks/selfsigned.yml
+++ b/roles/x509/acmetool/base/tasks/selfsigned.yml
@@ -1,16 +1,16 @@
 ---
 - name: get id of existing selfsigned interim certificate
- ansible.builtin.shell: cat /var/lib/acme/.selfsigned-interim-cert || true
+ shell: cat /var/lib/acme/.selfsigned-interim-cert || true
 changed_when: false
 check_mode: false
 register: existing_selfsigned_interim_cert_id
 - name: set existing_selfsigned_interim_cert_id variable
- ansible.builtin.set_fact:
+ set_fact:
 existing_selfsigned_interim_cert_id: "{{ existing_selfsigned_interim_cert_id.stdout }}"
 - name: check if selfsigned interim certificate does exist
- ansible.builtin.stat:
+ stat:
 path: "/var/lib/acme/certs/{{ existing_selfsigned_interim_cert_id }}"
 register: existing_selfsigned_interim_cert_stat
@@ -18,18 +18,18 @@
 when: not existing_selfsigned_interim_cert_id or not existing_selfsigned_interim_cert_stat.stat.exists
 block:
 - name: create temporary directory
- ansible.builtin.tempfile:
+ tempfile:
 path: /var/lib/acme/tmp
 prefix: selfsigned-interim-cert-
 state: directory
 register: tmpdir
 - name: set tmpdir variable
- ansible.builtin.set_fact:
+ set_fact:
 tmpdir: "{{ tmpdir.path }}"
 - name: generate private key for selfsigned interim certificate
- ansible.builtin.openssl_privatekey:
+ openssl_privatekey:
 path: "{{ tmpdir }}/privkey"
 mode: 0600
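Review bot: `shell: cat /var/lib/acme/.selfsigned-interim-cert || true` turns every read error into an empty string, so a permission or I/O problem on the state file is indistinguishable from a first run and the block further down regenerates the interim certificate. A `stat` on the state file followed by `slurp` (or a `failed_when` that only tolerates a missing file) keeps the read-only behaviour without masking failures. The registered value is also interpolated unchecked into `path: "/var/lib/acme/certs/{{ existing_selfsigned_interim_cert_id }}"`; since the ids written by this file are lowercase base32 (`base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'` in the `@@ -72,74` hunk), an `assert` that it matches `^[a-z2-7]+$` before it becomes a path component would reject anything else.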
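Review bot: `mode: 0600` on the `openssl_privatekey` task is an unquoted octal literal: PyYAML reads it as the integer 384, which Ansible re-interprets as octal, so it works today, but ansible-lint's risky-octal rule flags it and a YAML 1.2 loader would read it as decimal 600. Quoting it, `mode: "0600"`, makes the intent explicit; the same applies to `mode: 0700` and `mode: 0755` in the `@@ -72,74` hunk. The task that owns the `when:` and `block:` at the top of this hunk starts before it, and the block body continues past `mode: 0600`.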
@@ -43,11 +43,11 @@
 ### this is needed because strftime filter in ansible is exceptionally stupid
 ### see: https://github.com/ansible/ansible/issues/39835
 - name: get remote date-time 10s ago
- ansible.builtin.command: date -d '10 seconds ago' -u '+%Y%m%d%H%M%SZ'
+ command: date -d '10 seconds ago' -u '+%Y%m%d%H%M%SZ'
 register: remote_datetime_10sago
 - name: get remote date-time now
- ansible.builtin.command: date -u '+%Y%m%d%H%M%SZ'
+ command: date -u '+%Y%m%d%H%M%SZ'
 register: remote_datetime_now
 - name: generate selfsigned interim certificate
@@ -64,7 +64,7 @@
 loop:
 - cert
 - fullchain
- ansible.builtin.copy:
+ copy:
 content: "{{ selfsigned_interim_cert.certificate }}"
 dest: "{{ tmpdir }}/{{ item }}"
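Review bot: The two `command: date …` tasks are read-only but carry no `changed_when: false`, so unlike the `shell` task at the top of the file they report a change every time the block runs. Add `changed_when: false` to both; `check_mode: false` is worth considering as well, because `command` is skipped in check mode and the registered `remote_datetime_10sago`/`remote_datetime_now` then have no `stdout` for the certificate task that presumably consumes them. That `generate selfsigned interim certificate` task starts on the last line of this hunk and its body is outside it.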
@@ -72,74 +72,74 @@
 loop:
 - chain
 - selfsigned
- ansible.builtin.copy:
+ copy:
 content: ""
 dest: "{{ tmpdir }}/{{ item }}"
 ### TODO: remove this once acmetool respects it's own storage layout
 ### see: https://github.com/hlandau/acme/blob/master/_doc/SCHEMA.md#temporary-use-of-self-signed-certificates
 - name: generate fake url file
- ansible.builtin.copy:
+ copy:
 content: "https://acme.example.com/acme/cert/self-signed\n"
 dest: "{{ tmpdir }}/url"
 - name: get key id
- ansible.builtin.shell: "openssl x509 -in '{{ tmpdir }}/cert' -noout -pubkey | openssl enc -base64 -d | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'"
+ shell: "openssl x509 -in '{{ tmpdir }}/cert' -noout -pubkey | openssl enc -base64 -d | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'"
 register: selfsigned_interim_key_id
 - name: set selfsigned_interim_key_id variable
- ansible.builtin.set_fact:
+ set_fact:
 selfsigned_interim_key_id: "{{ selfsigned_interim_key_id.stdout }}"
 - name: create directory for private key of selfsigned interim certificate
- ansible.builtin.file:
+ file:
 path: "/var/lib/acme/keys/{{ selfsigned_interim_key_id }}"
 state: directory
 mode: 0700
 - name: move private key to its directory
- ansible.builtin.command: "mv '{{ tmpdir }}/privkey' '/var/lib/acme/keys/{{ selfsigned_interim_key_id }}/privkey'"
+ command: "mv '{{ tmpdir }}/privkey' '/var/lib/acme/keys/{{ selfsigned_interim_key_id }}/privkey'"
 - name: create symlink to privkey
- ansible.builtin.file:
+ file:
 src: "../../keys/{{ selfsigned_interim_key_id }}/privkey"
 dest: "{{ tmpdir }}/privkey"
 state: link
 # - name: get certificate id
- # ansible.builtin.shell: "openssl x509 -in '{{ tmpdir }}/cert' -outform der | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'"
+ # shell: "openssl x509 -in '{{ tmpdir }}/cert' -outform der | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'"
 # register: selfsigned_interim_cert_id
 # - name: set selfsigned_interim_cert_id variable
- # ansible.builtin.set_fact:
+ # set_fact:
 # selfsigned_interim_cert_id: "selfsigned-{{ selfsigned_interim_cert_id.stdout }}"
 ### TODO: replace with the above once acmetool respects it's own storage layout
 ### see: https://github.com/hlandau/acme/blob/master/_doc/SCHEMA.md#temporary-use-of-self-signed-certificates
 - name: get certificate id
- ansible.builtin.shell: "cat '{{ tmpdir }}/url' | tr -d '\n' | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'"
+ shell: "cat '{{ tmpdir }}/url' | tr -d '\n' | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'"
 register: selfsigned_interim_cert_id
 - name: set selfsigned_interim_cert_id variable
- ansible.builtin.set_fact:
+ set_fact:
 selfsigned_interim_cert_id: "{{ selfsigned_interim_cert_id.stdout }}"
 - name: set permissions for selfsigned interim certificate directory
- ansible.builtin.file:
+ file:
 path: "{{ tmpdir }}"
 mode: 0755
 state: directory
 - name: move selfsigned interim certificate directory into place
- ansible.builtin.command: "mv '{{ tmpdir }}' '/var/lib/acme/certs/{{ selfsigned_interim_cert_id }}'"
+ command: "mv '{{ tmpdir }}' '/var/lib/acme/certs/{{ selfsigned_interim_cert_id }}'"
 - name: write cert-id of selfsigned interim certificate to state directory
- ansible.builtin.copy:
+ copy:
 content: "{{ selfsigned_interim_cert_id }}"
 dest: /var/lib/acme/.selfsigned-interim-cert
 rescue:
 - name: remove temporary directory for selfsigned interim certificate
- ansible.builtin.file:
+ file:
 path: "{{ tmpdir }}"
 state: absent
-- cgit v1.2.3
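Review bot: The `rescue:` at the end of this hunk only removes `{{ tmpdir }}`, but `command: "mv '{{ tmpdir }}/privkey' '/var/lib/acme/keys/{{ selfsigned_interim_key_id }}/privkey'"` has already moved the private key out of the temporary directory, so a failure in any later task (the symlink, the certificate id, the final `mv`, the state-file write) leaves an orphaned key directory under `/var/lib/acme/keys/` that nothing cleans up, and a failure after the final `mv` likewise leaves the certificate directory in place with no state file pointing at it. A block whose rescue succeeds does not fail the host either, so the play carries on as if the interim certificate had been installed. I would extend the rescue as below: remove the key directory when `selfsigned_interim_key_id` is already a string (until `set_fact` runs it is the registered command result), and re-raise with `fail` unless continuing without the certificate is intended, in which case a comment in the rescue should say so.
```yaml
  rescue:
    # … unchanged: remove temporary directory task …

    - name: remove private key directory of failed selfsigned interim certificate
      file:
        path: "/var/lib/acme/keys/{{ selfsigned_interim_key_id }}"
        state: absent
      when: selfsigned_interim_key_id is defined and selfsigned_interim_key_id is string

    - name: re-raise failure of selfsigned interim certificate generation
      fail:
        msg: "generating the selfsigned interim certificate failed in task '{{ ansible_failed_task.name }}'"
```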