From f0718f3ceceec13a03b54b8d6d0abd2dac929fc3 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Wed, 20 Dec 2023 11:53:07 +0100 Subject: x509: add new role managed-ca --- roles/x509/managed-ca/base/tasks/main.yml | 5 + roles/x509/managed-ca/ca/defaults/main.yml | 16 +++ roles/x509/managed-ca/ca/tasks/main.yml | 58 ++++++++++ roles/x509/managed-ca/cert/finalize/tasks/main.yml | 2 + roles/x509/managed-ca/cert/meta/main.yml | 4 + .../x509/managed-ca/cert/prepare/defaults/main.yml | 49 ++++++++ .../x509/managed-ca/cert/prepare/handlers/main.yml | 16 +++ roles/x509/managed-ca/cert/prepare/tasks/main.yml | 123 +++++++++++++++++++++ .../cert/prepare/templates/updated.sh.j2 | 15 +++ 9 files changed, 288 insertions(+) create mode 100644 roles/x509/managed-ca/base/tasks/main.yml create mode 100644 roles/x509/managed-ca/ca/defaults/main.yml create mode 100644 roles/x509/managed-ca/ca/tasks/main.yml create mode 100644 roles/x509/managed-ca/cert/finalize/tasks/main.yml create mode 100644 roles/x509/managed-ca/cert/meta/main.yml create mode 100644 roles/x509/managed-ca/cert/prepare/defaults/main.yml create mode 100644 roles/x509/managed-ca/cert/prepare/handlers/main.yml create mode 100644 roles/x509/managed-ca/cert/prepare/tasks/main.yml create mode 100644 roles/x509/managed-ca/cert/prepare/templates/updated.sh.j2 (limited to 'roles/x509/managed-ca') diff --git a/roles/x509/managed-ca/base/tasks/main.yml b/roles/x509/managed-ca/base/tasks/main.yml new file mode 100644 index 00000000..e91eda4a --- /dev/null +++ b/roles/x509/managed-ca/base/tasks/main.yml @@ -0,0 +1,5 @@ +--- +- name: install needed packages + apt: + name: "{{ python_basename }}-cryptography" + state: present diff --git a/roles/x509/managed-ca/ca/defaults/main.yml b/roles/x509/managed-ca/ca/defaults/main.yml new file mode 100644 index 00000000..09d021d1 --- /dev/null +++ b/roles/x509/managed-ca/ca/defaults/main.yml @@ -0,0 +1,16 @@ +--- +# managed_ca_authorities: +# foo: +# key: +# type: RSA +# size: 4096 +# cert: +# common_name: foo CA +# country_name: "AT" +# locality_name: "Graz" +# organization_name: "spreadspace" +# organizational_unit_name: "ansible" +# state_or_province_name: "Styria" +# digest: sha256 +# not_before: +0h +# not_after: +520w diff --git a/roles/x509/managed-ca/ca/tasks/main.yml b/roles/x509/managed-ca/ca/tasks/main.yml new file mode 100644 index 00000000..e675ad8c --- /dev/null +++ b/roles/x509/managed-ca/ca/tasks/main.yml @@ -0,0 +1,58 @@ +--- +- name: create mangaged-ca CA directories + loop: "{{ managed_ca_authorities | list }}" + file: + path: "/etc/ssl/managed-ca/{{ item }}" + state: directory + owner: root + group: root + mode: 0700 + +- name: create managed-ca CA private keys + loop: "{{ managed_ca_authorities | dict2items }}" + loop_control: + label: "{{ item.key }}" + openssl_privatekey: + path: "/etc/ssl/managed-ca/{{ item.key }}/key.pem" + type: "{{ item.value.key.type | default(omit) }}" + size: "{{ item.value.key.size | default(omit) }}" + owner: root + group: root + mode: 0600 + +- name: create signing request for managed-ca CA certificates + loop: "{{ managed_ca_authorities | dict2items }}" + loop_control: + label: "{{ item.key }}" + openssl_csr: + path: "/etc/ssl/managed-ca/{{ item.key }}/csr.pem" + privatekey_path: "/etc/ssl/managed-ca/{{ item.key }}/key.pem" + common_name: "{{ item.value.cert.common_name | default(item.key) }}" + use_common_name_for_san: no + country_name: "{{ item.value.cert.country_name | default(omit) }}" + locality_name: "{{ item.value.cert.locality_name | default(omit) }}" + organization_name: "{{ item.value.cert.organization_name | default(omit) }}" + organizational_unit_name: "{{ item.value.cert.organizational_unit_name | default(omit) }}" + state_or_province_name: "{{ item.value.cert.state_or_province_name | default(omit) }}" + key_usage: + - cRLSign + - keyCertSign + key_usage_critical: yes + basic_constraints: + - 'CA:TRUE' + - 'pathlen:0' + basic_constraints_critical: yes + +- name: create managed-ca CA certificates + loop: "{{ managed_ca_authorities | dict2items }}" + loop_control: + label: "{{ item.key }}" + openssl_certificate: + path: "/etc/ssl/managed-ca/{{ item.key }}/crt.pem" + csr_path: "/etc/ssl/managed-ca/{{ item.key }}/csr.pem" + privatekey_path: "/etc/ssl/managed-ca/{{ item.key }}/key.pem" + provider: selfsigned + selfsigned_digest: "{{ item.value.cert.digest | default(omit) }}" + selfsigned_not_before: "{{ item.value.cert.not_before | default(omit) }}" + selfsigned_not_after: "{{ item.value.cert.not_after | default(omit) }}" + selfsigned_create_subject_key_identifier: always_create diff --git a/roles/x509/managed-ca/cert/finalize/tasks/main.yml b/roles/x509/managed-ca/cert/finalize/tasks/main.yml new file mode 100644 index 00000000..c5b6cafe --- /dev/null +++ b/roles/x509/managed-ca/cert/finalize/tasks/main.yml @@ -0,0 +1,2 @@ +--- +# nothing to do here diff --git a/roles/x509/managed-ca/cert/meta/main.yml b/roles/x509/managed-ca/cert/meta/main.yml new file mode 100644 index 00000000..ce1e5477 --- /dev/null +++ b/roles/x509/managed-ca/cert/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - role: x509/managed-ca/cert/prepare + - role: x509/managed-ca/cert/finalize diff --git a/roles/x509/managed-ca/cert/prepare/defaults/main.yml b/roles/x509/managed-ca/cert/prepare/defaults/main.yml new file mode 100644 index 00000000..8664e7c9 --- /dev/null +++ b/roles/x509/managed-ca/cert/prepare/defaults/main.yml @@ -0,0 +1,49 @@ +--- +managed_ca_cert_hostnames: "{{ x509_certificate_hostnames }}" +managed_ca_cert_name: "{{ x509_certificate_name | default(managed_ca_cert_hostnames[0]) }}" + +managed_ca_cert_base_dir: "/etc/ssl" + +managed_ca_cert_default_renew_margin: "+30d" +managed_ca_cert_config: "{{ x509_certificate_config }}" +# managed_ca_cert_config: +# path: "{{ managed_ca_cert_base_dir }}/{{ managed_ca_cert_name }}" +# mode: "0750" +# owner: root +# group: www-data +# ca: +# host: inventory_name_of_ca_host +# name: my-ca +# key: +# mode: "0640" +# owner: root +# group: www-data +# type: RSA +# size: 4096 +# cert: +# mode: "0644" +# owner: root +# group: www-data +# common_name: foo +# san_extra: +# - "IP:192.0.2.1" +# country_name: "AT" +# locality_name: "Graz" +# organization_name: "spreadspace" +# organizational_unit_name: "ansible" +# state_or_province_name: "Styria" +# basic_constraints: +# - "CA:FALSE" +# basic_constraints_critical: no +# key_usage: +# - digitalSignature +# - keyAgreement +# key_usage_critical: yes +# extended_key_usage: +# - serverAuth +# extended_key_usage_critical: yes +# create_subject_key_identifier: yes +# digest: sha256 +# not_before: +0h +# not_after: +520w +# renew_margin: +42d diff --git a/roles/x509/managed-ca/cert/prepare/handlers/main.yml b/roles/x509/managed-ca/cert/prepare/handlers/main.yml new file mode 100644 index 00000000..589d6dde --- /dev/null +++ b/roles/x509/managed-ca/cert/prepare/handlers/main.yml @@ -0,0 +1,16 @@ +--- +- name: reload services for x509 certificates + loop: "{{ x509_certificate_reload_services | default([]) }}" + loop_control: + loop_var: x509_certificate_reload_service + service: + name: "{{ x509_certificate_reload_service }}" + state: reloaded + +- name: restart services for x509 certificates + loop: "{{ x509_certificate_restart_services | default([]) }}" + loop_control: + loop_var: x509_certificate_restart_service + service: + name: "{{ x509_certificate_restart_service }}" + state: restarted diff --git a/roles/x509/managed-ca/cert/prepare/tasks/main.yml b/roles/x509/managed-ca/cert/prepare/tasks/main.yml new file mode 100644 index 00000000..97292b04 --- /dev/null +++ b/roles/x509/managed-ca/cert/prepare/tasks/main.yml @@ -0,0 +1,123 @@ +--- +- name: compute path to managed-ca certificate directory + set_fact: + managed_ca_cert_path: "{{ managed_ca_cert_config.path | default([managed_ca_cert_base_dir, managed_ca_cert_name] | path_join) }}" + +- name: create directory for managed-ca certificate + file: + path: "{{ managed_ca_cert_path }}" + state: directory + mode: "{{ managed_ca_cert_config.mode | default('0700') }}" + owner: "{{ managed_ca_cert_config.owner | default(omit) }}" + group: "{{ managed_ca_cert_config.group | default(omit) }}" + notify: + - reload services for x509 certificates + - restart services for x509 certificates + +- name: generate key for managed-ca certificate + openssl_privatekey: + path: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-key.pem" + mode: "{{ managed_ca_cert_config.key.mode | default('0600') }}" + owner: "{{ managed_ca_cert_config.key.owner | default(omit) }}" + group: "{{ managed_ca_cert_config.key.group | default(omit) }}" + type: "{{ managed_ca_cert_config.key.type | default(omit) }}" + size: "{{ managed_ca_cert_config.key.size | default(omit) }}" + notify: + - reload services for x509 certificates + - restart services for x509 certificates + register: _managed_ca_key_ + +- name: generate csr for managed-ca certificate + community.crypto.openssl_csr: + path: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-csr.pem" + mode: "{{ managed_ca_cert_config.cert.mode | default('0644') }}" + owner: "{{ managed_ca_cert_config.cert.owner | default(omit) }}" + group: "{{ managed_ca_cert_config.cert.group | default(omit) }}" + privatekey_path: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-key.pem" + create_subject_key_identifier: "{{ managed_ca_cert_config.cert.create_subject_key_identifier | default(omit) }}" + digest: "{{ managed_ca_cert_config.cert.digest | default(omit) }}" + common_name: "{{ managed_ca_cert_config.cert.common_name | default(managed_ca_cert_name) }}" + subject_alt_name: "{{ ['DNS:'] | product(managed_ca_cert_hostnames) | map('join') | union(managed_ca_cert_config.cert.san_extra | default([])) | list }}" + subject_alt_name_critical: yes + use_common_name_for_san: no + country_name: "{{ managed_ca_cert_config.cert.country_name | default(omit) }}" + locality_name: "{{ managed_ca_cert_config.cert.locality_name | default(omit) }}" + organization_name: "{{ managed_ca_cert_config.cert.organization_name | default(omit) }}" + organizational_unit_name: "{{ managed_ca_cert_config.cert.organizational_unit_name | default(omit) }}" + state_or_province_name: "{{ managed_ca_cert_config.cert.state_or_province_name | default(omit) }}" + basic_constraints: "{{ managed_ca_cert_config.cert.basic_constraints | default(omit) }}" + basic_constraints_critical: "{{ managed_ca_cert_config.cert.basic_constraints_critical | default(omit) }}" + key_usage: "{{ managed_ca_cert_config.cert.key_usage | default(omit) }}" + key_usage_critical: "{{ managed_ca_cert_config.cert.key_usage_critical | default(omit) }}" + extended_key_usage: "{{ managed_ca_cert_config.cert.extended_key_usage | default(omit) }}" + extended_key_usage_critical: "{{ managed_ca_cert_config.cert.extended_key_usage_critical | default(omit) }}" + +- name: slurp csr for managed-ca certificate + slurp: + src: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-csr.pem" + register: _managed_ca_csr_ + +- name: check if managed-ca certificate already exists + stat: + path: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-crt.pem" + register: _managed_ca_cert_file_ + +- name: check validity of existing managed-ca certificate + when: _managed_ca_cert_file_.stat.exists + openssl_certificate_info: + path: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-crt.pem" + valid_at: + renew_margin: "{{ managed_ca_cert_config.cert.renew_margin | default(managed_ca_cert_default_renew_margin) }}" + register: _managed_ca_cert_info_ + +- name: slurp existing existing managed-ca certificate + when: _managed_ca_cert_file_.stat.exists + slurp: + src: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-crt.pem" + register: _managed_ca_cert_current_ + +- name: generate managed-ca certificate + delegate_to: "{{ managed_ca_cert_config.ca.host }}" + community.crypto.x509_certificate_pipe: + content: "{{ _managed_ca_cert_current_.content | default('') | b64decode }}" + csr_content: "{{ _managed_ca_csr_.content | b64decode }}" + provider: ownca + ownca_path: "/etc/ssl/managed-ca/{{ managed_ca_cert_config.ca.name }}/crt.pem" + ownca_privatekey_path: "/etc/ssl/managed-ca/{{ managed_ca_cert_config.ca.name }}/key.pem" + ownca_digest: "{{ managed_ca_cert_config.cert.digest | default(omit) }}" + ownca_not_before: "{{ managed_ca_cert_config.cert.not_before | default(omit) }}" + ownca_not_after: "{{ managed_ca_cert_config.cert.not_after | default(omit) }}" + force: "{{ _managed_ca_cert_file_.stat.exists and (not _managed_ca_cert_info_.valid_at.renew_margin) }}" + register: _managed_ca_cert_new_ + +- name: store managed-ca certificate + copy: + content: "{{ _managed_ca_cert_new_.certificate }}" + dest: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-crt.pem" + mode: "{{ managed_ca_cert_config.cert.mode | default('0644') }}" + owner: "{{ managed_ca_cert_config.cert.owner | default(omit) }}" + group: "{{ managed_ca_cert_config.cert.group | default(omit) }}" + register: _managed_ca_cert_ + notify: + - reload services for x509 certificates + - restart services for x509 certificates + +- name: export paths to certificate files + set_fact: + x509_certificate_path_key: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-key.pem" + x509_certificate_path_cert: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-crt.pem" + x509_certificate_path_chain: "" + x509_certificate_path_fullchain: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-crt.pem" + +- name: generate custom post-renewal script + when: x509_certificate_renewal is defined + template: + src: updated.sh.j2 + dest: "{{ managed_ca_cert_path }}/updated.sh" + mode: 0755 + +- name: call custom post-renewal script + when: + - x509_certificate_renewal is defined + - (_managed_ca_key_ is changed) or (_managed_ca_cert_ is changed) + command: "{{ managed_ca_cert_path }}/updated.sh" diff --git a/roles/x509/managed-ca/cert/prepare/templates/updated.sh.j2 b/roles/x509/managed-ca/cert/prepare/templates/updated.sh.j2 new file mode 100644 index 00000000..f0757832 --- /dev/null +++ b/roles/x509/managed-ca/cert/prepare/templates/updated.sh.j2 @@ -0,0 +1,15 @@ +#!/bin/sh +{% if 'install' in x509_certificate_renewal %} +{% for file in x509_certificate_renewal.install %} + +install{% if 'mode' in file %} -m {{ file.mode }}{% endif %}{% if 'owner' in file %} -o {{ file.owner }}{% endif %}{% if 'group' in file %} -g {{ file.group }}{% endif %} /dev/null "{{ file.dest }}.new" +{% for src in file.src %} +cat "{{ lookup('vars', 'x509_certificate_path_' + src) }}" >> "{{ file.dest }}.new" +{% endfor %} +mv "{{ file.dest }}.new" "{{ file.dest }}" +{% endfor %} +{% endif %} +{% if 'reload' in x509_certificate_renewal %} + +{{ x509_certificate_renewal.reload | trim }} +{% endif %} -- cgit v1.2.3