From 5756978238ad7b7f2fe8dc46d511cfbd5245c0c3 Mon Sep 17 00:00:00 2001
From: Christian Pointner <equinox@spreadspace.org>
Date: Wed, 16 Aug 2023 23:38:07 +0200
Subject: uacme roles almost done

---
 roles/x509/uacme/cert/prepare/tasks/main.yml | 88 ++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)
 create mode 100644 roles/x509/uacme/cert/prepare/tasks/main.yml

(limited to 'roles/x509/uacme/cert/prepare/tasks')

diff --git a/roles/x509/uacme/cert/prepare/tasks/main.yml b/roles/x509/uacme/cert/prepare/tasks/main.yml
new file mode 100644
index 00000000..06b9f146
--- /dev/null
+++ b/roles/x509/uacme/cert/prepare/tasks/main.yml
@@ -0,0 +1,88 @@
+---
+- name: create directory for uacme-controlled certificate
+  file:
+    path: "/var/lib/uacme.d/{{ uacme_cert_name }}"
+    state: directory
+
+- name: generate key for uacme-controlled certificate
+  openssl_privatekey:
+    path: "/var/lib/uacme.d/{{ uacme_cert_name }}/key.pem"
+    mode: "{{ uacme_cert_config.key.mode | default('0600') }}"
+    owner: "{{ uacme_cert_config.key.owner | default(omit) }}"
+    group: "{{ uacme_cert_config.key.group | default(omit) }}"
+    type: "{{ uacme_cert_config.key.type | default(omit) }}"
+    size: "{{ uacme_cert_config.key.size | default(omit) }}"
+  notify: "{{ x509_notify_on_change | default(omit) }}"
+
+- name: generate csr for uacme-controlled certificate
+  community.crypto.openssl_csr:
+    path: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}.csr"
+    mode: "{{ uacme_cert_config.cert.mode | default('0644') }}"
+    owner: "{{ uacme_cert_config.cert.owner | default(omit) }}"
+    group: "{{ uacme_cert_config.cert.group | default(omit) }}"
+    privatekey_path: "/var/lib/uacme.d/{{ uacme_cert_name }}/key.pem"
+    common_name: "{{ uacme_cert_hostnames[0] }}"
+    subject_alt_name: "{{ ['DNS:'] | product(uacme_cert_hostnames) | map('join') | list }}"
+    subject_alt_name_critical: yes
+    use_common_name_for_san: no
+
+- name: test if uacme-controlled certificate already exists
+  stat:
+    path: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem"
+  register: uacme_cert_file
+
+- name: generate selfsigned interim certificate
+  when: not uacme_cert_file.stat.exists
+  block:
+  ### this is needed because strftime filter in ansible is exceptionally stupid
+  ### see: https://github.com/ansible/ansible/issues/39835
+  - name: get remote date-time 10s ago
+    command: date -d '10 seconds ago' -u '+%Y%m%d%H%M%SZ'
+    register: remote_datetime_10sago
+    changed_when: false
+
+  - name: get remote date-time now
+    command: date -u '+%Y%m%d%H%M%SZ'
+    register: remote_datetime_now
+    changed_when: false
+
+  - name: generate selfsigned interim certificate
+    community.crypto.x509_certificate:
+      path: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem"
+      mode: "{{ uacme_cert_config.cert.mode | default('0644') }}"
+      owner: "{{ uacme_cert_config.cert.owner | default(omit) }}"
+      group: "{{ uacme_cert_config.cert.group | default(omit) }}"
+      privatekey_path: "/var/lib/uacme.d/{{ uacme_cert_name }}/key.pem"
+      csr_path: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}.csr"
+      provider: selfsigned
+      ## make sure the certificate is not valid anymore to force uacme to create a new cert
+      selfsigned_not_before: "{{ remote_datetime_10sago.stdout }}"
+      selfsigned_not_after: "{{ remote_datetime_now.stdout }}"
+      return_content: yes
+    register: uacme_cert_selfsigned
+    notify: "{{ x509_notify_on_change | default(omit) }}"
+
+  - name: make sure cert-only file exists
+    copy:
+      content: "{{ uacme_cert_selfsigned.certificate }}"
+      dest: "/var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem"
+      mode: "{{ uacme_cert_config.cert.mode | default('0644') }}"
+      owner: "{{ uacme_cert_config.cert.owner | default(omit) }}"
+      group: "{{ uacme_cert_config.cert.group | default(omit) }}"
+    notify: "{{ x509_notify_on_change | default(omit) }}"
+
+  - name: make sure the chain file exists
+    copy:
+      content: ""
+      dest: "/var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem"
+      mode: "{{ uacme_cert_config.cert.mode | default('0644') }}"
+      owner: "{{ uacme_cert_config.cert.owner | default(omit) }}"
+      group: "{{ uacme_cert_config.cert.group | default(omit) }}"
+    notify: "{{ x509_notify_on_change | default(omit) }}"
+
+- name: export paths to certificate files
+  set_fact:
+    x509_certificate_path_key: "/var/lib/uacme.d/{{ uacme_cert_name }}/key.pem"
+    x509_certificate_path_cert: "/var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem"
+    x509_certificate_path_chain: "/var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem"
+    x509_certificate_path_fullchain: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem"
-- 
cgit v1.2.3