roles/acmetool/base/tasks/selfsigned.yml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145

---
- name: get id of existing selfsigned interim certificate
  shell: cat /var/lib/acme/.selfsigned-interim-cert || true
  changed_when: false
  check_mode: false
  register: existing_selfsigned_interim_cert_id

- name: set existing_selfsigned_interim_cert_id variable
  set_fact:
    existing_selfsigned_interim_cert_id: "{{ existing_selfsigned_interim_cert_id.stdout }}"

- name: check if selfsigned interim certificate does exist
  stat:
    path: "/var/lib/acme/certs/{{ existing_selfsigned_interim_cert_id }}"
  register: existing_selfsigned_interim_cert_stat

- name: create selfsigned interim certificate
  when: not existing_selfsigned_interim_cert_id or not existing_selfsigned_interim_cert_stat.stat.exists
  block:
    - name: create temporary directory
      tempfile:
        path: /var/lib/acme/tmp
        prefix: selfsigned-interim-cert-
        state: directory
      register: tmpdir

    - name: set tmpdir variable
      set_fact:
        tmpdir: "{{ tmpdir.path }}"

    - name: generate private key for selfsigned interim certificate
      openssl_privatekey:
        path: "{{ tmpdir }}/privkey"
        mode: 0600

    - name: generate csr for selfsigned interim certificate
      openssl_csr:
        path: "{{ tmpdir }}/csr"
        privatekey_path: "{{ tmpdir }}/privkey"
        common_name: "{{ ansible_fqdn }}"


    ### this is needed because strftime filter in ansible is exceptionally stupid
    ### see: https://github.com/ansible/ansible/issues/39835
    - name: get remote date-time 10s ago
      command: date -d '10 seconds ago' -u '+%Y%m%d%H%M%SZ'
      register: remote_datetime_10sago

    - name: get remote date-time now
      command: date -u '+%Y%m%d%H%M%SZ'
      register: remote_datetime_now

    - name: generate selfsigned interim certificate
      openssl_certificate:
        path: "{{ tmpdir }}/cert"
        privatekey_path: "{{ tmpdir }}/privkey"
        csr_path: "{{ tmpdir }}/csr"
        provider: selfsigned
        ## make sure the certificate is not valid anymore to force acmetool to create a new cert
        selfsigned_not_before: "{{ remote_datetime_10sago.stdout }}"
        selfsigned_not_after: "{{ remote_datetime_now.stdout }}"

    - name: remove csr for selfsigned interim certificate
      file:
        path: "{{ tmpdir }}/csr"
        state: absent

    - name: copy selfsigned interim certificate for fullchain
      command: "cp '{{ tmpdir }}/cert' '{{ tmpdir }}/fullchain'"

    - name: create additional empty files
      loop:
        - chain
        - selfsigned
      copy:
        content: ""
        dest: "{{ tmpdir }}/{{ item }}"

    ### TODO: remove this once acmetool respects it's own storage layout
    ###       see: https://github.com/hlandau/acme/blob/master/_doc/SCHEMA.md#temporary-use-of-self-signed-certificates
    - name: generate fake url file
      copy:
        content: "https://acme.example.com/acme/cert/self-signed\n"
        dest: "{{ tmpdir }}/url"

    - name: get key id
      shell: "openssl x509 -in '{{ tmpdir }}/cert' -noout -pubkey | openssl enc -base64 -d | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'"
      register: selfsigned_interim_key_id

    - name: set selfsigned_interim_key_id variable
      set_fact:
        selfsigned_interim_key_id: "{{ selfsigned_interim_key_id.stdout }}"

    - name: create directory for private key of selfsigned interim certificate
      file:
        path: "/var/lib/acme/keys/{{ selfsigned_interim_key_id }}"
        state: directory
        mode: 0700

    - name: move private key to its directory
      command: "mv '{{ tmpdir }}/privkey' '/var/lib/acme/keys/{{ selfsigned_interim_key_id }}/privkey'"

    - name: create symlink to privkey
      file:
        src: "../../keys/{{ selfsigned_interim_key_id }}/privkey"
        dest: "{{ tmpdir }}/privkey"
        state: link

    # - name: get certificate id
    #   shell: "openssl x509 -in '{{ tmpdir }}/cert' -outform der | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'"
    #   register: selfsigned_interim_cert_id

    # - name: set selfsigned_interim_cert_id variable
    #   set_fact:
    #     selfsigned_interim_cert_id: "selfsigned-{{ selfsigned_interim_cert_id.stdout }}"

    ### TODO: replace with the above once acmetool respects it's own storage layout
    ###       see: https://github.com/hlandau/acme/blob/master/_doc/SCHEMA.md#temporary-use-of-self-signed-certificates
    - name: get certificate id
      shell: "cat '{{ tmpdir }}/url' | tr -d '\n' | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'"
      register: selfsigned_interim_cert_id

    - name: set selfsigned_interim_cert_id variable
      set_fact:
        selfsigned_interim_cert_id: "{{ selfsigned_interim_cert_id.stdout }}"

    - name: set permissions for selfsigned interim certificate directory
      file:
        path: "{{ tmpdir }}"
        mode: 0755
        state: directory

    - name: move selfsigned interim certificate directory into place
      command: "mv '{{ tmpdir }}' '/var/lib/acme/certs/{{ selfsigned_interim_cert_id }}'"

    - name: write cert-id of selfsigned interim certificate to state directory
      copy:
        content: "{{ selfsigned_interim_cert_id }}"
        dest: /var/lib/acme/.selfsigned-interim-cert

  rescue:
    - name: remove temporary directory for selfsigned interim certificate
      file:
        path: "{{ tmpdir }}"
        state: absent