blob: 6508676dbec49bb938d784986864bbc6bd7616a0 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
|
---
- name: install python-cryptography
apt:
name: "{{ python_basename }}-cryptography"
state: present
- name: create base directory
file:
path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}"
state: directory
- name: create server cert/key directory
file:
path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server"
state: directory
owner: root
group: root
mode: 0750
- name: create private key for server certificate
openssl_privatekey:
path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/key.pem"
type: RSA
size: 4096
owner: root
group: root
mode: 0400
notify: restart openvpn-server
- name: create signing request for server certificate
openssl_csr:
path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/csr.pem"
privatekey_path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/key.pem"
CN: "{{ inventory_hostname }}"
key_usage:
- digitalSignature
- keyEncipherment
key_usage_critical: yes
extended_key_usage:
- serverAuth
extended_key_usage_critical: yes
basic_constraints:
- 'CA:FALSE'
basic_constraints_critical: yes
- name: slurp CSR
slurp:
src: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/csr.pem"
register: openvpn_server_csr
- name: check if server certificate exists
stat:
path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/crt.pem"
register: openvpn_server_cert
- name: read server certificate validity
when: openvpn_server_cert.stat.exists
openssl_certificate_info:
path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/crt.pem"
valid_at:
ten_years: '+3650d' ## 10 years
register: openvpn_server_cert_info
- name: slurp existing server certificate
when: openvpn_server_cert.stat.exists
slurp:
src: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/crt.pem"
register: openvpn_server_cert_current
- name: generate server certificate
delegate_to: "{{ openvpn_zone.ca_host }}"
community.crypto.x509_certificate_pipe:
content: "{{ openvpn_server_cert_current.content | default('') | b64decode }}"
csr_content: "{{ openvpn_server_csr.content | b64decode }}"
provider: ownca
ownca_path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca-crt.pem"
ownca_privatekey_path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca/key.pem"
ownca_digest: sha256
ownca_not_after: "+18250d" ## 50 years
force: "{{ openvpn_server_cert.stat.exists and (not openvpn_server_cert_info.valid_at.ten_years) }}"
register: openvpn_server_cert
- name: store server certificate
copy:
content: "{{ openvpn_server_cert.certificate }}"
dest: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/crt.pem"
notify: restart openvpn-server
- name: slurp CA certificate
delegate_to: "{{ openvpn_zone.ca_host }}"
slurp:
src: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca-crt.pem"
register: openvpn_server_ca_certificate
- name: install CA certificate
copy:
content: "{{ openvpn_server_ca_certificate.content | b64decode }}"
dest: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca-crt.pem"
- name: generate Diffie-Hellman parameters
openssl_dhparam:
path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/dhparams.pem"
size: 2048
notify: restart openvpn-server
|
