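---
# Issue and maintain one X.509 certificate for this host, signed by a private
# CA ("managed-ca") that lives on a separate, delegated CA host.
#
# Trust boundary: the private key is generated on this host and is never
# copied anywhere. Only the CSR is sent to the CA host (via a pipe module,
# not a file) and only the signed certificate comes back, so the CA's
# private key never leaves the CA host and the leaf key never leaves this one.
#
# Inputs (provided by the caller):
#   managed_ca_cert_name, managed_ca_cert_base_dir, managed_ca_cert_hostnames,
#   managed_ca_cert_default_renew_margin, managed_ca_cert_config
#   (keys used here: path, mode, owner, group, key.*, cert.*, ca.host, ca.name),
#   optional x509_certificate_renewal (enables the post-renewal script).
# Outputs: the x509_certificate_path_* facts set at the end.

- name: compute path to managed-ca certificate directory
  ansible.builtin.set_fact:
    # An explicit config path wins; otherwise <base_dir>/<cert_name>.
    managed_ca_cert_path: "{{ managed_ca_cert_config.path | default([managed_ca_cert_base_dir, managed_ca_cert_name] | path_join) }}"

# Private by default (0700) because the directory also holds the private key.
- name: create directory for managed-ca certificate
  ansible.builtin.file:
    path: "{{ managed_ca_cert_path }}"
    state: directory
    mode: "{{ managed_ca_cert_config.mode | default('0700') }}"
    owner: "{{ managed_ca_cert_config.owner | default(omit) }}"
    group: "{{ managed_ca_cert_config.group | default(omit) }}"
  notify:
    - reload services for x509 certificates
    - restart services for x509 certificates

# The key stays on this host; it is only ever referenced by path below.
# Type/size are left to the module defaults unless the config overrides them.
- name: generate key for managed-ca certificate
  community.crypto.openssl_privatekey:
    path: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-key.pem"
    mode: "{{ managed_ca_cert_config.key.mode | default('0600') }}"
    owner: "{{ managed_ca_cert_config.key.owner | default(omit) }}"
    group: "{{ managed_ca_cert_config.key.group | default(omit) }}"
    type: "{{ managed_ca_cert_config.key.type | default(omit) }}"
    size: "{{ managed_ca_cert_config.key.size | default(omit) }}"
  notify:
    - reload services for x509 certificates
    - restart services for x509 certificates
  register: _managed_ca_key_

# SANs are "DNS:<name>" for every managed hostname plus cert.san_extra; the
# SAN extension is marked critical and the CN is deliberately not copied into
# it, so every name the certificate is valid for is listed explicitly.
- name: generate csr for managed-ca certificate
  community.crypto.openssl_csr:
    path: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-csr.pem"
    mode: "{{ managed_ca_cert_config.cert.mode | default('0644') }}"
    owner: "{{ managed_ca_cert_config.cert.owner | default(omit) }}"
    group: "{{ managed_ca_cert_config.cert.group | default(omit) }}"
    privatekey_path: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-key.pem"
    create_subject_key_identifier: "{{ managed_ca_cert_config.cert.create_subject_key_identifier | default(omit) }}"
    digest: "{{ managed_ca_cert_config.cert.digest | default(omit) }}"
    common_name: "{{ managed_ca_cert_config.cert.common_name | default(managed_ca_cert_name) }}"
    subject_alt_name: "{{ ['DNS:'] | product(managed_ca_cert_hostnames) | map('join') | union(managed_ca_cert_config.cert.san_extra | default([])) | list }}"
    subject_alt_name_critical: true
    use_common_name_for_san: false
    country_name: "{{ managed_ca_cert_config.cert.country_name | default(omit) }}"
    locality_name: "{{ managed_ca_cert_config.cert.locality_name | default(omit) }}"
    organization_name: "{{ managed_ca_cert_config.cert.organization_name | default(omit) }}"
    organizational_unit_name: "{{ managed_ca_cert_config.cert.organizational_unit_name | default(omit) }}"
    state_or_province_name: "{{ managed_ca_cert_config.cert.state_or_province_name | default(omit) }}"
    basic_constraints: "{{ managed_ca_cert_config.cert.basic_constraints | default(omit) }}"
    basic_constraints_critical: "{{ managed_ca_cert_config.cert.basic_constraints_critical | default(omit) }}"
    key_usage: "{{ managed_ca_cert_config.cert.key_usage | default(omit) }}"
    key_usage_critical: "{{ managed_ca_cert_config.cert.key_usage_critical | default(omit) }}"
    extended_key_usage: "{{ managed_ca_cert_config.cert.extended_key_usage | default(omit) }}"
    extended_key_usage_critical: "{{ managed_ca_cert_config.cert.extended_key_usage_critical | default(omit) }}"

# Read the CSR into memory so it can be handed to the CA host as content
# rather than copied there as a file.
- name: slurp csr for managed-ca certificate
  ansible.builtin.slurp:
    src: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-csr.pem"
  register: _managed_ca_csr_

- name: check if managed-ca certificate already exists
  ansible.builtin.stat:
    path: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-crt.pem"
  register: _managed_ca_cert_file_

# valid_at.renew_margin is true while the existing certificate is still valid
# at now + renew_margin; a false result forces reissue below.
- name: check validity of existing managed-ca certificate
  when: _managed_ca_cert_file_.stat.exists
  community.crypto.x509_certificate_info:
    path: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-crt.pem"
    valid_at:
      renew_margin: "{{ managed_ca_cert_config.cert.renew_margin | default(managed_ca_cert_default_renew_margin) }}"
  register: _managed_ca_cert_info_

- name: slurp existing managed-ca certificate
  when: _managed_ca_cert_file_.stat.exists
  ansible.builtin.slurp:
    src: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-crt.pem"
  register: _managed_ca_cert_current_

# Runs on the CA host. The existing certificate (empty on first run) and the
# CSR travel as content; the CA key is only read in place on the CA host.
# Without cert.not_after the module's own default lifetime applies — set it
# explicitly if a shorter lifetime is wanted.
- name: generate managed-ca certificate
  delegate_to: "{{ managed_ca_cert_config.ca.host }}"
  community.crypto.x509_certificate_pipe:
    content: "{{ _managed_ca_cert_current_.content | default('') | b64decode }}"
    csr_content: "{{ _managed_ca_csr_.content | b64decode }}"
    provider: ownca
    ownca_path: "/etc/ssl/managed-ca/{{ managed_ca_cert_config.ca.name }}/crt.pem"
    ownca_privatekey_path: "/etc/ssl/managed-ca/{{ managed_ca_cert_config.ca.name }}/key.pem"
    ownca_digest: "{{ managed_ca_cert_config.cert.digest | default(omit) }}"
    ownca_not_before: "{{ managed_ca_cert_config.cert.not_before | default(omit) }}"
    ownca_not_after: "{{ managed_ca_cert_config.cert.not_after | default(omit) }}"
    # Force reissue only when the existing certificate will not survive the
    # renew margin; "and" short-circuits, so _managed_ca_cert_info_ is only
    # evaluated when the file exists (the info task was skipped otherwise).
    force: "{{ _managed_ca_cert_file_.stat.exists and (not _managed_ca_cert_info_.valid_at.renew_margin) }}"
  register: _managed_ca_cert_new_

# Write the signed certificate back on this host; the registered result is
# what decides whether the post-renewal script runs.
- name: store managed-ca certificate
  ansible.builtin.copy:
    content: "{{ _managed_ca_cert_new_.certificate }}"
    dest: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-crt.pem"
    mode: "{{ managed_ca_cert_config.cert.mode | default('0644') }}"
    owner: "{{ managed_ca_cert_config.cert.owner | default(omit) }}"
    group: "{{ managed_ca_cert_config.cert.group | default(omit) }}"
  register: _managed_ca_cert_
  notify:
    - reload services for x509 certificates
    - restart services for x509 certificates

# Only the CA's public certificate is read from the CA host.
- name: slurp managed-ca CA certificate
  delegate_to: "{{ managed_ca_cert_config.ca.host }}"
  ansible.builtin.slurp:
    src: "/etc/ssl/managed-ca/{{ managed_ca_cert_config.ca.name }}/crt.pem"
  register: _managed_ca_ca_cert_

# Same ownership/permissions as the leaf certificate so the consuming service
# can read it, and the same handlers so a rotated CA certificate is picked up.
- name: install CA certificate
  ansible.builtin.copy:
    content: "{{ _managed_ca_ca_cert_.content | b64decode }}"
    dest: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-ca-crt.pem"
    mode: "{{ managed_ca_cert_config.cert.mode | default('0644') }}"
    owner: "{{ managed_ca_cert_config.cert.owner | default(omit) }}"
    group: "{{ managed_ca_cert_config.cert.group | default(omit) }}"
  notify:
    - reload services for x509 certificates
    - restart services for x509 certificates

# Generic facts consumed by the rest of the x509 role. The CA signs the leaf
# directly, so there is no intermediate chain: chain is empty and fullchain
# is the leaf certificate itself.
- name: export paths to certificate files
  ansible.builtin.set_fact:
    x509_certificate_path_key: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-key.pem"
    x509_certificate_path_cert: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-crt.pem"
    x509_certificate_path_chain: ""
    x509_certificate_path_fullchain: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-crt.pem"
    x509_certificate_path_ca_cert: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-ca-crt.pem"

- name: generate custom post-renewal script
  when: x509_certificate_renewal is defined
  ansible.builtin.template:
    src: updated.sh.j2
    dest: "{{ managed_ca_cert_path }}/updated.sh"
    # Quoted so the YAML parser cannot reinterpret the octal mode.
    mode: "0755"

# Run the hook only when the key or the certificate actually changed.
- name: call custom post-renewal script
  when:
    - x509_certificate_renewal is defined
    - (_managed_ca_key_ is changed) or (_managed_ca_cert_ is changed)
  ansible.builtin.command: "{{ managed_ca_cert_path }}/updated.sh"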