blob: f71acec15991726d43bfe39ced727b05d6e57049 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
|
---
- name: compute path to selfsigned certificate directory
set_fact:
selfsigned_cert_path: "{{ selfsigned_cert_config.path | default([selfsigned_cert_base_dir, selfsigned_cert_name] | path_join) }}"
- name: create directory for selfsigned certificate
file:
path: "{{ selfsigned_cert_path }}"
state: directory
mode: "{{ selfsigned_cert_config.mode | default('0700') }}"
owner: "{{ selfsigned_cert_config.owner | default(omit) }}"
group: "{{ selfsigned_cert_config.group | default(omit) }}"
notify:
- reload services for x509 certificates
- restart services for x509 certificates
- name: generate key for selfsigned certificate
openssl_privatekey:
path: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-key.pem"
mode: "{{ selfsigned_cert_config.key.mode | default('0600') }}"
owner: "{{ selfsigned_cert_config.key.owner | default(omit) }}"
group: "{{ selfsigned_cert_config.key.group | default(omit) }}"
type: "{{ selfsigned_cert_config.key.type | default(omit) }}"
size: "{{ selfsigned_cert_config.key.size | default(omit) }}"
notify:
- reload services for x509 certificates
- restart services for x509 certificates
register: _selfsigned_key_
- name: generate csr for selfsigned certificate
community.crypto.openssl_csr:
path: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-csr.pem"
mode: "{{ selfsigned_cert_config.cert.mode | default('0644') }}"
owner: "{{ selfsigned_cert_config.cert.owner | default(omit) }}"
group: "{{ selfsigned_cert_config.cert.group | default(omit) }}"
privatekey_path: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-key.pem"
create_subject_key_identifier: "{{ selfsigned_cert_config.cert.create_subject_key_identifier | default(omit) }}"
digest: "{{ selfsigned_cert_config.cert.digest | default(omit) }}"
common_name: "{{ selfsigned_cert_config.cert.common_name | default(selfsigned_cert_name) }}"
subject_alt_name: "{{ ['DNS:'] | product(selfsigned_cert_hostnames) | map('join') | union(selfsigned_cert_config.cert.san_extra | default([])) | list }}"
subject_alt_name_critical: yes
use_common_name_for_san: no
country_name: "{{ selfsigned_cert_config.cert.country_name | default(omit) }}"
locality_name: "{{ selfsigned_cert_config.cert.locality_name | default(omit) }}"
organization_name: "{{ selfsigned_cert_config.cert.organization_name | default(omit) }}"
organizational_unit_name: "{{ selfsigned_cert_config.cert.organizational_unit_name | default(omit) }}"
state_or_province_name: "{{ selfsigned_cert_config.cert.state_or_province_name | default(omit) }}"
basic_constraints: "{{ selfsigned_cert_config.cert.basic_constraints | default(omit) }}"
basic_constraints_critical: "{{ selfsigned_cert_config.cert.basic_constraints_critical | default(omit) }}"
key_usage: "{{ selfsigned_cert_config.cert.key_usage | default(omit) }}"
key_usage_critical: "{{ selfsigned_cert_config.cert.key_usage_critical | default(omit) }}"
extended_key_usage: "{{ selfsigned_cert_config.cert.extended_key_usage | default(omit) }}"
extended_key_usage_critical: "{{ selfsigned_cert_config.cert.extended_key_usage_critical | default(omit) }}"
- name: check if selfsigned certificate already exists
stat:
path: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-crt.pem"
register: _selfsigned_cert_file_
- name: check validity of existing selfsigned certificate
when: _selfsigned_cert_file_.stat.exists
openssl_certificate_info:
path: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-crt.pem"
valid_at:
renew_margin: "{{ selfsigned_cert_config.cert.renew_margin | default(selfsigned_cert_default_renew_margin) }}"
register: _selfsigned_cert_info_
- name: generate selfsigned certificate
community.crypto.x509_certificate:
path: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-crt.pem"
mode: "{{ selfsigned_cert_config.cert.mode | default('0644') }}"
owner: "{{ selfsigned_cert_config.cert.owner | default(omit) }}"
group: "{{ selfsigned_cert_config.cert.group | default(omit) }}"
privatekey_path: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-key.pem"
csr_path: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-csr.pem"
provider: selfsigned
selfsigned_digest: "{{ selfsigned_cert_config.cert.digest | default(omit) }}"
selfsigned_not_before: "{{ selfsigned_cert_config.cert.not_before | default(omit) }}"
selfsigned_not_after: "{{ selfsigned_cert_config.cert.not_after | default(omit) }}"
force: "{{ _selfsigned_cert_file_.stat.exists and (not _selfsigned_cert_info_.valid_at.renew_margin) }}"
notify:
- reload services for x509 certificates
- restart services for x509 certificates
register: _selfsigned_cert_
- name: export paths to certificate files
set_fact:
x509_certificate_path_key: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-key.pem"
x509_certificate_path_cert: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-crt.pem"
x509_certificate_path_chain: ""
x509_certificate_path_fullchain: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-crt.pem"
- name: generate custom post-renewal script
when: x509_certificate_renewal is defined
template:
src: updated.sh.j2
dest: "{{ selfsigned_cert_path }}/updated.sh"
mode: 0755
- name: call custom post-renewal script
when:
- x509_certificate_renewal is defined
- (_selfsigned_key_ is changed) or (_selfsigned_cert_ is changed)
command: "{{ selfsigned_cert_path }}/updated.sh"
|
