path: root/roles/x509/static-ca/cert/prepare/tasks/main.yml
---
# Resolve the directory that will hold this certificate's files: an explicit
# static_ca_cert_config.path wins, otherwise the base directory joined with
# the certificate name is used.
- name: compute path to static-ca certificate directory
  set_fact:
    static_ca_cert_path: >-
      {{ static_ca_cert_config.path
      | default([static_ca_cert_base_dir, static_ca_cert_name] | path_join) }}

# This directory later receives the private key, so it defaults to owner-only
# access (0700). Owner and group are only set when configured.
- name: create directory for static-ca certificate
  notify:
  - reload services for x509 certificates
  - restart services for x509 certificates
  file:
    state: directory
    path: "{{ static_ca_cert_path }}"
    owner: "{{ static_ca_cert_config.owner | default(omit) }}"
    group: "{{ static_ca_cert_config.group | default(omit) }}"
    mode: "{{ static_ca_cert_config.mode | default('0700') }}"

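# Create the private key for this certificate. The key file defaults to mode
# 0600. The registered result is used further down to decide whether the
# post-renewal script has to run.
# NOTE(review): when key.type / key.size are not configured the module's own
# defaults apply — confirm they satisfy the key-strength policy for this CA.
- name: generate key for static-ca certificate
  # Fully qualified module name, matching the csr and certificate tasks.
  community.crypto.openssl_privatekey:
    path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem"
    mode: "{{ static_ca_cert_config.key.mode | default('0600') }}"
    owner: "{{ static_ca_cert_config.key.owner | default(omit) }}"
    group: "{{ static_ca_cert_config.key.group | default(omit) }}"
    type: "{{ static_ca_cert_config.key.type | default(omit) }}"
    size: "{{ static_ca_cert_config.key.size | default(omit) }}"
  notify:
  - reload services for x509 certificates
  - restart services for x509 certificates
  register: _static_ca_key_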

# Build the certificate signing request from the key generated above.
# The SAN list is one "DNS:<hostname>" entry per static_ca_cert_hostnames item
# plus cert.san_extra; san_extra entries are appended verbatim, so each one has
# to carry its own type prefix already.
# NOTE(review): basic_constraints, key_usage and extended_key_usage are only
# requested when configured — consider setting them explicitly so issued leaf
# certificates are limited to their intended purpose.
- name: generate csr for static-ca certificate
  community.crypto.openssl_csr:
    # files and permissions
    path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-csr.pem"
    privatekey_path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem"
    owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}"
    group: "{{ static_ca_cert_config.cert.group | default(omit) }}"
    mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}"
    digest: "{{ static_ca_cert_config.cert.digest | default(omit) }}"
    # subject
    common_name: "{{ static_ca_cert_config.cert.common_name | default(static_ca_cert_name) }}"
    country_name: "{{ static_ca_cert_config.cert.country_name | default(omit) }}"
    state_or_province_name: "{{ static_ca_cert_config.cert.state_or_province_name | default(omit) }}"
    locality_name: "{{ static_ca_cert_config.cert.locality_name | default(omit) }}"
    organization_name: "{{ static_ca_cert_config.cert.organization_name | default(omit) }}"
    organizational_unit_name: "{{ static_ca_cert_config.cert.organizational_unit_name | default(omit) }}"
    # subject alternative names: marked critical, common name is not copied in
    subject_alt_name: >-
      {{ ['DNS:'] | product(static_ca_cert_hostnames) | map('join')
      | union(static_ca_cert_config.cert.san_extra | default([])) | list }}
    subject_alt_name_critical: true
    use_common_name_for_san: false
    # optional extensions
    create_subject_key_identifier: "{{ static_ca_cert_config.cert.create_subject_key_identifier | default(omit) }}"
    basic_constraints: "{{ static_ca_cert_config.cert.basic_constraints | default(omit) }}"
    basic_constraints_critical: "{{ static_ca_cert_config.cert.basic_constraints_critical | default(omit) }}"
    key_usage: "{{ static_ca_cert_config.cert.key_usage | default(omit) }}"
    key_usage_critical: "{{ static_ca_cert_config.cert.key_usage_critical | default(omit) }}"
    extended_key_usage: "{{ static_ca_cert_config.cert.extended_key_usage | default(omit) }}"
    extended_key_usage_critical: "{{ static_ca_cert_config.cert.extended_key_usage_critical | default(omit) }}"

# Record whether a certificate file is already in place; the validity check
# and the force-renewal decision of the following tasks read this result.
- name: check if static-ca certificate already exists
  register: _static_ca_cert_file_
  stat:
    path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"

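# Ask whether the existing certificate is still valid at the renew-margin point
# in time (per-certificate setting, falling back to the role default). The
# answer is read later as _static_ca_cert_info_.valid_at.renew_margin.
# The task is skipped when no certificate file exists yet.
- name: check validity of existing static-ca certificate
  when: _static_ca_cert_file_.stat.exists
  # openssl_certificate_info is the former name of this module; use the current
  # fully qualified name, in line with the x509_certificate task of this file.
  community.crypto.x509_certificate_info:
    path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
    valid_at:
      renew_margin: "{{ static_ca_cert_config.cert.renew_margin | default(static_ca_cert_default_renew_margin) }}"
  register: _static_ca_cert_info_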

# Issue (or re-issue) the certificate from the CSR, signed by the static CA
# whose certificate and private key are supplied inline from configuration.
#
# NOTE(review): no delegate_to is set on this task, so unless the caller
# delegates it, the CA private key in ownca_privatekey_content is handed to the
# module on the managed host on every run. Keep
# static_ca_cert_config.ca.key_content encrypted at rest (e.g. Ansible Vault)
# and confirm that exposing the CA key to each host fits this CA's trust scope.
- name: generate static-ca certificate
  community.crypto.x509_certificate:
    path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
    mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}"
    owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}"
    group: "{{ static_ca_cert_config.cert.group | default(omit) }}"
    csr_path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-csr.pem"
    provider: ownca
    ownca_content: "{{ static_ca_cert_config.ca.cert_content }}"
    # CA signing key, passed as content rather than as a path on the host.
    ownca_privatekey_content: "{{ static_ca_cert_config.ca.key_content }}"
    ownca_digest: "{{ static_ca_cert_config.cert.digest | default(omit) }}"
    # When not_before / not_after are not configured the module's default
    # validity window applies.
    # NOTE(review): confirm that default matches the intended certificate lifetime.
    ownca_not_before: "{{ static_ca_cert_config.cert.not_before | default(omit) }}"
    ownca_not_after: "{{ static_ca_cert_config.cert.not_after | default(omit) }}"
    # Force re-issuance only when a certificate exists and is no longer valid at
    # the renew-margin time. `and` short-circuits, so the skipped info result is
    # not dereferenced when the certificate file is absent.
    force: "{{ _static_ca_cert_file_.stat.exists and (not _static_ca_cert_info_.valid_at.renew_margin) }}"
  notify:
  - reload services for x509 certificates
  - restart services for x509 certificates
  # Read by the post-renewal task to detect a newly issued certificate.
  register: _static_ca_cert_

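# Write the issuing CA certificate into the certificate directory; its path is
# exported below as x509_certificate_path_ca_cert.
- name: install CA certificate
  copy:
    content: "{{ static_ca_cert_config.ca.cert_content }}"
    dest: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-ca-crt.pem"
    # Set permissions explicitly instead of inheriting whatever the remote
    # umask yields; the CA certificate is public data, so it follows the same
    # settings as the issued certificate.
    mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}"
    owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}"
    group: "{{ static_ca_cert_config.cert.group | default(omit) }}"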

# Publish the file locations as x509_certificate_path_* facts.
# No separate chain file is produced: the chain path is empty and the
# fullchain path points at the certificate file itself.
- name: export paths to certificate files
  vars:
    # common "<directory>/<certificate name>" stem of all generated files
    _static_ca_file_stem_: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}"
  set_fact:
    x509_certificate_path_ca_cert: "{{ _static_ca_file_stem_ }}-ca-crt.pem"
    x509_certificate_path_cert: "{{ _static_ca_file_stem_ }}-crt.pem"
    x509_certificate_path_fullchain: "{{ _static_ca_file_stem_ }}-crt.pem"
    x509_certificate_path_chain: ""
    x509_certificate_path_key: "{{ _static_ca_file_stem_ }}-key.pem"

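# Render the post-renewal hook into the certificate directory; only done when
# x509_certificate_renewal is defined.
# NOTE(review): the script lands in a directory whose owner may be set to a
# service account (static_ca_cert_config.owner) and is executed by the next
# task with the privileges of the Ansible run. Confirm that the directory owner
# is trusted to that degree, or render the script to a location only the
# privileged user can write.
- name: generate custom post-renewal script
  when: x509_certificate_renewal is defined
  template:
    src: updated.sh.j2
    dest: "{{ static_ca_cert_path }}/updated.sh"
    # Quoted so the mode is always read as an octal permission string, like
    # every other mode in this file.
    mode: "0755"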

# Run the rendered hook, but only when renewal handling is configured and this
# run actually produced a new key or a new certificate.
- name: call custom post-renewal script
  command: "{{ static_ca_cert_path }}/updated.sh"
  when: >-
    x509_certificate_renewal is defined
    and ((_static_ca_key_ is changed) or (_static_ca_cert_ is changed))