summaryrefslogtreecommitdiff
path: root/roles/x509/static-ca/cert/prepare/tasks/main.yml
blob: 4f618b51c8c376cf564189008229c78dbf7fefc7 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
---
- name: compute path to static-ca certificate directory
  set_fact:
    static_ca_cert_path: "{{ static_ca_cert_config.path | default([static_ca_cert_base_dir, static_ca_cert_name] | path_join) }}"

- name: create directory for static-ca certificate
  file:
    path: "{{ static_ca_cert_path }}"
    state: directory
    mode: "{{ static_ca_cert_config.mode | default('0700') }}"
    owner: "{{ static_ca_cert_config.owner | default(omit) }}"
    group: "{{ static_ca_cert_config.group | default(omit) }}"
  notify:
  - reload services for x509 certificates
  - restart services for x509 certificates

- name: generate key for static-ca certificate
  openssl_privatekey:
    path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem"
    mode: "{{ static_ca_cert_config.key.mode | default('0600') }}"
    owner: "{{ static_ca_cert_config.key.owner | default(omit) }}"
    group: "{{ static_ca_cert_config.key.group | default(omit) }}"
    type: "{{ static_ca_cert_config.key.type | default(omit) }}"
    size: "{{ static_ca_cert_config.key.size | default(omit) }}"
  notify:
  - reload services for x509 certificates
  - restart services for x509 certificates
  register: _static_ca_key_

- name: generate csr for static-ca certificate
  community.crypto.openssl_csr:
    path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-csr.pem"
    mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}"
    owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}"
    group: "{{ static_ca_cert_config.cert.group | default(omit) }}"
    privatekey_path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem"
    create_subject_key_identifier: "{{ static_ca_cert_config.cert.create_subject_key_identifier | default(omit) }}"
    digest: "{{ static_ca_cert_config.cert.digest | default(omit) }}"
    common_name: "{{ static_ca_cert_config.cert.common_name | default(static_ca_cert_name) }}"
    subject_alt_name: "{{ ['DNS:'] | product(static_ca_cert_hostnames) | map('join') | union(static_ca_cert_config.cert.san_extra | default([])) | list }}"
    subject_alt_name_critical: yes
    use_common_name_for_san: no
    country_name: "{{ static_ca_cert_config.cert.country_name | default(omit) }}"
    locality_name: "{{ static_ca_cert_config.cert.locality_name | default(omit) }}"
    organization_name: "{{ static_ca_cert_config.cert.organization_name | default(omit) }}"
    organizational_unit_name: "{{ static_ca_cert_config.cert.organizational_unit_name | default(omit) }}"
    state_or_province_name: "{{ static_ca_cert_config.cert.state_or_province_name | default(omit) }}"
    basic_constraints: "{{ static_ca_cert_config.cert.basic_constraints | default(omit) }}"
    basic_constraints_critical: "{{ static_ca_cert_config.cert.basic_constraints_critical | default(omit) }}"
    key_usage: "{{ static_ca_cert_config.cert.key_usage | default(omit) }}"
    key_usage_critical: "{{ static_ca_cert_config.cert.key_usage_critical | default(omit) }}"
    extended_key_usage: "{{ static_ca_cert_config.cert.extended_key_usage | default(omit) }}"
    extended_key_usage_critical: "{{ static_ca_cert_config.cert.extended_key_usage_critical | default(omit) }}"

- name: slurp csr for static-ca certificate
  slurp:
    src: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-csr.pem"
  register: _static_ca_csr_

- name: check if static-ca certificate already exists
  stat:
    path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
  register: _static_ca_cert_file_

- name: check validity of existing static-ca certificate
  when: _static_ca_cert_file_.stat.exists
  openssl_certificate_info:
    path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
    valid_at:
      renew_margin: "{{ static_ca_cert_config.cert.renew_margin | default(static_ca_cert_default_renew_margin) }}"
  register: _static_ca_cert_info_

- name: slurp existing static-ca certificate
  when: _static_ca_cert_file_.stat.exists
  slurp:
    src: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
  register: _static_ca_cert_current_

- name: generate static-ca certificate
  delegate_to: localhost
  community.crypto.x509_certificate_pipe:
    content: "{{ _static_ca_cert_current_.content | default('') | b64decode }}"
    csr_content: "{{ _static_ca_csr_.content | b64decode }}"
    provider: ownca
    ownca_content: "{{ static_ca_cert_config.ca.cert_content }}"
    ownca_privatekey_content: "{{ static_ca_cert_config.ca.key_content }}"
    ownca_digest: "{{ static_ca_cert_config.cert.digest | default(omit) }}"
    ownca_not_before: "{{ static_ca_cert_config.cert.not_before | default(omit) }}"
    ownca_not_after: "{{ static_ca_cert_config.cert.not_after | default(omit) }}"
    force: "{{ _static_ca_cert_file_.stat.exists and (not _static_ca_cert_info_.valid_at.renew_margin) }}"
  register: _static_ca_cert_new_

- name: install static-ca certificate
  copy:
    content: "{{ _static_ca_cert_new_.certificate }}"
    dest: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
    mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}"
    owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}"
    group: "{{ static_ca_cert_config.cert.group | default(omit) }}"
  register: _static_ca_cert_
  notify:
  - reload services for x509 certificates
  - restart services for x509 certificates

- name: install CA certificate
  copy:
    content: "{{ static_ca_cert_config.ca.cert_content }}"
    dest: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-ca-crt.pem"

- name: export paths to certificate files
  set_fact:
    x509_certificate_path_key: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem"
    x509_certificate_path_cert: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
    x509_certificate_path_chain: ""
    x509_certificate_path_fullchain: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
    x509_certificate_path_ca_cert: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-ca-crt.pem"

- name: generate custom post-renewal script
  when: x509_certificate_renewal is defined
  template:
    src: updated.sh.j2
    dest: "{{ static_ca_cert_path }}/updated.sh"
    mode: 0755

- name: call custom post-renewal script
  when:
  - x509_certificate_renewal is defined
  - (_static_ca_key_ is changed) or (_static_ca_cert_ is changed)
  command: "{{ static_ca_cert_path }}/updated.sh"