infra/ansible-role-certificates
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

support ownca certificates

Browse source
This commit is contained in:
nd 2020-05-21 14:57:00 +02:00
parent e1f4ba7c1a
commit 87e3f3dd39
No known key found for this signature in database
GPG key ID: 21B5CD4DEE3670E9
4 changed files with 159 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

35
README.md
View file

@ -11,6 +11,7 @@ All configuration is to be placed inside the `certificates` dict.
backends: backends:
letsencrypt: *letsencrypt-backend-config* letsencrypt: *letsencrypt-backend-config*
selfsigned: *selfsigned-backend-config* selfsigned: *selfsigned-backend-config*
ownca: *ownca-backend-config*
# default options for certificates # default options for certificates
defaults: defaults:
@ -57,7 +58,7 @@ san: []
# services to restart if this certificate changes # services to restart if this certificate changes
depending_services: [] depending_services: []
# which backend to use, can be 'selfsigned' or 'letsencrypt' # which backend to use, can be 'selfsigned', 'letsencrypt' or 'ownca''
backend: 'selfsigned' backend: 'selfsigned'
# overwrite a backend setting for this certificate # overwrite a backend setting for this certificate
@ -85,11 +86,34 @@ challangeserver: []
#### Selfsigned #### Selfsigned
*selfsigned-backend-config*
``` ```
# how long should the certificate be valid? # how long should the certificate be valid?
not_after: "+3650d" not_after: "+3650d"
``` ```
#### Own CA
*ownca-backend-config*
```
# how long should the certificate be valid?
not_after: "+3650d"
# how long should the ca itself be valid?
ca_not_after: "+3650d"
# delegate the CA to another host. Set to Null to disable and have the ca on the same host this role runs
remote: Null
# base path to store the ca in
basepatht: "/etc/ssl/ca"
# name of the ca, used in paths
name: "ownca"
```
## Paths ## Paths
Certificates are stored at a defined location: Certificates are stored at a defined location:
@ -99,3 +123,12 @@ Certificates are stored at a defined location:
* CSR: `/etc/ssl/<certname>.csr` * CSR: `/etc/ssl/<certname>.csr`
* chain: `/etc/ssl/<certname>.chain.crt` * chain: `/etc/ssl/<certname>.chain.crt`
* key, certificate and chain combined: `/etc/ssl/private/<certname>.complete.pem` * key, certificate and chain combined: `/etc/ssl/private/<certname>.complete.pem`
Please note that "chain" contains the ca for self signed and "ownca" certificates to work around some stupid bugs.
On the CA host for self signed certs those paths are used:
* ca base path: `<ownca.basepath>/<ownca.name>`
* ca key: `<basepath>/ca.key`
* ca cert: `<basepath>/ca.crt`
* all signed certs: `<basepath>/signed/<certname>`

6
defaults/main.yml
View file

@ -6,6 +6,12 @@ certificates:
challangeserver: [] challangeserver: []
selfsigned: selfsigned:
not_after: "+3650d" not_after: "+3650d"
ownca:
not_after: "+3650d"
ca_not_after: "+3650d"
remote: ~
basepath: /etc/ssl/ca
name: ownca
defaults: defaults:
country: "SU" country: "SU"
province: "CYBER" province: "CYBER"

1
tasks/common_cert.yml
View file

@ -3,6 +3,7 @@
- set_fact: - set_fact:
cert_paths: cert_paths:
csrpath: "{{ basepath + '/' + certname + '.csr' }}" csrpath: "{{ basepath + '/' + certname + '.csr' }}"
capath: "{{ basepath + '/' + certname + '.ca' }}"
keypath: "{{ basepath + '/private/' + certname + '.key' }}" keypath: "{{ basepath + '/private/' + certname + '.key' }}"
certpath: "{{ basepath + '/' + certname + '.crt' }}" certpath: "{{ basepath + '/' + certname + '.crt' }}"
chainpath: "{{ basepath + '/' + certname + '.chain.crt' }}" chainpath: "{{ basepath + '/' + certname + '.chain.crt' }}"

118
tasks/ownca_cert.yml Normal file
View file

@ -0,0 +1,118 @@
- include_tasks: common_cert.yml
- set_fact:
capath: "{{ cert_backend.basepath }}/{{ cert_backend.name }}"
- set_fact:
cacertpath: "{{ capath }}/ca.crt"
cakeypath: "{{ capath }}/ca.key"
cacsrpath: "{{ capath }}/ca.csr"
casignedpath: "{{ capath }}/signed"
remotecrtpath: "{{ capath }}/signed/{{ certname }}.crt"
remotecsrpath: "{{ capath }}/signed/{{ certname }}.csr"
- name: slurp csr for {{ certname }}
slurp:
src: "{{ cert.csrpath }}"
register: csrfile
- name: setup ca
delegate_to: "{{ cert_backend.remote|default(inventory_hostname, true) }}"
block:
- name: "setup base path for {{ cert_backend.name }} ({{ certname }})"
file:
path: "{{ cert_backend.basepath }}"
state: directory
mode: 755
owner: root
group: root
- name: "setup ca path for {{ cert_backend.name }} ({{ certname }})"
file:
path: "{{ capath }}"
state: directory
mode: 0755
owner: root
group: root
- name: "setup ca signed path for {{ cert_backend.name }} ({{ certname }})"
file:
path: "{{ casignedpath }}"
state: directory
mode: 0755
owner: root
group: root
- name: "setup ca key {{ cert_backend.name }} ({{ certname }})"
openssl_privatekey:
path: "{{ cakeypath }}"
size: 4096
type: RSA
mode: 0640
owner: root
group: root
- name: "setup ca csr for {{ cert_backend.name }} ({{ certname }})"
openssl_csr:
path: "{{ cacsrpath }}"
privatekey_path: "{{ cakeypath }}"
- name: "self sign ca crt for {{ cert_backend.name }} ({{ certname }})"
openssl_certificate:
path: "{{ cacertpath }}"
privatekey_path: "{{ cakeypath }}"
csr_path: "{{ cacsrpath }}"
provider: selfsigned
selfsigned_not_after: "{{ cert_backend.ca_not_after }}"
- name: slurp ca crt for {{ cert_backend.name }} ({{ certname }})"
slurp:
src: "{{ cacertpath }}"
register: cafile
- name: "write csr to ca folder ({{ certname }})"
copy:
content: "{{ csrfile['content'] | b64decode }}"
dest: "{{ remotecsrpath }}"
- name: "sign certificate for {{ certname }}"
register: casignedsign
openssl_certificate:
path: "{{ remotecrtpath }}"
csr_path: "{{ remotecsrpath }}"
ownca_path: "{{ cacertpath }}"
ownca_privatekey_path: "{{ cakeypath }}"
provider: ownca
ownca_not_after: "{{ cert_backend.not_after }}"
- name: "copy crt from ca for {{ certname }}"
slurp:
src: "{{ remotecrtpath }}"
register: crtfile
- name: "write crt ({{ certname }})"
copy:
content: "{{ crtfile['content'] | b64decode }}"
dest: "{{ cert.certpath }}"
- name: "write ca ({{ certname }})"
copy:
content: "{{ cafile['content'] | b64decode }}"
dest: "{{ cert.capath }}"
- name: "generate concatinated versions (chain) for {{ certname }}"
shell: "umask 0137; cat {{ cert.certpath }} {{ cert.capath }} > {{ cert.chainpath }}"
args:
creates: "{{ cert.chainpath }}"
- name: "set permission for concatinated versions (chain) for {{ certname }}"
file:
path: "{{ cert.chainpath }}"
mode: 0644
owner: root
group: ssl-cert
- name: "generate concatinated versions (full) for {{ certname }}"
shell: "umask 0137; cat {{ cert.chainpath }} {{ cert.keypath }} > {{ cert.fullpath }}"
args:
creates: "{{ cert.fullpath }}"
- name: "set permissions for concatinated versions (full) for {{ certname }}"
file:
path: "{{ cert.fullpath }}"
mode: 0640
owner: root
group: ssl-cert
- set_fact:
certchanged: "{{ casignedsign is changed }}"
- name: handle postflight
include: common_post.yml