infra/ansible-role-certificates
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

added support to override backend values on a per certificate basis

Browse source
This commit is contained in:
nd 2020-04-26 12:03:11 +02:00
parent abb03d4435
commit a76851a021
No known key found for this signature in database
GPG key ID: 21B5CD4DEE3670E9
4 changed files with 22 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

6
README.md
View file

@ -56,6 +56,12 @@ san: []
# services to restart if this certificate changes # services to restart if this certificate changes
depending_services: [] depending_services: []
# which backend to use, can be 'selfsigned' or 'letsencrypt'
backend: 'selfsigned'
# overwrite a backend setting for this certificate
backend_override: {}
``` ```
### Backends ### Backends

1
defaults/main.yml
View file

@ -15,4 +15,5 @@ certificates:
cn: ~ cn: ~
san: [] san: []
depending_services: [] depending_services: []
backend: 'letsencrypt'
certs: {} certs: {}

7
tasks/common_cert.yml
View file

@ -8,11 +8,16 @@
chainpath: "{{ basepath + '/' + certname + '.chain.crt' }}" chainpath: "{{ basepath + '/' + certname + '.chain.crt' }}"
fullpath: "{{ basepath + '/private/' + certname + '.complete.pem' }}" fullpath: "{{ basepath + '/private/' + certname + '.complete.pem' }}"
- set_fact: - set_fact:
cert: "{{ {}|combine(certificates.defaults, cert_paths, certificates.certs[certname]|d({}), {'name': certname} ) }}" cert: "{{ {}|combine(certificates.defaults, cert_paths, certificates.certs[certname]|d({}), {'name': certname}, recursive=True ) }}"
- set_fact:
cert_backend: "{{ {}|combine(certificates.backends[cert.backend], cert.backend_override|d({}), recursive=True) }}"
- debug: - debug:
verbosity: 1 verbosity: 1
var: cert var: cert
- debug:
verbosity: 1
var: cert_backend
- name: "generate key for {{ certname }}" - name: "generate key for {{ certname }}"
openssl_privatekey: openssl_privatekey:

18
tasks/letsencrypt_cert.yml
View file

@ -1,7 +1,7 @@
- include_tasks: common_cert.yml - include_tasks: common_cert.yml
- set_fact: - set_fact:
external_challange_type: "{{ map_challange_type_letsencrypt[certificates.backends.letsencrypt.challange]|d(certificates.backends.letsencrypt.challange) }}" external_challange_type: "{{ map_challange_type_letsencrypt[cert_backend.challange]|d(cert_backend.challange) }}"
- name: "get challange for {{ certname }}" - name: "get challange for {{ certname }}"
acme_certificate: &acmetask acme_certificate: &acmetask
@ -13,7 +13,7 @@
csr: "{{ cert.csrpath }}" csr: "{{ cert.csrpath }}"
dest: "{{ cert.certpath }}" dest: "{{ cert.certpath }}"
fullchain_dest: "{{ cert.chainpath }}" fullchain_dest: "{{ cert.chainpath }}"
remaining_days: "{{ certificates.backends.letsencrypt.remainingdays }}" remaining_days: "{{ cert_backend.remainingdays }}"
challenge: "{{ external_challange_type }}" challenge: "{{ external_challange_type }}"
deactivate_authzs: yes deactivate_authzs: yes
register: challenge register: challenge
@ -21,9 +21,9 @@
- name: "setup challenge server for {{ certname }} (dns challange)" - name: "setup challenge server for {{ certname }} (dns challange)"
when: when:
- challenge is changed - challenge is changed
- certificates.backends.letsencrypt.challange == "dns-01" - cert_backend.challange == "dns-01"
delegate_to: "{{ item.0 }}" delegate_to: "{{ item.0 }}"
loop: "{{ certificates.backends.letsencrypt.challangeserver|product(challenge.challenge_data.keys()|list)|list }}" loop: "{{ cert_backend.challangeserver|product(challenge.challenge_data.keys()|list)|list }}"
command: command:
argv: argv:
- "/usr/local/bin/pdns.py" - "/usr/local/bin/pdns.py"
@ -33,24 +33,24 @@
- name: "setup challenge server for {{ certname }} (manual dns challange)" - name: "setup challenge server for {{ certname }} (manual dns challange)"
when: when:
- challenge is changed - challenge is changed
- certificates.backends.letsencrypt.challange == "dns-01-manual" - cert_backend.challange == "dns-01-manual"
loop: "{{ challenge.challenge_data_dns|d({})|dict2items }}" loop: "{{ challenge.challenge_data_dns|d({})|dict2items }}"
debug: debug:
msg: "add the following dns record: '{{ item.key }}.': { TXT: '{{ item.value[0] }}' }" msg: "add the following dns record: '{{ item.key }}.': { TXT: {{ item.value }} }"
- name: wait for challenges in dns (manual dns challange) - name: wait for challenges in dns (manual dns challange)
pause: pause:
prompt: "When the relevant lines were added to dns and synced, press enter" prompt: "When the relevant lines were added to dns and synced, press enter"
when: when:
- challenge is changed - challenge is changed
- certificates.backends.letsencrypt.challange == "dns-01-manual" - cert_backend.challange == "dns-01-manual"
- name: "setup challenge server for {{ certname }} (http challange)" - name: "setup challenge server for {{ certname }} (http challange)"
when: when:
- challenge is changed - challenge is changed
- certificates.backends.letsencrypt.challange == "http-01" - cert_backend.challange == "http-01"
delegate_to: "{{ item.0 }}" delegate_to: "{{ item.0 }}"
loop: "{{ certificates.backends.letsencrypt.challangeserver|product(challenge.challenge_data.keys()|list)|list }}" loop: "{{ cert_backend.challangeserver|product(challenge.challenge_data.keys()|list)|list }}"
copy: copy:
dest: "/var/www/letsencrypt/{{ challenge.challenge_data[item.1]['http-01'].resource | basename }}" dest: "/var/www/letsencrypt/{{ challenge.challenge_data[item.1]['http-01'].resource | basename }}"
content: "{{ challenge.challenge_data[item.1]['http-01'].resource_value }}" content: "{{ challenge.challenge_data[item.1]['http-01'].resource_value }}"