infra/ansible-role-certificates
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add support for self signed cert

Browse source
This commit is contained in:
nd 2020-04-29 18:50:26 +02:00
parent a76851a021
commit e1f4ba7c1a
No known key found for this signature in database
GPG key ID: 21B5CD4DEE3670E9
5 changed files with 53 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

5
README.md
View file

@ -85,6 +85,11 @@ challangeserver: []
#### Selfsigned #### Selfsigned
```
# how long should the certificate be valid?
not_after: "+3650d"
```
## Paths ## Paths
Certificates are stored at a defined location: Certificates are stored at a defined location:

3
defaults/main.yml
View file

@ -4,7 +4,8 @@ certificates:
remainingdays: 28 remainingdays: 28
challange: dns-01 challange: dns-01
challangeserver: [] challangeserver: []
selfsigned: ~ selfsigned:
not_after: "+3650d"
defaults: defaults:
country: "SU" country: "SU"
province: "CYBER" province: "CYBER"

3
tasks/common_cert.yml
View file

@ -18,6 +18,9 @@
- debug: - debug:
verbosity: 1 verbosity: 1
var: cert_backend var: cert_backend
- debug:
verbosity: 1
var: certificates.certs[certname]
- name: "generate key for {{ certname }}" - name: "generate key for {{ certname }}"
openssl_privatekey: openssl_privatekey:

4
tasks/main.yml
View file

@ -16,6 +16,10 @@
owner: root owner: root
group: ssl-cert group: ssl-cert
- debug:
verbosity: 2
var: certificates
- import_tasks: letsencrypt_setup.yml - import_tasks: letsencrypt_setup.yml
- include_tasks: "{{ certificates.certs[certname].backend|default(certificates.defaults.backend) }}_cert.yml" - include_tasks: "{{ certificates.certs[certname].backend|default(certificates.defaults.backend) }}_cert.yml"
loop: "{{ certificates.certs.keys()|list }}" loop: "{{ certificates.certs.keys()|list }}"

39
tasks/selfsigned_cert.yml Normal file
View file

@ -0,0 +1,39 @@
- include_tasks: common_cert.yml
- name: "sign certificate for {{ certname }}"
register: selfsignedsign
openssl_certificate:
path: "{{ cert.certpath }}"
privatekey_path: "{{ cert.keypath }}"
csr_path: "{{ cert.csrpath }}"
provider: selfsigned
selfsigned_not_after: "{{ cert_backend.not_after }}"
- name: "generate concatinated versions (chain) for {{ certname }}"
shell: "umask 0137; cat {{ cert.certpath }} > {{ cert.chainpath }}"
args:
creates: "{{ cert.chainpath }}"
- name: "set permission for concatinated versions (chain) for {{ certname }}"
file:
path: "{{ cert.chainpath }}"
mode: 0644
owner: root
group: ssl-cert
- name: "generate concatinated versions (full) for {{ certname }}"
shell: "umask 0137; cat {{ cert.chainpath }} {{ cert.keypath }} > {{ cert.fullpath }}"
args:
creates: "{{ cert.fullpath }}"
- name: "set permissions for concatinated versions (full) for {{ certname }}"
file:
path: "{{ cert.fullpath }}"
mode: 0640
owner: root
group: ssl-cert
- set_fact:
certchanged: "{{ selfsignedsign is changed }}"
- name: handle postflight
include: common_post.yml