add support for self signed cert

2020-04-29 18:50:26 +02:00 · 2020-04-29 18:50:26 +02:00 · e1f4ba7c1a
commit e1f4ba7c1a
parent a76851a021
5 changed files with 53 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -85,6 +85,11 @@ challangeserver: []

 #### Selfsigned

+```
+# how long should the certificate be valid?
+not_after: "+3650d"
+```
+
 ## Paths

 Certificates are stored at a defined location:
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -4,7 +4,8 @@ certificates:
      remainingdays: 28
      challange: dns-01
      challangeserver: []
-    selfsigned: ~
+    selfsigned:
+      not_after: "+3650d"
  defaults:
    country: "SU"
    province: "CYBER"
--- a/tasks/common_cert.yml
+++ b/tasks/common_cert.yml
@ -18,6 +18,9 @@
 - debug:
    verbosity: 1
    var: cert_backend
+- debug:
+    verbosity: 1
+    var: certificates.certs[certname]

 - name: "generate key for {{ certname }}"
  openssl_privatekey:
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -16,6 +16,10 @@
    owner: root
    group: ssl-cert

+- debug:
+    verbosity: 2
+    var: certificates
+
 - import_tasks: letsencrypt_setup.yml
 - include_tasks: "{{ certificates.certs[certname].backend|default(certificates.defaults.backend) }}_cert.yml"
  loop: "{{ certificates.certs.keys()|list }}"
--- a/tasks/selfsigned_cert.yml
+++ b/tasks/selfsigned_cert.yml
@ -0,0 +1,39 @@
+- include_tasks: common_cert.yml
+
+- name: "sign certificate for {{ certname }}"
+  register: selfsignedsign
+  openssl_certificate:
+    path: "{{ cert.certpath }}"
+    privatekey_path: "{{ cert.keypath }}"
+    csr_path: "{{ cert.csrpath }}"
+    provider: selfsigned
+    selfsigned_not_after: "{{ cert_backend.not_after }}"
+
+- name: "generate concatinated versions (chain) for {{ certname }}"
+  shell: "umask 0137; cat {{ cert.certpath }} > {{ cert.chainpath }}"
+  args:
+    creates: "{{ cert.chainpath }}"
+
+- name: "set permission for concatinated versions (chain) for {{ certname }}"
+  file:
+    path: "{{ cert.chainpath }}"
+    mode: 0644
+    owner: root
+    group: ssl-cert
+
+- name: "generate concatinated versions (full) for {{ certname }}"
+  shell: "umask 0137; cat {{ cert.chainpath }} {{ cert.keypath }} > {{ cert.fullpath }}"
+  args:
+    creates: "{{ cert.fullpath }}"
+
+- name: "set permissions for concatinated versions (full) for {{ certname }}"
+  file:
+    path: "{{ cert.fullpath }}"
+    mode: 0640
+    owner: root
+    group: ssl-cert
+
+- set_fact:
+    certchanged: "{{ selfsignedsign is changed }}"
+- name: handle postflight
+  include: common_post.yml