infra/ansible-role-certificates
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ansible-role-certificates/tasks/ownca_cert.yml
psy 1b7bb11f08
replace include with include-tasks
2023-12-04 21:42:58 +01:00

137 lines
4.1 KiB
YAML
Raw Blame History

- include_tasks: common_cert.yml
- name: store ca base path
set_fact:
capath: "{{ cert_backend.basepath }}/{{ cert_backend.name }}"
- name: store ca sub paths
set_fact:
cacertpath: "{{ capath }}/ca.crt"
cakeypath: "{{ capath }}/ca.key"
cacsrpath: "{{ capath }}/ca.csr"
casignedpath: "{{ capath }}/signed"
remotecrtpath: "{{ capath }}/signed/{{ certname }}.crt"
remotecsrpath: "{{ capath }}/signed/{{ certname }}.csr"
- name: slurp csr for {{ certname }}
slurp:
src: "{{ cert.csrpath }}"
register: csrfile
- name: slurp key for {{ certname }}
slurp:
src: "{{ cert.keypath }}"
register: keyfile
- name: setup ca
delegate_to: "{{ cert_backend.remote|default(inventory_hostname, true) }}"
block:
- name: "setup base path for {{ cert_backend.name }} ({{ certname }})"
file:
path: "{{ cert_backend.basepath }}"
state: directory
mode: 0755
owner: root
group: root
- name: "setup ca path for {{ cert_backend.name }} ({{ certname }})"
file:
path: "{{ capath }}"
state: directory
mode: 0755
owner: root
group: root
- name: "setup ca signed path for {{ cert_backend.name }} ({{ certname }})"
file:
path: "{{ casignedpath }}"
state: directory
mode: 0755
owner: root
group: root
- name: "setup ca key {{ cert_backend.name }} ({{ certname }})"
openssl_privatekey:
path: "{{ cakeypath }}"
size: 4096
type: RSA
mode: 0640
owner: root
group: root
- name: "setup ca csr for {{ cert_backend.name }} ({{ certname }})"
openssl_csr:
path: "{{ cacsrpath }}"
privatekey_path: "{{ cakeypath }}"
basic_constraints: "CA:TRUE"
key_usage:
- digitalSignature
- keyCertSign
- cRLSign
key_usage_critical: yes
basic_constraints_critical: yes
use_common_name_for_san: false
common_name: "Root CA: {{ cert_backend.name }}"
- name: "self sign ca crt for {{ cert_backend.name }} ({{ certname }})"
openssl_certificate:
path: "{{ cacertpath }}"
privatekey_path: "{{ cakeypath }}"
csr_path: "{{ cacsrpath }}"
provider: selfsigned
selfsigned_not_after: "{{ cert_backend.ca_not_after }}"
selfsigned_create_subject_key_identifier: always_create
- name: "slurp ca crt for {{ cert_backend.name }} ({{ certname }})"
slurp:
src: "{{ cacertpath }}"
register: cafile
- name: "write csr to ca folder ({{ certname }})"
copy:
content: "{{ csrfile.content | b64decode }}"
dest: "{{ remotecsrpath }}"
mode: 0644
owner: root
group: root
- name: "sign certificate for {{ certname }}"
register: casignedsign
openssl_certificate:
path: "{{ remotecrtpath }}"
csr_path: "{{ remotecsrpath }}"
ownca_path: "{{ cacertpath }}"
ownca_privatekey_path: "{{ cakeypath }}"
provider: ownca
ownca_not_after: "{{ cert_backend.not_after }}"
ownca_create_subject_key_identifier: always_create
- name: "copy crt from ca for {{ certname }}"
slurp:
src: "{{ remotecrtpath }}"
register: crtfile
- name: "write crt ({{ certname }})"
copy:
content: "{{ crtfile.content | b64decode }}"
dest: "{{ cert.certpath }}"
mode: 0644
owner: root
group: root
- name: "write ca ({{ certname }})"
copy:
content: "{{ cafile.content | b64decode }}"
dest: "{{ cert.capath }}"
mode: 0644
owner: root
group: root
- name: "generate concatinated versions (chain) for {{ certname }}"
copy:
content: "{{ crtfile.content | b64decode }}{{ cafile.content | b64decode }}"
dest: "{{ cert.chainpath }}"
mode: 0644
owner: root
group: ssl-cert
- name: "generate concatinated versions (full) for {{ certname }}"
copy:
content: "{{ crtfile.content | b64decode }}{{ cafile.content | b64decode }}{{ keyfile.content | b64decode }}"
dest: "{{ cert.fullpath }}"
mode: 0640
owner: root
group: ssl-cert
- name: store if the cert was changed
set_fact:
certchanged: "{{ casignedsign is changed }}"
- name: handle postflight
include_tasks: common_post.yml
Reference in a new issue View git blame Copy permalink