diff options
author | Jonas Gunz <himself@jonasgunz.de> | 2022-09-20 18:11:00 +0200 |
---|---|---|
committer | Jonas Gunz <himself@jonasgunz.de> | 2022-09-20 18:11:00 +0200 |
commit | e56713301b19c67480d84b55dd513575b50cfd42 (patch) | |
tree | 335eb6d29bc208d9c8057bb83c08311b4cf0316d /roles/signed_certificate/tasks | |
parent | 216bc43ef7a270925ac597806c06030354ba9149 (diff) | |
download | ansible_collection-e56713301b19c67480d84b55dd513575b50cfd42.tar.gz |
ACME for signed_certificate
Diffstat (limited to 'roles/signed_certificate/tasks')
-rw-r--r-- | roles/signed_certificate/tasks/letsencrypt.yml | 81 | ||||
-rw-r--r-- | roles/signed_certificate/tasks/main.yml | 27 | ||||
-rw-r--r-- | roles/signed_certificate/tasks/selfsigned.yml | 25 | ||||
-rw-r--r-- | roles/signed_certificate/tasks/sign_selfsigned.yml (renamed from roles/signed_certificate/tasks/sign.yml) | 2 |
4 files changed, 112 insertions, 23 deletions
diff --git a/roles/signed_certificate/tasks/letsencrypt.yml b/roles/signed_certificate/tasks/letsencrypt.yml new file mode 100644 index 0000000..9d84bd3 --- /dev/null +++ b/roles/signed_certificate/tasks/letsencrypt.yml @@ -0,0 +1,81 @@ +--- +- name: Create CSR + community.crypto.openssl_csr_pipe: + privatekey_path: '{{ key_path }}/{{ cert_name }}.key' + common_name: '{{ common_name }}' + subject_alt_name: '{{ alt_name }}' + register: request + become: yes + +- name: Create a challenge using account key file. + community.crypto.acme_certificate: + account_key_content: '{{ acme.account_key }}' + modify_account: False + dest: '{{ cert_path }}/{{ cert_name }}.pem' + fullchain_dest: '{{ cert_path }}/{{ cert_name }}.fullchain.pem' + csr_content: '{{ request.csr }}' + challenge: dns-01 + acme_directory: '{{ acme.directory }}' + acme_version: 2 + remaining_days: '{{ acme.renew_at }}' + register: dns_challenge + +- name: Create DNS Challenge DNS Entry in LiveDNS + community.general.gandi_livedns: + domain: '{{ acme.gandi.domain }}' + record: '{{ item.key }}.' + type: TXT + ttl: 300 + values: "{{ item.value | map('regex_replace', '^(.*)$', '\"\\1\"' ) | list }}" + api_key: '{{ acme.gandi.api_key }}' + state: present + loop: "{{ dns_challenge.challenge_data_dns | dict2items }}" + when: dns_challenge is changed + +- name: Wait a bit + pause: + seconds: 20 + when: dns_challenge is changed + +- name: Validate the challenge and install certificates and chain + community.crypto.acme_certificate: + account_key_content: '{{ acme.account_key }}' + modify_account: False + csr_content: '{{ request.csr }}' + dest: '{{ cert_path }}/{{ cert_name }}.pem' + fullchain_dest: '{{ cert_path }}/{{ cert_name }}.fullchain.pem' + challenge: dns-01 + acme_directory: '{{ acme.directory }}' + acme_version: 2 + remaining_days: '{{ acme.renew_at }}' + data: '{{ dns_challenge }}' + register: dns_challenge + when: dns_challenge is changed + become: yes + +- name: Remove DNS Challenge DNS Entry in LiveDNS + community.general.gandi_livedns: + domain: '{{ acme.gandi.domain }}' + record: '{{ item.key }}.' + type: TXT + api_key: '{{ acme.gandi.api_key }}' + state: absent + loop: "{{ dns_challenge.challenge_data_dns | dict2items }}" + when: dns_challenge is changed + +# =========================== + +- name: Adjust file permissions + file: + path: '{{ item }}' + owner: '{{ owner }}' + group: '{{ group }}' + loop: + - '{{ cert_path }}/{{ cert_name }}.pem' + - '{{ cert_path }}/{{ cert_name }}.fullchain.pem' + become: yes + +- name: Set cert_changed flag + set_fact: + cert_changed: True + when: dns_challenge is changed diff --git a/roles/signed_certificate/tasks/main.yml b/roles/signed_certificate/tasks/main.yml index 4e214d2..4fb424d 100644 --- a/roles/signed_certificate/tasks/main.yml +++ b/roles/signed_certificate/tasks/main.yml @@ -35,27 +35,10 @@ become: yes when: not key_check.failed -- name: Read Existing Certificate - community.crypto.x509_certificate_info: - path: '{{ cert_path }}/{{ cert_name }}.pem' - valid_at: - point_1: '{{ signed_certificate.renew_at }}' - ignore_errors: yes - become: yes - register: existing_cert - -- name: Check Certificate - assert: - that: - - existing_cert.valid_at.point_1 - - not existing_cert.failed - - existing_cert.subject.commonName == ansible_facts.fqdn - - existing_cert.issuer.commonName == '{{ signed_certificate.issuer_cn }}' - success_msg: Certificate is valid - fail_msg: Certificate is not valid. creating a new one. - ignore_errors: yes - register: cert_assert +- name: Trigger Cert Generation + include_tasks: selfsigned.yml + when: use_acme == false - name: Trigger Cert Generation - include: sign.yml - when: cert_assert.failed + include_tasks: letsencrypt.yml + when: use_acme == true diff --git a/roles/signed_certificate/tasks/selfsigned.yml b/roles/signed_certificate/tasks/selfsigned.yml new file mode 100644 index 0000000..7b0957c --- /dev/null +++ b/roles/signed_certificate/tasks/selfsigned.yml @@ -0,0 +1,25 @@ +--- +- name: Read Existing Certificate + community.crypto.x509_certificate_info: + path: '{{ cert_path }}/{{ cert_name }}.pem' + valid_at: + point_1: '{{ signed_certificate.renew_at }}' + ignore_errors: yes + become: yes + register: existing_cert + +- name: Check Certificate + assert: + that: + - existing_cert.valid_at.point_1 + - not existing_cert.failed + - existing_cert.subject.commonName == common_name + - existing_cert.issuer.commonName == '{{ signed_certificate.issuer_cn }}' + success_msg: Certificate is valid + fail_msg: Certificate is not valid. creating a new one. + ignore_errors: yes + register: cert_assert + +- name: Trigger Cert Generation + include_tasks: sign_selfsigned.yml + when: cert_assert.failed diff --git a/roles/signed_certificate/tasks/sign.yml b/roles/signed_certificate/tasks/sign_selfsigned.yml index b99df32..fb610f6 100644 --- a/roles/signed_certificate/tasks/sign.yml +++ b/roles/signed_certificate/tasks/sign_selfsigned.yml @@ -2,7 +2,7 @@ - name: Create CSR community.crypto.openssl_csr_pipe: privatekey_path: '{{ key_path }}/{{ cert_name }}.key' - common_name: '{{ ansible_facts.fqdn }}' + common_name: '{{ common_name }}' subject_alt_name: '{{ alt_name }}' register: request become: yes |