aboutsummaryrefslogtreecommitdiff
path: root/roles/signed_certificate/tasks
diff options
context:
space:
mode:
authorGravatar Jonas Gunz <himself@jonasgunz.de> 2022-09-20 18:11:00 +0200
committerGravatar Jonas Gunz <himself@jonasgunz.de> 2022-09-20 18:11:00 +0200
commite56713301b19c67480d84b55dd513575b50cfd42 (patch)
tree335eb6d29bc208d9c8057bb83c08311b4cf0316d /roles/signed_certificate/tasks
parent216bc43ef7a270925ac597806c06030354ba9149 (diff)
downloadansible_collection-e56713301b19c67480d84b55dd513575b50cfd42.tar.gz
ACME for signed_certificate
Diffstat (limited to 'roles/signed_certificate/tasks')
-rw-r--r--roles/signed_certificate/tasks/letsencrypt.yml81
-rw-r--r--roles/signed_certificate/tasks/main.yml27
-rw-r--r--roles/signed_certificate/tasks/selfsigned.yml25
-rw-r--r--roles/signed_certificate/tasks/sign_selfsigned.yml (renamed from roles/signed_certificate/tasks/sign.yml)2
4 files changed, 112 insertions, 23 deletions
diff --git a/roles/signed_certificate/tasks/letsencrypt.yml b/roles/signed_certificate/tasks/letsencrypt.yml
new file mode 100644
index 0000000..9d84bd3
--- /dev/null
+++ b/roles/signed_certificate/tasks/letsencrypt.yml
@@ -0,0 +1,81 @@
+---
+- name: Create CSR
+ community.crypto.openssl_csr_pipe:
+ privatekey_path: '{{ key_path }}/{{ cert_name }}.key'
+ common_name: '{{ common_name }}'
+ subject_alt_name: '{{ alt_name }}'
+ register: request
+ become: yes
+
+- name: Create a challenge using account key file.
+ community.crypto.acme_certificate:
+ account_key_content: '{{ acme.account_key }}'
+ modify_account: False
+ dest: '{{ cert_path }}/{{ cert_name }}.pem'
+ fullchain_dest: '{{ cert_path }}/{{ cert_name }}.fullchain.pem'
+ csr_content: '{{ request.csr }}'
+ challenge: dns-01
+ acme_directory: '{{ acme.directory }}'
+ acme_version: 2
+ remaining_days: '{{ acme.renew_at }}'
+ register: dns_challenge
+
+- name: Create DNS Challenge DNS Entry in LiveDNS
+ community.general.gandi_livedns:
+ domain: '{{ acme.gandi.domain }}'
+ record: '{{ item.key }}.'
+ type: TXT
+ ttl: 300
+ values: "{{ item.value | map('regex_replace', '^(.*)$', '\"\\1\"' ) | list }}"
+ api_key: '{{ acme.gandi.api_key }}'
+ state: present
+ loop: "{{ dns_challenge.challenge_data_dns | dict2items }}"
+ when: dns_challenge is changed
+
+- name: Wait a bit
+ pause:
+ seconds: 20
+ when: dns_challenge is changed
+
+- name: Validate the challenge and install certificates and chain
+ community.crypto.acme_certificate:
+ account_key_content: '{{ acme.account_key }}'
+ modify_account: False
+ csr_content: '{{ request.csr }}'
+ dest: '{{ cert_path }}/{{ cert_name }}.pem'
+ fullchain_dest: '{{ cert_path }}/{{ cert_name }}.fullchain.pem'
+ challenge: dns-01
+ acme_directory: '{{ acme.directory }}'
+ acme_version: 2
+ remaining_days: '{{ acme.renew_at }}'
+ data: '{{ dns_challenge }}'
+ register: dns_challenge
+ when: dns_challenge is changed
+ become: yes
+
+- name: Remove DNS Challenge DNS Entry in LiveDNS
+ community.general.gandi_livedns:
+ domain: '{{ acme.gandi.domain }}'
+ record: '{{ item.key }}.'
+ type: TXT
+ api_key: '{{ acme.gandi.api_key }}'
+ state: absent
+ loop: "{{ dns_challenge.challenge_data_dns | dict2items }}"
+ when: dns_challenge is changed
+
+# ===========================
+
+- name: Adjust file permissions
+ file:
+ path: '{{ item }}'
+ owner: '{{ owner }}'
+ group: '{{ group }}'
+ loop:
+ - '{{ cert_path }}/{{ cert_name }}.pem'
+ - '{{ cert_path }}/{{ cert_name }}.fullchain.pem'
+ become: yes
+
+- name: Set cert_changed flag
+ set_fact:
+ cert_changed: True
+ when: dns_challenge is changed
diff --git a/roles/signed_certificate/tasks/main.yml b/roles/signed_certificate/tasks/main.yml
index 4e214d2..4fb424d 100644
--- a/roles/signed_certificate/tasks/main.yml
+++ b/roles/signed_certificate/tasks/main.yml
@@ -35,27 +35,10 @@
become: yes
when: not key_check.failed
-- name: Read Existing Certificate
- community.crypto.x509_certificate_info:
- path: '{{ cert_path }}/{{ cert_name }}.pem'
- valid_at:
- point_1: '{{ signed_certificate.renew_at }}'
- ignore_errors: yes
- become: yes
- register: existing_cert
-
-- name: Check Certificate
- assert:
- that:
- - existing_cert.valid_at.point_1
- - not existing_cert.failed
- - existing_cert.subject.commonName == ansible_facts.fqdn
- - existing_cert.issuer.commonName == '{{ signed_certificate.issuer_cn }}'
- success_msg: Certificate is valid
- fail_msg: Certificate is not valid. creating a new one.
- ignore_errors: yes
- register: cert_assert
+- name: Trigger Cert Generation
+ include_tasks: selfsigned.yml
+ when: use_acme == false
- name: Trigger Cert Generation
- include: sign.yml
- when: cert_assert.failed
+ include_tasks: letsencrypt.yml
+ when: use_acme == true
diff --git a/roles/signed_certificate/tasks/selfsigned.yml b/roles/signed_certificate/tasks/selfsigned.yml
new file mode 100644
index 0000000..7b0957c
--- /dev/null
+++ b/roles/signed_certificate/tasks/selfsigned.yml
@@ -0,0 +1,25 @@
+---
+- name: Read Existing Certificate
+ community.crypto.x509_certificate_info:
+ path: '{{ cert_path }}/{{ cert_name }}.pem'
+ valid_at:
+ point_1: '{{ signed_certificate.renew_at }}'
+ ignore_errors: yes
+ become: yes
+ register: existing_cert
+
+- name: Check Certificate
+ assert:
+ that:
+ - existing_cert.valid_at.point_1
+ - not existing_cert.failed
+ - existing_cert.subject.commonName == common_name
+ - existing_cert.issuer.commonName == '{{ signed_certificate.issuer_cn }}'
+ success_msg: Certificate is valid
+ fail_msg: Certificate is not valid. creating a new one.
+ ignore_errors: yes
+ register: cert_assert
+
+- name: Trigger Cert Generation
+ include_tasks: sign_selfsigned.yml
+ when: cert_assert.failed
diff --git a/roles/signed_certificate/tasks/sign.yml b/roles/signed_certificate/tasks/sign_selfsigned.yml
index b99df32..fb610f6 100644
--- a/roles/signed_certificate/tasks/sign.yml
+++ b/roles/signed_certificate/tasks/sign_selfsigned.yml
@@ -2,7 +2,7 @@
- name: Create CSR
community.crypto.openssl_csr_pipe:
privatekey_path: '{{ key_path }}/{{ cert_name }}.key'
- common_name: '{{ ansible_facts.fqdn }}'
+ common_name: '{{ common_name }}'
subject_alt_name: '{{ alt_name }}'
register: request
become: yes