diff options
Diffstat (limited to 'roles/signed_certificate')
| -rw-r--r-- | roles/signed_certificate/defaults/main.yml | 15 | ||||
| -rw-r--r-- | roles/signed_certificate/tasks/main.yml | 50 | ||||
| -rw-r--r-- | roles/signed_certificate/tasks/sign.yml | 31 |
3 files changed, 96 insertions, 0 deletions
diff --git a/roles/signed_certificate/defaults/main.yml b/roles/signed_certificate/defaults/main.yml new file mode 100644 index 0000000..c46ef37 --- /dev/null +++ b/roles/signed_certificate/defaults/main.yml @@ -0,0 +1,15 @@ +--- +cert_name: '{{ ansible_facts.fqdn }}' +key_path: '/etc/ssl/private/' +cert_path: '/etc/ssl/certs/' +alt_name: '{{ "DNS:" + ansible_facts.fqdn }}' +owner: root +group: root + +signed_certificate: + issuer_cn: '' + renew_at: '+5d' + valid_for: '+30d' + privkey_path: '/invalid' + privkey_passphrase: '' + cert_content: '' diff --git a/roles/signed_certificate/tasks/main.yml b/roles/signed_certificate/tasks/main.yml new file mode 100644 index 0000000..3e1a7b2 --- /dev/null +++ b/roles/signed_certificate/tasks/main.yml @@ -0,0 +1,50 @@ +--- +- name: Unset cert_changed flag + set_fact: + cert_changed: False + +- name: Instaall crypt libs + apt: + name: + - python3-cryptography + become: yes + +- name: Check for OpenSSL Private Key + community.crypto.openssl_privatekey_info: + path: '{{ key_path }}/{{ cert_name }}.key' + ignore_errors: yes + become: yes + register: key_check + +- name: Create OpenSSL Private Key + community.crypto.openssl_privatekey: + path: '{{ key_path }}/{{ cert_name }}.key' + owner: '{{ owner }}' + group: '{{ group }}' + become: yes + when: key_check.failed + +- name: Read existing Certificate + community.crypto.x509_certificate_info: + path: '{{ cert_path }}/{{ cert_name }}.pem' + valid_at: + point_1: '{{ signed_certificate.renew_at }}' + ignore_errors: yes + become: yes + register: existing_cert + +- name: Check certificate + assert: + that: + - existing_cert.valid_at.point_1 + - not existing_cert.failed + - existing_cert.subject.commonName == ansible_facts.fqdn + - existing_cert.issuer.commonName == '{{ signed_certificate.issuer_cn }}' + success_msg: Certificate is valid + fail_msg: Certificate is not valid. creating a new one. + ignore_errors: yes + register: cert_assert + +- name: Trigger Cert generation + include: sign.yml + when: cert_assert.failed diff --git a/roles/signed_certificate/tasks/sign.yml b/roles/signed_certificate/tasks/sign.yml new file mode 100644 index 0000000..b99df32 --- /dev/null +++ b/roles/signed_certificate/tasks/sign.yml @@ -0,0 +1,31 @@ +--- +- name: Create CSR + community.crypto.openssl_csr_pipe: + privatekey_path: '{{ key_path }}/{{ cert_name }}.key' + common_name: '{{ ansible_facts.fqdn }}' + subject_alt_name: '{{ alt_name }}' + register: request + become: yes + +- name: Sign OpenSSL Certificate + community.crypto.x509_certificate_pipe: + provider: ownca + ownca_privatekey_path: '{{ signed_certificate.privkey_path }}' + ownca_privatekey_passphrase: '{{ signed_certificate.privkey_passphrase }}' + ownca_content: '{{ signed_certificate.cert_content }}' + ownca_not_after: '{{ signed_certificate.valid_for }}' + csr_content: '{{ request.csr }}' + delegate_to: localhost + register: cert + +- name: Install Signed OpenSSL Certificate + copy: + dest: '{{ cert_path }}/{{ cert_name }}.pem' + content: '{{ cert.certificate }}' + owner: '{{ owner }}' + group: '{{ group }}' + become: yes + +- name: Set cert_changed flag + set_fact: + cert_changed: True |