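---
# Ensures this host has a private key and a certificate signed by the
# configured issuer. The certificate is regenerated (via sign.yml) when the
# existing one is missing, was not issued to this host's FQDN, was not issued
# by the expected CA, or would no longer be valid at
# `signed_certificate.renew_at`.
#
# Variables expected from the caller/defaults (not defined here): key_path,
# cert_path, cert_name, owner, group, signed_certificate.renew_at,
# signed_certificate.issuer_cn. `ansible_facts.fqdn` is used for the CN check,
# so fact gathering must be enabled for this play.

- name: Unset cert_changed flag
  # Reset the flag on every run; presumably sign.yml sets it when a new
  # certificate is issued — confirm against sign.yml.
  set_fact:
    cert_changed: false

- name: Install crypt libs
  # The community.crypto modules below need the cryptography backend on the
  # managed host.
  apt:
    name:
      - python3-cryptography
  become: true

- name: Check for OpenSSL Private Key
  # Fails when the key file is missing (or cannot be read/parsed); the
  # registered result selects the create-vs-enforce-permissions branch below.
  community.crypto.openssl_privatekey_info:
    path: '{{ key_path }}/{{ cert_name }}.key'
  ignore_errors: true
  become: true
  register: key_check

- name: Create OpenSSL Private Key
  # Owner read/write, group read, no world access: the private key must never
  # be world-readable. Mode is quoted so YAML does not parse it as an integer.
  community.crypto.openssl_privatekey:
    path: '{{ key_path }}/{{ cert_name }}.key'
    owner: '{{ owner }}'
    group: '{{ group }}'
    mode: '0640'
  become: true
  when: key_check.failed

- name: Check file permissions for Key
  # Existing key: enforce the same ownership and mode without touching content.
  file:
    path: '{{ key_path }}/{{ cert_name }}.key'
    state: file
    owner: '{{ owner }}'
    group: '{{ group }}'
    mode: '0640'
  become: true
  when: not key_check.failed

- name: Read existing Certificate
  # valid_at.point_1 is true only if the certificate is still within its
  # validity period at the renewal checkpoint. A missing or unparseable
  # certificate makes this task fail; the failure is ignored and handled by
  # the assert below.
  community.crypto.x509_certificate_info:
    path: '{{ cert_path }}/{{ cert_name }}.pem'
    valid_at:
      point_1: '{{ signed_certificate.renew_at }}'
  ignore_errors: true
  become: true
  register: existing_cert

- name: Check certificate
  # `not existing_cert.failed` is checked first: when the read failed, the
  # registered result carries no subject/issuer/valid_at keys, and evaluating
  # those first would raise an undefined-attribute error rather than a clean
  # assertion failure. Conditionals are already templated, so the issuer CN is
  # referenced directly instead of being wrapped in '{{ }}'.
  assert:
    that:
      - not existing_cert.failed
      - existing_cert.valid_at.point_1
      - existing_cert.subject.commonName == ansible_facts.fqdn
      - existing_cert.issuer.commonName == signed_certificate.issuer_cn
    success_msg: Certificate is valid
    fail_msg: Certificate is not valid. creating a new one.
  ignore_errors: true
  register: cert_assert

- name: Trigger Cert generation
  # `include` is deprecated (removed in recent ansible-core); include_tasks is
  # the dynamic equivalent and honours the `when` on this task.
  include_tasks: sign.yml
  when: cert_assert.failed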