---
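# Create the on-host certificate layout: a world-readable directory for
# public material (certs) and a root-only directory for private material.
# `recurse` is deliberately not set: with `recurse: true` the directory mode
# would be re-applied to every file already inside on each run, which would
# change the permissions of previously copied keys and certificates.
# Parent directories are still created by `state: directory`.
- name: Ensure the custom directories to host certificates are present
  become: true
  file:
    path: "{{ gen_tls_remote_certs_dir }}/{{ item.path }}"
    state: directory
    mode: "{{ item.mode }}"
    owner: root
    group: root
  loop:
    - path: local/certs
      mode: "0755"
    - path: local/private
      mode: "0700"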
# Controller-side check: the key is kept in gen_tls_cert_dir on localhost,
# one file per host, named after the short hostname.
- name: Check if the server private key exists
  delegate_to: localhost
  register: server_key
  stat:
    path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.key"
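# Generate the host's private key on the controller only when none exists
# yet, so an existing key (and the certificate issued for it) is never
# silently replaced. The file mode is set explicitly so the key is never
# left readable by other controller users, regardless of module defaults.
- name: Create PEM private key for server
  delegate_to: localhost
  community.crypto.openssl_privatekey:
    path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.key"
    mode: "0600"
  when: not server_key.stat.exists
  register: server_key_file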
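# Push the freshly generated private key to the host. A private key must
# never be world-readable, so it is installed with mode 0600 (the previous
# 0644 exposed it to every local user).
# NOTE(review): the key is placed under local/certs (the 0755 directory)
# while local/private (0700) exists for exactly this purpose; check what
# consumes this path before moving it.
# Only runs when the key was (re)generated in this play; a host rebuilt
# after the key already existed on the controller will not receive it.
- name: Copy the key on the server
  become: true
  copy:
    src: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.key"
    dest: "{{ gen_tls_remote_certs_dir }}/local/certs/"
    mode: "0600"
    owner: root
    group: root
  when: server_key_file.changed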
# Controller-side check for a previously generated certificate request.
- name: Check if the server CSR exists
  delegate_to: localhost
  register: server_csr
  stat:
    path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.csr"
# CSR without subject alternative names: only the CN is set. Runs when no
# CSR exists yet, server certificate generation is enabled and SANs are
# disabled (the SAN variant of this task covers the other case).
- name: Create CSR for server cert
  delegate_to: localhost
  register: null
  community.crypto.openssl_csr:
    privatekey_path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.key"
    path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.csr"
    common_name: "{{ inventory_hostname_short }}"
  when:
    - not server_csr.stat.exists
    - gen_tls_generate_server_cert
    - not gen_tls_server_enable_san
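# CSR with subject alternative names. Renamed so it is distinguishable in
# play output from the CN-only variant, which previously shared its name.
# The SAN list covers the FQDN under gen_tls_tld (when defined), the
# inventory hostname, the short hostname, the alternate or default IPv4
# address and the loopback address.
# NOTE(review): IP:0.0.0.0 in a SAN is unusual and is not a routable
# address; confirm it is intended before relying on it.
- name: Create CSR for server cert (with SAN)
  delegate_to: localhost
  community.crypto.openssl_csr:
    path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.csr"
    privatekey_path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.key"
    common_name: "{{inventory_hostname_short}}"
    subject_alt_name: "{% if gen_tls_tld is defined %}DNS:{{ inventory_hostname_short }}.{{ gen_tls_tld }},{% endif %}DNS:{{inventory_hostname}},DNS:{{inventory_hostname_short}},IP:{{(alt_interface_ip is defined) | ternary(alt_interface_ip, ansible_default_ipv4.address)}},IP:0.0.0.0,IP:127.0.0.1"
  when:
    - not server_csr.stat.exists
    - gen_tls_generate_server_cert
    - gen_tls_server_enable_san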
# Controller-side check for an already issued certificate (PEM).
- name: Check if the server cert exists
  delegate_to: localhost
  register: server_crt
  stat:
    path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.pem"
# Sign the CSR with the role's own CA (provider ownca), valid for
# gen_tls_server_valid_days days, only when no certificate exists yet.
# NOTE(review): ignore_errors keeps the play going when signing fails
# (e.g. missing CA material); the copy task below is then skipped and the
# host is left without a certificate while the run still reports success.
- name: Create and sign server cert request by CA
  delegate_to: localhost
  register: server_cert_file
  ignore_errors: true
  community.crypto.x509_certificate:
    provider: ownca
    path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.pem"
    csr_path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.csr"
    ownca_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_cert }}"
    ownca_privatekey_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_key }}"
    ownca_not_after: "+{{ gen_tls_server_valid_days }}d"
  when:
    - not server_crt.stat.exists
    - gen_tls_generate_server_cert
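# Push the newly issued certificate to the host. The mode is quoted so it
# is passed as the octal string "0600" rather than a YAML integer.
# NOTE(review): the certificate (public material) lands in local/private
# with mode 0600 while the key went to local/certs; the two destinations
# look swapped, but consumers of these paths must be checked before moving.
# Only runs when the certificate was (re)issued in this play.
- name: Copy the certificate to the remote machine
  become: true
  copy:
    src: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.pem"
    dest: "{{ gen_tls_remote_certs_dir }}/local/private"
    mode: "0600"
    owner: root
    group: root
  when: server_cert_file.changed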