---
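- name: Ensure the custom directories to host certificates are present
  become: true
  file:
    state: directory
    path: "/etc/ssl/{{ item.path }}"
    mode: "{{ item.mode }}"
    owner: root
    group: root
  # `recurse` is intentionally not set: `state: directory` already creates
  # missing intermediate directories, and `recurse: true` would re-apply each
  # item's mode to everything already inside the directory on every run — i.e.
  # 0755 to the private key the copy task below places under local/certs.
  loop:
    - path: local/certs
      mode: "0755"
    - path: local/private
      mode: "0700"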
- name: Check if the server private key exists
  # Runs on the control node: the key lives under cert_dir there, not on the
  # managed host. The result gates key generation in the next task.
  stat:
    path: "{{ cert_dir }}/{{ inventory_hostname_short }}.key"
  delegate_to: localhost
  register: server_key
- name: Create PEM private key for server
  # Generated on the control node, so the key material is only ever written
  # locally under cert_dir and then shipped by the copy task that follows.
  community.crypto.openssl_privatekey:
    path: "{{ cert_dir }}/{{ inventory_hostname_short }}.key"
  delegate_to: localhost
  register: server_key_file
  # openssl_privatekey is idempotent by itself; the stat guard keeps this task
  # from touching an existing key at all. No type/size is given here, so the
  # module defaults apply — pin them explicitly if policy requires a specific
  # key type.
  when: not server_key.stat.exists
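- name: Copy the key on the server
  become: true
  copy:
    src: "{{ cert_dir }}/{{ inventory_hostname_short }}.key"
    # NOTE(review): the private key lands in local/certs while the certificate
    # task further down writes the public cert to local/private — the two look
    # swapped. Left unchanged because consumers reference this path; confirm
    # before moving it.
    dest: /etc/ssl/local/certs/
    # A TLS private key must not be world-readable: 0600 (was 0644) restricts
    # it to the root owner. Give a non-root service access through group
    # ownership rather than by relaxing the mode again. Quoted so YAML does not
    # parse the value as an octal integer.
    mode: "0600"
    owner: root
    group: root
  # Only runs when the key was (re)generated on the control node in this play;
  # a pre-existing local key is never copied, so a rebuilt host gets no key
  # unless the local key is removed first.
  when: server_key_file.changed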
- name: Check if the server CSR exists
  # Control-node check; the result selects whether either CSR task below runs.
  stat:
    path: "{{ cert_dir }}/{{ inventory_hostname_short }}.csr"
  delegate_to: localhost
  register: server_csr
- name: Create CSR for server cert
  community.crypto.openssl_csr:
    path: "{{ cert_dir }}/{{ inventory_hostname_short }}.csr"
    privatekey_path: "{{ cert_dir }}/{{ inventory_hostname_short }}.key"
    common_name: "{{ inventory_hostname_short }}"
  delegate_to: localhost
  # CN-only variant (no subject_alt_name). A task with the same name follows
  # for the SAN case; tls_server_enable_san decides which one runs.
  # NOTE(review): current TLS clients ignore the CN and match on SAN only —
  # confirm the non-SAN path is still wanted.
  when:
    - not server_csr.stat.exists
    - generate_server_cert
    - not tls_server_enable_san
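- name: Create CSR for server cert
  delegate_to: localhost
  community.crypto.openssl_csr:
    path: "{{ cert_dir }}/{{ inventory_hostname_short }}.csr"
    privatekey_path: "{{ cert_dir }}/{{ inventory_hostname_short }}.key"
    common_name: "{{ inventory_hostname_short }}"
    # One SAN entry per item: the module takes a list, which reads and diffs
    # better than one comma-joined string. The IP entry prefers
    # alt_interface_ip when it is defined, otherwise the default IPv4 address.
    subject_alt_name:
      - "DNS:{{ inventory_hostname }}"
      - "DNS:{{ inventory_hostname_short }}"
      - "IP:{{ (alt_interface_ip is defined) | ternary(alt_interface_ip, ansible_default_ipv4.address) }}"
      # NOTE(review): 0.0.0.0 is not an address a client connects to; listing
      # it widens what the cert is valid for — presumably a local-testing
      # convenience, confirm it is still needed.
      - "IP:0.0.0.0"
      - "IP:127.0.0.1"
  # Shares its name with the CN-only task above; only one of the two runs,
  # selected by tls_server_enable_san.
  when:
    - not server_csr.stat.exists
    - generate_server_cert
    - tls_server_enable_san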
- name: Check if the server cert exists
  # Control-node check on the signed certificate; gates the signing task.
  stat:
    path: "{{ cert_dir }}/{{ inventory_hostname_short }}.pem"
  delegate_to: localhost
  register: server_crt
- name: Create and sign server cert request by CA
  # Signed on the control node with the CA key kept under cert_dir; the CA
  # private key never leaves that host.
  community.crypto.x509_certificate:
    provider: ownca
    path: "{{ cert_dir }}/{{ inventory_hostname_short }}.pem"
    csr_path: "{{ cert_dir }}/{{ inventory_hostname_short }}.csr"
    ownca_path: "{{ cert_dir }}/{{ tls_ca_cert }}"
    ownca_privatekey_path: "{{ cert_dir }}/{{ tls_ca_key }}"
    ownca_not_after: "+{{ tls_server_valid_days }}d"
  delegate_to: localhost
  register: server_cert_file
  # NOTE(review): a signing failure is swallowed here — the play continues and
  # the copy task below is simply skipped (changed stays false), so a host can
  # end up without a certificate with only an "ignored" result in the log.
  # Drop ignore_errors unless this is a deliberate best-effort.
  ignore_errors: true
  when:
    - not server_crt.stat.exists
    - generate_server_cert
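- name: Copy the certificate to the remote machine
  become: true
  copy:
    src: "{{ cert_dir }}/{{ inventory_hostname_short }}.pem"
    # NOTE(review): the public certificate goes under local/private while the
    # key task above writes the key to local/certs — looks swapped. Path kept
    # as-is since consumers reference it.
    dest: /etc/ssl/local/private
    # Quoted so the mode is not parsed as a YAML octal integer (same value as
    # before, matching the quoted modes used elsewhere in this file).
    mode: "0600"
    owner: root
    group: root
  # Only copied when the cert was (re)signed in this play; a pre-existing local
  # cert is never re-copied to a rebuilt host.
  when: server_cert_file.changed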