Change CA cert format and add force copy option
The CA certificate has to be in crt form so that the Debian update-ca-certificates executable can manage it. Also added an option to force copying the certificates even if the local files did not change.
parent
21b16fd264
commit
426803e260
|
@ -8,11 +8,12 @@ gen_tls_remote_ca_certs_dir: /etc/ssl/certs
|
|||
gen_tls_generate_ca_cert: false
|
||||
gen_tls_generate_client_cert: false
|
||||
gen_tls_generate_server_cert: false
|
||||
gen_tls_force_copy: false
|
||||
|
||||
# -------
|
||||
# CA CERT
|
||||
# -------
|
||||
gen_tls_ca_cert: ca.pem
|
||||
gen_tls_ca_cert: ca.crt
|
||||
gen_tls_ca_csr: ca.csr
|
||||
gen_tls_ca_key: ca.key
|
||||
gen_tls_ca_key_size: 4096
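Review bot: The default `gen_tls_ca_cert` changes from `ca.pem` to `ca.crt`, but nothing visible in this commit renames or removes a CA file that earlier runs created under the old name, so hosts that were already provisioned keep a stale `ca.pem` in `gen_tls_remote_ca_certs_dir`. If the generation tasks (outside this hunk) look the CA up by this file name, they would presumably treat the CA as missing; that should be confirmed before upgrading an existing deployment. A short comment above the variable would help, for example `# Renamed from ca.pem: rename an existing CA file or override this variable to keep using it`. The new `gen_tls_force_copy` also has no comment explaining what it forces.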
|
||||
|
|
|
@ -36,7 +36,7 @@
|
|||
mode: 0644
|
||||
owner: root
|
||||
group: root
|
||||
when: client_key_file.changed
|
||||
when: client_key_file.changed or gen_tls_force_copy
|
||||
|
||||
- name: Check if the client CSR exists
|
||||
delegate_to: localhost
|
||||
|
@ -84,4 +84,4 @@
|
|||
mode: 0600
|
||||
owner: root
|
||||
group: root
|
||||
when: client_cert_file.changed
|
||||
when: client_cert_file.changed or gen_tls_force_copy
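Review bot: The copy task in the first hunk (`@ -36,7`), which judging by `when: client_key_file.changed` installs the client private key, carries `mode: 0644`, while the certificate task in the second hunk carries `mode: 0600`; the two look swapped, which would leave the key world-readable on the target. With `gen_tls_force_copy` enabled the key is re-copied with that mode on every run, so this is a good moment to set `mode: "0600"` on the key task and `mode: "0644"` on the certificate task. The server tasks file shows the same pair of modes. Both task bodies start outside the hunks, so which file each task copies is inferred from the registered variable names.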
|
||||
|
|
|
@ -33,7 +33,7 @@
|
|||
mode: 0644
|
||||
owner: root
|
||||
group: root
|
||||
when: server_key_file.changed
|
||||
when: server_key_file.changed or gen_tls_force_copy
|
||||
|
||||
- name: Check if the server CSR exists
|
||||
delegate_to: localhost
|
||||
|
@ -93,4 +93,4 @@
|
|||
mode: 0600
|
||||
owner: root
|
||||
group: root
|
||||
when: server_cert_file.changed
|
||||
when: server_cert_file.changed or gen_tls_force_copy
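Review bot: `gen_tls_force_copy` is used bare in `when: server_key_file.changed or gen_tls_force_copy`, so a value supplied as a string (for example `-e gen_tls_force_copy=false`) is a non-empty string and is treated as true, forcing the copy. The role already casts its flags elsewhere, as in `when: gen_tls_populate_etc_hosts|bool`, and the same filter fits here: `when: server_key_file.changed or gen_tls_force_copy|bool`. This applies to the `when:` line at the end of this file and to both `when:` lines in the client tasks file.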
|
||||
|
|
|
@ -21,3 +21,9 @@
|
|||
- name: Populate /etc/hosts with inventory's hosts
|
||||
include_tasks: populate-etc-hosts.yaml
|
||||
when: gen_tls_populate_etc_hosts|bool
|
||||
|
||||
- name: Update system CA on Debian
|
||||
include_tasks: update-debian-ca.yaml
|
||||
when:
|
||||
- gen_tls_generate_certs
|
||||
- ansible_os_family == "Debian"
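Review bot: The new condition tests `gen_tls_generate_certs`, a name that does not appear among the defaults visible in this commit (`gen_tls_generate_ca_cert`, `gen_tls_generate_client_cert`, `gen_tls_generate_server_cert`). If it is not defined elsewhere in the role, the task fails with an undefined-variable error instead of being skipped. Confirm the variable exists in the defaults outside the hunk, and cast it the way the task above casts its flag: `- gen_tls_generate_certs|bool`.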
|
||||
|
|
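--- a/tasks/update-debian-ca.yaml
+++ b/tasks/update-debian-ca.yaml
@@ -0,0 +1,8 @@
+---
+- name: Copy the CA certificate to directory for system CA update
+become: yes
+shell: "cp {{ gen_tls_remote_ca_certs_dir }}/{{ gen_tls_ca_cert }} /usr/local/share/ca-certificates"
+
+- name: Update the system CA
+become: yes
+shell: /usr/sbin/update-ca-certificates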
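Review bot: Both tasks go through `shell`, and the first builds its command line from `gen_tls_remote_ca_certs_dir` and `gen_tls_ca_cert` without quoting, so a value containing spaces or shell metacharacters is interpreted by a root shell under `become`. The copy also reports changed on every run and leaves the owner and mode of the new trust anchor to the umask. The `copy` module with `remote_src: true` avoids the shell and sets explicit permissions. It also lets the trust-store update run only when the file changed or a forced copy is requested, and `command` is enough for `update-ca-certificates`.

```yaml
- name: Copy the CA certificate to directory for system CA update
  become: true
  copy:
    src: "{{ gen_tls_remote_ca_certs_dir }}/{{ gen_tls_ca_cert }}"
    dest: "/usr/local/share/ca-certificates/{{ gen_tls_ca_cert }}"
    remote_src: true
    owner: root
    group: root
    mode: "0644"
  register: system_ca_copy

- name: Update the system CA
  become: true
  command: /usr/sbin/update-ca-certificates
  when: system_ca_copy.changed or gen_tls_force_copy | bool
```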