Change CA cert format and add force copy option

The certificate form of the CA has to be crt to be sure it is manageable
by the Debian update-ca-certificates executable.
Also, added option to force the copy of the certificates, also if the
local files did not change.
This commit is contained in:
sfigato 2021-01-24 22:37:47 +01:00
parent 21b16fd264
commit 426803e260
Signed by: blallo
GPG Key ID: 0CBE577C9B72DC3F
5 changed files with 20 additions and 5 deletions

View File

@ -8,11 +8,12 @@ gen_tls_remote_ca_certs_dir: /etc/ssl/certs
gen_tls_generate_ca_cert: false
gen_tls_generate_client_cert: false
gen_tls_generate_server_cert: false
gen_tls_force_copy: false
# -------
# CA CERT
# -------
gen_tls_ca_cert: ca.pem
gen_tls_ca_cert: ca.crt
gen_tls_ca_csr: ca.csr
gen_tls_ca_key: ca.key
gen_tls_ca_key_size: 4096

View File

@ -36,7 +36,7 @@
mode: 0644
owner: root
group: root
when: client_key_file.changed
when: client_key_file.changed or gen_tls_force_copy
- name: Check if the client CSR exists
delegate_to: localhost
@ -84,4 +84,4 @@
mode: 0600
owner: root
group: root
when: client_cert_file.changed
when: client_cert_file.changed or gen_tls_force_copy

View File

@ -33,7 +33,7 @@
mode: 0644
owner: root
group: root
when: server_key_file.changed
when: server_key_file.changed or gen_tls_force_copy
- name: Check if the server CSR exists
delegate_to: localhost
@ -93,4 +93,4 @@
mode: 0600
owner: root
group: root
when: server_cert_file.changed
when: server_cert_file.changed or gen_tls_force_copy

View File

@ -21,3 +21,9 @@
- name: Populate /etc/hosts with inventory's hosts
include_tasks: populate-etc-hosts.yaml
when: gen_tls_populate_etc_hosts|bool
- name: Update system CA on Debian
include_tasks: update-debian-ca.yaml
when:
- gen_tls_generate_certs
- ansible_os_family == "Debian"

View File

@ -0,0 +1,8 @@
---
- name: Copy the CA certificate to directory for system CA update
become: yes
shell: "cp {{ gen_tls_remote_ca_certs_dir }}/{{ gen_tls_ca_cert }} /usr/local/share/ca-certificates"
- name: Update the system CA
become: yes
shell: /usr/sbin/update-ca-certificates