Change CA cert format and add force copy option
The CA certificate file has to use the .crt extension so that it can be managed by the Debian update-ca-certificates executable. Also added an option to force copying the certificates even if the local files did not change.
This commit is contained in:
parent
21b16fd264
commit
426803e260
|
@ -8,11 +8,12 @@ gen_tls_remote_ca_certs_dir: /etc/ssl/certs
|
||||||
gen_tls_generate_ca_cert: false
|
gen_tls_generate_ca_cert: false
|
||||||
gen_tls_generate_client_cert: false
|
gen_tls_generate_client_cert: false
|
||||||
gen_tls_generate_server_cert: false
|
gen_tls_generate_server_cert: false
|
||||||
|
gen_tls_force_copy: false
|
||||||
|
|
||||||
# -------
|
# -------
|
||||||
# CA CERT
|
# CA CERT
|
||||||
# -------
|
# -------
|
||||||
gen_tls_ca_cert: ca.pem
|
gen_tls_ca_cert: ca.crt
|
||||||
gen_tls_ca_csr: ca.csr
|
gen_tls_ca_csr: ca.csr
|
||||||
gen_tls_ca_key: ca.key
|
gen_tls_ca_key: ca.key
|
||||||
gen_tls_ca_key_size: 4096
|
gen_tls_ca_key_size: 4096
|
||||||
|
|
|
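Review bot: The new default `gen_tls_force_copy: false` is added without a comment, unlike the sectioned defaults below it, and nothing in the file records why `gen_tls_ca_cert` changed from `ca.pem` to `ca.crt`. Suggest `# Copy the certificates to the remote hosts even when the local files did not change` above the new flag, and `# Keep the .crt extension: Debian's update-ca-certificates only imports *.crt files` above `gen_tls_ca_cert`. The hunk header shows the file starts before line 8, so the variables above this block are not visible here.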
@ -36,7 +36,7 @@
|
||||||
mode: 0644
|
mode: 0644
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
when: client_key_file.changed
|
when: client_key_file.changed or gen_tls_force_copy
|
||||||
|
|
||||||
- name: Check if the client CSR exists
|
- name: Check if the client CSR exists
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
|
@ -84,4 +84,4 @@
|
||||||
mode: 0600
|
mode: 0600
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
when: client_cert_file.changed
|
when: client_cert_file.changed or gen_tls_force_copy
|
||||||
|
|
|
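Review bot: `gen_tls_force_copy` is tested as a bare value in the new condition `when: client_key_file.changed or gen_tls_force_copy`, so a value that arrives as a string — for example `-e gen_tls_force_copy=false` on the command line — is non-empty and therefore true, forcing the copy the caller meant to disable. The same applies to the three sibling conditions for `client_cert_file`, `server_key_file` and `server_cert_file` in the later hunks. Casting the flag makes the intent explicit and matches the `|bool` filter the role already applies to `gen_tls_populate_etc_hosts`: `when: client_key_file.changed or gen_tls_force_copy | bool`. The tasks these conditions belong to start outside the hunks.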
@ -33,7 +33,7 @@
|
||||||
mode: 0644
|
mode: 0644
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
when: server_key_file.changed
|
when: server_key_file.changed or gen_tls_force_copy
|
||||||
|
|
||||||
- name: Check if the server CSR exists
|
- name: Check if the server CSR exists
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
|
@ -93,4 +93,4 @@
|
||||||
mode: 0600
|
mode: 0600
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
when: server_cert_file.changed
|
when: server_cert_file.changed or gen_tls_force_copy
|
||||||
|
|
|
@ -21,3 +21,9 @@
|
||||||
- name: Populate /etc/hosts with inventory's hosts
|
- name: Populate /etc/hosts with inventory's hosts
|
||||||
include_tasks: populate-etc-hosts.yaml
|
include_tasks: populate-etc-hosts.yaml
|
||||||
when: gen_tls_populate_etc_hosts|bool
|
when: gen_tls_populate_etc_hosts|bool
|
||||||
|
|
||||||
|
- name: Update system CA on Debian
|
||||||
|
include_tasks: update-debian-ca.yaml
|
||||||
|
when:
|
||||||
|
- gen_tls_generate_certs
|
||||||
|
- ansible_os_family == "Debian"
|
||||||
|
|
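Review bot: The new include condition tests `gen_tls_generate_certs` as a bare value, while the include directly above it uses `gen_tls_populate_etc_hosts|bool`; a flag supplied as the string "false" would be truthy here, so the list item should read `- gen_tls_generate_certs | bool`. The include also runs on every play against Debian hosts whether or not the CA file on the host changed, so if the included tasks are not idempotent the play will report a change each run; registering the result of the CA copy task and gating on it would be tighter, though where the CA is copied is not visible in this hunk. `ansible_os_family == "Debian"` presumably relies on fact gathering being enabled for the play — worth stating in the role README.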
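--- a/tasks/update-debian-ca.yaml
+++ b/tasks/update-debian-ca.yaml
@@ -0,0 +1,8 @@
+---
+- name: Copy the CA certificate to directory for system CA update
+become: yes
+shell: "cp {{ gen_tls_remote_ca_certs_dir }}/{{ gen_tls_ca_cert }} /usr/local/share/ca-certificates"
+
+- name: Update the system CA
+become: yes
+shell: /usr/sbin/update-ca-certificates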