make the role indempotant with cert renewal

This commit is contained in:
histausse 2021-09-11 16:39:42 +02:00
parent ce8496040a
commit 0a3b7bf590
Signed by: histausse
GPG key ID: 67486F107F62E9E9
2 changed files with 27 additions and 11 deletions


@ -3,3 +3,5 @@ key_usage:
- digitalSignature - digitalSignature
- keyEncipherment - keyEncipherment
validity_duration: "+365d" validity_duration: "+365d"
time_before_expiration_for_renewal: "+30d" # need a better name
force_renewal: no
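Review bot: `force_renewal: no` on the last added line is the YAML 1.1 truthy spelling; Ansible's loader reads it as boolean false, but yamllint/ansible-lint reject it and it is the spelling most likely to be misread when a caller overrides the variable, so write `force_renewal: false`. The `# need a better name` comment on `time_before_expiration_for_renewal` leaves the operator guessing what the value means; since the tasks file feeds it to `openssl_certificate_info` as a `valid_at` time, replace it with `# Relative time (openssl_certificate_info valid_at syntax): renew when the cert would no longer be valid this far from now`. It is also worth stating there that the renewal decision is based on expiry only, so a still-valid certificate is kept even if `ca_cert` has changed since it was issued, and `force_renewal: true` is the way to reissue in that case.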


@ -9,6 +9,20 @@
path: "{{ directory }}/{{ cname }}.key" path: "{{ directory }}/{{ cname }}.key"
register: key_file register: key_file
- name: Test if the cert already exist
stat:
path: "{{ directory }}/{{ cname }}.crt"
register: cert_file
- name: Test if we need to renew the certificate
openssl_certificate_info:
path: "{{ directory }}/{{ cname }}.crt"
valid_at:
renewal: "{{ time_before_expiration_for_renewal }}"
register: validity
when: cert_file.stat.exists
# TODO: Use a block to have only one `when`
- name: Generate private key - name: Generate private key
become: false become: false
openssl_privatekey: openssl_privatekey:
@ -16,7 +30,7 @@
mode: u=rw,g=,o= mode: u=rw,g=,o=
size: "{{ key_size | default(omit) }}" size: "{{ key_size | default(omit) }}"
delegate_to: localhost delegate_to: localhost
when: not key_file.stat.exists when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
# TODO: add a revocation methode, most probably crl, with crl_distribution_points # TODO: add a revocation methode, most probably crl, with crl_distribution_points
- name: Generate a Certificate Signing Request - name: Generate a Certificate Signing Request
@ -38,7 +52,7 @@
key_usage_critical: yes key_usage_critical: yes
subject_alt_name: "{{ subject_alt_name | default(omit) }}" subject_alt_name: "{{ subject_alt_name | default(omit) }}"
delegate_to: localhost delegate_to: localhost
when: not key_file.stat.exists when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Put the CA in a file - name: Put the CA in a file
become: false become: false
@ -46,7 +60,7 @@
content: "{{ ca_cert }}" content: "{{ ca_cert }}"
dest: "/tmp/ansible_hacky_pki_ca.crt" dest: "/tmp/ansible_hacky_pki_ca.crt"
delegate_to: localhost delegate_to: localhost
when: not key_file.stat.exists when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Put the CA key in a file - name: Put the CA key in a file
become: false become: false
@ -55,7 +69,7 @@
dest: "/tmp/ansible_hacky_pki_ca.key" dest: "/tmp/ansible_hacky_pki_ca.key"
mode: u=rw,g=,o= mode: u=rw,g=,o=
delegate_to: localhost delegate_to: localhost
when: not key_file.stat.exists when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Sign the certificate - name: Sign the certificate
become: false become: false
@ -68,7 +82,7 @@
ownca_privatekey_path: /tmp/ansible_hacky_pki_ca.key ownca_privatekey_path: /tmp/ansible_hacky_pki_ca.key
provider: ownca provider: ownca
delegate_to: localhost delegate_to: localhost
when: not key_file.stat.exists when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Send private key to the server - name: Send private key to the server
copy: copy:
@ -77,7 +91,7 @@
owner: "{{ owner | default('root') }}" owner: "{{ owner | default('root') }}"
group: "{{ group | default('root') }}" group: "{{ group | default('root') }}"
mode: "{{ key_mode | default('u=rw,g=,o=') }}" mode: "{{ key_mode | default('u=rw,g=,o=') }}"
when: not key_file.stat.exists when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Send certificate to the server - name: Send certificate to the server
copy: copy:
@ -86,7 +100,7 @@
owner: "{{ owner | default('root') }}" owner: "{{ owner | default('root') }}"
group: "{{ group | default('root') }}" group: "{{ group | default('root') }}"
mode: "{{ key_mode | default('u=rw,g=r,o=r') }}" mode: "{{ key_mode | default('u=rw,g=r,o=r') }}"
when: not key_file.stat.exists when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
# Clean up # Clean up
- name: Remove the local cert key - name: Remove the local cert key
@ -95,7 +109,7 @@
path: "/tmp/ansible_hacky_pki_{{ cname }}.key" path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
state: absent state: absent
delegate_to: localhost delegate_to: localhost
when: not key_file.stat.exists when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Remove the CSR - name: Remove the CSR
become: false become: false
@ -103,7 +117,7 @@
path: "/tmp/ansible_hacky_pki_{{ cname }}.csr" path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
state: absent state: absent
delegate_to: localhost delegate_to: localhost
when: not key_file.stat.exists when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Remove the local certificate - name: Remove the local certificate
become: false become: false
@ -111,7 +125,7 @@
path: "/tmp/ansible_hacky_pki_{{ cname }}.crt" path: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
state: absent state: absent
delegate_to: localhost delegate_to: localhost
when: not key_file.stat.exists when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Remove the CA certificate - name: Remove the CA certificate
become: false become: false
@ -119,7 +133,7 @@
path: /tmp/ansible_hacky_pki_ca.crt path: /tmp/ansible_hacky_pki_ca.crt
state: absent state: absent
delegate_to: localhost delegate_to: localhost
when: not key_file.stat.exists when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Remove the CA key - name: Remove the CA key
become: false become: false