make the role indempotant with cert renewal
This commit is contained in:
parent
ce8496040a
commit
0a3b7bf590
GPG key ID:
67486F107F62E9E9
2 changed files with 27 additions and 11 deletions
|
|
@ -3,3 +3,5 @@ key_usage:
|
||||||
- digitalSignature
|
- digitalSignature
|
||||||
- keyEncipherment
|
- keyEncipherment
|
||||||
validity_duration: "+365d"
|
validity_duration: "+365d"
|
||||||
|
time_before_expiration_for_renewal: "+30d" # need a better name
|
||||||
|
force_renewal: no
|
||||||
|
|
|
||||||
|
|
@ -9,6 +9,20 @@
|
||||||
path: "{{ directory }}/{{ cname }}.key"
|
path: "{{ directory }}/{{ cname }}.key"
|
||||||
register: key_file
|
register: key_file
|
||||||
|
|
||||||
|
- name: Test if the cert already exist
|
||||||
|
stat:
|
||||||
|
path: "{{ directory }}/{{ cname }}.crt"
|
||||||
|
register: cert_file
|
||||||
|
|
||||||
|
- name: Test if we need to renew the certificate
|
||||||
|
openssl_certificate_info:
|
||||||
|
path: "{{ directory }}/{{ cname }}.crt"
|
||||||
|
valid_at:
|
||||||
|
renewal: "{{ time_before_expiration_for_renewal }}"
|
||||||
|
register: validity
|
||||||
|
when: cert_file.stat.exists
|
||||||
|
|
||||||
|
# TODO: Use a block to have only one `when`
|
||||||
- name: Generate private key
|
- name: Generate private key
|
||||||
become: false
|
become: false
|
||||||
openssl_privatekey:
|
openssl_privatekey:
|
||||||
|
|
@ -16,7 +30,7 @@
|
||||||
mode: u=rw,g=,o=
|
mode: u=rw,g=,o=
|
||||||
size: "{{ key_size | default(omit) }}"
|
size: "{{ key_size | default(omit) }}"
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
when: not key_file.stat.exists
|
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
|
||||||
|
|
||||||
# TODO: add a revocation methode, most probably crl, with crl_distribution_points
|
# TODO: add a revocation methode, most probably crl, with crl_distribution_points
|
||||||
- name: Generate a Certificate Signing Request
|
- name: Generate a Certificate Signing Request
|
||||||
|
|
@ -38,7 +52,7 @@
|
||||||
key_usage_critical: yes
|
key_usage_critical: yes
|
||||||
subject_alt_name: "{{ subject_alt_name | default(omit) }}"
|
subject_alt_name: "{{ subject_alt_name | default(omit) }}"
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
when: not key_file.stat.exists
|
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
|
||||||
|
|
||||||
- name: Put the CA in a file
|
- name: Put the CA in a file
|
||||||
become: false
|
become: false
|
||||||
|
|
@ -46,7 +60,7 @@
|
||||||
content: "{{ ca_cert }}"
|
content: "{{ ca_cert }}"
|
||||||
dest: "/tmp/ansible_hacky_pki_ca.crt"
|
dest: "/tmp/ansible_hacky_pki_ca.crt"
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
when: not key_file.stat.exists
|
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
|
||||||
|
|
||||||
- name: Put the CA key in a file
|
- name: Put the CA key in a file
|
||||||
become: false
|
become: false
|
||||||
|
|
@ -55,7 +69,7 @@
|
||||||
dest: "/tmp/ansible_hacky_pki_ca.key"
|
dest: "/tmp/ansible_hacky_pki_ca.key"
|
||||||
mode: u=rw,g=,o=
|
mode: u=rw,g=,o=
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
when: not key_file.stat.exists
|
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
|
||||||
|
|
||||||
- name: Sign the certificate
|
- name: Sign the certificate
|
||||||
become: false
|
become: false
|
||||||
|
|
@ -68,7 +82,7 @@
|
||||||
ownca_privatekey_path: /tmp/ansible_hacky_pki_ca.key
|
ownca_privatekey_path: /tmp/ansible_hacky_pki_ca.key
|
||||||
provider: ownca
|
provider: ownca
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
when: not key_file.stat.exists
|
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
|
||||||
|
|
||||||
- name: Send private key to the server
|
- name: Send private key to the server
|
||||||
copy:
|
copy:
|
||||||
|
|
@ -77,7 +91,7 @@
|
||||||
owner: "{{ owner | default('root') }}"
|
owner: "{{ owner | default('root') }}"
|
||||||
group: "{{ group | default('root') }}"
|
group: "{{ group | default('root') }}"
|
||||||
mode: "{{ key_mode | default('u=rw,g=,o=') }}"
|
mode: "{{ key_mode | default('u=rw,g=,o=') }}"
|
||||||
when: not key_file.stat.exists
|
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
|
||||||
|
|
||||||
- name: Send certificate to the server
|
- name: Send certificate to the server
|
||||||
copy:
|
copy:
|
||||||
|
|
@ -86,7 +100,7 @@
|
||||||
owner: "{{ owner | default('root') }}"
|
owner: "{{ owner | default('root') }}"
|
||||||
group: "{{ group | default('root') }}"
|
group: "{{ group | default('root') }}"
|
||||||
mode: "{{ key_mode | default('u=rw,g=r,o=r') }}"
|
mode: "{{ key_mode | default('u=rw,g=r,o=r') }}"
|
||||||
when: not key_file.stat.exists
|
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
|
||||||
|
|
||||||
# Clean up
|
# Clean up
|
||||||
- name: Remove the local cert key
|
- name: Remove the local cert key
|
||||||
|
|
@ -95,7 +109,7 @@
|
||||||
path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
|
path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
|
||||||
state: absent
|
state: absent
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
when: not key_file.stat.exists
|
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
|
||||||
|
|
||||||
- name: Remove the CSR
|
- name: Remove the CSR
|
||||||
become: false
|
become: false
|
||||||
|
|
@ -103,7 +117,7 @@
|
||||||
path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
|
path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
|
||||||
state: absent
|
state: absent
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
when: not key_file.stat.exists
|
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
|
||||||
|
|
||||||
- name: Remove the local certificate
|
- name: Remove the local certificate
|
||||||
become: false
|
become: false
|
||||||
|
|
@ -111,7 +125,7 @@
|
||||||
path: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
|
path: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
|
||||||
state: absent
|
state: absent
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
when: not key_file.stat.exists
|
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
|
||||||
|
|
||||||
- name: Remove the CA certificate
|
- name: Remove the CA certificate
|
||||||
become: false
|
become: false
|
||||||
|
|
@ -119,7 +133,7 @@
|
||||||
path: /tmp/ansible_hacky_pki_ca.crt
|
path: /tmp/ansible_hacky_pki_ca.crt
|
||||||
state: absent
|
state: absent
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
when: not key_file.stat.exists
|
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
|
||||||
|
|
||||||
- name: Remove the CA key
|
- name: Remove the CA key
|
||||||
become: false
|
become: false
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue