diff --git a/roles/generate-cert/tasks/main.yml b/roles/generate-cert/tasks/main.yml index 9afa09a..b4c583f 100644 --- a/roles/generate-cert/tasks/main.yml +++ b/roles/generate-cert/tasks/main.yml @@ -22,125 +22,115 @@ register: validity when: cert_file.stat.exists -# TODO: Use a block to have only one `when` -- name: Generate private key - become: false - openssl_privatekey: - path: "/tmp/ansible_hacky_pki_{{ cname }}.key" - mode: u=rw,g=,o= - size: "{{ key_size | default(omit) }}" - delegate_to: localhost +- name: Generate the certificate + block: + - name: Generate private key + become: false + openssl_privatekey: + path: "/tmp/ansible_hacky_pki_{{ cname }}.key" + mode: u=rw,g=,o= + size: "{{ key_size | default(omit) }}" + delegate_to: localhost + + # TODO: add a revocation methode, most probably crl, with crl_distribution_points + - name: Generate a Certificate Signing Request + become: false + openssl_csr: + path: "/tmp/ansible_hacky_pki_{{ cname }}.csr" + privatekey_path: "/tmp/ansible_hacky_pki_{{ cname }}.key" + common_name: "{{ cname }}" + country_name: "{{ country_name | default(omit) }}" + locality_name: "{{ locality_name | default(omit) }}" + state_or_province_name: "{{ state_or_province_name | default(omit) }}" + organization_name: "{{ organization_name | default(omit) }}" + organizational_unit_name: "{{ organizational_unit_name | default(omit) }}" + email_address: "{{ email_address | default(omit) }}" + basic_constraints: + - CA:FALSE # syntax? + basic_constraints_critical: yes + key_usage: "{{ key_usage }}" + key_usage_critical: yes + subject_alt_name: "{{ subject_alt_name | default(omit) }}" + delegate_to: localhost + + - name: Put the CA in a file + become: false + copy: + content: "{{ ca_cert }}" + dest: "/tmp/ansible_hacky_pki_ca.crt" + delegate_to: localhost + + - name: Put the CA key in a file + become: false + copy: + content: "{{ ca_key }}" + dest: "/tmp/ansible_hacky_pki_ca.key" + mode: u=rw,g=,o= + delegate_to: localhost + no_log: yes + + - name: Sign the certificate + become: false + openssl_certificate: + path: "/tmp/ansible_hacky_pki_{{ cname }}.crt" + csr_path: "/tmp/ansible_hacky_pki_{{ cname }}.csr" + ownca_not_after: "{{ validity_duration }}" + ownca_path: /tmp/ansible_hacky_pki_ca.crt + ownca_privatekey_passphrase: "{{ ca_passphrase }}" + ownca_privatekey_path: /tmp/ansible_hacky_pki_ca.key + provider: ownca + delegate_to: localhost + + - name: Send private key to the server + copy: + src: "/tmp/ansible_hacky_pki_{{ cname }}.key" + dest: "{{ directory }}/{{ cname }}.key" + owner: "{{ owner | default('root') }}" + group: "{{ group | default('root') }}" + mode: "{{ key_mode | default('u=rw,g=,o=') }}" + no_log: yes + + - name: Send certificate to the server + copy: + src: "/tmp/ansible_hacky_pki_{{ cname }}.crt" + dest: "{{ directory }}/{{ cname }}.crt" + owner: "{{ owner | default('root') }}" + group: "{{ group | default('root') }}" + mode: "{{ key_mode | default('u=rw,g=r,o=r') }}" + + # Clean up + - name: Remove the local cert key + become: false + file: + path: "/tmp/ansible_hacky_pki_{{ cname }}.key" + state: absent + delegate_to: localhost + + - name: Remove the CSR + become: false + file: + path: "/tmp/ansible_hacky_pki_{{ cname }}.csr" + state: absent + delegate_to: localhost + + - name: Remove the local certificate + become: false + file: + path: "/tmp/ansible_hacky_pki_{{ cname }}.crt" + state: absent + delegate_to: localhost + + - name: Remove the CA certificate + become: false + file: + path: /tmp/ansible_hacky_pki_ca.crt + state: absent + delegate_to: localhost + + - name: Remove the CA key + become: false + file: + path: /tmp/ansible_hacky_pki_ca.key + state: absent + delegate_to: localhost when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -# TODO: add a revocation methode, most probably crl, with crl_distribution_points -- name: Generate a Certificate Signing Request - become: false - openssl_csr: - path: "/tmp/ansible_hacky_pki_{{ cname }}.csr" - privatekey_path: "/tmp/ansible_hacky_pki_{{ cname }}.key" - common_name: "{{ cname }}" - country_name: "{{ country_name | default(omit) }}" - locality_name: "{{ locality_name | default(omit) }}" - state_or_province_name: "{{ state_or_province_name | default(omit) }}" - organization_name: "{{ organization_name | default(omit) }}" - organizational_unit_name: "{{ organizational_unit_name | default(omit) }}" - email_address: "{{ email_address | default(omit) }}" - basic_constraints: - - CA:FALSE # syntax? - basic_constraints_critical: yes - key_usage: "{{ key_usage }}" - key_usage_critical: yes - subject_alt_name: "{{ subject_alt_name | default(omit) }}" - delegate_to: localhost - when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -- name: Put the CA in a file - become: false - copy: - content: "{{ ca_cert }}" - dest: "/tmp/ansible_hacky_pki_ca.crt" - delegate_to: localhost - when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -- name: Put the CA key in a file - become: false - copy: - content: "{{ ca_key }}" - dest: "/tmp/ansible_hacky_pki_ca.key" - mode: u=rw,g=,o= - delegate_to: localhost - no_log: yes - when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -- name: Sign the certificate - become: false - openssl_certificate: - path: "/tmp/ansible_hacky_pki_{{ cname }}.crt" - csr_path: "/tmp/ansible_hacky_pki_{{ cname }}.csr" - ownca_not_after: "{{ validity_duration }}" - ownca_path: /tmp/ansible_hacky_pki_ca.crt - ownca_privatekey_passphrase: "{{ ca_passphrase }}" - ownca_privatekey_path: /tmp/ansible_hacky_pki_ca.key - provider: ownca - delegate_to: localhost - when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -- name: Send private key to the server - copy: - src: "/tmp/ansible_hacky_pki_{{ cname }}.key" - dest: "{{ directory }}/{{ cname }}.key" - owner: "{{ owner | default('root') }}" - group: "{{ group | default('root') }}" - mode: "{{ key_mode | default('u=rw,g=,o=') }}" - no_log: yes - when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -- name: Send certificate to the server - copy: - src: "/tmp/ansible_hacky_pki_{{ cname }}.crt" - dest: "{{ directory }}/{{ cname }}.crt" - owner: "{{ owner | default('root') }}" - group: "{{ group | default('root') }}" - mode: "{{ key_mode | default('u=rw,g=r,o=r') }}" - when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -# Clean up -- name: Remove the local cert key - become: false - file: - path: "/tmp/ansible_hacky_pki_{{ cname }}.key" - state: absent - delegate_to: localhost - when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -- name: Remove the CSR - become: false - file: - path: "/tmp/ansible_hacky_pki_{{ cname }}.csr" - state: absent - delegate_to: localhost - when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -- name: Remove the local certificate - become: false - file: - path: "/tmp/ansible_hacky_pki_{{ cname }}.crt" - state: absent - delegate_to: localhost - when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -- name: Remove the CA certificate - become: false - file: - path: /tmp/ansible_hacky_pki_ca.crt - state: absent - delegate_to: localhost - when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -- name: Remove the CA key - become: false - file: - path: /tmp/ansible_hacky_pki_ca.key - state: absent - delegate_to: localhost - when: not key_file.stat.exists