From 31db1c1e29fcbba058a1c4ba01c8338005c221f5 Mon Sep 17 00:00:00 2001
From: Jeltz
Date: Sun, 20 Sep 2020 14:27:39 +0200
Subject: [PATCH] =?UTF-8?q?Correction=20du=20cert-builder=20pour=20h=C3=B4?=
 =?UTF-8?q?te=20tiers.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On accède à la configuration de `openssl_ca_host` via `hostvars` et pas directement pour que le rôle fonctionne pour un hôte différent de `openssl_ca_host`.
---
 roles/openssl-cert-builder/tasks/main.yml | 38 +++++++++++++++--------
 1 file changed, 25 insertions(+), 13 deletions(-)

diff --git a/roles/openssl-cert-builder/tasks/main.yml b/roles/openssl-cert-builder/tasks/main.yml
index f92d6ed..a13a0f5 100644
--- a/roles/openssl-cert-builder/tasks/main.yml
+++ b/roles/openssl-cert-builder/tasks/main.yml
@@ -39,49 +39,61 @@ - name: Download the CSR to local
fetch:
src: "/etc/ssl/csr/{{ certificate.slug }}.csr"
- dest: "loot/csr/{{ certificate.slug }}.csr"
+ dest: "loot/csr/ext/{{ certificate.slug }}.csr"
flat: yes

+- name: Create directories for CSRs and certificates
+ become: true
+ file:
+ state: directory
+ name: "{{ item }}"
+ owner: root
+ group: root
+ mode: u=rwx,g=rx,o=rx
+ loop:
+ - /etc/ssl/csr/ext
+ - /etc/ssl/certs/ext
+
- name: Upload the CSR to CA server
become: true
copy:
# FIXME: on devrait faire un répertoire "incoming" pour
# pas réecrire la CSR et le certificat de l'AC !
- src: "loot/csr/{{ certificate.slug }}.csr"
- dest: "/etc/ssl/csr/{{ certificate.slug }}.csr"
+ src: "loot/csr/ext/{{ certificate.slug }}.csr"
+ dest: "/etc/ssl/csr/ext/{{ certificate.slug }}.csr"
owner: root
group: root
mode: u=r,g=r,o=r
+ delegate_to: "{{ openssl_ca_host }}"

- name: Generate the certificate from CSR
become: yes
openssl_certificate:
- ownca_privatekey_path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
- ownca_path: "/etc/ssl/certs/{{ root_ca.slug }}.pem"
- csr_path: "/etc/ssl/csr/{{ certificate.slug }}.csr"
- path: "/etc/ssl/certs/{{ certificate.slug }}.pem"
+ ownca_privatekey_path: "/etc/ssl/private/{{ hostvars[openssl_ca_host].root_ca.slug }}.pem"
+ ownca_path: "/etc/ssl/certs/{{ hostvars[openssl_ca_host].root_ca.slug }}.pem"
+ csr_path: "/etc/ssl/csr/ext/{{ certificate.slug }}.csr"
+ path: "/etc/ssl/certs/ext/{{ certificate.slug }}.pem"
owner: root
group: root
mode: u=r,g=r,o=r
provider: ownca
ownca_not_before: "{{ certificate.not_before }}"
ownca_not_after: "{{ certificate.not_after }}"
- ownca_locality_name: "{{ root_ca.locality_name }}"
- ownca_country_name: "{{ root_ca.country_name }}"
- ownca_organization_name: "{{ root_ca.organization_name }}"
+ ownca_locality_name: "{{ hostvars[openssl_ca_host].root_ca.locality_name }}"
+ ownca_country_name: "{{ hostvars[openssl_ca_host].root_ca.country_name }}"
delegate_to: "{{ openssl_ca_host }}"

- name: Retrieve the certificate
fetch:
- src: "/etc/ssl/certs/{{ certificate.slug }}.pem"
- dest: "loot/certs/{{ certificate.slug }}.pem"
+ src: "/etc/ssl/certs/ext/{{ certificate.slug }}.pem"
+ dest: "loot/certs/ext/{{ certificate.slug }}.pem"
flat: yes
delegate_to: "{{ openssl_ca_host }}"

- name: Send the certificate to host
become: yes
copy:
- src: "loot/certs/{{ certificate.slug }}.pem"
+ src: "loot/certs/ext/{{ certificate.slug }}.pem"
dest: "/etc/ssl/certs/{{ certificate.slug }}.pem"
owner: root
group: root
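Review bot: The new `Create directories for CSRs and certificates` task is not delegated, yet the directories it creates (`/etc/ssl/csr/ext`, `/etc/ssl/certs/ext`) are only ever written on the CA host — the `Upload the CSR to CA server` copy and the `openssl_certificate` task both carry `delegate_to: "{{ openssl_ca_host }}"`, so on a third-party host the delegated copy fails on a missing parent directory unless the CA already has them from elsewhere. Add `delegate_to: "{{ openssl_ca_host }}"` to the `file` task (and `run_once: true` is reasonable, since the directories are shared by every host the role runs for). The rewritten `openssl_certificate` arguments also drop `ownca_organization_name`, which the commit message does not mention — worth confirming that is intended rather than lost in the `hostvars` rewrite. The FIXME kept above the upload still stands, and is more exposed now that the role serves other hosts: each run writes the fixed `/etc/ssl/csr/ext/{{ certificate.slug }}.csr` on the CA and signs whatever is there, so a stale CSR or two hosts sharing a slug would be signed silently; a per-host subdirectory, or a check that the uploaded CSR matches the one just fetched, would close that. The `Send the certificate to host` task continues past the end of the hunk.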