Correction du cert-builder pour hôte tiers.

On accède à la configuration de `openssl_ca_host` via `hostvars`
et non directement, afin que le rôle fonctionne pour un hôte
différent de `openssl_ca_host`.
This commit is contained in:
jeltz 2020-09-20 14:27:39 +02:00
parent f2ccfbf2ec
commit 31db1c1e29


@ -39,49 +39,61 @@
- name: Download the CSR to local - name: Download the CSR to local
fetch: fetch:
src: "/etc/ssl/csr/{{ certificate.slug }}.csr" src: "/etc/ssl/csr/{{ certificate.slug }}.csr"
dest: "loot/csr/{{ certificate.slug }}.csr" dest: "loot/csr/ext/{{ certificate.slug }}.csr"
flat: yes flat: yes
- name: Create directories for CSRs and certificates
become: true
file:
state: directory
name: "{{ item }}"
owner: root
group: root
mode: u=rwx,g=rx,o=rx
loop:
- /etc/ssl/csr/ext
- /etc/ssl/certs/ext
- name: Upload the CSR to CA server - name: Upload the CSR to CA server
become: true become: true
copy: copy:
# FIXME: on devrait faire un répertoire "incoming" pour # FIXME: on devrait faire un répertoire "incoming" pour
# pas réecrire la CSR et le certificat de l'AC ! # pas réecrire la CSR et le certificat de l'AC !
src: "loot/csr/{{ certificate.slug }}.csr" src: "loot/csr/ext/{{ certificate.slug }}.csr"
dest: "/etc/ssl/csr/{{ certificate.slug }}.csr" dest: "/etc/ssl/csr/ext/{{ certificate.slug }}.csr"
owner: root owner: root
group: root group: root
mode: u=r,g=r,o=r mode: u=r,g=r,o=r
delegate_to: "{{ openssl_ca_host }}"
- name: Generate the certificate from CSR - name: Generate the certificate from CSR
become: yes become: yes
openssl_certificate: openssl_certificate:
ownca_privatekey_path: "/etc/ssl/private/{{ root_ca.slug }}.pem" ownca_privatekey_path: "/etc/ssl/private/{{ hostvars[openssl_ca_host].root_ca.slug }}.pem"
ownca_path: "/etc/ssl/certs/{{ root_ca.slug }}.pem" ownca_path: "/etc/ssl/certs/{{ hostvars[openssl_ca_host].root_ca.slug }}.pem"
csr_path: "/etc/ssl/csr/{{ certificate.slug }}.csr" csr_path: "/etc/ssl/csr/ext/{{ certificate.slug }}.csr"
path: "/etc/ssl/certs/{{ certificate.slug }}.pem" path: "/etc/ssl/certs/ext/{{ certificate.slug }}.pem"
owner: root owner: root
group: root group: root
mode: u=r,g=r,o=r mode: u=r,g=r,o=r
provider: ownca provider: ownca
ownca_not_before: "{{ certificate.not_before }}" ownca_not_before: "{{ certificate.not_before }}"
ownca_not_after: "{{ certificate.not_after }}" ownca_not_after: "{{ certificate.not_after }}"
ownca_locality_name: "{{ root_ca.locality_name }}" ownca_locality_name: "{{ hostvars[openssl_ca_host].root_ca.locality_name }}"
ownca_country_name: "{{ root_ca.country_name }}" ownca_country_name: "{{ hostvars[openssl_ca_host].root_ca.country_name }}"
ownca_organization_name: "{{ root_ca.organization_name }}"
delegate_to: "{{ openssl_ca_host }}" delegate_to: "{{ openssl_ca_host }}"
- name: Retrieve the certificate - name: Retrieve the certificate
fetch: fetch:
src: "/etc/ssl/certs/{{ certificate.slug }}.pem" src: "/etc/ssl/certs/ext/{{ certificate.slug }}.pem"
dest: "loot/certs/{{ certificate.slug }}.pem" dest: "loot/certs/ext/{{ certificate.slug }}.pem"
flat: yes flat: yes
delegate_to: "{{ openssl_ca_host }}" delegate_to: "{{ openssl_ca_host }}"
- name: Send the certificate to host - name: Send the certificate to host
become: yes become: yes
copy: copy:
src: "loot/certs/{{ certificate.slug }}.pem" src: "loot/certs/ext/{{ certificate.slug }}.pem"
dest: "/etc/ssl/certs/{{ certificate.slug }}.pem" dest: "/etc/ssl/certs/{{ certificate.slug }}.pem"
owner: root owner: root
group: root group: root