Ajout d'un rôle de génération de certificats.

Le rôle `openssl-cert-builder` est encore très expérimental et dépend d'une modification de la collection `community.crypto` qui n'est pas encore terminée et donc pas encore intégrée à l'upstream.
4 years ago · 7fd8bd5b9b
parent 4f1d598fb5
commit 7fd8bd5b9b
3 changed files with 95 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,4 @@
 loot/certs/*
 !loot/certs/.gitkeep
+loot/csr/*
+!loot/csr/.gitkeep
--- a/roles/openssl-cert-builder/meta/main.yml
+++ b/roles/openssl-cert-builder/meta/main.yml
@ -0,0 +1,4 @@
+---
+dependencies:
+  - role: openssl-common
+...
--- a/roles/openssl-cert-builder/tasks/main.yml
+++ b/roles/openssl-cert-builder/tasks/main.yml
@ -0,0 +1,89 @@
+---
+- name: Generate the private key
+  become: yes
+  openssl_privatekey:
+    path: "/etc/ssl/private/{{ certificate.slug }}.pem"
+    owner: root
+    group: root
+    mode: u=r,g=,o=
+    type: ECC
+    curve: secp384r1
+
+- name: Generate the CSR
+  become: yes
+  openssl_csr:
+    privatekey_path: "/etc/ssl/private/{{ certificate.slug }}.pem"
+    path: "/etc/ssl/csr/{{ certificate.slug }}.csr"
+    owner: root
+    group: root
+    mode: u=r,g=r,o=r
+    common_name: "{{ certificate.common_name }}"
+    # À terme, tous les champs seront définis via les overrides
+    # directement à la génération du certificat.
+    # On ne veut pas le faire ici, car c'est effectué sur des hôtes
+    # potentiellement compromis, et ils pourraient exploiter une
+    # race condition pour envoyer leur CSR et la faire signer à
+    # l'AC.
+    use_common_name_for_san: true
+    basic_constraints:
+      - CA:FALSE
+    basic_constraints_critical: true
+    key_usage:
+      - digitalSignature
+      - keyEncipherment
+    key_usage_critical: true
+    extended_key_usage:
+      - serverAuth
+    extended_key_usage_critical: true
+
+- name: Download the CSR to local
+  fetch:
+    src: "/etc/ssl/csr/{{ certificate.slug }}.csr"
+    dest: "loot/csr/{{ certificate.slug }}.csr"
+    flat: yes
+
+- name: Upload the CSR to CA server
+  become: true
+  copy:
+    # FIXME: on devrait faire un répertoire "incoming" pour
+    # pas réecrire la CSR et le certificat de l'AC !
+    src: "loot/csr/{{ certificate.slug }}.csr"
+    dest: "/etc/ssl/csr/{{ certificate.slug }}.csr"
+    owner: root
+    group: root
+    mode: u=r,g=r,o=r
+
+- name: Generate the certificate from CSR
+  become: yes
+  openssl_certificate:
+    ownca_privatekey_path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
+    ownca_path: "/etc/ssl/certs/{{ root_ca.slug }}.pem"
+    csr_path: "/etc/ssl/csr/{{ certificate.slug }}.csr"
+    path: "/etc/ssl/certs/{{ certificate.slug }}.pem"
+    owner: root
+    group: root
+    mode: u=r,g=r,o=r
+    provider: ownca
+    ownca_not_before: "{{ certificate.not_before }}"
+    ownca_not_after: "{{ certificate.not_after }}"
+    ownca_locality_name: "{{ root_ca.locality_name }}"
+    ownca_country_name: "{{ root_ca.country_name }}"
+    ownca_organization_name: "{{ root_ca.organization_name }}"
+  delegate_to: "{{ openssl_ca_host }}"
+
+- name: Retrieve the certificate
+  fetch:
+    src: "/etc/ssl/certs/{{ certificate.slug }}.pem"
+    dest: "loot/certs/{{ certificate.slug }}.pem"
+    flat: yes
+  delegate_to: "{{ openssl_ca_host }}"
+
+- name: Send the certificate to host
+  become: yes
+  copy:
+    src: "loot/certs/{{ certificate.slug }}.pem"
+    dest: "/etc/ssl/certs/{{ certificate.slug }}.pem"
+    owner: root
+    group: root
+    mode: u=r,g=r,o=r
+...