On accède à la configuration de `openssl_ca_host` via `hostvars` et pas directement pour que le rôle fonctionne pour un hôte différent de `openssl_ca_host`.
---
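# Guard against a slug collision before anything is written: when this role
# targets the CA host itself and the leaf slug equals the CA's own slug, the
# key generated below and the final certificate copy would land on the CA's
# own paths (/etc/ssl/private/<slug>.pem and /etc/ssl/certs/<slug>.pem).
- name: Refuse a certificate slug that collides with the CA's own slug
  assert:
    that:
      - certificate.slug != hostvars[openssl_ca_host].root_ca.slug
    fail_msg: "certificate.slug must differ from the CA slug {{ hostvars[openssl_ca_host].root_ca.slug }}"

# The private key is generated on the target host itself; nothing in this
# role fetches it, so only the CSR and the signed certificate ever travel
# through the controller (loot/) and the CA host.
- name: Generate the private key
  become: true
  openssl_privatekey:
    path: "/etc/ssl/private/{{ certificate.slug }}.pem"
    owner: root
    group: root
    # symbolic mode: readable by root only, and immune to the YAML octal trap
    mode: u=r,g=,o=
    type: ECC
    curve: secp384r1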
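- name: Generate the CSR
  become: true
  openssl_csr:
    privatekey_path: "/etc/ssl/private/{{ certificate.slug }}.pem"
    path: "/etc/ssl/csr/{{ certificate.slug }}.csr"
    owner: root
    group: root
    # the CSR is public material; it is fetched later without privilege escalation
    mode: u=r,g=r,o=r
    common_name: "{{ certificate.common_name }}"
    # Eventually every field will be set through overrides at signing time,
    # on the CA host, rather than here: this task runs on hosts that may be
    # compromised, and such a host could craft an arbitrary CSR and have the
    # CA sign it (a certificate the technicians' browsers would likely accept).
    # Until that is done, the CA-side tasks must check the CSR before signing.
    use_common_name_for_san: true
    basic_constraints:
      - CA:FALSE
    basic_constraints_critical: true
    # The key above is EC (secp384r1). keyEncipherment is an RSA key-transport
    # bit and is not a defined key usage for id-ecPublicKey (RFC 5480 §3);
    # digitalSignature is all a TLS server certificate with an EC key needs.
    key_usage:
      - digitalSignature
    key_usage_critical: true
    extended_key_usage:
      - serverAuth
    extended_key_usage_critical: true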
# Pull the CSR onto the controller. It is world-readable on the target
# (see the CSR task), so no privilege escalation is needed here.
- name: Download the CSR to local
  fetch:
    flat: true
    src: "/etc/ssl/csr/{{ certificate.slug }}.csr"
    dest: "loot/csr/ext/{{ certificate.slug }}.csr"
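# These two "ext" directories are only referenced by the tasks delegated to
# the CA host (CSR upload, signing, certificate retrieval); nothing on the
# target host uses an "ext" subdirectory. Without delegate_to they were
# created on the target, and the copy to /etc/ssl/csr/ext/ on the CA host
# would fail unless some other role had already created the path there.
# NOTE(review): if the CA role already creates them, this remains idempotent
# and only enforces root:root 0755.
- name: Create directories for CSRs and certificates on the CA host
  become: true
  file:
    state: directory
    name: "{{ item }}"
    owner: root
    group: root
    mode: u=rwx,g=rx,o=rx
  loop:
    - /etc/ssl/csr/ext
    - /etc/ssl/certs/ext
  delegate_to: "{{ openssl_ca_host }}"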
# The CSR originates from a host this role treats as potentially compromised
# (see the CSR task); it is copied as-is and must be checked on the CA host
# before it is signed.
- name: Upload the CSR to CA server
  become: true
  delegate_to: "{{ openssl_ca_host }}"
  copy:
    # FIXME: use an "incoming" directory so that the CA's own CSR and
    # certificate can never be overwritten!
    src: "loot/csr/ext/{{ certificate.slug }}.csr"
    dest: "/etc/ssl/csr/ext/{{ certificate.slug }}.csr"
    owner: root
    group: root
    mode: u=r,g=r,o=r
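# The ownca provider signs the CSR as submitted, subject and extensions
# included. Since the CSR was produced on a potentially compromised host,
# inspect it on the CA host and refuse anything other than what this role
# asked for before the CA key touches it.
- name: Inspect the uploaded CSR before signing it
  become: true
  openssl_csr_info:
    path: "/etc/ssl/csr/ext/{{ certificate.slug }}.csr"
  register: ext_csr
  delegate_to: "{{ openssl_ca_host }}"

- name: Refuse to sign a CSR that differs from what this role requested
  assert:
    that:
      - ext_csr.signature_valid
      - ext_csr.subject.commonName == certificate.common_name
      - "'CA:FALSE' in ext_csr.basic_constraints"
      # extended key usages are reported with OpenSSL's long names
      - ext_csr.extended_key_usage == ['TLS Web Server Authentication']
    fail_msg: "CSR {{ certificate.slug }} does not match the requested profile; refusing to sign it"

- name: Generate the certificate from CSR
  become: true
  openssl_certificate:
    provider: ownca
    ownca_privatekey_path: "/etc/ssl/private/{{ hostvars[openssl_ca_host].root_ca.slug }}.pem"
    ownca_path: "/etc/ssl/certs/{{ hostvars[openssl_ca_host].root_ca.slug }}.pem"
    csr_path: "/etc/ssl/csr/ext/{{ certificate.slug }}.csr"
    path: "/etc/ssl/certs/ext/{{ certificate.slug }}.pem"
    owner: root
    group: root
    # the certificate is public material
    mode: u=r,g=r,o=r
    ownca_not_before: "{{ certificate.not_before }}"
    ownca_not_after: "{{ certificate.not_after }}"
    # NOTE(review): ownca_locality_name / ownca_country_name are not among the
    # documented ownca_* options of the stock openssl_certificate module (the
    # ownca provider takes the subject from the CSR) — confirm against the
    # module version or fork actually in use.
    ownca_locality_name: "{{ hostvars[openssl_ca_host].root_ca.locality_name }}"
    ownca_country_name: "{{ hostvars[openssl_ca_host].root_ca.country_name }}"
  delegate_to: "{{ openssl_ca_host }}"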
# Bring the signed certificate back to the controller. It is world-readable
# on the CA host (see the signing task), so no become is needed.
- name: Retrieve the certificate
  delegate_to: "{{ openssl_ca_host }}"
  fetch:
    flat: true
    src: "/etc/ssl/certs/ext/{{ certificate.slug }}.pem"
    dest: "loot/certs/ext/{{ certificate.slug }}.pem"
# Install the leaf certificate next to the host's other certificates; it is
# public, so world-readable is fine. Note that on the CA host the CA
# certificate lives at /etc/ssl/certs/<root_ca.slug>.pem, so a leaf slug
# equal to the CA slug would overwrite it here when the CA host is also a
# target — keep the two slugs distinct.
- name: Send the certificate to host
  become: true
  copy:
    src: "loot/certs/ext/{{ certificate.slug }}.pem"
    dest: "/etc/ssl/certs/{{ certificate.slug }}.pem"
    owner: root
    group: root
    mode: u=r,g=r,o=r
... |