ca_manager: refactor signing request

Created a reusable tasks list for issung certificates (tls) at the
moment.

Added option for module cert_request to programmatically require
signing of client certificate.

library/cert_request.py

@@ -74,6 +74,11 @@ def main():
                         required=True,
                         choices=['ssh', 'ssl'],
                     ),
+                    client=dict(
+                        required=False,
+                        default=False,
+                        choices=[True, False],
+                    ),
                 ),
                 supports_check_mode=False,
             )
@@ -81,17 +86,24 @@ def main():
     host = module.params.get('host')
     path = module.params.get('path')
     proto = module.params.get('proto')
+    client = module.params.get('client')
 
     with open(path, 'r') as src:
         result = {
             'type': 'sign_request',
             'request': {
-                'keyType': '{}_host'.format(proto),
-                'hostName': host,
                 'keyData': src.read(),
             },
         }
-        module.exit_json(**result)
+
+    if client:
+        result['request']['keyType'] = '{}_user'.format(proto)
+        result['request']['userName'] = host
+    else:
+        result['request']['keyType'] = '{}_host'.format(proto)
+        result['request']['hostName'] = host
+
+    module.exit_json(**result)
 
 
 if __name__ == '__main__':

roles/ldap/tasks/4_setup_tls.yaml

@@ -40,44 +40,6 @@
   tags:
     - 'tls_int'
 
-- when: slapd_cert_is_valid.rc != 0
-  block:
-    - name: 'renewing cert - generating ca request'
-      cert_request:
-        host: '{{ ansible_hostname }}.{{ fqdn_domain }}'
-        path: '/etc/ldap/slapd.csr'
-        proto: 'ssl'
-      register: ca_request
-
-    - name: 'renewing cert - sending ca sign request'
-      include: 'ca-dialog.yaml'
-
-    - set_fact:
-        request_output: '{{ request_result.stdout | string | from_json }}'
-
-    - debug:
-        var: request_result
-
-    - name: 'renewing cert - generating get cert request'
-      set_fact:
-        ca_request:
-          type: 'get_certificate'
-          requestID: '{{ request_output.requestID }}'
-
-    - debug:
-        msg: >
-          Please manually confirm sign request with id
-          {{ request_output.requestID }}
-
-    - name: 'renewing cert - waiting for ca signature'
-      include: 'ca-dialog.yaml'
-
-    - set_fact:
-        cert_key: '{{ request_result.stdout | string | from_json }}'
-
-    - debug:
-        var: request_result
-        verbosity: 2
 - name: 'create slapd cert request'
   shell:
     cmd: >
@@ -90,13 +52,20 @@
   tags:
     - 'tls_int'
 
-    - name: 'renewing cert - storing new cert file'
-      copy:
-        content: '{{ cert_key.result }}'
-        dest: '/etc/ldap/slapd.crt'
+- import_tasks: 'ca-signing-request.yaml'
+  vars:
+    host: '{{ server_fqdn }}'
+    request_path: '/etc/ldap/slapd.csr'
+    output_path: '/etc/ldap/slapd.crt'
+  when: slapd_cert_is_valid.rc != 0
+  tags:
+    - 'tls_int'
 
 # !BUG! Fixed in Ansible dev using ldap_attrs instead of ldap_attr
+# Setting the parameters twice in a row fix the problem.
 # Ref: https://github.com/ansible/ansible/issues/25665
+# **ToDO: Find the right combination, is still failing at the first run
+# but works on the second iteration
 - name: 'configuring TLS options (workaround)'
   ldap_attr:
     dn: 'cn=config'

tasks/ca-signing-request.yaml

@@ -0,0 +1,43 @@
+---
+- name: 'CA_MANAGER | generating json signing request'
+  cert_request:
+    host: '{{ host }}'
+    path: '{{ request_path }}'
+    proto: 'ssl'
+    client: '{{ client | default(false) }}'
+  register: ca_request
+
+- name: 'CA_MANAGER | sending json signing request'
+  include: 'ca-dialog.yaml'
+
+- set_fact:
+    request_output: '{{ request_result.stdout | string | from_json }}'
+
+- debug:
+    var: request_result
+
+- name: 'CA_MANAGER | generating json get request'
+  set_fact:
+    ca_request:
+      type: 'get_certificate'
+      requestID: '{{ request_output.requestID }}'
+
+- debug:
+    msg: >
+      Please manually confirm sign request with id
+      {{ request_output.requestID }}
+
+- name: 'CA_MANAGER | waiting for certificate...'
+  include: 'ca-dialog.yaml'
+
+- set_fact:
+    cert_key: '{{ request_result.stdout | string | from_json }}'
+
+- debug:
+    var: request_result
+    verbosity: 2
+
+- name: 'CA_MANAGER | saving certificate'
+  copy:
+    content: '{{ cert_key.result }}'
+    dest: '{{ output_path }}'