You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
156 lines
5.4 KiB
156 lines
5.4 KiB
---
|
|
- name: 'TLS | verify if cert is valid'
|
|
command: >
|
|
openssl verify
|
|
-CAfile {{ ca_cert_tls_ca_path }}
|
|
-verify_hostname {{ ca_cert_common_name }}
|
|
{{ ca_cert_tls_cert_path }}
|
|
register: ca_cert_tls_cert_is_valid
|
|
check_mode: false
|
|
changed_when: ca_cert_tls_cert_is_valid.rc != 0
|
|
failed_when: false
|
|
when: ca_cert_proto == 'tls'
|
|
|
|
- name: 'SSH | verify if cert is valid and get info'
|
|
ssh_cert:
|
|
path: '{{ ca_cert_ssh_key_path }}-cert.pub'
|
|
ca_path: '{{ ca_cert_ssh_ca_path }}'
|
|
principals: [ '{{ ca_cert_common_name }}' ]
|
|
register: ca_cert_ssh_cert_is_valid
|
|
changed_when: ca_cert_ssh_cert_is_valid.rc != 0
|
|
ignore_errors: true
|
|
check_mode: false
|
|
when: ca_cert_proto == 'ssh'
|
|
|
|
- name: 'TLS | get remaining validity'
|
|
shell: >
|
|
{% if ansible_distribution != 'OpenWrt' %}
|
|
echo $(( ($(date -d "$(openssl x509 -in {{ ca_cert_tls_cert_path }} -enddate -noout | sed "s/.*=\(.*\)/\1/")" +%s)-$(date -d now +%s))/86400 ))
|
|
{% else %}
|
|
echo $(( ($(date -D '%b %e %H:%M:%S %Y' -d "$(openssl x509 -in {{ ca_cert_tls_cert_path }} -enddate -noout | sed "s/.*=\(.*\)/\1/")" +%s)-$(date +%s))/86400 ))
|
|
{% endif %}
|
|
register: ca_cert_cert_remaining_days
|
|
changed_when: false
|
|
check_mode: false
|
|
when: ca_cert_proto == 'tls' and not ca_cert_tls_cert_is_valid.changed
|
|
|
|
- name: 'set cert validity'
|
|
set_fact:
|
|
ca_cert_cert_is_valid: >-
|
|
{% if ca_cert_proto == 'tls' %}{{ ca_cert_tls_cert_is_valid }}{%
|
|
elif ca_cert_proto == 'ssh' %}{{ ca_cert_ssh_cert_is_valid }}{% endif %}
|
|
|
|
- name: 'set remaning validity'
|
|
set_fact:
|
|
ca_cert_cert_remaining_days: >-
|
|
{% if ca_cert_proto == 'tls' %}{{ ca_cert_cert_remaining_days.stdout }}{%
|
|
elif ca_cert_proto == 'ssh' %}{{ ca_cert_cert_is_valid.certificate.valid.remaining_days }}{% endif %}
|
|
when: ca_cert_cert_is_valid.rc|d(1) == 0
|
|
|
|
- name: 'renew'
|
|
block:
|
|
- name: 'RENEW | backup existing private keys'
|
|
copy:
|
|
remote_src: true
|
|
src: '{{ item }}'
|
|
dest: '{{ item }}-backup'
|
|
failed_when: false
|
|
register: ca_cert_key_backup
|
|
loop: '{{ keypair[ca_cert_proto] }}'
|
|
vars:
|
|
keypair:
|
|
ssh:
|
|
- '{{ ca_cert_ssh_key_path }}'
|
|
- '{{ ca_cert_ssh_key_path }}.pub'
|
|
tls:
|
|
- '{{ ca_cert_tls_key_path }}'
|
|
|
|
- name: 'RENEW | TLS | create private key (if not exists)'
|
|
command: >
|
|
openssl genpkey
|
|
-algorithm ed25519
|
|
-out {{ ca_cert_tls_key_path }}
|
|
args:
|
|
creates: >-
|
|
{{ "" if ca_cert_renew_private_key else ca_cert_tls_key_path }}
|
|
when: ca_cert_proto == 'tls'
|
|
|
|
- name: 'RENEW | SSH | create key pair'
|
|
openssh_keypair:
|
|
force: '{{ ca_cert_renew_private_key }}'
|
|
path: '{{ ca_cert_ssh_key_path }}'
|
|
type: 'ed25519'
|
|
when: ca_cert_proto == 'ssh'
|
|
|
|
- name: 'RENEW | TLS | create cert signing request'
|
|
command: >
|
|
openssl req
|
|
-new
|
|
-subj '{{ ca_cert_tls_subj }}'
|
|
-key '{{ ca_cert_tls_key_path }}'
|
|
-out '{{ ca_cert_tls_csr_path }}'
|
|
when: ca_cert_proto == 'tls'
|
|
|
|
- name: 'RENEW | CA_MANAGER | generate json signing request'
|
|
cert_request:
|
|
host: '{{ ca_cert_common_name }}'
|
|
path: >-
|
|
{% if ca_cert_proto == 'tls' %}{{ ca_cert_tls_csr_path }}{%
|
|
elif ca_cert_proto == 'ssh' %}{{ ca_cert_ssh_key_path+'.pub' }}{% endif %}
|
|
proto: '{{ "ssl" if ca_cert_proto == "tls" else ca_cert_proto }}'
|
|
client: '{{ ca_cert_client }}'
|
|
register: ca_cert_signing_request
|
|
|
|
- name: 'RENEW | CA_MANAGER | send signing request'
|
|
raw: '{{ ca_cert_signing_request | to_json }}'
|
|
delegate_to: '{{ ca_cert_ca_manager_host }}'
|
|
delegate_facts: true
|
|
register: ca_cert_signing_request_results
|
|
failed_when: (ca_cert_signing_request_results.stdout|from_json).failed
|
|
|
|
- name: 'RENEW | CA_MANAGER | set signing request id'
|
|
set_fact:
|
|
ca_cert_request_id: >-
|
|
{{ (ca_cert_signing_request_results.stdout|from_json).requestID }}
|
|
|
|
- name: 'RENEW | CA_MANAGER | generate json get request'
|
|
set_fact:
|
|
ca_cert_get_request:
|
|
type: 'get_certificate'
|
|
requestID: '{{ ca_cert_request_id }}'
|
|
|
|
- name: 'RENEW | CA_MANAGER | prompt for signature'
|
|
debug:
|
|
msg: >-
|
|
Please manually confirm sign request with id {{ ca_cert_request_id }}.
|
|
|
|
- name: 'RENEW | CA_MANAGER | send get request'
|
|
raw: '{{ ca_cert_get_request | to_json }}'
|
|
delegate_to: '{{ ca_cert_ca_manager_host }}'
|
|
delegate_facts: true
|
|
register: ca_cert_get_request_results
|
|
failed_when: (ca_cert_get_request_results.stdout|from_json).failed
|
|
|
|
- name: 'RENEW | store new certificate'
|
|
copy:
|
|
content: '{{ (ca_cert_get_request_results.stdout|from_json).result }}'
|
|
dest: >-
|
|
{% if ca_cert_proto == 'tls' %}{{ ca_cert_tls_cert_path }}{%
|
|
elif ca_cert_proto == 'ssh' %}{{ ca_cert_ssh_key_path }}-cert.pub{% endif %}
|
|
rescue:
|
|
- name: 'RENEW FAILED | restore backup'
|
|
copy:
|
|
remote_src: true
|
|
src: '{{ item.dest }}'
|
|
dest: '{{ item.src }}'
|
|
when: not item.failed
|
|
loop: '{{ ca_cert_key_backup.results }}'
|
|
always:
|
|
- name: 'RENEW | clean backup'
|
|
file:
|
|
path: '{{ item.dest }}'
|
|
state: 'absent'
|
|
when: not item.failed
|
|
loop: '{{ ca_cert_key_backup.results }}'
|
|
when: ca_cert_cert_is_valid.changed or ca_cert_cert_remaining_days|int < ca_cert_min_days_validity
|
|
...
|