LILiK
/
lilik_playbook
5
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
395 Commits
12 Branches
967 KiB
Tree: c03b9af325
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c03b9af325'
${ noResults }
lilik_playbook/roles/ca_cert/tasks/main.yaml

156 lines
5.4 KiB
Raw Normal View History

roles/ca_cert: new role! New role to automate generation and issuing of certificate using a `ca_manager` server. Code is more sintentic and concise, and we avoid duplications.
4 years ago
 
  1. ---

  2. - name: 'TLS | verify if cert is valid'

  3.   command: >

  4.     openssl verify

  5.     -CAfile {{ ca_cert_tls_ca_path }}

  6.     -verify_hostname {{ ca_cert_common_name }}

  7.     {{ ca_cert_tls_cert_path }}

  8.   register: ca_cert_tls_cert_is_valid

  9.   check_mode: false

  10.   changed_when: ca_cert_tls_cert_is_valid.rc != 0

  11.   failed_when: false

  12.   when: ca_cert_proto == 'tls'

  13. 

  14. - name: 'SSH | verify if cert is valid and get info'

  15.   ssh_cert:

  16.     path: '{{ ca_cert_ssh_key_path }}-cert.pub'

  17.     ca_path: '{{ ca_cert_ssh_ca_path }}'

  18.     principals: [ '{{ ca_cert_common_name }}' ]

  19.   register: ca_cert_ssh_cert_is_valid

  20.   changed_when: ca_cert_ssh_cert_is_valid.rc != 0

  21.   ignore_errors: true

  22.   check_mode: false

  23.   when: ca_cert_proto == 'ssh'

  24. 

  25. - name: 'TLS | get remaining validity'

  26.   shell: >

  27.     {% if ansible_distribution != 'OpenWrt' %}

  28.     echo $(( ($(date -d "$(openssl x509 -in {{ ca_cert_tls_cert_path }} -enddate -noout | sed "s/.*=\(.*\)/\1/")" +%s)-$(date -d now +%s))/86400 ))

  29.     {% else %}

  30.     echo $(( ($(date -D '%b %e %H:%M:%S %Y' -d "$(openssl x509 -in {{ ca_cert_tls_cert_path }} -enddate -noout | sed "s/.*=\(.*\)/\1/")" +%s)-$(date +%s))/86400 ))

  31.     {% endif %}

  32.   register: ca_cert_cert_remaining_days

  33.   changed_when: false

  34.   check_mode: false

  35.   when: ca_cert_proto == 'tls' and not ca_cert_tls_cert_is_valid.changed

  36. 

  37. - name: 'set cert validity'

  38.   set_fact:

  39.     ca_cert_cert_is_valid: >-

  40.       {% if ca_cert_proto == 'tls' %}{{ ca_cert_tls_cert_is_valid }}{%

  41.        elif ca_cert_proto == 'ssh' %}{{ ca_cert_ssh_cert_is_valid }}{% endif %}

  42. 

  43. - name: 'set remaning validity'

  44.   set_fact:

  45.     ca_cert_cert_remaining_days: >-

  46.       {% if ca_cert_proto == 'tls' %}{{ ca_cert_cert_remaining_days.stdout }}{%

  47.        elif ca_cert_proto == 'ssh' %}{{ ca_cert_cert_is_valid.certificate.valid.remaining_days }}{% endif %}

  48.   when: ca_cert_cert_is_valid.rc|d(1) == 0

  49. 

  50. - name: 'renew'

  51.   block:

  52.     - name: 'RENEW | backup existing private keys'

  53.       copy:

  54.         remote_src: true

  55.         src: '{{ item }}'

  56.         dest: '{{ item }}-backup'

  57.       failed_when: false

  58.       register: ca_cert_key_backup

  59.       loop: '{{ keypair[ca_cert_proto] }}'

  60.       vars:

  61.         keypair:

  62.           ssh:

  63.             - '{{ ca_cert_ssh_key_path }}'

  64.             - '{{ ca_cert_ssh_key_path }}.pub'

  65.           tls:

  66.             - '{{ ca_cert_tls_key_path }}'

  67. 

  68.     - name: 'RENEW | TLS | create private key (if not exists)'

  69.       command: >

  70.         openssl genpkey

  71.         -algorithm ed25519

  72.         -out {{ ca_cert_tls_key_path }}

  73.       args:

  74.         creates: >-

  75.           {{ "" if ca_cert_renew_private_key else ca_cert_tls_key_path }}

  76.       when: ca_cert_proto == 'tls'

  77. 

  78.     - name: 'RENEW | SSH | create key pair'

  79.       openssh_keypair:

  80.         force: '{{ ca_cert_renew_private_key }}'

  81.         path: '{{ ca_cert_ssh_key_path }}'

  82.         type: 'ed25519'

  83.       when: ca_cert_proto == 'ssh'

  84. 

  85.     - name: 'RENEW | TLS | create cert signing request'

  86.       command: >

  87.         openssl req

  88.         -new

  89.         -subj '{{ ca_cert_tls_subj }}'

  90.         -key '{{ ca_cert_tls_key_path }}'

  91.         -out '{{ ca_cert_tls_csr_path }}'

  92.       when: ca_cert_proto == 'tls'

  93. 

  94.     - name: 'RENEW | CA_MANAGER | generate json signing request'

  95.       cert_request:

  96.         host: '{{ ca_cert_common_name }}'

  97.         path: >-

  98.           {% if ca_cert_proto == 'tls' %}{{ ca_cert_tls_csr_path }}{%

  99.            elif ca_cert_proto == 'ssh' %}{{ ca_cert_ssh_key_path+'.pub' }}{% endif %}

  100.         proto: '{{ "ssl" if ca_cert_proto == "tls" else ca_cert_proto }}'

  101.         client: '{{ ca_cert_client }}'

  102.       register: ca_cert_signing_request

  103. 

  104.     - name: 'RENEW | CA_MANAGER | send signing request'

  105.       raw: '{{ ca_cert_signing_request | to_json }}'

  106.       delegate_to: '{{ ca_cert_ca_manager_host }}'

  107.       delegate_facts: true

  108.       register: ca_cert_signing_request_results

  109.       failed_when: (ca_cert_signing_request_results.stdout|from_json).failed

  110. 

  111.     - name: 'RENEW | CA_MANAGER | set signing request id'

  112.       set_fact:

  113.         ca_cert_request_id: >-

  114.           {{ (ca_cert_signing_request_results.stdout|from_json).requestID }}

  115. 

  116.     - name: 'RENEW | CA_MANAGER | generate json get request'

  117.       set_fact:

  118.         ca_cert_get_request:

  119.           type: 'get_certificate'

  120.           requestID: '{{ ca_cert_request_id }}'

  121. 

  122.     - name: 'RENEW | CA_MANAGER | prompt for signature'

  123.       debug:

  124.         msg: >-

  125.           Please manually confirm sign request with id {{ ca_cert_request_id }}.

  126. 

  127.     - name: 'RENEW | CA_MANAGER | send get request'

  128.       raw: '{{ ca_cert_get_request | to_json }}'

  129.       delegate_to: '{{ ca_cert_ca_manager_host }}'

  130.       delegate_facts: true

  131.       register: ca_cert_get_request_results

  132.       failed_when: (ca_cert_get_request_results.stdout|from_json).failed

  133. 

  134.     - name: 'RENEW | store new certificate'

  135.       copy:

  136.         content: '{{ (ca_cert_get_request_results.stdout|from_json).result }}'

  137.         dest: >-

  138.           {% if ca_cert_proto == 'tls' %}{{ ca_cert_tls_cert_path }}{%

  139.            elif ca_cert_proto == 'ssh' %}{{ ca_cert_ssh_key_path }}-cert.pub{% endif %}

  140.   rescue:

  141.     - name: 'RENEW FAILED | restore backup'

  142.       copy:

  143.         remote_src: true

  144.         src: '{{ item.dest }}'

  145.         dest: '{{ item.src }}'

  146.       when: not item.failed

  147.       loop: '{{ ca_cert_key_backup.results }}'

  148.   always:

  149.     - name: 'RENEW | clean backup'

  150.       file:

  151.         path: '{{ item.dest }}'

  152.         state: 'absent'

  153.       when: not item.failed

  154.       loop: '{{ ca_cert_key_backup.results }}'

  155.   when: ca_cert_cert_is_valid.changed or ca_cert_cert_remaining_days|int < ca_cert_min_days_validity

  156. ...