
use module cert_request where possible

this module reads a file containing a public key and prepares
the sign_request for an ssl_host or ssh_host request
python3
Edoardo Putti 7 years ago
parent
commit
a0772bb643
3 changed files with 16 additions and 69 deletions
  1. +5
    -20
      roles/dovecot/tasks/main.yaml
  2. +5
    -20
      roles/exim4/tasks/main.yaml
  3. +6
    -29
      roles/ssh_server/tasks/main.yaml

+ 5
- 20
roles/dovecot/tasks/main.yaml View File

@ -133,27 +133,12 @@
failed_when: false failed_when: false
- block: - block:
- name: get pub key
slurp:
src: "/etc/dovecot/private/dovecot.csr"
register: pub_key
- debug:
var: pub_key
verbosity: 2
- name: generate host request - name: generate host request
set_fact:
ca_request:
type: 'sign_request'
request:
keyType: 'ssl_host'
hostName: '{{ inventory_hostname }}.lilik.it'
keyData: "{{ pub_key.content| b64decode}}"
- debug:
var: authorities_request
verbosity: 2
cert_request:
host: "{{ inventory_hostname }}.lilik.it"
path: "/etc/dovecot/private/dovecot.csr"
proto: "ssl"
register: ca_request
- name: start sign request - name: start sign request
include: ca-dialog.yaml include: ca-dialog.yaml
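Review bot: `register: ca_request` now binds the raw return value of the `cert_request` module, whereas the removed `set_fact` built a dict with the explicit `type: 'sign_request'` / `request: {keyType, hostName, keyData}` shape; `ca-dialog.yaml`, included on the next line, presumably still reads `ca_request`, so either the module must return exactly that structure or ca-dialog.yaml needs to be updated in the same commit — nothing in the hunk shows which. The same substitution is made in the exim4 and ssh_server sections below, so the check applies there too. As a point of style, the three new task bodies disagree on quoting and key order (`host`/`path`/`proto` with double quotes here, `proto`/`host`/`path` with single quotes in exim4); pick one form, e.g. `proto: 'ssl'` first and single quotes throughout, so the roles stay greppable. The enclosing `- block:` starts above the hunk and its `when`/`rescue` clauses, if any, are outside it.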


+ 5
- 20
roles/exim4/tasks/main.yaml View File

@ -106,27 +106,12 @@
failed_when: false failed_when: false
- block: - block:
- name: get pub key
slurp:
src: "/etc/exim4/exim.csr"
register: pub_key
- debug:
var: pub_key
verbosity: 2
- name: generate host request - name: generate host request
set_fact:
ca_request:
type: 'sign_request'
request:
keyType: 'ssl_host'
hostName: '{{ inventory_hostname }}.lilik.it'
keyData: "{{ pub_key.content| b64decode}}"
- debug:
var: authorities_request
verbosity: 2
cert_request:
proto: 'ssl'
host: '{{ inventory_hostname }}.lilik.it'
path: "/etc/exim4/exim.csr"
register: ca_request
- name: start sign request - name: start sign request
include: ca-dialog.yaml include: ca-dialog.yaml
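Review bot: The `path` handed to `cert_request` is the CSR (`/etc/exim4/exim.csr`), while the commit description says the module reads a file containing a public key; if the module really expects a bare public key for `proto: 'ssl'`, the request built here will carry the wrong payload and only fail later inside ca-dialog.yaml, so confirm the module accepts a CSR for the ssl case (the dovecot section passes `dovecot.csr` the same way). The hunk also drops the only verbosity-2 `debug` of the request, so there is nothing left to inspect when the sign request is rejected; keeping a `- debug:` / `    var: ca_request` / `    verbosity: 2` step after the register would restore that without changing behaviour, here and in the dovecot section. The block this task lives in continues outside the hunk.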


+ 6
- 29
roles/ssh_server/tasks/main.yaml View File

@ -23,14 +23,6 @@
dest: "/etc/ssh/user_ca.pub" dest: "/etc/ssh/user_ca.pub"
notify: restart ssh notify: restart ssh
#- name: Check if host certificate is valid
# shell: '[[ $(ssh-keygen -f /etc/ssh/ssh_host_ed25519_key-cert.pub -L |grep "$(ssh-keygen -f /etc/ssh/user_ca.pub -l|cut -d " " -f 2)" -A 3 |grep Valid |cut -d " " -f 13) > $(date +%Y-%m-%dT%H:%M:%S --date "+1 month") ]]'
# args:
# executable: /bin/bash
# register: vm_has_valid_ssh_certificate
# changed_when: false
# failed_when: false
- name: Validate SSH host certificate if any - name: Validate SSH host certificate if any
ssh_cert: ssh_cert:
register: ssh_verification register: ssh_verification
@ -41,27 +33,12 @@
verbosity: 2 verbosity: 2
- block: - block:
- name: Read host public key
slurp:
src: "/etc/ssh/ssh_host_ed25519_key.pub"
register: vm_public_key
- debug:
var: vm_public_key['content']
verbosity: 2
- name: generate host request
set_fact:
ca_request:
type: 'sign_request'
request:
keyType: 'ssh_host'
hostName: '{{ ansible_docker_extra_args or inventory_hostname }}.lilik.it'
keyData: "{{ vm_public_key['content'] | b64decode | replace('\n', '')}}"
- debug:
var: ca_request | to_json
verbosity: 2
- name: Generate host request
host_request:
host: "{{ server_fqdn }}"
path: "/etc/ssh/ssh_host_ed25519_key.pub"
proto: "ssh"
register: ca_request
- name: start sign request - name: start sign request
include: ca-dialog.yaml include: ca-dialog.yaml
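Review bot: The new task in the second hunk calls `host_request:`, while the commit title and the dovecot/exim4 sections use `cert_request:`; unless a module by that name exists in the library, the play will fail at this task, and if it is a deliberate alias it should be the same name everywhere, i.e. `cert_request:`. `host: "{{ server_fqdn }}"` also replaces the former `{{ ansible_docker_extra_args or inventory_hostname }}.lilik.it` expression; `server_fqdn` is not defined anywhere in the hunk, so it must come from group/host vars — verify it is set for every host this role targets, otherwise the request is built with an undefined hostname. The removed `set_fact` stripped the trailing newline from the slurped key (`replace('\n', '')`); if the CA side expects a single-line `ssh-ed25519 ...` string, confirm the module does the same when it reads `ssh_host_ed25519_key.pub`. The enclosing `- block:` and its conditions start above the hunk.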

