diff --git a/library/cert_request.py b/library/cert_request.py index d1958df..d80793b 100644 --- a/library/cert_request.py +++ b/library/cert_request.py @@ -74,6 +74,11 @@ def main(): required=True, choices=['ssh', 'ssl'], ), + client=dict( + required=False, + default=False, + choices=[True, False], + ), ), supports_check_mode=False, ) @@ -81,17 +86,24 @@ def main(): host = module.params.get('host') path = module.params.get('path') proto = module.params.get('proto') + client = module.params.get('client') with open(path, 'r') as src: result = { 'type': 'sign_request', 'request': { - 'keyType': '{}_host'.format(proto), - 'hostName': host, 'keyData': src.read(), }, } - module.exit_json(**result) + + if client: + result['request']['keyType'] = '{}_user'.format(proto) + result['request']['userName'] = host + else: + result['request']['keyType'] = '{}_host'.format(proto) + result['request']['hostName'] = host + + module.exit_json(**result) if __name__ == '__main__': diff --git a/roles/ldap/tasks/4_setup_tls.yaml b/roles/ldap/tasks/4_setup_tls.yaml index d3e9b85..f96dbb2 100644 --- a/roles/ldap/tasks/4_setup_tls.yaml +++ b/roles/ldap/tasks/4_setup_tls.yaml 
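Review bot: `client=dict(required=False, default=False, choices=[True, False])` declares a boolean through `choices` instead of `type='bool'`, so AnsibleModule does no boolean coercion on it; whether the quoted `'{{ client | default(false) }}'` that the new task file passes (a string after templating) survives the choices check depends on the 'True'/'False' string special case in the argument checker, and spellings such as `yes`/`no` fail it outright. `client=dict(type='bool', default=False),` is the idiomatic declaration and guarantees the rest of `main()` sees a real bool. If the module carries a DOCUMENTATION block above this hunk, the option also needs an entry there saying that `client: true` turns the call into a `<proto>_user` signing request with `host` used as the user name. The enclosing `main()` starts outside this hunk.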
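Review bot: `if client:` trusts that the option layer already produced a bool; with the argument spec as written (`choices` rather than `type='bool'`) a string value could reach this test, and any non-empty string is truthy, so the module would emit a `ssl_user`/`ssh_user` request for the host instead of failing — a certificate-type mix-up at a CA boundary is worse than a rejected task. Either declare the option `type='bool'` or guard here with `if module.boolean(client):`. Reusing the `host` parameter as the user-certificate principal is also not obvious from the name; a one-line comment such as `# for client certs the 'host' option is the user principal (userName)` above the branch would help the next reader. `main()` begins before this hunk.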
@@ -40,44 +40,6 @@ tags: - 'tls_int' -- when: slapd_cert_is_valid.rc != 0 - block: - - name: 'renewing cert - generating ca request' - cert_request: - host: '{{ ansible_hostname }}.{{ fqdn_domain }}' - path: '/etc/ldap/slapd.csr' - proto: 'ssl' - register: ca_request - - - name: 'renewing cert - sending ca sign request' - include: 'ca-dialog.yaml' - - - set_fact: - request_output: '{{ request_result.stdout | string | from_json }}' - - - debug: - var: request_result - - - name: 'renewing cert - generating get cert request' - set_fact: - ca_request: - type: 'get_certificate' - requestID: '{{ request_output.requestID }}' - - - debug: - msg: > - Please manually confirm sign request with id - {{ request_output.requestID }} - - - name: 'renewing cert - waiting for ca signature' - include: 'ca-dialog.yaml' - - - set_fact: - cert_key: '{{ request_result.stdout | string | from_json }}' - - - debug: - var: request_result - verbosity: 2 - name: 'create slapd cert request' shell: cmd: > @@ -90,13 +52,20 @@ tags: - 'tls_int' - - name: 'renewing cert - storing new cert file' - copy: - content: '{{ cert_key.result }}' - dest: '/etc/ldap/slapd.crt' +- import_tasks: 'ca-signing-request.yaml' + vars: + host: '{{ server_fqdn }}' + request_path: '/etc/ldap/slapd.csr' + output_path: '/etc/ldap/slapd.crt' + when: slapd_cert_is_valid.rc != 0 + tags: + - 'tls_int' # !BUG! Fixed in Ansible dev using ldap_attrs instead of ldap_attr +# Setting the parameters twice in a row fix the problem. # Ref: https://github.com/ansible/ansible/issues/25665 +# **ToDO: Find the right combination, is still failing at the first run +# but works on the second iteration - name: 'configuring TLS options (workaround)' ldap_attr: dn: 'cn=config' diff --git a/tasks/ca-signing-request.yaml b/tasks/ca-signing-request.yaml new file mode 100644 index 0000000..dd3f808 --- /dev/null +++ b/tasks/ca-signing-request.yaml 
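Review bot: `host: '{{ server_fqdn }}'` silently changes the name requested from the CA — the block this replaces sent `'{{ ansible_hostname }}.{{ fqdn_domain }}'` — and nothing checks that `server_fqdn` is defined or that it matches the subject the `create slapd cert request` shell task (whose command is cut off above) puts into `/etc/ldap/slapd.csr`; an undefined variable fails the import, a mismatch yields a certificate for the wrong name. Keeping the old expression as a fallback, `host: '{{ server_fqdn | default(ansible_hostname ~ "." ~ fqdn_domain) }}'`, or asserting `server_fqdn is defined` before the import, makes the intent explicit. Separately, the added comment continuation `+but works on the second iteration` shows no leading `#` in this rendering; if that is literal rather than lost in collapsing, it is a YAML syntax error in the file.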
@@ -0,0 +1,43 @@
+---
+- name: 'CA_MANAGER | generating json signing request'
+ cert_request:
+ host: '{{ host }}'
+ path: '{{ request_path }}'
+ proto: 'ssl'
+ client: '{{ client | default(false) }}'
+ register: ca_request
+
+- name: 'CA_MANAGER | sending json signing request'
+ include: 'ca-dialog.yaml'
+
+- set_fact:
+ request_output: '{{ request_result.stdout | string | from_json }}'
+
+- debug:
+ var: request_result
+
+- name: 'CA_MANAGER | generating json get request'
+ set_fact:
+ ca_request:
+ type: 'get_certificate'
+ requestID: '{{ request_output.requestID }}'
+
+- debug:
+ msg: >
+ Please manually confirm sign request with id
+ {{ request_output.requestID }}
+
+- name: 'CA_MANAGER | waiting for certificate...'
+ include: 'ca-dialog.yaml'
+
+- set_fact:
+ cert_key: '{{ request_result.stdout | string | from_json }}'
+
+- debug:
+ var: request_result
+ verbosity: 2
+
+- name: 'CA_MANAGER | saving certificate'
+ copy:
+ content: '{{ cert_key.result }}'
+ dest: '{{ output_path }}'
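Review bot: The `saving certificate` task writes `cert_key.result` to `{{ output_path }}` with no check on what the CA actually returned, so an error reply either fails on an undefined `result` attribute or, if the reply carries a `result` that is not a certificate, writes that string straight into `slapd.crt`. Add an `assert` that `cert_key.result` is defined and non-empty (and, if the CA returns PEM, that it contains `BEGIN CERTIFICATE`) before the copy, and give the file an explicit `mode`. Also, the `var: request_result` debug after the signing request has no `verbosity`, so the full CA reply is printed on every run, unlike the later debug gated at `verbosity: 2`; and `include:` is deprecated in favour of `include_tasks`/`import_tasks`, which the caller in `4_setup_tls.yaml` already uses.
```yaml
# … unchanged: signing request, confirmation prompt, get_certificate dialog …
- set_fact:
    cert_key: '{{ request_result.stdout | string | from_json }}'

- name: 'CA_MANAGER | checking CA reply'
  assert:
    that:
      - cert_key.result is defined
      - cert_key.result | length > 0
    msg: 'CA did not return a certificate for request {{ request_output.requestID }}'

- name: 'CA_MANAGER | saving certificate'
  copy:
    content: '{{ cert_key.result }}'
    dest: '{{ output_path }}'
    mode: '0644'
```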