check ssl and ssh certificate validity

roles/dovecot/tasks/main.yaml

@@ -106,30 +106,48 @@
         ssl_key = </etc/dovecot/private/dovecot.key
 
 - name: generate the RSA key
-  openssl_privatekey:
-    path: "/etc/dovecot/private/dovecot.key"
-    size: 2048
-    state: present
-    type: RSA
+# TODO: reenable openssl_privatekey when moving to ansible 2.3
+# openssl_privatekey:
+#   path: "/etc/dovecot/private/dovecot.key"
+#   size: 2048
+#   state: present
+#   type: RSA
+  shell: "openssl genrsa -out /etc/dovecot/private/dovecot.key 2048"
+  args:
+    creates: /etc/dovecot/private/dovecot.key
   notify: restart dovecot
 
 - name: generate CSR
-  openssl_csr:
-    commonName: "{{ fqdn_domain }}"
-    countryName: "IT"
-    digest: sha256
-    localityName: "TUSCANY"
-    organizationName: "IT"
-    path: "/etc/dovecot/private/dovecot.csr"
-    privatekey_path: "/etc/dovecot/private/dovecot.key"
-    state: present
-    stateOrProvinceName: "ITALY"
+  # TODO: reenable openssl_csr when moving to ansible 2.3
+  # openssl_csr:
+  #   commonName: "{{ fqdn_domain }}"
+  #   countryName: "IT"
+  #   digest: sha256
+  #   localityName: "TUSCANY"
+  #   organizationName: "IT"
+  #   path: "/etc/dovecot/private/dovecot.csr"
+  #   privatekey_path: "/etc/dovecot/private/dovecot.key"
+  #   state: present
+  #   stateOrProvinceName: "ITALY"
+  shell: 'openssl req -new -sha256 -subj "/C=IT/ST=ITALY/L=TUSCANY/O=IT/CN={{ fqdn_domain }}" -key /etc/dovecot/private/dovecot.key -out /etc/dovecot/private/dovecot.csr'
+  args:
+    creates: /etc/dovecot/private/dovecot.csr
   notify: restart dovecot
 
-- name: check if dovecot cert key exist
-  stat:
-    path: /etc/dovecot/dovecot.cert
-  register: dovecot_cert_key
+- name: lookup ssl ca key
+  set_fact:
+    ssl_ca_key: "{{ lookup('file', 'test_ssl_ca.crt') }}"
+
+- name: Update ssl CA key
+  copy:
+    content: "{{ ssl_ca_key }}"
+    dest: "/etc/dovecot/ssl_ca.crt"
+
+- name: check if dovecot cert is valid
+  command: 'openssl verify -CAfile /etc/dovecot/ssl_ca.crt /etc/dovecot/dovecot.cert'
+  register: dovecot_cert_is_valid
+  changed_when: false
+  failed_when: false
 
 - block:
     - name: get pub key
@@ -200,7 +218,7 @@
         dest: "/etc/dovecot/dovecot.cert"
       register: set_pub_key
 
-  when: not dovecot_cert_key.stat.exists
+  when: 'dovecot_cert_is_valid.rc != 0'
 
 - template:
     src: dovecot-ldap.conf.ext.j2

roles/ssh_server/tasks/main.yaml

@@ -1,4 +1,4 @@
-# We can not use include_role here since it not share thje connection with the current role
+# We can not use include_role here since it not share the connection with the current role
 - include: roles/service/tasks/main.yaml
   vars:
     service_name: ssh
@@ -6,13 +6,26 @@
         - openssh-server
         - openssh-sftp-server
 
-- name: Check if host certificate exists
-  stat:
-    path: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
-  register: vm_ssh_certificate_exists
+- name: lookup user ca key
+  set_fact:
+    user_ca_key: "{{ lookup('file', 'test_ssh_ca.pub') }}"
+
+- name: Update container user CA key
+  copy:
+    content: "ssh-rsa {{ user_ca_key }}"
+    dest: "/etc/ssh/user_ca.pub"
+  notify: restart ssh
+
+- name: Check if host certificate is valid
+  shell: '[[ $(ssh-keygen -f /etc/ssh/ssh_host_ed25519_key-cert.pub -L |grep "$(ssh-keygen -f /etc/ssh/user_ca.pub -l|cut -d " " -f 2)" -A 3 |grep Valid |cut -d " " -f 13) > $(date +%Y-%m-%dT%H:%M:%S --date "+1 month") ]]'
+  args:
+    executable: /bin/bash
+  register: vm_has_valid_ssh_certificate
+  changed_when: false
+  failed_when: false
 
 - debug:
-    var: vm_ssh_certificate_exists
+    var: vm_has_valid_ssh_certificate
     verbosity: 2
 
 - block:
@@ -85,18 +98,7 @@
         dest: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
       register: set_pub_key
       notify: restart ssh
-  when: "not vm_ssh_certificate_exists.stat.exists"
-
-
-- name: lookup user ca key
-  set_fact:
-    user_ca_key: "{{ lookup('file', 'test_ssh_ca.pub') }}"
-
-- name: Update container user CA key
-  copy:
-    content: "ssh-rsa {{ user_ca_key }}"
-    dest: "/etc/ssh/user_ca.pub"
-  notify: restart ssh
+  when: "vm_has_valid_ssh_certificate.rc != 0"
 
 - name: add certificate to sshd config
   lineinfile: