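---
# Issue (or re-validate) a host certificate signed by a private CA.
#
# Trust boundaries, as written in this file:
#   - The CA certificate and CA private key live on `pki_ca_host`; every task
#     that touches the CA key is delegated there, so the key never leaves it.
#   - The target's private key is generated on the target itself and is never
#     slurped or copied, so it never transits the controller.
#   - Only public material (CA certificate, signed certificate) moves between
#     hosts, carried in registered results.
#
# Required variables: pki_ca_host, pki_ca_crt, pki_ca_key, pki_ca_password,
# pki_certificate_key, pki_certificate_crt. `pki_ca_password` is the CA key
# passphrase — keep it in Ansible Vault rather than plain group_vars.
#
# NOTE(review): every task is `run_once: true`, so with several hosts in the
# play only the first host gets a key/certificate, while the registered
# results are shared with all of them. This file appears to assume a single
# target per play (one host, or `serial: 1`) — confirm with the callers.

# CA certificate
- name: Check whether CA certificate exists
  stat:
    path: "{{ pki_ca_crt }}"
  delegate_to: "{{ pki_ca_host | mandatory }}"
  run_once: true
  register: ca_certificate_exists

# Creating the CA is deliberately out of scope: a missing CA is a hard error,
# not something silently created with default parameters.
- name: Fail if CA doesn't exist
  fail:
    msg: "CA '{{ pki_ca_crt }}' on host '{{ pki_ca_host }}' doesn't exist! You need to create one before continuing."
  when: not ca_certificate_exists.stat.exists

# The CA certificate (public) is read on the CA host and distributed to the
# target so that the target can trust certificates issued by this CA.
- name: Read existing CA certificate if exists
  slurp:
    src: "{{ pki_ca_crt }}"
  when: ca_certificate_exists.stat.exists
  delegate_to: "{{ pki_ca_host | mandatory }}"
  run_once: true
  register: ca_certificate

# Re-registered as `ca_certificate` on purpose: the `changed` status of this
# copy (not of the slurp) is what feeds `pki_changed` at the end of the file.
- name: Write CA certificate file
  copy:
    dest: "{{ pki_ca_crt }}"
    content: "{{ ca_certificate.content | b64decode }}"
    mode: "0644"
  run_once: true
  register: ca_certificate


# Create new signed certificate
# The key is generated on the target and stays there. `mode` is pinned so a
# permissive umask cannot leave the key readable by other local users.
- name: Create private key for new certificate
  community.crypto.openssl_privatekey:
    path: "{{ pki_certificate_key }}"
    mode: "0600"
  run_once: true

# `ansible_fqdn` is a gathered fact: the play must run with facts gathered.
# A subjectAltName is required in addition to the CN — modern TLS clients
# (browsers, Go, recent OpenSSL-based stacks) ignore the CN and reject
# certificates that carry no SAN. Because this changes the CSR, existing
# certificates are expected to be re-issued once on the next run.
- name: Create certificate signing request (CSR) for new certificate
  community.crypto.openssl_csr_pipe:
    privatekey_path: "{{ pki_certificate_key }}"
    common_name: "{{ ansible_fqdn }}"
    subject_alt_name: "DNS:{{ ansible_fqdn }}"
  run_once: true
  register: csr

- name: Check whether certificate exists
  stat:
    path: "{{ pki_certificate_crt }}"
  run_once: true
  register: certificate_exists

# The existing certificate is handed to the signing task so that it is only
# re-issued when it no longer matches the CSR or the CA (idempotence).
- name: Read existing certificate if exists
  slurp:
    src: "{{ pki_certificate_crt }}"
  when: certificate_exists.stat.exists
  run_once: true
  register: certificate

# Signing is delegated to the CA host so the CA private key and its passphrase
# are only ever used there. `ownca_privatekey_passphrase` is a no_log argument
# of the module, so it is masked in task output; the value itself should still
# come from Vault.
# NOTE(review): no `ownca_not_after` is set, so the module's documented default
# validity applies (ten years at the time of writing) — long for a host
# certificate; consider a shorter lifetime once renewal is automated.
# Skipped in check mode: the module cannot produce a certificate without
# running, and the tasks below consume its result.
- name: Sign certificate with CA
  community.crypto.x509_certificate_pipe:
    content: "{{ (certificate.content | b64decode) if certificate_exists.stat.exists else omit }}"
    csr_content: "{{ csr.csr }}"
    provider: ownca
    ownca_path: "{{ pki_ca_crt }}"
    ownca_privatekey_path: "{{ pki_ca_key }}"
    ownca_privatekey_passphrase: "{{ pki_ca_password | mandatory }}"
  delegate_to: "{{ pki_ca_host | mandatory }}"
  run_once: true
  register: certificate
  when: not ansible_check_mode

# The signed certificate is public, hence 0644; it is written only when the
# signing task actually produced a new one.
- name: Write certificate file
  copy:
    dest: "{{ pki_certificate_crt }}"
    content: "{{ certificate.certificate }}"
    mode: "0644"
  run_once: true
  when: certificate is changed and not ansible_check_mode

# A copy is also kept on the CA host, at the same path.
- name: Write certificate file on the CA host
  copy:
    dest: "{{ pki_certificate_crt }}"
    content: "{{ certificate.certificate }}"
    mode: "0644"
  delegate_to: "{{ pki_ca_host | mandatory }}"
  run_once: true
  when: certificate is changed and not ansible_check_mode


# Allow other roles to know if some certificates have changed (e.g. to
# trigger a service reload). The fact is only ever set to true here, never
# to false, so consumers must read it as `pki_changed | default(false)`.
- name: Set fact, pki_changed
  when: certificate is changed or ca_certificate is changed
  set_fact:
    pki_changed: true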