From 9fe78254990d0c415682637b1620481db80dbf5a Mon Sep 17 00:00:00 2001
From: Ludovic Poujol
Date: Fri, 16 Feb 2024 10:45:32 +0100
Subject: [PATCH] base: Generate default (self-signed) certificate

Create /etc/ssl/certs on OpenBSD to follow Linux/Debian
Don't change the owner/group of generated files (for now)
---
 roles/base/tasks/default_ssl.yml | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/roles/base/tasks/default_ssl.yml b/roles/base/tasks/default_ssl.yml
index 7317d51..b002afd 100644
--- a/roles/base/tasks/default_ssl.yml
+++ b/roles/base/tasks/default_ssl.yml
@@ -3,20 +3,21 @@
 - name: Default certificate is present
   when: evobsd_default_ssl_cert | bool
   block:
+    - name: Ensure /etc/ssl/certs exists
+      ansible.builtin.file:
+        path: /etc/ssl/certs/
+        owner: root
+        group: wheel
+        mode: "0755"
+        state: directory
+      ignore_errors: '{{ ansible_check_mode }}'
+
     - name: Create private key and csr for default site ({{ ansible_fqdn }})
       ansible.builtin.command:
         cmd: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ ansible_fqdn }}"
       args:
         creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"
 
-    - name: Adjust rights on private key
-      ansible.builtin.file:
-        path: /etc/ssl/private/{{ ansible_fqdn }}.key
-        owner: root
-        group: ssl-cert
-        mode: "0640"
-      ignore_errors: '{{ ansible_check_mode }}'
-
     - name: Create certificate for default site
       ansible.builtin.command:
         cmd: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt
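Review bot: Dropping the `Adjust rights on private key` task leaves the mode of `/etc/ssl/private/{{ ansible_fqdn }}.key` entirely to whatever `openssl req -keyout` and the caller's umask produce, and nothing in the hunk now asserts that the key is not group- or world-readable; because the key task is guarded by `creates:`, the role also no longer converges existing hosts onto a known mode. The commit message says owner/group are deliberately left alone for now, and the `ssl-cert` group was presumably the part that did not fit OpenBSD, but a mode-only `ansible.builtin.file` task (no `owner`/`group`) would keep the permission guarantee without reintroducing that group. Use `"0640"` instead of `"0600"` only if a service account that is not root must read the key. The new `Ensure /etc/ssl/certs exists` task is fine as written, and the same `ignore_errors: '{{ ansible_check_mode }}'` pattern carries over to the proposed task.
```yaml
    - name: Create private key and csr for default site ({{ ansible_fqdn }})
      # … unchanged: openssl req command and creates: guard …

    - name: Restrict mode on private key
      ansible.builtin.file:
        path: /etc/ssl/private/{{ ansible_fqdn }}.key
        mode: "0600"
      ignore_errors: '{{ ansible_check_mode }}'
```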