From de549df51aa5401f49c82479966d962454f6fbd7 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 12 Jul 2023 19:25:22 +0200 Subject: [PATCH] Add support for mkcert. --- defaults/main.yml | 16 ++- tasks/certificate_from_private_ca.yml | 40 ++++++ tasks/main.yml | 7 + tasks/pki_dir.yml | 20 +++ tasks/self_signed_certificate.yml | 32 +---- tasks/trusted_ca.yml | 193 +++++++++++++------------- 6 files changed, 174 insertions(+), 134 deletions(-) create mode 100644 tasks/certificate_from_private_ca.yml create mode 100644 tasks/pki_dir.yml diff --git a/defaults/main.yml b/defaults/main.yml index 22976b9..943cbb4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -170,15 +170,21 @@ pki_subdirs: - certs - keys pki_install_a_custom_ca: false -self_signed_cert: "{{ pki_dir }}/certs/selfsigned/cert" -self_signed_fullchain: "{{ pki_dir }}/certs/selfsigned/fullchain" -self_signed_key: "{{ pki_dir }}/keys/selfsigned/privkey" +self_signed_cert: "{{ pki_dir }}/selfsigned/cert" +self_signed_fullchain: "{{ pki_dir }}/selfsigned/fullchain" +self_signed_key: "{{ pki_dir }}/selfsigned/privkey" self_signed_subject: "/CN={{ ansible_fqdn }} self signed" +mkcert_create_certificate: false +mkcert_cert_name: "{{ ansible_fqdn}}.pem" +mkcert_key_name: "{{ ansible_fqdn}}-key.pem" +mkcert_dsn_and_ip_list: "{{ ansible_fqdn }} {{ ansible_default_ipv4 }}" +mkcert_ca_host: localhost + trusted_ca_el_anchors_path: '/etc/pki/ca-trust/source/anchors' trusted_ca_deb_path: '/usr/local/share/ca-certificates' # it shoudn't be needed -trusted_ca_letsencrypt_install: False +trusted_ca_letsencrypt_install: false trusted_ca_letsencrypt_ca_certificates_url: https://letsencrypt.org/certs trusted_ca_letsencrypt_ca_files: - { ca_src: 'isrgrootx1.pem', ca: 'isrgrootx1.crt', name: 'isrg-root-x1' } 
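Review bot: `mkcert_dsn_and_ip_list: "{{ ansible_fqdn }} {{ ansible_default_ipv4 }}"` interpolates the whole `ansible_default_ipv4` fact, which is a mapping (address, gateway, interface, …), so the rendered value — and the mkcert command line that tasks/certificate_from_private_ca.yml builds from it — would contain a dict representation instead of an IP; use `{{ ansible_default_ipv4.address }}`. The variable name also reads `dsn` where `dns` is meant; since this default is new in this commit, renaming it to `mkcert_dns_and_ip_list` now avoids carrying the typo into the role's public interface. `mkcert_cert_name` and `mkcert_key_name` use `{{ ansible_fqdn}}` with the closing braces flush against the name; it renders, but `{{ ansible_fqdn }}` matches the spacing used everywhere else in this file.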
@@ -195,4 +201,4 @@ expired_ca_letsencrypt_ca_files: - letsencryptauthorityx3.pem trusted_ca_additional_ca_files: [] -# - { can_url: 'https://example.com/foo-ca.pem', ca: 'foo-ca.pem', name: 'foo-ca' } +# - { ca_url: 'https://example.com/foo-ca.pem', ca: 'foo-ca.pem', name: 'foo-ca' } diff --git a/tasks/certificate_from_private_ca.yml b/tasks/certificate_from_private_ca.yml new file mode 100644 index 0000000..b65577f --- /dev/null +++ b/tasks/certificate_from_private_ca.yml @@ -0,0 +1,40 @@ +--- +- name: Create the certificate using the private CA + tags: [pki, tls, tls_certificate] + block: + - name: Create the certificate (delegate to the CA vm) + become_user: mkcert-ca + ansible.builtin.command: + cmd: mkcert -cert-file {{ mkcert_cert_name }} -key-file {{ mkcert_key_name }} {{ mkcert_dsn_and_ip_list }} + args: + creates: "/srv/mkcert-ca/{{ mkcert_cert_name }}" + delegate_to: "{{ mkcert_ca_host }}" + +- name: Manage the certificate installation + tags: [pki, tls, tls_certificate] + block: + - name: Get the certificate and its key from the CA server + become_user: mkcert-ca + ansible.builtin.fetch: + src: "/srv/mkcert-ca/{{ item }}" + dest: "files/{{ item }}" + loop: + - "{{ mkcert_cert_name }}" + - "{{ mkcert_key_name }}" + delegate_to: "{{ mkcert_ca_host }}" + + - name: Copy the certificate to the destination server + ansible.builtin.copy: + src: "files/{{ mkcert_cert_name }}" + dest: "{{ pki_dir }}/certs/{{ mkcert_cert_name }}" + owner: root + group: root + mode: 0444 + + - name: Copy the certificate to the destination server + ansible.builtin.copy: + src: "files/{{ mkcert_key_name }}" + dest: "{{ pki_dir }}/keys/{{ mkcert_key_name }}" + owner: root + group: root + mode: 0440 diff --git a/tasks/main.yml b/tasks/main.yml index 4ffd0dd..2d741f0 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
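Review bot: The `ansible.builtin.fetch` task in tasks/certificate_from_private_ca.yml has no `flat: true`, so with `dest: "files/{{ item }}"` each file is saved under `files/<name>/<inventory_hostname>/srv/mkcert-ca/<name>`, and the two `ansible.builtin.copy` tasks that follow point `src` at what is now a directory; add `flat: true` to the fetch. The mkcert command writes `-cert-file`/`-key-file` as relative names into the task's working directory, while `creates: "/srv/mkcert-ca/{{ mkcert_cert_name }}"` assumes `/srv/mkcert-ca`; adding `chdir: /srv/mkcert-ca` under `args` makes the two agree, otherwise the task is not idempotent. The private key is staged on the controller in `files/`, a path that normally sits inside the role or playbook tree, so consider fetching to a temporary controller-side directory and removing it after the copy so the key cannot be committed by accident. The second copy task reuses the name `Copy the certificate to the destination server` although it copies the key; `Copy the private key to the destination server` tells the operator which step failed.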
@@ -9,9 +9,16 @@ ansible.builtin.import_tasks: timezone.yml - name: Sysctl kernel parameters ansible.builtin.import_tasks: sysctl.yml +- name: Create a directory that will contain the local generated certificates + ansible.builtin.import_tasks: pki_dir.yml - name: Self signed certificates waiting for the letsencrypt ones ansible.builtin.import_tasks: self_signed_certificate.yml when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install +- name: Certificate from privte CA (mkcert) + ansible.builtin.import_tasks: certificate_from_private_ca.yml + when: + - (letsencrypt_acme_sh_install is not defined) or (not letsencrypt_acme_sh_install) + - mkcert_create_certificate - name: HTTP client proxy ansible.builtin.import_tasks: http_client_proxy.yml - name: Manage additiondal disk volumes diff --git a/tasks/pki_dir.yml b/tasks/pki_dir.yml new file mode 100644 index 0000000..4118a8b --- /dev/null +++ b/tasks/pki_dir.yml @@ -0,0 +1,20 @@ +--- +- name: Manage the PKI directory + tags: [pki, ssl, ca, letsencrypt, tls, tls_certificate] + block: + - name: Ensure that the PKI directory exists + ansible.builtin.file: + path: "{{ pki_dir }}" + state: directory + owner: root + group: root + mode: 0755 + + - name: Ensure that the PKI subdirectories exist + ansible.builtin.file: + path: "{{ pki_dir }}/{{ item }}" + state: directory + owner: root + group: root + mode: 0755 + loop: "{{ pki_subdirs }}" diff --git a/tasks/self_signed_certificate.yml b/tasks/self_signed_certificate.yml index 1da55f7..51d2fe7 100644 --- a/tasks/self_signed_certificate.yml +++ b/tasks/self_signed_certificate.yml 
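Review bot: tasks/pki_dir.yml creates every entry of `pki_subdirs` with `mode: 0755`, including `keys`, which the new certificate_from_private_ca.yml uses for the private key (`dest: "{{ pki_dir }}/keys/{{ mkcert_key_name }}"`); a world-listable key directory is not needed, so tighten it per item, e.g. `mode: "{{ '0750' if item == 'keys' else '0755' }}"`. Quoting the octal modes (`"0755"`) is also what the Ansible docs recommend, since a bare `0755` is parsed as an integer and can misbehave in loops. In tasks/main.yml the new import's name has a typo: `- name: Certificate from private CA (mkcert)`.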
@@ -1,24 +1,4 @@ --- -- name: Manage the PKI directory - tags: ['pki', 'ssl', 'ca', 'letsencrypt'] - block: - - name: Ensure that the PKI directory exists - ansible.builtin.file: - path: "{{ pki_dir }}" - state: directory - owner: root - group: root - mode: 0755 - - - name: Ensure that the PKI subdirectories exist - ansible.builtin.file: - path: "{{ pki_dir }}/{{ item }}" - state: directory - owner: root - group: root - mode: 0755 - loop: "{{ pki_subdirs }}" - - name: Letsencrypt is going to manage the certificates. Check if a certificate already exists tags: ['pki', 'ssl', 'letsencrypt'] block: @@ -43,15 +23,7 @@ mode: 0755 loop: - "{{ letsencrypt_acme_sh_certificates_install_base_path }}" - - "{{ pki_dir }}/certs/selfsigned" - - - name: Path to the self signed key file - ansible.builtin.file: - path: "{{ pki_dir }}/keys/selfsigned" - state: directory - owner: root - group: root - mode: 0700 + - "{{ pki_dir }}/selfsigned" - name: Generate the self signed certificate and private key ansible.builtin.command: openssl req -x509 -newkey rsa:2048 -keyout {{ self_signed_key }} -out {{ self_signed_cert }} -days 365 -nodes -subj '{{ self_signed_subject }}' @@ -69,6 +41,6 @@ - name: Create the symbolic link for the certificates into the letsencrypt live directory ansible.builtin.file: - src: "{{ pki_dir }}/certs/selfsigned" + src: "{{ pki_dir }}/selfsigned" dest: "{{ letsencrypt_acme_sh_certificates_install_path }}" state: link diff --git a/tasks/trusted_ca.yml b/tasks/trusted_ca.yml index fa0f034..95defe8 100644 --- a/tasks/trusted_ca.yml +++ b/tasks/trusted_ca.yml 
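Review bot: The dedicated key directory (`{{ pki_dir }}/keys/selfsigned` with `mode: 0700`) is removed and `self_signed_key` now lands in `{{ pki_dir }}/selfsigned`, which the loop above creates with `mode: 0755` and which is then symlinked as the letsencrypt live directory; nothing in this file pins the permissions of the key file itself, so whether it stays private now depends on openssl's default handling of `-keyout`, which the role should not rely on. Add a task right after the generate step: `- ansible.builtin.file:` / `path: "{{ self_signed_key }}"` / `mode: "0600"`. The enclosing `block` begins before and ends after this hunk.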
@@ -1,125 +1,120 @@ --- - name: Manage optional CA files on EL + tags: ['pki', 'trusted_ca', 'letsencrypt_ca'] block: - - name: Get the CA files that we want to trust - get_url: url={{ item.ca_url }} dest=/etc/pki/ca-trust/source/anchors/{{ item.ca }} owner=root group=root mode='0444' - with_items: '{{ trusted_ca_additional_ca_files }}' - register: ca_files_installation + - name: Get the CA files that we want to trust on EL + get_url: url={{ item.ca_url }} dest=/etc/pki/ca-trust/source/anchors/{{ item.ca }} owner=root group=root mode='0444' + with_items: '{{ trusted_ca_additional_ca_files }}' + register: ca_files_installation - - name: Trust the CA files - command: /bin/update-ca-trust extract - when: ca_files_installation is changed + - name: Trust the CA files on EL + command: /bin/update-ca-trust extract + when: ca_files_installation is changed when: ansible_distribution_file_variety == "RedHat" - tags: [ 'pki', 'trusted_ca', 'letsencrypt_ca' ] - name: Manage the Letsencrypt CA files on EL - block: - - name: Download the letsencrypt CA files on EL - get_url: - url: '{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca_src }}' - dest: '/etc/pki/ca-trust/source/anchors/{{ item.ca }}' - owner: root - group: root - mode: 0444 - loop: '{{ trusted_ca_letsencrypt_ca_files }}' - register: letsencrypt_ca_files_installation - - - name: Rebuild the trust CA files on EL - command: /bin/update-ca-trust extract - when: letsencrypt_ca_files_installation is changed - - - name: Ensure that the expired CA files are not present - file: - dest: '/etc/pki/ca-trust/source/anchors/{{ item }}' - state: absent - loop: '{{ expired_ca_letsencrypt_ca_files }}' - register: letsencrypt_ca_files_removal - - - name: Rebuild the trust CA files on EL - command: /bin/update-ca-trust extract - when: letsencrypt_ca_files_removal is changed - when: - trusted_ca_letsencrypt_install - ansible_distribution_file_variety == "RedHat" - tags: [ 'pki', 'trusted_ca', 'letsencrypt_ca' ] + tags: ['pki', 
'trusted_ca', 'letsencrypt_ca'] + block: + - name: Download the letsencrypt CA files on EL + get_url: + url: '{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca_src }}' + dest: '/etc/pki/ca-trust/source/anchors/{{ item.ca }}' + owner: root + group: root + mode: 0444 + loop: '{{ trusted_ca_letsencrypt_ca_files }}' + register: letsencrypt_ca_files_installation + + - name: Rebuild the trust CA files on EL + command: /bin/update-ca-trust extract + when: letsencrypt_ca_files_installation is changed + + - name: Ensure that the expired CA files are not present + file: + dest: '/etc/pki/ca-trust/source/anchors/{{ item }}' + state: absent + loop: '{{ expired_ca_letsencrypt_ca_files }}' + register: letsencrypt_ca_files_removal + + - name: Rebuild the trust CA files on EL + command: /bin/update-ca-trust extract + when: letsencrypt_ca_files_removal is changed + - name: Manage optional CA files on deb - block: - - name: Ensure that ca-certificates is installed and up to date - apt: - pkg: ca-certificates - state: latest - cache_valid_time: 1800 - - - name: Get the CA files that we want to trust on deb - get_url: url={{ item.ca_url }} dest={{ trusted_ca_deb_path }}/{{ item.ca }} owner=root group=root mode='0444' - with_items: '{{ trusted_ca_additional_ca_files }}' - register: ca_files_installation - - - name: Trust the CA files on deb - command: /usr/sbin/update-ca-certificates - when: ca_files_installation is changed - when: ansible_distribution_file_variety == "Debian" - tags: [ 'pki', 'trusted_ca', 'letsencrypt_ca' ] + tags: ['pki', 'trusted_ca', 'letsencrypt_ca'] + block: + - name: Ensure that ca-certificates is installed and up to date + apt: + pkg: ca-certificates + state: latest + cache_valid_time: 1800 + + - name: Get the CA files that we want to trust on deb + get_url: url={{ item.ca_url }} dest={{ trusted_ca_deb_path }}/{{ item.ca }} owner=root group=root mode='0444' + with_items: '{{ trusted_ca_additional_ca_files }}' + register: ca_files_installation + + - 
name: Trust the CA files on deb + command: /usr/sbin/update-ca-certificates + when: ca_files_installation is changed - name: Distrust the DST Root CA X3 in Ubuntu Trusty - block: - - name: Comment the mozilla/DST_Root_CA_X3.crt entry - lineinfile: - path: /etc/ca-certificates.conf - regexp: '^mozilla/DST_Root_CA_X3.crt' - line: '!mozilla/DST_Root_CA_X3.crt' - register: dst_x3_distrust - - - name: Trust the CA files on deb - command: /usr/sbin/update-ca-certificates - when: dst_x3_distrust is changed - when: - ansible_distribution_file_variety == "Debian" - ansible_distribution_version is version_compare('14.04', '==') - tags: [ 'pki', 'obsolete_ca' ] + tags: ['pki', 'obsolete_ca'] + block: + - name: Comment the mozilla/DST_Root_CA_X3.crt entry + lineinfile: + path: /etc/ca-certificates.conf + regexp: '^mozilla/DST_Root_CA_X3.crt' + line: '!mozilla/DST_Root_CA_X3.crt' + register: dst_x3_distrust + - name: Trust the CA files on deb + command: /usr/sbin/update-ca-certificates + when: dst_x3_distrust is changed - name: Manage the Letsencrypt CA files on deb - block: - - name: Download the letsencrypt CA files on deb - get_url: - url: '{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca_src }}' - dest: '{{ trusted_ca_deb_path }}/{{ item.ca }}' - owner: root - group: root - mode: 0444 - loop: '{{ trusted_ca_letsencrypt_ca_files }}' - register: letsencrypt_ca_files_installation - - - name: Trust the CA files on deb - command: /usr/sbin/update-ca-certificates - when: letsencrypt_ca_files_installation is changed - - - name: Ensure that the expired CA files are not present - file: - dest: '/etc/ssl/certs/{{ item }}' - state: absent - loop: '{{ expired_ca_letsencrypt_ca_files }}' - register: letsencrypt_ca_files_removal - - - name: Ensure that the expired CA files are not present - file: - dest: '{{ trusted_ca_deb_path }}/{{ item }}' - state: absent - loop: '{{ expired_ca_letsencrypt_ca_files }}' - register: letsencrypt_ca_files_removal - - - name: Trust the CA files 
on deb - command: /usr/sbin/update-ca-certificates - when: letsencrypt_ca_files_removal is changed - when: - trusted_ca_letsencrypt_install - ansible_distribution_file_variety == "Debian" - tags: [ 'pki', 'trusted_ca', 'letsencrypt_ca' ] + tags: ['pki', 'trusted_ca', 'letsencrypt_ca'] + block: + - name: Download the letsencrypt CA files on deb + get_url: + url: '{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca_src }}' + dest: '{{ trusted_ca_deb_path }}/{{ item.ca }}' + owner: root + group: root + mode: 0444 + loop: '{{ trusted_ca_letsencrypt_ca_files }}' + register: letsencrypt_ca_files_installation + - name: Trust the CA files on deb + command: /usr/sbin/update-ca-certificates + when: letsencrypt_ca_files_installation is changed + + - name: Ensure that the expired CA files are not present + file: + dest: '/etc/ssl/certs/{{ item }}' + state: absent + loop: '{{ expired_ca_letsencrypt_ca_files }}' + register: letsencrypt_ca_files_removal + + - name: Ensure that the expired CA files are not present + file: + dest: '{{ trusted_ca_deb_path }}/{{ item }}' + state: absent + loop: '{{ expired_ca_letsencrypt_ca_files }}' + register: letsencrypt_ca_files_removal + + - name: Trust the CA files on deb + command: /usr/sbin/update-ca-certificates + when: letsencrypt_ca_files_removal is changed
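Review bot: As far as the collapsed hunk shows, the block-level `when:` clauses were dropped from `Manage the Letsencrypt CA files on EL`, `Manage optional CA files on deb`, `Distrust the DST Root CA X3 in Ubuntu Trusty` and `Manage the Letsencrypt CA files on deb`; only the first block keeps `when: ansible_distribution_file_variety == "RedHat"`. Without them the `apt` and `update-ca-certificates` tasks run on EL hosts, the Let's Encrypt CA download runs even though `trusted_ca_letsencrypt_install` defaults to `false` in defaults/main.yml, and the DST Root CA X3 distrust rewrites `/etc/ca-certificates.conf` on every Debian-family host instead of only Ubuntu 14.04. The conditions should be restored next to the relocated `tags:` lines, as below. A secondary style point: the two `get_url: url=... dest=... mode='0444'` tasks still use `key=value` arguments while their neighbours use native YAML; converting them keeps the file uniform.

```yaml
- name: Manage the Letsencrypt CA files on EL
  tags: ['pki', 'trusted_ca', 'letsencrypt_ca']
  when:
    - trusted_ca_letsencrypt_install
    - ansible_distribution_file_variety == "RedHat"
  block:
    # … unchanged: download / rebuild / remove-expired tasks …

- name: Manage optional CA files on deb
  tags: ['pki', 'trusted_ca', 'letsencrypt_ca']
  when: ansible_distribution_file_variety == "Debian"
  block:
    # … unchanged: apt / get_url / update-ca-certificates tasks …

- name: Distrust the DST Root CA X3 in Ubuntu Trusty
  tags: ['pki', 'obsolete_ca']
  when:
    - ansible_distribution_file_variety == "Debian"
    - ansible_distribution_version is version_compare('14.04', '==')
  block:
    # … unchanged: lineinfile / update-ca-certificates tasks …

- name: Manage the Letsencrypt CA files on deb
  tags: ['pki', 'trusted_ca', 'letsencrypt_ca']
  when:
    - trusted_ca_letsencrypt_install
    - ansible_distribution_file_variety == "Debian"
  block:
    # … unchanged: download / remove-expired / update-ca-certificates tasks …
```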