Add support for mkcert.
parent
d96def22ce
commit
de549df51a
|
@ -170,15 +170,21 @@ pki_subdirs:
|
||||||
- certs
|
- certs
|
||||||
- keys
|
- keys
|
||||||
pki_install_a_custom_ca: false
|
pki_install_a_custom_ca: false
|
||||||
self_signed_cert: "{{ pki_dir }}/certs/selfsigned/cert"
|
self_signed_cert: "{{ pki_dir }}/selfsigned/cert"
|
||||||
self_signed_fullchain: "{{ pki_dir }}/certs/selfsigned/fullchain"
|
self_signed_fullchain: "{{ pki_dir }}/selfsigned/fullchain"
|
||||||
self_signed_key: "{{ pki_dir }}/keys/selfsigned/privkey"
|
self_signed_key: "{{ pki_dir }}/selfsigned/privkey"
|
||||||
self_signed_subject: "/CN={{ ansible_fqdn }} self signed"
|
self_signed_subject: "/CN={{ ansible_fqdn }} self signed"
|
||||||
|
|
||||||
|
mkcert_create_certificate: false
|
||||||
|
mkcert_cert_name: "{{ ansible_fqdn}}.pem"
|
||||||
|
mkcert_key_name: "{{ ansible_fqdn}}-key.pem"
|
||||||
|
mkcert_dsn_and_ip_list: "{{ ansible_fqdn }} {{ ansible_default_ipv4 }}"
|
||||||
|
mkcert_ca_host: localhost
|
||||||
|
|
||||||
trusted_ca_el_anchors_path: '/etc/pki/ca-trust/source/anchors'
|
trusted_ca_el_anchors_path: '/etc/pki/ca-trust/source/anchors'
|
||||||
trusted_ca_deb_path: '/usr/local/share/ca-certificates'
|
trusted_ca_deb_path: '/usr/local/share/ca-certificates'
|
||||||
# it shoudn't be needed
|
# it shoudn't be needed
|
||||||
trusted_ca_letsencrypt_install: False
|
trusted_ca_letsencrypt_install: false
|
||||||
trusted_ca_letsencrypt_ca_certificates_url: https://letsencrypt.org/certs
|
trusted_ca_letsencrypt_ca_certificates_url: https://letsencrypt.org/certs
|
||||||
trusted_ca_letsencrypt_ca_files:
|
trusted_ca_letsencrypt_ca_files:
|
||||||
- { ca_src: 'isrgrootx1.pem', ca: 'isrgrootx1.crt', name: 'isrg-root-x1' }
|
- { ca_src: 'isrgrootx1.pem', ca: 'isrgrootx1.crt', name: 'isrg-root-x1' }
|
||||||
|
@ -195,4 +201,4 @@ expired_ca_letsencrypt_ca_files:
|
||||||
- letsencryptauthorityx3.pem
|
- letsencryptauthorityx3.pem
|
||||||
|
|
||||||
trusted_ca_additional_ca_files: []
|
trusted_ca_additional_ca_files: []
|
||||||
# - { can_url: 'https://example.com/foo-ca.pem', ca: 'foo-ca.pem', name: 'foo-ca' }
|
# - { ca_url: 'https://example.com/foo-ca.pem', ca: 'foo-ca.pem', name: 'foo-ca' }
|
||||||
|
|
|
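Review bot: `mkcert_dsn_and_ip_list: "{{ ansible_fqdn }} {{ ansible_default_ipv4 }}"` renders a mapping, not an address — `ansible_default_ipv4` is the fact dict (`address`, `interface`, `gateway`, …), so mkcert receives its Python repr as SAN arguments instead of the host IP; it should be `mkcert_dsn_and_ip_list: "{{ ansible_fqdn }} {{ ansible_default_ipv4.address }}"`. The name reads as a typo of `dns`, but since it is a public default I would keep it and add a comment instead of renaming, e.g. `# space-separated DNS names and IPs that mkcert puts in the certificate SANs`. `mkcert_cert_name: "{{ ansible_fqdn}}.pem"` and `mkcert_key_name` lack the space before `}}`; harmless, but inconsistent with the rest of the file. The default `mkcert_ca_host: localhost` makes the CA tasks run on the controller as the `mkcert-ca` user unless overridden, and the task file assumes `/srv/mkcert-ca` exists there; a one-line comment stating that requirement would save the next user a failed run.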
@ -0,0 +1,40 @@
|
||||||
|
---
|
||||||
|
- name: Create the certificate using the private CA
|
||||||
|
tags: [pki, tls, tls_certificate]
|
||||||
|
block:
|
||||||
|
- name: Create the certificate (delegate to the CA vm)
|
||||||
|
become_user: mkcert-ca
|
||||||
|
ansible.builtin.command:
|
||||||
|
cmd: mkcert -cert-file {{ mkcert_cert_name }} -key-file {{ mkcert_key_name }} {{ mkcert_dsn_and_ip_list }}
|
||||||
|
args:
|
||||||
|
creates: "/srv/mkcert-ca/{{ mkcert_cert_name }}"
|
||||||
|
delegate_to: "{{ mkcert_ca_host }}"
|
||||||
|
|
||||||
|
- name: Manage the certificate installation
|
||||||
|
tags: [pki, tls, tls_certificate]
|
||||||
|
block:
|
||||||
|
- name: Get the certificate and its key from the CA server
|
||||||
|
become_user: mkcert-ca
|
||||||
|
ansible.builtin.fetch:
|
||||||
|
src: "/srv/mkcert-ca/{{ item }}"
|
||||||
|
dest: "files/{{ item }}"
|
||||||
|
loop:
|
||||||
|
- "{{ mkcert_cert_name }}"
|
||||||
|
- "{{ mkcert_key_name }}"
|
||||||
|
delegate_to: "{{ mkcert_ca_host }}"
|
||||||
|
|
||||||
|
- name: Copy the certificate to the destination server
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "files/{{ mkcert_cert_name }}"
|
||||||
|
dest: "{{ pki_dir }}/certs/{{ mkcert_cert_name }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0444
|
||||||
|
|
||||||
|
- name: Copy the certificate to the destination server
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "files/{{ mkcert_key_name }}"
|
||||||
|
dest: "{{ pki_dir }}/keys/{{ mkcert_key_name }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0440
|
|
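Review bot: The `fetch` task has no `flat: true`, so with `dest: "files/{{ item }}"` the file is saved as `files/<item>/<hostname>/srv/mkcert-ca/<item>`, and the two `copy` tasks with `src: "files/{{ mkcert_cert_name }}"` / `src: "files/{{ mkcert_key_name }}"` then point at a directory rather than the certificate or key. The `creates: "/srv/mkcert-ca/{{ mkcert_cert_name }}"` guard is also not matched by the command, which has no `chdir`, so mkcert writes into whatever working directory the `mkcert-ca` user gets and the guard only fires if that happens to be `/srv/mkcert-ca`. The private key is staged in plaintext under `files/` on the controller and never removed (and shows up in verbose task output); remove it after the copy and set `no_log: true` on the tasks that carry it. Minor: the second copy task reuses the name "Copy the certificate to the destination server" although it installs the key, and `mode: 0444` / `mode: 0440` should be quoted strings per Ansible's guidance on octal modes.

```yaml
      ansible.builtin.command:
        cmd: mkcert -cert-file {{ mkcert_cert_name }} -key-file {{ mkcert_key_name }} {{ mkcert_dsn_and_ip_list }}
        chdir: /srv/mkcert-ca
        creates: "/srv/mkcert-ca/{{ mkcert_cert_name }}"
# … unchanged: delegate_to, "Manage the certificate installation" block header …
    - name: Get the certificate and its key from the CA server
      become_user: mkcert-ca
      no_log: true
      ansible.builtin.fetch:
        src: "/srv/mkcert-ca/{{ item }}"
        dest: "files/{{ item }}"
        flat: true
# … unchanged: loop, delegate_to, the two copy tasks …
    - name: Remove the private key staged on the controller
      ansible.builtin.file:
        path: "files/{{ mkcert_key_name }}"
        state: absent
      delegate_to: localhost
      become: false
```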
@ -9,9 +9,16 @@
|
||||||
ansible.builtin.import_tasks: timezone.yml
|
ansible.builtin.import_tasks: timezone.yml
|
||||||
- name: Sysctl kernel parameters
|
- name: Sysctl kernel parameters
|
||||||
ansible.builtin.import_tasks: sysctl.yml
|
ansible.builtin.import_tasks: sysctl.yml
|
||||||
|
- name: Create a directory that will contain the local generated certificates
|
||||||
|
ansible.builtin.import_tasks: pki_dir.yml
|
||||||
- name: Self signed certificates waiting for the letsencrypt ones
|
- name: Self signed certificates waiting for the letsencrypt ones
|
||||||
ansible.builtin.import_tasks: self_signed_certificate.yml
|
ansible.builtin.import_tasks: self_signed_certificate.yml
|
||||||
when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install
|
when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install
|
||||||
|
- name: Certificate from privte CA (mkcert)
|
||||||
|
ansible.builtin.import_tasks: certificate_from_private_ca.yml
|
||||||
|
when:
|
||||||
|
- (letsencrypt_acme_sh_install is not defined) or (not letsencrypt_acme_sh_install)
|
||||||
|
- mkcert_create_certificate
|
||||||
- name: HTTP client proxy
|
- name: HTTP client proxy
|
||||||
ansible.builtin.import_tasks: http_client_proxy.yml
|
ansible.builtin.import_tasks: http_client_proxy.yml
|
||||||
- name: Manage additiondal disk volumes
|
- name: Manage additiondal disk volumes
|
||||||
|
|
|
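Review bot: The new task name `- name: Certificate from privte CA (mkcert)` has a typo; `- name: Certificate from private CA (mkcert)`. The two conditions `letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install` and `(letsencrypt_acme_sh_install is not defined) or (not letsencrypt_acme_sh_install)` are one test written twice in two shapes; `letsencrypt_acme_sh_install | default(false)` and `not (letsencrypt_acme_sh_install | default(false))` express it once each and cannot drift apart. Because `mkcert_create_certificate` is only consulted when acme.sh is off, a host with both enabled silently gets no mkcert certificate; a comment on the import such as `# mkcert is a fallback: only used when acme.sh is not managing the certificates` would make that intentional rather than surprising.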
@ -0,0 +1,20 @@
|
||||||
|
---
|
||||||
|
- name: Manage the PKI directory
|
||||||
|
tags: [pki, ssl, ca, letsencrypt, tls, tls_certificate]
|
||||||
|
block:
|
||||||
|
- name: Ensure that the PKI directory exists
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ pki_dir }}"
|
||||||
|
state: directory
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: Ensure that the PKI subdirectories exist
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ pki_dir }}/{{ item }}"
|
||||||
|
state: directory
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0755
|
||||||
|
loop: "{{ pki_subdirs }}"
|
|
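Review bot: The subdirectory loop applies `mode: 0755` to every entry of `pki_subdirs`, including `keys`, which the new certificate_from_private_ca.yml uses as the destination of the mkcert private key; the key directory should not be world-traversable. A minimal fix is `mode: "{{ '0700' if item == 'keys' else '0755' }}"`, or give `pki_subdirs` per-entry modes. Both `mode:` values are unquoted leading-zero literals; Ansible's own guidance is to quote them (`mode: "0755"`) so the module receives a string, because a bare `0755` is parsed as a YAML 1.1 octal integer and behaves differently in loops and templating.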
@ -1,24 +1,4 @@
|
||||||
---
|
---
|
||||||
- name: Manage the PKI directory
|
|
||||||
tags: ['pki', 'ssl', 'ca', 'letsencrypt']
|
|
||||||
block:
|
|
||||||
- name: Ensure that the PKI directory exists
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ pki_dir }}"
|
|
||||||
state: directory
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0755
|
|
||||||
|
|
||||||
- name: Ensure that the PKI subdirectories exist
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ pki_dir }}/{{ item }}"
|
|
||||||
state: directory
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0755
|
|
||||||
loop: "{{ pki_subdirs }}"
|
|
||||||
|
|
||||||
- name: Letsencrypt is going to manage the certificates. Check if a certificate already exists
|
- name: Letsencrypt is going to manage the certificates. Check if a certificate already exists
|
||||||
tags: ['pki', 'ssl', 'letsencrypt']
|
tags: ['pki', 'ssl', 'letsencrypt']
|
||||||
block:
|
block:
|
||||||
|
@ -43,15 +23,7 @@
|
||||||
mode: 0755
|
mode: 0755
|
||||||
loop:
|
loop:
|
||||||
- "{{ letsencrypt_acme_sh_certificates_install_base_path }}"
|
- "{{ letsencrypt_acme_sh_certificates_install_base_path }}"
|
||||||
- "{{ pki_dir }}/certs/selfsigned"
|
- "{{ pki_dir }}/selfsigned"
|
||||||
|
|
||||||
- name: Path to the self signed key file
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ pki_dir }}/keys/selfsigned"
|
|
||||||
state: directory
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0700
|
|
||||||
|
|
||||||
- name: Generate the self signed certificate and private key
|
- name: Generate the self signed certificate and private key
|
||||||
ansible.builtin.command: openssl req -x509 -newkey rsa:2048 -keyout {{ self_signed_key }} -out {{ self_signed_cert }} -days 365 -nodes -subj '{{ self_signed_subject }}'
|
ansible.builtin.command: openssl req -x509 -newkey rsa:2048 -keyout {{ self_signed_key }} -out {{ self_signed_cert }} -days 365 -nodes -subj '{{ self_signed_subject }}'
|
||||||
|
@ -69,6 +41,6 @@
|
||||||
|
|
||||||
- name: Create the symbolic link for the certificates into the letsencrypt live directory
|
- name: Create the symbolic link for the certificates into the letsencrypt live directory
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
src: "{{ pki_dir }}/certs/selfsigned"
|
src: "{{ pki_dir }}/selfsigned"
|
||||||
dest: "{{ letsencrypt_acme_sh_certificates_install_path }}"
|
dest: "{{ letsencrypt_acme_sh_certificates_install_path }}"
|
||||||
state: link
|
state: link
|
||||||
|
|
|
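Review bot: The second hunk removes the dedicated `{{ pki_dir }}/keys/selfsigned` directory that was created with `mode: 0700`, and `self_signed_key` now lives in `{{ pki_dir }}/selfsigned`, which the preceding loop creates with `mode: 0755`; the private key loses its restrictive parent directory. Whether the key file itself is readable then depends on how `openssl req -keyout` opens it on the target (recent OpenSSL uses 0600, but nothing in this play guarantees it), so pin it after the `openssl req` task: `- name: Restrict the self signed key` / `ansible.builtin.file: path: "{{ self_signed_key }}" mode: "0600"`, or create `{{ pki_dir }}/selfsigned` with `mode: "0750"`. Note that the symlink task points the letsencrypt live directory at the whole `selfsigned` directory, so cert and key now share one location and one set of directory permissions. The block containing these tasks starts before the hunk, so I cannot see what guards the generation command.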
@ -1,125 +1,120 @@
|
||||||
---
|
---
|
||||||
- name: Manage optional CA files on EL
|
- name: Manage optional CA files on EL
|
||||||
|
tags: ['pki', 'trusted_ca', 'letsencrypt_ca']
|
||||||
block:
|
block:
|
||||||
- name: Get the CA files that we want to trust
|
- name: Get the CA files that we want to trust on EL
|
||||||
get_url: url={{ item.ca_url }} dest=/etc/pki/ca-trust/source/anchors/{{ item.ca }} owner=root group=root mode='0444'
|
get_url: url={{ item.ca_url }} dest=/etc/pki/ca-trust/source/anchors/{{ item.ca }} owner=root group=root mode='0444'
|
||||||
with_items: '{{ trusted_ca_additional_ca_files }}'
|
with_items: '{{ trusted_ca_additional_ca_files }}'
|
||||||
register: ca_files_installation
|
register: ca_files_installation
|
||||||
|
|
||||||
- name: Trust the CA files
|
- name: Trust the CA files on EL
|
||||||
command: /bin/update-ca-trust extract
|
command: /bin/update-ca-trust extract
|
||||||
when: ca_files_installation is changed
|
when: ca_files_installation is changed
|
||||||
|
|
||||||
when: ansible_distribution_file_variety == "RedHat"
|
when: ansible_distribution_file_variety == "RedHat"
|
||||||
tags: [ 'pki', 'trusted_ca', 'letsencrypt_ca' ]
|
|
||||||
|
|
||||||
- name: Manage the Letsencrypt CA files on EL
|
- name: Manage the Letsencrypt CA files on EL
|
||||||
block:
|
|
||||||
- name: Download the letsencrypt CA files on EL
|
|
||||||
get_url:
|
|
||||||
url: '{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca_src }}'
|
|
||||||
dest: '/etc/pki/ca-trust/source/anchors/{{ item.ca }}'
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0444
|
|
||||||
loop: '{{ trusted_ca_letsencrypt_ca_files }}'
|
|
||||||
register: letsencrypt_ca_files_installation
|
|
||||||
|
|
||||||
- name: Rebuild the trust CA files on EL
|
|
||||||
command: /bin/update-ca-trust extract
|
|
||||||
when: letsencrypt_ca_files_installation is changed
|
|
||||||
|
|
||||||
- name: Ensure that the expired CA files are not present
|
|
||||||
file:
|
|
||||||
dest: '/etc/pki/ca-trust/source/anchors/{{ item }}'
|
|
||||||
state: absent
|
|
||||||
loop: '{{ expired_ca_letsencrypt_ca_files }}'
|
|
||||||
register: letsencrypt_ca_files_removal
|
|
||||||
|
|
||||||
- name: Rebuild the trust CA files on EL
|
|
||||||
command: /bin/update-ca-trust extract
|
|
||||||
when: letsencrypt_ca_files_removal is changed
|
|
||||||
|
|
||||||
when:
|
when:
|
||||||
- trusted_ca_letsencrypt_install
|
- trusted_ca_letsencrypt_install
|
||||||
- ansible_distribution_file_variety == "RedHat"
|
- ansible_distribution_file_variety == "RedHat"
|
||||||
tags: [ 'pki', 'trusted_ca', 'letsencrypt_ca' ]
|
tags: ['pki', 'trusted_ca', 'letsencrypt_ca']
|
||||||
|
block:
|
||||||
|
- name: Download the letsencrypt CA files on EL
|
||||||
|
get_url:
|
||||||
|
url: '{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca_src }}'
|
||||||
|
dest: '/etc/pki/ca-trust/source/anchors/{{ item.ca }}'
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0444
|
||||||
|
loop: '{{ trusted_ca_letsencrypt_ca_files }}'
|
||||||
|
register: letsencrypt_ca_files_installation
|
||||||
|
|
||||||
|
- name: Rebuild the trust CA files on EL
|
||||||
|
command: /bin/update-ca-trust extract
|
||||||
|
when: letsencrypt_ca_files_installation is changed
|
||||||
|
|
||||||
|
- name: Ensure that the expired CA files are not present
|
||||||
|
file:
|
||||||
|
dest: '/etc/pki/ca-trust/source/anchors/{{ item }}'
|
||||||
|
state: absent
|
||||||
|
loop: '{{ expired_ca_letsencrypt_ca_files }}'
|
||||||
|
register: letsencrypt_ca_files_removal
|
||||||
|
|
||||||
|
- name: Rebuild the trust CA files on EL
|
||||||
|
command: /bin/update-ca-trust extract
|
||||||
|
when: letsencrypt_ca_files_removal is changed
|
||||||
|
|
||||||
|
|
||||||
- name: Manage optional CA files on deb
|
- name: Manage optional CA files on deb
|
||||||
block:
|
|
||||||
- name: Ensure that ca-certificates is installed and up to date
|
|
||||||
apt:
|
|
||||||
pkg: ca-certificates
|
|
||||||
state: latest
|
|
||||||
cache_valid_time: 1800
|
|
||||||
|
|
||||||
- name: Get the CA files that we want to trust on deb
|
|
||||||
get_url: url={{ item.ca_url }} dest={{ trusted_ca_deb_path }}/{{ item.ca }} owner=root group=root mode='0444'
|
|
||||||
with_items: '{{ trusted_ca_additional_ca_files }}'
|
|
||||||
register: ca_files_installation
|
|
||||||
|
|
||||||
- name: Trust the CA files on deb
|
|
||||||
command: /usr/sbin/update-ca-certificates
|
|
||||||
when: ca_files_installation is changed
|
|
||||||
|
|
||||||
when: ansible_distribution_file_variety == "Debian"
|
when: ansible_distribution_file_variety == "Debian"
|
||||||
tags: [ 'pki', 'trusted_ca', 'letsencrypt_ca' ]
|
tags: ['pki', 'trusted_ca', 'letsencrypt_ca']
|
||||||
|
block:
|
||||||
|
- name: Ensure that ca-certificates is installed and up to date
|
||||||
|
apt:
|
||||||
|
pkg: ca-certificates
|
||||||
|
state: latest
|
||||||
|
cache_valid_time: 1800
|
||||||
|
|
||||||
|
- name: Get the CA files that we want to trust on deb
|
||||||
|
get_url: url={{ item.ca_url }} dest={{ trusted_ca_deb_path }}/{{ item.ca }} owner=root group=root mode='0444'
|
||||||
|
with_items: '{{ trusted_ca_additional_ca_files }}'
|
||||||
|
register: ca_files_installation
|
||||||
|
|
||||||
|
- name: Trust the CA files on deb
|
||||||
|
command: /usr/sbin/update-ca-certificates
|
||||||
|
when: ca_files_installation is changed
|
||||||
|
|
||||||
- name: Distrust the DST Root CA X3 in Ubuntu Trusty
|
- name: Distrust the DST Root CA X3 in Ubuntu Trusty
|
||||||
block:
|
|
||||||
- name: Comment the mozilla/DST_Root_CA_X3.crt entry
|
|
||||||
lineinfile:
|
|
||||||
path: /etc/ca-certificates.conf
|
|
||||||
regexp: '^mozilla/DST_Root_CA_X3.crt'
|
|
||||||
line: '!mozilla/DST_Root_CA_X3.crt'
|
|
||||||
register: dst_x3_distrust
|
|
||||||
|
|
||||||
- name: Trust the CA files on deb
|
|
||||||
command: /usr/sbin/update-ca-certificates
|
|
||||||
when: dst_x3_distrust is changed
|
|
||||||
|
|
||||||
when:
|
when:
|
||||||
- ansible_distribution_file_variety == "Debian"
|
- ansible_distribution_file_variety == "Debian"
|
||||||
- ansible_distribution_version is version_compare('14.04', '==')
|
- ansible_distribution_version is version_compare('14.04', '==')
|
||||||
tags: [ 'pki', 'obsolete_ca' ]
|
tags: ['pki', 'obsolete_ca']
|
||||||
|
block:
|
||||||
|
- name: Comment the mozilla/DST_Root_CA_X3.crt entry
|
||||||
|
lineinfile:
|
||||||
|
path: /etc/ca-certificates.conf
|
||||||
|
regexp: '^mozilla/DST_Root_CA_X3.crt'
|
||||||
|
line: '!mozilla/DST_Root_CA_X3.crt'
|
||||||
|
register: dst_x3_distrust
|
||||||
|
|
||||||
|
- name: Trust the CA files on deb
|
||||||
|
command: /usr/sbin/update-ca-certificates
|
||||||
|
when: dst_x3_distrust is changed
|
||||||
|
|
||||||
- name: Manage the Letsencrypt CA files on deb
|
- name: Manage the Letsencrypt CA files on deb
|
||||||
block:
|
|
||||||
- name: Download the letsencrypt CA files on deb
|
|
||||||
get_url:
|
|
||||||
url: '{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca_src }}'
|
|
||||||
dest: '{{ trusted_ca_deb_path }}/{{ item.ca }}'
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0444
|
|
||||||
loop: '{{ trusted_ca_letsencrypt_ca_files }}'
|
|
||||||
register: letsencrypt_ca_files_installation
|
|
||||||
|
|
||||||
- name: Trust the CA files on deb
|
|
||||||
command: /usr/sbin/update-ca-certificates
|
|
||||||
when: letsencrypt_ca_files_installation is changed
|
|
||||||
|
|
||||||
- name: Ensure that the expired CA files are not present
|
|
||||||
file:
|
|
||||||
dest: '/etc/ssl/certs/{{ item }}'
|
|
||||||
state: absent
|
|
||||||
loop: '{{ expired_ca_letsencrypt_ca_files }}'
|
|
||||||
register: letsencrypt_ca_files_removal
|
|
||||||
|
|
||||||
- name: Ensure that the expired CA files are not present
|
|
||||||
file:
|
|
||||||
dest: '{{ trusted_ca_deb_path }}/{{ item }}'
|
|
||||||
state: absent
|
|
||||||
loop: '{{ expired_ca_letsencrypt_ca_files }}'
|
|
||||||
register: letsencrypt_ca_files_removal
|
|
||||||
|
|
||||||
- name: Trust the CA files on deb
|
|
||||||
command: /usr/sbin/update-ca-certificates
|
|
||||||
when: letsencrypt_ca_files_removal is changed
|
|
||||||
|
|
||||||
when:
|
when:
|
||||||
- trusted_ca_letsencrypt_install
|
- trusted_ca_letsencrypt_install
|
||||||
- ansible_distribution_file_variety == "Debian"
|
- ansible_distribution_file_variety == "Debian"
|
||||||
tags: [ 'pki', 'trusted_ca', 'letsencrypt_ca' ]
|
tags: ['pki', 'trusted_ca', 'letsencrypt_ca']
|
||||||
|
block:
|
||||||
|
- name: Download the letsencrypt CA files on deb
|
||||||
|
get_url:
|
||||||
|
url: '{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca_src }}'
|
||||||
|
dest: '{{ trusted_ca_deb_path }}/{{ item.ca }}'
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0444
|
||||||
|
loop: '{{ trusted_ca_letsencrypt_ca_files }}'
|
||||||
|
register: letsencrypt_ca_files_installation
|
||||||
|
|
||||||
|
- name: Trust the CA files on deb
|
||||||
|
command: /usr/sbin/update-ca-certificates
|
||||||
|
when: letsencrypt_ca_files_installation is changed
|
||||||
|
|
||||||
|
- name: Ensure that the expired CA files are not present
|
||||||
|
file:
|
||||||
|
dest: '/etc/ssl/certs/{{ item }}'
|
||||||
|
state: absent
|
||||||
|
loop: '{{ expired_ca_letsencrypt_ca_files }}'
|
||||||
|
register: letsencrypt_ca_files_removal
|
||||||
|
|
||||||
|
- name: Ensure that the expired CA files are not present
|
||||||
|
file:
|
||||||
|
dest: '{{ trusted_ca_deb_path }}/{{ item }}'
|
||||||
|
state: absent
|
||||||
|
loop: '{{ expired_ca_letsencrypt_ca_files }}'
|
||||||
|
register: letsencrypt_ca_files_removal
|
||||||
|
|
||||||
|
- name: Trust the CA files on deb
|
||||||
|
command: /usr/sbin/update-ca-certificates
|
||||||
|
when: letsencrypt_ca_files_removal is changed
|
||||||
|
|
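Review bot: Every CA file installed by this file is pulled with `get_url` and dropped straight into the system trust store without a `checksum`, so a new trust anchor on every host rests solely on the TLS connection to the source URL; for `trusted_ca_additional_ca_files` in particular add a per-entry pin, `checksum: "{{ item.checksum | default(omit) }}"`, and document `checksum` next to the `ca_url` example in defaults. The EL tasks still hardcode `/etc/pki/ca-trust/source/anchors/` (e.g. `dest: '/etc/pki/ca-trust/source/anchors/{{ item.ca }}'`) although defaults define `trusted_ca_el_anchors_path` and the deb tasks use `trusted_ca_deb_path`; `dest: '{{ trusted_ca_el_anchors_path }}/{{ item.ca }}'` keeps the two halves consistent. Style: the two `get_url: url=... dest=... mode='0444'` tasks remain in key=value free-form syntax with `with_items` while the rest of the file uses block YAML and `loop`; since this commit already reshuffles these blocks, converting them would be cheap. `version_compare` in the Trusty block is the old name of the `version` test.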