Add support for mkcert.

This commit is contained in:
Andrea Dell'Amico 2023-07-12 19:25:22 +02:00
parent d96def22ce
commit de549df51a
Signed by: adellam
GPG Key ID: 147ABE6CEB9E20FF
6 changed files with 174 additions and 134 deletions


@ -170,15 +170,21 @@ pki_subdirs:
- certs - certs
- keys - keys
pki_install_a_custom_ca: false pki_install_a_custom_ca: false
self_signed_cert: "{{ pki_dir }}/certs/selfsigned/cert" self_signed_cert: "{{ pki_dir }}/selfsigned/cert"
self_signed_fullchain: "{{ pki_dir }}/certs/selfsigned/fullchain" self_signed_fullchain: "{{ pki_dir }}/selfsigned/fullchain"
self_signed_key: "{{ pki_dir }}/keys/selfsigned/privkey" self_signed_key: "{{ pki_dir }}/selfsigned/privkey"
self_signed_subject: "/CN={{ ansible_fqdn }} self signed" self_signed_subject: "/CN={{ ansible_fqdn }} self signed"
mkcert_create_certificate: false
mkcert_cert_name: "{{ ansible_fqdn}}.pem"
mkcert_key_name: "{{ ansible_fqdn}}-key.pem"
mkcert_dsn_and_ip_list: "{{ ansible_fqdn }} {{ ansible_default_ipv4 }}"
mkcert_ca_host: localhost
trusted_ca_el_anchors_path: '/etc/pki/ca-trust/source/anchors' trusted_ca_el_anchors_path: '/etc/pki/ca-trust/source/anchors'
trusted_ca_deb_path: '/usr/local/share/ca-certificates' trusted_ca_deb_path: '/usr/local/share/ca-certificates'
# it shoudn't be needed # it shoudn't be needed
trusted_ca_letsencrypt_install: False trusted_ca_letsencrypt_install: false
trusted_ca_letsencrypt_ca_certificates_url: https://letsencrypt.org/certs trusted_ca_letsencrypt_ca_certificates_url: https://letsencrypt.org/certs
trusted_ca_letsencrypt_ca_files: trusted_ca_letsencrypt_ca_files:
- { ca_src: 'isrgrootx1.pem', ca: 'isrgrootx1.crt', name: 'isrg-root-x1' } - { ca_src: 'isrgrootx1.pem', ca: 'isrgrootx1.crt', name: 'isrg-root-x1' }
@ -195,4 +201,4 @@ expired_ca_letsencrypt_ca_files:
- letsencryptauthorityx3.pem - letsencryptauthorityx3.pem
trusted_ca_additional_ca_files: [] trusted_ca_additional_ca_files: []
# - { can_url: 'https://example.com/foo-ca.pem', ca: 'foo-ca.pem', name: 'foo-ca' } # - { ca_url: 'https://example.com/foo-ca.pem', ca: 'foo-ca.pem', name: 'foo-ca' }
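Review bot: The new `mkcert_dsn_and_ip_list` default interpolates `ansible_default_ipv4`, which is a dictionary fact, so the rendered value is the dict's text form rather than an address, and certificate_from_private_ca.yml passes that string straight to mkcert as its SAN list. Use the address key: `mkcert_dsn_and_ip_list: "{{ ansible_fqdn }} {{ ansible_default_ipv4.address }}"`; since the value is also interpolated unquoted into a command line, keep it to hostnames and addresses. The key name reads like a typo for `dns`; if it is renamed, keep the old spelling as an alias because it is a public role default. The `{{ ansible_fqdn}}` spacing on the two `*_name` lines is inconsistent with the rest of the file.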


@ -0,0 +1,40 @@
---
- name: Create the certificate using the private CA
tags: [pki, tls, tls_certificate]
block:
- name: Create the certificate (delegate to the CA vm)
become_user: mkcert-ca
ansible.builtin.command:
cmd: mkcert -cert-file {{ mkcert_cert_name }} -key-file {{ mkcert_key_name }} {{ mkcert_dsn_and_ip_list }}
args:
creates: "/srv/mkcert-ca/{{ mkcert_cert_name }}"
delegate_to: "{{ mkcert_ca_host }}"
- name: Manage the certificate installation
tags: [pki, tls, tls_certificate]
block:
- name: Get the certificate and its key from the CA server
become_user: mkcert-ca
ansible.builtin.fetch:
src: "/srv/mkcert-ca/{{ item }}"
dest: "files/{{ item }}"
loop:
- "{{ mkcert_cert_name }}"
- "{{ mkcert_key_name }}"
delegate_to: "{{ mkcert_ca_host }}"
- name: Copy the certificate to the destination server
ansible.builtin.copy:
src: "files/{{ mkcert_cert_name }}"
dest: "{{ pki_dir }}/certs/{{ mkcert_cert_name }}"
owner: root
group: root
mode: 0444
- name: Copy the certificate to the destination server
ansible.builtin.copy:
src: "files/{{ mkcert_key_name }}"
dest: "{{ pki_dir }}/keys/{{ mkcert_key_name }}"
owner: root
group: root
mode: 0440
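Review bot: The fetch task ("Get the certificate and its key from the CA server") has no `flat: true`, so with the module's default behaviour each file lands under `files/<mkcert_ca_host>/srv/mkcert-ca/<name>` instead of `files/{{ item }}`, and the two copy tasks that follow will not find `files/{{ mkcert_cert_name }}` or `files/{{ mkcert_key_name }}`; add `flat: true` to the fetch. The mkcert command has no `chdir`, so the certificate is written to the mkcert-ca user's current directory while `creates` checks `/srv/mkcert-ca/`; unless that user's home is /srv/mkcert-ca (not visible here) the task re-runs on every play, so add `chdir: /srv/mkcert-ca` under `args`. The private key is staged in the controller's `files/` directory inside the role tree; keep that path out of version control or fetch into a temporary directory instead. The second copy task reuses the name "Copy the certificate to the destination server" for the key; rename it to `- name: Copy the private key to the destination server`.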


@ -9,9 +9,16 @@
ansible.builtin.import_tasks: timezone.yml ansible.builtin.import_tasks: timezone.yml
- name: Sysctl kernel parameters - name: Sysctl kernel parameters
ansible.builtin.import_tasks: sysctl.yml ansible.builtin.import_tasks: sysctl.yml
- name: Create a directory that will contain the local generated certificates
ansible.builtin.import_tasks: pki_dir.yml
- name: Self signed certificates waiting for the letsencrypt ones - name: Self signed certificates waiting for the letsencrypt ones
ansible.builtin.import_tasks: self_signed_certificate.yml ansible.builtin.import_tasks: self_signed_certificate.yml
when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install
- name: Certificate from privte CA (mkcert)
ansible.builtin.import_tasks: certificate_from_private_ca.yml
when:
- (letsencrypt_acme_sh_install is not defined) or (not letsencrypt_acme_sh_install)
- mkcert_create_certificate
- name: HTTP client proxy - name: HTTP client proxy
ansible.builtin.import_tasks: http_client_proxy.yml ansible.builtin.import_tasks: http_client_proxy.yml
- name: Manage additiondal disk volumes - name: Manage additiondal disk volumes
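Review bot: The new import task name on the "Certificate from privte CA (mkcert)" line has a typo; `- name: Certificate from private CA (mkcert)`. Its `when` list makes the mkcert path mutually exclusive with the self-signed one only implicitly, through `letsencrypt_acme_sh_install`; a comment above the task such as `# mkcert replaces the self-signed certificate when letsencrypt is not used` would make the intended precedence visible to the next maintainer. The surrounding task list continues outside the hunk.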

tasks/pki_dir.yml Normal file

@ -0,0 +1,20 @@
---
- name: Manage the PKI directory
tags: [pki, ssl, ca, letsencrypt, tls, tls_certificate]
block:
- name: Ensure that the PKI directory exists
ansible.builtin.file:
path: "{{ pki_dir }}"
state: directory
owner: root
group: root
mode: 0755
- name: Ensure that the PKI subdirectories exist
ansible.builtin.file:
path: "{{ pki_dir }}/{{ item }}"
state: directory
owner: root
group: root
mode: 0755
loop: "{{ pki_subdirs }}"
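Review bot: The subdirectory loop applies `mode: 0755` to every entry of `pki_subdirs`, including `keys` (per the defaults in this commit), so the directory that receives private keys is world-traversable and each key file's own mode is the only protection; the `keys/selfsigned` 0700 directory that used to provide that isolation is removed from self_signed_certificate.yml in this same commit. Consider a per-item mode, e.g. `mode: "{{ '0750' if item == 'keys' else '0755' }}"`, or a separate task for `keys`. The octal modes are unquoted here and on the directory task above; ansible-lint flags this (risky-octal), and `mode: "0755"` avoids the YAML integer conversion.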


@ -1,24 +1,4 @@
--- ---
- name: Manage the PKI directory
tags: ['pki', 'ssl', 'ca', 'letsencrypt']
block:
- name: Ensure that the PKI directory exists
ansible.builtin.file:
path: "{{ pki_dir }}"
state: directory
owner: root
group: root
mode: 0755
- name: Ensure that the PKI subdirectories exist
ansible.builtin.file:
path: "{{ pki_dir }}/{{ item }}"
state: directory
owner: root
group: root
mode: 0755
loop: "{{ pki_subdirs }}"
- name: Letsencrypt is going to manage the certificates. Check if a certificate already exists - name: Letsencrypt is going to manage the certificates. Check if a certificate already exists
tags: ['pki', 'ssl', 'letsencrypt'] tags: ['pki', 'ssl', 'letsencrypt']
block: block:
@ -43,15 +23,7 @@
mode: 0755 mode: 0755
loop: loop:
- "{{ letsencrypt_acme_sh_certificates_install_base_path }}" - "{{ letsencrypt_acme_sh_certificates_install_base_path }}"
- "{{ pki_dir }}/certs/selfsigned" - "{{ pki_dir }}/selfsigned"
- name: Path to the self signed key file
ansible.builtin.file:
path: "{{ pki_dir }}/keys/selfsigned"
state: directory
owner: root
group: root
mode: 0700
- name: Generate the self signed certificate and private key - name: Generate the self signed certificate and private key
ansible.builtin.command: openssl req -x509 -newkey rsa:2048 -keyout {{ self_signed_key }} -out {{ self_signed_cert }} -days 365 -nodes -subj '{{ self_signed_subject }}' ansible.builtin.command: openssl req -x509 -newkey rsa:2048 -keyout {{ self_signed_key }} -out {{ self_signed_cert }} -days 365 -nodes -subj '{{ self_signed_subject }}'
@ -69,6 +41,6 @@
- name: Create the symbolic link for the certificates into the letsencrypt live directory - name: Create the symbolic link for the certificates into the letsencrypt live directory
ansible.builtin.file: ansible.builtin.file:
src: "{{ pki_dir }}/certs/selfsigned" src: "{{ pki_dir }}/selfsigned"
dest: "{{ letsencrypt_acme_sh_certificates_install_path }}" dest: "{{ letsencrypt_acme_sh_certificates_install_path }}"
state: link state: link
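Review bot: After the path change the self-signed private key (`{{ pki_dir }}/selfsigned/privkey` per the defaults in this commit) is written by the openssl command into `{{ pki_dir }}/selfsigned`, a directory created with `mode: 0755` by the loop above, and the `keys/selfsigned` 0700 directory that previously held it is removed, so the key file's own permissions are now the only protection. Whatever task sets the key's mode lies outside this hunk; if none does, add a file task after the openssl step with `mode: "0600"` on `{{ self_signed_key }}`, or create `{{ pki_dir }}/selfsigned` with `0750` in a task of its own. The symlink into the letsencrypt live directory at the end of the hunk inherits the same exposure, since it points at that directory.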


@ -1,125 +1,120 @@
--- ---
- name: Manage optional CA files on EL - name: Manage optional CA files on EL
tags: ['pki', 'trusted_ca', 'letsencrypt_ca']
block: block:
- name: Get the CA files that we want to trust - name: Get the CA files that we want to trust on EL
get_url: url={{ item.ca_url }} dest=/etc/pki/ca-trust/source/anchors/{{ item.ca }} owner=root group=root mode='0444' get_url: url={{ item.ca_url }} dest=/etc/pki/ca-trust/source/anchors/{{ item.ca }} owner=root group=root mode='0444'
with_items: '{{ trusted_ca_additional_ca_files }}' with_items: '{{ trusted_ca_additional_ca_files }}'
register: ca_files_installation register: ca_files_installation
- name: Trust the CA files - name: Trust the CA files on EL
command: /bin/update-ca-trust extract command: /bin/update-ca-trust extract
when: ca_files_installation is changed when: ca_files_installation is changed
when: ansible_distribution_file_variety == "RedHat" when: ansible_distribution_file_variety == "RedHat"
tags: [ 'pki', 'trusted_ca', 'letsencrypt_ca' ]
- name: Manage the Letsencrypt CA files on EL - name: Manage the Letsencrypt CA files on EL
block:
- name: Download the letsencrypt CA files on EL
get_url:
url: '{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca_src }}'
dest: '/etc/pki/ca-trust/source/anchors/{{ item.ca }}'
owner: root
group: root
mode: 0444
loop: '{{ trusted_ca_letsencrypt_ca_files }}'
register: letsencrypt_ca_files_installation
- name: Rebuild the trust CA files on EL
command: /bin/update-ca-trust extract
when: letsencrypt_ca_files_installation is changed
- name: Ensure that the expired CA files are not present
file:
dest: '/etc/pki/ca-trust/source/anchors/{{ item }}'
state: absent
loop: '{{ expired_ca_letsencrypt_ca_files }}'
register: letsencrypt_ca_files_removal
- name: Rebuild the trust CA files on EL
command: /bin/update-ca-trust extract
when: letsencrypt_ca_files_removal is changed
when: when:
- trusted_ca_letsencrypt_install - trusted_ca_letsencrypt_install
- ansible_distribution_file_variety == "RedHat" - ansible_distribution_file_variety == "RedHat"
tags: [ 'pki', 'trusted_ca', 'letsencrypt_ca' ] tags: ['pki', 'trusted_ca', 'letsencrypt_ca']
block:
- name: Download the letsencrypt CA files on EL
get_url:
url: '{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca_src }}'
dest: '/etc/pki/ca-trust/source/anchors/{{ item.ca }}'
owner: root
group: root
mode: 0444
loop: '{{ trusted_ca_letsencrypt_ca_files }}'
register: letsencrypt_ca_files_installation
- name: Rebuild the trust CA files on EL
command: /bin/update-ca-trust extract
when: letsencrypt_ca_files_installation is changed
- name: Ensure that the expired CA files are not present
file:
dest: '/etc/pki/ca-trust/source/anchors/{{ item }}'
state: absent
loop: '{{ expired_ca_letsencrypt_ca_files }}'
register: letsencrypt_ca_files_removal
- name: Rebuild the trust CA files on EL
command: /bin/update-ca-trust extract
when: letsencrypt_ca_files_removal is changed
- name: Manage optional CA files on deb - name: Manage optional CA files on deb
block:
- name: Ensure that ca-certificates is installed and up to date
apt:
pkg: ca-certificates
state: latest
cache_valid_time: 1800
- name: Get the CA files that we want to trust on deb
get_url: url={{ item.ca_url }} dest={{ trusted_ca_deb_path }}/{{ item.ca }} owner=root group=root mode='0444'
with_items: '{{ trusted_ca_additional_ca_files }}'
register: ca_files_installation
- name: Trust the CA files on deb
command: /usr/sbin/update-ca-certificates
when: ca_files_installation is changed
when: ansible_distribution_file_variety == "Debian" when: ansible_distribution_file_variety == "Debian"
tags: [ 'pki', 'trusted_ca', 'letsencrypt_ca' ] tags: ['pki', 'trusted_ca', 'letsencrypt_ca']
block:
- name: Ensure that ca-certificates is installed and up to date
apt:
pkg: ca-certificates
state: latest
cache_valid_time: 1800
- name: Get the CA files that we want to trust on deb
get_url: url={{ item.ca_url }} dest={{ trusted_ca_deb_path }}/{{ item.ca }} owner=root group=root mode='0444'
with_items: '{{ trusted_ca_additional_ca_files }}'
register: ca_files_installation
- name: Trust the CA files on deb
command: /usr/sbin/update-ca-certificates
when: ca_files_installation is changed
- name: Distrust the DST Root CA X3 in Ubuntu Trusty - name: Distrust the DST Root CA X3 in Ubuntu Trusty
block:
- name: Comment the mozilla/DST_Root_CA_X3.crt entry
lineinfile:
path: /etc/ca-certificates.conf
regexp: '^mozilla/DST_Root_CA_X3.crt'
line: '!mozilla/DST_Root_CA_X3.crt'
register: dst_x3_distrust
- name: Trust the CA files on deb
command: /usr/sbin/update-ca-certificates
when: dst_x3_distrust is changed
when: when:
- ansible_distribution_file_variety == "Debian" - ansible_distribution_file_variety == "Debian"
- ansible_distribution_version is version_compare('14.04', '==') - ansible_distribution_version is version_compare('14.04', '==')
tags: [ 'pki', 'obsolete_ca' ] tags: ['pki', 'obsolete_ca']
block:
- name: Comment the mozilla/DST_Root_CA_X3.crt entry
lineinfile:
path: /etc/ca-certificates.conf
regexp: '^mozilla/DST_Root_CA_X3.crt'
line: '!mozilla/DST_Root_CA_X3.crt'
register: dst_x3_distrust
- name: Trust the CA files on deb
command: /usr/sbin/update-ca-certificates
when: dst_x3_distrust is changed
- name: Manage the Letsencrypt CA files on deb - name: Manage the Letsencrypt CA files on deb
block:
- name: Download the letsencrypt CA files on deb
get_url:
url: '{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca_src }}'
dest: '{{ trusted_ca_deb_path }}/{{ item.ca }}'
owner: root
group: root
mode: 0444
loop: '{{ trusted_ca_letsencrypt_ca_files }}'
register: letsencrypt_ca_files_installation
- name: Trust the CA files on deb
command: /usr/sbin/update-ca-certificates
when: letsencrypt_ca_files_installation is changed
- name: Ensure that the expired CA files are not present
file:
dest: '/etc/ssl/certs/{{ item }}'
state: absent
loop: '{{ expired_ca_letsencrypt_ca_files }}'
register: letsencrypt_ca_files_removal
- name: Ensure that the expired CA files are not present
file:
dest: '{{ trusted_ca_deb_path }}/{{ item }}'
state: absent
loop: '{{ expired_ca_letsencrypt_ca_files }}'
register: letsencrypt_ca_files_removal
- name: Trust the CA files on deb
command: /usr/sbin/update-ca-certificates
when: letsencrypt_ca_files_removal is changed
when: when:
- trusted_ca_letsencrypt_install - trusted_ca_letsencrypt_install
- ansible_distribution_file_variety == "Debian" - ansible_distribution_file_variety == "Debian"
tags: [ 'pki', 'trusted_ca', 'letsencrypt_ca' ] tags: ['pki', 'trusted_ca', 'letsencrypt_ca']
block:
- name: Download the letsencrypt CA files on deb
get_url:
url: '{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca_src }}'
dest: '{{ trusted_ca_deb_path }}/{{ item.ca }}'
owner: root
group: root
mode: 0444
loop: '{{ trusted_ca_letsencrypt_ca_files }}'
register: letsencrypt_ca_files_installation
- name: Trust the CA files on deb
command: /usr/sbin/update-ca-certificates
when: letsencrypt_ca_files_installation is changed
- name: Ensure that the expired CA files are not present
file:
dest: '/etc/ssl/certs/{{ item }}'
state: absent
loop: '{{ expired_ca_letsencrypt_ca_files }}'
register: letsencrypt_ca_files_removal
- name: Ensure that the expired CA files are not present
file:
dest: '{{ trusted_ca_deb_path }}/{{ item }}'
state: absent
loop: '{{ expired_ca_letsencrypt_ca_files }}'
register: letsencrypt_ca_files_removal
- name: Trust the CA files on deb
command: /usr/sbin/update-ca-certificates
when: letsencrypt_ca_files_removal is changed
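Review bot: The two "Ensure that the expired CA files are not present" tasks in the deb Letsencrypt block both `register: letsencrypt_ca_files_removal`, so the second result overwrites the first and the final "Trust the CA files on deb" step is skipped when only the `/etc/ssl/certs` removal changed; register the first as e.g. `register: letsencrypt_ca_symlinks_removal` and gate the rebuild with `when: letsencrypt_ca_symlinks_removal is changed or letsencrypt_ca_files_removal is changed`. This predates the commit but is carried into the reordered block unchanged. Separately, the `get_url: url=... mode='0444'` key=value lines for the additional CA files differ from the block-style `get_url:` used for the Letsencrypt files in the same file; converting them to block form would be consistent. The EL tasks also hardcode `/etc/pki/ca-trust/source/anchors` while the defaults in this commit define `trusted_ca_el_anchors_path` for it, so one of the two should be used throughout.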