diff --git a/defaults/main.yml b/defaults/main.yml
index 09dc252..ac680a8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,15 +1,17 @@
 ---
-java_keystore_use_default: False
+java_keystore_use_default: false
 java_default_keystore: '{{ jdk_java_home }}/jre/lib/security/cacerts'
+java_default_truststore: "{{ java_default_keystore }}"
 java_keystore_dir: "{{ pki_dir | default('/etc/pki') }}/jdk"
-#java_keystore_file: '{{ java_default_keystore }}'
-java_keystore_file: '{{ java_keystore_dir }}/java.jks'
-java_keytool_bin: '{{ jdk_java_home }}/jre/bin/keytool'
+java_keystore_file: "{% if java_keystore_use_default %}{{ java_default_keystore }}{% else %}{{ java_keystore_dir }}/java.jks{% endif %}"
+java_truststore_file: "{{ java_keystore_file }}"
-#java_keystore_certs_list: []
+java_trusted_certificates_list: []
+java_keystore_certs_list: []
 java_keystore_cert_alias: '{{ ansible_fqdn }}'
-# This is the default java password. No need to hide it.
+# This is the default password of the JDK keystore. No need to hide it.
 # Change it inside a vault file if you need something good
 java_keystore_pwd: changeit
+java_truststore_pwd: "{{ java_keystore_pwd }}"
 java_keystore_letsencrypt_trusted_ca: identrustdstx3
-java_import_letsencrypt_cert: True
+java_import_letsencrypt_cert: true
diff --git a/handlers/main.yml b/handlers/main.yml
deleted file mode 100644
index 27474e0..0000000
--- a/handlers/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-# handlers file for ansible-role-template
\ No newline at end of file
diff --git a/meta/main.yml b/meta/main.yml
index 5d6bbbc..c190cb6 100644
--- a/meta/main.yml
+++ b/meta/main.yml
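Review bot: The new `java_keystore_file` expression makes `java_default_keystore` the active keystore whenever `java_keystore_use_default` is true, but that default still hard-codes the JDK 8 layout `{{ jdk_java_home }}/jre/lib/security/cacerts`; JDK 9 and later ship no `jre/` directory and keep the file under `lib/security/cacerts`, which is presumably what the OpenJDK packages on the focal, jammy and EL 9 platforms added in the meta hunk provide. Either derive the path from a JDK version variable, if the openjdk dependency exposes one (I cannot see that role here), or at least document the assumption next to the default: `# JDK 8 layout; JDK 9+ keeps cacerts in {{ jdk_java_home }}/lib/security/cacerts`. Note also that `java_truststore_pwd` now inherits `java_keystore_pwd`, so the "default password, no need to hide it" comment covers the truststore as well; saying so in that comment would avoid a reader vaulting only one of the two.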
@@ -1,33 +1,30 @@
 galaxy_info:
 author: Andrea Dell'Amico
- description: Systems Architect
+ description: Role that manages a Java keystore
 company: ISTI-CNR
-
- issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
-
+ namespace: adellam
+ role_name: java_keystore
 license: EUPL 1.2+
-
- min_ansible_version: 2.8
-
- # To view available platforms and versions (or releases), visit:
- # https://galaxy.ansible.com/api/v1/platforms/
- #
+ min_ansible_version: "1.14"
 platforms:
 - name: Ubuntu
 versions:
 - bionic
+ - focal
+ - jammy
 - name: EL
 versions:
- - 7
- - 8
+ - "7"
+ - "8"
+ - "9"
 galaxy_tags:
 - java
 - keystore
 dependencies:
- - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-openjdk.git
+ - name: openjdk
+ src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-openjdk.git
 version: master
- name: openjdk
 state: latest
diff --git a/tasks/main.yml b/tasks/main.yml
index f3fd7bb..4480f49 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
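Review bot: `min_ansible_version: "1.14"` lowers the requirement from the previous `2.8` to a value that does not match any ansible-core release, while the tasks in this commit switch to collection modules (`community.crypto.openssl_pkcs12`, `community.general.java_cert`) that need a 2.9+ core plus the two collections installed; `"2.14"` is presumably what was intended, and the collections should be declared in a `collections:` list here or in a requirements.yml so Galaxy pulls them with the role. Separately, the openjdk dependency still tracks `version: master` of a git repository, so each install fetches whatever that branch holds at the time; pinning a tag or commit would make the role's dependency chain reproducible.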
@@ -1,32 +1,69 @@
 ---
-- block:
- - name: Create the PKI directory
- file: dest={{ java_keystore_dir }} state=directory owner=root group=root mode=0755
-
+- name: Manage the PKI directory
 when: not java_keystore_use_default
 tags: java_keystore
+ block:
+ - name: Create the PKI directory
+ ansible.builtin.file:
+ dest: "{{ java_keystore_dir }}"
+ state: directory
+ owner: root
+ group: root
+ mode: "0755"
-- block:
- - name: Import the certificates
- shell: RETVAL= ; {{ java_keytool_bin }} -list -keystore {{ java_keystore_file }} -storepass {{ java_keystore_pwd }} -noprompt | grep {{ item.alias }} ; RETVAL=$? ; if [ $RETVAL -ne 0 ] ; then {{ java_keytool_bin }} -trustcacerts -keystore {{ java_keystore_file }} -storepass {{ java_keystore_pwd }} -noprompt -importcert -alias {{ item.alias }} -file {{ item.certfile }} ; fi
- with_items: '{{ java_keystore_certs_list | default([]) }}'
-
- - name: Import the certificate key
- shell: RETVAL= ; {{ java_keytool_bin }} -import -alias NOME -keyalg RSA -keystore {{ java_keystore_file }} -dname "CN={{ ansible_fqdn }}" -keypass {{ java_keystore_pwd }} -storepass {{ java_keystore_pwd }} -file {{ item.keyfile }}
- with_items: '{{ java_keystore_certs_list | default([]) }}'
-
- when: java_keystore_certs_list is defined
- tags: java_keystore
-
-- block:
- - name: Import the Letsencrypt intermediate CA cert
- shell: RETVAL= ; {{ java_keytool_bin }} -list -keystore {{ java_keystore_file }} -storepass {{ java_keystore_pwd }} -noprompt | grep {{ java_keystore_letsencrypt_trusted_ca }} ; RETVAL=$? ; if [ $RETVAL -ne 0 ] ; then {{ java_keytool_bin }} -trustcacerts -keystore {{ java_keystore_file }} -storepass {{ java_keystore_pwd }} -noprompt -importcert -alias {{ java_keystore_letsencrypt_trusted_ca }} -dname "CN={{ ansible_fqdn }}" -file {{ letsencrypt_acme_certs_dir }}/fullchain ; fi
-
- - name: Import the letsencrypt certificate
- shell: RETVAL= ; {{ java_keytool_bin }} -list -keystore {{ java_keystore_file }} -storepass {{ java_keystore_pwd }} -noprompt | grep {{ ansible_fqdn }} ; RETVAL=$? ; if [ $RETVAL -ne 0 ] ; then openssl pkcs12 -export -in {{ letsencrypt_acme_certs_dir }}/cert -inkey {{ letsencrypt_acme_certs_dir }}/privkey -CAfile {{ letsencrypt_acme_certs_dir }}/fullchain -name "{{ ansible_fqdn }}" -out /var/tmp/{{ ansible_fqdn }}.p12 -password pass:{{ java_keystore_pwd }} ; {{ java_keytool_bin }} -importkeystore -srcstorepass {{ java_keystore_pwd }} -deststorepass {{ java_keystore_pwd }} -destkeystore {{ java_keystore_file }} -srckeystore /var/tmp/{{ ansible_fqdn }}.p12 -srcstoretype PKCS12 ; rm -f /var/tmp/{{ ansible_fqdn }}.p12 ; fi
-
+- name: Import a certificate generated by a mkcert CA into a keystore
 when:
- - java_import_letsencrypt_cert
- - letsencrypt_acme_install is defined and letsencrypt_acme_install
- tags: java_keystore
+ - java_keystore_certs_list is defined
+ - mkcert_create_certificate is defined and mkcert_create_certificate
+ tags: [java_keystore, java_keystore_mkcert]
+ block:
+ - name: Generate a PKCS12 from the certificate and key produced by mkcert
+ community.crypto.openssl_pkcs12:
+ action: export
+ friendly_name: "{{ java_keystore_cert_alias }}"
+ path: "{{ pki_dir }}/keys/{{ ansible_fqdn }}.pkcs12"
+ certificate_path: "{{ mkcert_cert_dest_path }}"
+ privatekey_path: "{{ mkcert_key_dest_path }}"
+ other_certificates: '{{ java_trusted_certificates_list }}'
+ owner: root
+ group: root
+ mode: "0600"
+ state: present
+ - name: Import the CA certificate
+ community.general.java_cert:
+ pkcs12_path: "{{ pki_dir }}/keys/{{ ansible_fqdn }}.pkcs12"
+ cert_alias: "{{ java_keystore_cert_alias }}"
+ keystore_path: "{{ java_keystore_file }}"
+ keystore_pass: "{{ java_keystore_pwd }}"
+ keystore_create: true
+ state: present
+
+- name: Import a certificate generated by a Letsencrypt into a keystore
+ when:
+ - java_keystore_certs_list is defined
+ - mkcert_create_certificate is defined and mkcert_create_certificate
+ tags: [java_keystore, java_keystore_letsencrypt, letsencrypt]
+ block:
+ - name: Generate a PKCS12 from the certificate and key produced by Letsencrypt
+ community.crypto.openssl_pkcs12:
+ action: export
+ friendly_name: "{{ java_keystore_cert_alias }}"
+ path: "{{ letsencrypt_acme_sh_certificates_install_path }}/{{ letsencrypt_acme_sh_certificates_install_dir }}.pkcs12"
+ certificate_path: "{{ letsencrypt_acme_sh_certificates_install_path }}/cert"
+ privatekey_path: "{{ letsencrypt_acme_sh_certificates_install_path }}/privkey"
+ other_certificates:
+ - '{{ letsencrypt_acme_sh_certificates_install_path }}/fullchain'
+ owner: root
+ group: root
+ mode: "0600"
+ state: present
+
+ - name: Import the CA certificate
+ community.general.java_cert:
+ pkcs12_path: "{{ letsencrypt_acme_sh_certificates_install_path }}/{{ letsencrypt_acme_sh_certificates_install_dir }}.pkcs12"
+ cert_alias: "{{ java_keystore_cert_alias }}"
+ keystore_path: "{{ java_keystore_file }}"
+ keystore_pass: "{{ java_keystore_pwd }}"
+ keystore_create: true
+ state: present
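Review bot: The Letsencrypt block's `when:` is gated on `mkcert_create_certificate is defined and mkcert_create_certificate`, the same condition as the mkcert block above it, so it runs exactly when mkcert is in use and never for a host that only has acme.sh certificates, and the `java_import_letsencrypt_cert` default kept in defaults/main.yml is no longer consulted anywhere; replace that line with `- java_import_letsencrypt_cert` plus a Letsencrypt-side guard such as `- letsencrypt_acme_sh_certificates_install_path is defined`. The `java_keystore_certs_list is defined` test in both blocks is now always true because defaults/main.yml defines the list as `[]`, and nothing in the new tasks consumes that list, so it should either go or become `java_keystore_certs_list | length > 0` if the intent is to skip when nothing is configured. Both tasks named `Import the CA certificate` actually import the host's PKCS12 bundle (certificate plus private key) into the keystore, so a name like `Import the PKCS12 bundle into the keystore` would describe what they do. The mkcert paths also use bare `{{ pki_dir }}` without the `default('/etc/pki')` fallback that defaults/main.yml applies to `java_keystore_dir`, so a host without `pki_dir` set fails here while the directory task above succeeds.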