From a5f0c611b7f5254a32fe2d7a8afb1223ba844096 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Mon, 20 Aug 2018 19:19:04 +0200
Subject: [PATCH] Cleanup the basic pki tasks. Add support for acme.sh

---
 ubuntu-deb-general/tasks/main.yml | 4 +
 .../tasks/pki-basics-letsencrypt-acme-sh.yml | 43 +++++++++
 .../tasks/pki-basics-letsencrypt-acmetool.yml | 44 +++++++++
 ubuntu-deb-general/tasks/pki-basics.yml | 95 ++-----------------
 4 files changed, 99 insertions(+), 87 deletions(-)
 create mode 100644 ubuntu-deb-general/tasks/pki-basics-letsencrypt-acme-sh.yml
 create mode 100644 ubuntu-deb-general/tasks/pki-basics-letsencrypt-acmetool.yml

diff --git a/ubuntu-deb-general/tasks/main.yml b/ubuntu-deb-general/tasks/main.yml
index 62f2bc11..cb5723da 100644
--- a/ubuntu-deb-general/tasks/main.yml
+++ b/ubuntu-deb-general/tasks/main.yml
@@ -20,6 +20,10 @@
 - import_tasks: rsyslogfix.yml
 - import_tasks: unattended-upgrades.yml
 - import_tasks: pki-basics.yml
+- import_tasks: pki-basics-letsencrypt-acmetool.yml
+  when: letsencrypt_acme_install is defined and letsencrypt_acme_install
+- import_tasks: pki-basics-letsencrypt-acme-sh.yml
+  when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install
 - import_tasks: install_external_ca_cert.yml
 - import_tasks: manage_su_limits.yml
 - import_tasks: disable-unneeded-services.yml
diff --git a/ubuntu-deb-general/tasks/pki-basics-letsencrypt-acme-sh.yml b/ubuntu-deb-general/tasks/pki-basics-letsencrypt-acme-sh.yml
new file mode 100644
index 00000000..a0e746da
--- /dev/null
+++ b/ubuntu-deb-general/tasks/pki-basics-letsencrypt-acme-sh.yml
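Review bot: The `when:` guards added to the two new `import_tasks` lines repeat the guard that every block inside the imported files already carries (`when: letsencrypt_acme_install is defined and letsencrypt_acme_install` and its acme.sh twin), so the same condition now lives in two places and has to be kept in step. Either keep it only on the import, which already skips every imported task, or only inside the files. If it stays here, the shorter Ansible form `when: letsencrypt_acme_install | default(false) | bool` reads better than the `is defined and` pattern.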
@@ -0,0 +1,43 @@
+- block:
+    - name: When we are going to install letsencrypt acme.sh certificates, create a preliminary path and a self signed cert. Check if a certificate already exists. If so, skip all the related tasks
+      stat: path={{ letsencrypt_acme_sh_user_home }}/live/{{ ansible_fqdn }}
+      register: true_cert
+
+  tags: [ 'pki', 'ssl', 'letsencrypt' ]
+  when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install
+
+- block:
+    - name: When we are going to install letsencrypt acme.sh certificates, create a preliminary path and a self signed cert. Now the physical paths
+      file: path={{ item }} mode=0755 state=directory
+      with_items:
+        - '{{ letsencrypt_acme_sh_user_home }}/live'
+        - '{{ letsencrypt_acme_sh_user_home }}/certs/fakeselfsignedcert'
+
+    - name: When we are going to install letsencrypt acme.sh certificates, create a preliminary path and a self signed cert. Now the physical path for the key file
+      file: path={{ item }} mode=0700 state=directory
+      with_items:
+        - '{{ letsencrypt_acme_sh_user_home }}/keys/fakeselfsignedcert'
+
+    - name: When we are going to install letsencrypt acme.sh certificates, create a preliminary path and a self signed cert. Now the certificate and private key
+      command: openssl req -x509 -newkey rsa:2048 -keyout {{ letsencrypt_acme_sh_user_home }}/keys/fakeselfsignedcert/privkey -out {{ letsencrypt_acme_sh_user_home }}/certs/fakeselfsignedcert/cert -days 365 -nodes -subj '/CN={{ ansible_fqdn }} self signed'
+      args:
+        creates: '{{ letsencrypt_acme_sh_user_home }}/certs/fakeselfsignedcert/cert'
+
+    - name: When we are going to install letsencrypt acme.sh certificates, create a preliminary path and a self signed cert. Now the symbolic links for the private key
+      file: src=../../keys/fakeselfsignedcert/privkey dest={{ letsencrypt_acme_sh_user_home }}/certs/fakeselfsignedcert/privkey state=link
+
+    - name: When we are going to install letsencrypt acme.sh certificates, create a preliminary path and a self signed cert. Now the symbolic links for the chain file
+      file: src=cert dest={{ letsencrypt_acme_sh_user_home }}/certs/fakeselfsignedcert/chain state=link
+
+    - name: When we are going to install letsencrypt acme.sh certificates, create a preliminary path and a self signed cert. Now the symbolic links for the fullchain file
+      file: src=cert dest={{ letsencrypt_acme_sh_user_home }}/certs/fakeselfsignedcert/fullchain state=link
+
+    - name: When we are going to install letsencrypt acme.sh certificates, create a preliminary path and a self signed cert. Now the symbolic links for the certificate if there is not one
+      file: src=../certs/fakeselfsignedcert dest={{ letsencrypt_acme_sh_user_home }}/live/{{ ansible_fqdn }} state=link
+
+  tags: [ 'pki', 'ssl', 'letsencrypt' ]
+  when:
+    - letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install
+    - true_cert is defined
+    - true_cert.stat is defined
+    - true_cert.stat.islnk is not defined
diff --git a/ubuntu-deb-general/tasks/pki-basics-letsencrypt-acmetool.yml b/ubuntu-deb-general/tasks/pki-basics-letsencrypt-acmetool.yml
new file mode 100644
index 00000000..d12ba9f9
--- /dev/null
+++ b/ubuntu-deb-general/tasks/pki-basics-letsencrypt-acmetool.yml
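Review bot: The placeholder private key written by the `openssl req ... -keyout {{ letsencrypt_acme_sh_user_home }}/keys/fakeselfsignedcert/privkey` task is left with whatever file mode openssl and the current umask give it; only the parent directory gets `mode=0700`, and none of the `file:` tasks set `owner`/`group`, so everything under the acme.sh home is created as the Ansible connection user. Adding one task after the command, `- file: path={{ letsencrypt_acme_sh_user_home }}/keys/fakeselfsignedcert/privkey mode=0600` (plus owner/group if that home belongs to a dedicated user), makes the key mode explicit and independent of the umask; the same applies to the acmetool copy in the next hunk. This file also omits the `---` document start that pki-basics-letsencrypt-acmetool.yml has, and the eight task names all repeat the same long prefix — a short `name:` per task with the shared context in a comment above the block would read better.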
@@ -0,0 +1,44 @@
+---
+- block:
+    - name: When we are going to install letsencrypt acmetool certificates, create a preliminary path and a self signed cert. Check if a certificate already exists. If so, skip all the related tasks
+      stat: path={{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }}
+      register: true_cert
+
+  tags: [ 'pki', 'ssl', 'letsencrypt' ]
+  when: letsencrypt_acme_install is defined and letsencrypt_acme_install
+
+- block:
+    - name: When we are going to install letsencrypt acmetool certificates, create a preliminary path and a self signed cert. Now the physical paths
+      file: path={{ item }} mode=0755 state=directory
+      with_items:
+        - '{{ letsencrypt_acme_user_home }}/live'
+        - '{{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert'
+
+    - name: When we are going to install letsencrypt acmetool certificates, create a preliminary path and a self signed cert. Now the physical path for the key file
+      file: path={{ item }} mode=0700 state=directory
+      with_items:
+        - '{{ letsencrypt_acme_user_home }}/keys/fakeselfsignedcert'
+
+    - name: When we are going to install letsencrypt acmetool certificates, create a preliminary path and a self signed cert. Now the certificate and private key
+      command: openssl req -x509 -newkey rsa:2048 -keyout {{ letsencrypt_acme_user_home }}/keys/fakeselfsignedcert/privkey -out {{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/cert -days 365 -nodes -subj '/CN={{ ansible_fqdn }} self signed'
+      args:
+        creates: '{{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/cert'
+
+    - name: When we are going to install letsencrypt acmetool certificates, create a preliminary path and a self signed cert. Now the symbolic links for the private key
+      file: src=../../keys/fakeselfsignedcert/privkey dest={{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/privkey state=link
+
+    - name: When we are going to install letsencrypt acmetool certificates, create a preliminary path and a self signed cert. Now the symbolic links for the chain file
+      file: src=cert dest={{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/chain state=link
+
+    - name: When we are going to install letsencrypt acmetool certificates, create a preliminary path and a self signed cert. Now the symbolic links for the fullchain file
+      file: src=cert dest={{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/fullchain state=link
+
+    - name: When we are going to install letsencrypt acmetool certificates, create a preliminary path and a self signed cert. Now the symbolic links for the certificate if there is not one
+      file: src=../certs/fakeselfsignedcert dest={{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }} state=link
+
+  tags: [ 'pki', 'ssl', 'letsencrypt' ]
+  when:
+    - letsencrypt_acme_install is defined and letsencrypt_acme_install
+    - true_cert is defined
+    - true_cert.stat is defined
+    - true_cert.stat.islnk is not defined
diff --git a/ubuntu-deb-general/tasks/pki-basics.yml b/ubuntu-deb-general/tasks/pki-basics.yml
index 765acb51..b516284c 100644
--- a/ubuntu-deb-general/tasks/pki-basics.yml
+++ b/ubuntu-deb-general/tasks/pki-basics.yml
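Review bot: pki-basics-letsencrypt-acmetool.yml and pki-basics-letsencrypt-acme-sh.yml are line-for-line copies that differ only in the home-directory variable and the install flag, so every future fix to the symlink layout or the `true_cert` conditions has to be applied twice. A single shared task file (name illustrative) pulled in via `- include_tasks: pki-basics-letsencrypt-placeholder.yml` with `vars: { letsencrypt_home: '{{ letsencrypt_acme_user_home }}' }` from each caller would keep the two backends in step. Both files also `register: true_cert`; the second import overwrites the first, which is only harmless because each stat result is consumed by the very next block in the same file — a comment saying so above the first block would stop someone from reordering the imports later.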
@@ -1,90 +1,11 @@ --- -- name: Ensure that the PKI directory exists - file: path={{ pki_dir }} state=directory owner=root group=root mode=0755 +- block: + - name: Ensure that the PKI directory exists + file: path={{ pki_dir }} state=directory owner=root group=root mode=0755 + + - name: Ensure that the PKI subdirectories exist + file: path={{ pki_dir }}/{{ item }} state=directory owner=root group=root mode=0755 + with_items: '{{ pki_subdirs }}' + tags: [ 'pki', 'ssl', 'ca', 'letsencrypt' ] -- name: Ensure that the PKI subdirectories exist - file: path={{ pki_dir }}/{{ item }} state=directory owner=root group=root mode=0755 - with_items: '{{ pki_subdirs }}' - tags: [ 'pki', 'ssl', 'ca', 'letsencrypt' ] - -- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Check if a certificate already exists. If so, skip all the related tasks - stat: path={{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }} - register: true_cert - when: ( letsencrypt_acme_install is defined and letsencrypt_acme_install ) - tags: [ 'pki', 'ssl', 'letsencrypt' ] - -- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the physical paths - file: path={{ item }} mode=0755 state=directory - with_items: - - '{{ letsencrypt_acme_user_home | default(omit) }}/live' - - '{{ letsencrypt_acme_user_home | default(omit) }}/certs/fakeselfsignedcert' - when: - - true_cert is defined - - true_cert.stat is defined - - ( true_cert.stat.islnk is not defined ) and ( letsencrypt_acme_install is defined and letsencrypt_acme_install ) - - letsencrypt_acme_user_home | default(omit) is defined - tags: [ 'pki', 'ssl', 'letsencrypt' ] - -- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. 
Now the physical paths - file: path={{ item }} mode=0700 state=directory - with_items: - - '{{ letsencrypt_acme_user_home | default(omit) }}/keys/fakeselfsignedcert' - when: - - true_cert is defined - - true_cert.stat is defined - - ( true_cert.stat.islnk is not defined ) and ( letsencrypt_acme_install is defined and letsencrypt_acme_install ) - - letsencrypt_acme_user_home | default(omit) is defined - tags: [ 'pki', 'ssl', 'letsencrypt' ] - -- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the certificate and private key - command: openssl req -x509 -newkey rsa:2048 -keyout {{ letsencrypt_acme_user_home | default(omit) }}/keys/fakeselfsignedcert/privkey -out {{ letsencrypt_acme_user_home | default(omit) }}/certs/fakeselfsignedcert/cert -days 365 -nodes -subj '/CN={{ ansible_fqdn }} self signed' - args: - creates: '{{ letsencrypt_acme_user_home | default(omit) }}/certs/fakeselfsignedcert/cert' - when: - - true_cert is defined - - true_cert.stat is defined - - ( true_cert.stat.islnk is not defined ) and ( letsencrypt_acme_install is defined and letsencrypt_acme_install ) - tags: [ 'pki', 'ssl', 'letsencrypt' ] - -- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the symbolic links for the private key - file: src=../../keys/fakeselfsignedcert/privkey dest={{ letsencrypt_acme_user_home | default(omit) }}/certs/fakeselfsignedcert/privkey state=link - when: - - true_cert is defined - - true_cert.stat is defined - - ( true_cert.stat.islnk is not defined ) and ( letsencrypt_acme_install is defined and letsencrypt_acme_install ) - tags: [ 'pki', 'ssl', 'letsencrypt' ] - -- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. 
Now the symbolic links for the chain file - file: src=cert dest={{ letsencrypt_acme_user_home | default(omit) }}/certs/fakeselfsignedcert/chain state=link - when: - - true_cert is defined - - true_cert.stat is defined - - ( true_cert.stat.islnk is not defined ) and ( letsencrypt_acme_install is defined and letsencrypt_acme_install ) - tags: [ 'pki', 'ssl', 'letsencrypt' ] - -- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the symbolic links for the fullchain file - file: src=cert dest={{ letsencrypt_acme_user_home | default(omit) }}/certs/fakeselfsignedcert/fullchain state=link - when: - - true_cert is defined - - true_cert.stat is defined - - ( true_cert.stat.islnk is not defined ) and ( letsencrypt_acme_install is defined and letsencrypt_acme_install ) - tags: [ 'pki', 'ssl', 'letsencrypt' ] - -- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the symbolic links for the certificate if there is not one - file: src=../certs/fakeselfsignedcert dest={{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }} state=link - when: - - true_cert is defined - - true_cert.stat is defined - - ( true_cert.stat.islnk is not defined ) and ( letsencrypt_acme_install is defined and letsencrypt_acme_install ) - tags: [ 'pki', 'ssl', 'letsencrypt' ] - -- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. 
Now handle the haproxy special case - shell: mkdir {{ pki_dir }}/haproxy ; cat {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/privkey {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem - args: - creates: '{{ pki_dir }}/haproxy/haproxy.pem' - when: - - letsencrypt_acme_install is defined and letsencrypt_acme_install - - haproxy_enabled is defined and haproxy_enabled - tags: [ 'pki', 'ssl', 'letsencrypt' ] -
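Review bot: The removed haproxy task at the end of the hunk (`shell: mkdir {{ pki_dir }}/haproxy ; cat .../live/{{ ansible_fqdn }}/privkey .../live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem`) has no counterpart in either new letsencrypt task file, so with `haproxy_enabled` set nothing in this role creates `{{ pki_dir }}/haproxy/haproxy.pem` any more unless a haproxy role takes that over; the commit message mentions only cleanup and acme.sh support, so it is worth confirming the drop is intended. If it is re-added, it should not be a shell `cat`: the old task wrote the private key into a file whose mode depended on the umask, and its `creates:` guard meant the bundle was never refreshed after a renewal. A `file:` task for the directory plus an `assemble`-style task with `mode=0600` on the bundle would cover both points. The new `block:` at the top of the hunk is fine as written.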