From 04ec142a9f4b5993109a935e476fc11baa6c4517 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Tue, 21 Feb 2017 18:45:00 +0100
Subject: [PATCH] library/roles/java-keyring: Role that adds certificates to a java keystore.
---
 java-keyring/defaults/main.yml | 13 +++++++++++++
 java-keyring/tasks/main.yml | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+)
 create mode 100644 java-keyring/defaults/main.yml
 create mode 100644 java-keyring/tasks/main.yml
diff --git a/java-keyring/defaults/main.yml b/java-keyring/defaults/main.yml
new file mode 100644
index 00000000..c9b4fc59
--- /dev/null
+++ b/java-keyring/defaults/main.yml
@@ -0,0 +1,13 @@
+---
+java_keyring_use_default: True
+java_default_keyring: '{{ jdk_java_home }}/jre/lib/security/cacerts'
+java_keyring_dir: "{{ pki_dir | default('/etc/pki') }}/jdk"
+java_keyring_file: '{{ java_default_keyring }}'
+#java_keyring_file: '{{ java_keyring_dir }}/java.jks'
+java_keytool_bin: '{{ jdk_java_home }}/jre/bin/keytool'
+
+#java_keyring_certs_list: []
+java_keyring_cert_alias: '{{ ansible_fqdn }}'
+java_keyring_pwd: changeit
+java_keyring_letsencrypt_trusted_ca: identrustdstx3
+java_import_letsencrypt_cert: True
diff --git a/java-keyring/tasks/main.yml b/java-keyring/tasks/main.yml
new file mode 100644
index 00000000..06c7100b
--- /dev/null
+++ b/java-keyring/tasks/main.yml
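Review bot: `java_keyring_use_default: True` and `java_import_letsencrypt_cert: True` use capitalised booleans; the canonical YAML form is `true`/`false` (yamllint's truthy rule flags the others), so `java_keyring_use_default: true` and `java_import_letsencrypt_cert: true`. `java_keyring_pwd: changeit` commits the keystore password as a plain role default, and the tasks in this patch also reuse it as `-keypass`/`-password` for imported private keys, so a comment such as `# override from a vaulted variable whenever java_keyring_file is not the stock cacerts store` would make the expectation explicit. `java_keyring_cert_alias` and `java_keytool_bin` are defined here, but the tasks in this patch do not reference either of them.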
@@ -0,0 +1,32 @@
+---
+- block:
+ - name: Create the PKI directory
+ file: dest={{ java_keyring_dir }} state=directory owner=root group=root mode=0755
+
+ when: not java_keyring_use_default
+ tags: java_keyring
+
+- block:
+ - name: Import the certificates
+ shell: keytool -list -keystore {{ java_keyring_file }} -storepass {{ java_keyring_pwd }} -noprompt | grep {{ item.alias }} ; RETVAL=$? ; if [ $RETVAL -ne 0 ] ; then keytool -trustcacerts -keystore {{ java_keyring_file }} -storepass {{ java_keyring_pwd }} -noprompt -importcert -alias {{ item.alias }} -file {{ item.certfile | default(omit) }} ; fi
+ with_items: '{{ java_keyring_certs_list | default([]) }}'
+
+ - name: Import the certificate key
+ shell: keytool -import -alias NOME -keyalg RSA -keystore {{ java_keyring_file }} -dname "CN={{ ansible_fqdn }}" -keypass {{ java_keyring_pwd }} -storepass {{ java_keyring_pwd }} -file {{ item.keyfile }}
+ with_items: '{{ java_keyring_certs_list | default([]) }}'
+
+ when: java_keyring_certs_list is defined
+ tags: java_keyring
+
+- block:
+ - name: Import the Letsencrypt intermediate CA cert
+ shell: keytool -list -keystore {{ java_keyring_file }} -storepass {{ java_keyring_pwd }} -noprompt | grep {{ java_keyring_letsencrypt_trusted_ca }} ; RETVAL=$? ; if [ $RETVAL -ne 0 ] ; then keytool -trustcacerts -keystore {{ java_keyring_file }} -storepass {{ java_keyring_pwd }} -noprompt -importcert -alias {{ java_keyring_letsencrypt_trusted_ca }} -dname "CN={{ ansible_fqdn }}" -file {{ letsencrypt_acme_certs_dir }}/chain ; fi
+
+ - name: Import the letsencrypt certificate
+ shell: keytool -list -keystore {{ java_keyring_file }} -storepass {{ java_keyring_pwd }} -noprompt | grep {{ ansible_fqdn }} ; RETVAL=$? ; if [ $RETVAL -ne 0 ] ; then openssl pkcs12 -export -in {{ letsencrypt_acme_certs_dir }}/cert -inkey {{ letsencrypt_acme_certs_dir }}/privkey -CAfile {{ letsencrypt_acme_certs_dir }}/chain -name "{{ ansible_fqdn }}" -out /var/tmp/{{ ansible_fqdn }}.p12 -password pass:{{ java_keyring_pwd }} ; keytool -importkeystore -srcstorepass {{ java_keyring_pwd }} -deststorepass {{ java_keyring_pwd }} -destkeystore {{ java_keyring_file }} -srckeystore /var/tmp/{{ ansible_fqdn }}.p12 -srcstoretype PKCS12 ; rm -f /var/tmp/{{ ansible_fqdn }}.p12 ; fi
+
+ when:
+ - java_import_letsencrypt_cert
+ - letsencrypt_acme_install is defined and letsencrypt_acme_install
+ tags: java_keyring
+
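Review bot: The "Import the letsencrypt certificate" task writes the PKCS12 bundle, which contains the private key, to `/var/tmp/{{ ansible_fqdn }}.p12` under the default umask, and because the `if` block ends with `rm -f`, the task's exit status is that of `rm`, so a failed `openssl pkcs12` or `keytool -importkeystore` is reported as success. All four shell tasks pass `java_keyring_pwd` on the command line, which puts the keystore password into Ansible's task output (and, for the duration of the command, the process table); `no_log: true` on these tasks keeps it out of the log at least. `grep {{ item.alias }}` and `grep {{ ansible_fqdn }}` are unanchored substring matches, so an alias that is a prefix of one already present skips the import; anchoring on the alias field of `keytool -list` output, e.g. `grep -q "^{{ item.alias }},"`, avoids that. The "Import the certificate key" task hard-codes `-alias NOME` (presumably a placeholder) and its `keytool -import` form is `-importcert`, which does not take a private key, while every task calls bare `keytool` instead of the `java_keytool_bin` defined in defaults. A rewrite of the letsencrypt task as a block scalar with `umask 077`, the conversion status propagated and `no_log` set is sketched below.
```yaml
# … unchanged: "Import the Letsencrypt intermediate CA cert" task …
  - name: Import the letsencrypt certificate
    shell: |
      umask 077
      if ! keytool -list -keystore {{ java_keyring_file }} -storepass {{ java_keyring_pwd }} -noprompt | grep -q "^{{ ansible_fqdn }},"; then
        openssl pkcs12 -export -in {{ letsencrypt_acme_certs_dir }}/cert -inkey {{ letsencrypt_acme_certs_dir }}/privkey -CAfile {{ letsencrypt_acme_certs_dir }}/chain -name "{{ ansible_fqdn }}" -out /var/tmp/{{ ansible_fqdn }}.p12 -password pass:{{ java_keyring_pwd }} \
          && keytool -importkeystore -srcstorepass {{ java_keyring_pwd }} -deststorepass {{ java_keyring_pwd }} -destkeystore {{ java_keyring_file }} -srckeystore /var/tmp/{{ ansible_fqdn }}.p12 -srcstoretype PKCS12
        rc=$?
        rm -f /var/tmp/{{ ansible_fqdn }}.p12
        exit $rc
      fi
    no_log: true
# … unchanged: when/tags of the block …
```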