git/bachelor-thesis
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
bachelor-thesis/infrastructure/ansible/roles/mft-create-certificates/tasks/main.yml

203 lines
5.9 KiB
YAML
Raw Blame History

---
# NOTE: There are also ansible modules that help generating certificates
# http://docs.ansible.com/ansible/latest/list_of_crypto_modules.html
#
# but I trust direct calls to openssl more..
- name: Delete local temporary directory for certificate generation
file:
path: "{{ local_sign_dir }}"
state: absent
become: false
delegate_to: localhost
- name: Create local temporary directory for certificate generation
file:
path: "{{ local_sign_dir }}"
state: directory
mode: 0755
become: false
delegate_to: localhost
- name: Remove certificates if they already exist
file:
path: "{{ item }}"
state: absent
become: false
delegate_to: localhost
with_items:
- "{{ cert_key_path.local }}"
- "{{ cert_csr_path }}"
- "{{ cert_single_cert_path }}"
- "{{ cert_cert_path.local }}"
- "{{ cert_pcks12_cert_path.local }}"
- name: Use current_host_config.hostname as common name (CN) in certificate generation
set_fact:
cert_host_fields: "/C={{cert_country}}/ST={{cert_state}}/L={{cert_locality}}/O={{cert_organization}}/OU=sub/CN={{ current_host_config.hostname }}"
when: (current_host_config.contains_setup is not defined or current_host_config.contains_setup is defined) and ("mft-cluster-node" not in current_host_config.contains_setup or "fx-cluster" not in current_host_config.contains_setup)
- name: Use current_host_config.cluster_hostname as common name (CN) in certificate generation if operating as a MFT cluster node
set_fact:
cert_host_fields: "/C={{cert_country}}/ST={{cert_state}}/L={{cert_locality}}/O={{cert_organization}}/OU=sub/CN={{ current_host_config.cluster_hostname }}"
when: current_host_config.contains_setup is defined and ("mft-cluster-node" in current_host_config.contains_setup or "fx-cluster" in current_host_config.contains_setup)
- name: Create local temporary openssl config
template:
src: openssl.cnf.j2
dest: "{{ cert_config_path }}"
become: false
delegate_to: localhost
- name: Generate intermediate CSR
command: >
openssl req
-newkey rsa:{{ cert_key_size }}
-nodes
-keyout {{ cert_inter_key_path }}
-out {{ cert_inter_csr_path }}
-days {{ cert_days_valid }}
-subj "{{ cert_inter_fields }}"
args:
creates: "{{ cert_inter_csr_path }}"
become: false
delegate_to: localhost
- name: Generate intermediate certificate
command: >
openssl x509
-extfile {{ cert_config_path }}
-extensions v3_intermediate_ca
-CA {{ cert_ca_cert_path.local }}
-CAkey {{ cert_ca_key_path }}
-req -in {{ cert_inter_csr_path }}
-out {{ cert_inter_cert_path }}
-days {{ cert_days_valid }}
-CAcreateserial
args:
creates: "{{ cert_inter_cert_path }}"
become: false
delegate_to: localhost
- name: Generate PKCS12 store
command: >
keytool -storetype PKCS12 -noprompt
-storepass {{ cert_pkcs12_pass }}
-importcert -file {{ cert_ca_cert_path.local }}
-alias ca
-keystore {{ cert_truststore_path.local }}
args:
creates: "{{ cert_truststore_path.local }}"
become: false
delegate_to: localhost
- name: Create host key
command: >
openssl req -new
-newkey rsa:{{ cert_key_size }}
-nodes
-out {{ cert_csr_path }}
-keyout {{ cert_key_path.local }}
-days {{ cert_days_valid }}
-subj "{{ cert_host_fields }}"
-config "{{ cert_config_path }}"
-extensions v3_req
args:
creates: "{{ cert_key_path.local }}"
become: false
delegate_to: localhost
- name: Create host certificate
command: >
openssl x509
-CA {{ cert_inter_cert_path }}
-CAkey {{ cert_inter_key_path }}
-req -in {{ cert_csr_path }}
-out {{ cert_single_cert_path }}
-days {{ cert_days_valid }}
-CAcreateserial
-extfile "{{ cert_config_path }}"
-extensions v3_req
args:
creates: "{{ cert_single_cert_path }}"
become: false
delegate_to: localhost
- name: Concat certificate chain
shell: >
cat {{ cert_single_cert_path }}
{{ cert_inter_cert_path }}
{{ cert_ca_cert_path.local }} > {{ cert_cert_path.local }}
args:
creates: "{{ cert_cert_path.local }}"
become: false
delegate_to: localhost
- name: Export host certificate to PCKS12 format
command: >
openssl pkcs12 -export
-inkey {{ cert_key_path.local }}
-in {{ cert_cert_path.local }}
-chain -CAfile {{ cert_cert_path.local }}
-name {{ ansible_hostname }}
-out {{ cert_pcks12_cert_path.local }}
-passout pass:{{ cert_pkcs12_pass }}
-noiter -nomaciter
args:
creates: "{{ cert_pcks12_cert_path.local }}"
become: false
delegate_to: localhost
- name: Copy certificates to host linux
copy:
src: "{{ item.local }}"
dest: "{{ item.remote }}"
owner: "{{ cert_owner }}"
group: "{{ cert_group }}"
mode: 0600
with_items:
- "{{ cert_key_path }}"
- "{{ cert_cert_path }}"
- "{{ cert_pcks12_cert_path }}"
- "{{ cert_ca_cert_path }}"
- "{{ cert_truststore_path }}"
when: ansible_os_family != "Windows" and (fx_version is not defined or fx_version is version('3.0.0', '<'))
become: true
- name: Copy certificates to host linux
copy:
src: "{{ item.local }}"
dest: "{{ item.remote_v3 }}"
owner: "{{ cert_owner }}"
group: "{{ cert_group }}"
mode: 0600
with_items:
- "{{ cert_key_path }}"
- "{{ cert_cert_path }}"
- "{{ cert_pcks12_cert_path }}"
- "{{ cert_ca_cert_path }}"
- "{{ cert_truststore_path }}"
when: fx_version is defined and ansible_os_family != "Windows" and fx_version is version('3.0.0', '>=')
become: true
- name: Copy certificates to host windows
win_copy:
src: "{{ item.local }}"
dest: "{{ item.remote }}"
with_items:
- "{{ cert_key_path }}"
- "{{ cert_cert_path }}"
- "{{ cert_pcks12_cert_path }}"
- "{{ cert_ca_cert_path }}"
- "{{ cert_truststore_path }}"
when: ansible_os_family == "Windows"
ignore_errors: true
- name: Disable selinux
command: setenforce 0
ignore_errors: true
# vim:ft=ansible
Reference in a new issue View git blame Copy permalink