From 3365215ceba761cb90f97a93e7ad5270bd3e59d6 Mon Sep 17 00:00:00 2001
From: HgO
Date: Sun, 27 Dec 2020 18:18:17 +0100
Subject: [PATCH] fix self-signed certificates
---
 tasks/main.yml | 5 +---
 tasks/self_signed.yml | 53 ++++++++++-------------------
 tasks/self_signed_domain.yml | 41 ++++++++++++++++++++++++++++
 3 files changed, 57 insertions(+), 42 deletions(-)
 create mode 100644 tasks/self_signed_domain.yml
diff --git a/tasks/main.yml b/tasks/main.yml
index 207ba06..1bf3fa9 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -14,10 +14,7 @@ - acme - name: Install Self-Signed certificates - include_tasks: self_signed.yml - loop: "{{ acme_domains | list }}" - loop_control: - loop_var: domain_name + import_tasks: self_signed.yml when: not acme_enabled tags: - certificate
diff --git a/tasks/self_signed.yml b/tasks/self_signed.yml
index c3b38df..e016791 100644
--- a/tasks/self_signed.yml
+++ b/tasks/self_signed.yml
@@ -14,51 +14,28 @@
 path: "{{ config_dir }}"
 state: directory
 owner: root
- group: "{{ acme_ssl_group }}"
- mode: "711"
+ group: root
+ mode: "755"
 loop:
- - "{{ acme_config_dir }}"
- - "{{ acme_keys_dir }}"
- - "{{ acme_accounts_dir }}"
- - "{{ acme_csr_dir }}"
+ - "{{ acme_config_dir }}"
+ - "{{ acme_certs_dir }}"
+ - "{{ acme_csr_dir }}"
 loop_control:
 loop_var: config_dir
 tags: selfsigned_install
-- name: Create {{ domain_name }} certificates directory
+- name: Create ACME private keys directory
 file:
- path: "{{ acme_certs_dir }}/{{ domain_name }}.d"
+ path: "{{ acme_keys_dir }}"
 state: directory
 owner: root
 group: "{{ acme_ssl_group }}"
- mode: "755"
- tags: selfsigned_install
+ mode: "750"
+ tags: acme_install
-- name: Generate private key for {{ domain_name }} certificate
- openssl_privatekey:
- path: "{{ acme_keys_dir }}/{{ domain_name }}.pem"
- owner: root
- group: "{{ acme_ssl_group }}"
- mode: "640"
- type: RSA
- size: 4096
-
-- name: Generate CSR for {{ domain_name }} certificate
- openssl_csr:
- path: "{{ acme_csr_dir }}/{{ domain_name }}.csr"
- owner: root
- group: "{{ acme_ssl_group }}"
- mode: "644"
- privatekey_path: "{{ acme_keys_dir }}/{{ domain_name }}.pem"
- common_name: "{{ domain_name }}"
-
-- name: Generate self-signed certificate
- openssl_certificate:
- path: "{{ acme_certs_dir }}/{{ domain_name }}.d/cert.pem"
- csr_path: "{{ acme_csr_dir }}/{{ domain_name }}.csr"
- privatekey_path: "{{ acme_keys_dir }}/{{ domain_name }}.pem"
- provider: selfsigned
- state: present
- owner: root
- group: "{{ acme_ssl_group }}"
- mode: "644"
\ No newline at end of file
+- name: Install Self-Signed certificate for each domain
+ include_tasks: self_signed_domain.yml
+ loop: "{{ acme_config.domains }}"
+ loop_control:
+ loop_var: domain
+ label: "{{ domain.name }}"
\ No newline at end of file
diff --git a/tasks/self_signed_domain.yml b/tasks/self_signed_domain.yml
new file mode 100644
index 0000000..21657c4
--- /dev/null
+++ b/tasks/self_signed_domain.yml
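Review bot: The new `Install Self-Signed certificate for each domain` task is a dynamic `include_tasks` with no `tags` of its own and no `apply`, so in a tag-filtered run the per-domain key, CSR and certificate tasks never execute: `--tags selfsigned_config` skips the untagged include itself, and `--tags certificate` (the tag main.yml's `import_tasks` now pushes onto this task) runs the include but not the included tasks, because include_tasks does not pass tags down. Either pass the tags through, e.g. `include_tasks: { file: self_signed_domain.yml, apply: { tags: [certificate, selfsigned_install, selfsigned_config] } }` with a matching `tags:` on the include, or document with a comment that this path must be run untagged. Separately, the `Create ACME private keys directory` task is tagged `acme_install` while every other task in this file uses `selfsigned_install`, so a `--tags selfsigned_install` run would skip creating the directory the keys are later written into; this looks like a copy-paste from the ACME tasks. The tightening of the keys directory to `750` root:`acme_ssl_group` (down from the previous `711`) is the right call. The first task in this hunk starts before line 14 and its header is outside the hunk.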
@@ -0,0 +1,41 @@
+
+- name: Create {{ domain.name }} certificates directory
+ file:
+ path: "{{ acme_certs_dir }}/{{ domain.name }}.d"
+ state: directory
+ owner: root
+ group: root
+ mode: "755"
+ tags: selfsigned_install
+
+- name: Generate private key for {{ domain.name }} certificate
+ openssl_privatekey:
+ path: "{{ acme_keys_dir }}/{{ domain.name }}.key"
+ owner: root
+ group: "{{ acme_ssl_group }}"
+ mode: "640"
+ type: RSA
+ size: 4096
+ tags: selfsigned_config
+
+- name: Generate CSR for {{ domain.name }} certificate
+ openssl_csr:
+ path: "{{ acme_csr_dir }}/{{ domain.name }}.csr"
+ owner: root
+ group: root
+ mode: "644"
+ privatekey_path: "{{ acme_keys_dir }}/{{ domain.name }}.key"
+ common_name: "{{ domain.name }}"
+ subject_alt_name: "{{ domain.alt_names | default([]) | map('regex_replace', '^', 'DNS:') | list }}"
+ tags: selfsigned_config
+
+- name: Generate self-signed certificate
+ openssl_certificate:
+ path: "{{ acme_certs_dir }}/{{ domain.name }}.d/cert.pem"
+ csr_path: "{{ acme_csr_dir }}/{{ domain.name }}.csr"
+ privatekey_path: "{{ acme_keys_dir }}/{{ domain.name }}.key"
+ provider: selfsigned
+ state: present
+ owner: root
+ group: root
+ mode: "644"
\ No newline at end of file
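Review bot: In `Generate CSR for {{ domain.name }} certificate`, `subject_alt_name` is built only from `domain.alt_names`, so as soon as a domain lists any alternative names the primary `domain.name` ends up in the CN but not in the SAN, and current TLS clients (which ignore the CN for hostname matching) will reject the certificate for its own name; when `alt_names` is empty the module's `use_common_name_for_san` default presumably copies the CN into the SAN, so the gap only shows up once alt names are set. Always include the primary name: `subject_alt_name: "{{ ([domain.name] + (domain.alt_names | default([]))) | unique | map('regex_replace', '^', 'DNS:') | list }}"`. The `Generate self-signed certificate` task is also the only one in this file without a `tags:` entry, so a `--tags selfsigned_config` run would produce a fresh key and CSR but leave the old certificate in place; `tags: selfsigned_config` keeps it in step with the key and CSR tasks. Since no `selfsigned_not_after` is set, the certificate lifetime is whatever the provider defaults to, which is worth stating in a comment above the task, e.g. `# placeholder cert until ACME is enabled; validity is the module default`.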