fix self-signed certificates

2020-12-27 18:18:17 +01:00 · 2020-12-27 18:18:17 +01:00 · 3365215ceb
commit 3365215ceb
parent 7f7079db9e
3 changed files with 57 additions and 42 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -14,10 +14,7 @@
    - acme

 - name: Install Self-Signed certificates
-  include_tasks: self_signed.yml
-  loop: "{{ acme_domains | list }}"
-  loop_control:
-    loop_var: domain_name
+  import_tasks: self_signed.yml
  when: not acme_enabled
  tags:
    - certificate
--- a/tasks/self_signed.yml
+++ b/tasks/self_signed.yml
@ -14,51 +14,28 @@
    path: "{{ config_dir }}"
    state: directory
    owner: root
-    group: "{{ acme_ssl_group }}"
-    mode: "711"
+    group: root
+    mode: "755"
  loop:
    - "{{ acme_config_dir }}"
-  - "{{ acme_keys_dir }}"
-  - "{{ acme_accounts_dir }}"
+    - "{{ acme_certs_dir }}"
    - "{{ acme_csr_dir }}"
  loop_control:
    loop_var: config_dir
  tags: selfsigned_install

- name: Create {{ domain_name }} certificates directory
+- name: Create ACME private keys directory
  file:
-    path: "{{ acme_certs_dir }}/{{ domain_name }}.d"
+    path: "{{ acme_keys_dir }}"
    state: directory
    owner: root
    group: "{{ acme_ssl_group }}"
-    mode: "755"
-  tags: selfsigned_install
+    mode: "750"
+  tags: acme_install

- name: Generate private key for {{ domain_name }} certificate
-  openssl_privatekey:
-    path: "{{ acme_keys_dir }}/{{ domain_name }}.pem"
-    owner: root
-    group: "{{ acme_ssl_group }}"
-    mode: "640"
-    type: RSA
-    size: 4096
-
- name: Generate CSR for {{ domain_name }} certificate
-  openssl_csr:
-    path: "{{ acme_csr_dir }}/{{ domain_name }}.csr"
-    owner: root
-    group: "{{ acme_ssl_group }}"
-    mode: "644"
-    privatekey_path: "{{ acme_keys_dir }}/{{ domain_name }}.pem"
-    common_name: "{{ domain_name }}"
-
- name: Generate self-signed certificate
-  openssl_certificate:
-    path: "{{ acme_certs_dir }}/{{ domain_name }}.d/cert.pem" 
-    csr_path: "{{ acme_csr_dir }}/{{ domain_name }}.csr"
-    privatekey_path: "{{ acme_keys_dir }}/{{ domain_name }}.pem"
-    provider: selfsigned 
-    state: present
-    owner: root 
-    group: "{{ acme_ssl_group }}" 
-    mode: "644"
+- name: Install Self-Signed certificate for each domain
+  include_tasks: self_signed_domain.yml
+  loop: "{{ acme_config.domains }}"
+  loop_control:
+    loop_var: domain
+    label: "{{ domain.name }}"
--- a/tasks/self_signed_domain.yml
+++ b/tasks/self_signed_domain.yml
@ -0,0 +1,41 @@
+
+- name: Create {{ domain.name }} certificates directory
+  file:
+    path: "{{ acme_certs_dir }}/{{ domain.name }}.d"
+    state: directory
+    owner: root
+    group: root
+    mode: "755"
+  tags: selfsigned_install
+
+- name: Generate private key for {{ domain.name }} certificate
+  openssl_privatekey:
+    path: "{{ acme_keys_dir }}/{{ domain.name }}.key"
+    owner: root
+    group: "{{ acme_ssl_group }}"
+    mode: "640"
+    type: RSA
+    size: 4096
+  tags: selfsigned_config
+
+- name: Generate CSR for {{ domain.name }} certificate
+  openssl_csr:
+    path: "{{ acme_csr_dir }}/{{ domain.name }}.csr"
+    owner: root
+    group: root
+    mode: "644"
+    privatekey_path: "{{ acme_keys_dir }}/{{ domain.name }}.key"
+    common_name: "{{ domain.name }}"
+    subject_alt_name: "{{ domain.alt_names | default([]) | map('regex_replace', '^', 'DNS:') | list }}"
+  tags: selfsigned_config
+
+- name: Generate self-signed certificate
+  openssl_certificate:
+    path: "{{ acme_certs_dir }}/{{ domain.name }}.d/cert.pem" 
+    csr_path: "{{ acme_csr_dir }}/{{ domain.name }}.csr"
+    privatekey_path: "{{ acme_keys_dir }}/{{ domain.name }}.key"
+    provider: selfsigned 
+    state: present
+    owner: root 
+    group: root
+    mode: "644"