# NOTE: certmonger passes post-save commands (--after-command) straight to exec(); they are not run through a shell.
# Spaces in the script path, quotes and other shell meta-characters will therefore break your hook. The bash wrapper
# written below exists to give the hook a shell; it runs with certmonger's privileges, so treat certificate_hook as trusted code.
---
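# Probe certmonger for an existing tracking request on this certificate path.
# The rest of the file treats rc == 0 as "already tracked" (and then resubmits
# instead of requesting); any other rc is read as "not tracked", never as a
# task failure. The path is shell-quoted like every other argument in this file.
- name: check if certificate is already tracked by certmonger
  command: ipa-getcert list --certfile {{ certificate_path | quote }}
  failed_when: false
  changed_when: false
  register: certmonger_already_tracking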
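# Request (or re-request) the certificate through certmonger. The whole block is
# skipped when the file is already tracked unless certificate_resubmit is set.
# NOTE(review): indentation was lost in the rendered source; the trailing `when`
# is assumed to gate this whole block rather than only the last task — confirm.
- name: retrieve certificate via certmonger
  block:
    # One IPA host entry per SAN.
    - name: create freeipa hosts
      ipahost:
        ipaadmin_principal: '{{ ipa_user }}'
        ipaadmin_password: '{{ ipa_pass }}'
        name: '{{ certificate_san }}'
        state: present
      loop: '{{ certificate_sans }}'
      loop_control:
        loop_var: certificate_san

    # Non-host services get a service principal per SAN; for SANs other than
    # this host's own FQDN the module's `host` argument is set to this host
    # (presumably so it is allowed to manage/request certs for that service).
    - name: create freeipa services
      ipaservice:
        ipaadmin_principal: '{{ ipa_user }}'
        ipaadmin_password: '{{ ipa_pass }}'
        name: '{{ certificate_service }}/{{ certificate_san }}'
        host: '{{ omit if certificate_san == ansible_fqdn else [ansible_fqdn] }}'
      loop: '{{ certificate_sans }}'
      loop_control:
        loop_var: certificate_san
      when: "certificate_service != 'host'"

    - name: prepare post-save hook
      block:
        # certificate_hook is inlined unquoted into a bash script that certmonger
        # runs with its own privileges after every save. It must therefore be
        # trusted operator input, never derived from untrusted data. The script's
        # stdout/stderr are sent to syslog via logger, tagged with its basename.
        - name: create post-save script
          copy:
            content: |
              #!/bin/bash
              exec 1> >(logger -s -t $(basename "$0")) 2>&1
              exec {{ certificate_hook }}
            dest: '{{ certificate_post_save_script }}'
            # Quoted so YAML does not parse it as an octal integer.
            mode: '0555'
            setype: certmonger_unconfined_exec_t

        # Record the file context so a relabel keeps the script executable by
        # certmonger; restorecon below applies it only when the rule changed.
        - name: set certmonger_unconfined_exec_t sefcontext on post-save script
          sefcontext:
            target: '{{ certificate_post_save_script }}'
            state: present
            setype: certmonger_unconfined_exec_t
          tags: selinux
          register: certificate_post_save_script_sefcontext

        - name: apply selinux context to post-save script
          command: restorecon {{ certificate_post_save_script | quote }}
          when: certificate_post_save_script_sefcontext.changed
          tags: selinux
      when: certificate_hook is defined

    # A first request needs the key parameters; a resubmit reuses the tracked
    # key, so those flags are only passed when nothing is tracked yet.
    # --cert-perms and --key-perms both derive from certificate_mode, so it must
    # be restrictive enough for the private key (which gets the same bits).
    # certificate_mode is %o-formatted and therefore expected to be an integer.
    - name: submit certificate request
      # The PIN becomes a command-line argument; without no_log it would appear
      # in verbose play output and in the module-invocation log on the target.
      no_log: '{{ certificate_key_passphrase is defined }}'
      command: >
        ipa-getcert {{ 'resubmit' if certmonger_already_tracking.rc == 0 else 'request' }}
        --certfile {{ certificate_path | quote }}
        {% if certmonger_already_tracking.rc != 0 %}
        --keyfile {{ certificate_key_path | quote }}
        --key-type {{ certificate_type | quote }}
        --key-size {{ certificate_size | quote }}
        {% endif %}
        --principal {{ (certificate_service ~ '/' ~ ansible_fqdn) | quote }}
        --subject-name CN={{ ansible_fqdn | quote }}
        {% for san in certificate_sans %}
        --dns {{ san | quote }}
        {% endfor %}
        --cert-owner {{ certificate_owner | quote }}
        --cert-perms {{ '0%0o' % certificate_mode }}
        --key-owner {{ certificate_owner | quote }}
        --key-perms {{ '0%0o' % certificate_mode }}
        {% if certificate_key_passphrase is defined %}
        --pin {{ certificate_key_passphrase | quote }}
        {% endif %}
        {% if certificate_hook is defined %}
        --after-command {{ certificate_post_save_script | quote }}
        {% endif %}

    # certmonger handles the request asynchronously: poll until status exits 0,
    # giving up after 10 attempts 2 s apart. A read-only probe, so never "changed".
    - name: wait request to complete
      command: ipa-getcert status --certfile {{ certificate_path | quote }}
      register: certmonger_status
      changed_when: false
      retries: 10
      delay: 2
      until: certmonger_status.rc == 0
  when: certmonger_already_tracking.rc != 0 or certificate_resubmit | default(false)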
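# Ensure the certmonger daemon is running now and comes back after a reboot so
# the tracked request keeps being serviced.
- name: enable certmonger daemon
  systemd:
    name: certmonger
    enabled: true
    state: started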