-
Notifications
You must be signed in to change notification settings - Fork 8
/
certificates.yml
139 lines (124 loc) · 4.28 KB
/
certificates.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
---
# Distribute SSL certificates to each host.
- hosts: local
connection: local
gather_facts: no
tags: certificates
tasks:
- name: remove obsolete certificates on cluster rebuilds
file: path=certificates state=absent
when: fresh_cluster
- name: ensure certificates directory exists
file: path=certificates/ state=directory
- hosts: deconst-all
gather_facts: no
tags: certificates
tasks:
- name: gather existing certificates, if they are already present
fetch: src={{ item.src }} dest={{ item.dest }} flat=yes
with_items:
- src: /etc/ssl/certs/deconst-ca.pem
dest: certificates/ca.pem
- src: /etc/ssl/private/host-cert.pem
dest: certificates/{{ inventory_hostname }}-cert.pem
- src: /etc/ssl/private/host-key.pem
dest: certificates/{{ inventory_hostname }}-key.pem
- src: /etc/deconst/ssl/dhparams.pem
dest: certificates/{{ inventory_hostname }}-dhparams.pem
sudo: yes
- hosts: local
connection: local
gather_facts: no
tags: certificates
tasks:
- name: password file
shell: >
touch certificates/password &&
chmod 600 certificates/password &&
head -c 128 /dev/urandom | base64 > certificates/tmppassword &&
cat certificates/tmppassword > certificates/password &&
cat certificates/tmppassword >> certificates/password &&
rm certificates/tmppassword
creates=certificates/password
- name: generate a private CA
shell: >
echo "01" >> certificates/ca.srl &&
openssl genrsa \
-aes256 \
-passout file:certificates/password \
-out certificates/ca-key.pem 2048 &&
openssl req \
-new -x509 -batch \
-days 365 \
-subj "/" \
-passin file:certificates/password \
-key certificates/ca-key.pem \
-out certificates/ca.pem
creates=certificates/ca.pem
- hosts: deconst-all
tags: certificates
tasks:
- name: generate a host certificate
local_action: |
shell echo "extendedKeyUsage = clientAuth,serverAuth" >> /tmp/ext-{{ inventory_hostname }}.cnf &&
echo "subjectAltName=IP:{{ ansible_eth1.ipv4.address }}" >> /tmp/ext-{{ inventory_hostname }}.cnf &&
openssl genrsa \
-aes256 \
-passout file:certificates/password \
-out certificates/{{ inventory_hostname }}-key.pem 2048 &&
openssl req \
-subj "/CN={{ ansible_eth1.ipv4.address }}/subjectAltName=IP:{{ ansible_eth1.ipv4.address }}" \
-new \
-batch \
-passin file:certificates/password \
-key certificates/{{ inventory_hostname }}-key.pem \
-passout file:certificates/password \
-out certificates/{{ inventory_hostname }}-req.csr &&
openssl x509 -req \
-days 365 \
-passin file:certificates/password \
-in certificates/{{ inventory_hostname }}-req.csr \
-CA certificates/ca.pem \
-CAkey certificates/ca-key.pem \
-CAserial certificates/ca.srl \
-extfile /tmp/ext-{{ inventory_hostname }}.cnf \
-out certificates/{{ inventory_hostname }}-cert.pem &&
openssl rsa \
-passin file:certificates/password \
-in certificates/{{ inventory_hostname }}-key.pem \
-out certificates/{{ inventory_hostname }}-key.pem
creates=certificates/{{ inventory_hostname }}-cert.pem
- name: generate strong DH parameters
local_action: |
shell openssl dhparam -out certificates/{{ inventory_hostname }}-dhparams.pem 2048
creates=certificates/{{ inventory_hostname }}-dhparams.pem
- name: install the CA certificate
copy:
src: certificates/ca.pem
dest: /etc/ssl/certs/deconst-ca.pem
mode: 0644
sudo: yes
- name: install the host certificate
copy:
src: certificates/{{ inventory_hostname }}-cert.pem
dest: /etc/ssl/private/host-cert.pem
mode: 0644
owner: root
group: root
sudo: yes
- name: install the host private key
copy:
src: certificates/{{ inventory_hostname }}-key.pem
dest: /etc/ssl/private/host-key.pem
mode: 0644
owner: root
group: root
sudo: yes
- name: install the DH parameters
copy:
src: certificates/{{ inventory_hostname }}-dhparams.pem
dest: /etc/deconst/ssl/dhparams.pem
mode: 0644
owner: root
group: root
sudo: yes