From ec297a7dd34b87e871a547f9309159edbf938204 Mon Sep 17 00:00:00 2001
From: Jean-Marie Mineau
Date: Sun, 19 Sep 2021 21:40:09 +0200
Subject: [PATCH 01/10] factorize the `when` condition
---
roles/generate-cert/tasks/main.yml | 232 ++++++++++++++---------------
1 file changed, 111 insertions(+), 121 deletions(-)
diff --git a/roles/generate-cert/tasks/main.yml b/roles/generate-cert/tasks/main.yml
index 9afa09a..b4c583f 100644
--- a/roles/generate-cert/tasks/main.yml
+++ b/roles/generate-cert/tasks/main.yml
@@ -22,125 +22,115 @@ register: validity when: cert_file.stat.exists -# TODO: Use a block to have only one `when` -- name: Generate private key - become: false - openssl_privatekey: - path: "/tmp/ansible_hacky_pki_{{ cname }}.key" - mode: u=rw,g=,o= - size: "{{ key_size | default(omit) }}" - delegate_to: localhost +- name: Generate the certificate + block: + - name: Generate private key + become: false + openssl_privatekey: + path: "/tmp/ansible_hacky_pki_{{ cname }}.key" + mode: u=rw,g=,o= + size: "{{ key_size | default(omit) }}" + delegate_to: localhost + + # TODO: add a revocation methode, most probably crl, with crl_distribution_points + - name: Generate a Certificate Signing Request + become: false + openssl_csr: + path: "/tmp/ansible_hacky_pki_{{ cname }}.csr" + privatekey_path: "/tmp/ansible_hacky_pki_{{ cname }}.key" + common_name: "{{ cname }}" + country_name: "{{ country_name | default(omit) }}" + locality_name: "{{ locality_name | default(omit) }}" + state_or_province_name: "{{ state_or_province_name | default(omit) }}" + organization_name: "{{ organization_name | default(omit) }}" + organizational_unit_name: "{{ organizational_unit_name | default(omit) }}" + email_address: "{{ email_address | default(omit) }}" + basic_constraints: + - CA:FALSE # syntax? 
+ basic_constraints_critical: yes + key_usage: "{{ key_usage }}" + key_usage_critical: yes + subject_alt_name: "{{ subject_alt_name | default(omit) }}" + delegate_to: localhost + + - name: Put the CA in a file + become: false + copy: + content: "{{ ca_cert }}" + dest: "/tmp/ansible_hacky_pki_ca.crt" + delegate_to: localhost + + - name: Put the CA key in a file + become: false + copy: + content: "{{ ca_key }}" + dest: "/tmp/ansible_hacky_pki_ca.key" + mode: u=rw,g=,o= + delegate_to: localhost + no_log: yes + + - name: Sign the certificate + become: false + openssl_certificate: + path: "/tmp/ansible_hacky_pki_{{ cname }}.crt" + csr_path: "/tmp/ansible_hacky_pki_{{ cname }}.csr" + ownca_not_after: "{{ validity_duration }}" + ownca_path: /tmp/ansible_hacky_pki_ca.crt + ownca_privatekey_passphrase: "{{ ca_passphrase }}" + ownca_privatekey_path: /tmp/ansible_hacky_pki_ca.key + provider: ownca + delegate_to: localhost + + - name: Send private key to the server + copy: + src: "/tmp/ansible_hacky_pki_{{ cname }}.key" + dest: "{{ directory }}/{{ cname }}.key" + owner: "{{ owner | default('root') }}" + group: "{{ group | default('root') }}" + mode: "{{ key_mode | default('u=rw,g=,o=') }}" + no_log: yes + + - name: Send certificate to the server + copy: + src: "/tmp/ansible_hacky_pki_{{ cname }}.crt" + dest: "{{ directory }}/{{ cname }}.crt" + owner: "{{ owner | default('root') }}" + group: "{{ group | default('root') }}" + mode: "{{ key_mode | default('u=rw,g=r,o=r') }}" + + # Clean up + - name: Remove the local cert key + become: false + file: + path: "/tmp/ansible_hacky_pki_{{ cname }}.key" + state: absent + delegate_to: localhost + + - name: Remove the CSR + become: false + file: + path: "/tmp/ansible_hacky_pki_{{ cname }}.csr" + state: absent + delegate_to: localhost + + - name: Remove the local certificate + become: false + file: + path: "/tmp/ansible_hacky_pki_{{ cname }}.crt" + state: absent + delegate_to: localhost + + - name: Remove the CA certificate + become: false 
+ file: + path: /tmp/ansible_hacky_pki_ca.crt + state: absent + delegate_to: localhost + + - name: Remove the CA key + become: false + file: + path: /tmp/ansible_hacky_pki_ca.key + state: absent + delegate_to: localhost when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -# TODO: add a revocation methode, most probably crl, with crl_distribution_points -- name: Generate a Certificate Signing Request - become: false - openssl_csr: - path: "/tmp/ansible_hacky_pki_{{ cname }}.csr" - privatekey_path: "/tmp/ansible_hacky_pki_{{ cname }}.key" - common_name: "{{ cname }}" - country_name: "{{ country_name | default(omit) }}" - locality_name: "{{ locality_name | default(omit) }}" - state_or_province_name: "{{ state_or_province_name | default(omit) }}" - organization_name: "{{ organization_name | default(omit) }}" - organizational_unit_name: "{{ organizational_unit_name | default(omit) }}" - email_address: "{{ email_address | default(omit) }}" - basic_constraints: - - CA:FALSE # syntax? 
- basic_constraints_critical: yes - key_usage: "{{ key_usage }}" - key_usage_critical: yes - subject_alt_name: "{{ subject_alt_name | default(omit) }}" - delegate_to: localhost - when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -- name: Put the CA in a file - become: false - copy: - content: "{{ ca_cert }}" - dest: "/tmp/ansible_hacky_pki_ca.crt" - delegate_to: localhost - when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -- name: Put the CA key in a file - become: false - copy: - content: "{{ ca_key }}" - dest: "/tmp/ansible_hacky_pki_ca.key" - mode: u=rw,g=,o= - delegate_to: localhost - no_log: yes - when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -- name: Sign the certificate - become: false - openssl_certificate: - path: "/tmp/ansible_hacky_pki_{{ cname }}.crt" - csr_path: "/tmp/ansible_hacky_pki_{{ cname }}.csr" - ownca_not_after: "{{ validity_duration }}" - ownca_path: /tmp/ansible_hacky_pki_ca.crt - ownca_privatekey_passphrase: "{{ ca_passphrase }}" - ownca_privatekey_path: /tmp/ansible_hacky_pki_ca.key - provider: ownca - delegate_to: localhost - when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -- name: Send private key to the server - copy: - src: "/tmp/ansible_hacky_pki_{{ cname }}.key" - dest: "{{ directory }}/{{ cname }}.key" - owner: "{{ owner | default('root') }}" - group: "{{ group | default('root') }}" - mode: "{{ key_mode | default('u=rw,g=,o=') }}" - no_log: yes - when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -- name: Send certificate to the server - copy: - src: "/tmp/ansible_hacky_pki_{{ cname }}.crt" - dest: "{{ directory }}/{{ cname }}.crt" - owner: "{{ owner | default('root') }}" - group: "{{ group | 
default('root') }}" - mode: "{{ key_mode | default('u=rw,g=r,o=r') }}" - when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -# Clean up -- name: Remove the local cert key - become: false - file: - path: "/tmp/ansible_hacky_pki_{{ cname }}.key" - state: absent - delegate_to: localhost - when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -- name: Remove the CSR - become: false - file: - path: "/tmp/ansible_hacky_pki_{{ cname }}.csr" - state: absent - delegate_to: localhost - when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -- name: Remove the local certificate - become: false - file: - path: "/tmp/ansible_hacky_pki_{{ cname }}.crt" - state: absent - delegate_to: localhost - when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -- name: Remove the CA certificate - become: false - file: - path: /tmp/ansible_hacky_pki_ca.crt - state: absent - delegate_to: localhost - when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -- name: Remove the CA key - become: false - file: - path: /tmp/ansible_hacky_pki_ca.key - state: absent - delegate_to: localhost - when: not key_file.stat.exists From b41a2b1bc242060ffc42bac7dd60617f99856755 Mon Sep 17 00:00:00 2001 From: Jean-Marie Mineau Date: Sun, 19 Sep 2021 22:42:31 +0200 Subject: [PATCH 02/10] add crl endpoint support --- README.md | 18 ++++++++++++++++++ group_vars/all.yml | 11 +++++++++++ roles/generate-cert/tasks/main.yml | 2 +- 3 files changed, 30 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index e31562a..417b5d6 100644 --- a/README.md +++ b/README.md 
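Review bot: The five `# Clean up` tasks are the last entries of `block:`, so they run only if every task before them succeeds; a failure in `Sign the certificate` or in either `copy` to the remote leaves `/tmp/ansible_hacky_pki_ca.key` and the freshly generated leaf key sitting on the controller until a later run happens to succeed. Moving those five tasks under an `always:` section of the same block (the block-level `when:` is inherited by `always` tasks, so the skip semantics are unchanged) guarantees the temporary key material is removed on the failure path as well. The fixed `/tmp/ansible_hacky_pki_*` names are also shared by concurrent runs of the role on one controller, so a per-run directory from `ansible.builtin.tempfile` would be the more robust layout, though that is a larger change. The old `Remove the CA key` task was gated only on `not key_file.stat.exists`, so the unified condition here also closes a case where the CA key copy survived a renewal.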
@@ -60,3 +60,21 @@ Then, don't forget to remode the file `ca.key`. ## How does it works ? The role check if the certificate already exist and is valid. If not, it will generate **on the localhost** the certificates and then copy them to the remote host and delate the local version. + +## Add a CRL endpoint + +If you use a CRL to revocate your certifiates, you can add the variable `crl_distribution_points` to describe the CRL endpoint(s). CF https://docs.ansible.com/ansible/latest/collections/community/crypto/openssl_csr_module.html for more information about `crl_distribution_points`. + +``` +crl_distribution_points: + - full_name: "URI:https://ca.example.com/revocations.crl" + reasons: + - key_compromise + - ca_compromise + - affiliation_changed + - superseded + - cessation_of_operation + - certificate_hold + - privilege_withdrawn + - aa_compromise +``` diff --git a/group_vars/all.yml b/group_vars/all.yml index c31f01c..b1752c5 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -1,4 +1,15 @@ --- +crl_distribution_points: + - full_name: "URI:https://ca.example.com/revocations.crl" + reasons: + - key_compromise + - ca_compromise + - affiliation_changed + - superseded + - cessation_of_operation + - certificate_hold + - privilege_withdrawn + - aa_compromise ca_cert: | -----BEGIN CERTIFICATE----- MIIF7TCCA9WgAwIBAgIURKS2ggzKV0XKM6IdSqPjDvsr9AowDQYJKoZIhvcNAQEL diff --git a/roles/generate-cert/tasks/main.yml b/roles/generate-cert/tasks/main.yml index b4c583f..8850257 100644 --- a/roles/generate-cert/tasks/main.yml +++ b/roles/generate-cert/tasks/main.yml @@ -32,7 +32,6 @@ size: "{{ key_size | default(omit) }}" delegate_to: localhost - # TODO: add a revocation methode, most probably crl, with crl_distribution_points - name: Generate a Certificate Signing Request become: false openssl_csr: 
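Review bot: Putting the `crl_distribution_points` example with `URI:https://ca.example.com/revocations.crl` into `group_vars/all.yml` makes it the value for every host, so by default every certificate the role issues carries a CRL Distribution Point aimed at a non-existent `example.com` endpoint, and clients configured to hard-fail on CRL fetch errors will reject otherwise valid certificates. Because the CSR task consumes it as `crl_distribution_points | default(omit)`, the safe default is to not define the variable here at all and keep the example in the README, e.g. replace the whole block with `# crl_distribution_points: see README; set it only once a CRL is really published at that URI`. Enumerating every `reasons` value also makes the distribution point reason-scoped, which RFC 5280 recommends against; if the CRL covers all revocations, dropping `reasons` entirely is the simpler encoding.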
@@ -51,6 +50,7 @@ key_usage: "{{ key_usage }}" key_usage_critical: yes subject_alt_name: "{{ subject_alt_name | default(omit) }}" + crl_distribution_points: "{{ crl_distribution_points | default(omit) }}" delegate_to: localhost - name: Put the CA in a file From be23d7a4987a946f563e77325b2024e66b0bc3c7 Mon Sep 17 00:00:00 2001 From: Jean-Marie Mineau Date: Sun, 19 Sep 2021 23:07:37 +0200 Subject: [PATCH 03/10] copyright and stuff --- README.md | 21 ++++- roles/generate-cert/LICENSE | 167 ++++++++++++++++++++++++++++++++++ roles/generate-cert/README.md | 9 ++ 3 files changed, 194 insertions(+), 3 deletions(-) create mode 100644 roles/generate-cert/LICENSE create mode 100644 roles/generate-cert/README.md diff --git a/README.md b/README.md index 417b5d6..b88cc26 100644 --- a/README.md +++ b/README.md 
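Review bot: The new `crl_distribution_points` line only embeds a pointer: nothing in the role signs, publishes or refreshes a CRL at that URI, so a reader of the CSR task may assume revocation works as soon as the variable is set. A comment above the line would make the contract explicit: `# Only the CDP extension is embedded; the CRL itself must be generated (e.g. community.crypto.x509_crl) and served at this URI out of band.` The enclosing `openssl_csr` task starts above this hunk.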
@@ -2,14 +2,27 @@ Ansible Hacky PKI is an ansible role that generate certificates signed by a given CA. -The Public Certificate of the CA and its Private Key are ansible variables. Make sure to store the private key in a Vault and to not rease the CA used in example. +## Warning + +You can use it to generate certificate and manage de small pki, but keep it mind that this program is distributed **WITHOUT ANY WARRANTY**. +In particular, the **security** of the pki generated and the process of generated the pki **is not guaranteed**. If you find any vulnerability, +please contact me to see if we can find a patch. + ## Dependencies You need to have the `cryptography` python library available on the localhost and on the remote hosts. +## How to use it + +Copy the roles of the repo in the role folder of your ansible projet. Define in you projet the variables you want/need to modify (cf the section Generate a CA). + +After that you can use the role in your playbooks, as shown in the example playbook. + ## Generate a CA +The Public Certificate of the CA and its Private Key are ansible variables. Make sure to store the private key in a Vault and to not rease the CA used in example. + ### Generate a key ``` @@ -55,8 +68,6 @@ ca_cert: | Then, don't forget to remode the file `ca.key`. - - ## How does it works ? The role check if the certificate already exist and is valid. If not, it will generate **on the localhost** the certificates and then copy them to the remote host and delate the local version. @@ -78,3 +89,7 @@ crl_distribution_points: - privilege_withdrawn - aa_compromise ``` + +## Copyright + +Copyright 2021 Jean-Marie Mineau diff --git a/roles/generate-cert/LICENSE b/roles/generate-cert/LICENSE new file mode 100644 index 0000000..f234cd5 --- /dev/null +++ b/roles/generate-cert/LICENSE 
@@ -0,0 +1,167 @@ + GNU LESSER GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + + This version of the GNU Lesser General Public License incorporates +the terms and conditions of version 3 of the GNU General Public +License, supplemented by the additional permissions listed below. + + 0. Additional Definitions. + + As used herein, "this License" refers to version 3 of the GNU Lesser +General Public License, and the "GNU GPL" refers to version 3 of the GNU +General Public License. + + "The Library" refers to a covered work governed by this License, +other than an Application or a Combined Work as defined below. + + An "Application" is any work that makes use of an interface provided +by the Library, but which is not otherwise based on the Library. +Defining a subclass of a class defined by the Library is deemed a mode +of using an interface provided by the Library. + + A "Combined Work" is a work produced by combining or linking an +Application with the Library. The particular version of the Library +with which the Combined Work was made is also called the "Linked +Version". + + The "Minimal Corresponding Source" for a Combined Work means the +Corresponding Source for the Combined Work, excluding any source code +for portions of the Combined Work that, considered in isolation, are +based on the Application, and not on the Linked Version. + + The "Corresponding Application Code" for a Combined Work means the +object code and/or source code for the Application, including any data +and utility programs needed for reproducing the Combined Work from the +Application, but excluding the System Libraries of the Combined Work. + + 1. Exception to Section 3 of the GNU GPL. + + You may convey a covered work under sections 3 and 4 of this License +without being bound by section 3 of the GNU GPL. 
+ + 2. Conveying Modified Versions. + + If you modify a copy of the Library, and, in your modifications, a +facility refers to a function or data to be supplied by an Application +that uses the facility (other than as an argument passed when the +facility is invoked), then you may convey a copy of the modified +version: + + a) under this License, provided that you make a good faith effort to + ensure that, in the event an Application does not supply the + function or data, the facility still operates, and performs + whatever part of its purpose remains meaningful, or + + b) under the GNU GPL, with none of the additional permissions of + this License applicable to that copy. + + 3. Object Code Incorporating Material from Library Header Files. + + The object code form of an Application may incorporate material from +a header file that is part of the Library. You may convey such object +code under terms of your choice, provided that, if the incorporated +material is not limited to numerical parameters, data structure +layouts and accessors, or small macros, inline functions and templates +(ten or fewer lines in length), you do both of the following: + + a) Give prominent notice with each copy of the object code that the + Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the object code with a copy of the GNU GPL and this license + document. + + 4. Combined Works. + + You may convey a Combined Work under terms of your choice that, +taken together, effectively do not restrict modification of the +portions of the Library contained in the Combined Work and reverse +engineering for debugging such modifications, if you also do each of +the following: + + a) Give prominent notice with each copy of the Combined Work that + the Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the Combined Work with a copy of the GNU GPL and this license + document. 
+ + c) For a Combined Work that displays copyright notices during + execution, include the copyright notice for the Library among + these notices, as well as a reference directing the user to the + copies of the GNU GPL and this license document. + + d) Do one of the following: + + 0) Convey the Minimal Corresponding Source under the terms of this + License, and the Corresponding Application Code in a form + suitable for, and under terms that permit, the user to + recombine or relink the Application with a modified version of + the Linked Version to produce a modified Combined Work, in the + manner specified by section 6 of the GNU GPL for conveying + Corresponding Source. + + 1) Use a suitable shared library mechanism for linking with the + Library. A suitable mechanism is one that (a) uses at run time + a copy of the Library already present on the user's computer + system, and (b) will operate properly with a modified version + of the Library that is interface-compatible with the Linked + Version. + + e) Provide Installation Information, but only if you would otherwise + be required to provide such information under section 6 of the + GNU GPL, and only to the extent that such information is + necessary to install and execute a modified version of the + Combined Work produced by recombining or relinking the + Application with a modified version of the Linked Version. (If + you use option 4d0, the Installation Information must accompany + the Minimal Corresponding Source and Corresponding Application + Code. If you use option 4d1, you must provide the Installation + Information in the manner specified by section 6 of the GNU GPL + for conveying Corresponding Source.) + + 5. Combined Libraries. 
+ + You may place library facilities that are a work based on the +Library side by side in a single library together with other library +facilities that are not Applications and are not covered by this +License, and convey such a combined library under terms of your +choice, if you do both of the following: + + a) Accompany the combined library with a copy of the same work based + on the Library, uncombined with any other library facilities, + conveyed under the terms of this License. + + b) Give prominent notice with the combined library that part of it + is a work based on the Library, and explaining where to find the + accompanying uncombined form of the same work. + + 6. Revised Versions of the GNU Lesser General Public License. + + The Free Software Foundation may publish revised and/or new versions +of the GNU Lesser General Public License from time to time. Such new +versions will be similar in spirit to the present version, but may +differ in detail to address new problems or concerns. + + Each version is given a distinguishing version number. If the +Library as you received it specifies that a certain numbered version +of the GNU Lesser General Public License "or any later version" +applies to it, you have the option of following the terms and +conditions either of that published version or of any later version +published by the Free Software Foundation. If the Library as you +received it does not specify a version number of the GNU Lesser +General Public License, you may choose any version of the GNU Lesser +General Public License ever published by the Free Software Foundation. + + If the Library as you received it specifies that a proxy can decide +whether future versions of the GNU Lesser General Public License shall +apply, that proxy's public statement of acceptance of any version is +permanent authorization for you to choose that version for the +Library. + + 
diff --git a/roles/generate-cert/README.md b/roles/generate-cert/README.md new file mode 100644 index 0000000..ce5aeca --- /dev/null +++ b/roles/generate-cert/README.md @@ -0,0 +1,9 @@ +# generate-cert + +This role is part of the project [Ansible Hacky PKI](https://gitea.auro.re/histausse/ansible_hacky_pki) licenced under the LGPL 3. + +You can use it to generate certificate and manage de small pki, but keep it mind that this program is distributed **WITHOUT ANY WARRANTY**. +In particular, the **security** of the pki generated and the process of generated the pki **is not guaranteed**. If you find any vulnerability, +please contact me to see if we can find a patch. + +Copyright 2021 Jean-Marie Mineau From c0aa30a9a98bb610a14dbaa670c5169e9b665ea6 Mon Sep 17 00:00:00 2001 From: Jean-Marie Mineau Date: Mon, 20 Sep 2021 14:11:58 +0200 Subject: [PATCH 04/10] add an example for copying the CA cert --- example.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/example.yml b/example.yml index 6eea405..dddc126 100644 --- a/example.yml +++ b/example.yml @@ -6,3 +6,10 @@ vars: directory: /etc/nginx/certs/ cname: example.com + +- hosts: all + tasks: Copy the CA certificate to remote host, for mutual SSL auth for instance + - name: + copy: + content: "{{ ca_cert }}" + dest: /etc/nginx/certs/ca.crt From 1e4d8a0426a6198d65308285dd7a4177225f21da Mon Sep 17 00:00:00 2001 From: Jean-Marie Mineau Date: Thu, 14 Oct 2021 23:08:06 +0200 Subject: [PATCH 05/10] store certs and keys in a store directory and use links [UNTESTED] --- roles/generate-cert/defaults/main.yml | 1 + roles/generate-cert/tasks/main.yml | 39 +++++++++++++++++++++++---- 2 files changed, 35 insertions(+), 5 deletions(-) diff --git a/roles/generate-cert/defaults/main.yml b/roles/generate-cert/defaults/main.yml index db793c5..b104186 100644 --- a/roles/generate-cert/defaults/main.yml +++ b/roles/generate-cert/defaults/main.yml 
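Review bot: The play added to `example.yml` does not parse as Ansible: `tasks:` is given the scalar `Copy the CA certificate to remote host, ...` and the task below it has an empty `name:`, so the list item is not attached to `tasks` and the play fails at load time. The two values are swapped; it should read `tasks:` followed by `- name: Copy the CA certificate to the remote host (e.g. for mutual TLS auth)`. The CA certificate is public, but as the trust anchor the `copy` should still pin `owner: root`, `group: root` and `mode: u=rw,g=r,o=r` rather than inherit whatever the connecting user's umask yields.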
@@ -5,3 +5,4 @@ key_usage: validity_duration: "+365d" time_before_expiration_for_renewal: "+30d" # need a better name force_renewal: no +store_directory: /etc/hackypky diff --git a/roles/generate-cert/tasks/main.yml b/roles/generate-cert/tasks/main.yml index 8850257..afd91c7 100644 --- a/roles/generate-cert/tasks/main.yml +++ b/roles/generate-cert/tasks/main.yml @@ -1,4 +1,16 @@ --- +- name: Ensure the directories used to store certs exist + file: + path: "{{ item }}" + state: directory + group: root + owner: root + mode: u=rwx,g=rx,o=rx + loop: + - "{{ store_directory }}" + - "{{ store_directory }}/crts" + - "{{ store_directory }}/keys" + - name: Ensure the directory containing the cert exist file: path: "{{ directory }}" @@ -6,17 +18,17 @@ - name: Test if the key already exist stat: - path: "{{ directory }}/{{ cname }}.key" + path: "{{ store_directory}}/keys/{{ cname }}.key" register: key_file - name: Test if the cert already exist stat: - path: "{{ directory }}/{{ cname }}.crt" + path: "{{ store_directory}}/crts/{{ cname }}.crt" register: cert_file - name: Test if we need to renew the certificate openssl_certificate_info: - path: "{{ directory }}/{{ cname }}.crt" + path: "{{ store_directory }}/crts/{{ cname }}.crt" valid_at: renewal: "{{ time_before_expiration_for_renewal }}" register: validity @@ -84,7 +96,7 @@ - name: Send private key to the server copy: src: "/tmp/ansible_hacky_pki_{{ cname }}.key" - dest: "{{ directory }}/{{ cname }}.key" + dest: "{{ store_directory }}/keys/{{ cname }}.key" owner: "{{ owner | default('root') }}" group: "{{ group | default('root') }}" mode: "{{ key_mode | default('u=rw,g=,o=') }}" @@ -93,7 +105,7 @@ - name: Send certificate to the server copy: src: "/tmp/ansible_hacky_pki_{{ cname }}.crt" - dest: "{{ directory }}/{{ cname }}.crt" + dest: "{{ store_directory }}/crts/{{ cname }}.crt" owner: "{{ owner | default('root') }}" group: "{{ group | default('root') }}" mode: "{{ key_mode | default('u=rw,g=r,o=r') }}" 
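Review bot: `store_directory: /etc/hackypky` looks like a typo for `hackypki` (the project is "hacky pki"); since this path becomes the on-disk root for every key and certificate, renaming it later means migrating every host, so it is worth settling now, `store_directory: /etc/hackypki`.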
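Review bot: All three directories, including `{{ store_directory }}/keys`, are created `root:root` with `u=rwx,g=rx,o=rx`; the key files themselves are written `u=rw,g=,o=` so their contents are not exposed, but the keys directory is world-listable, so any local user can enumerate which hosts have private keys and when they were last rotated. If the account that reads the key through the symlink is always `{{ owner }}`/`{{ group }}`, the `keys` directory could be group-owned by it and traversable only (no listing) for the group and closed to others; that depends on how `owner`/`group` are set across hosts, so it needs confirming before changing. One way to express it without a second task is to carry group and mode in the loop items.

```yaml
- name: Ensure the directories used to store certs exist
  file:
    path: "{{ item.path }}"
    state: directory
    owner: root
    group: "{{ item.group }}"
    mode: "{{ item.mode }}"
  loop:
    - path: "{{ store_directory }}"
      group: root
      mode: u=rwx,g=rx,o=rx
    - path: "{{ store_directory }}/crts"
      group: root
      mode: u=rwx,g=rx,o=rx
    - path: "{{ store_directory }}/keys"
      group: "{{ group | default('root') }}"
      mode: u=rwx,g=x,o=
# … unchanged: the `directory` task and the stat checks below …
```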
@@ -134,3 +146,20 @@ state: absent delegate_to: localhost when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) + +- name: Create the link to cert + file: + src: "{{ store_directory }}/crts/{{ cname }}.crt" + dest: "{{ directory }}/{{ cname }}.crt" + owner: "{{ owner | default('root') }}" + group: "{{ group | default('root') }}" + state: link + +- name: Create the link to key + file: + src: "{{ store_directory }}/keys/{{ cname }}.key" + dest: "{{ directory }}/{{ cname }}.key" + owner: "{{ owner | default('root') }}" + group: "{{ group | default('root') }}" + state: link + From 89960146afca0d385872ae4417e85d53bae926aa Mon Sep 17 00:00:00 2001 From: Jean-Marie Mineau Date: Sat, 5 Mar 2022 01:48:15 +0100 Subject: [PATCH 06/10] remove role --- roles/generate-cert/LICENSE | 167 -------------------------- roles/generate-cert/README.md | 9 -- roles/generate-cert/defaults/main.yml | 8 -- roles/generate-cert/tasks/main.yml | 165 ------------------------- 4 files changed, 349 deletions(-) delete mode 100644 roles/generate-cert/LICENSE delete mode 100644 roles/generate-cert/README.md delete mode 100644 roles/generate-cert/defaults/main.yml delete mode 100644 roles/generate-cert/tasks/main.yml diff --git a/roles/generate-cert/LICENSE b/roles/generate-cert/LICENSE deleted file mode 100644 index f234cd5..0000000 --- a/roles/generate-cert/LICENSE +++ /dev/null 
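Review bot: On a host provisioned with the previous layout, `{{ directory }}/{{ cname }}.key` and `.crt` already exist as regular files, and `file` with `state: link` refuses to replace a regular file with a symlink unless `force: true`, so the first run after this change fails at `Create the link to cert` — after a brand-new key and certificate have already been generated into the store, because the `stat` checks now look only there. Either move an existing pair into the store before the stat checks (a `stat` on the old path plus a guarded move, so the current key is kept and no needless re-issue happens) or add `force: true` to both link tasks and accept that the old files are discarded; in both cases the upgrade path deserves a test given the `[UNTESTED]` subject. A short comment on the link tasks stating which of the two behaviours was chosen would also help the next maintainer.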
@@ -1,167 +0,0 @@ - GNU LESSER GENERAL PUBLIC LICENSE - Version 3, 29 June 2007 - - Copyright (C) 2007 Free Software Foundation, Inc. - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - - This version of the GNU Lesser General Public License incorporates -the terms and conditions of version 3 of the GNU General Public -License, supplemented by the additional permissions listed below. - - 0. Additional Definitions. - - As used herein, "this License" refers to version 3 of the GNU Lesser -General Public License, and the "GNU GPL" refers to version 3 of the GNU -General Public License. - - "The Library" refers to a covered work governed by this License, -other than an Application or a Combined Work as defined below. - - An "Application" is any work that makes use of an interface provided -by the Library, but which is not otherwise based on the Library. -Defining a subclass of a class defined by the Library is deemed a mode -of using an interface provided by the Library. - - A "Combined Work" is a work produced by combining or linking an -Application with the Library. The particular version of the Library -with which the Combined Work was made is also called the "Linked -Version". - - The "Minimal Corresponding Source" for a Combined Work means the -Corresponding Source for the Combined Work, excluding any source code -for portions of the Combined Work that, considered in isolation, are -based on the Application, and not on the Linked Version. - - The "Corresponding Application Code" for a Combined Work means the -object code and/or source code for the Application, including any data -and utility programs needed for reproducing the Combined Work from the -Application, but excluding the System Libraries of the Combined Work. - - 1. Exception to Section 3 of the GNU GPL. - - You may convey a covered work under sections 3 and 4 of this License -without being bound by section 3 of the GNU GPL. 
- - 2. Conveying Modified Versions. - - If you modify a copy of the Library, and, in your modifications, a -facility refers to a function or data to be supplied by an Application -that uses the facility (other than as an argument passed when the -facility is invoked), then you may convey a copy of the modified -version: - - a) under this License, provided that you make a good faith effort to - ensure that, in the event an Application does not supply the - function or data, the facility still operates, and performs - whatever part of its purpose remains meaningful, or - - b) under the GNU GPL, with none of the additional permissions of - this License applicable to that copy. - - 3. Object Code Incorporating Material from Library Header Files. - - The object code form of an Application may incorporate material from -a header file that is part of the Library. You may convey such object -code under terms of your choice, provided that, if the incorporated -material is not limited to numerical parameters, data structure -layouts and accessors, or small macros, inline functions and templates -(ten or fewer lines in length), you do both of the following: - - a) Give prominent notice with each copy of the object code that the - Library is used in it and that the Library and its use are - covered by this License. - - b) Accompany the object code with a copy of the GNU GPL and this license - document. - - 4. Combined Works. - - You may convey a Combined Work under terms of your choice that, -taken together, effectively do not restrict modification of the -portions of the Library contained in the Combined Work and reverse -engineering for debugging such modifications, if you also do each of -the following: - - a) Give prominent notice with each copy of the Combined Work that - the Library is used in it and that the Library and its use are - covered by this License. - - b) Accompany the Combined Work with a copy of the GNU GPL and this license - document. 
- - c) For a Combined Work that displays copyright notices during - execution, include the copyright notice for the Library among - these notices, as well as a reference directing the user to the - copies of the GNU GPL and this license document. - - d) Do one of the following: - - 0) Convey the Minimal Corresponding Source under the terms of this - License, and the Corresponding Application Code in a form - suitable for, and under terms that permit, the user to - recombine or relink the Application with a modified version of - the Linked Version to produce a modified Combined Work, in the - manner specified by section 6 of the GNU GPL for conveying - Corresponding Source. - - 1) Use a suitable shared library mechanism for linking with the - Library. A suitable mechanism is one that (a) uses at run time - a copy of the Library already present on the user's computer - system, and (b) will operate properly with a modified version - of the Library that is interface-compatible with the Linked - Version. - - e) Provide Installation Information, but only if you would otherwise - be required to provide such information under section 6 of the - GNU GPL, and only to the extent that such information is - necessary to install and execute a modified version of the - Combined Work produced by recombining or relinking the - Application with a modified version of the Linked Version. (If - you use option 4d0, the Installation Information must accompany - the Minimal Corresponding Source and Corresponding Application - Code. If you use option 4d1, you must provide the Installation - Information in the manner specified by section 6 of the GNU GPL - for conveying Corresponding Source.) - - 5. Combined Libraries. 
- - You may place library facilities that are a work based on the -Library side by side in a single library together with other library -facilities that are not Applications and are not covered by this -License, and convey such a combined library under terms of your -choice, if you do both of the following: - - a) Accompany the combined library with a copy of the same work based - on the Library, uncombined with any other library facilities, - conveyed under the terms of this License. - - b) Give prominent notice with the combined library that part of it - is a work based on the Library, and explaining where to find the - accompanying uncombined form of the same work. - - 6. Revised Versions of the GNU Lesser General Public License. - - The Free Software Foundation may publish revised and/or new versions -of the GNU Lesser General Public License from time to time. Such new -versions will be similar in spirit to the present version, but may -differ in detail to address new problems or concerns. - - Each version is given a distinguishing version number. If the -Library as you received it specifies that a certain numbered version -of the GNU Lesser General Public License "or any later version" -applies to it, you have the option of following the terms and -conditions either of that published version or of any later version -published by the Free Software Foundation. If the Library as you -received it does not specify a version number of the GNU Lesser -General Public License, you may choose any version of the GNU Lesser -General Public License ever published by the Free Software Foundation. - - If the Library as you received it specifies that a proxy can decide -whether future versions of the GNU Lesser General Public License shall -apply, that proxy's public statement of acceptance of any version is -permanent authorization for you to choose that version for the -Library. - - 
diff --git a/roles/generate-cert/README.md b/roles/generate-cert/README.md deleted file mode 100644 index ce5aeca..0000000 --- a/roles/generate-cert/README.md +++ /dev/null @@ -1,9 +0,0 @@ -# generate-cert - -This role is part of the project [Ansible Hacky PKI](https://gitea.auro.re/histausse/ansible_hacky_pki) licenced under the LGPL 3. - -You can use it to generate certificate and manage de small pki, but keep it mind that this program is distributed **WITHOUT ANY WARRANTY**. -In particular, the **security** of the pki generated and the process of generated the pki **is not guaranteed**. If you find any vulnerability, -please contact me to see if we can find a patch. - -Copyright 2021 Jean-Marie Mineau diff --git a/roles/generate-cert/defaults/main.yml b/roles/generate-cert/defaults/main.yml deleted file mode 100644 index b104186..0000000 --- a/roles/generate-cert/defaults/main.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -key_usage: - - digitalSignature - - keyEncipherment -validity_duration: "+365d" -time_before_expiration_for_renewal: "+30d" # need a better name -force_renewal: no -store_directory: /etc/hackypky diff --git a/roles/generate-cert/tasks/main.yml b/roles/generate-cert/tasks/main.yml deleted file mode 100644 index afd91c7..0000000 --- a/roles/generate-cert/tasks/main.yml +++ /dev/null 
@@ -1,165 +0,0 @@ ---- -- name: Ensure the directories used to store certs exist - file: - path: "{{ item }}" - state: directory - group: root - owner: root - mode: u=rwx,g=rx,o=rx - loop: - - "{{ store_directory }}" - - "{{ store_directory }}/crts" - - "{{ store_directory }}/keys" - -- name: Ensure the directory containing the cert exist - file: - path: "{{ directory }}" - state: directory - -- name: Test if the key already exist - stat: - path: "{{ store_directory}}/keys/{{ cname }}.key" - register: key_file - -- name: Test if the cert already exist - stat: - path: "{{ store_directory}}/crts/{{ cname }}.crt" - register: cert_file - -- name: Test if we need to renew the certificate - openssl_certificate_info: - path: "{{ store_directory }}/crts/{{ cname }}.crt" - valid_at: - renewal: "{{ time_before_expiration_for_renewal }}" - register: validity - when: cert_file.stat.exists - -- name: Generate the certificate - block: - - name: Generate private key - become: false - openssl_privatekey: - path: "/tmp/ansible_hacky_pki_{{ cname }}.key" - mode: u=rw,g=,o= - size: "{{ key_size | default(omit) }}" - delegate_to: localhost - - - name: Generate a Certificate Signing Request - become: false - openssl_csr: - path: "/tmp/ansible_hacky_pki_{{ cname }}.csr" - privatekey_path: "/tmp/ansible_hacky_pki_{{ cname }}.key" - common_name: "{{ cname }}" - country_name: "{{ country_name | default(omit) }}" - locality_name: "{{ locality_name | default(omit) }}" - state_or_province_name: "{{ state_or_province_name | default(omit) }}" - organization_name: "{{ organization_name | default(omit) }}" - organizational_unit_name: "{{ organizational_unit_name | default(omit) }}" - email_address: "{{ email_address | default(omit) }}" - basic_constraints: - - CA:FALSE # syntax? 
- basic_constraints_critical: yes - key_usage: "{{ key_usage }}" - key_usage_critical: yes - subject_alt_name: "{{ subject_alt_name | default(omit) }}" - crl_distribution_points: "{{ crl_distribution_points | default(omit) }}" - delegate_to: localhost - - - name: Put the CA in a file - become: false - copy: - content: "{{ ca_cert }}" - dest: "/tmp/ansible_hacky_pki_ca.crt" - delegate_to: localhost - - - name: Put the CA key in a file - become: false - copy: - content: "{{ ca_key }}" - dest: "/tmp/ansible_hacky_pki_ca.key" - mode: u=rw,g=,o= - delegate_to: localhost - no_log: yes - - - name: Sign the certificate - become: false - openssl_certificate: - path: "/tmp/ansible_hacky_pki_{{ cname }}.crt" - csr_path: "/tmp/ansible_hacky_pki_{{ cname }}.csr" - ownca_not_after: "{{ validity_duration }}" - ownca_path: /tmp/ansible_hacky_pki_ca.crt - ownca_privatekey_passphrase: "{{ ca_passphrase }}" - ownca_privatekey_path: /tmp/ansible_hacky_pki_ca.key - provider: ownca - delegate_to: localhost - - - name: Send private key to the server - copy: - src: "/tmp/ansible_hacky_pki_{{ cname }}.key" - dest: "{{ store_directory }}/keys/{{ cname }}.key" - owner: "{{ owner | default('root') }}" - group: "{{ group | default('root') }}" - mode: "{{ key_mode | default('u=rw,g=,o=') }}" - no_log: yes - - - name: Send certificate to the server - copy: - src: "/tmp/ansible_hacky_pki_{{ cname }}.crt" - dest: "{{ store_directory }}/crts/{{ cname }}.crt" - owner: "{{ owner | default('root') }}" - group: "{{ group | default('root') }}" - mode: "{{ key_mode | default('u=rw,g=r,o=r') }}" - - # Clean up - - name: Remove the local cert key - become: false - file: - path: "/tmp/ansible_hacky_pki_{{ cname }}.key" - state: absent - delegate_to: localhost - - - name: Remove the CSR - become: false - file: - path: "/tmp/ansible_hacky_pki_{{ cname }}.csr" - state: absent - delegate_to: localhost - - - name: Remove the local certificate - become: false - file: - path: "/tmp/ansible_hacky_pki_{{ cname 
}}.crt" - state: absent - delegate_to: localhost - - - name: Remove the CA certificate - become: false - file: - path: /tmp/ansible_hacky_pki_ca.crt - state: absent - delegate_to: localhost - - - name: Remove the CA key - become: false - file: - path: /tmp/ansible_hacky_pki_ca.key - state: absent - delegate_to: localhost - when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) - -- name: Create the link to cert - file: - src: "{{ store_directory }}/crts/{{ cname }}.crt" - dest: "{{ directory }}/{{ cname }}.crt" - owner: "{{ owner | default('root') }}" - group: "{{ group | default('root') }}" - state: link - -- name: Create the link to key - file: - src: "{{ store_directory }}/keys/{{ cname }}.key" - dest: "{{ directory }}/{{ cname }}.key" - owner: "{{ owner | default('root') }}" - group: "{{ group | default('root') }}" - state: link - From d9ae85f063ac12349f8638fd173c7aeb4a9154d2 Mon Sep 17 00:00:00 2001 From: Jean-Marie Mineau Date: Sat, 5 Mar 2022 01:51:21 +0100 Subject: [PATCH 07/10] add submodule --- .gitmodules | 3 +++ roles/generate-cert | 1 + 2 files changed, 4 insertions(+) create mode 100644 .gitmodules create mode 160000 roles/generate-cert diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..edbf71e --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "roles/generate-cert"] + path = roles/generate-cert + url = ssh://git@gitea.auro.re:2222/Pains-Perdus/generate-cert.git diff --git a/roles/generate-cert b/roles/generate-cert new file mode 160000 index 0000000..2b5eb81 --- /dev/null +++ b/roles/generate-cert @@ -0,0 +1 @@ +Subproject commit 2b5eb81d7ef31946e541caedcb6b88ccb5e1b09c From 49bc9d74b1bcc397573218b36dc79b44da371784 Mon Sep 17 00:00:00 2001 From: Jean-Marie Mineau Date: Sat, 5 Mar 2022 01:58:04 +0100 Subject: [PATCH 08/10] update readme --- README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) 
diff --git a/README.md b/README.md index b88cc26..c3f8efd 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,14 @@ You need to have the `cryptography` python library available on the localhost an ## How to use it -Copy the roles of the repo in the role folder of your ansible projet. Define in you projet the variables you want/need to modify (cf the section Generate a CA). +Add the submodule of the role you want to use in your role folder: + +``` +git submodule add ssh://git@gitea.auro.re:2222/Pains-Perdus/generate-cert.git roles/generate-cert +git submodule init +``` + +Define in you projet the variables you want/need to modify (cf the section Generate a CA). After that you can use the role in your playbooks, as shown in the example playbook. From 8fbe4d1c23e60f4b9b8d0236ed01d7fc1d8eee92 Mon Sep 17 00:00:00 2001 From: Jean-Marie Mineau Date: Sat, 5 Mar 2022 02:03:32 +0100 Subject: [PATCH 09/10] update role --- roles/generate-cert | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/generate-cert b/roles/generate-cert index 2b5eb81..d0b9955 160000 --- a/roles/generate-cert +++ b/roles/generate-cert @@ -1 +1 @@ -Subproject commit 2b5eb81d7ef31946e541caedcb6b88ccb5e1b09c +Subproject commit d0b99550388efe0715fe759d4f1d3b69932f7919 From 7d27d13966796d4b43e076aebbf8501942329da6 Mon Sep 17 00:00:00 2001 
From: Jean-Marie 'Histausse' Mineau Date: Thu, 9 Oct 2025 16:40:59 +0200 Subject: [PATCH 10/10] merge submodule with main repo --- .gitmodules | 3 - README.md | 9 +- roles/generate-cert | 1 - roles/generate-cert/LICENSE | 167 ++++++++++++++++++++++++++ roles/generate-cert/README.md | 12 ++ roles/generate-cert/defaults/main.yml | 8 ++ roles/generate-cert/tasks/main.yml | 165 +++++++++++++++++++++++++ 7 files changed, 354 insertions(+), 11 deletions(-) delete mode 100644 .gitmodules delete mode 160000 roles/generate-cert create mode 100644 roles/generate-cert/LICENSE create mode 100644 roles/generate-cert/README.md create mode 100644 roles/generate-cert/defaults/main.yml create mode 100644 roles/generate-cert/tasks/main.yml diff --git a/.gitmodules b/.gitmodules deleted file mode 100644 index edbf71e..0000000 --- a/.gitmodules +++ /dev/null @@ -1,3 +0,0 @@ -[submodule "roles/generate-cert"] - path = roles/generate-cert - url = ssh://git@gitea.auro.re:2222/Pains-Perdus/generate-cert.git diff --git a/README.md b/README.md index c3f8efd..2c81fe3 100644 --- a/README.md +++ b/README.md @@ -15,12 +15,7 @@ You need to have the `cryptography` python library available on the localhost an ## How to use it -Add the submodule of the role you want to use in your role folder: - -``` -git submodule add ssh://git@gitea.auro.re:2222/Pains-Perdus/generate-cert.git roles/generate-cert -git submodule init -``` +Add the roles/generate-cert to your role folder. Define in you projet the variables you want/need to modify (cf the section Generate a CA). @@ -99,4 +94,4 @@ crl_distribution_points: ## Copyright -Copyright 2021 Jean-Marie Mineau +Copyright 2021 Jean-Marie Mineau diff --git a/roles/generate-cert b/roles/generate-cert deleted file mode 160000 index d0b9955..0000000 --- a/roles/generate-cert +++ /dev/null @@ -1 +0,0 @@ -Subproject commit d0b99550388efe0715fe759d4f1d3b69932f7919 
diff --git a/roles/generate-cert/LICENSE b/roles/generate-cert/LICENSE
new file mode 100644
index 0000000..f234cd5
--- /dev/null
+++ b/roles/generate-cert/LICENSE
@@ -0,0 +1,167 @@ + GNU LESSER GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + + This version of the GNU Lesser General Public License incorporates +the terms and conditions of version 3 of the GNU General Public +License, supplemented by the additional permissions listed below. + + 0. Additional Definitions. + + As used herein, "this License" refers to version 3 of the GNU Lesser +General Public License, and the "GNU GPL" refers to version 3 of the GNU +General Public License. + + "The Library" refers to a covered work governed by this License, +other than an Application or a Combined Work as defined below. + + An "Application" is any work that makes use of an interface provided +by the Library, but which is not otherwise based on the Library. +Defining a subclass of a class defined by the Library is deemed a mode +of using an interface provided by the Library. + + A "Combined Work" is a work produced by combining or linking an +Application with the Library. The particular version of the Library +with which the Combined Work was made is also called the "Linked +Version". + + The "Minimal Corresponding Source" for a Combined Work means the +Corresponding Source for the Combined Work, excluding any source code +for portions of the Combined Work that, considered in isolation, are +based on the Application, and not on the Linked Version. + + The "Corresponding Application Code" for a Combined Work means the +object code and/or source code for the Application, including any data +and utility programs needed for reproducing the Combined Work from the +Application, but excluding the System Libraries of the Combined Work. + + 1. Exception to Section 3 of the GNU GPL. + + You may convey a covered work under sections 3 and 4 of this License +without being bound by section 3 of the GNU GPL. 
+ + 2. Conveying Modified Versions. + + If you modify a copy of the Library, and, in your modifications, a +facility refers to a function or data to be supplied by an Application +that uses the facility (other than as an argument passed when the +facility is invoked), then you may convey a copy of the modified +version: + + a) under this License, provided that you make a good faith effort to + ensure that, in the event an Application does not supply the + function or data, the facility still operates, and performs + whatever part of its purpose remains meaningful, or + + b) under the GNU GPL, with none of the additional permissions of + this License applicable to that copy. + + 3. Object Code Incorporating Material from Library Header Files. + + The object code form of an Application may incorporate material from +a header file that is part of the Library. You may convey such object +code under terms of your choice, provided that, if the incorporated +material is not limited to numerical parameters, data structure +layouts and accessors, or small macros, inline functions and templates +(ten or fewer lines in length), you do both of the following: + + a) Give prominent notice with each copy of the object code that the + Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the object code with a copy of the GNU GPL and this license + document. + + 4. Combined Works. + + You may convey a Combined Work under terms of your choice that, +taken together, effectively do not restrict modification of the +portions of the Library contained in the Combined Work and reverse +engineering for debugging such modifications, if you also do each of +the following: + + a) Give prominent notice with each copy of the Combined Work that + the Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the Combined Work with a copy of the GNU GPL and this license + document. 
+ + c) For a Combined Work that displays copyright notices during + execution, include the copyright notice for the Library among + these notices, as well as a reference directing the user to the + copies of the GNU GPL and this license document. + + d) Do one of the following: + + 0) Convey the Minimal Corresponding Source under the terms of this + License, and the Corresponding Application Code in a form + suitable for, and under terms that permit, the user to + recombine or relink the Application with a modified version of + the Linked Version to produce a modified Combined Work, in the + manner specified by section 6 of the GNU GPL for conveying + Corresponding Source. + + 1) Use a suitable shared library mechanism for linking with the + Library. A suitable mechanism is one that (a) uses at run time + a copy of the Library already present on the user's computer + system, and (b) will operate properly with a modified version + of the Library that is interface-compatible with the Linked + Version. + + e) Provide Installation Information, but only if you would otherwise + be required to provide such information under section 6 of the + GNU GPL, and only to the extent that such information is + necessary to install and execute a modified version of the + Combined Work produced by recombining or relinking the + Application with a modified version of the Linked Version. (If + you use option 4d0, the Installation Information must accompany + the Minimal Corresponding Source and Corresponding Application + Code. If you use option 4d1, you must provide the Installation + Information in the manner specified by section 6 of the GNU GPL + for conveying Corresponding Source.) + + 5. Combined Libraries. 
+ + You may place library facilities that are a work based on the +Library side by side in a single library together with other library +facilities that are not Applications and are not covered by this +License, and convey such a combined library under terms of your +choice, if you do both of the following: + + a) Accompany the combined library with a copy of the same work based + on the Library, uncombined with any other library facilities, + conveyed under the terms of this License. + + b) Give prominent notice with the combined library that part of it + is a work based on the Library, and explaining where to find the + accompanying uncombined form of the same work. + + 6. Revised Versions of the GNU Lesser General Public License. + + The Free Software Foundation may publish revised and/or new versions +of the GNU Lesser General Public License from time to time. Such new +versions will be similar in spirit to the present version, but may +differ in detail to address new problems or concerns. + + Each version is given a distinguishing version number. If the +Library as you received it specifies that a certain numbered version +of the GNU Lesser General Public License "or any later version" +applies to it, you have the option of following the terms and +conditions either of that published version or of any later version +published by the Free Software Foundation. If the Library as you +received it does not specify a version number of the GNU Lesser +General Public License, you may choose any version of the GNU Lesser +General Public License ever published by the Free Software Foundation. + + If the Library as you received it specifies that a proxy can decide +whether future versions of the GNU Lesser General Public License shall +apply, that proxy's public statement of acceptance of any version is +permanent authorization for you to choose that version for the +Library. + + 
diff --git a/roles/generate-cert/README.md b/roles/generate-cert/README.md new file mode 100644 index 0000000..b92a8ac --- /dev/null +++ b/roles/generate-cert/README.md @@ -0,0 +1,12 @@ +# generate-cert + +This role is part of the project [Ansible Hacky PKI](https://git.mineau.eu/histausse/ansible_hacky_pki) licenced under the LGPL 3. See the project repo for examples. + +You can use it to generate certificate and manage de small pki, but keep it mind that this program is distributed **WITHOUT ANY WARRANTY**. +In particular, the **security** of the pki generated and the process of generated the pki **is not guaranteed**. If you find any vulnerability, +please contact me to see if we can find a patch. + + +## Copyright + +Copyright 2021 Jean-Marie Mineau diff --git a/roles/generate-cert/defaults/main.yml b/roles/generate-cert/defaults/main.yml new file mode 100644 index 0000000..b104186 --- /dev/null +++ b/roles/generate-cert/defaults/main.yml @@ -0,0 +1,8 @@ +--- +key_usage: + - digitalSignature + - keyEncipherment +validity_duration: "+365d" +time_before_expiration_for_renewal: "+30d" # need a better name +force_renewal: no +store_directory: /etc/hackypky diff --git a/roles/generate-cert/tasks/main.yml b/roles/generate-cert/tasks/main.yml new file mode 100644 index 0000000..afd91c7 --- /dev/null +++ b/roles/generate-cert/tasks/main.yml 
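Review bot: `force_renewal: no` in the new defaults/main.yml relies on YAML 1.1 boolean parsing; Ansible does read it as false, but `force_renewal: false` is the canonical form, is what yamllint's truthy rule expects, and matches the `become: false` style already used in the tasks file. `store_directory: /etc/hackypky` looks like a typo for `hackypki`; if it is, correcting it changes where hosts that already ran the role keep their certificates and keys, so the fix would need a migration step rather than a silent rename. The `# need a better name` comment on `time_before_expiration_for_renewal` could be settled by documenting what the value does, since the tasks feed it to `openssl_certificate_info` as `valid_at` and renew when the certificate is not valid at that point: `# Renew when the certificate would no longer be valid this far in the future (openssl_certificate_info valid_at format, e.g. "+30d")`.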
@@ -0,0 +1,165 @@ +--- +- name: Ensure the directories used to store certs exist + file: + path: "{{ item }}" + state: directory + group: root + owner: root + mode: u=rwx,g=rx,o=rx + loop: + - "{{ store_directory }}" + - "{{ store_directory }}/crts" + - "{{ store_directory }}/keys" + +- name: Ensure the directory containing the cert exist + file: + path: "{{ directory }}" + state: directory + +- name: Test if the key already exist + stat: + path: "{{ store_directory}}/keys/{{ cname }}.key" + register: key_file + +- name: Test if the cert already exist + stat: + path: "{{ store_directory}}/crts/{{ cname }}.crt" + register: cert_file + +- name: Test if we need to renew the certificate + openssl_certificate_info: + path: "{{ store_directory }}/crts/{{ cname }}.crt" + valid_at: + renewal: "{{ time_before_expiration_for_renewal }}" + register: validity + when: cert_file.stat.exists + +- name: Generate the certificate + block: + - name: Generate private key + become: false + openssl_privatekey: + path: "/tmp/ansible_hacky_pki_{{ cname }}.key" + mode: u=rw,g=,o= + size: "{{ key_size | default(omit) }}" + delegate_to: localhost + + - name: Generate a Certificate Signing Request + become: false + openssl_csr: + path: "/tmp/ansible_hacky_pki_{{ cname }}.csr" + privatekey_path: "/tmp/ansible_hacky_pki_{{ cname }}.key" + common_name: "{{ cname }}" + country_name: "{{ country_name | default(omit) }}" + locality_name: "{{ locality_name | default(omit) }}" + state_or_province_name: "{{ state_or_province_name | default(omit) }}" + organization_name: "{{ organization_name | default(omit) }}" + organizational_unit_name: "{{ organizational_unit_name | default(omit) }}" + email_address: "{{ email_address | default(omit) }}" + basic_constraints: + - CA:FALSE # syntax? 
+ basic_constraints_critical: yes + key_usage: "{{ key_usage }}" + key_usage_critical: yes + subject_alt_name: "{{ subject_alt_name | default(omit) }}" + crl_distribution_points: "{{ crl_distribution_points | default(omit) }}" + delegate_to: localhost + + - name: Put the CA in a file + become: false + copy: + content: "{{ ca_cert }}" + dest: "/tmp/ansible_hacky_pki_ca.crt" + delegate_to: localhost + + - name: Put the CA key in a file + become: false + copy: + content: "{{ ca_key }}" + dest: "/tmp/ansible_hacky_pki_ca.key" + mode: u=rw,g=,o= + delegate_to: localhost + no_log: yes + + - name: Sign the certificate + become: false + openssl_certificate: + path: "/tmp/ansible_hacky_pki_{{ cname }}.crt" + csr_path: "/tmp/ansible_hacky_pki_{{ cname }}.csr" + ownca_not_after: "{{ validity_duration }}" + ownca_path: /tmp/ansible_hacky_pki_ca.crt + ownca_privatekey_passphrase: "{{ ca_passphrase }}" + ownca_privatekey_path: /tmp/ansible_hacky_pki_ca.key + provider: ownca + delegate_to: localhost + + - name: Send private key to the server + copy: + src: "/tmp/ansible_hacky_pki_{{ cname }}.key" + dest: "{{ store_directory }}/keys/{{ cname }}.key" + owner: "{{ owner | default('root') }}" + group: "{{ group | default('root') }}" + mode: "{{ key_mode | default('u=rw,g=,o=') }}" + no_log: yes + + - name: Send certificate to the server + copy: + src: "/tmp/ansible_hacky_pki_{{ cname }}.crt" + dest: "{{ store_directory }}/crts/{{ cname }}.crt" + owner: "{{ owner | default('root') }}" + group: "{{ group | default('root') }}" + mode: "{{ key_mode | default('u=rw,g=r,o=r') }}" + + # Clean up + - name: Remove the local cert key + become: false + file: + path: "/tmp/ansible_hacky_pki_{{ cname }}.key" + state: absent + delegate_to: localhost + + - name: Remove the CSR + become: false + file: + path: "/tmp/ansible_hacky_pki_{{ cname }}.csr" + state: absent + delegate_to: localhost + + - name: Remove the local certificate + become: false + file: + path: "/tmp/ansible_hacky_pki_{{ cname 
}}.crt" + state: absent + delegate_to: localhost + + - name: Remove the CA certificate + become: false + file: + path: /tmp/ansible_hacky_pki_ca.crt + state: absent + delegate_to: localhost + + - name: Remove the CA key + become: false + file: + path: /tmp/ansible_hacky_pki_ca.key + state: absent + delegate_to: localhost + when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal) + +- name: Create the link to cert + file: + src: "{{ store_directory }}/crts/{{ cname }}.crt" + dest: "{{ directory }}/{{ cname }}.crt" + owner: "{{ owner | default('root') }}" + group: "{{ group | default('root') }}" + state: link + +- name: Create the link to key + file: + src: "{{ store_directory }}/keys/{{ cname }}.key" + dest: "{{ directory }}/{{ cname }}.key" + owner: "{{ owner | default('root') }}" + group: "{{ group | default('root') }}" + state: link +
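Review bot: The five clean-up tasks at the end of the `Generate the certificate` block only run if every preceding task succeeds, so a failure in `Sign the certificate` or in the `copy` to the target leaves `/tmp/ansible_hacky_pki_ca.key` and the freshly generated private key in the controller's shared `/tmp`; moving those tasks into an `always:` section of the same block keeps the block-level `when` and removes the files on failure as well. `Send certificate to the server` reuses `key_mode` for the certificate's mode, so a user who tightens `key_mode` to `u=rw,g=,o=` silently makes the public certificate unreadable to other services on the host; a separate variable, `mode: "{{ cert_mode | default('u=rw,g=r,o=r') }}"`, avoids that. The fixed, predictable file names under `/tmp` are also worth replacing with a per-run directory from the `tempfile` module on a multi-user controller, and the `yes` values on `basic_constraints_critical`, `key_usage_critical` and `no_log` would read more consistently as `true` next to the `become: false` lines. The `# syntax?` comment on `CA:FALSE` can be resolved: that is the form community.crypto's `openssl_csr` documents for `basic_constraints`.
```yaml
- name: Generate the certificate
  block:
    # … unchanged: generate key and CSR, write CA files, sign, copy to the server …
  always:
    # Clean up: runs even when a task above fails, so no key material
    # is left behind in the controller's /tmp.
    - name: Remove the local cert key
      become: false
      file:
        path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
        state: absent
      delegate_to: localhost
    # … unchanged: remove the CSR, the local certificate, the CA certificate and the CA key …
  when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
```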