Private CA: remove the certificates from the CA server if they are already present so that we can create new ones.

2026-01-07 17:51:03 +01:00 · 2026-01-07 17:51:03 +01:00 · 60b9fb6cc0
parent fedba79e71
commit 60b9fb6cc0
1 changed files with 16 additions and 5 deletions
--- a/tasks/certificate_from_private_ca.yml
+++ b/tasks/certificate_from_private_ca.yml
@ -6,7 +6,18 @@
      ansible.builtin.set_fact:
        ansible_common_remote_group: ansible

-    - name: certificate_from_private_ca | Create the certificate (delegate to the CA vm)
+    - name: certificate_from_private_ca | Remove the already existing certificates from the CA archive (delegate to the CA server)
+      ansible.builtin.file:
+        path: "/srv/mkcert-ca/{{ item }}"
+        state: absent
+      loop:
+        - "{{ mkcert_cert_name }}"
+        - "{{ mkcert_key_name }}"
+        - "client-{{ mkcert_cert_name }}"
+        - "client-{{ mkcert_key_name }}"
+      delegate_to: "{{ mkcert_ca_host }}"
+
+    - name: certificate_from_private_ca | Create the certificate (delegate to the CA server)
      ansible.builtin.command:
        cmd: mkcert -cert-file /srv/mkcert-ca/{{ mkcert_cert_name }} -key-file /srv/mkcert-ca/{{ mkcert_key_name }} {{ mkcert_dsn_and_ip_list }}
      args:
@ -16,9 +27,9 @@
        CAROOT: /srv/mkcert-ca/.local/share/mkcert
      delegate_to: "{{ mkcert_ca_host }}"

-    - name: certificate_from_private_ca | Create a certificate able to do client authentication (delegate to the CA vm)
+    - name: certificate_from_private_ca | Create a certificate able to do client authentication (delegate to the CA server)
      ansible.builtin.command:
-        cmd: mkcert -client -cert-file /srv/mkcert-ca/client-{{ mkcert_cert_name }} -key-file /srv/mkcert-ca/client-{{ mkcert_key_name }} {{ mkcert_dsn_and_ip_list }}
+        cmd: mkcert -client -cert-file /srv/mkcert-ca/client-{{ mkcert_cert_name }} -key-file /srv/mkcert-ca/client-{{ mkcert_key_name }} {{ mkcert_dsn_and_ip_list }} # yamllint disable-line rule:line-length
      args:
        chdir: /srv/mkcert-ca
        creates: "/srv/mkcert-ca/client-{{ mkcert_cert_name }}"
@ -47,7 +58,7 @@
        dest: "{{ mkcert_cert_dest_path }}"
        owner: root
        group: root
-        mode: 0444
+        mode: "0444"
      loop:
        - "{{ mkcert_cert_name }}"
        - "client-{{ mkcert_cert_name }}"
@ -58,7 +69,7 @@
        dest: "{{ mkcert_key_dest_path }}"
        owner: root
        group: root
-        mode: 0440
+        mode: "0440"
      loop:
        - "{{ mkcert_key_name }}"
        - "client-{{ mkcert_key_name }}"