ISTI-ansible-roles
/
ansible-role-basic-system-setup
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Private CA: remove the certificates from the CA server if they are already present so that we can create new ones.

This commit is contained in:
Andrea Dell'Amico 2026-01-07 17:51:03 +01:00
parent fedba79e71
commit 60b9fb6cc0
Signed by: adellam
GPG Key ID: 147ABE6CEB9E20FF
1 changed files with 16 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
tasks/certificate_from_private_ca.yml
View File

@ -6,7 +6,18 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
ansible_common_remote_group: ansible ansible_common_remote_group: ansible
- name: certificate_from_private_ca | Create the certificate (delegate to the CA vm) - name: certificate_from_private_ca | Remove the already existing certificates from the CA archive (delegate to the CA server)
ansible.builtin.file:
path: "/srv/mkcert-ca/{{ item }}"
state: absent
loop:
- "{{ mkcert_cert_name }}"
- "{{ mkcert_key_name }}"
- "client-{{ mkcert_cert_name }}"
- "client-{{ mkcert_key_name }}"
delegate_to: "{{ mkcert_ca_host }}"
- name: certificate_from_private_ca | Create the certificate (delegate to the CA server)
ansible.builtin.command: ansible.builtin.command:
cmd: mkcert -cert-file /srv/mkcert-ca/{{ mkcert_cert_name }} -key-file /srv/mkcert-ca/{{ mkcert_key_name }} {{ mkcert_dsn_and_ip_list }} cmd: mkcert -cert-file /srv/mkcert-ca/{{ mkcert_cert_name }} -key-file /srv/mkcert-ca/{{ mkcert_key_name }} {{ mkcert_dsn_and_ip_list }}
args: args:
@ -16,9 +27,9 @@
CAROOT: /srv/mkcert-ca/.local/share/mkcert CAROOT: /srv/mkcert-ca/.local/share/mkcert
delegate_to: "{{ mkcert_ca_host }}" delegate_to: "{{ mkcert_ca_host }}"
- name: certificate_from_private_ca | Create a certificate able to do client authentication (delegate to the CA vm) - name: certificate_from_private_ca | Create a certificate able to do client authentication (delegate to the CA server)
ansible.builtin.command: ansible.builtin.command:
cmd: mkcert -client -cert-file /srv/mkcert-ca/client-{{ mkcert_cert_name }} -key-file /srv/mkcert-ca/client-{{ mkcert_key_name }} {{ mkcert_dsn_and_ip_list }} cmd: mkcert -client -cert-file /srv/mkcert-ca/client-{{ mkcert_cert_name }} -key-file /srv/mkcert-ca/client-{{ mkcert_key_name }} {{ mkcert_dsn_and_ip_list }} # yamllint disable-line rule:line-length
args: args:
chdir: /srv/mkcert-ca chdir: /srv/mkcert-ca
creates: "/srv/mkcert-ca/client-{{ mkcert_cert_name }}" creates: "/srv/mkcert-ca/client-{{ mkcert_cert_name }}"
@ -47,7 +58,7 @@
dest: "{{ mkcert_cert_dest_path }}" dest: "{{ mkcert_cert_dest_path }}"
owner: root owner: root
group: root group: root
mode: 0444 mode: "0444"
loop: loop:
- "{{ mkcert_cert_name }}" - "{{ mkcert_cert_name }}"
- "client-{{ mkcert_cert_name }}" - "client-{{ mkcert_cert_name }}"
@ -58,7 +69,7 @@
dest: "{{ mkcert_key_dest_path }}" dest: "{{ mkcert_key_dest_path }}"
owner: root owner: root
group: root group: root
mode: 0440 mode: "0440"
loop: loop:
- "{{ mkcert_key_name }}" - "{{ mkcert_key_name }}"
- "client-{{ mkcert_key_name }}" - "client-{{ mkcert_key_name }}"