ansible-role-basic-system-s.../tasks/trusted_ca.yml

121 lines
4.2 KiB
YAML

---
- name: Manage optional CA files on EL
tags: ['pki', 'trusted_ca', 'letsencrypt_ca']
block:
- name: Get the CA files that we want to trust on EL
get_url: url={{ item.ca_url }} dest=/etc/pki/ca-trust/source/anchors/{{ item.ca }} owner=root group=root mode='0444'
with_items: '{{ trusted_ca_additional_ca_files }}'
register: ca_files_installation
- name: Trust the CA files on EL
command: /bin/update-ca-trust extract
when: ca_files_installation is changed
when: ansible_distribution_file_variety == "RedHat"
- name: Manage the Letsencrypt CA files on EL
when:
- trusted_ca_letsencrypt_install
- ansible_distribution_file_variety == "RedHat"
tags: ['pki', 'trusted_ca', 'letsencrypt_ca']
block:
- name: Download the letsencrypt CA files on EL
get_url:
url: '{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca_src }}'
dest: '/etc/pki/ca-trust/source/anchors/{{ item.ca }}'
owner: root
group: root
mode: 0444
loop: '{{ trusted_ca_letsencrypt_ca_files }}'
register: letsencrypt_ca_files_installation
- name: Rebuild the trust CA files on EL
command: /bin/update-ca-trust extract
when: letsencrypt_ca_files_installation is changed
- name: Ensure that the expired CA files are not present
file:
dest: '/etc/pki/ca-trust/source/anchors/{{ item }}'
state: absent
loop: '{{ expired_ca_letsencrypt_ca_files }}'
register: letsencrypt_ca_files_removal
- name: Rebuild the trust CA files on EL
command: /bin/update-ca-trust extract
when: letsencrypt_ca_files_removal is changed
- name: Manage optional CA files on deb
when: ansible_distribution_file_variety == "Debian"
tags: ['pki', 'trusted_ca', 'letsencrypt_ca']
block:
- name: Ensure that ca-certificates is installed and up to date
apt:
pkg: ca-certificates
state: latest
cache_valid_time: 1800
- name: Get the CA files that we want to trust on deb
get_url: url={{ item.ca_url }} dest={{ trusted_ca_deb_path }}/{{ item.ca }} owner=root group=root mode='0444'
with_items: '{{ trusted_ca_additional_ca_files }}'
register: ca_files_installation
- name: Trust the CA files on deb
command: /usr/sbin/update-ca-certificates
when: ca_files_installation is changed
- name: Distrust the DST Root CA X3 in Ubuntu Trusty
when:
- ansible_distribution_file_variety == "Debian"
- ansible_distribution_version is version_compare('14.04', '==')
tags: ['pki', 'obsolete_ca']
block:
- name: Comment the mozilla/DST_Root_CA_X3.crt entry
lineinfile:
path: /etc/ca-certificates.conf
regexp: '^mozilla/DST_Root_CA_X3.crt'
line: '!mozilla/DST_Root_CA_X3.crt'
register: dst_x3_distrust
- name: Trust the CA files on deb
command: /usr/sbin/update-ca-certificates
when: dst_x3_distrust is changed
- name: Manage the Letsencrypt CA files on deb
when:
- trusted_ca_letsencrypt_install
- ansible_distribution_file_variety == "Debian"
tags: ['pki', 'trusted_ca', 'letsencrypt_ca']
block:
- name: Download the letsencrypt CA files on deb
get_url:
url: '{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca_src }}'
dest: '{{ trusted_ca_deb_path }}/{{ item.ca }}'
owner: root
group: root
mode: 0444
loop: '{{ trusted_ca_letsencrypt_ca_files }}'
register: letsencrypt_ca_files_installation
- name: Trust the CA files on deb
command: /usr/sbin/update-ca-certificates
when: letsencrypt_ca_files_installation is changed
- name: Ensure that the expired CA files are not present
file:
dest: '/etc/ssl/certs/{{ item }}'
state: absent
loop: '{{ expired_ca_letsencrypt_ca_files }}'
register: letsencrypt_ca_files_removal
- name: Ensure that the expired CA files are not present
file:
dest: '{{ trusted_ca_deb_path }}/{{ item }}'
state: absent
loop: '{{ expired_ca_letsencrypt_ca_files }}'
register: letsencrypt_ca_files_removal
- name: Trust the CA files on deb
command: /usr/sbin/update-ca-certificates
when: letsencrypt_ca_files_removal is changed