diff --git a/README.md b/README.md
index 483eba6..1585828 100644
--- a/README.md
+++ b/README.md
@@ -24,7 +24,7 @@ Ansible Role to create certificates to use on a linux server.
 * Supported for Nginx and Apache
 * Host needs to have a valid public dns record pointed at it
 * Needs to be publicly reachable over port 80/tcp
- * _Use a proper **Certificate Authority** (_full PKI_) to create **signed certificates**_ => not yet available
+ * _Use a proper **Certificate Authority** (_full PKI_) to create **signed certificates**_ => **not yet available**
 
 * **Default config**:
 
@@ -47,6 +47,7 @@ Ansible Role to create certificates to use on a linux server.
 * **Warning:** Not every setting/variable you provide will be checked for validity. Bad config might break the role!
 
 
+
 ## Requirements
 
 * Community collection: ```ansible-galaxy install -r requirements.yml```
@@ -84,6 +85,8 @@ Example for Self-Signed config:
 ```yaml
 certs:
   mode: 'selfsigned'
+  # choose 'ca' instead if you use dns-names
+  # some browsers won't let you connect when using self-signed ones
   path: '/etc/nginx/ssl'
   group_key: 'nginx'
   owner_cert: 'nginx'
diff --git a/defaults/main.yml b/defaults/main.yml
index 70dcd9f..0647ce4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -2,7 +2,7 @@
 
 # default config => is overwritten by provided config
 default_certs:
-  mode: 'selfsigned' # selfsigned, ca, ca_min, le_certbot
+  mode: 'selfsigned' # selfsigned, ca, pki, le_certbot
   path: '/etc/certs'
 
   cert:
diff --git a/tasks/debian/letsencrypt/main.yml b/tasks/debian/letsencrypt/main.yml
index f7bc25a..5576e48 100644
--- a/tasks/debian/letsencrypt/main.yml
+++ b/tasks/debian/letsencrypt/main.yml
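Review bot: The updated inline comment on `mode` in defaults/main.yml lists 'pki' as if it were a working choice, while tasks/debian/pki.yml in this same commit only emits a "not yet implemented" debug message and the README still marks the full-PKI mode as not yet available. A user reading defaults alone can therefore select a mode that silently does nothing. Suggest making that visible where the choice is made: `mode: 'selfsigned' # selfsigned, ca, le_certbot (pki: not yet implemented)`.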
@@ -37,8 +37,21 @@
   no_log: true
   with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"
 
-- name: Certificates | Debian | LetsEncrypt Certbot | Removing certificates
-  ansible.builtin.command: "certbot revoke --cert-name {{ le_name }} && certbot delete --cert-name {{ le_name }}"
+# todo: task gets stuck
+- name: Certificates | Debian | LetsEncrypt Certbot | Revoking certificates
+  ansible.builtin.command: "certbot revoke --cert-name {{ le_name }}"
+  when:
+    - le_cert.state != 'present'
+    - existing_certs_raw.stdout.find(le_name) != -1
+  vars:
+    le_cert: "{{ default_le_certbot_cert_config | combine(cert_item.value, recursive=true) }}"
+    le_name: "{{ cert_item.key | safe_key }}"
+  loop_control:
+    loop_var: cert_item
+  with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"
+
+- name: Certificates | Debian | LetsEncrypt Certbot | Deleting certificates
+  ansible.builtin.command: "certbot delete --cert-name {{ le_name }}"
   when:
     - le_cert.state != 'present'
     - existing_certs_raw.stdout.find(le_name) != -1
diff --git a/tasks/debian/ca_full.yml b/tasks/debian/pki.yml
similarity index 70%
rename from tasks/debian/ca_full.yml
rename to tasks/debian/pki.yml
index 21c68e7..aed7ef7 100644
--- a/tasks/debian/ca_full.yml
+++ b/tasks/debian/pki.yml
@@ -5,5 +5,5 @@
 
- name: Certificates | Debian | Internal | CA | Not yet implemented
   ansible.builtin.debug:
-    msg: "The certificate mode 'ca_full' is not yet implemented!"
+    msg: "The certificate mode 'pki' is not yet implemented!"
   tags: ca
diff --git a/tasks/main.yml b/tasks/main.yml
index b658e21..488ccbd 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
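Review bot: The `# todo: task gets stuck` left on the new Revoking task most likely describes `certbot revoke` waiting on its interactive prompt about deleting the revoked files, which can never be answered when Ansible runs the command without a tty; since the following Deleting task already handles removal, the command should be made non-interactive and told explicitly to keep the files: `ansible.builtin.command: "certbot revoke --cert-name {{ le_name }} --non-interactive --no-delete-after-revoke"`. The `existing_certs_raw.stdout.find(le_name) != -1` guard on both tasks is a substring test, so a name that is a prefix of another certificate's name passes the check and certbot then fails on a certificate that does not exist; matching against the parsed certificate-name entries would be stricter, though that depends on how existing_certs_raw is collected before this hunk. The Deleting task's remaining keys (vars, loop_control, with_dict) presumably continue past the end of the hunk and should mirror the Revoking task.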
@@ -8,11 +8,11 @@
 
 - name: Certificates | Internal signed
   ansible.builtin.include_tasks: internal/main.yml
-  when: "CERT_CONFIG.mode in ['ca_full', 'ca', 'selfsigned']"
+  when: "CERT_CONFIG.mode in ['pki', 'ca', 'selfsigned']"
 
 - name: Certificates | Internal | CA
-  ansible.builtin.include_tasks: debian/ca_full.yml
-  when: CERT_CONFIG.mode == 'ca_full'
+  ansible.builtin.include_tasks: debian/pki.yml
+  when: CERT_CONFIG.mode == 'pki'
 
 - name: Certificates | Debian | Letsencrypt
   ansible.builtin.include_tasks: debian/letsencrypt/main.yml
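Review bot: Renaming the mode value from 'ca_full' to 'pki' in both `when` conditions silently breaks existing configurations: a host still set to `mode: 'ca_full'` now matches neither the `Certificates | Internal signed` include nor the `Certificates | Internal | CA` include, so the role completes successfully without touching any certificate, and the README already warns that bad config is not validated. A guard task ahead of these includes turns that into an immediate, explained failure and catches any other typo in the mode; the accepted values are the ones the defaults comment lists. The start of tasks/main.yml lies outside the hunk, so the exact insertion point is an assumption.
```yaml
- name: Certificates | Validate mode
  ansible.builtin.assert:
    that:
      - "CERT_CONFIG.mode in ['pki', 'ca', 'selfsigned', 'le_certbot']"
    fail_msg: "Unsupported certificate mode '{{ CERT_CONFIG.mode }}' ('ca_full' was renamed to 'pki')"

# … unchanged: the three include_tasks tasks of the hunk …
```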