updated full-pki info

README.md

@@ -24,7 +24,7 @@ Ansible Role to create certificates to use on a linux server.
       * Supported for Nginx and Apache
       * Host needs to have a valid public dns record pointed at it
       * Needs to be publicly reachable over port 80/tcp
-    * _Use a proper **Certificate Authority** (_full PKI_) to create **signed certificates**_ => not yet available
+    * _Use a proper **Certificate Authority** (_full PKI_) to create **signed certificates**_ => **not yet available**
 
 
   * **Default config**:
@@ -47,6 +47,7 @@ Ansible Role to create certificates to use on a linux server.
 
 * **Warning:** Not every setting/variable you provide will be checked for validity. Bad config might break the role!
 
+
 ## Requirements
 
 * Community collection: ```ansible-galaxy install -r requirements.yml```
@@ -84,6 +85,8 @@ Example for Self-Signed config:
 ```yaml
 certs:
   mode: 'selfsigned'
+  # choose 'ca' instead if you use dns-names
+  #   some browsers won't let you connect when using self-signed ones
   path: '/etc/nginx/ssl'
   group_key: 'nginx'
   owner_cert: 'nginx'

defaults/main.yml

@@ -2,7 +2,7 @@
 
 # default config => is overwritten by provided config
 default_certs:
-  mode: 'selfsigned'  # selfsigned, ca, ca_min, le_certbot
+  mode: 'selfsigned'  # selfsigned, ca, pki, le_certbot
   path: '/etc/certs'
 
   cert:

tasks/debian/letsencrypt/main.yml

@@ -37,8 +37,21 @@
   no_log: true
   with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"
 
-- name: Certificates | Debian | LetsEncrypt Certbot | Removing certificates
+# todo: task gets stuck
-  ansible.builtin.command: "certbot revoke --cert-name {{ le_name }} && certbot delete --cert-name {{ le_name }}"
+- name: Certificates | Debian | LetsEncrypt Certbot | Revoking certificates
+  ansible.builtin.command: "certbot revoke --cert-name {{ le_name }}"
+  when:
+    - le_cert.state != 'present'
+    - existing_certs_raw.stdout.find(le_name) != -1
+  vars:
+    le_cert: "{{ default_le_certbot_cert_config | combine(cert_item.value, recursive=true) }}"
+    le_name: "{{ cert_item.key | safe_key }}"
+  loop_control:
+    loop_var: cert_item
+  with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"
+
+- name: Certificates | Debian | LetsEncrypt Certbot | Deleting certificates
+  ansible.builtin.command: "certbot delete --cert-name {{ le_name }}"
   when:
     - le_cert.state != 'present'
     - existing_certs_raw.stdout.find(le_name) != -1

tasks/debian/pki.yml

@@ -5,5 +5,5 @@
 
 - name: Certificates | Debian | Internal | CA | Not yet implemented
   ansible.builtin.debug:
-    msg: "The certificate mode 'ca_full' is not yet implemented!"
+    msg: "The certificate mode 'pki' is not yet implemented!"
   tags: ca

tasks/main.yml

@@ -8,11 +8,11 @@
 
 - name: Certificates | Internal signed
   ansible.builtin.include_tasks: internal/main.yml
-  when: "CERT_CONFIG.mode in ['ca_full', 'ca', 'selfsigned']"
+  when: "CERT_CONFIG.mode in ['pki', 'ca', 'selfsigned']"
 
 - name: Certificates | Internal | CA
-  ansible.builtin.include_tasks: debian/ca_full.yml
+  ansible.builtin.include_tasks: debian/pki.yml
-  when: CERT_CONFIG.mode == 'ca_full'
+  when: CERT_CONFIG.mode == 'pki'
 
 - name: Certificates | Debian | Letsencrypt
   ansible.builtin.include_tasks: debian/letsencrypt/main.yml