From 7a8a5982c0cfffbe6ac3a24c224acf6af69754b5 Mon Sep 17 00:00:00 2001 From: Markus Katharina Brechtel Date: Thu, 16 Nov 2017 14:16:28 +0000 Subject: [PATCH] current state --- defaults/main.yml | 17 +++++---- handlers/main.yml | 7 ++++ tasks/csr.yml | 6 +-- tasks/directory.yml | 22 +++++++++++ tasks/key.yml | 1 + tasks/main.yml | 3 ++ tasks/provider-ca.yml | 49 +++++++++++++++++++++++++ tasks/provider-letsencrypt.yml | 1 + tasks/provider-selfsigned.yml | 1 + templates/certificate_extensions.cnf.j2 | 2 + templates/csr.cnf.j2 | 2 +- 11 files changed, 99 insertions(+), 12 deletions(-) create mode 100644 handlers/main.yml create mode 100644 tasks/directory.yml create mode 100644 tasks/provider-ca.yml create mode 100644 tasks/provider-letsencrypt.yml diff --git a/defaults/main.yml b/defaults/main.yml index 9d408b3..97d7c7d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,15 +1,16 @@ certificate_name: "{{ certificate_common_name | regex_replace(' ', '_') }}" -certificate_file: "{{ certificate_directory }}/{{ certificate_name }}.cert.pem" +certificate_file: "{{ certificate_directory }}/certs/{{ certificate_name }}.cert.pem" -certificate_private_key_file: "{{ certificate_private_directory }}/{{ certificate_name }}.key.pem" +certificate_private_key_file: "{{ certificate_directory }}/private/{{ certificate_name }}.key.pem" certificate_private_key_size: 4096 -certificate_signing_request_file: "{{ certificate_directory }}/{{ certificate_name }}.csr.pem" -certificate_signing_request_config_file: "{{ certificate_directory }}/{{ certificate_name }}.csr.cnf" +certificate_signing_request_file: "{{ certificate_directory }}/csr/{{ certificate_name }}.csr.pem" +certificate_signing_request_config_file: "{{ certificate_directory }}/cnf/{{ certificate_name }}.csr.cnf" certificate_authority: false -certificate_key_usage: - - digitalSignature - - keyEncipherment -#certificate_extended_key_usage: + +# certificate_key_usage: +# - digitalSignature +# - keyEncipherment +# certificate_extended_key_usage: # - serverAuth diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..1e2354b --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,7 @@ +--- + +- name: stat certificate + stat: + path: "{{ certificate_file }}" + register: _certificate_stat + listen: certificate changed diff --git a/tasks/csr.yml b/tasks/csr.yml index 0df2f92..092c6bd 100644 --- a/tasks/csr.yml +++ b/tasks/csr.yml @@ -23,6 +23,6 @@ changed_when: false register: _certificate_signing_request_info -- name: certificate signing request debug - debug: - msg: "{{ _certificate_signing_request_info.stdout_lines }}" +# - name: certificate signing request debug +# debug: +# msg: "{{ _certificate_signing_request_info.stdout_lines }}" diff --git a/tasks/directory.yml b/tasks/directory.yml new file mode 100644 index 0000000..55f26f4 --- /dev/null 
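Review bot: The default `certificate_key_usage` list is commented out in this hunk, so a certificate requested with the role's defaults no longer carries any keyUsage constraint (the template in this same commit only emits `keyUsage` when the variable is defined), where before it was limited to `digitalSignature, keyEncipherment`. A variable in defaults/ is already overridable by callers, so if the aim is to let them choose, keep the default active — `certificate_key_usage:` / `  - digitalSignature` / `  - keyEncipherment` — and if the default is meant to go, say why in the comment. The hunk also drops `certificate_private_directory` in favour of `{{ certificate_directory }}/private`; an inventory that still sets `certificate_private_directory` is now silently ignored and its key lands in the new location, so a one-line comment noting the move would save the next maintainer a surprise.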
+++ b/tasks/directory.yml @@ -0,0 +1,22 @@ +--- + +- name: directory + file: + path: "{{ certificate_directory }}" + state: directory + +- name: subdirectories + file: + path: "{{ certificate_directory }}/{{item}}" + state: directory + with_items: + - certs + - csr + - cnf + - private + +- name: private directory + file: + path: "{{ certificate_authority_directory }}/private" + mode: 0700 + state: directory diff --git a/tasks/key.yml b/tasks/key.yml index 4d2a7b5..bc1ddb3 100644 --- a/tasks/key.yml +++ b/tasks/key.yml @@ -9,3 +9,4 @@ creates: "{{ certificate_private_key_file }}" environment: PRIVATE_KEY_PASSWORD: "{{ certificate_private_key_password | default('') }}" + notify: certificate changed diff --git a/tasks/main.yml b/tasks/main.yml index d5446f8..d4b793f 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,5 +1,8 @@ --- +- include: directory.yml + when: certificate_directory is defined + - name: setup include: setup_{{ansible_os_family}}.yml diff --git a/tasks/provider-ca.yml b/tasks/provider-ca.yml new file mode 100644 index 0000000..8e72fbe --- /dev/null +++ b/tasks/provider-ca.yml 
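Review bot: The `private` subdirectory that the new default `certificate_private_key_file` points to (`{{ certificate_directory }}/private`) is created by the `subdirectories` task with whatever mode the umask yields, while the `mode: 0700` is applied to `{{ certificate_authority_directory }}/private` — a different tree — so the host's key directory gets no tightening from this role. Take `private` out of `with_items` and point the dedicated task at it: `path: "{{ certificate_directory }}/private"` with `mode: "0700"`; if the CA host's private directory also needs creating, give that its own task. Whether the key file itself ends up 0600 depends on the openssl invocation in key.yml, which is not visible here, so the directory mode may be the only protection applied. Note too that this file is included (per tasks/main.yml in this commit) whenever `certificate_directory` is defined, yet the last task dereferences `certificate_authority_directory`, which presumably only exists on the CA host; unless it has a default I cannot see, non-CA hosts will fail on an undefined variable.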
@@ -0,0 +1,49 @@
+---
+
+- include: key.yml
+- include: csr.yml
+
+- name: certificate host_files directory
+ local_action: file
+ args:
+ path: host_files/{{inventory_hostname}}/certificate
+ state: directory
+
+- name: fetch certificate signing request
+ fetch:
+ src: "{{ certificate_signing_request_file }}"
+ dest: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.csr.pem
+ flat: yes
+ fail_on_missing: yes
+
+- name: copy certificate signing request
+ copy:
+ src: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.csr.pem
+ dest: "{{ certificate_authority_directory }}/csr/{{inventory_hostname}}-{{certificate_name}}.csr.pem"
+ delegate_to: "{{ certificate_authority_host }}"
+
+- name: sign certificate with ca
+ command: openssl ca -selfsign -batch -notext
+ -config cnf/ca.cnf
+ -in csr/{{inventory_hostname}}-{{certificate_name}}.csr.pem
+ -out certs/{{inventory_hostname}}-{{certificate_name}}.cert.pem
+ {{ certificate_authority_private_key_password is defined | ternary('-passin env:PRIVATE_KEY_PASSWORD','') }}
+ args:
+ chdir: "{{ certificate_authority_directory }}"
+ creates: "{{ certificate_authority_directory }}/certs/{{inventory_hostname}}-{{certificate_name}}.cert.pem"
+ environment:
+ PRIVATE_KEY_PASSWORD: "{{ certificate_authority_private_key_password | default('') }}"
+ delegate_to: "{{ certificate_authority_host }}"
+
+- name: fetch certificate
+ fetch:
+ src: "{{ certificate_authority_directory }}/certs/{{inventory_hostname}}-{{certificate_name}}.cert.pem"
+ dest: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.cert.pem
+ flat: yes
+ fail_on_missing: yes
+ delegate_to: "{{ certificate_authority_host }}"
+
+- name: copy certificate
+ copy:
+ src: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.cert.pem
+ dest: "{{ certificate_file }}"
diff --git a/tasks/provider-letsencrypt.yml b/tasks/provider-letsencrypt.yml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
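Review bot: `-selfsign` in the `sign certificate with ca` task tells `openssl ca` to sign with the key the request itself was signed with and to ignore requests signed by any other key, so a host CSR (signed with the host's own key) will not be issued here; for CA-issued certificates the flag has to go: `command: openssl ca -batch -notext`. With `-batch` the CA then signs whatever subject and SANs the requesting host placed in its CSR, and nothing compares them to `inventory_hostname`, so a compromised host can obtain a certificate for any name this CA covers — at minimum an `openssl req -noout -subject` check on the CA side, or a `-policy` section in `cnf/ca.cnf` (not visible here), should pin the CN to the host. The `creates:` guard also means a host that regenerates its key keeps being handed the previously issued certificate, which will no longer match the key. Finally the fetched certificate is copied into `certificate_file` without verifying it was issued for the host's private key; a public-key comparison before the final `copy` would catch both problems.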
+++ b/tasks/provider-letsencrypt.yml @@ -0,0 +1 @@ +--- diff --git a/tasks/provider-selfsigned.yml b/tasks/provider-selfsigned.yml index ad549bc..723e20c 100644 --- a/tasks/provider-selfsigned.yml +++ b/tasks/provider-selfsigned.yml @@ -15,3 +15,4 @@ creates: "{{ certificate_file }}" environment: PRIVATE_KEY_PASSWORD: "{{ certificate_private_key_password | default('') }}" + notify: certificate changed diff --git a/templates/certificate_extensions.cnf.j2 b/templates/certificate_extensions.cnf.j2 index dfc0861..14efc42 100644 --- a/templates/certificate_extensions.cnf.j2 +++ b/templates/certificate_extensions.cnf.j2 @@ -3,7 +3,9 @@ [certificate_extensions] # Extensions for server certificates (`man x509v3_config`). basicConstraints = critical, {{ certificate_basic_constraints | join(', ') }} +{% if certificate_key_usage is defined %} keyUsage = critical, {{ certificate_key_usage | join(', ') }} +{% endif %} {% if certificate_extended_key_usage is defined and certificate_extended_key_usage %} extendedKeyUsage=critical, {{ certificate_extended_key_usage | join(', ') }} {% endif %} diff --git a/templates/csr.cnf.j2 b/templates/csr.cnf.j2 index 52f2e35..5c33158 100644 --- a/templates/csr.cnf.j2 +++ b/templates/csr.cnf.j2 @@ -18,7 +18,7 @@ L = {{certificate_locality}} {% if certificate_organization is defined%} O = {{certificate_organization}} {% endif %} -{% if certificate_organizational_unit is defined%}/OU= +{% if certificate_organizational_unit is defined%} OU = {{certificate_organizational_unit}} {% endif %} CN = {{certificate_common_name}}
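Review bot: The new guard `{% if certificate_key_usage is defined %}` in templates/certificate_extensions.cnf.j2 only tests definedness, unlike the `extendedKeyUsage` guard two lines below which also tests truthiness, so a caller who sets `certificate_key_usage: []` (or null) renders `keyUsage = critical, ` and openssl will reject the extension section. Use the same form as the neighbouring guard: `{% if certificate_key_usage is defined and certificate_key_usage %}`. Combined with defaults/main.yml commenting out the default list in this commit, certificates produced with role defaults now have no keyUsage at all; if that is intended it deserves a comment in this template, because the `# Extensions for server certificates` header still reads as though the usage is constrained.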