mirror of
https://github.com/rocky-linux/ansible-role-ipa-getcert.git
synced 2024-12-22 16:38:30 +00:00
94 lines
3.2 KiB
YAML
94 lines
3.2 KiB
YAML
---
|
|
# Request the certificate for the host from IPA
|
|
# System must be enrolled as an IPA Client and must be ran as root
|
|
- name: Check if host is IPA enrolled
|
|
shell: /usr/sbin/ipa-client-install --unattended 2>&1 | grep "already configured"
|
|
register: ipacheck
|
|
ignore_errors: true
|
|
changed_when: false
|
|
|
|
- name: Verify host is IPA enrolled
|
|
assert:
|
|
that:
|
|
- ipacheck.rc == 0 | mandatory
|
|
fail_msg: "System is not enrolled to IPA"
|
|
success_msg: "IPA enrolled, moving on"
|
|
quiet: true
|
|
|
|
- name: Check certificate existence
|
|
stat:
|
|
path: "{{ item.key_location | default(ipa_getcert_cert_default_location) }}/{{ item.name }}.crt"
|
|
register: cert_results
|
|
with_items: "{{ ipa_getcert_requested_hostnames }}"
|
|
ignore_errors: true
|
|
|
|
- name: Verify certificate existence
|
|
assert:
|
|
that:
|
|
- not item.stat.exists | mandatory
|
|
fail_msg: "Certificate already exists!"
|
|
success_msg: "Certificate doesn't exist, moving on"
|
|
quiet: true
|
|
with_items: "{{ cert_results.results }}"
|
|
|
|
- name: IPA Certificate Operations
|
|
block:
|
|
- name: Deploy ipa-getcert script
|
|
template:
|
|
src: "get_cert.sh.j2"
|
|
dest: "/root/get_cert.sh"
|
|
owner: root
|
|
group: root
|
|
mode: '0750'
|
|
|
|
- name: Request Certificate
|
|
raw: /root/get_cert.sh
|
|
register: ipa_cert_request
|
|
|
|
- name: Chain link certificates
|
|
block:
|
|
- name: Create chain directory
|
|
file:
|
|
state: directory
|
|
path: "{{ ipa_getcert_chain_location }}"
|
|
owner: root
|
|
group: "{{ ipa_getcert_group }}"
|
|
mode: '0750'
|
|
|
|
- name: Chain link certs
|
|
file:
|
|
state: link
|
|
src: "{{ item.cert_location | default(ipa_getcert_cert_default_location) }}/{{ item.name }}.crt"
|
|
dest: "{{ ipa_getcert_chain_location }}/{{ item.name }}.crt"
|
|
owner: "{{ item.owner | default(ipa_getcert_owner_default) }}"
|
|
group: "{{ item.owner | default(ipa_getcert_owner_default) }}"
|
|
with_items: "{{ ipa_getcert_requested_hostnames }}"
|
|
|
|
- name: Chain link keys
|
|
file:
|
|
state: link
|
|
src: "{{ item.key_location | default(ipa_getcert_cert_default_location) }}/{{ item.name }}.key"
|
|
path: "{{ ipa_getcert_chain_location }}/{{ item.name }}.key"
|
|
owner: "{{ item.owner | default(ipa_getcert_owner_default) }}"
|
|
group: "{{ item.owner | default(ipa_getcert_owner_default) }}"
|
|
with_items: "{{ ipa_getcert_requested_hostnames }}"
|
|
|
|
- name: Assemble the chain
|
|
assemble:
|
|
src: "{{ ipa_getcert_chain_location }}"
|
|
dest: "{{ ipa_getcert_chain_location }}/{{ item.name }}.pem"
|
|
regexp: "^{{ item.name }}.(crt|key)$"
|
|
owner: "{{ item.owner | default(ipa_getcert_owner_default) }}"
|
|
group: "{{ item.owner | default(ipa_getcert_owner_default) }}"
|
|
mode: '0640'
|
|
with_items: "{{ ipa_getcert_requested_hostnames }}"
|
|
when:
|
|
- ipa_getcert_chain
|
|
- ipa_cert_request.rc == 0
|
|
rescue:
|
|
- name: "Erroring out with message"
|
|
debug:
|
|
msg: "We caught an error, likely with the ipa-getcert script. Please verify the output."
|
|
when:
|
|
- ipacheck.rc == 0
|