Validate certificate before overwriting #9

Merged
merged 2 commits into from Sep 7, 2019
21 changes: 20 additions & 1 deletion CHANGES.rst
Expand Up @@ -12,7 +12,26 @@ The current role maintainer is `ganto <ganto@linuxmonk.ch>`_.
`ganto.acme_tiny master`_ - unreleased
--------------------------------------

.. _ganto.acme_tiny master: https://github.com/ganto/ansible-acme_tiny/compare/v0.1.1...master
.. _ganto.acme_tiny master: https://github.com/ganto/ansible-acme_tiny/compare/v0.1.2...master


`ganto.acme_tiny v0.1.2`_ - 2019-09-07
--------------------------------------

.. _ganto.acme_tiny v0.1.2: https://github.com/ganto/ansible-acme_tiny/compare/v0.1.0...v0.1.2

Added
~~~~~

- New variable :envvar:`acme_tiny__cert_backup` allows to disable backup of
existing certificates. Defaults to ``True``.

Changed
~~~~~~~

- Don't overwrite existing certificate when running ``acme-tiny``. First create a
temporary file and only copy certificate in place after validation.


`ganto.acme_tiny v0.1.1`_ - 2018-09-23
--------------------------------------
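Review bot: the compare link for the new v0.1.2 entry spans `v0.1.0...v0.1.2`, which folds the v0.1.1 changes (released 2018-09-23, listed just below) into the v0.1.2 range; since the unreleased `master` link was correctly bumped from `v0.1.1...master` to `v0.1.2...master`, the release link should most likely read `https://github.com/ganto/ansible-acme_tiny/compare/v0.1.1...v0.1.2`. Minor wording nit in the Added entry: "allows to disable backup" reads better as "allows disabling the backup".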
7 changes: 7 additions & 0 deletions defaults/main.yml
Expand Up @@ -30,6 +30,13 @@ acme_tiny__challenge_dir: '/var/www/acme-challenges'
# :ref:`acme_tiny_ref_account_key`.
acme_tiny__account_key: 'account.key'


# .. envvar:: acme_tiny__cert_backup
#
# If a certificate already exists create a backup before overwriting it with
# the re-newed certificate.
acme_tiny__cert_backup: True

# ]]]
# Certificate authority configuration [[[
# ---------------------------------------
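Review bot: typo in the new variable's documentation comment: "re-newed" should be "renewed". It would also help operators to state in the comment that this value is passed straight through as the `backup:` parameter of the copy task that installs the certificate, so they know the backup is a timestamped copy written next to the certificate path rather than something the role manages or rotates itself.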
24 changes: 19 additions & 5 deletions tasks/main.yml
Expand Up @@ -13,22 +13,36 @@
--directory-url '{{ acme_tiny__ca_directory_url }}'
--account-key '{{ acme_tiny__config_dir }}/{{ acme_tiny__account_key }}'
--csr '{{ acme_tiny__cert_request }}'
--acme-dir '{{ acme_tiny__challenge_dir }}' > '{{ acme_tiny__certificate }}'
--acme-dir '{{ acme_tiny__challenge_dir }}' > '{{ acme_tiny__certificate }}.tmp'
register: acme_tiny__register_certificate
failed_when: False

- name: Show acme-tiny output
debug: var=acme_tiny__register_certificate
debug:
var: acme_tiny__register_certificate
when: not ansible_check_mode|d()
failed_when: ("rc" in acme_tiny__register_certificate) and
(not acme_tiny__register_certificate.rc == 0)

- name: Certificate permissions
file:
path: '{{ acme_tiny__certificate }}'
- name: Copy certificate from temporary file
become: True
become_user: '{{ acme_tiny__user_name }}'
copy:
src: '{{ acme_tiny__certificate }}.tmp'
dest: '{{ acme_tiny__certificate }}'
owner: '{{ acme_tiny__user_name }}'
group: '{{ acme_tiny__user_group }}'
mode: '0644'
backup: '{{ acme_tiny__cert_backup }}'
remote_src: True
validate: /usr/bin/openssl x509 -in %s -noout -text

- name: Cleanup temporary file
become: True
become_user: '{{ acme_tiny__user_name }}'
file:
path: '{{ acme_tiny__certificate }}.tmp'
state: absent

- name: Merge certificate/key to PEM file
become: True
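Review bot: the "Cleanup temporary file" task is only reached when "Copy certificate from temporary file" succeeds, so the case this change is meant to guard against (acme-tiny writing something that `openssl x509` refuses to parse) is exactly the one that leaves `{{ acme_tiny__certificate }}.tmp` behind; the same applies when the "Show acme-tiny output" task fails on a non-zero `rc`, because the shell redirect has already created the `.tmp` file before acme-tiny ran. Consider grouping the three tasks in a `block:` with the removal in an `always:` section, or giving the cleanup task `ignore_errors`/`when` handling so the stale file is removed on every path. Also worth noting in the task name or a comment: `openssl x509 -in %s -noout -text` only confirms that the first PEM block parses as a well-formed certificate; it does not check that the certificate matches `{{ acme_tiny__cert_request }}` or the account's private key, so the existing certificate is still protected against truncated or empty output, but not against a structurally valid certificate for the wrong key.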