step_ca_certificate: implement state, drop step_ca_revoke module

Fixes maxhoesel-ansible#188 Fixes maxhoesel-ansible#121
maxhoesel · Oct 27, 2023 · 8cb8526 · 8cb8526
1 parent b0d076a
commit 8cb8526
Show file tree

Hide file tree

Showing 13 changed files with 492 additions and 304 deletions.
diff --git a/plugins/modules/step_ca_certificate.py b/plugins/modules/step_ca_certificate.py
diff --git a/plugins/modules/step_ca_revoke.py b/plugins/modules/step_ca_revoke.py
diff --git a/roles/step_acme_cert/molecule/converge.yml b/roles/step_acme_cert/molecule/converge.yml
@@ -8,25 +8,44 @@
     webgroup:
       Debian: www-data
       RedHat: nginx
+    # Shared parameters
+    step_acme_cert_duration: 1h
+    step_acme_cert_renewal_when: 59m # force renewal to happen every minute
+    step_acme_cert_renewal_reload_services: ["nginx"]
   tasks:
-    - name: Test getting a standalone cert
+    # this is just to test standalone behavior, this certificate is not used by the nginx setup
+    - name: Test getting a standalone cert (not used by nginx)
       include_role:
         name: step_acme_cert
+      vars:
+        step_acme_cert_certfile:
+          path: /etc/ssl/standalone.cert
+          mode: "644"
+          group: "{{ webgroup[ansible_os_family] }}"
+        step_acme_cert_keyfile:
+          path: /etc/ssl/standalone.key
+          mode: "640"
+          group: "{{ webgroup[ansible_os_family] }}"
+        step_acme_cert_renewal_service: step-renew-standalone
 
     - name: Start nginx
       systemd:
         name: nginx
         state: started
-
     - name: Get cert via webroot
       include_role:
         name: step_acme_cert
       vars:
+        step_acme_cert_certfile:
+          path: /etc/ssl/webroot.cert
+          mode: "644"
+          group: "{{ webgroup[ansible_os_family] }}"
+        step_acme_cert_keyfile:
+          path: /etc/ssl/webroot.key
+          mode: "640"
+          group: "{{ webgroup[ansible_os_family] }}"
         step_acme_cert_webroot_path: "{{ webroots[ansible_os_family] }}"
-        step_acme_cert_duration: 1h
         step_acme_cert_renewal_service: step-renew-webroot
-        step_acme_cert_renewal_when: 59m # force renewal to happen every minute
-        step_acme_cert_renewal_reload_services: ["nginx"]
 
     - name: Install Nginx site [Debian]
       template:

diff --git a/roles/step_acme_cert/molecule/default/molecule.yml b/roles/step_acme_cert/molecule/default/molecule.yml
@@ -138,13 +138,3 @@ provisioner:
         step_cli_steppath: /etc/step-cli-molecule
         step_acme_cert_ca_provisioner: ACME
         step_bootstrap_ca_url: https://step-ca:9000
-
-        certfile: /etc/ssl/step.crt
-        keyfile: /etc/ssl/step.key
-
-        step_acme_cert_certfile:
-          mode: "644"
-          group: "{{ webgroup[ansible_os_family] }}"
-        step_acme_cert_keyfile:
-          mode: "640"
-          group: "{{ webgroup[ansible_os_family] }}"
diff --git a/roles/step_acme_cert/molecule/non_root/molecule.yml b/roles/step_acme_cert/molecule/non_root/molecule.yml
@@ -138,15 +138,3 @@ provisioner:
         step_acme_cert_steppath: "/home/max/custom-steppath"
         step_acme_cert_ca_provisioner: ACME
         step_bootstrap_ca_url: https://step-ca:9000
-
-        certfile: /etc/ssl/non-root/nginx-test.cert
-        keyfile: /etc/ssl/non-root/nginx-test.key
-
-        step_acme_cert_certfile:
-          path: /etc/ssl/non-root/nginx-test.cert
-          mode: "644"
-          group: "{{ webgroup[ansible_os_family] }}"
-        step_acme_cert_keyfile:
-          path: /etc/ssl/non-root/nginx-test.key
-          mode: "640"
-          group: "{{ webgroup[ansible_os_family] }}"
diff --git a/roles/step_acme_cert/molecule/templates/nginx.conf b/roles/step_acme_cert/molecule/templates/nginx.conf
@@ -38,8 +38,8 @@ http {
         listen 443 ssl default_server;
 	    listen [::]:443 ssl default_server;
 
-        ssl_certificate {{ certfile}};
-        ssl_certificate_key {{ keyfile }};
+        ssl_certificate /etc/ssl/webroot.cert;
+        ssl_certificate_key /etc/ssl/webroot.key;
 
         location / {
         }

diff --git a/roles/step_acme_cert/molecule/templates/nginx_site.conf b/roles/step_acme_cert/molecule/templates/nginx_site.conf
@@ -7,8 +7,8 @@ server {
 
 	root /var/www/html;
 
-    ssl_certificate {{ certfile}};
-    ssl_certificate_key {{ keyfile }};
+    ssl_certificate /etc/ssl/webroot.cert;
+    ssl_certificate_key /etc/ssl/webroot.key;
 
 	index index.html index.htm index.nginx-debian.html;
 

diff --git a/roles/step_acme_cert/molecule/verify.yml b/roles/step_acme_cert/molecule/verify.yml
@@ -9,7 +9,7 @@
       assert:
         that:
           - ansible_facts.services["nginx.service"]["state"] == "running"
-          - ansible_facts.services["step-renew.service"]["state"] == "running"
+          - ansible_facts.services["step-renew-standalone.service"]["state"] == "running"
           - ansible_facts.services["step-renew-webroot.service"]["state"] == "running"
       register: _res
       retries: 3
@@ -27,7 +27,7 @@
       assert:
         that:
           - ansible_facts.services["nginx.service"]["state"] == "running"
-          - ansible_facts.services["step-renew.service"]["state"] == "running"
+          - ansible_facts.services["step-renew-standalone.service"]["state"] == "running"
           - ansible_facts.services["step-renew-webroot.service"]["state"] == "running"
       register: _res
       retries: 3

diff --git a/roles/step_acme_cert/tasks/get_cert.yml b/roles/step_acme_cert/tasks/get_cert.yml
diff --git a/roles/step_acme_cert/tasks/main.yml b/roles/step_acme_cert/tasks/main.yml
@@ -12,20 +12,32 @@
     step_acme_cert_keyfile_full: "{{ step_acme_cert_keyfile_defaults | combine(step_acme_cert_keyfile) }}"
     step_acme_cert_certfile_full: "{{ step_acme_cert_certfile_defaults | combine(step_acme_cert_certfile) }}"
 
-- name: Look for existing certificate
-  ansible.builtin.stat:
-    path: "{{ step_acme_cert_certfile_full.path }}"
-  register: step_acme_cert_current_cert
+- name: Get certificate from CA
+  maxhoesel.smallstep.step_ca_certificate:
+    provisioner: "{{ step_acme_cert_ca_provisioner }}"
+    contact: "{{ step_acme_cert_contact }}"
+    crt_file: "{{ step_acme_cert_certfile_full.path }}"
+    key_file: "{{ step_acme_cert_keyfile_full.path }}"
+    state: present
+    name: "{{ step_acme_cert_name }}"
+    not_after: "{{ step_acme_cert_duration | default(omit) }}"
+    san: "{{ step_acme_cert_san }}"
+    standalone: "{{ step_acme_cert_webroot_path | bool }}"
+    step_cli_executable: "{{ step_cli_executable }}"
+    webroot: "{{ step_acme_cert_webroot_path }}"
+  become: yes
+  become_user: "{{ step_acme_cert_user }}"
+  environment:
+    STEPPATH: "{{ _resolved_steppath }}"
 
-- name: Check if certificate is valid
-  ansible.builtin.command: "{{ step_cli_executable }} certificate verify {{ step_acme_cert_certfile_full.path }}"
-  changed_when: no
-  check_mode: no
-  ignore_errors: true
-  register: _step_acme_cert_validity
-  when: step_acme_cert_current_cert.stat.exists
-
-- ansible.builtin.include_tasks: get_cert.yml
-  when: 'not step_acme_cert_current_cert.stat.exists or "failed to verify certificate" in _step_acme_cert_validity.stderr'
+- name: Cert and key permissions are set
+  file:
+    path: "{{ item.path }}"
+    mode: "{{ item.mode }}"
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+  loop:
+    - "{{ step_acme_cert_keyfile_full }}"
+    - "{{ step_acme_cert_certfile_full }}"
 
 - ansible.builtin.include_tasks: renewal.yml