---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
## SET UP ACCOUNT KEYS ########################################################################
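# Account keys are the credentials the ACME account used below is bound to
# (see `account_key: account-ec256`). They are regenerated on every run
# (`force: true`) because this is a throw-away integration-test fixture.
- block:
    - name: Generate account keys
      openssl_privatekey:
        path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
        type: "{{ item.type }}"
        # Only one of `size` / `curve` is meaningful for a given key type;
        # the other is omitted so the module never sees a stray parameter.
        size: "{{ item.size | default(omit) }}"
        curve: "{{ item.curve | default(omit) }}"
        # Private key material: state the restrictive mode explicitly rather
        # than relying on the module's default file permissions.
        mode: "0600"
        force: true
      loop: "{{ account_keys }}"

  vars:
    # Single EC P-256 account key; add entries here to exercise other types.
    account_keys:
      - name: account-ec256
        type: ECC
        curve: secp256r1
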
## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
# Issue one certificate through the shared obtain-cert.yml helper so that the
# renewal-info checks further down have a real, freshly issued cert to inspect.
- name: Obtain cert 1
  include_tasks: obtain-cert.yml
  vars:
    certgen_title: Certificate 1 for renewal check
    certificate_name: cert-1
    # Leaf key: RSA at the size the test environment declares.
    key_type: rsa
    rsa_bits: "{{ default_rsa_key_size }}"
    # Identity to be validated, using the http-01 challenge.
    subject_alt_name: "DNS:example.com"
    subject_alt_name_critical: false
    challenge: http-01
    # ACME account: the EC key generated above, with a test contact address.
    account_key: account-ec256
    account_email: "example@example.org"
    modify_account: true
    terms_agreed: true
    # Always request a new certificate; do not deactivate authorizations
    # afterwards; no renewal threshold (remaining_days is omitted).
    force: true
    deactivate_authzs: false
    remaining_days: "{{ omit }}"

## OBTAIN CERTIFICATE INFOS ###################################################################
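# Diagnostic only: print the certificate in human-readable form into the
# playbook output so a later failing assertion can be diagnosed from the log.
- name: Dump OpenSSL x509 info
  command:
    # argv form: the path is handed over as one argument, so a remote_tmp_dir
    # containing whitespace or quote characters cannot be split or mangled by
    # the module's command-line tokenizer.
    argv:
      - openssl
      - x509
      - "-in"
      - "{{ remote_tmp_dir }}/cert-1.pem"
      - "-noout"
      - "-text"
  # Read-only inspection: never report it as a change.
  changed_when: false
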
# Parse the issued certificate with the crypto backend and keep the parsed
# fields in cert_1_info for later comparison.
- name: Obtain certificate information
  register: cert_1_info
  x509_certificate_info:
    path: "{{ remote_tmp_dir }}/cert-1.pem"

# Fetch the PEM bytes (slurp returns them base64-encoded in .content) so the
# renewal-info module can also be fed the certificate via certificate_content
# instead of a path (check 3/11).
- name: Read certificate
  register: slurp_cert_1
  slurp:
    src: "{{ remote_tmp_dir }}/cert-1.pem"

# Check 1/11: plain lookup at real wall-clock time, no renewal thresholds.
- name: Obtain certificate information (1/11)
  register: cert_1_renewal_1
  acme_certificate_renewal_info:
    certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
    acme_directory: "https://{{ acme_host }}:14000/dir"
    acme_version: 2
    # NOTE(review): TLS verification is disabled presumably because the test
    # ACME endpoint serves an untrusted (self-signed) certificate. This is
    # acceptable only for a throw-away test fixture — never carry
    # validate_certs=false over to a real directory URL.
    validate_certs: false
    select_crypto_backend: "{{ select_crypto_backend }}"

# Check 2/11: same lookup at real time, but with very generous thresholds
# (1000 days / 50 % of lifetime) so that renewal should be indicated.
- name: Obtain certificate information (2/11)
  register: cert_1_renewal_2
  acme_certificate_renewal_info:
    certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
    acme_directory: "https://{{ acme_host }}:14000/dir"
    acme_version: 2
    # Test fixture only: the endpoint's TLS certificate is presumably not
    # trusted by this host. Do not reuse validate_certs=false in production.
    validate_certs: false
    select_crypto_backend: "{{ select_crypto_backend }}"
    remaining_days: 1000
    remaining_percentage: 0.5

# Check 3/11: certificate passed inline (decoded slurp output) instead of by
# path, with the clock moved ~5 years into the future so the cert is expired.
- name: Obtain certificate information (3/11)
  register: cert_1_renewal_3
  acme_certificate_renewal_info:
    certificate_content: "{{ slurp_cert_1.content | b64decode }}"
    acme_directory: "https://{{ acme_host }}:14000/dir"
    acme_version: 2
    # Test fixture only: the endpoint's TLS certificate is presumably not
    # trusted by this host. Do not reuse validate_certs=false in production.
    validate_certs: false
    select_crypto_backend: "{{ select_crypto_backend }}"
    # Relative time offset evaluated by the module, quoted so YAML never
    # tries to interpret it.
    now: "+1800d"

# Check 4/11: far-future clock plus moderate thresholds (30 days / 10 %).
- name: Obtain certificate information (4/11)
  register: cert_1_renewal_4
  acme_certificate_renewal_info:
    certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
    acme_directory: "https://{{ acme_host }}:14000/dir"
    acme_version: 2
    # Test fixture only: the endpoint's TLS certificate is presumably not
    # trusted by this host. Do not reuse validate_certs=false in production.
    validate_certs: false
    select_crypto_backend: "{{ select_crypto_backend }}"
    now: "+1800d"
    remaining_days: 30
    remaining_percentage: 0.1

# Check 5/11: as 4/11 but with a 1 % percentage threshold.
- name: Obtain certificate information (5/11)
  register: cert_1_renewal_5
  acme_certificate_renewal_info:
    certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
    acme_directory: "https://{{ acme_host }}:14000/dir"
    acme_version: 2
    # Test fixture only: the endpoint's TLS certificate is presumably not
    # trusted by this host. Do not reuse validate_certs=false in production.
    validate_certs: false
    select_crypto_backend: "{{ select_crypto_backend }}"
    now: "+1800d"
    remaining_days: 30
    remaining_percentage: 0.01

# Check 6/11: far-future clock with tight thresholds (10 days / 3 %).
- name: Obtain certificate information (6/11)
  register: cert_1_renewal_6
  acme_certificate_renewal_info:
    certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
    acme_directory: "https://{{ acme_host }}:14000/dir"
    acme_version: 2
    # Test fixture only: the endpoint's TLS certificate is presumably not
    # trusted by this host. Do not reuse validate_certs=false in production.
    validate_certs: false
    select_crypto_backend: "{{ select_crypto_backend }}"
    now: "+1800d"
    remaining_days: 10
    remaining_percentage: 0.03

# Check 7/11: clock moved even further out (+1830 days), no thresholds.
- name: Obtain certificate information (7/11)
  register: cert_1_renewal_7
  acme_certificate_renewal_info:
    certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
    acme_directory: "https://{{ acme_host }}:14000/dir"
    acme_version: 2
    # Test fixture only: the endpoint's TLS certificate is presumably not
    # trusted by this host. Do not reuse validate_certs=false in production.
    validate_certs: false
    select_crypto_backend: "{{ select_crypto_backend }}"
    now: "+1830d"

# Check 8/11: neither certificate_path nor certificate_content is given —
# exercises the module's "no certificate supplied" path.
- name: Obtain certificate information (8/11)
  register: cert_1_renewal_8
  acme_certificate_renewal_info:
    acme_directory: "https://{{ acme_host }}:14000/dir"
    acme_version: 2
    # Test fixture only: the endpoint's TLS certificate is presumably not
    # trusted by this host. Do not reuse validate_certs=false in production.
    validate_certs: false
    select_crypto_backend: "{{ select_crypto_backend }}"
    now: "+1830d"

# Check 9/11: path to a file that does not exist. No ignore_errors here, so
# the module is expected to report this as a non-existing certificate rather
# than fail the play.
- name: Obtain certificate information (9/11)
  register: cert_1_renewal_9
  acme_certificate_renewal_info:
    certificate_path: "{{ remote_tmp_dir }}/cert-does-not-exist.pem"
    acme_directory: "https://{{ acme_host }}:14000/dir"
    acme_version: 2
    # Test fixture only: the endpoint's TLS certificate is presumably not
    # trusted by this host. Do not reuse validate_certs=false in production.
    validate_certs: false
    select_crypto_backend: "{{ select_crypto_backend }}"

# Fixture for checks 10/11 and 11/11: a file with a .pem name whose body is
# not PEM at all. The block scalar keeps exactly one trailing newline.
- name: Create broken file
  copy:
    content: |
      --- THIS IS NOT A CERT ---
    dest: "{{ remote_tmp_dir }}/cert-is-broken.pem"

# Check 10/11: unparsable certificate with parsing errors treated as errors.
# The task is expected to fail; ignore_errors (not failed_when) is used
# deliberately so the failure stays recorded in cert_1_renewal_10 for the
# assertions while the play continues.
- name: Obtain certificate information (10/11)
  register: cert_1_renewal_10
  ignore_errors: true
  acme_certificate_renewal_info:
    certificate_path: "{{ remote_tmp_dir }}/cert-is-broken.pem"
    treat_parsing_error_as_non_existing: false
    acme_directory: "https://{{ acme_host }}:14000/dir"
    acme_version: 2
    # Test fixture only: the endpoint's TLS certificate is presumably not
    # trusted by this host. Do not reuse validate_certs=false in production.
    validate_certs: false
    select_crypto_backend: "{{ select_crypto_backend }}"

# Check 11/11: same broken file, but parsing errors are to be treated like a
# missing certificate, so no ignore_errors is needed.
- name: Obtain certificate information (11/11)
  register: cert_1_renewal_11
  acme_certificate_renewal_info:
    certificate_path: "{{ remote_tmp_dir }}/cert-is-broken.pem"
    treat_parsing_error_as_non_existing: true
    acme_directory: "https://{{ acme_host }}:14000/dir"
    acme_version: 2
    # Test fixture only: the endpoint's TLS certificate is presumably not
    # trusted by this host. Do not reuse validate_certs=false in production.
    validate_certs: false
    select_crypto_backend: "{{ select_crypto_backend }}"