Merge pull request #4 from l1ll1/master

example of creating OpenSSL CA and Certificates

Merge pull request #4 from l1ll1/master
9a0f2a69 · Chris Hines · 4f5bd762 · ae5ec5b9 · 9a0f2a69 · 9a0f2a69
Commit 9a0f2a69 authored 10 years ago by Chris Hines
--- a/roles/opensslCA/meta/main.yml
+++ b/roles/opensslCA/meta/main.yml
+---
+depdenencies:
+  - {role: commonVars }
--- a/roles/opensslCA/tasks/main.yml
+++ b/roles/opensslCA/tasks/main.yml
+---
+- name : make ca dir
+  file: path={{ x509cadir }} owner=root group=root state=directory
+  sudo: true
+- name : make newcerts dir
+  file: path={{ x509cadir }}/newcerts owner=root group=root state=directory
+  sudo: true
+- name : make private dir
+  file: path={{ x509cadir }}/private mode=700 owner=root group=root state=directory
+  sudo: true
+- name: initialise ca
+  shell: echo 01 > serial ; touch index.txt
+  args: 
+    chdir: "{{ x509cadir }}"
+    creates: index.txt
+  sudo: true
+- name: template openssl.cnf
+  template: dest={{ x509cadir }}/openssl.cnf src=openssl_cnf.j2
+  sudo: true
+- name: generate key
+  shell: openssl genrsa -out private/cakey.pem 2048
+  args:
+    chdir: "{{ x509cadir }}"
+    creates: private/cakey.pem
+  sudo: true
+- name: generate cert
+  shell: openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 -config openssl.cnf
+  args:
+    chdir: "{{ x509cadir }}"
+    creates: cacert.pem
+  sudo: true
--- a/roles/opensslCA/templates/openssl_cnf.j2
+++ b/roles/opensslCA/templates/openssl_cnf.j2
+[ ca ]
+default_ca = CA_default
+[ CA_default ]
+dir= {{ x509cadir }}
+certs = $dir/certs
+new_certs_dir = $dir/newcerts
+crl_dir = $dir/crl
+crl = $dir/crl.pem
+crlnumber   = $dir/crlnumber
+database = $dir/index.txt
+private_key = $dir/private/cakey.pem
+RANDFILE = $dir/private/.rand
+x509_extensions = usr_cert
+name_opt    = ca_default        # Subject Name options
+cert_opt    = ca_default        # Certificate field options
+default_days    = 365           # how long to certify for
+default_crl_days= 30            # how long before next CRL
+default_md  = default       # use public key default MD
+preserve    = no            # keep passed DN ordering
+policy      = policy_match
+certificate = $dir/cacert.pem
+serial = $dir/serial
+email_in_dn = no
+unique_subject = no
+[ req ]
+distinguished_name = default_name
+prompt = no
+[ default_name ] 
+countryName = NA
+stateOrProvinceName = NA
+organizationName    = NA
+commonName = ca
+[ policy_match ]
+countryName     = match
+stateOrProvinceName = match
+organizationName    = match
+organizationalUnitName  = optional
+commonName      = supplied
+emailAddress        = optional
+[ usr_cert ]
+basicConstraints=CA:FALSE
+nsComment           = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
--- a/roles/opensslCA/vars/main.yml
+++ b/roles/opensslCA/vars/main.yml
+---
+x509cadir: /var/ca
--- a/roles/opensslServer/tasks/main.yml
+++ b/roles/opensslServer/tasks/main.yml
+- include_vars: roles/opensslca/vars/main.yml
+- name: install system packages apt
+  apt: name=openssl state=installed update_cache=true
+  sudo: true
+  when: ansible_os_family == 'Debian'
+- name: install system packages yum
+  yum: name=openssl state=installed
+  sudo: true
+  when: ansible_os_family == 'RedHat'
+- name : make csr dir
+  file: path={{ csrdir }} owner=root group=root state=directory
+  sudo: true
+- name : make private dir
+  file: path={{ csrdir }}/private mode=700 owner=root group=root state=directory
+  sudo: true
+- name: template openssl.cnf
+  template: dest={{ csrdir }}/openssl.cnf src=openssl_cnf.j2
+  sudo: true
+- name: generate key
+  shell: openssl genrsa -out private/key.pem 2048
+  args:
+    chdir: "{{ csrdir }}"
+    creates: private/key.pem
+  sudo: true
+  register: needCert
+- name: generate csr
+  shell: openssl req -new -key private/key.pem -out {{ certname }}.csr -days 3650 -config openssl.cnf
+  args:
+    chdir: "{{ csrdir }}"
+    creates: "{{ certname }}.csr"
+  sudo: true
+  when: needCert|changed
+#
+# Copy the CSR from the host to localhost, then from localhost to the CA server
+#
+- name: copy csr to localhost
+  shell: scp {{ hostvars[ansible_hostname]['ansible_user_id'] }}@{{ ansible_ssh_host }}:/{{ csrdir }}/{{ certname }}.csr /tmp/{{ certname }}.csr
+  delegate_to: 127.0.0.1
+  when: needCert|changed
+- name: echo vars
+  shell: echo {{ causer }}@{{ ca_ssh_host }}
+- name: copy csr to CA
+  shell: scp /tmp/{{ certname }}.csr {{ causer }}@{{ ca_ssh_host }}:/tmp/{{ certname }}.csr
+  delegate_to: 127.0.0.1
+  when: needCert|changed
+#
+# Signing tasks
+# 
+- name: sign certs
+  shell: yes | openssl ca -config {{ cadir }}/openssl.cnf -days 3650 -in /tmp/{{ certname }}.csr -out /tmp/{{ certname }}.cert
+  sudo: true
+  delegate_to: "{{ cahost }}"
+  when: needCert|changed
+#
+# Copy cert from cahost to localhost then back to ansible_host
+#
+- name: copy cert to localhost
+  shell: scp {{ causer }}@{{ ca_ssh_host }}:/tmp/{{ certname }}.cert /tmp/{{ certname }}.cert
+  delegate_to: 127.0.0.1
+  when: needCert|changed
+- name: copy cert to ansible_host
+  copy: src=/tmp/{{ certname }}.cert dest={{ csrdir }}/{{ certname }}.cert
+  sudo: True
+  when: needCert|changed
--- a/roles/opensslServer/templates/openssl_cnf.j2
+++ b/roles/opensslServer/templates/openssl_cnf.j2
+[ req ]
+distinguished_name = default_name
+prompt = no
+[ default_name ]
+countryName = NA
+stateOrProvinceName = NA
+organizationName    = NA
+commonName = {{ ansible_hostname }}.{{ ansible_domain }}
--- a/roles/opensslServer/vars/main.yml
+++ b/roles/opensslServer/vars/main.yml
+---
+csrdir: /var/x509csr
+certname: "{{ ansible_hostname }}"
+cahost: "{{ groups['x509ca'][0] }}"
+ca_ssh_host: "{{ hostvars[cahost]['ansible_ssh_host'] }}"
+causer: "{{ hostvars[cahost]['ansible_user_id'] }}"
+cadir: "{{ x509cadir }}"
--- a/get_or_make_passwd.py
+++ b/get_or_make_passwd.py
--- a/scripts/makehosts.py
+++ b/scripts/makehosts.py
+#!/usr/bin/python
+import sys
+import json
+filename = sys.argv[1]
+domain = sys.argv[2]
+f=open(filename,'r')
+s=f.read()
+d=json.loads(s)
+f.close()
+hosts={}
+for group in d['groups'].keys():
+    i=0
+    for h in d['groups'][group]:
+        if hosts.has_key(h):
+            hosts[h].append('%s-%s.%s'%(group,i,domain))
+            hosts[h].append('%s-%s'%(group,i))
+            pass
+        else:
+            hosts[h] = ['%s.%s'%(h,domain),'%s-%s.%s'%(group,i,domain),'%s'%h,'%s-%s'%(group,i)]
+        i=i+1
+for h in hosts.keys():
+    string="%s"%(d['hostvars'][h]['ansible_eth0']['ipv4']['address'])
+    for name in hosts[h]:
+        string=string+" %s"%name
+    print string