From 395104bc654d709135b0c23bc96d9c4b3c48df41 Mon Sep 17 00:00:00 2001
From: CVL-GitHub <jupiter.hu@monash.edu>
Date: Mon, 3 Nov 2014 05:10:57 +0000
Subject: [PATCH] Don't recreate certificates if they exist

---
 roles/OpenVPN-Client/tasks/copyCerts.yml      |  5 ++
 roles/OpenVPN-Server/tasks/copyCerts.yml      | 34 ++------
 roles/easy-rsa-CA-client/files/defaultConfig  | 80 -------------------
 .../tasks/buildClientCert.yml                 | 30 +++----
 .../tasks/installEasyRsa.yml                  |  3 +
 .../tasks/buildServerCert.yml                 | 25 +++---
 .../tasks/installEasyRsa.yml                  |  3 +
 roles/easy-rsa-CA/tasks/buildCA.yml           |  2 +
 roles/easy-rsa-CA/tasks/buildClientCert.yml   | 11 +--
 roles/easy-rsa-CA/tasks/buildServerCert.yml   | 23 +++---
 roles/easy-rsa-CA/tasks/installEasyRsa.yml    |  2 +
 11 files changed, 58 insertions(+), 160 deletions(-)
 delete mode 100644 roles/easy-rsa-CA-client/files/defaultConfig

diff --git a/roles/OpenVPN-Client/tasks/copyCerts.yml b/roles/OpenVPN-Client/tasks/copyCerts.yml
index 91cd1af3..45f85422 100644
--- a/roles/OpenVPN-Client/tasks/copyCerts.yml
+++ b/roles/OpenVPN-Client/tasks/copyCerts.yml
@@ -2,12 +2,15 @@
 - 
   copy: "src=/tmp/{{ inventory_hostname }}/ca.crt dest=/etc/openvpn/ca.crt  mode=644 owner=root group=root"
   name: "Copying CA certificate"
+  when: "client_rsa.stat.exists == false"
 - 
   copy: "src=/tmp/{{ inventory_hostname }}/{{ inventory_hostname }}.crt dest=/etc/openvpn/{{ inventory_hostname }}.crt mode=644 owner=root group=root"
   name: "Copying Client certificate"
+  when: "client_rsa.stat.exists == false"
 - 
   copy: "src=/tmp/{{ inventory_hostname }}/{{ inventory_hostname }}.key dest=/etc/openvpn/{{ inventory_hostname }}.key  mode=600 owner=root group=root"
   name: "Copying Client key"
+  when: "client_rsa.stat.exists == false"
 
 - name: "Copying client.conf to the OpenVPN client"
   template: src={{ item }} dest=/etc/openvpn/client.conf
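Review bot: The three added `when: "client_rsa.stat.exists == false"` guards reference a fact that is registered in a different role (roles/easy-rsa-CA-client/tasks/buildClientCert.yml in this same patch), so this task file now aborts with an undefined-variable error whenever the OpenVPN-Client role is applied without that role having run first; the two guards in the next hunk of this file ("Copying client.conf" and "Removing Cert Directory") have the same dependency. Either register the stat at the top of this file or declare the role dependency and make the condition tolerant, `when: "client_rsa is defined and not client_rsa.stat.exists"`. The proxy also tests only /etc/openvpn/ca.crt on the client, so a run that copied the CA certificate but failed before the key copy leaves the client permanently without its key on later runs; stat'ing each destination file separately would be safer than one shared flag.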
@@ -20,7 +23,9 @@
         - ../templates/
         - ../files/
   notify: restart openvpn
+  when: "client_rsa.stat.exists == false"
 
 - name: "Removing Cert Directory"
   local_action: "command rm -rf /tmp/{{ inventory_hostname }}"
+  when: "client_rsa.stat.exists == false"
 
diff --git a/roles/OpenVPN-Server/tasks/copyCerts.yml b/roles/OpenVPN-Server/tasks/copyCerts.yml
index 9c78c1d7..243fae4b 100644
--- a/roles/OpenVPN-Server/tasks/copyCerts.yml
+++ b/roles/OpenVPN-Server/tasks/copyCerts.yml
@@ -1,34 +1,10 @@
 --- 
-- 
-  failed_when: "CAcert.stat.exists  == false"
-  name: "Checking if CA certificate exist"
-  register: CAcert
-  stat: path="/etc/easy-rsa/2.0/keys/ca.crt"
-- 
-  name: "Copying CA certificate"
-  shell: "cp -rpvf /etc/easy-rsa/2.0/keys/ca.crt /etc/openvpn/"
-  when: "CAcert.stat.exists  == true"
-- 
-  failed_when: "ServerCert.stat.exists  == false"
-  name: "Check if Server certificate exist"
-  register: ServerCert
-  stat: "path=/etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.crt"
-- 
-  name: "Copying Server certificate"
-  shell: "cp -rpvf /etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.crt /etc/openvpn/"
-  when: "ServerCert.stat.exists  == true"
-- 
-  failed_when: "ServerKey.stat.exists  == false"
-  name: "Check if Server key exist"
-  register: ServerKey
-  stat: "path=/etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.key"
-- 
-  name: "Copying Server key"
-  shell: "cp -rpvf /etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.key /etc/openvpn/"
-  when: "ServerKey.stat.exists  == true"
-- 
+- name: "Copying CA and server certificate"
+  shell: "cp -pvf /etc/easy-rsa/2.0/keys/ca.crt /etc/openvpn/; cp -pvf /etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.crt /etc/openvpn/; cp -pvf /etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.key /etc/openvpn/"
+  args:
+    creates: /etc/openvpn/ca.crt
+- name: "Create symlink for Diffie Hellman"
   file: "src=/etc/easy-rsa/2.0/keys/dh512.pem dest=/etc/openvpn/dh512.pem state=link"
-  name: "Create symlink for Diffie Hellman"
 - name: "Copying server.conf to the OpenVPN server"
   template: src={{ item }} dest=/etc/openvpn/server.conf
   with_first_found:
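Review bot: The merged "Copying CA and server certificate" task chains the three `cp` commands with `;` and is guarded by `creates: /etc/openvpn/ca.crt`, so a run in which ca.crt is copied but the server certificate or key copy fails (missing source, for instance) is never retried, and because only the last command's exit status is reported a failing first or second copy may not even be visible; the `failed_when` existence checks this hunk removes were the only thing catching a missing server key. Chain with `&&` and key the guard on the last file copied, e.g. `shell: "cp -pvf /etc/easy-rsa/2.0/keys/ca.crt /etc/openvpn/ && cp -pvf /etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.crt /etc/openvpn/ && cp -pvf /etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.key /etc/openvpn/"` with `creates: "/etc/openvpn/{{ inventory_hostname }}.key"`. Note that `cp -p` carries over whatever mode the key has under /etc/easy-rsa/2.0/keys, so the private key's permissions in /etc/openvpn are not pinned anywhere in this task, unlike the client side which sets `mode=600`. Separately, the `dh512.pem` symlink on the unchanged line below suggests 512-bit Diffie-Hellman parameters, far below current minimums; that predates this commit but deserves a follow-up.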
diff --git a/roles/easy-rsa-CA-client/files/defaultConfig b/roles/easy-rsa-CA-client/files/defaultConfig
deleted file mode 100644
index af221dfe..00000000
--- a/roles/easy-rsa-CA-client/files/defaultConfig
+++ /dev/null
@@ -1,80 +0,0 @@
-# easy-rsa parameter settings
-
-# NOTE: If you installed from an RPM,
-# don't edit this file in place in
-# /usr/share/openvpn/easy-rsa --
-# instead, you should copy the whole
-# easy-rsa directory to another location
-# (such as /etc/openvpn) so that your
-# edits will not be wiped out by a future
-# OpenVPN package upgrade.
-
-# This variable should point to
-# the top level of the easy-rsa
-# tree.
-export EASY_RSA="/etc/easy-rsa/2.0"
-
-#
-# This variable should point to
-# the requested executables
-#
-export OPENSSL="openssl"
-export PKCS11TOOL="pkcs11-tool"
-export GREP="grep"
-
-
-# This variable should point to
-# the openssl.cnf file included
-# with easy-rsa.
-export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
-
-# Edit this variable to point to
-# your soon-to-be-created key
-# directory.
-#
-# WARNING: clean-all will do
-# a rm -rf on this directory
-# so make sure you define
-# it correctly!
-export KEY_DIR="$EASY_RSA/keys"
-
-# Issue rm -rf warning
-echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
-
-# PKCS11 fixes
-export PKCS11_MODULE_PATH="dummy"
-export PKCS11_PIN="dummy"
-
-# Increase this to 2048 if you
-# are paranoid.  This will slow
-# down TLS negotiation performance
-# as well as the one-time DH parms
-# generation process.
-export KEY_SIZE=512
-
-# In how many days should the root CA key expire?
-export CA_EXPIRE=3650
-
-# In how many days should certificates expire?
-export KEY_EXPIRE=3650
-
-# These are the default values for fields
-# which will be placed in the certificate.
-# Don't leave any of these fields blank.
-export KEY_COUNTRY="AU"
-export KEY_PROVINCE="Victoria"
-export KEY_CITY="Melbourne"
-export KEY_ORG="Monash University"
-export KEY_EMAIL="shahaan.ayyub@monash.edu"
-export KEY_OU="MCC-R@CMON"
-
-# X509 Subject Field
-export KEY_NAME="EasyRSA"
-
-# PKCS11 Smart Card
-# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
-# export PKCS11_PIN=1234
-
-# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
-# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
-# export KEY_CN="CommonName"
diff --git a/roles/easy-rsa-CA-client/tasks/buildClientCert.yml b/roles/easy-rsa-CA-client/tasks/buildClientCert.yml
index 77d20a61..a2274be4 100644
--- a/roles/easy-rsa-CA-client/tasks/buildClientCert.yml
+++ b/roles/easy-rsa-CA-client/tasks/buildClientCert.yml
@@ -1,24 +1,24 @@
 --- 
-- 
-  delegate_to: "{{ server }}"
-  name: "Check if certificate exist"
-  register: cert
-  stat: "path=/etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.crt"
-- 
+- name: "Check if the easy-rsa is installed"
+  register: client_rsa
+  stat: "path=/etc/openvpn/ca.crt"
+
+- name: "Creating Client certificate"
   delegate_to: "{{ server }}"
-  name: "Creating Client certificate"
   shell: " cd /etc/easy-rsa/2.0; source ./vars; export EASY_RSA=\"${EASY_RSA:-.}\"; \"$EASY_RSA\"/pkitool --csr {{ inventory_hostname }} ;\"$EASY_RSA\"/pkitool --sign {{ inventory_hostname }}"
-  when: "cert.stat.exists  == false"
-- 
+  when: "client_rsa.stat.exists == false"
+
+- name: "Copy the Client Certificate to the master node"
   delegate_to: "{{ server }}"
   fetch: "src=/etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.crt dest=/tmp/{{ inventory_hostname }}/ fail_on_missing=yes validate_md5=yes flat=yes"
-  name: "Copy the Client Certificate to the master node"
-- 
+  when: "client_rsa.stat.exists == false"
+
+- name: "Copy the Client Certificate to the master node"
   delegate_to: "{{ server }}"
   fetch: "src=/etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.key dest=/tmp/{{ inventory_hostname }}/ fail_on_missing=yes validate_md5=yes flat=yes"
-  name: "Copy the Client Certificate to the master node"
-- 
+  when: "client_rsa.stat.exists == false"
+
+- name: "Copy the Client Certificate to the master node"
   delegate_to: "{{ server }}"
   fetch: "src=/etc/easy-rsa/2.0/keys/ca.crt dest=/tmp/{{ inventory_hostname }}/ fail_on_missing=yes validate_md5=yes flat=yes"
-  name: "Copy the Client Certificate to the master node"
-
+  when: "client_rsa.stat.exists == false"
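Review bot: The removed check stat'ed the client's certificate on the CA host (`delegate_to: "{{ server }}"`), whereas the new `client_rsa` stat runs on the client and tests /etc/openvpn/ca.crt, so a client that has lost its /etc/openvpn/ca.crt now gets `pkitool --csr`/`--sign` re-run on the CA, issuing a second certificate with the same CN and replacing the existing key; the task name "Check if the easy-rsa is installed" also does not describe what is checked. Keep a server-side guard on the delegated shell task, `args: creates: "/etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.crt"` (`creates` is evaluated on the delegated host), and rename the stat to what it tests, e.g. `name: "Check if the client already has its OpenVPN CA certificate"`. The last two fetch tasks still carry the name "Copy the Client Certificate to the master node" although they fetch the client key and the CA certificate; distinct names make a failed run readable. Note that the key fetch stages the client private key under /tmp/{{ inventory_hostname }}/ on the controller, and as far as I can see it is only removed when the OpenVPN-Client role later runs to completion.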
diff --git a/roles/easy-rsa-CA-client/tasks/installEasyRsa.yml b/roles/easy-rsa-CA-client/tasks/installEasyRsa.yml
index c5880911..f479b156 100644
--- a/roles/easy-rsa-CA-client/tasks/installEasyRsa.yml
+++ b/roles/easy-rsa-CA-client/tasks/installEasyRsa.yml
@@ -5,3 +5,6 @@
 - 
   name: "Moving easy-rsa to /etc"
   shell: "cp -rf /usr/share/easy-rsa /etc/"
+  args:
+    creates: /etc/easy-rsa/2.0
+
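Review bot: The three otherwise identical "Moving easy-rsa to /etc" tasks now use three different idempotency markers: `creates: /etc/easy-rsa/2.0` here, `chdir: /etc/easy-rsa/2.0/` with `creates: build-ca` in roles/easy-rsa-CA-server/tasks/installEasyRsa.yml, and `creates: /etc/easy-rsa` in roles/easy-rsa-CA/tasks/installEasyRsa.yml. Pick one for all three, preferably a file inside the copied tree rather than a directory that exists as soon as `cp -rf` starts, so an interrupted copy is redone: `creates: /etc/easy-rsa/2.0/build-ca`. The trailing blank line added at the end of this file is harmless but inconsistent with the other two copies.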
diff --git a/roles/easy-rsa-CA-server/tasks/buildServerCert.yml b/roles/easy-rsa-CA-server/tasks/buildServerCert.yml
index 122a4064..595c7a6e 100644
--- a/roles/easy-rsa-CA-server/tasks/buildServerCert.yml
+++ b/roles/easy-rsa-CA-server/tasks/buildServerCert.yml
@@ -1,17 +1,12 @@
 --- 
-- 
-  name: "Check if certificate exist"
-  register: cert
-  stat: "path=/etc/easy-rsa/2.0/keys/{{ ansible_fqdn }}.crt"
-- 
-  name: "Creating Server certificate"
-  shell: " cd /etc/easy-rsa/2.0; source ./vars; export EASY_RSA=\"${EASY_RSA:-.}\"; \"$EASY_RSA/pkitool\"  --server {{ ansible_fqdn }}"
-  when: "cert.stat.exists == false"
-- 
-  name: "Check if Diffie Hellman parameters file exist"
-  register: dh
-  stat: path=/etc/easy-rsa/2.0/keys/dh512.pem
-- 
-  name: "Generating Diffie-Hellman Parameters"
+- name: "Creating Server certificate"
+  shell: " cd /etc/easy-rsa/2.0; source ./vars; export EASY_RSA=\"${EASY_RSA:-.}\"; \"$EASY_RSA/pkitool\"  --server {{ server }}; cp /etc/easy-rsa/2.0/keys/{{ server }}.crt /etc/easy-rsa/2.0/keys/dummy_server.crt"
+  args:
+    chdir: /etc/easy-rsa/2.0/keys/
+    creates: dummy_server.crt  ## Todo: {{ server }}.crt does not work
+
+- name: "Generating Diffie-Hellman Parameters"
   shell: "cd /etc/easy-rsa/2.0; source ./vars; ./build-dh"
-  when: "dh.stat.exists == false"
+  args:
+    chdir: /etc/easy-rsa/2.0/keys/
+    creates: dh512.pem
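Review bot: `creates: dummy_server.crt`, together with the extra `cp ... dummy_server.crt` appended to the command, is a workaround for a templated marker, but `args:` values are templated like any other task argument, so `creates: "/etc/easy-rsa/2.0/keys/{{ server }}.crt"` should work without the copy and without `chdir`; if it did not, the likely cause is `server` being undefined on this host, which the `--server {{ server }}` argument on the same task would also hit. The `## Todo:` trailer is just an inline YAML comment; either resolve it or move it above the key as `# TODO: ...` so it is not lost in the argument line. Switching the subject from `{{ ansible_fqdn }}` to `{{ server }}` also changes the certificate CN, so `server` must match the name clients are configured to verify.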
diff --git a/roles/easy-rsa-CA-server/tasks/installEasyRsa.yml b/roles/easy-rsa-CA-server/tasks/installEasyRsa.yml
index c5880911..8acdd711 100644
--- a/roles/easy-rsa-CA-server/tasks/installEasyRsa.yml
+++ b/roles/easy-rsa-CA-server/tasks/installEasyRsa.yml
@@ -5,3 +5,6 @@
 - 
   name: "Moving easy-rsa to /etc"
   shell: "cp -rf /usr/share/easy-rsa /etc/"
+  args:
+    chdir: /etc/easy-rsa/2.0/
+    creates: build-ca
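Review bot: `chdir: /etc/easy-rsa/2.0/` names the directory this very task creates, and as far as I can tell the shell module changes into `chdir` before it evaluates `creates`, so on a fresh host, where /usr/share/easy-rsa has not yet been copied, the task fails because the directory does not exist. Drop the `chdir` and use an absolute marker instead: `creates: /etc/easy-rsa/2.0/build-ca`.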
diff --git a/roles/easy-rsa-CA/tasks/buildCA.yml b/roles/easy-rsa-CA/tasks/buildCA.yml
index 4c6fe213..f6624664 100644
--- a/roles/easy-rsa-CA/tasks/buildCA.yml
+++ b/roles/easy-rsa-CA/tasks/buildCA.yml
@@ -2,3 +2,5 @@
 - 
   name: "Building the CA Certificate"
   shell: ' cd /etc/easy-rsa/2.0; source ./vars; ./clean-all;  export EASY_RSA="${EASY_RSA:-.}"; "$EASY_RSA/pkitool" --initca $*'
+  args:
+    creates: /etc/easy-rsa/2.0/keys
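Review bot: `creates: /etc/easy-rsa/2.0/keys` is the wrong marker for a command that begins with `./clean-all`: clean-all recreates the keys directory before `pkitool --initca` runs, so a run where initca fails leaves an empty keys directory that skips the task forever, and conversely this guard is the only thing preventing a re-run of `clean-all` from wiping every issued certificate and key in the PKI. Key the guard on the CA's own output instead, `creates: /etc/easy-rsa/2.0/keys/ca.crt`, and consider a separate stat-based assertion that ca.crt exists before later roles copy it. The stray `$*` at the end of the command passes the shell's positional parameters, which are empty here; it predates this commit but is worth removing.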
diff --git a/roles/easy-rsa-CA/tasks/buildClientCert.yml b/roles/easy-rsa-CA/tasks/buildClientCert.yml
index 24aed52c..7f7dde37 100644
--- a/roles/easy-rsa-CA/tasks/buildClientCert.yml
+++ b/roles/easy-rsa-CA/tasks/buildClientCert.yml
@@ -1,11 +1,8 @@
 --- 
-- 
+- name: "Creating Client certificate"
   delegate_to: "127.0.0.1"
-  name: "Check if certificate exist"
-  register: cert
-  stat: "path=/etc/easy-rsa/2.0/keys/{{ client }}.crt"
-- 
-  delegate_to: "127.0.0.1"
-  name: "Creating Client certificate"
   shell: " cd /etc/easy-rsa/2.0; source ./vars; export EASY_RSA=\\\"${EASY_RSA:-.}\\\"; \"$EASY_RSA/pkitool\" --csr {{ client }} ;\"$E ASY_RSA/pkitool\" --sign {{ client }}"
+  args:
+    chdir: /etc/easy-rsa/2.0/keys/
+    creates: client.crt
 
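Review bot: `creates: client.crt` is a literal filename while the command issues `{{ client }}.crt`, so with `chdir: /etc/easy-rsa/2.0/keys/` the guard only ever matches a client literally named "client": for every other value the task re-runs `pkitool --csr`/`--sign` on each play, re-issuing a certificate with the same CN and replacing the key, and once a client named "client" exists every other client is skipped. The same mismatch applies to `creates: server.crt` in roles/easy-rsa-CA/tasks/buildServerCert.yml, whose command produces `{{ server }}.crt`. Template the markers: `creates: "{{ client }}.crt"` here and `creates: "{{ server }}.crt"` there. On the unchanged command line, `\"$E ASY_RSA/pkitool\"` has a space inside the variable name and the `\\\"` escaping appears to leave literal quote characters in the EASY_RSA value, both of which look like they break the signing step; neither is introduced by this commit, but the task is now the only guard against duplicate issuance.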
diff --git a/roles/easy-rsa-CA/tasks/buildServerCert.yml b/roles/easy-rsa-CA/tasks/buildServerCert.yml
index 9f7c8aea..2508a895 100644
--- a/roles/easy-rsa-CA/tasks/buildServerCert.yml
+++ b/roles/easy-rsa-CA/tasks/buildServerCert.yml
@@ -1,17 +1,12 @@
 --- 
-- 
-  name: "Check if certificate exist"
-  register: cert
-  stat: "path=/etc/easy-rsa/2.0/keys/{{ server }}.crt"
-- 
-  name: "Creating Server certificate"
+- name: "Creating Server certificate"
   shell: " cd /etc/easy-rsa/2.0; source ./vars; export EASY_RSA=\"${EASY_RSA:-.}\"; \"$EASY_RSA/pkitool\"  --server {{ server }}"
-  when: "cert.stat.exists == false"
-- 
-  name: "Check if Diffie Hellman parameters file exist"
-  register: dh
-  stat: path=/etc/easy-rsa/2.0/keys/dh512.pem
-- 
-  name: "Generating Diffie-Hellman Parameters"
+  args:
+    chdir: /etc/easy-rsa/2.0/keys/
+    creates: server.crt
+
+- name: "Generating Diffie-Hellman Parameters"
   shell: "cd /etc/easy-rsa/2.0; source ./vars; ./build-dh"
-  when: "dh.stat.exists == false"
+  args:
+    chdir: /etc/easy-rsa/2.0/keys/
+    creates: dh512.pem
diff --git a/roles/easy-rsa-CA/tasks/installEasyRsa.yml b/roles/easy-rsa-CA/tasks/installEasyRsa.yml
index c5880911..80d80a19 100644
--- a/roles/easy-rsa-CA/tasks/installEasyRsa.yml
+++ b/roles/easy-rsa-CA/tasks/installEasyRsa.yml
@@ -5,3 +5,5 @@
 - 
   name: "Moving easy-rsa to /etc"
   shell: "cp -rf /usr/share/easy-rsa /etc/"
+  args:
+    creates: /etc/easy-rsa
-- 
GitLab