Use one ACME account key per host

This is nicer for us, since this avoids sharing a secret. Also put certificate directories in `certs` sub-directory for better organization.
2023-04-25 18:03:59 +02:00 · 2023-04-25 18:03:59 +02:00 · 4814ea8bda
commit 4814ea8bda
parent f9c51842fd
2 changed files with 43 additions and 33 deletions
--- a/playbooks/roles/cert/tasks/deploy_cert.yml
+++ b/playbooks/roles/cert/tasks/deploy_cert.yml
@ -1,4 +1,4 @@
- name: Ensure certs directory exists
+- name: Ensure `ansible_certs` directory exists
  ansible.builtin.file:
    path: /etc/ansible_certs
    state: directory
@ -7,18 +7,27 @@
    mode: "755"
  become: true

+- name: Ensure `certs` sub-directory exists
+  ansible.builtin.file:
+    path: /etc/ansible_certs/certs
+    state: directory
+    owner: root
+    group: root
+    mode: "755"
+  become: true
+
 - name: Ensure sub-directory for the certificate exists
  ansible.builtin.file:
-    path: "/etc/ansible_certs/{{ item }}"
+    path: "/etc/ansible_certs/certs/{{ item }}"
    state: directory
    owner: "{{ cert__owner }}"
    group: "{{ cert__group }}"
    mode: "755"
  become: true

- name: Ensure private key is generated
+- name: Ensure private key for certificate exists
  community.crypto.openssl_privatekey:
-    path: "/etc/ansible_certs/{{ item }}/key.pem"
+    path: "/etc/ansible_certs/certs/{{ item }}/key.pem"
    size: 4096
    type: RSA
    owner: "{{ cert__owner }}"
@ -28,8 +37,8 @@

 - name: Ensure certificate signing request is created
  community.crypto.openssl_csr:
-    path: "/etc/ansible_certs/{{ item }}/csr.pem"
-    privatekey_path: "/etc/ansible_certs/{{ item }}/key.pem"
+    path: "/etc/ansible_certs/certs/{{ item }}/csr.pem"
+    privatekey_path: "/etc/ansible_certs/certs/{{ item }}/key.pem"
    common_name: "{{ item }}"
    owner: "{{ cert__owner }}"
    group: "{{ cert__group }}"
@ -37,18 +46,28 @@
  become: true
  register: cert__csr_result

+- name: Ensure private key for ACME account exists
+  community.crypto.openssl_privatekey:
+    path: "/etc/ansible_certs/account_key.pem"
+    size: 4096
+    type: RSA
+    owner: root
+    group: root
+    mode: "0600"
+  become: true
+
 - name: Check certificate status and create ACME challenge if needed
  community.crypto.acme_certificate:
-    account_email: "{{ cert__acme_account.email }}"
-    account_key_content: "{{ cert__acme_account.key }}"
+    account_email: "{{ cert__acme_account_email }}"
+    account_key_src: "/etc/ansible_certs/account_key.pem"
    acme_directory: https://acme-v02.api.letsencrypt.org/directory
    acme_version: 2
    remaining_days: 28
    terms_agreed: true
    challenge: dns-01
-    csr: "/etc/ansible_certs/{{ item }}/csr.pem"
-    dest: "/etc/ansible_certs/{{ item }}/cert.pem"
-    fullchain_dest: "/etc/ansible_certs/{{ item }}/fullchain.pem"
+    csr: "/etc/ansible_certs/certs/{{ item }}/csr.pem"
+    dest: "/etc/ansible_certs/certs/{{ item }}/cert.pem"
+    fullchain_dest: "/etc/ansible_certs/certs/{{ item }}/fullchain.pem"
  become: true
  register: cert__acme_challenge

@ -68,16 +87,16 @@
        state: present
    - name: Retrieve certificate
      community.crypto.acme_certificate:
-        account_email: "{{ cert__acme_account.email }}"
-        account_key_content: "{{ cert__acme_account.key }}"
+        account_email: "{{ cert__acme_account_email }}"
+        account_key_src: "/etc/ansible_certs/account_key.pem"
        acme_directory: https://acme-v02.api.letsencrypt.org/directory
        acme_version: 2
        terms_agreed: true
        remaining_days: 28
        challenge: dns-01
-        csr: "/etc/ansible_certs/{{ item }}/csr.pem"
-        dest: "/etc/ansible_certs/{{ item }}/cert.pem"
-        fullchain_dest: "/etc/ansible_certs/{{ item }}/fullchain.pem"
+        csr: "/etc/ansible_certs/certs/{{ item }}/csr.pem"
+        dest: "/etc/ansible_certs/certs/{{ item }}/cert.pem"
+        fullchain_dest: "/etc/ansible_certs/certs/{{ item }}/fullchain.pem"
        data: "{{ cert__acme_challenge }}"
      become: true
      notify: "{{ cert__handlers }}"
@ -95,7 +114,7 @@

 - name: Ensure correct permissions for certificate are set
  ansible.builtin.file:
-    path: "/etc/ansible_certs/{{ item }}/cert.pem"
+    path: "/etc/ansible_certs/certs/{{ item }}/cert.pem"
    owner: "{{ cert__owner }}"
    group: "{{ cert__group }}"
    mode: "0660"
@ -103,7 +122,7 @@

 - name: Ensure correct permissions for fullchain cert are set
  ansible.builtin.file:
-    path: "/etc/ansible_certs/{{ item }}/fullchain.pem"
+    path: "/etc/ansible_certs/certs/{{ item }}/fullchain.pem"
    owner: "{{ cert__owner }}"
    group: "{{ cert__group }}"
    mode: "0660"
@ -111,20 +130,20 @@

 - name: Get content of cert.pem
  ansible.builtin.slurp:
-    src: "/etc/ansible_certs/{{ item }}/cert.pem"
+    src: "/etc/ansible_certs/certs/{{ item }}/cert.pem"
  become: true
  register: cert__cert_slurp

 - name: Get content of fullchain.pem
  ansible.builtin.slurp:
-    src: "/etc/ansible_certs/{{ item }}/fullchain.pem"
+    src: "/etc/ansible_certs/certs/{{ item }}/fullchain.pem"
  become: true
  register: cert__fullchain_slurp

 - name: Ensure ca.pem is created
  ansible.builtin.copy:
    content: "{{ cert__fullchain_slurp.content | b64decode | replace(cert__cert_slurp.content | b64decode, '') }}"
-    dest: "/etc/ansible_certs/{{ item }}/ca.pem"
+    dest: "/etc/ansible_certs/certs/{{ item }}/ca.pem"
    owner: "{{ cert__owner }}"
    group: "{{ cert__group }}"
    mode: "0660"