From 2b3918384da2c599720867fd04077a0059746427 Mon Sep 17 00:00:00 2001 From: Slavek Kabrda Date: Thu, 25 Jul 2024 15:52:27 +0200 Subject: [PATCH] Replace usage of community.crypto by openssl calls on the managed node --- galaxy.yml | 3 +- requirements.yml | 4 +- roles/tas_single_node/defaults/main.yml | 15 - roles/tas_single_node/tasks/certificates.yml | 283 +++++++++--------- .../tasks/create_ingress_cert.yml | 60 ++-- 5 files changed, 171 insertions(+), 194 deletions(-) diff --git a/galaxy.yml b/galaxy.yml index 77360275..c675da80 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -11,8 +11,7 @@ description: TODO license_file: Apache-2.0 tags: [sigstore, tas, rhtas, security, cosign] # NOTE: when updating, also update dependencies in requirements.yml -dependencies: - containers.podman: ">=1.15.0" +dependencies: {} repository: https://github.com/securesign/artifact-signer-ansible/ documentation: http://TODO.com homepage: https://TODO.com diff --git a/requirements.yml b/requirements.yml index 9e18f325..246f2324 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,5 +1,3 @@ --- # NOTE: when updating, also update dependencies in galaxy.yml -collections: - - name: containers.podman - version: ">=1.15.0" +collections: [] diff --git a/roles/tas_single_node/defaults/main.yml b/roles/tas_single_node/defaults/main.yml index 35b1e218..286f1618 100644 --- a/roles/tas_single_node/defaults/main.yml +++ b/roles/tas_single_node/defaults/main.yml @@ -48,8 +48,6 @@ tas_single_node_certs_dir: "{{ tas_single_node_config_dir }}/certs" tas_single_node_kube_manifest_dir: "{{ tas_single_node_config_dir }}/manifests" tas_single_node_kube_configmap_dir: "{{ tas_single_node_config_dir }}/configs" -tas_single_node_local_certs_dir: /tmp/rhtas/certs - tas_single_node_private_key_filename: rhtas.key tas_single_node_ca_filename: rhtas.pem tas_single_node_fulcio_private_key_filename: fulcio.key @@ -64,15 +62,6 @@ tas_single_node_tsa_certificate_chain_filename: certificate-chain.pem tas_single_node_tsa_intermediate_certificate_filename: intermediate-certificate.pem tas_single_node_tsa_signer_private_key_filename: signer-private-key.pem -tas_single_node_local_private_key: "{{ tas_single_node_local_certs_dir }}/{{ tas_single_node_private_key_filename }}" -tas_single_node_local_ca: "{{ tas_single_node_local_certs_dir }}/{{ tas_single_node_ca_filename }}" -tas_single_node_local_fulcio_private_key: "{{ tas_single_node_local_certs_dir }}/{{ tas_single_node_fulcio_private_key_filename }}" -tas_single_node_local_fulcio_public_key: "{{ tas_single_node_local_certs_dir }}/{{ tas_single_node_fulcio_public_key_filename }}" -tas_single_node_local_fulcio_root_ca: "{{ tas_single_node_local_certs_dir }}/{{ tas_single_node_fulcio_root_ca_filename }}" -tas_single_node_local_ctlog_private_key: "{{ tas_single_node_local_certs_dir }}/{{ tas_single_node_ctlog_private_key_filename }}" -tas_single_node_local_ctlog_public_key: "{{ tas_single_node_local_certs_dir }}/{{ tas_single_node_ctlog_public_key_filename }}" -tas_single_node_local_rekor_signer: "{{ tas_single_node_local_certs_dir }}/{{ tas_single_node_rekor_signer_filename }}" -tas_single_node_local_rekor_public_key: "{{ tas_single_node_local_certs_dir }}/{{ tas_single_node_rekor_public_key_filename }}" tas_single_node_remote_private_key: "{{ tas_single_node_certs_dir }}/{{ tas_single_node_private_key_filename }}" tas_single_node_remote_ca: "{{ tas_single_node_certs_dir }}/{{ tas_single_node_ca_filename }}" tas_single_node_remote_fulcio_private_key: "{{ tas_single_node_certs_dir }}/{{ tas_single_node_fulcio_private_key_filename }}" @@ -111,12 +100,8 @@ tas_single_node_ct_logprefix: rhtasansible tas_single_node_tsa_enabled: true tas_single_node_signer_type: file -tas_single_node_local_tsa_certificate_chain: "{{ tas_single_node_local_certs_dir }}/{{ tas_single_node_tsa_certificate_chain_filename }}" -tas_single_node_local_tsa_intermediate_certificate: "{{ tas_single_node_local_certs_dir }}/{{ tas_single_node_tsa_intermediate_certificate_filename }}" -tas_single_node_local_tsa_signer_private_key: "{{ tas_single_node_local_certs_dir }}/{{ tas_single_node_tsa_signer_private_key_filename }}" tas_single_node_remote_tsa_signer_private_key: "{{ tas_single_node_certs_dir }}/{{ tas_single_node_tsa_signer_private_key_filename }}" tas_single_node_remote_tsa_certificate_chain: "{{ tas_single_node_certs_dir }}/{{ tas_single_node_tsa_certificate_chain_filename }}" -tas_single_node_local_tsa_private_key: "{{ tas_single_node_local_certs_dir }}/{{ tas_single_node_tsa_private_key_filename }}" tas_single_node_remote_tsa_private_key: "{{ tas_single_node_certs_dir }}/{{ tas_single_node_tsa_private_key_filename }}" tas_single_node_tsa_secret: "{{ tas_single_node_kube_configmap_dir }}/tsa-secret.yaml" diff --git a/roles/tas_single_node/tasks/certificates.yml b/roles/tas_single_node/tasks/certificates.yml index 8cbf9b71..37640be5 100644 --- a/roles/tas_single_node/tasks/certificates.yml +++ b/roles/tas_single_node/tasks/certificates.yml @@ -20,45 +20,44 @@ paths: "{{ tas_single_node_certs_dir }}" register: certs_dir_files -- name: Create Local Certificates Directory - ansible.builtin.file: - state: directory - dest: "{{ tas_single_node_local_certs_dir }}" - mode: "0700" - delegate_to: localhost +- name: Install openssl for generating RHTAS secrets + ansible.builtin.package: + name: openssl + state: present +# TODO: file permissions of the created files? - name: Create private key (RSA, 4096 bits) - community.crypto.openssl_privatekey: - path: "{{ tas_single_node_local_private_key }}" - delegate_to: localhost + ansible.builtin.command: + cmd: "openssl genrsa -out '{{ tas_single_node_remote_private_key }}' 4096" + creates: "{{ tas_single_node_remote_private_key }}" when: (certs_dir_files.files | selectattr('path', 'equalto', tas_single_node_remote_private_key) | list | length) == 0 - name: Create Root CA - delegate_to: localhost when: (certs_dir_files.files | selectattr('path', 'equalto', tas_single_node_remote_ca) | list | length) == 0 block: - name: Create certificate signing request (CSR) for CA certificate - community.crypto.openssl_csr_pipe: - privatekey_path: "{{ tas_single_node_local_private_key }}" - common_name: "{{ tas_single_node_base_hostname }}" - use_common_name_for_san: false - basic_constraints: - - CA:TRUE - basic_constraints_critical: true - key_usage: - - keyCertSign - key_usage_critical: true + ansible.builtin.command: + cmd: >- + openssl req -new + -key '{{ tas_single_node_remote_private_key }}' + -subj '/CN={{ tas_single_node_base_hostname }}' + -addext 'basicConstraints=critical,CA:TRUE' + -addext 'keyUsage = critical,keyCertSign' register: ca_csr + changed_when: false - name: Create self-signed CA certificate from CSR - community.crypto.x509_certificate: - path: "{{ tas_single_node_local_ca }}" - csr_content: "{{ ca_csr.csr }}" - privatekey_path: "{{ tas_single_node_local_private_key }}" - provider: selfsigned - selfsigned_not_after: +365d # valid for one year - -- name: Create Ingress Certificates + ansible.builtin.shell: + # valid for two years + cmd: >- + set -o pipefail && + echo "{{ ca_csr.stdout }}" | + openssl x509 -req -days 730 + -signkey '{{ tas_single_node_remote_private_key }}' + -out '{{ tas_single_node_remote_ca }}' + creates: "{{ tas_single_node_remote_ca }}" + +- name: Create ingress certificates ansible.builtin.include_tasks: create_ingress_cert.yml loop: - fulcio @@ -69,154 +68,176 @@ loop_var: cert_name vars: existing_files: "{{ certs_dir_files }}" - local_ca_key_path: "{{ tas_single_node_local_private_key }}" - local_ca_cert_path: "{{ tas_single_node_local_ca }}" remote_ca_key_path: "{{ tas_single_node_remote_private_key }}" remote_ca_cert_path: "{{ tas_single_node_remote_ca }}" dns_name: "{{ cert_name }}.{{ tas_single_node_base_hostname }}" -- name: Create fulcio root - delegate_to: localhost +- name: Create Fulcio root when: > (certs_dir_files.files | selectattr('path', 'equalto', tas_single_node_remote_fulcio_private_key) | list | length) == 0 or (certs_dir_files.files | selectattr('path', 'equalto', tas_single_node_remote_fulcio_public_key) | list | length) == 0 or (certs_dir_files.files | selectattr('path', 'equalto', tas_single_node_remote_fulcio_root_ca) | list | length) == 0 block: - - name: Create Fulcio Private Key - community.crypto.openssl_privatekey: - path: "{{ tas_single_node_local_fulcio_private_key }}" - curve: secp256r1 - type: ECC - passphrase: "{{ tas_single_node_fulcio_ca_passphrase }}" - cipher: auto - - - name: Create Fulcio Public Key - community.crypto.openssl_publickey: - path: "{{ tas_single_node_local_fulcio_public_key }}" - privatekey_path: "{{ tas_single_node_local_fulcio_private_key }}" - privatekey_passphrase: "{{ tas_single_node_fulcio_ca_passphrase }}" + - name: Create Fulcio private key + # openssl ecparam doesn't directly allow to encrypt the key with passphrase, so we pipe it to encryption command + ansible.builtin.shell: + cmd: >- + set -o pipefail && + openssl ecparam -name secp384r1 | + openssl ec -des3 + -out '{{ tas_single_node_remote_fulcio_private_key }}' + -passin 'pass:{{ tas_single_node_fulcio_ca_passphrase }}' + creates: "{{ tas_single_node_remote_fulcio_private_key }}" + + - name: Create Fulcio public key + ansible.builtin.command: + cmd: >- + openssl ec + -in '{{ tas_single_node_remote_fulcio_private_key }}' + -pubout '{{ tas_single_node_remote_fulcio_public_key }}' + -passin 'pass:{{ tas_single_node_fulcio_ca_passphrase }}' + creates: "{{ tas_single_node_remote_fulcio_public_key }}" - name: Create certificate signing request (CSR) for Fulcio Root certificate - community.crypto.openssl_csr_pipe: - privatekey_path: "{{ tas_single_node_local_fulcio_private_key }}" - privatekey_passphrase: "{{ tas_single_node_fulcio_ca_passphrase }}" - basic_constraints: - - CA:TRUE - basic_constraints_critical: true - key_usage: - - keyCertSign - key_usage_critical: true + ansible.builtin.command: + cmd: >- + openssl req -new + -key '{{ tas_single_node_remote_fulcio_private_key }}' + -addext 'basicConstraints=critical,CA:TRUE' + -addext 'keyUsage = critical,keyCertSign' + -passin 'pass:{{ tas_single_node_fulcio_ca_passphrase }}' register: fulcio_root_csr + changed_when: false - name: Create self-signed Fulcio root from CSR - community.crypto.x509_certificate: - path: "{{ tas_single_node_local_fulcio_root_ca }}" - csr_content: "{{ fulcio_root_csr.csr }}" - privatekey_path: "{{ tas_single_node_local_fulcio_private_key }}" - privatekey_passphrase: "{{ tas_single_node_fulcio_ca_passphrase }}" - provider: selfsigned + ansible.builtin.shell: + # valid for two years + cmd: >- + set -o pipefail && + echo "{{ fulcio_root_csr.stdout }}" | + openssl x509 -req -days 730 + -signkey '{{ tas_single_node_remote_fulcio_private_key }}' + -passin 'pass:{{ tas_single_node_fulcio_ca_passphrase }}' + -out '{{ tas_single_node_remote_fulcio_root_ca }}' + creates: "{{ tas_single_node_remote_fulcio_root_ca }}" - name: Create ctlog root - delegate_to: localhost when: > (certs_dir_files.files | selectattr('path', 'equalto', tas_single_node_remote_ctlog_private_key) | list | length) == 0 or (certs_dir_files.files | selectattr('path', 'equalto', tas_single_node_remote_ctlog_public_key) | list | length) == 0 block: - - name: Create ctlog Private Key - community.crypto.openssl_privatekey: - path: "{{ tas_single_node_local_ctlog_private_key }}" - curve: secp256r1 - type: ECC - passphrase: "{{ tas_single_node_ctlog_ca_passphrase }}" - cipher: auto + - name: Create ctlog private key + # openssl ecparam doesn't directly allow to encrypt the key with passphrase, so we pipe it to encryption command + ansible.builtin.shell: + cmd: >- + set -o pipefail && + openssl ecparam -name secp384r1 | + openssl ec -des3 + -out '{{ tas_single_node_remote_ctlog_private_key }}' + -passin 'pass:{{ tas_single_node_ctlog_ca_passphrase }}' + creates: "{{ tas_single_node_remote_ctlog_private_key }}" - name: Create ctlog Public Key - community.crypto.openssl_publickey: - path: "{{ tas_single_node_local_ctlog_public_key }}" - privatekey_path: "{{ tas_single_node_local_ctlog_private_key }}" - privatekey_passphrase: "{{ tas_single_node_ctlog_ca_passphrase }}" + ansible.builtin.command: + cmd: >- + openssl ec + -in '{{ tas_single_node_remote_ctlog_private_key }}' + -pubout '{{ tas_single_node_remote_ctlog_public_key }}' + -passin 'pass:{{ tas_single_node_ctlog_ca_passphrase }}' + creates: "{{ tas_single_node_remote_ctlog_public_key }}" - name: Handle TSA certificate chain - delegate_to: localhost block: - - name: Create TSA root Private Key - community.crypto.openssl_privatekey: - path: "{{ tas_single_node_local_tsa_private_key }}" - curve: secp256r1 - type: ECC - passphrase: "{{ tas_single_node_tsa_ca_passphrase }}" - cipher: auto + - name: Create TSA root private key + # openssl ecparam doesn't directly allow to encrypt the key with passphrase, so we pipe it to encryption command + ansible.builtin.shell: + cmd: >- + set -o pipefail && + openssl ecparam -name secp384r1 | + openssl ec -des3 + -out '{{ tas_single_node_remote_tsa_private_key }}' + -passin 'pass:{{ tas_single_node_tsa_ca_passphrase }}' + creates: "{{ tas_single_node_remote_tsa_private_key }}" when: > (certs_dir_files.files | selectattr('path', 'equalto', tas_single_node_remote_tsa_private_key) | list | length) == 0 and (certs_dir_files.files | selectattr('path', 'equalto', tas_single_node_remote_tsa_certificate_chain) | list | length) == 0 and tas_single_node_signer_type == 'file' - - name: Create certificate signing request (CSR) for TSA Root certificate - community.crypto.openssl_csr_pipe: - privatekey_path: "{{ tas_single_node_local_tsa_private_key }}" - privatekey_passphrase: "{{ tas_single_node_tsa_ca_passphrase }}" - common_name: "Root CA" - basic_constraints: - - CA:TRUE - basic_constraints_critical: true - key_usage: - - keyCertSign + - name: Create certificate signing request (CSR) for TSA root certificate + ansible.builtin.command: + cmd: >- + openssl req -new + -key {{ tas_single_node_remote_tsa_private_key }} + -subj '/CN=Root CA' + -addext 'basicConstraints=critical,CA:TRUE' + -addext 'keyUsage = keyCertSign' + -passin 'pass:{{ tas_single_node_tsa_ca_passphrase }}' register: tsa_root_csr when: > (certs_dir_files.files | selectattr('path', 'equalto', tas_single_node_remote_tsa_certificate_chain) | list | length) == 0 and tas_single_node_signer_type == 'file' + changed_when: false - name: Create self-signed TSA root CA from CSR - community.crypto.x509_certificate: - path: "{{ tas_single_node_local_tsa_certificate_chain }}" - csr_content: "{{ tsa_root_csr.csr }}" - privatekey_path: "{{ tas_single_node_local_tsa_private_key }}" - privatekey_passphrase: "{{ tas_single_node_tsa_ca_passphrase }}" - provider: selfsigned + ansible.builtin.shell: + # valid for two years + cmd: >- + set -o pipefail && + echo "{{ tsa_root_csr.stdout }}" | + openssl x509 -req -days 730 + -signkey '{{ tas_single_node_remote_tsa_private_key }}' + -passin 'pass:{{ tas_single_node_tsa_ca_passphrase }}' + -out '{{ tas_single_node_remote_tsa_certificate_chain }}' + creates: "{{ tas_single_node_remote_tsa_certificate_chain }}" when: > (certs_dir_files.files | selectattr('path', 'equalto', tas_single_node_remote_tsa_certificate_chain) | list | length) == 0 and tas_single_node_signer_type == 'file' # Intermediate certificate - - name: Create TSA intermediate CA Private Key - community.crypto.openssl_privatekey: - path: "{{ tas_single_node_local_tsa_signer_private_key }}" - curve: secp256r1 - type: ECC - passphrase: "{{ tas_single_node_tsa_ca_passphrase }}" - cipher: auto + - name: Create TSA intermediate CA private key + # openssl ecparam doesn't directly allow to encrypt the key with passphrase, so we pipe it to encryption command + ansible.builtin.shell: + cmd: >- + set -o pipefail && + openssl ecparam -name secp384r1 | + openssl ec -des3 + -out '{{ tas_single_node_remote_tsa_signer_private_key }}' + -passin 'pass:{{ tas_single_node_tsa_ca_passphrase }}' + creates: "{{ tas_single_node_remote_tsa_signer_private_key }}" when: > (certs_dir_files.files | selectattr('path', 'equalto', tas_single_node_remote_tsa_certificate_chain) | list | length) == 0 and (certs_dir_files.files | selectattr('path', 'equalto', tas_single_node_remote_tsa_signer_private_key) | list | length) == 0 and tas_single_node_signer_type == 'file' - name: Create TSA intermediate CA CSR - community.crypto.openssl_csr_pipe: - privatekey_path: "{{ tas_single_node_local_tsa_signer_private_key }}" - privatekey_passphrase: "{{ tas_single_node_tsa_signer_passphrase }}" - common_name: "Intermediate CA" - basic_constraints: - - CA:TRUE - basic_constraints_critical: true - key_usage: - - keyCertSign - extended_key_usage: - - "1.3.6.1.5.5.7.3.8" - extended_key_usage_critical: true + ansible.builtin.command: + cmd: >- + openssl req -new + -key '{{ tas_single_node_remote_tsa_signer_private_key }}' + -subj '/CN=Intermediate CA' + -addext 'basicConstraints=critical,CA:TRUE' + -addext 'keyUsage = keyCertSign' + -addext 'extendedKeyUsage = critical,1.3.6.1.5.5.7.3.8' + -passin 'pass:{{ tas_single_node_tsa_signer_passphrase }}' register: tsa_intermediate_csr when: > (certs_dir_files.files | selectattr('path', 'equalto', tas_single_node_remote_tsa_certificate_chain) | list | length) == 0 and tas_single_node_signer_type == 'file' + changed_when: false - name: Sign Intermediate CA with Root CA - community.crypto.x509_certificate: - path: "{{ tas_single_node_local_tsa_intermediate_certificate }}" - csr_content: "{{ tsa_intermediate_csr.csr }}" - ownca_path: "{{ tas_single_node_local_tsa_certificate_chain }}" - ownca_privatekey_path: "{{ tas_single_node_local_tsa_private_key }}" - ownca_privatekey_passphrase: "{{ tas_single_node_tsa_ca_passphrase }}" - provider: ownca + ansible.builtin.shell: + # valid for two years + cmd: >- + set -o pipefail && + echo "{{ tsa_intermediate_csr.stdout }}" | + openssl x509 -req -days 730 + -CA '{{ tas_single_node_remote_tsa_certificate_chain }}' + -CAkey '{{ tas_single_node_remote_tsa_private_key }}' + -passin 'pass:{{ tas_single_node_tsa_ca_passphrase }}' + -out '{{ tas_single_node_remote_tsa_intermediate_certificate }}' + creates: "{{ tas_single_node_remote_tsa_intermediate_certificate }}" when: > (certs_dir_files.files | selectattr('path', 'equalto', tas_single_node_remote_tsa_certificate_chain) | list | length) == 0 and tas_single_node_signer_type == 'file' @@ -224,24 +245,10 @@ - name: Combine Intermediate and Root CA certificates into a chain ansible.builtin.command: > /bin/bash -c ' - cat {{ tas_single_node_local_tsa_intermediate_certificate }} {{ tas_single_node_local_tsa_certificate_chain }} > /tmp/certificate-chain.tmp && - mv /tmp/certificate-chain.tmp {{ tas_single_node_local_tsa_certificate_chain }};' + cat {{ tas_single_node_remote_tsa_intermediate_certificate }} {{ tas_single_node_remote_tsa_certificate_chain }} > /tmp/certificate-chain.tmp && + mv /tmp/certificate-chain.tmp {{ tas_single_node_remote_tsa_certificate_chain }};' register: result changed_when: "'changed' in result.stdout" when: > (certs_dir_files.files | selectattr('path', 'equalto', tas_single_node_remote_tsa_certificate_chain) | list | length) == 0 and tas_single_node_signer_type == 'file' - -- name: Copy Certificates to Server - become: true - ansible.builtin.copy: - src: "{{ tas_single_node_local_certs_dir }}/" - dest: "{{ tas_single_node_certs_dir }}" - force: true - mode: "0600" - -- name: Remove Local Certificate Directory - ansible.builtin.file: - state: absent - dest: "{{ tas_single_node_local_certs_dir }}" - delegate_to: localhost diff --git a/roles/tas_single_node/tasks/create_ingress_cert.yml b/roles/tas_single_node/tasks/create_ingress_cert.yml index 9d577e0e..37d50ce0 100644 --- a/roles/tas_single_node/tasks/create_ingress_cert.yml +++ b/roles/tas_single_node/tasks/create_ingress_cert.yml @@ -1,14 +1,11 @@ --- - name: Set Certificate Facts ansible.builtin.set_fact: - local_key_path: "{{ tas_single_node_local_certs_dir }}/ingress-{{ cert_name }}.key" - local_cert_path: "{{ tas_single_node_local_certs_dir }}/ingress-{{ cert_name }}.pem" remote_key_path: "{{ tas_single_node_certs_dir }}/ingress-{{ cert_name }}.key" remote_cert_path: "{{ tas_single_node_certs_dir }}/ingress-{{ cert_name }}.pem" delegate_to: localhost -- name: Create Certificate and Private Key - delegate_to: localhost +- name: Create certificate and private key when: > (existing_files.files | selectattr('path', 'equalto', remote_key_path) | list | length) == 0 or (existing_files.files | selectattr('path', 'equalto', remote_cert_path) | list | length) == 0 @@ -16,41 +13,32 @@ # and (existing_files.files | selectattr('path', 'equalto', cert_path) | list | length) == 0)) block: - name: Create Private Key {{ cert_name }} - community.crypto.openssl_privatekey: - path: "{{ local_key_path }}" + ansible.builtin.command: + cmd: "openssl genrsa -out '{{ remote_key_path }}' 4096" + creates: "{{ remote_key_path }}" # TODO: Allow more parameters to be provided - name: Create certificate signing request (CSR) for new certificate - community.crypto.openssl_csr_pipe: - privatekey_path: "{{ local_key_path }}" - subject: - commonName: "{{ dns_name }}" - basic_constraints: - - CA:FALSE - extended_key_usage: - - serverAuth - key_usage: - - digitalSignature - - nonRepudiation - - keyEncipherment - - dataEncipherment - subject_alt_name: - - DNS:{{ dns_name }} + ansible.builtin.command: + cmd: >- + openssl req -new + -key '{{ remote_key_path }}' + -subj '/CN={{ dns_name }}' + -addext 'subjectAltName = DNS:{{ dns_name }}' + -addext 'basicConstraints=CA:FALSE' + -addext 'keyUsage = digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment' + -addext 'extendedKeyUsage = serverAuth' register: csr + changed_when: false - name: Sign certificate with our CA - community.crypto.x509_certificate_pipe: - csr_content: "{{ csr.csr }}" - provider: ownca - ownca_path: "{{ local_ca_cert_path }}" - ownca_privatekey_path: "{{ local_ca_key_path }}" - # ownca_privatekey_passphrase: "{{ secret_ca_passphrase }}" - ownca_not_after: +365d # valid for one year - register: certificate - - - name: Create certificate - ansible.builtin.copy: - dest: "{{ local_cert_path }}" - content: "{{ certificate.certificate }}" - mode: "0600" - when: certificate is changed # noqa no-handler + ansible.builtin.shell: + # valid for two years + cmd: >- + set -o pipefail && + echo "{{ csr.stdout }}" | + openssl x509 -req -days 730 + -CA '{{ remote_ca_cert_path }}' + -CAkey '{{ remote_ca_key_path }}' + -out '{{ remote_cert_path }}' + creates: "{{ remote_cert_path }}"