--- - name: Test service certificate requests hosts: "{{ ipa_test_host | default('ipaserver') }}" # Change "become" or "gather_facts" to "yes", # if you test playbook requires any. become: false gather_facts: false module_defaults: ipahost: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" ipaservice: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" ipacert: ipaadmin_password: SomeADMINpassword # ipacert only supports client context ipaapi_context: "client" tasks: # SETUP - name: Ensure test files do not exist ansible.builtin.file: path: "{{ item }}" state: absent with_items: - "/root/retrieved.pem" - "/root/cert_1.pem" - "/root/service.csr" # Ensure test items exist - name: Ensure domain name is set ansible.builtin.set_fact: ipa_domain: ipa.test when: ipa_domain is not defined - name: Ensure test host exist ipahost: name: "certservice.{{ ipa_domain }}" force: true state: present - name: Ensure service exist ipaservice: name: "HTTP/certservice.{{ ipa_domain }}" force: true state: present - name: Create signing request for certificate ansible.builtin.shell: cmd: "openssl req -newkey rsa:2048 -keyout /dev/null -nodes -subj /CN=certservice.{{ ipa_domain }}" register: service_req - name: Create CSR file ansible.builtin.copy: dest: "/root/service.csr" content: "{{ service_req.stdout }}" mode: '0644' # TESTS - name: Request certificate for service ipacert: csr: '{{ service_req.stdout }}' principal: "HTTP/certservice.{{ ipa_domain }}" add_principal: true state: requested register: service_cert failed_when: not service_cert.changed or service_cert.failed - name: Display data from the requested certificate. ansible.builtin.debug: var: service_cert - name: Retrieve certificate for service ipacert: serial_number: "{{ service_cert.certificate.serial_number }}" state: retrieved register: retrieved failed_when: retrieved.certificate.serial_number != service_cert.certificate.serial_number - name: Display data from the retrieved certificate. ansible.builtin.debug: var: retrieved - name: Place certificate on hold ipacert: serial_number: '{{ service_cert.certificate.serial_number }}' state: held register: result failed_when: not result.changed or result.failed - name: Place certificate on hold, again ipacert: serial_number: '{{ service_cert.certificate.serial_number }}' state: held register: result failed_when: result.changed or result.failed - name: Release hold on certificate ipacert: serial_number: '{{ service_cert.certificate.serial_number }}' state: released register: result failed_when: not result.changed or result.failed - name: Release hold on certificate, again ipacert: serial_number: '{{ service_cert.certificate.serial_number }}' state: released register: result failed_when: result.changed or result.failed - name: Revoke certificate ipacert: serial_number: '{{ service_cert.certificate.serial_number }}' state: revoked reason: keyCompromise register: result failed_when: not result.changed or result.failed - name: Revoke certificate, again ipacert: serial_number: '{{ service_cert.certificate.serial_number }}' state: revoked reason: keyCompromise register: result failed_when: result.changed or result.failed - name: Try to revoke inexistent certificate ipacert: serial_number: 0x123456789 reason: 9 state: revoked register: result failed_when: not (result.failed and ("Request failed with status 404" in result.msg or result.msg is regex("Certificate [^0]*0x123456789 not found"))) - name: Try to release revoked certificate ipacert: serial_number: '{{ service_cert.certificate.serial_number }}' state: released register: result failed_when: not result.failed or "Cannot release hold on certificate revoked with reason" not in result.msg - name: Request certificate for service and save to file ipacert: csr: '{{ service_req.stdout }}' principal: "HTTP/certservice.{{ ipa_domain }}" add_principal: true certificate_out: "/root/cert_1.pem" state: requested register: result failed_when: not result.changed or result.failed or result.certificate != {} - name: Check requested certificate file ansible.builtin.file: path: "/root/cert_1.pem" check_mode: true register: result failed_when: result.changed or result.failed - name: Retrieve certificate for service to a file ipacert: serial_number: "{{ service_cert.certificate.serial_number }}" certificate_out: "/root/retrieved.pem" state: retrieved register: result failed_when: result.changed or result.failed or result.certificate != {} - name: Check retrieved certificate file ansible.builtin.file: path: "/root/retrieved.pem" check_mode: true register: result failed_when: result.changed or result.failed - name: Request with invalid CSR. ipacert: csr: | -----BEGIN CERTIFICATE REQUEST----- BNxXqLcHylNEyg8SH0u63bWyxtgoDBfdZwdGAhYuJ+g4ev79J5eYoB0CAwEAAaAr MCkGCSqGSIb3DQEJDjEcMBowGAYHKoZIzlYIAQQNDAtoZWxsbyB3b3JsZDANBgkq hkiG9w0BAQsFAAOBgQADCi5BHDv1mrBFDWqYytFpQ1mrvr/mdax3AYXxNL2UEV8j AqZAFTEnJXL/u1eVQtI1yotqxakyUBN4XZBP2CBgJRO93Mtry8cgvU1sPdU8Mavx 5gSnlP74Hio2ziscWWydlxpYxFx0gkKvu+0nyIpz954SVYwQ2wwk5FRqZnxI5w== -----END CERTIFICATE REQUEST----- principal: "HTTP/certservice.{{ ipa_domain }}" state: requested register: result failed_when: not (result.failed and "Failure decoding Certificate Signing Request" in result.msg) - name: Request certificate using a file ipacert: csr_file: "/root/service.csr" principal: "HTTP/certservice.{{ ipa_domain }}" state: requested register: result failed_when: not result.changed or result.failed - name: Request certificate using an invalid profile ipacert: csr_file: "/root/service.csr" principal: "HTTP/certservice.{{ ipa_domain }}" profile: invalid_profile state: requested register: result failed_when: not (result.failed and ("Request failed with status 400" in result.msg or "Profile not found" in result.msg)) # CLEANUP TEST ITEMS - name: Remove test service ipaservice: name: "HTTP/certservice.{{ ipa_domain }}" state: absent continue: true - name: Remove test host ipahost: name: certservice.example.com state: absent - name: Ensure test files do not exist ansible.builtin.file: path: "{{ item }}" state: absent with_items: - "/root/retrieved.pem" - "/root/cert_1.pem" - "/root/service.csr"