mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-03-26 21:33:05 +00:00
87e1edf575
There is a new certificate management module placed in the plugins
folder:
plugins/modules/ipacert.py
The certificate module allows to request, revoke, release and retrieve
certificates for users, hosts and services.
Here is the documentation for the module:
README-cert.md
New example playbooks have been added:
playbooks/cert/cert-hold.yml
playbooks/cert/cert-release.yml
playbooks/cert/cert-request-host.yml
playbooks/cert/cert-request-service.yml
playbooks/cert/cert-request-user.yml
playbooks/cert/cert-retrieve.yml
playbooks/cert/cert-revoke.yml
New tests for the module can be found at:
tests/cert/test_cert_client_context.yml
tests/cert/test_cert_host.yml
tests/cert/test_cert_service.yml
tests/cert/test_cert_user.yml
The module has been co-authored by Sam Morris (@yrro) and Rafael
Guterres Jeffman (@rjeffman).
233 lines
6.9 KiB
YAML
233 lines
6.9 KiB
YAML
---
|
|
- name: Test service certificate requests
|
|
hosts: "{{ ipa_test_host | default('ipaserver') }}"
|
|
# Change "become" or "gather_facts" to "yes",
|
|
# if you test playbook requires any.
|
|
become: false
|
|
gather_facts: false
|
|
module_defaults:
|
|
ipahost:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
ipaservice:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
ipacert:
|
|
ipaadmin_password: SomeADMINpassword
|
|
# ipacert only supports client context
|
|
ipaapi_context: "client"
|
|
|
|
tasks:
|
|
|
|
# SETUP
|
|
|
|
- name: Ensure test files do not exist
|
|
ansible.builtin.file:
|
|
path: "{{ item }}"
|
|
state: absent
|
|
with_items:
|
|
- "/root/retrieved.pem"
|
|
- "/root/cert_1.pem"
|
|
- "/root/service.csr"
|
|
|
|
# Ensure test items exist
|
|
|
|
- name: Ensure domain name is set
|
|
ansible.builtin.set_fact:
|
|
ipa_domain: ipa.test
|
|
when: ipa_domain is not defined
|
|
|
|
- name: Ensure test host exist
|
|
ipahost:
|
|
name: "certservice.{{ ipa_domain }}"
|
|
force: true
|
|
state: present
|
|
|
|
- name: Ensure service exist
|
|
ipaservice:
|
|
name: "HTTP/certservice.{{ ipa_domain }}"
|
|
force: true
|
|
state: present
|
|
|
|
- name: Create signing request for certificate
|
|
ansible.builtin.shell:
|
|
cmd: "openssl req -newkey rsa:1024 -keyout /dev/null -nodes -subj /CN=certservice.{{ ipa_domain }}"
|
|
register: service_req
|
|
|
|
- name: Create CSR file
|
|
ansible.builtin.copy:
|
|
dest: "/root/service.csr"
|
|
content: "{{ service_req.stdout }}"
|
|
mode: '0644'
|
|
|
|
# TESTS
|
|
|
|
- name: Request certificate for service
|
|
ipacert:
|
|
csr: '{{ service_req.stdout }}'
|
|
principal: "HTTP/certservice.{{ ipa_domain }}"
|
|
add_principal: true
|
|
state: requested
|
|
register: service_cert
|
|
failed_when: not service_cert.changed or service_cert.failed
|
|
|
|
- name: Display data from the requested certificate.
|
|
ansible.builtin.debug:
|
|
var: service_cert
|
|
|
|
- name: Retrieve certificate for service
|
|
ipacert:
|
|
serial_number: "{{ service_cert.certificate.serial_number }}"
|
|
state: retrieved
|
|
register: retrieved
|
|
failed_when: retrieved.certificate.serial_number != service_cert.certificate.serial_number
|
|
|
|
- name: Display data from the retrieved certificate.
|
|
ansible.builtin.debug:
|
|
var: retrieved
|
|
|
|
- name: Place certificate on hold
|
|
ipacert:
|
|
serial_number: '{{ service_cert.certificate.serial_number }}'
|
|
state: held
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Place certificate on hold, again
|
|
ipacert:
|
|
serial_number: '{{ service_cert.certificate.serial_number }}'
|
|
state: held
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Release hold on certificate
|
|
ipacert:
|
|
serial_number: '{{ service_cert.certificate.serial_number }}'
|
|
state: released
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Release hold on certificate, again
|
|
ipacert:
|
|
serial_number: '{{ service_cert.certificate.serial_number }}'
|
|
state: released
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Revoke certificate
|
|
ipacert:
|
|
serial_number: '{{ service_cert.certificate.serial_number }}'
|
|
state: revoked
|
|
reason: keyCompromise
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Revoke certificate, again
|
|
ipacert:
|
|
serial_number: '{{ service_cert.certificate.serial_number }}'
|
|
state: revoked
|
|
reason: keyCompromise
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Try to revoke inexistent certificate
|
|
ipacert:
|
|
serial_number: 0x123456789
|
|
reason: 9
|
|
state: revoked
|
|
register: result
|
|
failed_when: not (result.failed and ("Request failed with status 404" in result.msg or "Certificate serial number 0x123456789 not found" in result.msg))
|
|
|
|
- name: Try to release revoked certificate
|
|
ipacert:
|
|
serial_number: '{{ service_cert.certificate.serial_number }}'
|
|
state: released
|
|
register: result
|
|
failed_when: not result.failed or "Cannot release hold on certificate revoked with reason" not in result.msg
|
|
|
|
- name: Request certificate for service and save to file
|
|
ipacert:
|
|
csr: '{{ service_req.stdout }}'
|
|
principal: "HTTP/certservice.{{ ipa_domain }}"
|
|
add_principal: true
|
|
certificate_out: "/root/cert_1.pem"
|
|
state: requested
|
|
register: result
|
|
failed_when: not result.changed or result.failed or result.certificate
|
|
|
|
- name: Check requested certificate file
|
|
ansible.builtin.file:
|
|
path: "/root/cert_1.pem"
|
|
check_mode: true
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Retrieve certificate for service to a file
|
|
ipacert:
|
|
serial_number: "{{ service_cert.certificate.serial_number }}"
|
|
certificate_out: "/root/retrieved.pem"
|
|
state: retrieved
|
|
register: result
|
|
failed_when: result.changed or result.failed or result.certificate
|
|
|
|
- name: Check retrieved certificate file
|
|
ansible.builtin.file:
|
|
path: "/root/retrieved.pem"
|
|
check_mode: true
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Request with invalid CSR.
|
|
ipacert:
|
|
csr: |
|
|
-----BEGIN CERTIFICATE REQUEST-----
|
|
BNxXqLcHylNEyg8SH0u63bWyxtgoDBfdZwdGAhYuJ+g4ev79J5eYoB0CAwEAAaAr
|
|
MCkGCSqGSIb3DQEJDjEcMBowGAYHKoZIzlYIAQQNDAtoZWxsbyB3b3JsZDANBgkq
|
|
hkiG9w0BAQsFAAOBgQADCi5BHDv1mrBFDWqYytFpQ1mrvr/mdax3AYXxNL2UEV8j
|
|
AqZAFTEnJXL/u1eVQtI1yotqxakyUBN4XZBP2CBgJRO93Mtry8cgvU1sPdU8Mavx
|
|
5gSnlP74Hio2ziscWWydlxpYxFx0gkKvu+0nyIpz954SVYwQ2wwk5FRqZnxI5w==
|
|
-----END CERTIFICATE REQUEST-----
|
|
principal: "HTTP/certservice.{{ ipa_domain }}"
|
|
state: requested
|
|
register: result
|
|
failed_when: not (result.failed and "Failure decoding Certificate Signing Request" in result.msg)
|
|
|
|
- name: Request certificate using a file
|
|
ipacert:
|
|
csr_file: "/root/service.csr"
|
|
principal: "HTTP/certservice.{{ ipa_domain }}"
|
|
state: requested
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Request certificate using an invalid profile
|
|
ipacert:
|
|
csr_file: "/root/service.csr"
|
|
principal: "HTTP/certservice.{{ ipa_domain }}"
|
|
profile: invalid_profile
|
|
state: requested
|
|
register: result
|
|
failed_when: not (result.failed and "Request failed with status 400" in result.msg)
|
|
|
|
# CLEANUP TEST ITEMS
|
|
|
|
- name: Remove test service
|
|
ipaservice:
|
|
name: "HTTP/certservice.{{ ipa_domain }}"
|
|
state: absent
|
|
continue: true
|
|
|
|
- name: Remove test host
|
|
ipahost:
|
|
name: certservice.example.com
|
|
state: absent
|
|
|
|
- name: Ensure test files do not exist
|
|
ansible.builtin.file:
|
|
path: "{{ item }}"
|
|
state: absent
|
|
with_items:
|
|
- "/root/retrieved.pem"
|
|
- "/root/cert_1.pem"
|
|
- "/root/service.csr"
|