diff --git a/defaults/main.yml b/defaults/main.yml
index aa40704..c95d1f1 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -92,6 +92,7 @@ pki_search_certificates_pattern: "pki_certificates_"
 # provider: ownca
 # cn: "imap.snakeoil.com"
 # signed_by: "SnakeRootIntermediate"
+# ttl: 30d
 # Example variable defining a server certificate from ansible host variables
 # pki_certificates_default:
diff --git a/molecule/default/group_vars/all.yml b/molecule/default/group_vars/all.yml
index c57fcaa..f2f6400 100644
--- a/molecule/default/group_vars/all.yml
+++ b/molecule/default/group_vars/all.yml
@@ -115,6 +115,7 @@ foo_certificates_variable:
 cn: "{{ ansible_facts['hostname'] }}"
 san: "{{ 'DNS:' ~ ansible_facts['hostname'] }}"
 signed_by: "ExampleCorpIntermediate"
+ ttl: 30d
 condition: true
 - name: "{{ ansible_facts['hostname'] }}_3"
 provider: ownca
@@ -168,7 +169,7 @@ pki_install_certificates:
 # Custom certificate installation search pattern
 pki_search_install_certificates_pattern: "foo_install_certificates_"
-# Certificates to isntall from a custom variable, with conditionals
+# Certificates to install from a custom variable, with conditionals
 functional_install_cert_2_dest: "{{ '/root/' ~ ansible_facts['hostname'] ~ '_2.crt' }}"
 functional_install_chain_2_dest: "{{ '/root/' ~ ansible_facts['hostname'] ~ '_2-chain.crt' }}"
 functional_install_ca_bundle_2_dest: "{{ '/root/' ~ ansible_facts['hostname'] ~ '_2-ca_bundle.crt' }}"
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index 3837657..12e5cc4 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
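Review bot: The added `# ttl: 30d` example in defaults/main.yml gives no hint of the accepted format, although the release note in this commit says the value is a relative timespec written without the leading `+` and that the module default applies when the key is absent. Since the defaults file is what most users read, I would extend the comment: `# ttl: 30d  # optional; relative timespec without leading '+' (passed as ownca_not_after); module default when omitted`. The commented example block this line belongs to starts outside the hunk.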
@@ -144,3 +144,22 @@
 - name: Validate server certificate against system trust store
 ansible.builtin.command: certtool --verify --infile "{{ functional_install_chain_2_dest }}"
 changed_when: false
+
+ - name: Fetch server certificate details
+ community.crypto.x509_certificate_info:
+ path: "{{ functional_install_chain_1_dest }}"
+ register: _functional_chain_1_dest
+
+ - name: Fetch server certificate details
+ community.crypto.x509_certificate_info:
+ path: "{{ functional_install_chain_2_dest }}"
+ register: _functional_chain_2_dest
+
+ - debug:
+ var: (_functional_chain_1_dest.not_after | to_datetime('%Y%m%d%H%M%S%fZ') - now()).days
+
+ - name: Ensure validity period for certificates
+ ansible.builtin.assert:
+ that:
+ - (_functional_chain_1_dest.not_after | to_datetime('%Y%m%d%H%M%S%fZ') - now()).days == 3649
+ - (_functional_chain_2_dest.not_after | to_datetime('%Y%m%d%H%M%S%fZ') - now()).days == 29
diff --git a/releasenotes/notes/ownca_cert_ttl-23505b58c9340cb4.yaml b/releasenotes/notes/ownca_cert_ttl-23505b58c9340cb4.yaml
new file mode 100644
index 0000000..cdcd059
--- /dev/null
+++ b/releasenotes/notes/ownca_cert_ttl-23505b58c9340cb4.yaml
@@ -0,0 +1,18 @@
+---
+features:
+ - |
+ Added key ``ttl`` to the ``pki_create_certificates``. The value can be
+ defined as a timespec, without leading `+`. For example:
+
+ .. code::yaml
+
+ - name: "SnakeMail"
+ signed_by: "SnakeRootIntermediate"
+ provider: ownca
+ cn: "imap.snakeoil.com"
+ signed_by: "SnakeRootIntermediate"
+ ttl: 30d
+
+ Default value is defined by the
+ `community.crypto.x509_certificate `_
+ module.
diff --git a/tasks/standalone/sign_cert.yml b/tasks/standalone/sign_cert.yml
index a605996..6558cd3 100644
--- a/tasks/standalone/sign_cert.yml
+++ b/tasks/standalone/sign_cert.yml
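Review bot: The two day-count assertions in verify.yml subtract a local-time `now()` from a UTC `not_after`, so on a host whose timezone is not UTC the `.days` result can differ from 3649 and 29 by one depending on when converge ran; `now(utc=True)` in all three expressions removes that dependence. The format string `'%Y%m%d%H%M%S%fZ'` also looks off: if the module returns `not_after` without fractional seconds (e.g. `20190413202428Z`), `%f` can only match by strptime taking a digit from the seconds field, so `'%Y%m%d%H%M%SZ'` states the intent and should be confirmed against the registered value. The `- debug:` task is unnamed and not FQCN unlike its neighbours, and both fetch tasks share the name "Fetch server certificate details", which makes the play output ambiguous; give them distinct names and drop the debug once the assertion is trusted. The enclosing task list starts outside the hunk.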
@@ -68,6 +68,7 @@
 ownca_path: "{{ _ca_file }}"
 ownca_privatekey_path: "{{ pki_dir ~ '/roots/' ~ cert.signed_by ~ '/private/' ~ cert.signed_by ~ '.key.pem' }}"
 ownca_privatekey_passphrase: "{{ cert.ownca_key_passphrase | default(omit) }}"
+ ownca_not_after: "{{ ('ttl' in cert) | ternary('+' ~ cert.get('ttl'), omit) }}"
 provider: ownca
 force: "{{ pki_regen_cert == cert.name or ((pki_regen_cert | lower) == 'true') }}"
 register: cert_crt
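Review bot: The new `ownca_not_after` line passes the user-supplied `cert.ttl` through with a `+` prepended and no validation, so a value that already carries the leading `+` (which `ownca_not_after` itself accepts) becomes `++30d`, and an absolute timestamp becomes invalid too; both only fail inside the module during signing with nothing pointing at `ttl`. Either normalise it, e.g. `'+' ~ (cert.ttl | string | regex_replace('^[+]', ''))`, or document the constraint on the line with `# relative timespec, e.g. 30d; the module receives it as '+<ttl>'`. `cert.get('ttl')` also differs from the attribute style (`cert.signed_by`, `cert.ownca_key_passphrase`) on the surrounding lines; `cert.ttl` reads consistently. Presumably a later change to `ttl` does not re-sign an already issued certificate unless `force` is triggered — if so, that is worth a comment next to the new line. The enclosing task starts outside the hunk.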