At the moment we have no way of making "shorter" lived certificates with the role, which may be an important factor for security considerations, given that the default value is 10 years. Change-Id: I7ce88c8163ec9ad0beca59e6b49a75f2f375390a Signed-off-by: Dmitriy Rabotyagov <noonedeadpunk@gmail.com>
---
|
|
- name: Verify
|
|
hosts: all
|
|
vars:
|
|
pki_trust_store_location:
|
|
apt: /usr/local/share/ca-certificates/
|
|
dnf: /etc/pki/ca-trust/source/anchors/
|
|
tasks:
|
|
# Check that certificate authorities are installed (or absent) at the correct path
|
|
- ansible.builtin.stat:
|
|
path: "{{ pki_trust_store_location[ansible_facts['pkg_mgr']] }}/{{ functional_ca_name_1 }}.crt"
|
|
register: ca_1_stat
|
|
|
|
- ansible.builtin.stat:
|
|
path: "{{ pki_trust_store_location[ansible_facts['pkg_mgr']] }}/{{ functional_ca_name_2 }}.crt"
|
|
register: ca_2_stat
|
|
|
|
- ansible.builtin.stat:
|
|
path: "{{ pki_trust_store_location[ansible_facts['pkg_mgr']] }}/{{ functional_ca_name_3 }}.crt"
|
|
register: ca_3_stat
|
|
|
|
- ansible.builtin.assert:
|
|
that:
|
|
- ca_1_stat.stat.exists
|
|
- not ca_2_stat.stat.exists
|
|
- ca_3_stat.stat.exists
|
|
|
|
# Check that certificates are installed (or absent) at the correct path
|
|
# 1 installed via "src"
|
|
- ansible.builtin.stat:
|
|
path: "{{ functional_install_cert_1_dest }}"
|
|
register: cert_1_stat
|
|
|
|
- ansible.builtin.stat:
|
|
path: "{{ functional_install_chain_1_dest }}"
|
|
register: chain_1_stat
|
|
|
|
- ansible.builtin.stat:
|
|
path: "{{ functional_install_ca_bundle_1_dest }}"
|
|
register: ca_bundle_1_stat
|
|
|
|
- ansible.builtin.stat:
|
|
path: "{{ functional_install_key_1_dest }}"
|
|
register: key_1_stat
|
|
|
|
# 1 installed via "name" and "type"
|
|
- ansible.builtin.stat:
|
|
path: "{{ functional_install_cert_name_1_dest }}"
|
|
register: cert_name_1_stat
|
|
|
|
- ansible.builtin.stat:
|
|
path: "{{ functional_install_chain_name_1_dest }}"
|
|
register: chain_name_1_stat
|
|
|
|
- ansible.builtin.stat:
|
|
path: "{{ functional_install_ca_bundle_name_1_dest }}"
|
|
register: ca_bundle_name_1_stat
|
|
|
|
- ansible.builtin.stat:
|
|
path: "{{ functional_install_key_name_1_dest }}"
|
|
register: key_name_1_stat
|
|
|
|
# others
|
|
- ansible.builtin.stat:
|
|
path: "{{ functional_install_cert_2_dest }}"
|
|
register: cert_2_stat
|
|
|
|
- ansible.builtin.stat:
|
|
path: "{{ functional_install_chain_2_dest }}"
|
|
register: chain_2_stat
|
|
|
|
- ansible.builtin.stat:
|
|
path: "{{ functional_install_ca_bundle_2_dest }}"
|
|
register: ca_bundle_2_stat
|
|
|
|
- ansible.builtin.stat:
|
|
path: "{{ functional_install_key_2_dest }}"
|
|
register: key_2_stat
|
|
|
|
- ansible.builtin.stat:
|
|
path: "{{ functional_install_cert_3_dest }}"
|
|
register: cert_3_stat
|
|
|
|
- ansible.builtin.stat:
|
|
path: "{{ functional_install_chain_3_dest }}"
|
|
register: chain_3_stat
|
|
|
|
- ansible.builtin.stat:
|
|
path: "{{ functional_install_key_3_dest }}"
|
|
register: key_3_stat
|
|
|
|
- ansible.builtin.assert:
|
|
that:
|
|
- cert_1_stat.stat.exists
|
|
- cert_1_stat.stat.pw_name == "root"
|
|
- cert_1_stat.stat.gr_name == "root"
|
|
|
|
- chain_1_stat.stat.exists
|
|
- chain_1_stat.stat.mode == "0755"
|
|
- chain_1_stat.stat.pw_name == "root"
|
|
- chain_1_stat.stat.gr_name == "root"
|
|
|
|
- ca_bundle_1_stat.stat.exists
|
|
- ca_bundle_1_stat.stat.pw_name == "root"
|
|
- ca_bundle_1_stat.stat.gr_name == "root"
|
|
|
|
- key_1_stat.stat.exists
|
|
- key_1_stat.stat.pw_name == "root"
|
|
- key_1_stat.stat.gr_name == "root"
|
|
|
|
- cert_name_1_stat.stat.exists
|
|
- cert_name_1_stat.stat.mode == "0644"
|
|
- cert_name_1_stat.stat.pw_name == "test"
|
|
- cert_name_1_stat.stat.gr_name == "root"
|
|
|
|
- chain_name_1_stat.stat.exists
|
|
- chain_name_1_stat.stat.mode == "0644"
|
|
- chain_name_1_stat.stat.pw_name == "root"
|
|
- chain_name_1_stat.stat.gr_name == "test"
|
|
|
|
- ca_bundle_name_1_stat.stat.exists
|
|
- ca_bundle_name_1_stat.stat.mode == "0644"
|
|
- ca_bundle_name_1_stat.stat.pw_name == "test"
|
|
- ca_bundle_name_1_stat.stat.gr_name == "test"
|
|
|
|
- key_name_1_stat.stat.exists
|
|
- key_name_1_stat.stat.mode == "0600"
|
|
- key_name_1_stat.stat.pw_name == "root"
|
|
- key_name_1_stat.stat.gr_name == "root"
|
|
|
|
- cert_2_stat.stat.exists
|
|
- chain_2_stat.stat.exists
|
|
- ca_bundle_2_stat.stat.exists
|
|
- key_2_stat.stat.exists
|
|
- not cert_3_stat.stat.exists
|
|
- not chain_3_stat.stat.exists
|
|
- not key_3_stat.stat.exists
|
|
|
|
# Check that certificates can validate against the installed CA
|
|
- name: Validate server certificate against system trust store
|
|
ansible.builtin.command: certtool --verify --infile "{{ functional_install_chain_1_dest }}"
|
|
changed_when: false
|
|
|
|
- name: Validate server certificate against system trust store
|
|
ansible.builtin.command: certtool --verify --infile "{{ functional_install_chain_2_dest }}"
|
|
changed_when: false
|
|
|
|
- name: Fetch server certificate details
|
|
community.crypto.x509_certificate_info:
|
|
path: "{{ functional_install_chain_1_dest }}"
|
|
register: _functional_chain_1_dest
|
|
|
|
- name: Fetch server certificate details
|
|
community.crypto.x509_certificate_info:
|
|
path: "{{ functional_install_chain_2_dest }}"
|
|
register: _functional_chain_2_dest
|
|
|
|
- debug:
|
|
var: (_functional_chain_1_dest.not_after | to_datetime('%Y%m%d%H%M%S%fZ') - now()).days
|
|
|
|
- name: Ensure validity period for certificates
|
|
ansible.builtin.assert:
|
|
that:
|
|
- (_functional_chain_1_dest.not_after | to_datetime('%Y%m%d%H%M%S%fZ') - now()).days == 3649
|
|
- (_functional_chain_2_dest.not_after | to_datetime('%Y%m%d%H%M%S%fZ') - now()).days == 29
|
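Review bot: The validity assertions in "Ensure validity period for certificates" subtract `now()` from a `not_after` value whose `Z` suffix marks it as UTC, but Ansible's `now()` returns the controller's naive local time, so on a non-UTC controller the difference shifts by the timezone offset and `.days` can evaluate to 3650 or 3648 instead of the expected 3649 (and likewise for the 29-day case); `now(utc=true)` keeps both operands in UTC. The exact day counts also presume the certificates' notBefore was set less than 24 hours before verification, which I cannot confirm from this file — if the role does not guarantee that, a bounded check (3648–3649 and 28–29) would be less flaky without weakening the test. The `debug:` task just above the assertion is the only task without the `ansible.builtin.` prefix and looks like leftover diagnostic output; either remove it or write `ansible.builtin.debug:` for consistency. The two "Validate server certificate against system trust store" tasks and the two "Fetch server certificate details" tasks share names, which makes failures ambiguous in the log; suffix each with the chain it checks (e.g. `- name: Validate server certificate chain 2 against system trust store`).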