Merge "Increase validity period of Octavia CA and certificates"
commit
cf36c38299
|
@ -30,6 +30,19 @@
|
||||||
- name: Store CA data
|
- name: Store CA data
|
||||||
set_fact:
|
set_fact:
|
||||||
ca_cert: "{{ ca_file_data.content | b64decode }}"
|
ca_cert: "{{ ca_file_data.content | b64decode }}"
|
||||||
|
|
||||||
|
- name: Get remaining validity period of the CA
|
||||||
|
shell: |
|
||||||
|
now=$(date +%s)
|
||||||
|
enddate=$(date +%s -d "$(openssl x509 -enddate -noout -in {{ octavia_confd_prefix }}/{{ ca_cert_path }} | cut -d= -f2)")
|
||||||
|
echo $((enddate - now))
|
||||||
|
register: validity_period
|
||||||
|
|
||||||
|
- name: Force CA update if remaining validity is less than 1 year
|
||||||
|
set_fact:
|
||||||
|
force_certs_update: true
|
||||||
|
when:
|
||||||
|
- (validity_period.stdout| int) < 31622400 # 31622400 seconds == 366 days
|
||||||
when:
|
when:
|
||||||
- ca_file_stat.stat.exists | bool
|
- ca_file_stat.stat.exists | bool
|
||||||
|
|
||||||
|
@ -46,9 +59,20 @@
|
||||||
slurp:
|
slurp:
|
||||||
src: "{{ octavia_confd_prefix }}/{{ ca_private_key_path }}"
|
src: "{{ octavia_confd_prefix }}/{{ ca_private_key_path }}"
|
||||||
register: key_file_data
|
register: key_file_data
|
||||||
- name: Store CA data
|
- name: Store CA private key
|
||||||
set_fact:
|
set_fact:
|
||||||
ca_private_key: "{{ key_file_data.content | b64decode }}"
|
ca_private_key: "{{ key_file_data.content | b64decode }}"
|
||||||
|
|
||||||
|
- name: Detect if key is encrypted with AES256
|
||||||
|
shell: grep -q 'AES-256-CBC' {{ octavia_confd_prefix }}/{{ ca_private_key_path }}
|
||||||
|
failed_when: false
|
||||||
|
register: ca_private_key_aes_256
|
||||||
|
- name: Store flag if a private key update is required
|
||||||
|
set_fact:
|
||||||
|
force_private_key_update: true
|
||||||
|
force_certs_update: true
|
||||||
|
when:
|
||||||
|
- ca_private_key_aes_256.rc != 0
|
||||||
when:
|
when:
|
||||||
- ca_key_file_stat.stat.exists | bool
|
- ca_key_file_stat.stat.exists | bool
|
||||||
|
|
||||||
|
|
|
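Review bot: The `Get remaining validity period of the CA` task in the first hunk turns any failure of `openssl x509` into a forced CA rotation rather than a failed play: an error leaves `date -d` with an empty argument, the computed difference lands far below the 366-day threshold, and the trailing `echo` keeps the task's rc at 0, so a transient read problem would silently re-issue the CA. Run the script under `args: executable: /bin/bash` with `set -euo pipefail` as its first line, and split the nested substitution so the openssl status is not swallowed: `notafter=$(openssl x509 -enddate -noout -in {{ octavia_confd_prefix }}/{{ ca_cert_path }} | cut -d= -f2)` followed by `enddate=$(date +%s -d "$notafter")`. In the second hunk, `grep -q 'AES-256-CBC'` only recognises the traditional PEM `DEK-Info` header; a PKCS#8 `ENCRYPTED PRIVATE KEY` file carries the cipher as a DER OID and contains no such text, so on a toolchain that writes that format the flag would be set on every run and the CA certificate regenerated each time — if that format can occur here, testing the key with `openssl rsa -noout -check` under `-passin` (or matching either header form) is more robust. The block these tasks belong to, with its `when:` on `ca_file_stat.stat.exists` / `ca_key_file_stat.stat.exists`, starts outside the hunks.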
@ -35,7 +35,39 @@
|
||||||
- name: Generating certificate authority private key
|
- name: Generating certificate authority private key
|
||||||
become: true
|
become: true
|
||||||
shell: |
|
shell: |
|
||||||
openssl genrsa -passout pass:{{ ca_passphrase }} -des3 -out {{ openssl_temp_dir }}/private/cakey.pem 2048
|
openssl genrsa -passout pass:{{ ca_passphrase }} -aes256 -out {{ openssl_temp_dir }}/private/cakey.pem 2048
|
||||||
|
when:
|
||||||
|
- not (force_certs_update | default(false) | bool)
|
||||||
|
|
||||||
|
- name: Reuse previous CA private key
|
||||||
|
block:
|
||||||
|
- name: Write previous CA private key
|
||||||
|
copy:
|
||||||
|
content: "{{ private_key_content }}"
|
||||||
|
dest: "{{ openssl_temp_dir }}/private/cakey.pem"
|
||||||
|
no_log: true
|
||||||
|
when:
|
||||||
|
- force_certs_update | default(false) | bool
|
||||||
|
- not (force_private_key_update | default(false) | bool)
|
||||||
|
|
||||||
|
- name: Reuse and update previous CA private key
|
||||||
|
block:
|
||||||
|
- name: Write previous CA private key
|
||||||
|
copy:
|
||||||
|
content: "{{ private_key_content }}"
|
||||||
|
dest: "{{ openssl_temp_dir }}/private/cakey.old.pem"
|
||||||
|
no_log: true
|
||||||
|
|
||||||
|
- name: Update CA private key
|
||||||
|
shell: |
|
||||||
|
openssl rsa -aes256 \
|
||||||
|
-passin pass:{{ ca_passphrase }} \
|
||||||
|
-passout pass:{{ ca_passphrase }} \
|
||||||
|
-in {{ openssl_temp_dir }}/private/cakey.old.pem \
|
||||||
|
-out {{ openssl_temp_dir }}/private/cakey.pem
|
||||||
|
when:
|
||||||
|
- force_certs_update | default(false) | bool
|
||||||
|
- force_private_key_update | default(false) | bool
|
||||||
|
|
||||||
- name: Reading private key
|
- name: Reading private key
|
||||||
become: true
|
become: true
|
||||||
|
@ -51,7 +83,7 @@
|
||||||
shell: |
|
shell: |
|
||||||
openssl req -x509 -passin pass:{{ ca_passphrase }} -new -nodes -key {{ openssl_temp_dir }}/private/cakey.pem \
|
openssl req -x509 -passin pass:{{ ca_passphrase }} -new -nodes -key {{ openssl_temp_dir }}/private/cakey.pem \
|
||||||
-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
|
-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
|
||||||
-days 365 -config {{ openssl_temp_dir }}/openssl.cnf \
|
-days 18250 -config {{ openssl_temp_dir }}/openssl.cnf \
|
||||||
-out {{ openssl_temp_dir }}/ca_01.pem
|
-out {{ openssl_temp_dir }}/ca_01.pem
|
||||||
|
|
||||||
- name: Reading CA certificate
|
- name: Reading CA certificate
|
||||||
|
@ -74,7 +106,7 @@
|
||||||
become: true
|
become: true
|
||||||
shell: |
|
shell: |
|
||||||
openssl ca -config {{ openssl_temp_dir }}/openssl.cnf -passin pass:{{ ca_passphrase }} -in {{ openssl_temp_dir }}/client.csr \
|
openssl ca -config {{ openssl_temp_dir }}/openssl.cnf -passin pass:{{ ca_passphrase }} -in {{ openssl_temp_dir }}/client.csr \
|
||||||
-days 365 -out {{ openssl_temp_dir }}/client-.pem -batch
|
-days 3650 -out {{ openssl_temp_dir }}/client-.pem -batch
|
||||||
|
|
||||||
- name: Read service private key and public certifcate
|
- name: Read service private key and public certifcate
|
||||||
become: true
|
become: true
|
||||||
|
|
|
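Review bot: The new `Update CA private key` task in the first hunk places `{{ ca_passphrase }}` on the command line twice (`-passin`/`-passout`) with no `no_log: true`, so the passphrase is visible in the process list while openssl runs and in the task's `cmd`/result output whenever the play runs verbosely or its results are collected — unlike the neighbouring `copy` tasks, which do set `no_log`. Add `no_log: true` to that task (and to the `genrsa` task, which has the same exposure), and prefer `-passin env:CA_PASSPHRASE` / `-passout env:CA_PASSPHRASE` with the value supplied via `environment:` so it never appears in argv. The two `copy` tasks that write the previous (encrypted) key to `cakey.pem` and `cakey.old.pem` set no `mode:`, so the files get umask-derived permissions; `mode: "0600"` keeps them owner-only. Removal of `cakey.old.pem` after the re-encryption succeeds is not visible in the hunk and presumably should happen before `openssl_temp_dir` is left behind.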
@ -65,5 +65,6 @@
|
||||||
update_certs: false
|
update_certs: false
|
||||||
when:
|
when:
|
||||||
- (octavia_node_count | int) == (ca_certs | length)
|
- (octavia_node_count | int) == (ca_certs | length)
|
||||||
|
- not (force_certs_update | default(false))
|
||||||
when:
|
when:
|
||||||
- (ca_certs | length) > 0
|
- (ca_certs | length) > 0
|
||||||
|
|
|
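Review bot: The added condition `- not (force_certs_update | default(false))` omits the `| bool` cast that every other use of `force_certs_update` in this commit applies, so a string value such as `"false"` (for example from `-e force_certs_update=false` on the command line) is truthy, `update_certs: false` is never set, and a certificate update is forced. Change it to `- not (force_certs_update | default(false) | bool)` for consistency with the other conditions. The task and its enclosing block start outside the hunk.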
@ -13,4 +13,4 @@
|
||||||
- include_tasks: certs_gen.yml
|
- include_tasks: certs_gen.yml
|
||||||
when:
|
when:
|
||||||
- generate_certs | bool
|
- generate_certs | bool
|
||||||
- (generate_ca | default(true)) | bool
|
- (generate_ca | default(true)) | bool or (force_certs_update | default(false) | bool)
|
||||||
|
|
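Review bot: With the `or` term added to the `include_tasks: certs_gen.yml` condition, a forced update now overrides `generate_ca: false`; if that flag is presumably used by operators who supply their own CA, the forced path would regenerate and replace it. If this is intended, a comment such as `# A forced update regenerates the CA even when generate_ca is false` above the condition would make it explicit; otherwise the force term should remain ANDed with `generate_ca`. Whether the checks that set `force_certs_update` run at all when `generate_ca` is false is not visible here.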