Refactor certificates role to normalize server and client certificate creation

Signed-off-by: Eric D. Helms <ericdhelms@gmail.com>

Author: ehelms

playbooks/deploy.yaml

@@ -3,35 +3,38 @@
   hosts:
     - quadlet
   become: true
+  vars_files:
+    - "../vars/{{ certificate_source | default('default') }}_certificates.yml"
   vars:
     certificates_hostnames:
+      - "{{ ansible_fqdn }}"
       - localhost
     certificates_ca_password: "CHANGEME"
     candlepin_db_password: "CHANGEME"
     candlepin_keystore_password: "CHANGEME"
     candlepin_oauth_secret: "CHANGEME"
-    candlepin_ca_key: "{{ certificates_ca_directory }}/private/ca.key"
-    candlepin_ca_key_password: "{{ certificates_ca_directory }}/private/ca.pwd"
-    candlepin_ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
-    candlepin_tomcat_key: "{{ certificates_ca_directory }}/private/localhost.key"
-    candlepin_tomcat_certificate: "{{ certificates_ca_directory }}/certs/localhost.crt"
-    candlepin_client_key: "{{ certificates_ca_directory }}/private/{{ certificates_server }}-client.key"
-    candlepin_client_certificate: "{{ certificates_ca_directory }}/certs/{{ certificates_server }}-client.crt"
-    foreman_proxy_ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
-    foreman_proxy_server_key: "{{ certificates_ca_directory }}/private/{{ certificates_server }}.key"
-    foreman_proxy_server_certificate: "{{ certificates_ca_directory }}/certs/{{ certificates_server }}.crt"
-    foreman_proxy_client_key: "{{ certificates_ca_directory }}/private/{{ certificates_server }}-client.key"
-    foreman_proxy_client_certificate: "{{ certificates_ca_directory }}/certs/{{ certificates_server }}-client.crt"
-    foreman_ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
-    foreman_client_key: "{{ certificates_ca_directory }}/private/{{ certificates_server }}-client.key"
-    foreman_client_certificate: "{{ certificates_ca_directory }}/certs/{{ certificates_server }}-client.crt"
+    candlepin_ca_key_password: "{{ ca_key_password }}"
+    candlepin_ca_key: "{{ ca_key }}"
+    candlepin_ca_certificate: "{{ ca_certificate }}"
+    candlepin_tomcat_key: "{{ localhost_key }}"
+    candlepin_tomcat_certificate: "{{ localhost_certificate }}"
+    candlepin_client_key: "{{ client_key }}"
+    candlepin_client_certificate: "{{ client_certificate }}"
+    foreman_proxy_ca_certificate: "{{ ca_certificate }}"
+    foreman_proxy_server_key: "{{ server_key }}"
+    foreman_proxy_server_certificate: "{{ server_certificate }}"
+    foreman_proxy_client_key: "{{ client_key }}"
+    foreman_proxy_client_certificate: "{{ client_certificate }}"
+    foreman_ca_certificate: "{{ ca_certificate }}"
+    foreman_client_key: "{{ client_key }}"
+    foreman_client_certificate: "{{ client_certificate }}"
     foreman_db_password: "CHANGEME"
     foreman_oauth_consumer_key: abcdefghijklmnopqrstuvwxyz123456
     foreman_oauth_consumer_secret: abcdefghijklmnopqrstuvwxyz123456
-    httpd_server_ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
-    httpd_client_ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
-    httpd_server_certificate: "{{ certificates_ca_directory }}/certs/{{ certificates_server }}.crt"
-    httpd_server_key: "{{ certificates_ca_directory }}/private/{{ certificates_server }}.key"
+    httpd_server_ca_certificate: "{{ ca_certificate }}"
+    httpd_client_ca_certificate: "{{ ca_certificate }}"
+    httpd_server_certificate: "{{ server_certificate }}"
+    httpd_server_key: "{{ server_key }}"
     pulp_db_password: "CHANGEME"
     pulp_content_origin: "https://{{ ansible_fqdn }}"
     postgresql_databases:
@@ -56,7 +59,13 @@
       - { type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5 }
       - { type: host, database: all, user: all, address: '::1/128', auth_method: md5 }
   roles:
-    - certificates
+    - role: certificates
+      when: "certificate_source | default('default') == 'default'"
+    - role: certificate_checks
+      vars:
+        certificate_checks_certificate: "{{ server_certificate }}"
+        certificate_checks_key: "{{ server_key }}"
+        certificate_checks_ca: "{{ ca_certificate }}"
     - geerlingguy.postgresql
     - redis
     - candlepin

roles/certificate_checks/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+- name: Fetch katello_certs_check
+  ansible.builtin.get_url:
+    url: https://raw.githubusercontent.com/theforeman/foreman-installer/refs/heads/develop/bin/katello-certs-check
+    dest: /usr/bin/katello-certs-check
+    mode: '0744'
+
+- name: Check certificates
+  ansible.builtin.command:
+    argv:
+      - "/usr/bin/katello-certs-check"
+      - "-t"
+      - "foreman"
+      - "-c"
+      - "{{ certificate_checks_certificate }}"
+      - "-k"
+      - "{{ certificate_checks_key }}"
+      - "-b"
+      - "{{ certificate_checks_ca }}"
+  changed_when: false

roles/certificates/defaults/main.yml

@@ -1,7 +1,6 @@
 ---
+certificates_ca: true
 certificates_ca_directory: /root/certificates # Change this to /var/lib?
 certificates_ca_directory_keys: "{{ certificates_ca_directory }}/private"
 certificates_ca_directory_certs: "{{ certificates_ca_directory }}/certs"
 certificates_ca_directory_requests: "{{ certificates_ca_directory }}/requests"
-certificates_server: "{{ ansible_fqdn }}"
-certificates_client: "{{ ansible_fqdn }}-client"

roles/certificates/tasks/ca.yml

@@ -0,0 +1,71 @@
+---
+- name: 'Install openssl'
+  ansible.builtin.package:
+    name: openssl
+    state: present
+
+- name: 'Create certs directory'
+  ansible.builtin.file:
+    path: "{{ certificates_ca_directory_certs }}"
+    state: directory
+    mode: '0755'
+
+- name: 'Create keys directory'
+  ansible.builtin.file:
+    path: "{{ certificates_ca_directory_keys }}"
+    state: directory
+    mode: '0755'
+
+- name: 'Create requests directory'
+  ansible.builtin.file:
+    path: "{{ certificates_ca_directory_requests }}"
+    state: directory
+    mode: '0755'
+
+- name: 'Deploy configuration file'
+  ansible.builtin.template:
+    src: openssl.cnf.j2
+    dest: "{{ certificates_ca_directory }}/openssl.cnf"
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: 'Create index file'
+  ansible.builtin.file:
+    path: "{{ certificates_ca_directory }}/index.txt"
+    state: touch
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: 'Ensure serial starting number'
+  ansible.builtin.template:
+    src: serial.j2
+    dest: "{{ certificates_ca_directory }}/serial"
+    force: false
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: 'Create CA key password file'
+  ansible.builtin.copy:
+    content: "{{ certificates_ca_password }}"
+    dest: "{{ certificates_ca_directory_keys }}/ca.pwd"
+    owner: root
+    group: root
+    mode: '0600'
+  no_log: true
+
+- name: 'Creating CA certificate and key'
+  ansible.builtin.command: >
+    openssl req -new
+      -x509
+      -nodes
+      -extensions v3_ca
+      -config "{{ certificates_ca_directory }}/openssl.cnf"
+      -subj "/CN=Foreman Self-signed CA"
+      -keyout "{{ certificates_ca_directory_keys }}/ca.key"
+      -out "{{ certificates_ca_directory_certs }}/ca.crt"
+      -passout "file:{{ certificates_ca_directory_keys }}/ca.pwd"
+  args:
+    creates: "{{ certificates_ca_directory_certs }}/ca.crt"

roles/certificates/tasks/issue.yml

@@ -1,24 +1,66 @@
 ---
-- name: 'Creating signing request'
+- name: 'Create server key'
   ansible.builtin.command: >
-    openssl req -new
-      -newkey rsa:2048
-      -nodes
-      -out    "{{ certificates_ca_directory_requests }}/{{ certificates_hostname }}.csr"
-      -keyout "{{ certificates_ca_directory_keys }}/{{ certificates_hostname }}.key"
-      -subj "/C=US/ST=North Carolina/L=Raleigh/O=Foreman/OU=Katello/CN={{ certificates_hostname }}"
+    openssl genrsa
+      -out "{{ certificates_ca_directory_keys }}/{{ certificates_hostname }}.key"
+      4096
+  args:
+    creates: "{{ certificates_ca_directory_keys }}/{{ certificates_hostname }}.key"
+
+- name: 'Creating server signing request'
+  ansible.builtin.command: >
+    openssl req
+      -new
+      -config "{{ certificates_ca_directory }}/openssl.cnf"
+      -key "{{ certificates_ca_directory_keys }}/{{ certificates_hostname }}.key"
+      -subj "/CN={{ certificates_hostname }}"
+      -addext "subjectAltName = DNS:{{ certificates_hostname }}"
+      -out "{{ certificates_ca_directory_requests }}/{{ certificates_hostname }}.csr"
   args:
     creates: "{{ certificates_ca_directory_requests }}/{{ certificates_hostname }}.csr"
 
-- name: 'Sign signing request'
+- name: 'Sign server signing request'
   ansible.builtin.command: >
-      openssl ca
-        -config "{{ certificates_ca_directory }}/openssl.cnf"
-        -batch
-        -policy signing_policy
-        -extensions signing_req
-        -passin "file:{{ certificates_ca_directory_keys }}/ca.pwd"
-        -out "{{ certificates_ca_directory_certs }}/{{ certificates_hostname }}.crt"
-        -infiles "{{ certificates_ca_directory_requests }}/{{ certificates_hostname }}.csr"
+    openssl ca
+      -create_serial
+      -batch
+      -extensions ssl_server
+      -config "{{ certificates_ca_directory }}/openssl.cnf"
+      -passin "file:{{ certificates_ca_directory_keys }}/ca.pwd"
+      -in "{{ certificates_ca_directory_requests }}/{{ certificates_hostname }}.csr"
+      -out "{{ certificates_ca_directory_certs }}/{{ certificates_hostname }}.crt"
   args:
     creates: "{{ certificates_ca_directory_certs }}/{{ certificates_hostname }}.crt"
+
+- name: 'Create client key'
+  ansible.builtin.command: >
+    openssl genrsa
+      -out "{{ certificates_ca_directory_keys }}/{{ certificates_hostname }}-client.key"
+      4096
+  args:
+    creates: "{{ certificates_ca_directory_keys }}/{{ certificates_hostname }}-client.key"
+
+- name: 'Creating client signing request'
+  ansible.builtin.command: >
+    openssl req
+      -new
+      -config "{{ certificates_ca_directory }}/openssl.cnf"
+      -key "{{ certificates_ca_directory_keys }}/{{ certificates_hostname }}-client.key"
+      -addext "subjectAltName = DNS:{{ certificates_hostname }}"
+      -subj "/CN={{ certificates_hostname }}"
+      -out "{{ certificates_ca_directory_requests }}/{{ certificates_hostname }}-client.csr"
+  args:
+    creates: "{{ certificates_ca_directory_requests }}/{{ certificates_hostname }}-client.csr"
+
+- name: 'Sign client signing request'
+  ansible.builtin.command: >
+    openssl ca
+      -create_serial
+      -batch
+      -extensions ssl_client
+      -config "{{ certificates_ca_directory }}/openssl.cnf"
+      -passin "file:{{ certificates_ca_directory_keys }}/ca.pwd"
+      -in "{{ certificates_ca_directory_requests }}/{{ certificates_hostname }}-client.csr"
+      -out "{{ certificates_ca_directory_certs }}/{{ certificates_hostname }}-client.crt"
+  args:
+    creates: "{{ certificates_ca_directory_certs }}/{{ certificates_hostname }}-client.crt"

roles/certificates/tasks/main.yml

@@ -1,132 +1,7 @@
 ---
-- name: 'Install openssl'
-  ansible.builtin.package:
-    name: openssl
-    state: present
-
-- name: 'Create certs directory'
-  ansible.builtin.file:
-    path: "{{ certificates_ca_directory_certs }}"
-    state: directory
-    mode: '0755'
-
-- name: 'Create keys directory'
-  ansible.builtin.file:
-    path: "{{ certificates_ca_directory_keys }}"
-    state: directory
-    mode: '0755'
-
-- name: 'Create requests directory'
-  ansible.builtin.file:
-    path: "{{ certificates_ca_directory_requests }}"
-    state: directory
-    mode: '0755'
-
-- name: 'Deploy configuration file'
-  ansible.builtin.template:
-    src: openssl.cnf.j2
-    dest: "{{ certificates_ca_directory }}/openssl.cnf"
-    owner: root
-    group: root
-    mode: '0644'
-
-- name: 'Create index file'
-  ansible.builtin.file:
-    path: "{{ certificates_ca_directory }}/index.txt"
-    state: touch
-    owner: root
-    group: root
-    mode: '0644'
-
-- name: 'Ensure serial starting number'
-  ansible.builtin.template:
-    src: serial.j2
-    dest: "{{ certificates_ca_directory }}/serial"
-    force: false
-    owner: root
-    group: root
-    mode: '0644'
-
-- name: 'Create CA key password file'
-  ansible.builtin.copy:
-    content: "{{ certificates_ca_password }}"
-    dest: "{{ certificates_ca_directory_keys }}/ca.pwd"
-    owner: root
-    group: root
-    mode: '0600'
-  no_log: true
-
-- name: 'Creating CA certificate and key'
-  ansible.builtin.command: >
-    openssl req -new
-      -x509
-      -extensions v3_ca
-      -config "{{ certificates_ca_directory }}/openssl.cnf"
-      -keyout "{{ certificates_ca_directory_keys }}/ca.key"
-      -out "{{ certificates_ca_directory_certs }}/ca.crt"
-      -passout "file:{{ certificates_ca_directory_keys }}/ca.pwd"
-  args:
-    creates: "{{ certificates_ca_directory_certs }}/ca.crt"
-
-- name: 'Create server key'
-  ansible.builtin.command: >
-    openssl genrsa
-      -out "{{ certificates_ca_directory_keys }}/{{ certificates_server }}.key"
-  args:
-    creates: "{{ certificates_ca_directory_keys }}/{{ certificates_server }}.key"
-
-- name: 'Create server signing request'
-  ansible.builtin.command: >
-    openssl req
-      -new
-      -config "{{ certificates_ca_directory }}/openssl.cnf"
-      -key "{{ certificates_ca_directory_keys }}/{{ certificates_server }}.key"
-      -out "{{ certificates_ca_directory_requests }}/{{ certificates_server }}.csr"
-  args:
-    creates: "{{ certificates_ca_directory_requests }}/{{ certificates_server }}.csr"
-
-- name: 'Create server certificate'
-  ansible.builtin.command: >
-    openssl ca
-      -create_serial
-      -batch
-      -extensions ssl_server
-      -passin "file:{{ certificates_ca_directory_keys }}/ca.pwd"
-      -config "{{ certificates_ca_directory }}/openssl.cnf"
-      -in "{{ certificates_ca_directory_requests }}/{{ certificates_server }}.csr"
-      -out "{{ certificates_ca_directory_certs }}/{{ certificates_server }}.crt"
-  args:
-    creates: "{{ certificates_ca_directory_certs }}/{{ certificates_server }}.crt"
-
-- name: 'Create client key'
-  ansible.builtin.command: >
-    openssl genrsa
-      -out "{{ certificates_ca_directory_keys }}/{{ certificates_client }}.key"
-  args:
-    creates: "{{ certificates_ca_directory_keys }}/{{ certificates_client }}.key"
-
-- name: 'Create client signing request'
-  ansible.builtin.command: >
-    openssl req
-      -new
-      -config "{{ certificates_ca_directory }}/openssl.cnf"
-      -key "{{ certificates_ca_directory_keys }}/{{ certificates_client }}.key"
-      -out "{{ certificates_ca_directory_requests }}/{{ certificates_client }}.csr"
-  args:
-    creates: "{{ certificates_ca_directory_requests }}/{{ certificates_client }}.csr"
-
-- name: 'Create server certificate'
-  ansible.builtin.command: >
-    openssl ca
-      -create_serial
-      -batch
-      -extensions ssl_client
-      -passin "file:{{ certificates_ca_directory_keys }}/ca.pwd"
-      -config "{{ certificates_ca_directory }}/openssl.cnf"
-      -in "{{ certificates_ca_directory_requests }}/{{ certificates_client }}.csr"
-      -out "{{ certificates_ca_directory_certs }}/{{ certificates_client }}.crt"
-  args:
-    creates: "{{ certificates_ca_directory_certs }}/{{ certificates_client }}.crt"
+- name: 'Generate CA certificate'
+  ansible.builtin.include_tasks: ca.yml
+  when: certificates_ca
 
 - name: 'Issue other certificates'
   ansible.builtin.include_tasks: issue.yml