2018-12-23 09:00:12 +00:00
|
|
|
---
|
|
|
|
|
|
|
|
- set_fact:
|
|
|
|
matrix_ssl_certificate_csr_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/csr.csr"
|
|
|
|
matrix_ssl_certificate_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
|
|
|
|
matrix_ssl_certificate_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem"
|
|
|
|
|
|
|
|
- name: Check if SSL certificate file exists
|
|
|
|
stat:
|
|
|
|
path: "{{ matrix_ssl_certificate_cert_path }}"
|
|
|
|
register: matrix_ssl_certificate_cert_path_stat_result
|
|
|
|
|
|
|
|
# In order to do any sort of generation (below), we need to ensure the directory exists first
|
|
|
|
- name: Ensure SSL certificate directory exists
|
|
|
|
file:
|
|
|
|
path: "{{ matrix_ssl_certificate_csr_path|dirname }}"
|
|
|
|
state: directory
|
|
|
|
mode: 0750
|
|
|
|
owner: "{{ matrix_user_username }}"
|
|
|
|
group: "{{ matrix_user_username }}"
|
|
|
|
when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"
|
|
|
|
|
|
|
|
# The proper way to do this is by using a sequence of
|
|
|
|
# `openssl_privatekey`, `openssl_csr` and `openssl_certificate`.
|
|
|
|
#
|
|
|
|
# Unfortunately, `openssl_csr` and `openssl_certificate` require `PyOpenSSL>=0.15` to work,
|
|
|
|
# which is not available on CentOS 7 (at least).
|
|
|
|
#
|
|
|
|
# We'll do it in a more manual way.
|
|
|
|
- name: Generate SSL certificate
|
|
|
|
command: |
|
|
|
|
openssl req -x509 \
|
|
|
|
-sha256 \
|
|
|
|
-newkey rsa:4096 \
|
|
|
|
-nodes \
|
|
|
|
-subj "/CN={{ domain_name }}" \
|
|
|
|
-keyout {{ matrix_ssl_certificate_cert_key_path }} \
|
|
|
|
-out {{ matrix_ssl_certificate_cert_path }} \
|
|
|
|
-days 3650
|
2019-02-02 15:32:13 +00:00
|
|
|
become: true
|
|
|
|
become_user: "{{ matrix_user_username }}"
|
|
|
|
when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"
|