|
|
|
---
|
|
|
|
## SET UP ACCOUNT KEYS ########################################################################
|
|
|
|
- name: Create ECC256 account key
|
|
|
|
command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem
|
|
|
|
- name: Create ECC384 account key
|
|
|
|
command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem
|
|
|
|
- name: Create RSA-2048 account key
|
|
|
|
command: openssl genrsa -out {{ output_dir }}/account-rsa2048.pem 2048
|
|
|
|
## SET UP ACCOUNTS ############################################################################
|
|
|
|
- name: Make sure ECC256 account hasn't been created yet
|
|
|
|
acme_account:
|
|
|
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
|
|
|
acme_version: 2
|
|
|
|
acme_directory: https://{{ acme_host }}:14000/dir
|
|
|
|
validate_certs: no
|
|
|
|
account_key_src: "{{ output_dir }}/account-ec256.pem"
|
|
|
|
state: absent
|
|
|
|
- name: Create ECC384 account
|
|
|
|
acme_account:
|
|
|
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
|
|
|
acme_version: 2
|
|
|
|
acme_directory: https://{{ acme_host }}:14000/dir
|
|
|
|
validate_certs: no
|
|
|
|
account_key_content: "{{ lookup('file', output_dir ~ '/account-ec384.pem') }}"
|
|
|
|
state: present
|
|
|
|
allow_creation: yes
|
|
|
|
terms_agreed: yes
|
|
|
|
contact:
|
|
|
|
- mailto:example@example.org
|
|
|
|
- mailto:example@example.com
|
|
|
|
- name: Create RSA-2048 account
|
|
|
|
acme_account:
|
|
|
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
|
|
|
acme_version: 2
|
|
|
|
acme_directory: https://{{ acme_host }}:14000/dir
|
|
|
|
validate_certs: no
|
|
|
|
account_key_src: "{{ output_dir }}/account-rsa2048.pem"
|
|
|
|
state: present
|
|
|
|
allow_creation: yes
|
|
|
|
terms_agreed: yes
|
|
|
|
contact: []
|
|
|
|
## OBTAIN CERTIFICATES ########################################################################
|
|
|
|
- name: Obtain cert 1
|
|
|
|
include_tasks: obtain-cert.yml
|
|
|
|
vars:
|
|
|
|
certgen_title: Certificate 1
|
|
|
|
certificate_name: cert-1
|
|
|
|
key_type: rsa
|
|
|
|
rsa_bits: 2048
|
|
|
|
subject_alt_name: "DNS:example.com"
|
|
|
|
subject_alt_name_critical: no
|
|
|
|
account_key: account-ec256
|
|
|
|
challenge: http-01
|
|
|
|
modify_account: yes
|
|
|
|
deactivate_authzs: no
|
|
|
|
force: no
|
|
|
|
remaining_days: 10
|
|
|
|
terms_agreed: yes
|
|
|
|
account_email: "example@example.org"
|
|
|
|
- name: Obtain cert 2
|
|
|
|
include_tasks: obtain-cert.yml
|
|
|
|
vars:
|
|
|
|
certgen_title: Certificate 2
|
|
|
|
certificate_name: cert-2
|
|
|
|
key_type: ec256
|
|
|
|
subject_alt_name: "DNS:*.example.com,DNS:example.com"
|
|
|
|
subject_alt_name_critical: yes
|
|
|
|
account_key: account-ec384
|
|
|
|
challenge: dns-01
|
|
|
|
modify_account: no
|
|
|
|
deactivate_authzs: yes
|
|
|
|
force: no
|
|
|
|
remaining_days: 10
|
|
|
|
terms_agreed: no
|
|
|
|
account_email: ""
|
|
|
|
- name: Obtain cert 3
|
|
|
|
include_tasks: obtain-cert.yml
|
|
|
|
vars:
|
|
|
|
certgen_title: Certificate 3
|
|
|
|
certificate_name: cert-3
|
|
|
|
key_type: ec384
|
|
|
|
subject_alt_name: "DNS:*.example.com,DNS:example.org,DNS:t1.example.com"
|
|
|
|
subject_alt_name_critical: no
|
|
|
|
account_key_content: "{{ lookup('file', output_dir ~ '/account-rsa2048.pem') }}"
|
|
|
|
challenge: dns-01
|
|
|
|
modify_account: no
|
|
|
|
deactivate_authzs: no
|
|
|
|
force: no
|
|
|
|
remaining_days: 10
|
|
|
|
terms_agreed: no
|
|
|
|
account_email: ""
|
|
|
|
- name: Obtain cert 4
|
|
|
|
include_tasks: obtain-cert.yml
|
|
|
|
vars:
|
|
|
|
certgen_title: Certificate 4
|
|
|
|
certificate_name: cert-4
|
|
|
|
key_type: rsa
|
|
|
|
rsa_bits: 2048
|
|
|
|
subject_alt_name: "DNS:example.com,DNS:t1.example.com,DNS:test.t2.example.com,DNS:example.org,DNS:test.example.org"
|
|
|
|
subject_alt_name_critical: no
|
|
|
|
account_key: account-rsa2048
|
|
|
|
challenge: http-01
|
|
|
|
modify_account: no
|
|
|
|
deactivate_authzs: yes
|
|
|
|
force: yes
|
|
|
|
remaining_days: 10
|
|
|
|
terms_agreed: no
|
|
|
|
account_email: ""
|
|
|
|
- name: Obtain cert 5
|
|
|
|
include_tasks: obtain-cert.yml
|
|
|
|
vars:
|
|
|
|
certgen_title: Certificate 5, Iteration 1/4
|
|
|
|
certificate_name: cert-5
|
|
|
|
key_type: ec521
|
|
|
|
subject_alt_name: "DNS:t2.example.com"
|
|
|
|
subject_alt_name_critical: no
|
|
|
|
account_key: account-ec384
|
|
|
|
challenge: http-01
|
|
|
|
modify_account: no
|
|
|
|
deactivate_authzs: yes
|
|
|
|
force: yes
|
|
|
|
remaining_days: 10
|
|
|
|
terms_agreed: no
|
|
|
|
account_email: ""
|
|
|
|
- name: Obtain cert 5 (should not, since already there and valid for more than 10 days)
|
|
|
|
include_tasks: obtain-cert.yml
|
|
|
|
vars:
|
|
|
|
certgen_title: Certificate 5, Iteration 2/4
|
|
|
|
certificate_name: cert-5
|
|
|
|
key_type: ec521
|
|
|
|
subject_alt_name: "DNS:t2.example.com"
|
|
|
|
subject_alt_name_critical: no
|
|
|
|
account_key: account-ec384
|
|
|
|
challenge: http-01
|
|
|
|
modify_account: no
|
|
|
|
deactivate_authzs: yes
|
|
|
|
force: no
|
|
|
|
remaining_days: 10
|
|
|
|
terms_agreed: no
|
|
|
|
account_email: ""
|
|
|
|
- set_fact:
|
|
|
|
cert_5_recreate_1: "{{ challenge_data is changed }}"
|
|
|
|
- name: Obtain cert 5 (should again by less days)
|
|
|
|
include_tasks: obtain-cert.yml
|
|
|
|
vars:
|
|
|
|
certgen_title: Certificate 5, Iteration 3/4
|
|
|
|
certificate_name: cert-5
|
|
|
|
key_type: ec521
|
|
|
|
subject_alt_name: "DNS:t2.example.com"
|
|
|
|
subject_alt_name_critical: no
|
|
|
|
account_key: account-ec384
|
|
|
|
challenge: http-01
|
|
|
|
modify_account: no
|
|
|
|
deactivate_authzs: yes
|
|
|
|
force: yes
|
|
|
|
remaining_days: 1000
|
|
|
|
terms_agreed: no
|
|
|
|
account_email: ""
|
|
|
|
- set_fact:
|
|
|
|
cert_5_recreate_2: "{{ challenge_data is changed }}"
|
|
|
|
- name: Obtain cert 5 (should again by force)
|
|
|
|
include_tasks: obtain-cert.yml
|
|
|
|
vars:
|
|
|
|
certgen_title: Certificate 5, Iteration 4/4
|
|
|
|
certificate_name: cert-5
|
|
|
|
key_type: ec521
|
|
|
|
subject_alt_name: "DNS:t2.example.com"
|
|
|
|
subject_alt_name_critical: no
|
|
|
|
account_key_content: "{{ lookup('file', output_dir ~ '/account-ec384.pem') }}"
|
|
|
|
challenge: http-01
|
|
|
|
modify_account: no
|
|
|
|
deactivate_authzs: yes
|
|
|
|
force: yes
|
|
|
|
remaining_days: 10
|
|
|
|
terms_agreed: no
|
|
|
|
account_email: ""
|
|
|
|
- set_fact:
|
|
|
|
cert_5_recreate_3: "{{ challenge_data is changed }}"
|
|
|
|
- name: Obtain cert 6
|
|
|
|
include_tasks: obtain-cert.yml
|
|
|
|
vars:
|
|
|
|
certgen_title: Certificate 6
|
|
|
|
certificate_name: cert-6
|
|
|
|
key_type: rsa
|
|
|
|
rsa_bits: 2048
|
|
|
|
subject_alt_name: "DNS:example.org"
|
|
|
|
subject_alt_name_critical: no
|
|
|
|
account_key: account-ec256
|
|
|
|
challenge: tls-alpn-01
|
|
|
|
modify_account: yes
|
|
|
|
deactivate_authzs: no
|
|
|
|
force: no
|
|
|
|
remaining_days: 10
|
|
|
|
terms_agreed: yes
|
|
|
|
account_email: "example@example.org"
|
|
|
|
- name: Obtain cert 7
|
|
|
|
include_tasks: obtain-cert.yml
|
|
|
|
vars:
|
|
|
|
certgen_title: Certificate 7
|
|
|
|
certificate_name: cert-7
|
|
|
|
key_type: rsa
|
|
|
|
rsa_bits: 2048
|
|
|
|
subject_alt_name:
|
|
|
|
- "IP:127.0.0.1"
|
|
|
|
# - "IP:::1"
|
|
|
|
subject_alt_name_critical: no
|
|
|
|
account_key: account-ec256
|
|
|
|
challenge: http-01
|
|
|
|
modify_account: yes
|
|
|
|
deactivate_authzs: no
|
|
|
|
force: no
|
|
|
|
remaining_days: 10
|
|
|
|
terms_agreed: yes
|
|
|
|
account_email: "example@example.org"
|
|
|
|
- name: Obtain cert 8
|
|
|
|
include_tasks: obtain-cert.yml
|
|
|
|
vars:
|
|
|
|
certgen_title: Certificate 8
|
|
|
|
certificate_name: cert-8
|
|
|
|
key_type: rsa
|
|
|
|
rsa_bits: 2048
|
|
|
|
subject_alt_name:
|
|
|
|
- "IP:127.0.0.1"
|
|
|
|
# IPv4 only since our test validation server doesn't work
|
|
|
|
# with IPv6 (thanks to Python's socketserver).
|
|
|
|
subject_alt_name_critical: no
|
|
|
|
account_key: account-ec256
|
|
|
|
challenge: tls-alpn-01
|
|
|
|
challenge_alpn_tls: acme_challenge_cert_helper
|
|
|
|
modify_account: yes
|
|
|
|
deactivate_authzs: no
|
|
|
|
force: no
|
|
|
|
remaining_days: 10
|
|
|
|
terms_agreed: yes
|
|
|
|
account_email: "example@example.org"
|
|
|
|
## DISSECT CERTIFICATES #######################################################################
|
|
|
|
# Make sure certificates are valid. Root certificate for Pebble equals the chain certificate.
|
|
|
|
- name: Verifying cert 1
|
|
|
|
command: openssl verify -CAfile "{{ output_dir }}/cert-1-root.pem" -untrusted "{{ output_dir }}/cert-1-chain.pem" "{{ output_dir }}/cert-1.pem"
|
|
|
|
ignore_errors: yes
|
|
|
|
register: cert_1_valid
|
|
|
|
- name: Verifying cert 2
|
|
|
|
command: openssl verify -CAfile "{{ output_dir }}/cert-2-root.pem" -untrusted "{{ output_dir }}/cert-2-chain.pem" "{{ output_dir }}/cert-2.pem"
|
|
|
|
ignore_errors: yes
|
|
|
|
register: cert_2_valid
|
|
|
|
- name: Verifying cert 3
|
|
|
|
command: openssl verify -CAfile "{{ output_dir }}/cert-3-root.pem" -untrusted "{{ output_dir }}/cert-3-chain.pem" "{{ output_dir }}/cert-3.pem"
|
|
|
|
ignore_errors: yes
|
|
|
|
register: cert_3_valid
|
|
|
|
- name: Verifying cert 4
|
|
|
|
command: openssl verify -CAfile "{{ output_dir }}/cert-4-root.pem" -untrusted "{{ output_dir }}/cert-4-chain.pem" "{{ output_dir }}/cert-4.pem"
|
|
|
|
ignore_errors: yes
|
|
|
|
register: cert_4_valid
|
|
|
|
- name: Verifying cert 5
|
|
|
|
command: openssl verify -CAfile "{{ output_dir }}/cert-5-root.pem" -untrusted "{{ output_dir }}/cert-5-chain.pem" "{{ output_dir }}/cert-5.pem"
|
|
|
|
ignore_errors: yes
|
|
|
|
register: cert_5_valid
|
|
|
|
- name: Verifying cert 6
|
|
|
|
command: openssl verify -CAfile "{{ output_dir }}/cert-6-root.pem" -untrusted "{{ output_dir }}/cert-6-chain.pem" "{{ output_dir }}/cert-6.pem"
|
|
|
|
ignore_errors: yes
|
|
|
|
register: cert_6_valid
|
|
|
|
- name: Verifying cert 7
|
|
|
|
command: openssl verify -CAfile "{{ output_dir }}/cert-7-root.pem" -untrusted "{{ output_dir }}/cert-7-chain.pem" "{{ output_dir }}/cert-7.pem"
|
|
|
|
ignore_errors: yes
|
|
|
|
register: cert_7_valid
|
|
|
|
- name: Verifying cert 8
|
|
|
|
command: openssl verify -CAfile "{{ output_dir }}/cert-8-root.pem" -untrusted "{{ output_dir }}/cert-8-chain.pem" "{{ output_dir }}/cert-8.pem"
|
|
|
|
ignore_errors: yes
|
|
|
|
register: cert_8_valid
|
|
|
|
# Dump certificate info
|
|
|
|
- name: Dumping cert 1
|
|
|
|
command: openssl x509 -in "{{ output_dir }}/cert-1.pem" -noout -text
|
|
|
|
register: cert_1_text
|
|
|
|
- name: Dumping cert 2
|
|
|
|
command: openssl x509 -in "{{ output_dir }}/cert-2.pem" -noout -text
|
|
|
|
register: cert_2_text
|
|
|
|
- name: Dumping cert 3
|
|
|
|
command: openssl x509 -in "{{ output_dir }}/cert-3.pem" -noout -text
|
|
|
|
register: cert_3_text
|
|
|
|
- name: Dumping cert 4
|
|
|
|
command: openssl x509 -in "{{ output_dir }}/cert-4.pem" -noout -text
|
|
|
|
register: cert_4_text
|
|
|
|
- name: Dumping cert 5
|
|
|
|
command: openssl x509 -in "{{ output_dir }}/cert-5.pem" -noout -text
|
|
|
|
register: cert_5_text
|
|
|
|
- name: Dumping cert 6
|
|
|
|
command: openssl x509 -in "{{ output_dir }}/cert-6.pem" -noout -text
|
|
|
|
register: cert_6_text
|
|
|
|
- name: Dumping cert 7
|
|
|
|
command: openssl x509 -in "{{ output_dir }}/cert-7.pem" -noout -text
|
|
|
|
register: cert_7_text
|
|
|
|
- name: Dumping cert 8
|
|
|
|
command: openssl x509 -in "{{ output_dir }}/cert-8.pem" -noout -text
|
|
|
|
register: cert_8_text
|