Change cert signing from command to module 73/79773/3
authorMilan Verespej <m.verespej@partner.samsung.com>
Wed, 6 Mar 2019 11:32:24 +0000 (12:32 +0100)
committerMilan Verespej <m.verespej@partner.samsung.com>
Thu, 14 Mar 2019 09:10:24 +0000 (10:10 +0100)
With newer Ansible we are now able to sign the Nexus certificate
with our own CA using the openssl_certificate module.

Issue-ID: OOM-1700

Change-Id: Idc54955160caef4a57bd50fc86678923511b5bce
Signed-off-by: Milan Verespej <m.verespej@partner.samsung.com>
ansible/roles/certificates/tasks/generate-certificates.yml
ansible/roles/certificates/templates/v3.ext.j2 [deleted file]

index ac8fe1e..9bf75ff 100644 (file)
     extended_key_usage:
       - serverAuth
     subject_alt_name:
-      "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}"
+      "{{ all_simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}"
 
-- name: Generate v3 extension config file
-  template:
-    src: v3.ext.j2
-    dest: "{{ certificates_local_dir }}/v3.ext"
-
-# Signing certificate is added to Ansible in version 2.7 (release date 04.10.2018)
-# Currently using 2.6.3
 - name: Sign Nexus certificate
-  command: >
-    openssl
-    x509
-    -req
-    -in "{{ certificates_local_dir }}/nexus_server.csr"
-    -extfile "{{ certificates_local_dir }}/v3.ext"
-    -CA "{{ certificates_local_dir }}/rootCA.crt"
-    -CAkey "{{ certificates_local_dir }}/rootCA.key"
-    -CAcreateserial
-    -out "{{ certificates_local_dir }}/nexus_server.crt"
-    -days 3650
-    -sha256
+  openssl_certificate:
+    provider: ownca
+    path: "{{ certificates_local_dir }}/nexus_server.crt"
+    csr_path: "{{ certificates_local_dir }}/nexus_server.csr"
+    ownca_path: "{{ certificates_local_dir }}/rootCA.crt"
+    ownca_privatekey_path: "{{ certificates_local_dir }}/rootCA.key"
+    key_usage:
+      - digitalSignature
+      - nonRepudiation
+      - keyEncipherment
+      - dataEncipherment
+    subject_alt_name:
+      "{{ all_simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}"
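Review bot: The `key_usage` and `subject_alt_name` keys added to the openssl_certificate task are assertonly-provider checks in that module and are not written into the certificate when `provider: ownca` is used; the ownca provider takes its extensions from the CSR, so these two entries are silently ignored and the SAN list will come from the `subject_alt_name` set on the CSR (the context lines at the top of the hunk belong to that CSR task, whose `- name` line is above the hunk). The deleted v3.ext also carried `basicConstraints=CA:FALSE` and `authorityKeyIdentifier=keyid,issuer`, and nothing in the new task restates the non-CA constraint, so unless the openssl_csr task already declares it the Nexus leaf certificate may now be issued without it. I would drop the two ineffective keys here and confirm the CSR task declares `basic_constraints:` / `  - "CA:FALSE"` together with the `key_usage:` list that was previously in v3.ext, adding a short comment such as `# extensions are taken from the CSR; see the openssl_csr task above` on the ownca task so the next reader does not add assertonly-only parameters back.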
diff --git a/ansible/roles/certificates/templates/v3.ext.j2 b/ansible/roles/certificates/templates/v3.ext.j2
deleted file mode 100644 (file)
index 7be946f..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-authorityKeyIdentifier=keyid,issuer
-basicConstraints=CA:FALSE
-keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
-subjectAltName = @alt_names
-
-[alt_names]
-{% for name in all_simulated_hosts -%}
-    DNS.{{ loop.index }} = {{ name }}
-{% endfor %}