chore 📦: Update setupacdc.yml to retrieve certificate chain via openssl s_client

Updated the setupacdc.yml file to include a new command that retrieves the certificate chain for each node using openssl s_client. This change allows for more accurate certificate verification and handling in the setup process.
2025-11-01 18:05:41 +01:00
parent d93b989647
commit 28e2c8492a
1 changed files with 36 additions and 3 deletions
--- a/tasks/setupacdc.yml
+++ b/tasks/setupacdc.yml
@@ -15,6 +15,10 @@
    addc_hostname: "DC1"      
    mac_address: "8E:90:31:DE:31:36"
    node_ip: "{{ hostvars['node0']['ansible_host'] }}"
+    target_port: 8006
+    dest_file: "/tmp/{{ node_ip }}.pem"
+
+

  tasks:

@@ -42,9 +46,32 @@
    #   ansible.builtin.debug:
    #     msg: "The trusted CA store path is: {{ ca_store_path }}"

-    - name: Disable SSL verification for the connection
-      ansible.builtin.set_fact:
-        ansible_ssh_common_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o VerifyHostKeyDNS=no"
+
+    - name: Retrieve certificate chain via openssl s_client
+      command: >
+        openssl s_client -connect {{ node_ip }}:{{ target_port }}
+        -servername {{ node_ip }} -showcerts </dev/null
+      register: s_client
+      changed_when: false
+      failed_when: "'-----BEGIN CERTIFICATE-----' not in s_client.stdout"
+
+    - name: Extract all PEM certificate blocks from output
+      set_fact:
+        cert_blocks: "{{ s_client.stdout | regex_findall('-----BEGIN CERTIFICATE-----(?:.|\\n)*?-----END CERTIFICATE-----') }}"
+
+    - name: Choose which certificate(s) to save (leaf by default)
+      set_fact:
+        cert_to_write: "{{ cert_blocks[0] if cert_blocks|length > 0 else '' }}"
+      when: cert_blocks is defined
+
+    - name: Save the certificate (PEM) to a file on the controller
+      copy:
+        content: "{{ cert_to_write }}\n"
+        dest: "{{ dest_file }}"
+        mode: '0644'
+      when: cert_to_write != ''
+
+


    - name: Download Proxmox's SSL certificate
@@ -63,6 +90,7 @@
    - name: Add the Proxmox certificate to the system's trusted CA store
      ansible.builtin.copy:
        src: "/tmp/proxmox-ca.pem"
+        # src: "{{ dest_file }}"
        dest: "/usr/local/share/ca-certificates/proxmox-ca.crt"
        mode: '0644'
      when: cert_stat.stat.exists
@@ -78,6 +106,11 @@
        state: restarted
      when: cert_stat.stat.exists

+
+
+
+
+
    - name: Install 'proxmoxer' and 'requests' Python libraries for the ansible controller
      ansible.builtin.pip:
        name: