chore 📦: Update setupacdc.yml to retrieve certificate chain via openssl s_client
Updated the setupacdc.yml file to include a new command that retrieves the certificate chain for each node using openssl s_client. This change allows for more accurate certificate verification and handling in the setup process.
@@ -15,6 +15,10 @@
|
|||||||
addc_hostname: "DC1"
|
addc_hostname: "DC1"
|
||||||
mac_address: "8E:90:31:DE:31:36"
|
mac_address: "8E:90:31:DE:31:36"
|
||||||
node_ip: "{{ hostvars['node0']['ansible_host'] }}"
|
node_ip: "{{ hostvars['node0']['ansible_host'] }}"
|
||||||
|
target_port: 8006
|
||||||
|
dest_file: "/tmp/{{ node_ip }}.pem"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
|
|
||||||
@@ -42,9 +46,32 @@
|
|||||||
# ansible.builtin.debug:
|
# ansible.builtin.debug:
|
||||||
# msg: "The trusted CA store path is: {{ ca_store_path }}"
|
# msg: "The trusted CA store path is: {{ ca_store_path }}"
|
||||||
|
|
||||||
- name: Disable SSL verification for the connection
|
|
||||||
ansible.builtin.set_fact:
|
- name: Retrieve certificate chain via openssl s_client
|
||||||
ansible_ssh_common_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o VerifyHostKeyDNS=no"
|
command: >
|
||||||
|
openssl s_client -connect {{ node_ip }}:{{ target_port }}
|
||||||
|
-servername {{ node_ip }} -showcerts </dev/null
|
||||||
|
register: s_client
|
||||||
|
changed_when: false
|
||||||
|
failed_when: "'-----BEGIN CERTIFICATE-----' not in s_client.stdout"
|
||||||
|
|
||||||
|
- name: Extract all PEM certificate blocks from output
|
||||||
|
set_fact:
|
||||||
|
cert_blocks: "{{ s_client.stdout | regex_findall('-----BEGIN CERTIFICATE-----(?:.|\\n)*?-----END CERTIFICATE-----') }}"
|
||||||
|
|
||||||
|
- name: Choose which certificate(s) to save (leaf by default)
|
||||||
|
set_fact:
|
||||||
|
cert_to_write: "{{ cert_blocks[0] if cert_blocks|length > 0 else '' }}"
|
||||||
|
when: cert_blocks is defined
|
||||||
|
|
||||||
|
- name: Save the certificate (PEM) to a file on the controller
|
||||||
|
copy:
|
||||||
|
content: "{{ cert_to_write }}\n"
|
||||||
|
dest: "{{ dest_file }}"
|
||||||
|
mode: '0644'
|
||||||
|
when: cert_to_write != ''
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- name: Download Proxmox's SSL certificate
|
- name: Download Proxmox's SSL certificate
|
||||||
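Review bot: The `</dev/null` at the end of the `openssl s_client` line is shell syntax, but the task uses the `command` module, which does not run through a shell, so the redirection is handed to openssl as a literal argument instead of closing its stdin; either switch the task to `ansible.builtin.shell` or drop the redirection and feed stdin through the module, e.g. `ansible.builtin.command: >` / `openssl s_client -connect {{ node_ip }}:{{ target_port }} -servername {{ node_ip }} -showcerts` / `stdin: ""`. Setting `failed_when` replaces the module's default non-zero-return-code check, so a run that exits non-zero but still prints a certificate block is treated as success; `failed_when: s_client.rc != 0 or '-----BEGIN CERTIFICATE-----' not in s_client.stdout` keeps both conditions. The certificate is fetched over the very connection it is later meant to validate, so saving `cert_blocks[0]` is a trust-on-first-use decision; a comment saying so above the "Choose which certificate(s) to save" task, plus a comparison of the saved leaf against an out-of-band fingerprint where one is available, would make that explicit. Nothing in the diff consumes `dest_file` afterwards: the trust-store task in the hunk at `@@ -63,6 +90,7 @@` keeps `src: "/tmp/proxmox-ca.pem"` and only adds the `dest_file` line as a comment, and if the intent is to trust the issuing CA rather than one server certificate, the last block of `cert_blocks` is the candidate rather than the first. Stylistically, the new `set_fact` and `copy` tasks are unqualified while the removed line and the later hunk use `ansible.builtin.` FQCNs; `ansible.builtin.set_fact` and `ansible.builtin.copy` would keep the file consistent.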
@@ -63,6 +90,7 @@
|
|||||||
- name: Add the Proxmox certificate to the system's trusted CA store
|
- name: Add the Proxmox certificate to the system's trusted CA store
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
src: "/tmp/proxmox-ca.pem"
|
src: "/tmp/proxmox-ca.pem"
|
||||||
|
# src: "{{ dest_file }}"
|
||||||
dest: "/usr/local/share/ca-certificates/proxmox-ca.crt"
|
dest: "/usr/local/share/ca-certificates/proxmox-ca.crt"
|
||||||
mode: '0644'
|
mode: '0644'
|
||||||
when: cert_stat.stat.exists
|
when: cert_stat.stat.exists
|
||||||
@@ -78,6 +106,11 @@
|
|||||||
state: restarted
|
state: restarted
|
||||||
when: cert_stat.stat.exists
|
when: cert_stat.stat.exists
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- name: Install 'proxmoxer' and 'requests' Python libraries for the ansible controller
|
- name: Install 'proxmoxer' and 'requests' Python libraries for the ansible controller
|
||||||
ansible.builtin.pip:
|
ansible.builtin.pip:
|
||||||
name:
|
name:
|
||||||
|
|||||||