diff --git a/roles/vpn/tasks/openssl.yml b/roles/vpn/tasks/openssl.yml index ada0d4e3..23cde5a0 100644 --- a/roles/vpn/tasks/openssl.yml +++ b/roles/vpn/tasks/openssl.yml @@ -37,9 +37,15 @@ dest: "configs/{{ IP_subject_alt_name }}/pki/openssl.cnf" - name: Build the CA pair - shell: | + shell: > openssl ecparam -name prime256v1 -out ecparams/prime256v1.pem && - openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/cakey.pem -out cacert.pem -x509 -days 3650 -batch -passout pass:"{{ easyrsa_CA_password }}" && + openssl req -utf8 -new + -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} + -config openssl.cnf + -keyout private/cakey.pem + -out cacert.pem -x509 -days 3650 + -batch + -passout pass:"{{ easyrsa_CA_password }}" && touch {{ IP_subject_alt_name }}_ca_generated args: chdir: "configs/{{ IP_subject_alt_name }}/pki/" 
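Review bot: The folded scalar introduced at `shell: >` behaves like the old literal block only because every line break now falls either between arguments of one command or directly after a trailing `&&`, so YAML turning newlines into spaces never joins two commands; that constraint is unstated, and the same conversion in the server-pair, client-pair, p12 and active-users hunks below (the last relying on a trailing `|` instead) depends on it too. A comment above the scalar would make the rule visible to the next editor, e.g. `# folded scalar (>): newlines become spaces, so a line that starts a new command must follow a line ending in '&&'`. The `-passout pass:"..."` form is unchanged by the commit, so the CA password still travels on the process command line as before. The task definition may continue past the last context line of the hunk.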
@@ -60,9 +66,20 @@ creates: serial_generated - name: Build the server pair - shell: | - openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ IP_subject_alt_name }}.key -out reqs/{{ IP_subject_alt_name }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ IP_subject_alt_name }}" -batch && - openssl ca -utf8 -in reqs/{{ IP_subject_alt_name }}.req -out certs/{{ IP_subject_alt_name }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ IP_subject_alt_name }}" && + shell: > + openssl req -utf8 -new + -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} + -config openssl.cnf + -keyout private/{{ IP_subject_alt_name }}.key + -out reqs/{{ IP_subject_alt_name }}.req -nodes + -passin pass:"{{ easyrsa_CA_password }}" + -subj "/CN={{ IP_subject_alt_name }}" -batch && + openssl ca -utf8 + -in reqs/{{ IP_subject_alt_name }}.req + -out certs/{{ IP_subject_alt_name }}.crt + -config openssl.cnf -days 3650 -batch + -passin pass:"{{ easyrsa_CA_password }}" + -subj "/CN={{ IP_subject_alt_name }}" && touch certs/{{ IP_subject_alt_name }}_crt_generated args: chdir: "configs/{{ IP_subject_alt_name }}/pki/" 
@@ -71,9 +88,20 @@ subjectAltName: "DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}" - name: Build the client's pair - shell: | - openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" -batch && - openssl ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" && + shell: > + openssl req -utf8 -new + -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} + -config openssl.cnf + -keyout private/{{ item }}.key + -out reqs/{{ item }}.req -nodes + -passin pass:"{{ easyrsa_CA_password }}" + -subj "/CN={{ item }}" -batch && + openssl ca -utf8 + -in reqs/{{ item }}.req + -out certs/{{ item }}.crt + -config openssl.cnf -days 3650 -batch + -passin pass:"{{ easyrsa_CA_password }}" + -subj "/CN={{ item }}" && touch certs/{{ item }}_crt_generated args: chdir: "configs/{{ IP_subject_alt_name }}/pki/" @@ -84,7 +112,8 @@ - name: Build the client's p12 shell: > - openssl pkcs12 -in certs/{{ item }}.crt + openssl pkcs12 + -in certs/{{ item }}.crt -inkey private/{{ item }}.key -export -name {{ item }} @@ -104,7 +133,7 @@ - "{{ users }}" - name: Get active users - shell: | + shell: > grep ^V index.txt | grep -v "{{ IP_subject_alt_name }}" | awk '{print $5}' | 
@@ -114,12 +143,19 @@ register: valid_certs - name: Revoke non-existing users - shell: | - openssl ca -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt && - openssl ca -gencrl -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt -out crl/{{ item }}.crt - touch crl/{{ item }}_revoked + shell: > + openssl ca + -config openssl.cnf + -passin pass:"{{ easyrsa_CA_password }}" + -revoke certs/{{ item }}.crt && + openssl ca -gencrl + -config openssl.cnf + -passin pass:"{{ easyrsa_CA_password }}" + -revoke certs/{{ item }}.crt + -out crl/{{ item }}.crt + touch crl/{{ item }}_revoked args: - chdir: "configs/{{ IP_subject_alt_name }}/pki/" + chdir: configs/{{ IP_subject_alt_name }}/pki/ creates: crl/{{ item }}_revoked environment: subjectAltName: "DNS:{{ item }}"
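Review bot: In the revoke task the folded `shell: >` merges `touch crl/{{ item }}_revoked` into the preceding `openssl ca -gencrl` command, because `-out crl/{{ item }}.crt` does not end in `&&` and the literal newline that separated the two lines under `|` is now folded to a space; `touch` and the marker path become stray positional arguments that `openssl ca` rejects, the marker file is never created, `creates: crl/{{ item }}_revoked` never short-circuits, and the task fails on every run. The fix is to end that line with `-out crl/{{ item }}.crt &&`, which also makes the marker conditional on the CRL step succeeding — under the old literal block the `touch` ran unconditionally, so a failed revocation would have been skipped forever on later runs; confirm that the conditional form is the intended semantics. Separately, `chdir:` loses its quotes here while the other tasks in this file keep `chdir: "configs/{{ IP_subject_alt_name }}/pki/"`; keep the quoted form for consistency. The remaining keys of this task, if any, are outside the hunk.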