only run uib on first item in vhosts

c7c0a8d8 · Oyvind.Gjesdal · 15d7b24f · c7c0a8d8
Commit c7c0a8d8 authored Jun 10, 2021 by Oyvind.Gjesdal
--- a/tasks/uib_ssl.yml
+++ b/tasks/uib_ssl.yml
@@ -5,6 +5,14 @@
    apache_digicert_uib_archive: "/etc/digicert-uib/archive"
    apache_digicert_uib_csr: "/etc/digicert-uib/csr"

+- name: "register a list of aliases to add to SSL (All aliases must be set in certalias or serveralias. certalias is not added to httpd, but just to config.)"
+  set_fact:
+    ssl_alias: "{{ [ apache_vhosts[0].serveralias | default('deleteme'),  apache_vhosts[0].certalias | default('deleteme') ] | reject('equalto','deleteme') | list }}"
+    
+- name: "debug"
+  debug:
+    msg: "{{ ssl_alias }}"
+
 - name: "install package for mod_ssl"
  package:
    name: "mod_ssl"
@@ -29,7 +37,7 @@
    group: "root"
    mode: "0550"
    setype: "cert_t"
-  loop: "{{ apache_vhosts }}"
+  loop: "{{ apache_vhosts[0] }}"
  when: "item.ssl_type == 'uib'"

 - name: "stat archive"
@@ -49,7 +57,7 @@
    backup: "yes"
    size: "2048"
    setype: "cert_t"
-  loop: "{{ apache_vhosts }}"
+  loop: "{{ apache_vhosts[0] }}"
  when: "item.ssl_type  | default('certbot')== 'uib'"

 - name: "generate an OpenSSL Certificate Signin request"
@@ -61,12 +69,13 @@
    organization_name: "Universitetet_i_Bergen"
    common_name: "{{ item.servername }}"
    subject_altname: "{{ item.altname | default(omit) }}"
-  loop: "{{ apache_vhosts }}"
+  loop: "{{ apache_vhosts[0] }}"
  when: "item.ssl_type  | default('certbot')== 'uib'"
  register: "apache_csr_result"

 - name: "send csr file by mail"
  mail:
+    sender: "ansible@{{ item.servername }}"
    subject: "csr certificate request for {{ item.servername }}"
    to: "{{ item.serveradmin }}"
    attach:
@@ -81,7 +90,7 @@
      Kan du også oppdatere sertifikatdatasen (CMDB) for {{ item.serveradmin }}?
      
      Takk!
-  loop: "{{ apache_vhosts }}"
+  loop: "{{ apache_vhosts[0] }}"
  when: "item.ssl_type  | default('certbot')== 'uib' and apache_csr_result.changed | bool"

 - name: "create symlinks for private keys"
@@ -89,11 +98,11 @@
    state: "link"
    src: "{{ apache_digicert_uib_archive }}/{{ item.servername }}/priv_key.pem"
    dest: "/etc/pki/tls/private/{{item.servername }}.pem"
-  loop: "{{ apache_vhosts }}"
+  loop: "{{ apache_vhosts[0] }}"
  when: "item.ssl_type  | default('certbot')== 'uib'"

 - name: "Get certificate with certificate only"
-  loop: "{{ apache_vhosts }}"
+  loop: "{{ apache_vhosts[0] }}"
  get_url: 
    url: "{{ item.certificate_only_url }}"
    setype: "cert_t"
@@ -103,7 +112,7 @@
  when: "item.ssl_type  | default('certbot')== 'uib' and item.certificate_only_url is defined"

 - name: "Get intermediate certs only"
-  loop: "{{ apache_vhosts }}"
+  loop: "{{ apache_vhosts[0] }}"
  get_url:
    url: "{{ item.certificate_interm_only_url }}"
    setype: "cert_t"
@@ -126,7 +135,7 @@
 #  creates: "{ apache_digicert_uib_archive }}//{{ item.servername }}/cert.pem"

 - name: "Create symlinks for certificates to /etc/pki/"
-  loop: "{{ apache_vhosts }}"
+  loop: "{{ apache_vhosts[0] }}"
  file:
    state: "link"
    src: "{{ apache_digicert_uib_archive }}/{{ item.servername }}/cert.cer"    
@@ -134,7 +143,7 @@
  when: "item.ssl_type  | default('certbot')== 'uib' and item.certificate_only_url is defined"

 - name: "Create symlinks for chains to /etc/pki/"
-  loop: "{{ apache_vhosts }}"
+  loop: "{{ apache_vhosts[0] }}"
  file:
    state: "link"
    src: "{{ apache_digicert_uib_archive }}/{{ item.servername }}/cert_interm.cer"
@@ -152,7 +161,7 @@
      #    validate: "apachectl configtest"
  notify: restart apache
  when: "item.ssl_type  | default('certbot')== 'uib'"
-  loop: "{{ apache_vhosts }}"
+  loop: "{{ apache_vhosts[0] }}"
  vars:
    current_vhost: "{{ item.servername }}"
  become: true