step_ca_certificates: implement state, drop step_ra_revoke (#353)

* step_ca_certificate: add new parameters

* step_ca_certificate: implement state, drop step_ca_revoke module

Fixes #188
Fixes #121

roles/step_acme_cert/molecule/converge.yml

@@ -5,28 +5,64 @@
     webroots:
       Debian: /var/www/html
       RedHat: /usr/share/nginx/html
-    webgroup:
+    web_user:
       Debian: www-data
       RedHat: nginx
+    # Shared parameters
+    step_acme_cert_duration: 1h
+    step_acme_cert_renewal_when: 59m # force renewal to happen every minute
+    step_acme_cert_renewal_reload_services: ["nginx"]
+    certs_directory: /etc/ssl/step-certs
   tasks:
-    - name: Test getting a standalone cert
+    - name: step-certs directory exists
+      ansible.builtin.file:
+        path: "{{ certs_directory }}"
+        owner: "{{ step_acme_cert_user }}"
+        group: "{{ web_user[ansible_os_family] }}"
+        mode: "750"
+        state: directory
+
+    # this is just to test standalone behavior, this certificate is not used by the nginx setup
+    - name: Test getting a standalone cert (not used by nginx)
       include_role:
         name: step_acme_cert
+      vars:
+        step_acme_cert_certfile:
+          path: "{{ certs_directory }}/standalone.cert"
+          mode: "644"
+          group: "{{ web_user[ansible_os_family] }}"
+        step_acme_cert_keyfile:
+          path: "{{ certs_directory }}/standalone.key"
+          mode: "640"
+          group: "{{ web_user[ansible_os_family] }}"
+        step_acme_cert_renewal_service: step-renew-standalone
 
+    # this is done so that we can write our ACME token as the nginx user while getting a certificate.
+    - name: Set .well-known directory permissions to nginx
+      ansible.builtin.file:
+        path: "{{ webroots[ansible_os_family] }}/.well-known"
+        owner: "{{ web_user[ansible_os_family] }}"
+        group: root
+        mode: "755"
+        state: directory
     - name: Start nginx
       systemd:
         name: nginx
         state: started
-
     - name: Get cert via webroot
       include_role:
         name: step_acme_cert
       vars:
+        step_acme_cert_certfile:
+          path: "{{ certs_directory }}/webroot.cert"
+          mode: "644"
+          group: "{{ web_user[ansible_os_family] }}"
+        step_acme_cert_keyfile:
+          path: "{{ certs_directory }}/webroot.key"
+          mode: "640"
+          group: "{{ web_user[ansible_os_family] }}"
         step_acme_cert_webroot_path: "{{ webroots[ansible_os_family] }}"
-        step_acme_cert_duration: 1h
         step_acme_cert_renewal_service: step-renew-webroot
-        step_acme_cert_renewal_when: 59m # force renewal to happen every minute
-        step_acme_cert_renewal_reload_services: ["nginx"]
 
     - name: Install Nginx site [Debian]
       template:

roles/step_acme_cert/molecule/default/molecule.yml

@@ -136,15 +136,6 @@ provisioner:
       all:
         # Test legacy steppath behavior
         step_cli_steppath: /etc/step-cli-molecule
+        step_acme_cert_user: root
         step_acme_cert_ca_provisioner: ACME
         step_bootstrap_ca_url: https://step-ca:9000
-
-        certfile: /etc/ssl/step.crt
-        keyfile: /etc/ssl/step.key
-
-        step_acme_cert_certfile:
-          mode: "644"
-          group: "{{ webgroup[ansible_os_family] }}"
-        step_acme_cert_keyfile:
-          mode: "640"
-          group: "{{ webgroup[ansible_os_family] }}"

roles/step_acme_cert/molecule/non_root/molecule.yml

@@ -134,19 +134,7 @@ provisioner:
       ca:
         step_ca_user: step-ca
       all:
-        step_acme_cert_user: max
+        step_acme_cert_user: "{{ web_user[ansible_os_family] }}"
         step_acme_cert_steppath: "/home/max/custom-steppath"
         step_acme_cert_ca_provisioner: ACME
         step_bootstrap_ca_url: https://step-ca:9000
-
-        certfile: /etc/ssl/non-root/nginx-test.cert
-        keyfile: /etc/ssl/non-root/nginx-test.key
-
-        step_acme_cert_certfile:
-          path: /etc/ssl/non-root/nginx-test.cert
-          mode: "644"
-          group: "{{ webgroup[ansible_os_family] }}"
-        step_acme_cert_keyfile:
-          path: /etc/ssl/non-root/nginx-test.key
-          mode: "640"
-          group: "{{ webgroup[ansible_os_family] }}"

roles/step_acme_cert/molecule/non_root/prepare.yml

@@ -25,7 +25,7 @@
 
 - hosts: clients
   vars:
-    webgroup:
+    web_user:
       Debian: www-data
       RedHat: nginx
   tasks:
@@ -38,31 +38,19 @@
         state: stopped
         enabled: no
 
-    - name: Create test user
-      ansible.builtin.user:
-        name: max
-        create_home: yes
-    - name: Create certificate directory
-      ansible.builtin.file:
-        state: directory
-        path: /etc/ssl/non-root
-        owner: max
-        group: "{{ webgroup[ansible_os_family] }}"
-        mode: "750"
-
-    - name: Get CA fingerprint
+    - name: Get CA fingerprint # noqa: run-once[task]
       ansible.builtin.command: docker exec step-ca step certificate fingerprint certs/root_ca.crt
       register: _ca_fingerprint
       changed_when: false
       check_mode: false
       run_once: true
       delegate_to: localhost
 
-    - name: Bootstrap host
+    - name: Bootstrap nginx host
       include_role:
         name: maxhoesel.smallstep.step_bootstrap_host
       vars:
         step_bootstrap_fingerprint: "{{ _ca_fingerprint.stdout }}"
         step_bootstrap_users:
-          - user: max
+          - user: "{{ web_user[ansible_os_family] }}"
             steppath: "{{ step_acme_cert_steppath }}"

roles/step_acme_cert/molecule/templates/nginx.conf

@@ -38,8 +38,8 @@ http {
         listen 443 ssl default_server;
 	    listen [::]:443 ssl default_server;
 
-        ssl_certificate {{ certfile}};
-        ssl_certificate_key {{ keyfile }};
+        ssl_certificate {{ certs_directory }}/webroot.cert;
+        ssl_certificate_key {{ certs_directory }}/webroot.key;
 
         location / {
         }

roles/step_acme_cert/molecule/templates/nginx_site.conf

@@ -7,8 +7,8 @@ server {
 
 	root /var/www/html;
 
-    ssl_certificate {{ certfile}};
-    ssl_certificate_key {{ keyfile }};
+    ssl_certificate {{ certs_directory }}/webroot.cert;
+    ssl_certificate_key {{ certs_directory }}/webroot.key;
 
 	index index.html index.htm index.nginx-debian.html;
 

roles/step_acme_cert/molecule/verify.yml

@@ -9,7 +9,7 @@
       assert:
         that:
           - ansible_facts.services["nginx.service"]["state"] == "running"
-          - ansible_facts.services["step-renew.service"]["state"] == "running"
+          - ansible_facts.services["step-renew-standalone.service"]["state"] == "running"
           - ansible_facts.services["step-renew-webroot.service"]["state"] == "running"
       register: _res
       retries: 3
@@ -27,7 +27,7 @@
       assert:
         that:
           - ansible_facts.services["nginx.service"]["state"] == "running"
-          - ansible_facts.services["step-renew.service"]["state"] == "running"
+          - ansible_facts.services["step-renew-standalone.service"]["state"] == "running"
           - ansible_facts.services["step-renew-webroot.service"]["state"] == "running"
       register: _res
       retries: 3

roles/step_acme_cert/tasks/main.yml

@@ -12,20 +12,32 @@
     step_acme_cert_keyfile_full: "{{ step_acme_cert_keyfile_defaults | combine(step_acme_cert_keyfile) }}"
     step_acme_cert_certfile_full: "{{ step_acme_cert_certfile_defaults | combine(step_acme_cert_certfile) }}"
 
-- name: Look for existing certificate
-  ansible.builtin.stat:
-    path: "{{ step_acme_cert_certfile_full.path }}"
-  register: step_acme_cert_current_cert
+- name: Get certificate from CA
+  maxhoesel.smallstep.step_ca_certificate:
+    provisioner: "{{ step_acme_cert_ca_provisioner }}"
+    contact: "{{ step_acme_cert_contact }}"
+    crt_file: "{{ step_acme_cert_certfile_full.path }}"
+    key_file: "{{ step_acme_cert_keyfile_full.path }}"
+    state: present
+    name: "{{ step_acme_cert_name }}"
+    not_after: "{{ step_acme_cert_duration | default(omit) }}"
+    san: "{{ step_acme_cert_san }}"
+    standalone: "{{ step_acme_cert_webroot_path | bool }}"
+    step_cli_executable: "{{ step_cli_executable }}"
+    webroot: "{{ step_acme_cert_webroot_path }}"
+  become: yes
+  become_user: "{{ step_acme_cert_user }}"
+  environment:
+    STEPPATH: "{{ _resolved_steppath }}"
 
-- name: Check if certificate is valid
-  ansible.builtin.command: "{{ step_cli_executable }} certificate verify {{ step_acme_cert_certfile_full.path }}"
-  changed_when: no
-  check_mode: no
-  ignore_errors: true
-  register: _step_acme_cert_validity
-  when: step_acme_cert_current_cert.stat.exists
-
-- ansible.builtin.include_tasks: get_cert.yml
-  when: 'not step_acme_cert_current_cert.stat.exists or "failed to verify certificate" in _step_acme_cert_validity.stderr'
+- name: Cert and key permissions are set
+  file:
+    path: "{{ item.path }}"
+    mode: "{{ item.mode }}"
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+  loop:
+    - "{{ step_acme_cert_keyfile_full }}"
+    - "{{ step_acme_cert_certfile_full }}"
 
 - ansible.builtin.include_tasks: renewal.yml