From 4b982205bacda9e21c044aaa9c8ddcfc8b1259db Mon Sep 17 00:00:00 2001
From: Finn Hercke
Date: Tue, 11 Mar 2025 12:49:33 +0100
Subject: [PATCH] Revoke already issued certificates on re-enroll

---
 roles/lmn_wlan_8021x/tasks/main.yml | 47 +++++++++++++++++++++--------
 1 file changed, 35 insertions(+), 12 deletions(-)

diff --git a/roles/lmn_wlan_8021x/tasks/main.yml b/roles/lmn_wlan_8021x/tasks/main.yml
index f94b876..62b70fd 100644
--- a/roles/lmn_wlan_8021x/tasks/main.yml
+++ b/roles/lmn_wlan_8021x/tasks/main.yml
@@ -3,6 +3,34 @@
 community.crypto.openssl_privatekey:
 path: /etc/ssl/private/{{ ssid }}.key
+- name: Check if a certificate is already issued to client
+ stat:
+ path: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}.crt"
+ register: cert_already_issued
+ delegate_to: radius_server
+
+- name: Revoke already existing client certificate
+ community.crypto.x509_crl:
+ path: "/etc/freeradius/3.0/certs/ca.crl"
+ privatekey_path: "/etc/freeradius/3.0/certs/ca.key"
+ privatekey_passphrase: "{{ radiusca_password }}"
+ crl_mode: "update"
+ issuer:
+ C: "DE"
+ ST: "Baden-Wuerttemberg"
+ L: "Reutlingen"
+ O: "Ferdinand-von-Steinbeis-Schule Reutlingen"
+ emailAddress: "admin@steinbeis.schule"
+ CN: "Radius Certificate Authority"
+ last_update: "+0s"
+ next_update: "+365d"
+ revoked_certificates:
+ - path: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}.crt"
+ revocation_date: 20250311120100Z
+ reason: "unspecified"
+ delegate_to: radius_server
+ when: cert_already_issued.stat.exists
+
 - name: Create CSR for client certificate
 community.crypto.openssl_csr_pipe:
 common_name: "{{ ansible_hostname }}"
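Review bot: `revocation_date: 20250311120100Z` in the "Revoke already existing client certificate" task is a fixed literal, so every certificate this task ever revokes, including on re-enrolls months from now, is recorded in the CRL with the same 2025-03-11 timestamp; drop the key (the module's default is the current time) or write `revocation_date: "+0s"` to match `last_update`. The preceding stat only looks for `issued/{{ ansible_hostname }}.crt`, but hosts enrolled before this commit have the extension-less serial file that the task removed in the second hunk used to write, so their existing certificates are never revoked on their first re-enroll under the new scheme; a second stat on the legacy path with a `serial_number:` entry in `revoked_certificates` would close that gap. Nothing in the diff reloads the RADIUS service or re-hashes its CA directory after `ca.crl` is rewritten, so unless that is handled elsewhere in the role the updated CRL may not actually be enforced. With `next_update: "+365d"` the CRL also expires if no re-enroll regenerates it within a year, and a server that enforces the CRL will then typically reject every client, not just revoked ones, so the refresh cadence is worth a comment on the task.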
@@ -32,24 +60,19 @@
 mode: '0755'
 delegate_to: radius_server
+- name: Copy client certificate to radius-server
+ ansible.builtin.copy:
+ dest: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}.crt"
+ mode: "0644"
+ content: "{{ certificate.certificate }}"
+ delegate_to: radius_server
+
 - name: Write certificate to client
 ansible.builtin.copy:
 dest: /etc/ssl/certs/{{ ssid }}.crt
 mode: '0644'
 content: "{{ certificate.certificate }}"
-- name: Extract Serial from Certificate
- ansible.builtin.command: 'openssl x509 -noout -serial -in /etc/ssl/certs/{{ ssid }}.crt'
- register: cert_serial
- changed_when: cert_serial.rc != 0
-
-- name: Create issued-Notice-file on radius-server
- ansible.builtin.copy:
- dest: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}"
- mode: '0644'
- content: "{{ cert_serial.stdout }}"
- delegate_to: radius_server
-
 - name: Check if NetworkManager config exists {{ ssid }}
 ansible.builtin.stat:
 path: /etc/NetworkManager/system-connections/{{ ssid }}.nmconnection
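Review bot: The legacy notice file at `issued/{{ ansible_hostname }}` (no extension) that the removed "Create issued-Notice-file on radius-server" task used to write is not cleaned up anywhere in this diff, so hosts enrolled under the old scheme keep a stale serial-only file next to the new `.crt` on the RADIUS server. Once the serial recorded in it is no longer needed (after it has been revoked or confirmed superseded), an `ansible.builtin.file` task with `state: absent` delegated to `radius_server`, placed after the new copy task, removes it. Style: the new copy task writes `mode: "0644"` while the neighbouring tasks use `'0644'`, and the new stat task in the first hunk uses the short name `stat:` where the rest of the file uses `ansible.builtin.stat`; aligning both keeps the file consistent.
```yaml
# … unchanged: "Copy client certificate to radius-server" task …

- name: Remove legacy issued-notice file (serial-only, pre-.crt scheme)
  ansible.builtin.file:
    path: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}"
    state: absent
  delegate_to: radius_server
```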