Revoke already issued certificates on re-enroll

2025-03-11 12:49:33 +01:00 · 2025-03-11 12:49:33 +01:00 · 4b982205ba
commit 4b982205ba
parent 831f453512
1 changed files with 35 additions and 12 deletions
--- a/roles/lmn_wlan_8021x/tasks/main.yml
+++ b/roles/lmn_wlan_8021x/tasks/main.yml
@ -3,6 +3,34 @@
  community.crypto.openssl_privatekey:
    path: /etc/ssl/private/{{ ssid }}.key

+- name: Check if a certificate is already issued to client
+  stat:
+    path: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}.crt"
+  register: cert_already_issued
+  delegate_to: radius_server
+
+- name: Revoke already existing client certificate
+  community.crypto.x509_crl:
+    path: "/etc/freeradius/3.0/certs/ca.crl"
+    privatekey_path: "/etc/freeradius/3.0/certs/ca.key"
+    privatekey_passphrase: "{{ radiusca_password }}"
+    crl_mode: "update"
+    issuer:
+      C: "DE"
+      ST: "Baden-Wuerttemberg"
+      L: "Reutlingen"
+      O: "Ferdinand-von-Steinbeis-Schule Reutlingen"
+      emailAddress: "admin@steinbeis.schule"
+      CN: "Radius Certificate Authority"
+    last_update: "+0s"
+    next_update: "+365d"
+    revoked_certificates:
+      - path: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}.crt"
+        revocation_date: 20250311120100Z
+        reason: "unspecified"
+  delegate_to: radius_server
+  when: cert_already_issued.stat.exists
+
 - name: Create CSR for client certificate
  community.crypto.openssl_csr_pipe:
    common_name: "{{ ansible_hostname }}"
@ -32,24 +60,19 @@
    mode: '0755'
  delegate_to: radius_server

+- name: Copy client certificate to radius-server
+  ansible.builtin.copy:
+    dest: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}.crt"
+    mode: "0644"
+    content: "{{ certificate.certificate }}"
+  delegate_to: radius_server
+
 - name: Write certificate to client
  ansible.builtin.copy:
    dest: /etc/ssl/certs/{{ ssid }}.crt
    mode: '0644'
    content: "{{ certificate.certificate }}"

- name: Extract Serial from Certificate
-  ansible.builtin.command: 'openssl x509 -noout -serial -in /etc/ssl/certs/{{ ssid }}.crt'
-  register: cert_serial
-  changed_when: cert_serial.rc != 0
-
- name: Create issued-Notice-file on radius-server
-  ansible.builtin.copy:
-    dest: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}"
-    mode: '0644'
-    content: "{{ cert_serial.stdout }}"
-  delegate_to: radius_server
-
 - name: Check if NetworkManager config exists {{ ssid }}
  ansible.builtin.stat:
    path: /etc/NetworkManager/system-connections/{{ ssid }}.nmconnection