it-team/lmn-client
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
lmn-client/roles/lmn_wlan/tasks/eap-tls_issue-certificate.yaml
Finn Hercke 4dafbd8b85 Move migration from IWD to WPA-supplicant to role 
To ensure that migration only runs when EAP-TLS certificate is installed correctly
2025-03-24 08:56:01 +01:00

112 lines
3.8 KiB
YAML
Raw Blame History

---
# WPA-Enterprise (EAP-TLS) - (re-)enroll certificate on client
- name: Create private key for client certificate
community.crypto.openssl_privatekey:
path: /etc/ssl/private/{{ wlan_ssid }}.key
- name: Check if a certificate is already issued to client
ansible.builtin.stat:
path: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}.crt"
register: cert_already_issued
delegate_to: radius_server
- name: Revoke already existing client certificate
community.crypto.x509_crl:
path: "/etc/freeradius/3.0/certs/ca.crl"
privatekey_path: "/etc/freeradius/3.0/certs/ca.key"
privatekey_passphrase: "{{ wlan_eap_ca.password }}"
crl_mode: "update"
issuer:
C: "{{ wlan_eap_ca.C }}"
ST: "{{ wlan_eap_ca.ST }}"
L: "{{ wlan_eap_ca.L }}"
O: "{{ wlan_eap_ca.O }}"
emailAddress: "{{ wlan_eap_ca.emailAddress }}"
CN: "{{ wlan_eap_ca.CN }}"
last_update: "+0s"
next_update: "+365d"
revoked_certificates:
- path: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}.crt"
revocation_date: "{{ ansible_date_time.iso8601_basic_short | replace('T', '') }}Z"
reason: "unspecified"
delegate_to: radius_server
when: cert_already_issued.stat.exists
- name: Create CSR for client certificate
community.crypto.openssl_csr_pipe:
common_name: "{{ ansible_hostname }}"
country_name: "{{ wlan_eap_ca.C }}"
state_or_province_name: "{{ wlan_eap_ca.ST }}"
locality_name: "{{ wlan_eap_ca.L }}"
organization_name: "{{ wlan_eap_ca.O }}"
privatekey_path: /etc/ssl/private/{{ wlan_ssid }}.key
email_address: "{{ wlan_eap_ca.emailAddress }}"
register: csr
- name: Sign CSR on Radius
community.crypto.x509_certificate_pipe:
csr_content: "{{ csr.csr }}"
provider: ownca
ownca_path: /etc/freeradius/3.0/certs/ca.pem
ownca_privatekey_path: /etc/freeradius/3.0/certs/ca.key
ownca_privatekey_passphrase: "{{ wlan_eap_ca.password }}"
ownca_not_after: +1825d # 5 Years
delegate_to: radius_server
register: certificate
- name: Create issued-Notice folder on radius-server
ansible.builtin.file:
dest: "/etc/freeradius/3.0/certs/issued"
state: directory
mode: '0755'
delegate_to: radius_server
- name: Copy client certificate to radius-server
ansible.builtin.copy:
dest: "/etc/freeradius/3.0/certs/issued/{{ ansible_hostname }}.crt"
mode: "0644"
content: "{{ certificate.certificate }}"
delegate_to: radius_server
- name: Write certificate to client
ansible.builtin.copy:
dest: /etc/ssl/certs/{{ wlan_ssid }}.crt
mode: '0644'
content: "{{ certificate.certificate }}"
- name: Check if NetworkManager config exists {{ wlan_ssid }}
ansible.builtin.stat:
path: /etc/NetworkManager/system-connections/{{ wlan_ssid }}.nmconnection
register: nm_connection
- name: Create or modify connection via nmcli {{ wlan_ssid }}
ansible.builtin.command: >
nmcli c {% if nm_connection.stat.exists %} modify {{ wlan_ssid }} {% else %} add {% endif %}
type wifi
ifname {{ ansible_interfaces | select('search', 'wl.+') | first }}
con-name "{{ wlan_ssid }}"
connection.permissions ""
802-11-wireless.ssid "{{ wlan_ssid }}"
802-11-wireless-security.key-mgmt wpa-eap
802-1x.eap tls
802-1x.identity {{ ansible_hostname }}
802-1x.client-cert /etc/ssl/certs/{{ wlan_ssid }}.crt
802-1x.private-key /etc/ssl/private/{{ wlan_ssid }}.key
802-1x.private-key-password dummy
changed_when: false
# Temporary fix used to migrate from IWD to WPA-Supplicant - Will be removed later
- name: Enable wpa-supplicant
ansible.builtin.systemd:
name: wpa_supplicant.service
enabled: true
- name: Disable iwd
ansible.builtin.systemd:
name: iwd.service
enabled: false
- name: Remove deprecated NetworkManager config
ansible.builtin.blockinfile:
path: /etc/NetworkManager/NetworkManager.conf
state: absent
Reference in a new issue View git blame Copy permalink