maxhoesel-ansible / ansible-collection-smallstep

Unofficial Ansible Collection for Smallstep CLI and the step-ca server

Home Page: https://github.com/smallstep

Setting a provisioner to sign a SubCA certificate with step ca token

patsevanton opened this issue

Hello! Thanks for ansible-collection-smallstep!
I install step-ca using the role with these variables:

- hosts: smallstep
  become: yes
  tasks:
    - name: Install step-ca
      include_role:
        name: maxhoesel.smallstep.step_ca
      vars:
        step_ca_dns: "ca.mydomain.int"
        step_ca_name: "MyPrivateCA"
        step_ca_root_password: "incredibly secret password"
        step_ca_intermediate_password: "very secret password"

I am trying to create a certificate for a SubCA:

    - name: Generate an OpenSSL certificate signed with your Step-CA
      become: true
      ansible.builtin.shell:
        cmd: step-cli certificate sign --profile intermediate-ca --token $(step-cli ca token ca.mydomain.int --ca-url https://ca.mydomain.int --root root_ca.crt --password-file /etc/step-ca/.password.txt) ipa.csr ipa.crt | sudo tee -a ipa.crt
        chdir: /etc/step-ca/certs
      register: generate_ipa_crt
      vars:
        ansible_ssh_pipelining: no

    - name: stderr
      debug: msg="{{ generate_ipa_crt.stderr }}"

I get this error:

  msg: |-
    cannot create a new token: the CA does not have any provisioner configured
    flag provided but not defined: -token

What type of provisioner do I need to configure to sign a cert for a SubCA?