Update RHV Certificates

rhv_setup.yml

@@ -9,6 +9,7 @@
     acme_email: ptoal@takeflight.ca
     challenge: dns-01
     dns_provider: dme
+    root_certificate: https://letsencrypt.org/certs/trustid-x3-root.pem.txt
     domains:
       - rhv.mgmt.toal.ca
 
@@ -16,6 +17,7 @@
     - name: Ensure Let's Encrypt Account Exists
       acme_account:
           state: present
+          acme_directory: "{{ acme_directory }}"
           terms_agreed: true
           allow_creation: true
           contact:  
@@ -26,12 +28,82 @@
     - acme-certificate
 
     
-# - name: Install custom CA Certificate in RHV-M
-#   hosts: rhv.lab.toal.ca
+- name: Install custom CA Certificate in RHV-M
+  hosts: rhv.mgmt.toal.ca
+  become: true
   
-#   tasks:
-#     - name: Download LetsEncrypt Root/Intermediate Certificates
+  tasks:
+    - name: Certificate trust in store
+      copy: 
+        src: "{{ acme_rootchain_file }}"
+        dest: /etc/pki/ca-trust/source/anchors/
+      register: rootchain_result
+      notify: restart httpd
+
+    - name: Certificate store updated
+      command: /usr/bin/update-ca-trust
+      when: rootchain_result.changed
+      notify: restart httpd
       
+    - name: CA Rootchain in Apache config
+      copy: 
+        src: "{{ acme_rootchain_file }}"
+        dest: /etc/pki/ovirt-engine/apache-ca.pem
+        backup: yes
+      notify: restart httpd
+
+    - name: Private key installed
+      copy:
+        src: "{{ acme_key_file }}"
+        dest: /etc/pki/ovirt-engine/keys/apache.key.nopass
+        backup: yes
+      notify: restart httpd
+    
+    - name: Certificate installed
+      copy:
+        src: "{{ acme_cert_file }}"
+        dest: /etc/pki/ovirt-engine/certs/apache.cer
+        backup: yes
+      notify: restart httpd
+
+    - name: Trust Store Configuration
+      copy:
+        dest: /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
+        content: |
+          ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
+          ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
+      notify:
+        - restart ovn
+        - restart ovirt-engine
+      
+    - name: Websocket Proxy configuration
+      lineinfile:
+          path: /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
+          state: present
+          backup: yes
+          line: "{{ item }}"
+      loop:
+        - SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache.cer
+        - SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
+      notify:
+        - restart ovn
+        - restart ovirt-engine
+    
+  handlers:
+    - name: restart httpd
+      service:
+        name: httpd
+        state: restarted
+
+    - name: restart ovn
+      service: 
+        name: ovirt-provider-ovn
+        state: restarted
+
+    - name: restart ovirt-engine
+      service: 
+        name: ovirt-engine
+        state: restarted
 
 
 - name: Create RHV/ovirt VLANs
@@ -53,4 +125,4 @@
       loop: "{{ ovirt_networks }}"
       register: networkinfo
 
-    - debug: msg="{{networkinfo}}"
+    - debug: msg="{{networkinfo}}"