-
Notifications
You must be signed in to change notification settings - Fork 6
Generate a self-signed cert when none is provided #35
Changes from 1 commit
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
This file was deleted.
This file was deleted.
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,15 +1,82 @@ | ||
# https://github.com/ansible/ansible/issues/3107 | ||
- name: Find existing SSL keys | ||
sudo: no | ||
local_action: command test -e roles/common/files/wildcard_private.key | ||
register: custom_cert | ||
ignore_errors: yes | ||
|
||
### Use an existing (valid?) cert, provided by the user ######################## | ||
|
||
- name: Copy SSL private key into place | ||
copy: src=wildcard_private.key dest=/etc/ssl/private/wildcard_private.key group=ssl-cert owner=root mode=640 | ||
copy: > | ||
src=wildcard_private.key | ||
dest=/etc/ssl/private/wildcard_private.key | ||
group=ssl-cert owner=root mode=640 | ||
when: custom_cert|success | ||
|
||
- name: Copy SSL public certificate into place | ||
copy: src=wildcard_public_cert.crt dest=/etc/ssl/certs/wildcard_public_cert.crt group=root owner=root mode=644 | ||
copy: > | ||
src=wildcard_public_cert.crt | ||
dest=/etc/ssl/certs/wildcard_public_cert.crt | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. For a future PR, let's move the keys to one folder (both the .key and the .crt), and let's put it in a place that's recommended by dovecot, which I believe @al3x also created an issue for in sovereign. |
||
group=root owner=root mode=644 | ||
when: custom_cert|success | ||
|
||
- name: Copy CA combined certificate into place | ||
copy: src=wildcard_ca.pem dest=/etc/ssl/certs/wildcard_ca.pem group=root owner=root mode=644 | ||
copy: > | ||
src=wildcard_ca.pem | ||
dest=/etc/ssl/certs/wildcard_ca.pem | ||
group=root owner=root mode=644 | ||
when: custom_cert|success | ||
|
||
- name: Create a combined version of the public cert with intermediate and root CAs | ||
shell: cat /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_ca.pem > | ||
/etc/ssl/certs/wildcard_combined.pem creates=/etc/ssl/certs/wildcard_combined.pem | ||
shell: > | ||
umask 022; | ||
cat /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_ca.pem > | ||
/etc/ssl/certs/wildcard_combined.pem | ||
args: | ||
creates: /etc/ssl/certs/wildcard_combined.pem | ||
when: custom_cert|success | ||
|
||
### If the user didn't provide one, make a self-signed cert #################### | ||
|
||
- name: Copy openssl.cnf | ||
template: > | ||
src=openssl.cnf.j2 | ||
dest=/etc/ssl/private/openssl.cnf | ||
group=root owner=root mode=644 | ||
when: custom_cert|failed | ||
|
||
- name: Generate a private key and CSR | ||
shell: > | ||
umask 027; | ||
openssl req -nodes -newkey rsa:2048 | ||
-config /etc/ssl/private/openssl.cnf | ||
-keyout /etc/ssl/private/wildcard_private.key | ||
-out /etc/ssl/private/wildcard.csr | ||
args: | ||
creates: /etc/ssl/private/wildcard_private.key | ||
when: custom_cert|failed | ||
|
||
- name: Set SSL private key permissions | ||
file: > | ||
path=/etc/ssl/private/wildcard_private.key | ||
group=ssl-cert owner=root mode=640 | ||
when: custom_cert|failed | ||
|
||
- name: Generate a self-signed SSL public key | ||
shell: > | ||
umask 022; | ||
openssl x509 -req -days 3650 | ||
-in /etc/ssl/private/wildcard.csr | ||
-signkey /etc/ssl/private/wildcard_private.key | ||
-out /etc/ssl/certs/wildcard_public_cert.crt | ||
args: | ||
creates: /etc/ssl/certs/wildcard_public_cert.crt | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It's going all over the place! ick It would be better to have all the cert stuff placed in one folder, so that users only have one place to go to delete the stuff, and then they can re-run the script to generate a new keypair. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think this should be a separate PR. |
||
when: custom_cert|failed | ||
|
||
- name: Set permissions on combined public cert | ||
file: name=/etc/ssl/certs/wildcard_combined.pem mode=644 | ||
- name: Link public cert to the combined location | ||
file: > | ||
src=/etc/ssl/certs/wildcard_public_cert.crt | ||
dest=/etc/ssl/certs/wildcard_combined.pem | ||
state=link | ||
when: custom_cert|failed |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
[ ca ] | ||
default_ca = CA_default # The default ca section | ||
name_opt = ca_default # Subject Name options | ||
cert_opt = ca_default # Certificate field options | ||
default_days = 3650 # how long to certify for | ||
default_crl_days = 30 # how long before next CRL | ||
default_md = default # use public key default MD | ||
preserve = no # keep passed DN ordering | ||
policy = policy_anything | ||
|
||
[ req ] | ||
prompt = no | ||
default_bits = 2048 | ||
distinguished_name = req_distinguished_name | ||
attributes = req_attributes | ||
x509_extensions = v3_ca # The extensions to add to the self signed cert | ||
string_mask = utf8only | ||
req_extensions = v3_req | ||
|
||
[ req_attributes ] | ||
unstructuredName = self-signed | ||
|
||
[ req_distinguished_name ] | ||
countryName = US | ||
stateOrProvinceName = self-signed | ||
localityName = doesn't matter | ||
0.organizationName = filler values | ||
organizationalUnitName = go here | ||
commonName = {{ domain }} | ||
emailAddress = {{ admin_email }} | ||
|
||
[ v3_req ] | ||
basicConstraints = CA:FALSE | ||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment | ||
subjectAltName = @alt_names | ||
|
||
[ v3_ca ] | ||
subjectKeyIdentifier=hash | ||
authorityKeyIdentifier=keyid:always,issuer | ||
basicConstraints = CA:true | ||
|
||
[ alt_names ] | ||
{% for dn in mail_virtual_domains %} | ||
DNS.{{ loop.index }} = {{ dn }} | ||
{% endfor %} | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @PiPeep Shouldn't this file be much longer? This doesn't seem to be the complete file from There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I stripped out everything that wasn't needed to generate a self-signed cert. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This key should be in a folder that in the top level directory, not buried deeply within the roles.