Skip to content
This repository has been archived by the owner on Apr 20, 2022. It is now read-only.

Generate a self-signed cert when none is provided #35

Merged
merged 2 commits into from
Nov 22, 2014
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 3 additions & 6 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -112,13 +112,10 @@ Lastly, test your certificate:

#### Self-signed TLS certificate

Self-signed certs are free, easy, but are not yet authenticated by TLS (but [will be](https://github.com/okTurtles/dnschain)).

To create a self-signed TLS cert, run the following commands:
If you don't purchase or set up an existing certificate, empress will generate
one for you on the server.

openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -out mycert.csr
openssl x509 -req -days 365 -in mycert.csr -signkey roles/common/files/wildcard_private.key -out roles/common/files/wildcard_public_cert.crt
cp roles/common/files/wildcard_public_cert.crt roles/common/files/wildcard_ca.pem
Self-signed certs are free, easy, but are not yet authenticated by TLS (but [will be](https://github.com/okTurtles/dnschain)).

### 2. Get a Tarsnap machine key

Expand Down
20 changes: 0 additions & 20 deletions roles/common/files/wildcard_ca.pem

This file was deleted.

27 changes: 0 additions & 27 deletions roles/common/files/wildcard_private.key

This file was deleted.

20 changes: 0 additions & 20 deletions roles/common/files/wildcard_public_cert.crt

This file was deleted.

81 changes: 74 additions & 7 deletions roles/common/tasks/ssl.yml
Original file line number Diff line number Diff line change
@@ -1,15 +1,82 @@
# https://github.com/ansible/ansible/issues/3107
- name: Find existing SSL keys
sudo: no
local_action: command test -e roles/common/files/wildcard_private.key
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This key should be in a folder that in the top level directory, not buried deeply within the roles.

register: custom_cert
ignore_errors: yes

### Use an existing (valid?) cert, provided by the user ########################

- name: Copy SSL private key into place
copy: src=wildcard_private.key dest=/etc/ssl/private/wildcard_private.key group=ssl-cert owner=root mode=640
copy: >
src=wildcard_private.key
dest=/etc/ssl/private/wildcard_private.key
group=ssl-cert owner=root mode=640
when: custom_cert|success

- name: Copy SSL public certificate into place
copy: src=wildcard_public_cert.crt dest=/etc/ssl/certs/wildcard_public_cert.crt group=root owner=root mode=644
copy: >
src=wildcard_public_cert.crt
dest=/etc/ssl/certs/wildcard_public_cert.crt
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For a future PR, let's move the keys to one folder (both the .key and the .crt), and let's put it in a place that's recommended by dovecot, which I believe @al3x also created an issue for in sovereign.

group=root owner=root mode=644
when: custom_cert|success

- name: Copy CA combined certificate into place
copy: src=wildcard_ca.pem dest=/etc/ssl/certs/wildcard_ca.pem group=root owner=root mode=644
copy: >
src=wildcard_ca.pem
dest=/etc/ssl/certs/wildcard_ca.pem
group=root owner=root mode=644
when: custom_cert|success

- name: Create a combined version of the public cert with intermediate and root CAs
shell: cat /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_ca.pem >
/etc/ssl/certs/wildcard_combined.pem creates=/etc/ssl/certs/wildcard_combined.pem
shell: >
umask 022;
cat /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_ca.pem >
/etc/ssl/certs/wildcard_combined.pem
args:
creates: /etc/ssl/certs/wildcard_combined.pem
when: custom_cert|success

### If the user didn't provide one, make a self-signed cert ####################

- name: Copy openssl.cnf
template: >
src=openssl.cnf.j2
dest=/etc/ssl/private/openssl.cnf
group=root owner=root mode=644
when: custom_cert|failed

- name: Generate a private key and CSR
shell: >
umask 027;
openssl req -nodes -newkey rsa:2048
-config /etc/ssl/private/openssl.cnf
-keyout /etc/ssl/private/wildcard_private.key
-out /etc/ssl/private/wildcard.csr
args:
creates: /etc/ssl/private/wildcard_private.key
when: custom_cert|failed

- name: Set SSL private key permissions
file: >
path=/etc/ssl/private/wildcard_private.key
group=ssl-cert owner=root mode=640
when: custom_cert|failed

- name: Generate a self-signed SSL public key
shell: >
umask 022;
openssl x509 -req -days 3650
-in /etc/ssl/private/wildcard.csr
-signkey /etc/ssl/private/wildcard_private.key
-out /etc/ssl/certs/wildcard_public_cert.crt
args:
creates: /etc/ssl/certs/wildcard_public_cert.crt
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's going all over the place! ick

It would be better to have all the cert stuff placed in one folder, so that users only have one place to go to delete the stuff, and then they can re-run the script to generate a new keypair.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be a separate PR.

when: custom_cert|failed

- name: Set permissions on combined public cert
file: name=/etc/ssl/certs/wildcard_combined.pem mode=644
- name: Link public cert to the combined location
file: >
src=/etc/ssl/certs/wildcard_public_cert.crt
dest=/etc/ssl/certs/wildcard_combined.pem
state=link
when: custom_cert|failed
45 changes: 45 additions & 0 deletions roles/common/templates/openssl.cnf.j2
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
[ ca ]
default_ca = CA_default # The default ca section
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 3650 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_anything

[ req ]
prompt = no
default_bits = 2048
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
req_extensions = v3_req

[ req_attributes ]
unstructuredName = self-signed

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = self-signed
localityName = doesn't matter
0.organizationName = filler values
organizationalUnitName = go here
commonName = {{ domain }}
emailAddress = {{ admin_email }}

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true

[ alt_names ]
{% for dn in mail_virtual_domains %}
DNS.{{ loop.index }} = {{ dn }}
{% endfor %}
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@PiPeep Shouldn't this file be much longer? This doesn't seem to be the complete file from /usr/lib/ssl/openssl.cnf, why's that?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I stripped out everything that wasn't needed to generate a self-signed cert.