From 70733167cdf859a6820aad1421c9b18b48061882 2015-08-17 22:31:39
From: Branko Majic
Date: 2015-08-17 22:31:39
Subject: [PATCH] MAR-9: Created small utility playbook in testsite for generating the necessary TLS keys and certificates. Updated testsite configuration to be slightly different (no need for separate chain file I think).
---
diff --git a/.gitignore b/.gitignore
index 566c89dcce9150960ecda1ec9c38c30c75176ed7..383ffccd16e38c35b82d7f646c102dad251e822f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,5 +3,9 @@ tmp/
 docs/_build/
 testsite/preseed_files/
+
+# Ignore "temporary" files created with the playbook tls.yml (certs, keys, and
+# host config files for GnuTLS - ca.cfg is versioned, though).
 testsite/tls/*.pem
 testsite/tls/*.key
+testsite/tls/*.*_*.cfg
\ No newline at end of file
diff --git a/testsite/group_vars/all.yml b/testsite/group_vars/all.yml
index 0b8f87e5ea2929484e9f23a1f943ac3f759de2b6..5d1da81cd183639a9233fb9c1ac4d1b8a86e4fe7 100644
--- a/testsite/group_vars/all.yml
+++ b/testsite/group_vars/all.yml
@@ -39,7 +39,7 @@ common_packages:
   - unzip
 
 ca_certificates:
-  - "{{ inventory_dir }}/tls/example_ca_chain.pem"
+  - "{{ inventory_dir }}/tls/ca.pem"
 
 incoming_connection_limit: 2/second
 
diff --git a/testsite/group_vars/ldap.yml b/testsite/group_vars/ldap.yml
index 591cbeb732a8a83057720db217fd1cc75456a778..7f56297fd68a7302742de3610564c0a63fa8f7a0 100644
--- a/testsite/group_vars/ldap.yml
+++ b/testsite/group_vars/ldap.yml
@@ -4,7 +4,7 @@ local_mail_aliases:
   root: "root john.doe@{{ testsite_domain }}"
 
 smtp_relay_host: mail.{{ testsite_domain }}
-smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem
+smtp_relay_truststore: /etc/ssl/certs/ca.pem
 
 ldap_client_config:
   - comment: Set the base DN
@@ -18,7 +18,7 @@ ldap_client_config:
     value: cn=admin,{{ testsite_ldap_base }}
   - comment: Set the LDAP TLS truststore
     option: TLS_CACERT
-    value: /etc/ssl/certs/example_ca_chain.pem
+    value: /etc/ssl/certs/ca.pem
 
 ldap_server_config:
   domain: "{{ testsite_domain }}"
diff --git a/testsite/group_vars/mail.yml b/testsite/group_vars/mail.yml index 0e12eefb05d1f696622fa0610b896b787b64e8e4..f6515ce090ce8403f9efaf9cb29476b1c2d3b43a 100644 --- a/testsite/group_vars/mail.yml +++ b/testsite/group_vars/mail.yml @@ -9,10 +9,10 @@ ldap_client_config: value: ldap://ldap.{{ testsite_domain }}/ - comment: Set the LDAP TLS truststore option: TLS_CACERT - value: /etc/ssl/certs/example_ca_chain.pem + value: /etc/ssl/certs/ca.pem mail_ldap_url: ldap://ldap.{{ testsite_domain }}/ -mail_ldap_tls_truststore: /etc/ssl/certs/example_ca_chain.pem +mail_ldap_tls_truststore: /etc/ssl/certs/ca.pem mail_ldap_root_dn: "{{ testsite_ldap_base }}" mail_ldap_postfix_password: postfix mail_ldap_dovecot_password: dovecot diff --git a/testsite/group_vars/web.yml b/testsite/group_vars/web.yml index d56ca04f24a5434f430921e35eb7724d3118f793..0095ed20df91bb04dac68ef7738dd525dff0c696 100644 --- a/testsite/group_vars/web.yml +++ b/testsite/group_vars/web.yml @@ -9,14 +9,14 @@ ldap_client_config: value: ldap://ldap.{{ testsite_domain }}/ - comment: Set the LDAP TLS truststore option: TLS_CACERT - value: /etc/ssl/certs/example_ca_chain.pem + value: /etc/ssl/certs/ca.pem local_mail_aliases: root: "root john.doe@{{ testsite_domain }}" smtp_relay_host: mail.{{ testsite_domain }} -smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem +smtp_relay_truststore: /etc/ssl/certs/ca.pem https_tls_key: "{{ inventory_dir }}/tls/web.{{ testsite_domain }}_https.key" https_tls_certificate: "{{ inventory_dir }}/tls/web.{{ testsite_domain }}_https.pem" diff --git a/testsite/group_vars/xmpp.yml b/testsite/group_vars/xmpp.yml index 302a4dc88ba6bac17e43a51ece9bb60769091c63..139f30977db7bd7271464af4c9df3539b1b8eb22 100644 --- a/testsite/group_vars/xmpp.yml +++ b/testsite/group_vars/xmpp.yml 
@@ -12,14 +12,14 @@ ldap_client_config: value: cn=admin,{{ testsite_ldap_base }} - comment: Set the LDAP TLS truststore option: TLS_CACERT - value: /etc/ssl/certs/example_ca_chain.pem + value: /etc/ssl/certs/ca.pem local_mail_aliases: root: "root john.doe@{{ testsite_domain }}" smtp_relay_host: mail.{{ testsite_domain }} -smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem +smtp_relay_truststore: /etc/ssl/certs/ca.pem prosody_administrators: - john.doe@{{ testsite_domain }} diff --git a/testsite/playbooks/tls.yml b/testsite/playbooks/tls.yml new file mode 100644 index 0000000000000000000000000000000000000000..542c263d75037e572521beca633e61c24bd08ef9 --- /dev/null +++ b/testsite/playbooks/tls.yml 
@@ -0,0 +1,52 @@
+---
+
+- hosts: preseed
+  vars:
+    host_tls_info:
+      - hostname: ldap
+        service: ldap
+        name: LDAP
+      - hostname: mail
+        service: imap
+        name: IMAP
+      - hostname: mail
+        service: smtp
+        name: SMTP
+      - hostname: phpinfo
+        service: https
+        name: PHP Info
+      - hostname: web
+        service: https
+        name: Web
+      - hostname: wsgi
+        service: https
+        name: WSGI Hello World
+      - hostname: xmpp
+        service: xmpp
+        name: XMPP
+  tasks:
+    - name: Create GnuTLS certificate templates for all hosts
+      template: src="../tls/gnutls_server_certificate.cfg.j2" dest="../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.cfg"
+      with_items: host_tls_info
+    - name: Create the CA key
+      command: certtool --sec-param high --generate-privkey --outfile ../tls/ca.key
+      args:
+        creates: ../tls/ca.key
+    - name: Create the CA certificate
+      command: certtool --template ../tls/ca.cfg --generate-self-signed --load-privkey ../tls/ca.key --outfile ../tls/ca.pem
+      args:
+        creates: ../tls/ca.pem
+    - name: Create private keys for all hosts
+      command: certtool --sec-param normal --generate-privkey --outfile "../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.key"
+      with_items: host_tls_info
+      args:
+        creates: "../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.key"
+    - name: Issue certificates for all hosts
+      shell: sleep 1 && certtool --generate-certificate
+             --load-ca-privkey "../tls/ca.key" --load-ca-certificate "../tls/ca.pem"
+             --template "../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.cfg"
+             --load-privkey "../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.key"
+             --outfile "../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.pem"
+      with_items: host_tls_info
+      args:
+        creates: "../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.pem"
\ No newline at end of file
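Review bot: The two `--generate-privkey` tasks (`Create the CA key`, `Create private keys for all hosts`) write the CA and host private keys into `../tls/` without pinning their file mode, so the result depends on the certtool version and the caller's umask and may end up group- or world-readable; .gitignore keeps them out of the repository but not away from other local users. Switching those two tasks to `shell: umask 077 && certtool --sec-param high --generate-privkey --outfile ../tls/ca.key` (and likewise for the per-host key line) bounds the permissions independently of the tool. The `sleep 1 &&` in `Issue certificates for all hosts` looks like a workaround for time-derived serial numbers colliding between the seven certificates signed by the same CA; an explicit `serial` in the certificate template would make uniqueness a property of the config rather than of timing. Because every task is guarded by `creates:`, a certificate that has passed its 365-day expiry (set in the template) is never re-issued; a header comment such as `# Re-running is a no-op once files exist; delete ../tls/*.pem (and *.key) to regenerate after expiry or a CA change.` would save the next person a debugging round.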
diff --git a/testsite/tls/templates/example_ca.cfg b/testsite/tls/ca.cfg
similarity index 100%
rename from testsite/tls/templates/example_ca.cfg
rename to testsite/tls/ca.cfg
diff --git a/testsite/tls/templates/ldap.example.com_ldap.cfg b/testsite/tls/gnutls_server_certificate.cfg.j2
similarity index 88%
rename from testsite/tls/templates/ldap.example.com_ldap.cfg
rename to testsite/tls/gnutls_server_certificate.cfg.j2
index 6dc4d541020235416c638ec920444d60c975d5b5..9ca53694d860c0c4cffaa150013e9a3bfd510e27 100644
--- a/testsite/tls/templates/ldap.example.com_ldap.cfg
+++ b/testsite/tls/gnutls_server_certificate.cfg.j2
@@ -9,7 +9,7 @@ organization = "Example Inc."
 country = SE
 
 # The common name of the certificate owner.
-cn = "Exampe Inc. LDAP Server"
+cn = "Exampe Inc. {{ item.name }} Server"
 
 # In how many days, counting from today, this certificate will expire.
 expiration_days = 365
@@ -17,7 +17,7 @@ expiration_days = 365
 # X.509 v3 extensions
 
 # A dnsname in case of a WWW server.
-dns_name = "ldap.example.com"
+dns_name = "{{ item.hostname }}.{{ testsite_domain }}"
 
 # Whether this certificate will be used for a TLS server
 tls_www_server
diff --git a/testsite/tls/templates/mail.example.com_imap.cfg b/testsite/tls/templates/mail.example.com_imap.cfg
deleted file mode 100644
index 1fdb956d5fd74c5af3f143ab00bd9c2467b4d3a5..0000000000000000000000000000000000000000
--- a/testsite/tls/templates/mail.example.com_imap.cfg
+++ /dev/null
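Review bot: The templated `cn = "Exampe Inc. {{ item.name }} Server"` line carries the misspelling `Exampe` from the per-host files into every certificate the playbook now issues; `cn = "Example Inc. {{ item.name }} Server"` fixes it in one place. Less cosmetic: this template is the renamed ldap.example.com_ldap.cfg, and the deleted per-service templates for SMTP, HTTPS and XMPP ended with `encryption_key` while the IMAP one of the same shape stopped at `signing_key`; if the LDAP-derived template likewise lacks `encryption_key` (its tail is outside the two hunks shown), the SMTP/HTTPS/XMPP certificates lose the keyEncipherment usage their old templates declared, which only matters to clients that enforce key usage for RSA key exchange. If that narrowing is intended, a comment after `signing_key` saying so would stop the next reader from adding it back; otherwise restore `encryption_key` there. The template body extends beyond the hunks in this commit.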
@@ -1,27 +0,0 @@
-# X.509 Certificate options
-#
-# DN options
-
-# The organization of the subject.
-organization = "Example Inc."
-
-# The country of the subject. Two letter code.
-country = SE
-
-# The common name of the certificate owner.
-cn = "Exampe Inc. IMAP Server"
-
-# In how many days, counting from today, this certificate will expire.
-expiration_days = 365
-
-# X.509 v3 extensions
-
-# A dnsname in case of a WWW server.
-dns_name = "mail.example.com"
-
-# Whether this certificate will be used for a TLS server
-tls_www_server
-
-# Whether this certificate will be used to sign data (needed
-# in TLS DHE ciphersuites).
-signing_key
diff --git a/testsite/tls/templates/mail.example.com_smtp.cfg b/testsite/tls/templates/mail.example.com_smtp.cfg
deleted file mode 100644
index 4a32651b000f27e57878864024f919da0cae09c2..0000000000000000000000000000000000000000
--- a/testsite/tls/templates/mail.example.com_smtp.cfg
+++ /dev/null
@@ -1,32 +0,0 @@
-# X.509 Certificate options
-#
-# DN options
-
-# The organization of the subject.
-organization = "Example Inc."
-
-# The country of the subject. Two letter code.
-country = SE
-
-# The common name of the certificate owner.
-cn = "Exampe Inc. SMTP Server"
-
-# In how many days, counting from today, this certificate will expire.
-expiration_days = 365
-
-# X.509 v3 extensions
-
-# A dnsname in case of a WWW server.
-dns_name = "mail.example.com"
-
-# Whether this certificate will be used for a TLS server
-tls_www_server
-
-# Whether this certificate will be used to sign data (needed
-# in TLS DHE ciphersuites).
-signing_key
-
-# Whether this certificate will be used to encrypt data (needed
-# in TLS RSA ciphersuites). Note that it is preferred to use different
-# keys for encryption and signing.
-encryption_key
diff --git a/testsite/tls/templates/phpinfo.example.com_https.cfg b/testsite/tls/templates/phpinfo.example.com_https.cfg
deleted file mode 100644
index 269d4850252c45804165f54b7e39641bbdcba6c9..0000000000000000000000000000000000000000
--- a/testsite/tls/templates/phpinfo.example.com_https.cfg
+++ /dev/null
@@ -1,32 +0,0 @@
-# X.509 Certificate options
-#
-# DN options
-
-# The organization of the subject.
-organization = "Example Inc."
-
-# The country of the subject. Two letter code.
-country = SE
-
-# The common name of the certificate owner.
-cn = "Exampe Inc. PHP Info Server"
-
-# In how many days, counting from today, this certificate will expire.
-expiration_days = 365
-
-# X.509 v3 extensions
-
-# A dnsname in case of a WWW server.
-dns_name = "phpinfo.example.com"
-
-# Whether this certificate will be used for a TLS server
-tls_www_server
-
-# Whether this certificate will be used to sign data (needed
-# in TLS DHE ciphersuites).
-signing_key
-
-# Whether this certificate will be used to encrypt data (needed
-# in TLS RSA ciphersuites). Note that it is preferred to use different
-# keys for encryption and signing.
-encryption_key
diff --git a/testsite/tls/templates/web.example.com_https.cfg b/testsite/tls/templates/web.example.com_https.cfg
deleted file mode 100644
index a422b6e124ec1f93e725c8a75c12c79599af6966..0000000000000000000000000000000000000000
--- a/testsite/tls/templates/web.example.com_https.cfg
+++ /dev/null
@@ -1,32 +0,0 @@
-# X.509 Certificate options
-#
-# DN options
-
-# The organization of the subject.
-organization = "Example Inc."
-
-# The country of the subject. Two letter code.
-country = SE
-
-# The common name of the certificate owner.
-cn = "Exampe Inc. Web Server"
-
-# In how many days, counting from today, this certificate will expire.
-expiration_days = 365
-
-# X.509 v3 extensions
-
-# A dnsname in case of a WWW server.
-dns_name = "web.example.com"
-
-# Whether this certificate will be used for a TLS server
-tls_www_server
-
-# Whether this certificate will be used to sign data (needed
-# in TLS DHE ciphersuites).
-signing_key
-
-# Whether this certificate will be used to encrypt data (needed
-# in TLS RSA ciphersuites). Note that it is preferred to use different
-# keys for encryption and signing.
-encryption_key
diff --git a/testsite/tls/templates/wsgi.example.com_https.cfg b/testsite/tls/templates/wsgi.example.com_https.cfg
deleted file mode 100644
index 442aa3e400ff278f2205d90b493d8d518b7b8b9b..0000000000000000000000000000000000000000
--- a/testsite/tls/templates/wsgi.example.com_https.cfg
+++ /dev/null
@@ -1,32 +0,0 @@
-# X.509 Certificate options
-#
-# DN options
-
-# The organization of the subject.
-organization = "Example Inc."
-
-# The country of the subject. Two letter code.
-country = SE
-
-# The common name of the certificate owner.
-cn = "Exampe Inc. WSGI Hello World Server"
-
-# In how many days, counting from today, this certificate will expire.
-expiration_days = 365
-
-# X.509 v3 extensions
-
-# A dnsname in case of a WWW server.
-dns_name = "wsgi.example.com"
-
-# Whether this certificate will be used for a TLS server
-tls_www_server
-
-# Whether this certificate will be used to sign data (needed
-# in TLS DHE ciphersuites).
-signing_key
-
-# Whether this certificate will be used to encrypt data (needed
-# in TLS RSA ciphersuites). Note that it is preferred to use different
-# keys for encryption and signing.
-encryption_key
diff --git a/testsite/tls/templates/xmpp.example.com_xmpp.cfg b/testsite/tls/templates/xmpp.example.com_xmpp.cfg
deleted file mode 100644
index d35b85b0c6f54d4629aad9a456cda9cbd786f738..0000000000000000000000000000000000000000
--- a/testsite/tls/templates/xmpp.example.com_xmpp.cfg
+++ /dev/null
@@ -1,32 +0,0 @@
-# X.509 Certificate options
-#
-# DN options
-
-# The organization of the subject.
-organization = "Example Inc."
-
-# The country of the subject. Two letter code.
-country = SE
-
-# The common name of the certificate owner.
-cn = "Exampe Inc. XMPP Server"
-
-# In how many days, counting from today, this certificate will expire.
-expiration_days = 365
-
-# X.509 v3 extensions
-
-# A dnsname in case of a WWW server.
-dns_name = "xmpp.example.com"
-
-# Whether this certificate will be used for a TLS server
-tls_www_server
-
-# Whether this certificate will be used to sign data (needed
-# in TLS DHE ciphersuites).
-signing_key
-
-# Whether this certificate will be used to encrypt data (needed
-# in TLS RSA ciphersuites). Note that it is preferred to use different
-# keys for encryption and signing.
-encryption_key