From 76ed37089b333c6435f471847ead1739c03efea6 2015-04-13 01:08:03 From: Branko Majic Date: 2015-04-13 01:08:03 Subject: [PATCH] MAR-10: Added support for deploying CA certificates to role 'common'. Make sure symlink truststore is deployed as file in Postfix chroot (for role mail_server). Small fix in handlers for role common (ls command is not necessary). Updated testsite configuration and documentation to refer to correct CA certificate file (for trust chain). --- diff --git a/.gitignore b/.gitignore index d68b3b271df134ddd3c21971866b3faa2b13844c..f1051fe9b0c6a7b834fe87c4d562d2c79ec88bf2 100644 --- a/.gitignore +++ b/.gitignore @@ -2,4 +2,5 @@ *~ tmp/ docs/_build/ -testsite/preseed_files/ \ No newline at end of file +testsite/preseed_files/ +testsite/certs/ diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 7ae99c3633baecb12afe2f609f16efc8aeea440e..29ff6f1ef50cfccf4580d9d952ea3cf16a1af06c 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -200,6 +200,9 @@ The role implements the following: you put TLS private keys in central location where any operating system user can reach them provided they have appropriate read/write rights on the file itself, and provided they know the exact path of the file. +* Deploys CA certificate files, normally used for truststore purposes, to + ``/usr/local/share/ca-certificates/``, updating the TLS cache at + ``/etc/ssl/certs/`` along the way. Parameters @@ -245,6 +248,13 @@ Parameters server. Each element of the list should be a simple string denoting the name of the package. +**ca_certificates** (list, optional) + List of additional CA certificate files that should be deployed on the + server. Each element of the list should be a filepath to a CA certificate file + on originating (Ansible) host that should be copied to destination + server. Combinations of multiple CA certificates in the same file can be + specified as well. File names should end with ``.crt`` or ``.pem``. + Examples ~~~~~~~~ 
@@ -278,6 +288,8 @@ packages on all servers: - screen - debconf-utils + ca_certificates: + - ../certs/truststore.pem .. _ldap_client: diff --git a/docs/testsite.rst b/docs/testsite.rst index 224ea34a52ed14e0202ad70f51d5c5f2b638e76f..0f3d142119cd033b81f1b4e2e12167925c2846aa 100644 --- a/docs/testsite.rst +++ b/docs/testsite.rst @@ -68,6 +68,8 @@ The playbooks and configurations for test site make a couple of assumptions: ``admin``. The SSH key stored in it will be read from location ``~/.ssh/id_rsa`` (i.e. from home directory of user running the Ansible commands). +* The TLS truststore can be found in location ``certs/example_ca_chain.crt`` + relative to the ``testsite`` sub-directory. Additionally, some manual steps may be required to have a fully functioning system: @@ -84,19 +86,14 @@ system: ``/etc/ssl/private/xmpp.example.com.pem`` (*root:prosody, 640*). * Create TLS certificate for XMPP in location ``/etc/ssl/certs/xmpp.example.com.pem`` (*root:root, 644*). - * Install a truststore that contains the CA certifciate which has issued the - LDAP certificate in location ``/etc/ssl/certs/truststore.pem`` (*root:root, - 644*). * After all files are in place, re-run the ``site.yml`` playbook in order to restart necessary services etc. * On ``mail.example.com``, you should manually install the TLS private key and certificate in locations ``/etc/ssl/private/mail.example.com.pem`` (*root:ldap, 640*) and ``/etc/ssl/certs/mail.example.com.pem`` (*root:root, - 644*), respectively. You should also install a truststore that contains the CA - certifciate which has issued the LDAP certificate in location - ``/etc/ssl/certs/truststore.pem`` (*root:root, 644*). After that, restart the - servics ``dovecot`` and ``postfix``. + 644*), respectively. After that, restart the servics ``dovecot`` and + ``postfix``. * On ``mail.example.com``: 
@@ -108,9 +105,6 @@ system: ``/etc/ssl/private/mail.example.com_imap.pem`` (*root:openldap, 640*). * Create TLS certificate for IMAP in location ``/etc/ssl/certs/mail.example.com_imap.pem`` (*root:root, 644*). - * Install a truststore that contains the CA certifciate which has issued the - LDAP certificate in location ``/etc/ssl/certs/truststore.pem`` (*root:root, - 644*). * After all files are in place, re-run the ``site.yml`` playbook in order to restart necessary services etc. diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 535c0671596129840defe9996c05e5cc9ff0e4ea..1eff92c9daba7cecc1cba597a171f9100d87c7af 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -2,4 +2,5 @@ packages: [] os_users: [] -os_groups: [] \ No newline at end of file +os_groups: [] +ca_certificates: [] \ No newline at end of file diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 9b8e3c3b5e694ce1eb2e282758bed22548870615..5fcab47bf514e4a8aa47f19facce327965a15050 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -1,8 +1,10 @@ --- - name: Update PAM configuration - command: /bin/ls command: /usr/sbin/pam-auth-update --package - name: Restart SSH - service: name=ssh state=restarted \ No newline at end of file + service: name=ssh state=restarted + +- name: Update CA certificate cache + command: /usr/sbin/update-ca-certificates --fresh diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 1fda4cbf3aa20fc14a882c0762b94bff1cb2f4c2..abd18521b412921c9a219a4863ebe6fc703608aa 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
@@ -48,4 +48,10 @@ - Restart SSH - name: Allow users to traverse directories to TLS private key files - file: path=/etc/ssl/private/ mode=o+x \ No newline at end of file + file: path=/etc/ssl/private/ mode=o+x + +- name: Deploy CA certificates + copy: src="{{ item }}" dest="/usr/local/share/ca-certificates/{{ item | basename | regex_replace('(?i)\.pem$', '.crt') }}" mode=644 owner=root group=root + with_items: ca_certificates + notify: + - Update CA certificate cache \ No newline at end of file diff --git a/roles/ldap_client/tasks/main.yml b/roles/ldap_client/tasks/main.yml index 639f195bae41d4612afc7bb493b9ccc20b066b9a..2138c1134c3d457f23242bc322514f815bbc549c 100644 --- a/roles/ldap_client/tasks/main.yml +++ b/roles/ldap_client/tasks/main.yml @@ -4,4 +4,4 @@ apt: name=ldap-utils state=installed - name: Deploy LDAP client configuration file - template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf owner=root group=root mode=644 \ No newline at end of file + template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf owner=root group=root mode=644 diff --git a/roles/mail_server/tasks/main.yml b/roles/mail_server/tasks/main.yml index f31ab34fe852bc3ada4d011fe20e3541cc861b9d..2a4b460ee6b05815c74dec270175adb131d0b58c 100644 --- a/roles/mail_server/tasks/main.yml +++ b/roles/mail_server/tasks/main.yml @@ -46,7 +46,7 @@ - /var/spool/postfix/var/run/clamav - name: Copy the LDAP TLS truststore into Postfix chroot - command: rsync -pci "{{ mail_ldap_tls_truststore }}" "/var/spool/postfix/{{ mail_ldap_tls_truststore}}" + command: rsync -Lpci "{{ mail_ldap_tls_truststore }}" "/var/spool/postfix/{{ mail_ldap_tls_truststore}}" register: rsync_result changed_when: "rsync_result.stdout != ''" diff --git a/testsite/group_vars/all.yml b/testsite/group_vars/all.yml index f9a78ae269ceded3bb7e94d1fe5d5f74e0b5066f..4ecd5f92ef68d2cdcc39643ac771f662dc77487a 100644 --- a/testsite/group_vars/all.yml +++ b/testsite/group_vars/all.yml 
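Review bot: Removing an entry from `ca_certificates` later does not remove the file the new `Deploy CA certificates` task copied into `/usr/local/share/ca-certificates/`, so a CA stays trusted system-wide after it is withdrawn from configuration and `update-ca-certificates --fresh` keeps re-linking it. Either say so where the parameter is documented, e.g. `Removing an entry does not remove the file from the server; delete it from /usr/local/share/ca-certificates/ by hand and re-run update-ca-certificates.`, or track the deployed names and prune the stale ones. The `regex_replace` only rewrites a `.pem` suffix, so a source with any other extension lands in that directory under its own name and, as far as I know, is ignored by update-ca-certificates without any error; a `fail` task checking the suffix against the documented `.crt`/`.pem` would catch that early. Because `dest` is built from `item | basename` only, two sources that share a basename silently overwrite each other. The task list continues outside the hunk.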
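Review bot: The added `-L` makes rsync copy the target of the `/etc/ssl/certs/` symlink into the chroot, but that symlink is created or refreshed only when the `Update CA certificate cache` handler from role `common` fires at the end of the play; if both roles run in the same play, the first run's rsync has no source to follow and a later CA rotation leaves a stale copy under `/var/spool/postfix/` until the next run. Consider `- meta: flush_handlers` directly after the `Deploy CA certificates` task in role `common` (or before this rsync) so the cache is rebuilt before it is copied. I cannot see `site.yml` from here, so the same-play assumption needs confirming. The enclosing task list starts and ends outside the hunk.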
@@ -23,3 +23,6 @@ common_packages: - emacs23-nox - screen - debconf-utils + +ca_certificates: + - ../certs/example_ca_chain.pem \ No newline at end of file diff --git a/testsite/group_vars/ldap.yml b/testsite/group_vars/ldap.yml index ce1593fa43f9e9e57d405e9775b491d855b09719..d5eea5629acf5f03a120be71013f7c5bd41d65ae 100644 --- a/testsite/group_vars/ldap.yml +++ b/testsite/group_vars/ldap.yml @@ -17,7 +17,7 @@ ldap_client_config: value: cn=admin,dc=example,dc=com - comment: Set the LDAP TLS truststore option: TLS_CACERT - value: /etc/ssl/certs/truststore.pem + value: /etc/ssl/certs/example_ca_chain.pem ldap_server_config: domain: "example.com" diff --git a/testsite/group_vars/mail.yml b/testsite/group_vars/mail.yml index 5e8fddf1f98f29c0a4baaef8dc5daa936e60a9a6..b86d8e83640a25edfd0589bc599ec2cc12ac60ae 100644 --- a/testsite/group_vars/mail.yml +++ b/testsite/group_vars/mail.yml @@ -9,10 +9,10 @@ ldap_client_config: value: ldap://ldap.example.com/ - comment: Set the LDAP TLS truststore option: TLS_CACERT - value: /etc/ssl/certs/truststore.pem + value: /etc/ssl/certs/example_ca_chain.pem mail_ldap_url: ldap://ldap.example.com/ -mail_ldap_tls_truststore: /etc/ssl/certs/truststore.pem +mail_ldap_tls_truststore: /etc/ssl/certs/example_ca_chain.pem mail_ldap_root_dn: dc=example,dc=com mail_ldap_postfix_password: postfix mail_ldap_dovecot_password: dovecot diff --git a/testsite/group_vars/xmpp.yml b/testsite/group_vars/xmpp.yml index 7e912d9421b3a225c0990b03f088fad4463be5be..33609220e1b32faeed1915c4f3452102bb815140 100644 --- a/testsite/group_vars/xmpp.yml +++ b/testsite/group_vars/xmpp.yml @@ -12,7 +12,7 @@ ldap_client_config: value: cn=admin,dc=example,dc=com - comment: Set the LDAP TLS truststore option: TLS_CACERT - value: /etc/ssl/certs/truststore.pem + value: /etc/ssl/certs/example_ca_chain.pem local_mail_aliases: root: "root john.doe@example.com"
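Review bot: The source path added here, `../certs/example_ca_chain.pem`, disagrees with the docs/testsite.rst hunk, which tells the reader to place the truststore at `certs/example_ca_chain.crt`; the copy task in role `common` renames the `.pem` suffix on the destination side only, so a file created under the documented name would not be found by this entry. Make the two agree, e.g. change the documentation line to ``certs/example_ca_chain.pem``. The `/etc/ssl/certs/example_ca_chain.pem` value used in the ldap, mail and xmpp group vars presumably relies on update-ca-certificates creating a `.pem` symlink from the deployed `.crt` basename; a comment above this key such as `# becomes /etc/ssl/certs/example_ca_chain.pem once update-ca-certificates has run` would make that dependency visible to the next maintainer.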