Changeset - b3b2b6d5e9e2
Branko Majic (branko) - 7 years ago 2017-04-10 22:07:37
branko@majic.rs
MAR-99: Added documentation for the certificate verification functionality to both role reference and usage instructions.
2 files changed with 12 insertions and 0 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -279,6 +279,10 @@ The role implements the following:
 
  (SSH), and also introduces rate-limitting for incoming ICMP echo request
 
  pacakges and (new) TCP connections. The rate-limitting is based on the source
 
  IP address, using the ``iptables hashlimit`` module.
 
* Sets-up system for performing checks on certificates (currently only if they
 
  expire within less than 30 days). Roles that want their certificates checked
 
  should deploy a ``.conf`` to directory ``/etc/check_certificate/`` with paths
 
  to certificate files, one per line. Certificates are checked on daily basis.
 

	
 

	
 
Role dependencies
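Review bot: the new bullet in docs/rolereference.rst says how a role registers certificates but not how an expiring certificate is reported, so from the role reference alone a reader cannot tell where to look for the warning. The docs/usage.rst hunk in this same changeset states that results are mailed to the local ``root`` user by a cron job, and that sentence belongs here too. The wording "deploy a ``.conf`` to directory" is also missing its noun; something like "deploy a ``.conf`` file to the directory ``/etc/check_certificate/``" reads correctly. It would help to say whether the file name matters and whether the 30-day threshold is fixed. Minor style: "Sets-up" as a verb should be "Sets up", and "on daily basis" should be "on a daily basis".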
docs/usage.rst
 
@@ -548,6 +548,14 @@ one up first. This includes both the LDAP *server* and *client* configuration.
 
   includes ``ldap_server`` too. So, let's make a slight detour to create a CA
 
   of our own, plus the necessary server certificate for the LDAP service...
 

	
 
   .. note::
 
      Another useful feature the roles implement is a check to see if
 
      certificates will expire within the next 30 days. This check is performed
 
      via cronjob at midnight, and results will end-up being delivered to the
 
      ``root`` user on local server. Later on, once you have configured the mail
 
      server, you should be able to set-up the necessary aliases to have the
 
      mails delivered to non-local accounts too.
 

	
 
   1. Let's first install a couple of more tools on the Ansible server, since we
 
      will be using ``certtool`` for our improvised CA needs (run this as
 
      ``root``)::
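Review bot: the added note in docs/usage.rst describes the expiry check without saying which certificates it covers or how a role opts in, so a reader following the usage instructions cannot tell whether the CA and LDAP server certificates created in the next steps will be checked. A short pointer to the role reference entry about ``/etc/check_certificate/`` would close that gap. The note also says the check runs "via cronjob at midnight" while the role reference says only "on daily basis"; the two descriptions should use the same wording. Since the warnings go only to the local ``root`` mailbox until aliases are configured, it is worth naming the section where that is set up instead of "Later on". Minor style: "end-up" and "set-up" are used as verbs and should be "end up" and "set up", and "on local server" should be "on the local server".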