authorMatthieu Saulnier <fantom@fedoraproject.org>2021-02-28 03:38:43 +0100
committerMatthieu Saulnier <fantom@fedoraproject.org>2021-02-28 03:38:43 +0100
commit16912cd8389c5ce6aad9fc568152b8694ecf2ae9 (patch)
tree9bc72b8813f32212df7bc59a897bc026fd8e62e0
parent05116345d8ca660dafec1d141bce401a3bc0ad9b (diff)
downloadplaybooks-ansible-16912cd8389c5ce6aad9fc568152b8694ecf2ae9.tar.gz
playbooks-ansible-16912cd8389c5ce6aad9fc568152b8694ecf2ae9.tar.xz
playbooks-ansible-16912cd8389c5ce6aad9fc568152b8694ecf2ae9.zip
Enable x509 full-chain certificate files for services
-rw-r--r--roles/imserver/tasks/config.yml1
-rw-r--r--roles/imserver/tasks/crt.yml8
-rw-r--r--roles/imserver/templates/ejabberd.yml.j24
-rw-r--r--roles/mtaserver/tasks/crt.yml36
-rw-r--r--roles/mtaserver/templates/10-ssl.conf.j26
-rw-r--r--roles/mtaserver/templates/main.cf.j26
-rw-r--r--roles/proxy/tasks/crt.yml17
-rw-r--r--roles/proxy/templates/squid.conf.j216
8 files changed, 62 insertions, 32 deletions
diff --git a/roles/imserver/tasks/config.yml b/roles/imserver/tasks/config.yml
index b1b67ef..44ba293 100644
--- a/roles/imserver/tasks/config.yml
+++ b/roles/imserver/tasks/config.yml
@@ -6,3 +6,4 @@
group: ejabberd
mode: 0640
notify: restart ejabberd
+ tags: keys
diff --git a/roles/imserver/tasks/crt.yml b/roles/imserver/tasks/crt.yml
index 23bc5f5..dbf3b47 100644
--- a/roles/imserver/tasks/crt.yml
+++ b/roles/imserver/tasks/crt.yml
@@ -1,7 +1,7 @@
- name: Installation des fichiers certificat pour ejabberd
copy:
- src: "certs/{{ maindomain }}.{{ ansible_hostname }}.{{ crtversion }}.crt"
- dest: /etc/pki/tls/certs/{{ maindomain }}.{{ ansible_hostname }}.ejabberd.crt
+ src: "certs/{{ maindomain }}.{{ ansible_hostname }}.ejabberd.{{ crtversion }}.crt"
+ dest: /etc/pki/tls/certs/{{ maindomain }}.ejabberd.crt
owner: root
group: root
mode: 0644
@@ -20,8 +20,8 @@
- name: Installation de la clé pour ejabberd
copy:
- src: "certs/{{ maindomain }}.{{ ansible_hostname }}.{{ crtversion }}.key"
- dest: /etc/pki/tls/private/{{ maindomain }}.{{ ansible_hostname }}.ejabberd.key
+ src: "certs/{{ maindomain }}.{{ ansible_hostname }}.ejabberd.{{ crtversion }}.key"
+ dest: /etc/pki/tls/private/{{ maindomain }}.ejabberd.key
owner: ejabberd
group: root
mode: 0440
diff --git a/roles/imserver/templates/ejabberd.yml.j2 b/roles/imserver/templates/ejabberd.yml.j2
index 904abd9..63f4c82 100644
--- a/roles/imserver/templates/ejabberd.yml.j2
+++ b/roles/imserver/templates/ejabberd.yml.j2
@@ -12,8 +12,8 @@ log_rotate_count: 1
log_rate_limit: 100
certfiles:
- - "/etc/pki/tls/certs/{{ maindomain }}.{{ ansible_hostname }}.ejabberd.crt"
- - "/etc/pki/tls/private/{{ maindomain }}.{{ ansible_hostname }}.ejabberd.key"
+ - "/etc/pki/tls/certs/{{ maindomain }}.ejabberd.crt"
+ - "/etc/pki/tls/private/{{ maindomain }}.ejabberd.key"
- "/etc/pki/tls/certs/mon-ca.crt"
s2s_dhfile: "/etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.ejabberd.pem"
diff --git a/roles/mtaserver/tasks/crt.yml b/roles/mtaserver/tasks/crt.yml
index ec75a61..468bfae 100644
--- a/roles/mtaserver/tasks/crt.yml
+++ b/roles/mtaserver/tasks/crt.yml
@@ -1,7 +1,7 @@
- name: Installation des fichiers certificat pour postfix
copy:
- src: "certs/{{ basedomain }}.{{ ansible_hostname }}.{{ crtversion }}.crt"
- dest: /etc/pki/tls/certs/{{ basedomain }}.{{ ansible_hostname }}.postfix.crt
+ src: "certs/{{ basedomain }}.{{ ansible_hostname }}.postfix.{{ crtversion }}.crt"
+ dest: /etc/pki/tls/certs/{{ basedomain }}.postfix.crt
owner: root
group: root
mode: 0644
@@ -22,8 +22,8 @@
- name: Installation des fichiers clé pour postfix
copy:
- src: "certs/{{ basedomain }}.{{ ansible_hostname }}.{{ crtversion }}.key"
- dest: /etc/pki/tls/private/{{ basedomain }}.{{ ansible_hostname }}.postfix.key
+ src: "certs/{{ basedomain }}.{{ ansible_hostname }}.postfix.{{ crtversion }}.key"
+ dest: /etc/pki/tls/private/{{ basedomain }}.postfix.key
owner: root
group: root
mode: 0440
@@ -31,12 +31,22 @@
notify: restart postfix
tags: keys
+# regénérer le fullchain.pem avec le nouveau cert sur chaque hôte
+# distant.
+# essayer de faire passer en args une variable pour basedomain
+- name: Mise à jour du fichier fullchain.pem
+ shell: cat /etc/pki/tls/certs/casperlefantom.net.postfix.crt /etc/pki/ca-trust/source/anchors/root.pem > /etc/pki/tls/certs/casperlefantom.net.postfix.fullchain.crt
+ args:
+ executable: /usr/bin/zsh
+ when: mtadomain is defined
+ tags: keys
+
- name: Installation des fichiers certificat pour dovecot
copy:
- src: "certs/{{ basedomain }}.{{ ansible_hostname }}.{{ crtversion }}.crt"
- dest: /etc/pki/tls/certs/{{ basedomain }}.{{ ansible_hostname }}.dovecot.crt
+ src: "certs/{{ basedomain }}.{{ ansible_hostname }}.dovecot.{{ crtversion }}.crt"
+ dest: /etc/pki/tls/certs/{{ basedomain }}.dovecot.crt
owner: root
group: root
mode: 0644
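Review bot: The new fullchain task hardcodes `casperlefantom.net` in its `shell:` line while every other path in this hunk is built from `{{ basedomain }}` and main.cf.j2 reads `{{ mtadomain.0 }}.postfix.fullchain.crt`, so on any host where those variables do not resolve to that literal the chain file postfix is configured to load is never written — the task's own comment already flags this. Suggest `shell: cat /etc/pki/tls/certs/{{ basedomain }}.postfix.crt /etc/pki/ca-trust/source/anchors/root.pem > /etc/pki/tls/certs/{{ mtadomain.0 }}.postfix.fullchain.crt`, and reconciling `basedomain` versus `mtadomain.0`, which the copy tasks and the templates currently disagree on. The `executable: /usr/bin/zsh` override adds a zsh dependency for a plain POSIX `cat` redirection and can be dropped, and the task should carry `notify: restart postfix` like the key task above so a chain rebuilt after only root.pem changed is also reloaded. Whether leaf + root.pem is a correct chain depends on the CA layout, which is not visible here: if the leaf is issued by an intermediate, that intermediate is what must follow the server cert, so verify the generated file with `openssl verify -CAfile` once rather than assume. The dovecot task added further down this file has the same shape and the same issues.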
@@ -57,11 +67,21 @@
- name: Installation des fichiers clé pour dovecot
copy:
- src: "certs/{{ basedomain }}.{{ ansible_hostname }}.{{ crtversion }}.key"
- dest: /etc/pki/tls/private/{{ basedomain }}.{{ ansible_hostname }}.dovecot.key
+ src: "certs/{{ basedomain }}.{{ ansible_hostname }}.dovecot.{{ crtversion }}.key"
+ dest: /etc/pki/tls/private/{{ basedomain }}.dovecot.key
owner: root
group: root
mode: 0440
when: mtadomain is defined
notify: restart dovecot
tags: keys
+
+# regénérer le fullchain.pem avec le nouveau cert sur chaque hôte
+# distant.
+# essayer de faire passer en args une variable pour basedomain
+- name: Mise à jour du fichier fullchain.pem
+ shell: cat /etc/pki/tls/certs/casperlefantom.net.dovecot.crt /etc/pki/ca-trust/source/anchors/root.pem > /etc/pki/tls/certs/casperlefantom.net.dovecot.fullchain.crt
+ args:
+ executable: /usr/bin/zsh
+ when: mtadomain is defined
+ tags: keys
diff --git a/roles/mtaserver/templates/10-ssl.conf.j2 b/roles/mtaserver/templates/10-ssl.conf.j2
index 88823b0..e8fd7e3 100644
--- a/roles/mtaserver/templates/10-ssl.conf.j2
+++ b/roles/mtaserver/templates/10-ssl.conf.j2
@@ -11,8 +11,8 @@ ssl = required
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/pki/tls/certs/{{ mtadomain.0 }}.{{ ansible_hostname }}.{{ crtversion }}.crt
-ssl_key = </etc/pki/tls/private/{{ mtadomain.0 }}.{{ ansible_hostname }}.{{ crtversion }}.key
+ssl_cert = </etc/pki/tls/certs/{{ mtadomain.0 }}.dovecot.fullchain.crt
+ssl_key = </etc/pki/tls/private/{{ mtadomain.0 }}.dovecot.key
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
@@ -56,7 +56,7 @@ ssl_require_crl = yes
# gives on startup when ssl_dh is unset.
#ssl_dh = </etc/dovecot/dh.pem
{% if ansible_distribution == "Fedora" %}
-ssl_dh = </etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.{{ crtversion }}.pem
+ssl_dh = </etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.dovecot.pem
{% endif %}
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
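Review bot: `ssl_dh` now points at `dhparam-4096.{{ ansible_hostname }}.dovecot.pem`, but nothing in this commit installs a file under that name; the diffstat shows only the cert, key and fullchain tasks changing in roles/mtaserver/tasks/crt.yml. If the task that copies the DH parameters (outside the shown hunks) still writes `dhparam-4096.{{ ansible_hostname }}.{{ crtversion }}.pem`, dovecot's TLS listener will fail to start on the next run. Either rename that task's `dest` to the new name or keep the template on the existing one; the same rename is made for `smtpd_tls_dh1024_param_file` in main.cf.j2 and for squid's `tls-dh`/`dhparams` and needs the same check.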
diff --git a/roles/mtaserver/templates/main.cf.j2 b/roles/mtaserver/templates/main.cf.j2
index f2fd09c..6f003ae 100644
--- a/roles/mtaserver/templates/main.cf.j2
+++ b/roles/mtaserver/templates/main.cf.j2
@@ -757,7 +757,7 @@ readme_directory = /usr/share/doc/postfix/README_FILES
# the server certificate first, then the issuing CA(s) (bottom-up order).
#
{% if mtadomain is defined -%}
-smtpd_tls_cert_file = /etc/pki/tls/certs/{{ mtadomain.0 }}.{{ ansible_hostname }}.{{ crtversion }}.crt
+smtpd_tls_cert_file = /etc/pki/tls/certs/{{ mtadomain.0 }}.postfix.fullchain.crt
{% endif -%}
# The full pathname of a file with the Postfix SMTP server RSA private key
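Review bot: `smtpd_tls_cert_file` is switched to `{{ mtadomain.0 }}.postfix.fullchain.crt`, a file produced only by the shell task in roles/mtaserver/tasks/crt.yml, which writes a fixed `casperlefantom.net.postfix.fullchain.crt`; on a host whose `mtadomain.0` is anything else postfix is pointed at a file that does not exist, and smtpd will log the load failure and stop offering STARTTLS rather than fall back to the plain cert. The comment just above this line requires "the server certificate first, then the issuing CA(s)", and the generating task appends the trust-anchor `root.pem`, which is only the issuing CA if the leaf is signed directly by the root — worth confirming with `openssl verify` before relying on it. Making the generating task use the same `{{ mtadomain.0 }}` this template reads removes the first problem.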
@@ -765,8 +765,8 @@ smtpd_tls_cert_file = /etc/pki/tls/certs/{{ mtadomain.0 }}.{{ ansible_hostname }
# i.e. it must not be encrypted.
#
{% if mtadomain is defined -%}
-smtpd_tls_key_file = /etc/pki/tls/private/{{ mtadomain.0 }}.{{ ansible_hostname }}.{{ crtversion }}.key
-smtpd_tls_dh1024_param_file = /etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.{{ crtversion }}.pem
+smtpd_tls_key_file = /etc/pki/tls/private/{{ mtadomain.0 }}.postfix.key
+smtpd_tls_dh1024_param_file = /etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.postfix.pem
{% endif -%}
# Announce STARTTLS support to remote SMTP clients, but do not require that
diff --git a/roles/proxy/tasks/crt.yml b/roles/proxy/tasks/crt.yml
index bea1495..61071d3 100644
--- a/roles/proxy/tasks/crt.yml
+++ b/roles/proxy/tasks/crt.yml
@@ -1,7 +1,7 @@
- name: Installation des fichiers certificat pour squid
copy:
- src: "certs/{{ maindomain }}.{{ ansible_hostname }}.{{ crtversion }}.crt"
- dest: /etc/pki/tls/certs/{{ maindomain }}.{{ ansible_hostname }}.squid.crt
+ src: "certs/{{ maindomain }}.{{ ansible_hostname }}.squid.{{ crtversion }}.crt"
+ dest: /etc/pki/tls/certs/{{ maindomain }}.squid.crt
owner: root
group: root
mode: 0644
@@ -20,10 +20,19 @@
- name: Installation des fichiers clé pour squid
copy:
- src: "certs/{{ maindomain }}.{{ ansible_hostname }}.{{ crtversion }}.key"
- dest: /etc/pki/tls/private/{{ maindomain }}.{{ ansible_hostname }}.squid.key
+ src: "certs/{{ maindomain }}.{{ ansible_hostname }}.squid.{{ crtversion }}.key"
+ dest: /etc/pki/tls/private/{{ maindomain }}.squid.key
owner: root
group: root
mode: 0440
notify: restart squid
tags: keys
+
+# regénérer le fullchain.pem avec le nouveau cert sur chaque hôte
+# distant.
+# essayer de faire passer en args une variable pour basedomain
+- name: Mise à jour du fichier fullchain.pem
+ shell: cat /etc/pki/tls/certs/casperlefantom.net.squid.crt /etc/pki/ca-trust/source/anchors/root.pem > /etc/pki/tls/certs/casperlefantom.net.squid.fullchain.crt
+ args:
+ executable: /usr/bin/zsh
+ tags: keys
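Review bot: The new fullchain task hardcodes `casperlefantom.net` although the cert and key it chains are installed under `{{ maindomain }}` in the tasks above and squid.conf.j2 loads `{{ maindomain }}.squid.fullchain.crt`, so any proxy host with a different `maindomain` ends up with a squid config pointing at a missing file. Suggest `shell: cat /etc/pki/tls/certs/{{ maindomain }}.squid.crt /etc/pki/ca-trust/source/anchors/root.pem > /etc/pki/tls/certs/{{ maindomain }}.squid.fullchain.crt`, dropping the `executable: /usr/bin/zsh` override (plain `cat` and a redirection need no zsh, and it adds a package dependency), and adding `notify: restart squid` as the key task above does. The task also reports `changed` on every run, which is cosmetic here but hides real drift in play summaries. If a `when:` guard is intentionally absent (unlike the mtaserver variants), that assumes every proxy host has these certs staged.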
diff --git a/roles/proxy/templates/squid.conf.j2 b/roles/proxy/templates/squid.conf.j2
index 318de0e..0c3eb20 100644
--- a/roles/proxy/templates/squid.conf.j2
+++ b/roles/proxy/templates/squid.conf.j2
@@ -17,10 +17,10 @@ http_port [::1]:{{ item }} accel ignore-cc
{% for item in iface %}
http_port {{ item }}:{{ revport }} accel ignore-cc
https_port {{ item }}:{{ revports }} accel ignore-cc \
- cert=/etc/pki/tls/certs/{{ maindomain }}.{{ ansible_hostname }}.{{ crtversion }}.crt \
- key=/etc/pki/tls/private/{{ maindomain }}.{{ ansible_hostname }}.{{ crtversion }}.key \
- tls-dh=secp384r1:/etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.{{ crtversion }}.pem \
- dhparams=/etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.{{ crtversion }}.pem \
+ cert=/etc/pki/tls/certs/{{ maindomain }}.squid.fullchain.crt \
+ key=/etc/pki/tls/private/{{ maindomain }}.squid.key \
+ tls-dh=secp384r1:/etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.squid.pem \
+ dhparams=/etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.squid.pem \
crlfile=/etc/pki/tls/certs/crt-crl.pem \
cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 \
options=NO_SSLv2,NO_SSLv3,CIPHER_SERVER_PREFERENCE \
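Review bot: `cert=` now loads the fullchain file, whose contents come from a task that appends `/etc/pki/ca-trust/source/anchors/root.pem` to the leaf and nothing else; if the leaf is issued by an intermediate, that intermediate is absent and clients see an incomplete chain, and if root.pem is a self-signed root the extra cert is merely superfluous. Check the served chain once with `openssl s_client -connect host:port -showcerts` rather than assume it. The same `cert=`/`key=`/`tls-dh`/`dhparams` block is repeated verbatim for the IPv6 `https_port` in the next hunk; setting those four options in one Jinja variable or macro would keep the two listeners from drifting on the next rename.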
@@ -30,10 +30,10 @@ https_port {{ item }}:{{ revports }} accel ignore-cc \
{% if ansible_default_ipv6.address is defined -%}
http_port [{{ ansible_default_ipv6.address }}]:{{ revport }} accel ignore-cc
https_port [{{ ansible_default_ipv6.address }}]:{{ revports }} accel ignore-cc \
- cert=/etc/pki/tls/certs/{{ maindomain }}.{{ ansible_hostname }}.{{ crtversion }}.crt \
- key=/etc/pki/tls/private/{{ maindomain }}.{{ ansible_hostname }}.{{ crtversion }}.key \
- tls-dh=secp384r1:/etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.{{ crtversion }}.pem \
- dhparams=/etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.{{ crtversion }}.pem \
+ cert=/etc/pki/tls/certs/{{ maindomain }}.squid.fullchain.crt \
+ key=/etc/pki/tls/private/{{ maindomain }}.squid.key \
+ tls-dh=secp384r1:/etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.squid.pem \
+ dhparams=/etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.squid.pem \
crlfile=/etc/pki/tls/certs/crt-crl.pem \
cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 \
options=NO_SSLv2,NO_SSLv3,CIPHER_SERVER_PREFERENCE \