author | Matthieu Saulnier <fantom@fedoraproject.org> | 2020-07-06 00:52:06 +0200 |
---|---|---|
committer | Matthieu Saulnier <fantom@fedoraproject.org> | 2020-07-06 00:52:06 +0200 |
commit | 770f0cfdc1e1de37b613537e0cd41d0ee3a6177d (patch) | |
tree | 5607dd55116f8e3e941b18732a2f95ef7a984c70 | |
parent | 7d50fd9ea87845a5c177b1d0b2a4a7862c202e97 (diff) | |
new feature: key/crt/DHparam generation for each host is full auto
-rwxr-xr-x | bin/crtkey-gen.sh | 48 | ||||
-rwxr-xr-x | bin/dhparam-gen.sh | 20 | ||||
-rw-r--r-- | roles/mtaserver/templates/10-ssl.conf.j2 | 6 | ||||
-rw-r--r-- | roles/mtaserver/templates/main.cf.j2 | 5 | ||||
-rw-r--r-- | roles/proxy/tasks/crt.yml | 12 | ||||
-rw-r--r-- | roles/proxy/templates/squid.conf.j2 | 8 |
6 files changed, 84 insertions, 15 deletions
diff --git a/bin/crtkey-gen.sh b/bin/crtkey-gen.sh
new file mode 100755
index 0000000..c227b6b
--- /dev/null
+++ b/bin/crtkey-gen.sh
@@ -0,0 +1,48 @@
+#!/usr/bin/bash
+
+
+DOMAIN="casperlefantom.net"
+SERIAL="6"
+
+SERVERHOST="blackbird falcon manchester sd-129211 sd-94125"
+CLIENTHOST="$SERVERHOST frhb11858flex frhb11859flex prattandwhitney rollsroyce"
+
+SERVERCONFDIR="$HOME/Documents/certificats/"
+CLIENTCONFDIR="$SERVERCONFDIR/config-keycert-client/"
+CERTDIR="$HOME/park-admin/playbooks-ansible/roles/proxy/files/certs/"
+KEYDIR=$CERTDIR
+CSRDIR=$CERTDIR
+CADIR="/media/sdtopsecret/.CA-2"
+
+
+
+# pour la génération de certificats client
+for i in $CLIENTHOST
+do
+ openssl req -new -config $CLIENTCONFDIR/$i.cnf -newkey rsa:4096 -keyout $KEYDIR/$i.$SERIAL.key -out $CSRDIR/$i.$SERIAL.csr
+done
+
+
+# pour la génération de certificats serveur
+for i in $SERVERHOST
+do
+ openssl req -new -config $SERVERCONFDIR/$DOMAIN-openssl.cnf -newkey rsa:4096 -keyout $KEYDIR/$DOMAIN.$i.$SERIAL.key -out $CSRDIR/$DOMAIN.$i.$SERIAL.csr
+done
+
+
+# pour la signature de clés publique
+if ( pushd $CADIR >/dev/null )
+then
+ for i in $SERVERHOST
+ do
+ openssl ca -batch -config openssl-server.cnf -in $CSRDIR/$DOMAIN.$i.$SERIAL.csr -out $CERTDIR/$DOMAIN.$i.$SERIAL.crt
+ done
+
+ for i in $CLIENTHOST
+ do
+ openssl ca -batch -config openssl-client.cnf -in $CSRDIR/$i.$SERIAL.csr -out $CERTDIR/$i.$SERIAL.crt
+ done
+ popd >/dev/null
+else
+ echo "CA inaccessible !"
+fi
diff --git a/bin/dhparam-gen.sh b/bin/dhparam-gen.sh
new file mode 100755
index 0000000..cc29a4d
--- /dev/null
+++ b/bin/dhparam-gen.sh
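Review bot: The signing step runs `pushd` inside a subshell (`if ( pushd $CADIR >/dev/null )`), so the script's own working directory never changes: `openssl ca -config openssl-server.cnf` is then resolved relative to wherever the script was launched rather than `$CADIR`, and the trailing `popd >/dev/null` acts on an empty directory stack. Drop the parentheses, `if pushd "$CADIR" >/dev/null; then`, or pass `-config "$CADIR/openssl-server.cnf"` and remove the pushd/popd pair. Two further points for a run advertised as "full auto": `openssl req -newkey` encrypts the key and prompts for a passphrase unless the .cnf sets `encrypt_key = no` or `-nodes` is given — the configs are outside this commit and main.cf.j2 in the same commit requires an unencrypted key, so this is worth confirming — and the private keys are written with the default umask into `roles/proxy/files/certs/` inside the playbook repository, so a `umask 077` at the top and keeping that directory out of version control (or vault-encrypting it) would be prudent. There is also no `set -e`, so a failed `openssl req` still falls through into the signing loops.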
@@ -0,0 +1,20 @@ +#!/usr/bin/bash + + +SERIAL="10" +NBNEWFILE="2" +SERVERHOST="blackbird falcon manchester sd-129211 sd-94125" + +CERTDIR="$HOME/park-admin/playbooks-ansible/roles/proxy/files/certs/" +DHDIR=$CERTDIR + +LIMIT=$((SERIAL + NBNEWFILE)) + + +for i in $(seq $SERIAL $LIMIT) +do + for j in $SERVERHOST + do + openssl dhparam -rand /dev/urandom -out $DHDIR/dhparam-4096.$j.$i.pem 4096 + done +done diff --git a/roles/mtaserver/templates/10-ssl.conf.j2 b/roles/mtaserver/templates/10-ssl.conf.j2 index 216edda..88823b0 100644 --- a/roles/mtaserver/templates/10-ssl.conf.j2 +++ b/roles/mtaserver/templates/10-ssl.conf.j2 @@ -11,8 +11,8 @@ ssl = required # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf -ssl_cert = </etc/pki/tls/certs/{{ mtadomain.0 }}.{{ crtversion }}.crt -ssl_key = </etc/pki/tls/private/{{ mtadomain.0 }}.{{ crtversion }}.key +ssl_cert = </etc/pki/tls/certs/{{ mtadomain.0 }}.{{ ansible_hostname }}.{{ crtversion }}.crt +ssl_key = </etc/pki/tls/private/{{ mtadomain.0 }}.{{ ansible_hostname }}.{{ crtversion }}.key # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. Since this file is often @@ -56,7 +56,7 @@ ssl_require_crl = yes # gives on startup when ssl_dh is unset. #ssl_dh = </etc/dovecot/dh.pem {% if ansible_distribution == "Fedora" %} -ssl_dh = </etc/pki/tls/certs/dhparam-4096.{{ crtversion }}.pem +ssl_dh = </etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.{{ crtversion }}.pem {% endif %} # Minimum SSL protocol version to use. Potentially recognized values are SSLv3, diff --git a/roles/mtaserver/templates/main.cf.j2 b/roles/mtaserver/templates/main.cf.j2 index 2c1633d..f4cbbef 100644 --- a/roles/mtaserver/templates/main.cf.j2 +++ b/roles/mtaserver/templates/main.cf.j2 
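Review bot: `seq $SERIAL $LIMIT` is inclusive, so with `NBNEWFILE="2"` the loop produces three parameter files per host (serials 10, 11 and 12), one more than the variable name suggests; if two are intended, use `LIMIT=$((SERIAL + NBNEWFILE - 1))`. The serial also starts at 10 here while bin/crtkey-gen.sh in the same commit uses `SERIAL="6"`, yet roles/proxy/tasks/crt.yml selects both the certificate and the dhparam file with the single `crtversion` variable, so the two scripts need to agree on the serial (or the role needs a second variable) for a host to pick up files from one generation run. `-rand /dev/urandom` is redundant on any OpenSSL that seeds from the OS and can be dropped; and fifteen 4096-bit generations with no progress output can take a very long time, which a header comment should warn about.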
@@ -752,7 +752,7 @@ readme_directory = /usr/share/doc/postfix/README_FILES # the server certificate first, then the issuing CA(s) (bottom-up order). # {% if mtadomain is defined -%} -smtpd_tls_cert_file = /etc/pki/tls/certs/{{ mtadomain.0 }}.{{ crtversion }}.crt +smtpd_tls_cert_file = /etc/pki/tls/certs/{{ mtadomain.0 }}.{{ ansible_hostname }}.{{ crtversion }}.crt {% endif -%} # The full pathname of a file with the Postfix SMTP server RSA private key @@ -760,7 +760,8 @@ smtpd_tls_cert_file = /etc/pki/tls/certs/{{ mtadomain.0 }}.{{ crtversion }}.crt # i.e. it must not be encrypted. # {% if mtadomain is defined -%} -smtpd_tls_key_file = /etc/pki/tls/private/{{ mtadomain.0 }}.{{ crtversion }}.key +smtpd_tls_key_file = /etc/pki/tls/private/{{ mtadomain.0 }}.{{ ansible_hostname }}.{{ crtversion }}.key +smtpd_tls_dh1024_param_file = /etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.{{ crtversion }}.pem {% endif -%} # Announce STARTTLS support to remote SMTP clients, but do not require that diff --git a/roles/proxy/tasks/crt.yml b/roles/proxy/tasks/crt.yml index 2c78dd6..af66b78 100644 --- a/roles/proxy/tasks/crt.yml +++ b/roles/proxy/tasks/crt.yml @@ -4,7 +4,7 @@ # aux services impactés (get file non-fatal) - name: Installation des fichiers certificat copy: - src: "certs/{{ maindomain }}.{{ crtversion }}.crt" + src: "certs/{{ maindomain }}.{{ ansible_hostname }}.{{ crtversion }}.crt" dest: /etc/pki/tls/certs/ owner: root group: root @@ -14,7 +14,7 @@ - name: Installation du fichier dhparam copy: - src: "certs/dhparam-4096.{{ crtversion }}.pem" + src: "certs/dhparam-4096.{{ ansible_hostname }}.{{ crtversion }}.pem" dest: /etc/pki/tls/certs/ owner: root group: root @@ -24,7 +24,7 @@ - name: Installation des fichiers clé copy: - src: "certs/{{ maindomain }}.{{ crtversion }}.key" + src: "certs/{{ maindomain }}.{{ ansible_hostname }}.{{ crtversion }}.key" dest: /etc/pki/tls/private/ owner: 0984 group: root 
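Review bot: `smtpd_tls_dh1024_param_file` now points at `/etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.{{ crtversion }}.pem`, but per the diffstat the only task installing that file lives in roles/proxy/tasks/crt.yml, so a host that receives the mtaserver role without the proxy role will have Postfix fail on a missing file; either declare the dependency (role `meta/main.yml` or a comment above this line such as `# installed by roles/proxy/tasks/crt.yml`) or install the dhparam file from the mtaserver role too. The same `crtversion` is used for the certificate, key and dhparam paths, while the two generator scripts in this commit start from different serials (6 and 10), so the value has to match both. If the target runs Postfix 3.1 or later, custom DH parameters are optional (the built-in 2048-bit group is used when this setting is empty), so a one-line comment saying why per-host 4096-bit parameters are wanted here would help the next maintainer.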
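Review bot: The `copy` sources now resolve on the controller as `certs/{{ maindomain }}.{{ ansible_hostname }}.{{ crtversion }}.key` and friends, which requires gathered facts; with `gather_facts: no` the tasks fail on an undefined variable, so either pin `gather_facts: true` on the play or switch to `inventory_hostname_short` if the inventory names match the SERVERHOST list in bin/crtkey-gen.sh. More importantly, the key task reads from roles/proxy/files/certs/, which bin/crtkey-gen.sh in this commit uses as `KEYDIR` for the freshly generated private keys, so the playbook repository becomes the key store; consider `ansible-vault`-encrypting the key files or keeping them outside the role with a `.gitignore` entry. The copy task for the key continues past the hunk, so its `mode` is not visible here; it should be 0600 for a private key.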
@@ -42,7 +42,7 @@ - name: Lien avec les anciens noms de certificat file: - src: "/etc/pki/tls/certs/{{ maindomain }}.{{ crtversion }}.crt" + src: "/etc/pki/tls/certs/{{ maindomain }}.{{ ansible_hostname }}.{{ crtversion }}.crt" dest: /etc/pki/tls/certs/casperlefantom.1.crt state: link tags: keys @@ -56,7 +56,7 @@ - name: Lien avec les anciens noms de dhparam file: - src: "/etc/pki/tls/certs/dhparam-4096.{{ crtversion }}.pem" + src: "/etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.{{ crtversion }}.pem" dest: /etc/pki/tls/certs/dhparam-4096.pem state: link tags: keys @@ -70,7 +70,7 @@ - name: Lien avec les anciens noms de clé file: - src: "/etc/pki/tls/private/{{ maindomain }}.{{ crtversion }}.key" + src: "/etc/pki/tls/private/{{ maindomain }}.{{ ansible_hostname }}.{{ crtversion }}.key" dest: /etc/pki/tls/private/casperlefantom.1.key state: link tags: keys diff --git a/roles/proxy/templates/squid.conf.j2 b/roles/proxy/templates/squid.conf.j2 index e794cb8..6124a82 100644 --- a/roles/proxy/templates/squid.conf.j2 +++ b/roles/proxy/templates/squid.conf.j2 
@@ -15,10 +15,10 @@ http_port [::1]:{{ item }} accel ignore-cc {% for item in iface %} http_port {{ item }}:{{ revport }} accel ignore-cc https_port {{ item }}:{{ revports }} accel ignore-cc \ - cert=/etc/pki/tls/certs/{{ maindomain }}.{{ crtversion }}.crt \ - key=/etc/pki/tls/private/{{ maindomain }}.{{ crtversion }}.key \ - tls-dh=secp384r1:/etc/pki/tls/certs/dhparam-4096.{{ crtversion }}.pem \ - dhparams=/etc/pki/tls/certs/dhparam-4096.{{ crtversion }}.pem \ + cert=/etc/pki/tls/certs/{{ maindomain }}.{{ ansible_hostname }}.{{ crtversion }}.crt \ + key=/etc/pki/tls/private/{{ maindomain }}.{{ ansible_hostname }}.{{ crtversion }}.key \ + tls-dh=secp384r1:/etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.{{ crtversion }}.pem \ + dhparams=/etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.{{ crtversion }}.pem \ crlfile=/etc/pki/tls/certs/crt-crl.pem \ cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 \ options=NO_SSLv2,NO_SSLv3,CIPHER_SERVER_PREFERENCE \ |
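Review bot: `tls-dh=secp384r1:…` and `dhparams=…` now both reference the same per-host file; on Squid 4 and later `dhparams=` is the deprecated spelling of `tls-dh=`, so if the targets run Squid 4+ the `dhparams=` line is redundant and can be dropped (keep it only for a Squid 3.5 host). Independently of this change, the `cipher=` list in the same statement still contains `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA` and `DES-CBC3-SHA` — `!DES` does not exclude 3DES — and `options=` only disables SSLv2/SSLv3, leaving TLS 1.0/1.1 negotiable; a follow-up could remove the 3DES entries and add `tls-min-version=1.2` where the Squid version supports it. The `https_port` statement continues past the end of the hunk.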