authorMatthieu Saulnier <fantom@fedoraproject.org>2020-07-06 00:52:06 +0200
committerMatthieu Saulnier <fantom@fedoraproject.org>2020-07-06 00:52:06 +0200
commit770f0cfdc1e1de37b613537e0cd41d0ee3a6177d (patch)
tree5607dd55116f8e3e941b18732a2f95ef7a984c70
parent7d50fd9ea87845a5c177b1d0b2a4a7862c202e97 (diff)
new feature: key/crt/DHparam generation for each host is fully automatic
-rwxr-xr-xbin/crtkey-gen.sh48
-rwxr-xr-xbin/dhparam-gen.sh20
-rw-r--r--roles/mtaserver/templates/10-ssl.conf.j26
-rw-r--r--roles/mtaserver/templates/main.cf.j25
-rw-r--r--roles/proxy/tasks/crt.yml12
-rw-r--r--roles/proxy/templates/squid.conf.j28
6 files changed, 84 insertions, 15 deletions
diff --git a/bin/crtkey-gen.sh b/bin/crtkey-gen.sh
new file mode 100755
index 0000000..c227b6b
--- /dev/null
+++ b/bin/crtkey-gen.sh
@@ -0,0 +1,48 @@
+#!/usr/bin/bash
+
+
+DOMAIN="casperlefantom.net"
+SERIAL="6"
+
+SERVERHOST="blackbird falcon manchester sd-129211 sd-94125"
+CLIENTHOST="$SERVERHOST frhb11858flex frhb11859flex prattandwhitney rollsroyce"
+
+SERVERCONFDIR="$HOME/Documents/certificats/"
+CLIENTCONFDIR="$SERVERCONFDIR/config-keycert-client/"
+CERTDIR="$HOME/park-admin/playbooks-ansible/roles/proxy/files/certs/"
+KEYDIR=$CERTDIR
+CSRDIR=$CERTDIR
+CADIR="/media/sdtopsecret/.CA-2"
+
+
+
+# pour la génération de certificats client
+for i in $CLIENTHOST
+do
+ openssl req -new -config $CLIENTCONFDIR/$i.cnf -newkey rsa:4096 -keyout $KEYDIR/$i.$SERIAL.key -out $CSRDIR/$i.$SERIAL.csr
+done
+
+
+# pour la génération de certificats serveur
+for i in $SERVERHOST
+do
+ openssl req -new -config $SERVERCONFDIR/$DOMAIN-openssl.cnf -newkey rsa:4096 -keyout $KEYDIR/$DOMAIN.$i.$SERIAL.key -out $CSRDIR/$DOMAIN.$i.$SERIAL.csr
+done
+
+
+# pour la signature de clés publique
+if ( pushd $CADIR >/dev/null )
+then
+ for i in $SERVERHOST
+ do
+ openssl ca -batch -config openssl-server.cnf -in $CSRDIR/$DOMAIN.$i.$SERIAL.csr -out $CERTDIR/$DOMAIN.$i.$SERIAL.crt
+ done
+
+ for i in $CLIENTHOST
+ do
+ openssl ca -batch -config openssl-client.cnf -in $CSRDIR/$i.$SERIAL.csr -out $CERTDIR/$i.$SERIAL.crt
+ done
+ popd >/dev/null
+else
+ echo "CA inaccessible !"
+fi
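Review bot: The `if ( pushd $CADIR >/dev/null )` test runs pushd in a subshell, so the directory change is discarded before the body runs; `openssl ca -config openssl-server.cnf` then resolves the config relative to the caller's cwd instead of `$CADIR`, and the trailing `popd` finds an empty directory stack. Writing the test without parentheses, `if pushd "$CADIR" >/dev/null; then`, keeps the check and the cd in the same shell. The script also has no `set -e`, so a failed `openssl req` (a missing `$CLIENTCONFDIR/$i.cnf`, for instance) is ignored and the signing loop proceeds on a CSR that was never written; `set -euo pipefail` after the shebang stops at the first failure. Because `KEYDIR=$CERTDIR` places the private keys under `roles/proxy/files/certs/` and openssl creates them with the process umask, a `umask 077` at the top keeps them from being created world-readable. Finally, `openssl req -newkey` without `-nodes` passphrase-encrypts each key unless the .cnf sets `encrypt_key = no`, whereas the main.cf.j2 hunk in this commit states the Postfix key must not be encrypted, so it is worth confirming which the config files do.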
diff --git a/bin/dhparam-gen.sh b/bin/dhparam-gen.sh
new file mode 100755
index 0000000..cc29a4d
--- /dev/null
+++ b/bin/dhparam-gen.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/bash
+
+
+SERIAL="10"
+NBNEWFILE="2"
+SERVERHOST="blackbird falcon manchester sd-129211 sd-94125"
+
+CERTDIR="$HOME/park-admin/playbooks-ansible/roles/proxy/files/certs/"
+DHDIR=$CERTDIR
+
+LIMIT=$((SERIAL + NBNEWFILE))
+
+
+for i in $(seq $SERIAL $LIMIT)
+do
+ for j in $SERVERHOST
+ do
+ openssl dhparam -rand /dev/urandom -out $DHDIR/dhparam-4096.$j.$i.pem 4096
+ done
+done
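Review bot: `LIMIT=$((SERIAL + NBNEWFILE))` combined with the inclusive `seq $SERIAL $LIMIT` produces `NBNEWFILE + 1` serials per host (10, 11 and 12 with the values shown), so the variable name overstates by one; if two new files per host are intended, use `LIMIT=$((SERIAL + NBNEWFILE - 1))`. The serial also starts at 10 here while bin/crtkey-gen.sh in this commit uses `SERIAL="6"`, yet the templates select both the certificate and the dhparam file through the single `crtversion` variable, so the two generators presumably need to agree on the serial; a comment at the top of each script stating which `crtversion` values it covers would make the coupling visible. As in crtkey-gen.sh, there is no `set -e`, so a failing `openssl dhparam` leaves a gap in the series without stopping the run.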
diff --git a/roles/mtaserver/templates/10-ssl.conf.j2 b/roles/mtaserver/templates/10-ssl.conf.j2
index 216edda..88823b0 100644
--- a/roles/mtaserver/templates/10-ssl.conf.j2
+++ b/roles/mtaserver/templates/10-ssl.conf.j2
@@ -11,8 +11,8 @@ ssl = required
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/pki/tls/certs/{{ mtadomain.0 }}.{{ crtversion }}.crt
-ssl_key = </etc/pki/tls/private/{{ mtadomain.0 }}.{{ crtversion }}.key
+ssl_cert = </etc/pki/tls/certs/{{ mtadomain.0 }}.{{ ansible_hostname }}.{{ crtversion }}.crt
+ssl_key = </etc/pki/tls/private/{{ mtadomain.0 }}.{{ ansible_hostname }}.{{ crtversion }}.key
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
@@ -56,7 +56,7 @@ ssl_require_crl = yes
# gives on startup when ssl_dh is unset.
#ssl_dh = </etc/dovecot/dh.pem
{% if ansible_distribution == "Fedora" %}
-ssl_dh = </etc/pki/tls/certs/dhparam-4096.{{ crtversion }}.pem
+ssl_dh = </etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.{{ crtversion }}.pem
{% endif %}
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
diff --git a/roles/mtaserver/templates/main.cf.j2 b/roles/mtaserver/templates/main.cf.j2
index 2c1633d..f4cbbef 100644
--- a/roles/mtaserver/templates/main.cf.j2
+++ b/roles/mtaserver/templates/main.cf.j2
@@ -752,7 +752,7 @@ readme_directory = /usr/share/doc/postfix/README_FILES
# the server certificate first, then the issuing CA(s) (bottom-up order).
#
{% if mtadomain is defined -%}
-smtpd_tls_cert_file = /etc/pki/tls/certs/{{ mtadomain.0 }}.{{ crtversion }}.crt
+smtpd_tls_cert_file = /etc/pki/tls/certs/{{ mtadomain.0 }}.{{ ansible_hostname }}.{{ crtversion }}.crt
{% endif -%}
# The full pathname of a file with the Postfix SMTP server RSA private key
@@ -760,7 +760,8 @@ smtpd_tls_cert_file = /etc/pki/tls/certs/{{ mtadomain.0 }}.{{ crtversion }}.crt
# i.e. it must not be encrypted.
#
{% if mtadomain is defined -%}
-smtpd_tls_key_file = /etc/pki/tls/private/{{ mtadomain.0 }}.{{ crtversion }}.key
+smtpd_tls_key_file = /etc/pki/tls/private/{{ mtadomain.0 }}.{{ ansible_hostname }}.{{ crtversion }}.key
+smtpd_tls_dh1024_param_file = /etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.{{ crtversion }}.pem
{% endif -%}
# Announce STARTTLS support to remote SMTP clients, but do not require that
diff --git a/roles/proxy/tasks/crt.yml b/roles/proxy/tasks/crt.yml
index 2c78dd6..af66b78 100644
--- a/roles/proxy/tasks/crt.yml
+++ b/roles/proxy/tasks/crt.yml
@@ -4,7 +4,7 @@
# aux services impactés (get file non-fatal)
- name: Installation des fichiers certificat
copy:
- src: "certs/{{ maindomain }}.{{ crtversion }}.crt"
+ src: "certs/{{ maindomain }}.{{ ansible_hostname }}.{{ crtversion }}.crt"
dest: /etc/pki/tls/certs/
owner: root
group: root
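Review bot: The new `src` path keys the certificate on `ansible_hostname`, the short hostname gathered from the target, while bin/crtkey-gen.sh in this commit names the files after the entries of its `SERVERHOST` list; the copy only succeeds where the gathered hostname matches the name used at generation time, and a host whose `hostname` output differs from its inventory name fails at this task with a missing source file. If the list is meant to mirror the inventory, `inventory_hostname_short` ties the lookup to the inventory name instead of to a gathered fact and also works when fact gathering is disabled. The same applies to the `src` lines in the five following hunks of this file (the dhparam and key copies and the three link tasks), and the paths in the 10-ssl.conf.j2, main.cf.j2 and squid.conf.j2 templates must use whichever variable is chosen here, since the copied files keep their source basename under the `dest` directory.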
@@ -14,7 +14,7 @@
- name: Installation du fichier dhparam
copy:
- src: "certs/dhparam-4096.{{ crtversion }}.pem"
+ src: "certs/dhparam-4096.{{ ansible_hostname }}.{{ crtversion }}.pem"
dest: /etc/pki/tls/certs/
owner: root
group: root
@@ -24,7 +24,7 @@
- name: Installation des fichiers clé
copy:
- src: "certs/{{ maindomain }}.{{ crtversion }}.key"
+ src: "certs/{{ maindomain }}.{{ ansible_hostname }}.{{ crtversion }}.key"
dest: /etc/pki/tls/private/
owner: 0984
group: root
@@ -42,7 +42,7 @@
- name: Lien avec les anciens noms de certificat
file:
- src: "/etc/pki/tls/certs/{{ maindomain }}.{{ crtversion }}.crt"
+ src: "/etc/pki/tls/certs/{{ maindomain }}.{{ ansible_hostname }}.{{ crtversion }}.crt"
dest: /etc/pki/tls/certs/casperlefantom.1.crt
state: link
tags: keys
@@ -56,7 +56,7 @@
- name: Lien avec les anciens noms de dhparam
file:
- src: "/etc/pki/tls/certs/dhparam-4096.{{ crtversion }}.pem"
+ src: "/etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.{{ crtversion }}.pem"
dest: /etc/pki/tls/certs/dhparam-4096.pem
state: link
tags: keys
@@ -70,7 +70,7 @@
- name: Lien avec les anciens noms de clé
file:
- src: "/etc/pki/tls/private/{{ maindomain }}.{{ crtversion }}.key"
+ src: "/etc/pki/tls/private/{{ maindomain }}.{{ ansible_hostname }}.{{ crtversion }}.key"
dest: /etc/pki/tls/private/casperlefantom.1.key
state: link
tags: keys
diff --git a/roles/proxy/templates/squid.conf.j2 b/roles/proxy/templates/squid.conf.j2
index e794cb8..6124a82 100644
--- a/roles/proxy/templates/squid.conf.j2
+++ b/roles/proxy/templates/squid.conf.j2
@@ -15,10 +15,10 @@ http_port [::1]:{{ item }} accel ignore-cc
{% for item in iface %}
http_port {{ item }}:{{ revport }} accel ignore-cc
https_port {{ item }}:{{ revports }} accel ignore-cc \
- cert=/etc/pki/tls/certs/{{ maindomain }}.{{ crtversion }}.crt \
- key=/etc/pki/tls/private/{{ maindomain }}.{{ crtversion }}.key \
- tls-dh=secp384r1:/etc/pki/tls/certs/dhparam-4096.{{ crtversion }}.pem \
- dhparams=/etc/pki/tls/certs/dhparam-4096.{{ crtversion }}.pem \
+ cert=/etc/pki/tls/certs/{{ maindomain }}.{{ ansible_hostname }}.{{ crtversion }}.crt \
+ key=/etc/pki/tls/private/{{ maindomain }}.{{ ansible_hostname }}.{{ crtversion }}.key \
+ tls-dh=secp384r1:/etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.{{ crtversion }}.pem \
+ dhparams=/etc/pki/tls/certs/dhparam-4096.{{ ansible_hostname }}.{{ crtversion }}.pem \
crlfile=/etc/pki/tls/certs/crt-crl.pem \
cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 \
options=NO_SSLv2,NO_SSLv3,CIPHER_SERVER_PREFERENCE \