
Improve TLS keys and certs handling in OpenBSD.

parent d4c33dfe
#!/bin/sh -e
# Update the CA certificates store.
test -d /etc/ssl/certs || echo "/etc/ssl/certs doesn't exist."
test -w /etc/ssl/cert.pem || chmod 0644 /etc/ssl/cert.pem
cat /etc/ssl/certs/*.pem > /etc/ssl/cert.pem
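Review bot: The last line truncates /etc/ssl/cert.pem in place and then fills it, so a TLS client that opens the store while `cat` is running sees an empty or partial set of trust anchors; build the new store in a temp file beside it and `mv` it over instead, which also removes the need for the `chmod 0644` on the line above (when run as root, `test -w` is always true and the redirection succeeds on the stock 0444 file anyway, so that line does nothing useful and never restores the mode). The missing-directory check only echoes to stdout and carries on; it should go to stderr and `exit 1`. Note also that everything matching /etc/ssl/certs/*.pem becomes a trust anchor for the whole host, which from the tasks in this commit includes the locally generated ssl-cert-snakeoil.pem whose private key lives on the same machine — if that is intended, a comment in the script saying so would help the next reader.
```sh
#!/bin/sh -e
# Rebuild the system trust store (/etc/ssl/cert.pem) from /etc/ssl/certs/*.pem.
# Everything in that directory becomes a trust anchor for the whole host.
if [ ! -d /etc/ssl/certs ]; then
	echo "/etc/ssl/certs doesn't exist." >&2
	exit 1
fi
# Assemble the new store in a temp file and rename it into place so a client
# that opens cert.pem mid-update never sees a truncated store.
tmp=$(mktemp /etc/ssl/cert.pem.XXXXXX)
trap 'rm -f "$tmp"' EXIT
cat /etc/ssl/certs/*.pem > "$tmp"
chmod 0444 "$tmp"
mv -f "$tmp" /etc/ssl/cert.pem
```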
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
# handlers file for ansible-common # handlers file for ansible-common
- name: Update CA store - name: Update CA store
command: /usr/sbin/update-ca-certificates command: '{{ update_ca_certificates[ansible_os_family] }}'
- name: Restart rsyslog - name: Restart rsyslog
service: service:
......
...@@ -3,11 +3,11 @@ ...@@ -3,11 +3,11 @@
- name: Assert - name: Assert
assert: assert:
that: that:
- "ansible_os_family in [ 'Debian' ]" - "ansible_os_family in [ 'Debian', 'OpenBSD' ]"
- "extra_tls_certs is defined" - "extra_tls_certs is defined"
- name: apt install CA certificates - name: apt install CA certificates
when: ansible_os_family == 'Debian' when: ansible_pkg_mgr == 'apt'
apt: apt:
name: ca-certificates name: ca-certificates
state: present state: present
......
...@@ -17,43 +17,52 @@ ...@@ -17,43 +17,52 @@
mode: '{{ item.mode }}' mode: '{{ item.mode }}'
state: directory state: directory
- name: Get current CA store
get_url:
url: http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libcrypto/cert.pem
dest: /etc/ssl/certs/ca-certificates.pem
owner: root
group: wheel
mode: '0644'
- name: Copy update-ca-certifcates script
copy:
src: update-ca-certificates
dest: /usr/local/sbin/update-ca-certificates
owner: root
group: wheel
mode: '0755'
- stat: - stat:
path: /etc/ssl/private/ssl-cert-snakeoil.key path: /etc/ssl/private/ssl-cert-snakeoil.key
register: tls_stat_key register: tls_stat_key
- name: Generate self-signed TLS key - name: Generate self-signed TLS key
when: not tls_stat_key.exists when: not tls_stat_key.stat.exists
command: /usr/sbin/openssl genrsa -out /etc/ssl/private/ssl-cert-snakeoil.key 2048 command: /usr/bin/openssl genrsa -out /etc/ssl/private/ssl-cert-snakeoil.key 2048
- stat: - stat:
path: /etc/ssl/certs/ssl-cert-snakeoil.crt path: /etc/ssl/certs/ssl-cert-snakeoil.pem
register: tls_stat_cert register: tls_stat_cert
- name: Generate self-signed TLS cert - name: Generate self-signed TLS cert
when: not tls_stat_cert.exists when: not tls_stat_cert.stat.exists
command: | command: |
/usr/sbin/openssl req \ /usr/bin/openssl req \
-x509 \ -x509 \
-new \ -new \
-key /etc/ssl/private/snakeoil.key \ -key /etc/ssl/private/ssl-cert-snakeoil.key \
-nodes \ -nodes \
-out /etc/ssl/certs/snakeoil.crt \ -out /etc/ssl/certs/ssl-cert-snakeoil.pem \
-days 3650 -days 3650
-subj "/CN={{ ansible_fqdn }}" -subj "/CN={{ ansible_fqdn }}"
register: tls_gen_snakeoil_cert register: tls_gen_snakeoil_cert
- name: Add self-signed TLS cert to certificate store
when: not tls_stat_cert.exists
command: |
/usr/sbin/openssl x509 \
-in /etc/ssl/certs/ssl-snake-oil.crt \
-text >> /etc/ssl/cert.pem
- name: Set TLS key and certificate - name: Set TLS key and certificate
set_fact: set_fact:
tls_key_path: '/etc/ssl/private/{{ tls_key|default("ssl-cert-snakeoil")|basename }}.key' tls_key_path: '/etc/ssl/private/{{ tls_key|default("ssl-cert-snakeoil")|basename }}.key'
tls_cert_path: '/etc/ssl/certs/{{ tls_cert|default("ssl-cert-snakeoil")|basename }}.crt' tls_cert_path: '/etc/ssl/certs/{{ tls_cert|default("ssl-cert-snakeoil")|basename }}.pem'
tls_ca_cert_path: '/etc/ssl/certs/{{ tls_ca_cert|default(tls_cert|default("ssl-cert-snakeoil"))|basename }}.crt' tls_ca_cert_path: '/etc/ssl/certs/{{ tls_ca_cert|default(tls_cert|default("ssl-cert-snakeoil"))|basename }}.pem'
- name: Copy TLS certificate and key - name: Copy TLS certificate and key
when: tls_cert is defined and tls_key is defined and tls_ca_cert is defined when: tls_cert is defined and tls_key is defined and tls_ca_cert is defined
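Review bot: The `Get current CA store` task fetches the trust anchors themselves over plain `http://` with no `checksum:`, so anyone on the network path can hand the host an arbitrary cert.pem that update-ca-certificates then installs as the system trust store; at minimum switch to `url: https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libcrypto/cert.pem` and pin it with a `checksum: sha256:…` entry, or avoid the download entirely by copying the base system's /etc/ssl/cert.pem into /etc/ssl/certs/ca-certificates.pem before it is first overwritten (the CVS checkout also tracks -current rather than the installed release). The `Generate self-signed TLS key` task runs `openssl genrsa` and never sets a mode, so whether the private key ends up world-readable depends on the umask and on /etc/ssl/private being 0700; follow it with a `file:` task setting `owner: root`, `mode: '0600'`. The self-signed certificate carries only a CN and no subjectAltName, which newer TLS clients are likely to ignore for hostname matching — worth a comment if this is meant only as a placeholder. The task list continues outside this hunk.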
...@@ -73,11 +82,4 @@ ...@@ -73,11 +82,4 @@
register: tls_copy register: tls_copy
- name: Update certificate authority store - name: Update certificate authority store
when: tls_copy.changed command: /usr/local/sbin/update-ca-certificates
with_items:
- '{{ tls_cert_path }}'
- '{{ tls_ca_cert_path }}'
command: |
/usr/sbin/openssl x509 \
-in {{ item }} \
-text >> /etc/ssl/cert.pem
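Review bot: `Update certificate authority store` now runs on every play with no condition, so the system trust store is rewritten and the task reports changed even when no certificate was copied; keep the dropped `when: tls_copy.changed` guard, or better, have the copy task (and the snakeoil certificate generation task) `notify: Update CA store` now that the handler dispatches on `ansible_os_family`. Driving this through the handler would also give the Debian and OpenBSD paths one code path to keep in sync. The enclosing task list starts outside this hunk.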
...@@ -32,3 +32,10 @@ openbsd_collectd_version: ...@@ -32,3 +32,10 @@ openbsd_collectd_version:
'5.8': 'collectd-5.5.0p1' '5.8': 'collectd-5.5.0p1'
openbsd_pkg_mirror: http://www.mirrorservice.org/pub openbsd_pkg_mirror: http://www.mirrorservice.org/pub
ansible_python_interpreter: '{{ "/usr/local/bin/python2.7" if openbsd_bootstrap is defined else omit }}'
update_ca_certificates:
OpenBSD: /usr/local/sbin/update-ca-certificates
Debian: /usr/sbin/update-ca-certificates
ca_store:
OpenBSD: /etc/ssl/cert.pem
Debian: /etc/ssl/certs/ca-certificates.crt