Commit 5f574f79 authored by nimrod's avatar nimrod

Improve TLS keys and certs handling in OpenBSD.

parent d4c33dfe
#!/bin/sh -e
# Update the CA certificates store.
test -d /etc/ssl/certs || echo "/etc/ssl/certs doesn't exist."
test -w /etc/ssl/cert.pem || chmod 0644 /etc/ssl/cert.pem
cat /etc/ssl/certs/*.pem > /etc/ssl/cert.pem
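Review bot: The `>` redirect on the last line truncates /etc/ssl/cert.pem before `cat` runs, so if /etc/ssl/certs is missing (the `test -d … || echo` two lines up only prints and, because of the `||`, does not abort under `sh -e`) or the glob matches nothing, the host is left with an empty system trust store and every later TLS verification fails closed. Build the bundle in a temporary file and move it into place only after `cat` succeeds, and make the missing-directory case fatal. When run as root, `test -w` succeeds regardless of the file's mode, so the `chmod 0644` line is effectively dead as written; setting the mode on the temporary file before the move is more reliable. Separately, every `*.pem` under /etc/ssl/certs — including the host's own self-signed `ssl-cert-snakeoil.pem` and any server certificate the role copies there — becomes a system-wide trust anchor, which may be intended but deserves a comment in the script (the file appears to be the `update-ca-certificates` script copied by the tasks; its path is not shown here).
```sh
#!/bin/sh -e
# Rebuild the system CA bundle from /etc/ssl/certs/*.pem.
# Write to a temporary file first so a failure never leaves cert.pem empty.
test -d /etc/ssl/certs || { echo "/etc/ssl/certs doesn't exist." >&2; exit 1; }
tmp=$(mktemp /etc/ssl/cert.pem.XXXXXX)
trap 'rm -f "$tmp"' EXIT
cat /etc/ssl/certs/*.pem > "$tmp"
chmod 0644 "$tmp"
mv "$tmp" /etc/ssl/cert.pem
```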
......@@ -2,7 +2,7 @@
# handlers file for ansible-common
- name: Update CA store
command: /usr/sbin/update-ca-certificates
command: '{{ update_ca_certificates[ansible_os_family] }}'
- name: Restart rsyslog
service:
......
......@@ -3,11 +3,11 @@
- name: Assert
assert:
that:
- "ansible_os_family in [ 'Debian' ]"
- "ansible_os_family in [ 'Debian', 'OpenBSD' ]"
- "extra_tls_certs is defined"
- name: apt install CA certificates
when: ansible_os_family == 'Debian'
when: ansible_pkg_mgr == 'apt'
apt:
name: ca-certificates
state: present
......
......@@ -17,43 +17,52 @@
mode: '{{ item.mode }}'
state: directory
- name: Get current CA store
get_url:
url: http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libcrypto/cert.pem
dest: /etc/ssl/certs/ca-certificates.pem
owner: root
group: wheel
mode: '0644'
- name: Copy update-ca-certifcates script
copy:
src: update-ca-certificates
dest: /usr/local/sbin/update-ca-certificates
owner: root
group: wheel
mode: '0755'
- stat:
path: /etc/ssl/private/ssl-cert-snakeoil.key
register: tls_stat_key
- name: Generate self-signed TLS key
when: not tls_stat_key.exists
command: /usr/sbin/openssl genrsa -out /etc/ssl/private/ssl-cert-snakeoil.key 2048
when: not tls_stat_key.stat.exists
command: /usr/bin/openssl genrsa -out /etc/ssl/private/ssl-cert-snakeoil.key 2048
- stat:
path: /etc/ssl/certs/ssl-cert-snakeoil.crt
path: /etc/ssl/certs/ssl-cert-snakeoil.pem
register: tls_stat_cert
- name: Generate self-signed TLS cert
when: not tls_stat_cert.exists
when: not tls_stat_cert.stat.exists
command: |
/usr/sbin/openssl req \
/usr/bin/openssl req \
-x509 \
-new \
-key /etc/ssl/private/snakeoil.key \
-key /etc/ssl/private/ssl-cert-snakeoil.key \
-nodes \
-out /etc/ssl/certs/snakeoil.crt \
-out /etc/ssl/certs/ssl-cert-snakeoil.pem \
-days 3650
-subj "/CN={{ ansible_fqdn }}"
register: tls_gen_snakeoil_cert
- name: Add self-signed TLS cert to certificate store
when: not tls_stat_cert.exists
command: |
/usr/sbin/openssl x509 \
-in /etc/ssl/certs/ssl-snake-oil.crt \
-text >> /etc/ssl/cert.pem
- name: Set TLS key and certificate
set_fact:
tls_key_path: '/etc/ssl/private/{{ tls_key|default("ssl-cert-snakeoil")|basename }}.key'
tls_cert_path: '/etc/ssl/certs/{{ tls_cert|default("ssl-cert-snakeoil")|basename }}.crt'
tls_ca_cert_path: '/etc/ssl/certs/{{ tls_ca_cert|default(tls_cert|default("ssl-cert-snakeoil"))|basename }}.crt'
tls_cert_path: '/etc/ssl/certs/{{ tls_cert|default("ssl-cert-snakeoil")|basename }}.pem'
tls_ca_cert_path: '/etc/ssl/certs/{{ tls_ca_cert|default(tls_cert|default("ssl-cert-snakeoil"))|basename }}.pem'
- name: Copy TLS certificate and key
when: tls_cert is defined and tls_key is defined and tls_ca_cert is defined
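Review bot: The `Get current CA store` task downloads the host's complete set of trust anchors over plain `http://` with no `checksum:` and no signature verification, so an on-path attacker can hand the host an arbitrary CA bundle that every later TLS verification on the machine will trust. Pin it — `checksum: 'sha256:<digest of the reviewed bundle>'` on the `get_url` — or vendor the bundle in the role's `files/` and `copy` it, and prefer an `https://` URL if the mirror serves one (the stock `/etc/ssl/cert.pem` already on the host can verify it). The `Get current CA store` and `Copy update-ca-certifcates script` tasks carry no `when:` within this hunk and use `group: wheel`, which is typically absent on the Debian hosts this task list also handles (see the `apt` task above); unless a block condition outside the hunk restricts them to OpenBSD, they will fail there. The new `-subj` line was added after `-days 3650`, which lacks the trailing backslash every other continuation line carries; add it (`-days 3650 \`) for consistency, and note the enclosing task list continues past the end of the hunk.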
......@@ -73,11 +82,4 @@
register: tls_copy
- name: Update certificate authority store
when: tls_copy.changed
with_items:
- '{{ tls_cert_path }}'
- '{{ tls_ca_cert_path }}'
command: |
/usr/sbin/openssl x509 \
-in {{ item }} \
-text >> /etc/ssl/cert.pem
command: /usr/local/sbin/update-ca-certificates
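Review bot: The `Update certificate authority store` task hard-codes `/usr/local/sbin/update-ca-certificates`, the OpenBSD path, although this commit adds a per-OS map (`update_ca_certificates[ansible_os_family]`) and a handler that uses it; on a Debian host, where that script is not installed, this task fails. It also only fires on `tls_copy.changed`, so a new bundle fetched by `Get current CA store` or a freshly generated `ssl-cert-snakeoil.pem` never triggers a rebuild of `/etc/ssl/cert.pem`. Replace the task with `notify: Update CA store` on the `get_url`, cert-generation and copy tasks (the handler then runs once with the right path), or at minimum use `command: '{{ update_ca_certificates[ansible_os_family] }}'` here. The `Copy TLS certificate and key` task whose `register: tls_copy` this hunk opens on begins in the previous hunk.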
......@@ -32,3 +32,10 @@ openbsd_collectd_version:
'5.8': 'collectd-5.5.0p1'
openbsd_pkg_mirror: http://www.mirrorservice.org/pub
ansible_python_interpreter: '{{ "/usr/local/bin/python2.7" if openbsd_bootstrap is defined else omit }}'
update_ca_certificates:
OpenBSD: /usr/local/sbin/update-ca-certificates
Debian: /usr/sbin/update-ca-certificates
ca_store:
OpenBSD: /etc/ssl/cert.pem
Debian: /etc/ssl/certs/ca-certificates.crt
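Review bot: The new `update_ca_certificates` map is indexed with `[ansible_os_family]` by the `Update CA store` handler, and the neighbouring keys (`openbsd_collectd_version`, `openbsd_pkg_mirror`, the `openbsd_bootstrap` interpreter switch) suggest this is an OpenBSD-only vars file; if it is loaded only on OpenBSD hosts, the `Debian:` entries are dead and the handler fails on Debian with the variable undefined. Defining both maps in `defaults/main.yml` (or whichever vars file is loaded for every OS family) avoids that, and a short comment such as `# Per-OS command that rebuilds the system CA bundle; looked up by ansible_os_family in handlers` would help the next reader. `ca_store` is not referenced by any task or handler visible in this commit, so either it is consumed elsewhere or it can be dropped. The hunk header counts suggest one added line is not shown here.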