Backport some fixes.

This commit is contained in:
Andrea Dell'Amico 2022-01-19 18:52:58 +01:00
parent 2b61560c77
commit 498405318d
Signed by: adellam
GPG Key ID: 147ABE6CEB9E20FF
5 changed files with 118 additions and 17 deletions


@ -0,0 +1,36 @@
#!/bin/bash
#set -e
PUB_CERTS_DIR="/srv/CA/pki/issued"
# 1 day in seconds 86400
# 7 days in seconds: 604800
# 30 days in seconds: 2592000
DAYS="2592000"
RETVAL=
# Email settings
_sub=" will expire within $DAYS seconds (30 days):"
_from="isti-ca-noreply@isti.cnr.it"
_to="s2i2s@isti.cnr.it"
_openssl="/usr/bin/openssl"
for cert in "$PUB_CERTS_DIR/"*.crt ; do
#echo -n "$cert: "
#$_openssl x509 -enddate -noout -in "$cert" -checkend "$DAYS" | grep -q 'notAfter'
expiry_date=$( $_openssl x509 -enddate -noout -in "$cert" -checkend "$DAYS" )
RETVAL=$?
#echo "RETVAL: $RETVAL"
# Send email
if [ $RETVAL -ne 0 ] ; then
echo "$cert ${_sub} $expiry_date"
# mail -s "$cert $_sub" -r "$_from" "$_to" <<< "Warning: The TLS/SSL certificate ($cert) will expire soon on $HOSTNAME [$(date)]: $expiry_date"
# # See https://www.cyberciti.biz/mobile-devices/android/how-to-push-send-message-to-ios-and-android-from-linux-cli/ #
# source ~/bin/cli_app.sh
# push_to_mobile "$0" "$_sub. See $_to email for detailed log. -- $HOSTNAME " >/dev/null
fi
done
exit 0
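Review bot: The `for cert in "$PUB_CERTS_DIR/"*.crt` loop has no guard for an unmatched glob, so when the directory holds no `*.crt` the literal pattern is passed to openssl, which fails, and that non-zero status is printed as an expiry warning for a file that does not exist; `[ -e "$cert" ] || continue` as the first line of the loop body (or `shopt -s nullglob` before it) closes that. The directory is hard-coded to `/srv/CA/pki/issued` here while the sibling helper scripts derive it from `{{ easy_rsa_pki_basedir }}`, so if this file is rendered as a template too it should probably use the same variable, otherwise a non-default basedir makes the check silently examine nothing. With the `mail`/`push_to_mobile` lines commented out the only output is stdout and the script always exits 0, so a caller such as a monitoring job cannot tell that a certificate is about to expire; consider tracking a flag and exiting non-zero when any warning was printed.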


@ -1,5 +1,7 @@
#!/bin/bash #!/bin/bash
_retval=
host_arg= host_arg=
if [ $# -ne 1 ] ; then if [ $# -ne 1 ] ; then
echo "You need to pass just one argument: the full hostname for wich the certificate is required" echo "You need to pass just one argument: the full hostname for wich the certificate is required"
@ -11,24 +13,43 @@ fi
easy_rsa_base_dir={{ easy_rsa_pki_basedir }} easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued" easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private" easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
easy_rsa_reqs_dir="${easy_rsa_base_dir}/pki/reqs"
easy_vars_file="${easy_rsa_base_dir}/vars" easy_vars_file="${easy_rsa_base_dir}/vars"
if [ -f "${easy_vars_file}.tmpl" ] ; then if [ -f "${easy_vars_file}.tmpl" ] ; then
echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding." echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
exit 1 exit 1
fi fi
if [ -f "${easy_rsa_issued_dir}/${host_arg}.crt" ] ; then
echo ""
echo "A certificate already exists"
echo "If you want to renew it, then remove the following files and run che command again:"
echo "${easy_rsa_issued_dir}/${host_arg}.crt"
echo "${easy_rsa_keys_dir}/${host_arg}.key"
echo "${easy_rsa_reqs_dir}/${host_arg}.req"
echo ""
exit 1
fi
echo "" echo ""
echo "Starting the creation of a client host certificate." echo "Starting the creation of a client host certificate."
echo "" echo ""
cd "$easy_rsa_base_dir" cd "$easy_rsa_base_dir"
./easyrsa build-client-full "$host_arg" nopass ./easyrsa build-client-full "$host_arg" nopass
retval=$?
echo "" if [ $retval -eq 0 ] ; then
echo "Done." echo ""
echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt" echo "Done."
echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key" echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
echo "" echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
echo "Remember that the key of the host certificates do not passphrase protected" echo ""
echo "Remember that the key of the host certificates do not passphrase protected"
else
echo ""
echo "Something went wrong, the certificate creation failed"
echo ""
fi
exit 0 exit 0
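Review bot: The new "A certificate already exists" branch instructs the operator to renew by deleting the `.crt`/`.key`/`.req` files, but deleting files does not invalidate the previously issued certificate: the old certificate (and whatever copy of its key was deployed) stays valid until its notAfter unless it is revoked and a fresh CRL is published. The message should say so, e.g. add `echo "Note: deleting the files does not revoke the old certificate; run ./easyrsa revoke ${host_arg} and ./easyrsa gen-crl if it must stop being trusted."`. Separately, `_retval=` is declared at the top but the script assigns and tests `retval`, and the failure branch still ends in `exit 0`, so a caller cannot detect that `build-client-full` failed; `exit "$retval"` would fix that.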


@ -1,5 +1,7 @@
#!/bin/bash #!/bin/bash
_retval=
name_arg= name_arg=
email_arg= email_arg=
if [ $# -ne 2 ] ; then if [ $# -ne 2 ] ; then
@ -13,12 +15,24 @@ fi
easy_rsa_base_dir={{ easy_rsa_pki_basedir }} easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued" easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private" easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
easy_rsa_reqs_dir="${easy_rsa_base_dir}/pki/reqs"
easy_vars_file="${easy_rsa_base_dir}/vars" easy_vars_file="${easy_rsa_base_dir}/vars"
if [ -f "${easy_vars_file}.tmpl" ] ; then if [ -f "${easy_vars_file}.tmpl" ] ; then
echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding." echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
exit 1 exit 1
fi fi
if [ -f "${easy_rsa_issued_dir}/${name_arg}.crt" ] ; then
echo ""
echo "A certificate already exists"
echo "If you want to renew it, then remove the following files and run che command again:"
echo "${easy_rsa_issued_dir}/${name_arg}.crt"
echo "${easy_rsa_keys_dir}/${name_arg}.key"
echo "${easy_rsa_reqs_dir}/${name_arg}.req"
echo ""
exit 1
fi
echo "" echo ""
echo "Starting the creation of a client host certificate." echo "Starting the creation of a client host certificate."
echo "Remember that you need to supply a passphrase for the private key." echo "Remember that you need to supply a passphrase for the private key."
@ -32,10 +46,18 @@ sed -i -e "s/{{ easy_rsa_req_email }}/$email_arg/g" "$easy_vars_file"
./easyrsa build-client-full "$name_arg" ./easyrsa build-client-full "$name_arg"
mv -f "${easy_vars_file}.tmpl" "$easy_vars_file" mv -f "${easy_vars_file}.tmpl" "$easy_vars_file"
echo "" retval=$?
echo "Done."
echo "The certificate file is ${easy_rsa_issued_dir}/${name_arg}.crt" if [ $retval -eq 0 ] ; then
echo "The private key file is ${easy_rsa_keys_dir}/${name_arg}.key" echo ""
echo "" echo "Done."
echo "The certificate file is ${easy_rsa_issued_dir}/${name_arg}.crt"
echo "The private key file is ${easy_rsa_keys_dir}/${name_arg}.key"
echo ""
else
echo ""
echo "Something went wrong, the certificate creation failed"
echo ""
fi
exit 0 exit 0
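Review bot: `retval=$?` is placed after `mv -f "${easy_vars_file}.tmpl" "$easy_vars_file"`, so it captures the exit status of the `mv`, not of `./easyrsa build-client-full "$name_arg"`; a failed issuance is therefore reported as "Done." whenever restoring the vars file succeeds. Capture the status immediately after the easyrsa call and restore the template afterwards: `./easyrsa build-client-full "$name_arg"` / `retval=$?` / `mv -f "${easy_vars_file}.tmpl" "$easy_vars_file"`. As in the host-certificate scripts, the failure branch still ends in `exit 0` and the declared `_retval=` is never used; `exit "$retval"` would let automation notice the failure.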


@ -1,5 +1,7 @@
#!/bin/bash #!/bin/bash
_retval=
host_arg= host_arg=
if [ $# -ne 1 ] ; then if [ $# -ne 1 ] ; then
echo "You need to pass just one argument: the full hostname for wich the certificate is required" echo "You need to pass just one argument: the full hostname for wich the certificate is required"
@ -11,24 +13,43 @@ fi
easy_rsa_base_dir={{ easy_rsa_pki_basedir }} easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued" easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private" easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
easy_rsa_reqs_dir="${easy_rsa_base_dir}/pki/reqs"
easy_vars_file="${easy_rsa_base_dir}/vars" easy_vars_file="${easy_rsa_base_dir}/vars"
if [ -f "${easy_vars_file}.tmpl" ] ; then if [ -f "${easy_vars_file}.tmpl" ] ; then
echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding." echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
exit 1 exit 1
fi fi
if [ -f "${easy_rsa_issued_dir}/${host_arg}.crt" ] ; then
echo ""
echo "A certificate already exists"
echo "If you want to renew it, then remove the following files and run che command again:"
echo "${easy_rsa_issued_dir}/${host_arg}.crt"
echo "${easy_rsa_keys_dir}/${host_arg}.key"
echo "${easy_rsa_reqs_dir}/${host_arg}.req"
echo ""
exit 1
fi
echo "" echo ""
echo "Starting the creation of a server host certificate." echo "Starting the creation of a server host certificate."
echo "" echo ""
cd "$easy_rsa_base_dir" cd "$easy_rsa_base_dir"
./easyrsa build-server-full "$host_arg" nopass ./easyrsa build-server-full "$host_arg" nopass
retval=$?
echo "" if [ $retval -eq 0 ] ; then
echo "Done." echo ""
echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt" echo "Done."
echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key" echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
echo "" echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
echo "Remember that the key of the host certificates do not passphrase protected" echo ""
echo "Remember that the key of the host certificates do not passphrase protected"
else
echo ""
echo "Something went wrong, the certificate creation failed"
echo ""
fi
exit 0 exit 0
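Review bot: The new failure branch prints "Something went wrong, the certificate creation failed" but the script still finishes with `exit 0`, so a caller (or an Ansible task wrapping this helper) sees success either way; replace the final line with `exit "$retval"`. The `_retval=` added at the top is never referenced — the code assigns `retval` — so one of the two names should go. `cd "$easy_rsa_base_dir"` is also unchecked; if the directory is missing, `./easyrsa` runs from the caller's cwd, so `cd "$easy_rsa_base_dir" || exit 1` is safer.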


@ -21,4 +21,5 @@ easy_rsa_helper_scripts:
- 'renew-client-host-certificate' - 'renew-client-host-certificate'
- 'renew-server-host-certificate' - 'renew-server-host-certificate'
- 'renew-personal-certificate' - 'renew-personal-certificate'
- 'check-x509-certs-expiration-date'