Fix the renewal scripts

Andrea Dell'Amico 2023-01-27 13:13:14 +01:00
parent da047368bd
commit fef77c028b
Signed by: adellam
GPG Key ID: 147ABE6CEB9E20FF
7 changed files with 87 additions and 38 deletions


@ -23,10 +23,7 @@ fi
if [ -f "${easy_rsa_issued_dir}/${host_arg}.crt" ] ; then if [ -f "${easy_rsa_issued_dir}/${host_arg}.crt" ] ; then
echo "" echo ""
echo "A certificate already exists" echo "A certificate already exists"
echo "If you want to renew it, then remove the following files and run che command again:" echo "If you want to renew it, then use the command renew-client-host-certificate"
echo "${easy_rsa_issued_dir}/${host_arg}.crt"
echo "${easy_rsa_keys_dir}/${host_arg}.key"
echo "${easy_rsa_reqs_dir}/${host_arg}.req"
echo "" echo ""
exit 1 exit 1
fi fi


@ -25,10 +25,7 @@ fi
if [ -f "${easy_rsa_issued_dir}/${name_arg}.crt" ] ; then if [ -f "${easy_rsa_issued_dir}/${name_arg}.crt" ] ; then
echo "" echo ""
echo "A certificate already exists" echo "A certificate already exists"
echo "If you want to renew it, then remove the following files and run che command again:" echo "If you want to renew it, then use the command renew-personal-certificate"
echo "${easy_rsa_issued_dir}/${name_arg}.crt"
echo "${easy_rsa_keys_dir}/${name_arg}.key"
echo "${easy_rsa_reqs_dir}/${name_arg}.req"
echo "" echo ""
exit 1 exit 1
fi fi


@ -1,8 +1,10 @@
#!/bin/bash #!/bin/bash
_retval=
host_arg= host_arg=
if [ $# -ne 1 ] ; then if [ $# -ne 1 ] ; then
echo "You need to pass just one argument: the full hostname for wich the certificate is required" echo "You need to pass just one argument: the full hostname for wich the certificate renewal is required"
exit 1 exit 1
else else
host_arg="$1" host_arg="$1"
@ -11,24 +13,41 @@ fi
easy_rsa_base_dir={{ easy_rsa_pki_basedir }} easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued" easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private" easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
easy_rsa_reqs_dir="${easy_rsa_base_dir}/pki/reqs"
easy_vars_file="${easy_rsa_base_dir}/vars" easy_vars_file="${easy_rsa_base_dir}/vars"
if [ -f "${easy_vars_file}.tmpl" ] ; then if [ -f "${easy_vars_file}.tmpl" ] ; then
echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding." echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
exit 1 exit 1
fi fi
if [ -f "${easy_rsa_issued_dir}/${host_arg}.crt" ] ; then
rm -f "${easy_rsa_issued_dir}/${host_arg}.crt"
rm -f "${easy_rsa_keys_dir}/${host_arg}.key"
rm -f "${easy_rsa_reqs_dir}/${host_arg}.req"
else
echo "No previous certificate exists. This is not a renewal, aborting."
exit 1
fi
echo "" echo ""
echo "Starting the renewal of a client host certificate." echo "Starting the creation of the client host certificate."
echo "" echo ""
cd "$easy_rsa_base_dir" cd "$easy_rsa_base_dir"
./easyrsa renew "$host_arg" nopass ./easyrsa build-client-full "$host_arg" nopass
retval=$?
echo "" if [ $retval -eq 0 ] ; then
echo "Done." echo ""
echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt" echo "Done."
echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key" echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
echo "" echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
echo "Remember that the key of the host certificates do not passphrase protected" echo ""
echo "Remember that the key of the host certificates do not passphrase protected"
else
echo ""
echo "Something went wrong, the certificate creation failed"
echo ""
fi
exit 0 exit 0
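Review bot: The failure branch still falls through to the final `exit 0`, and by then the new `rm -f` block has already deleted the previous crt, key and req, so a failed `./easyrsa build-client-full` leaves the host with no certificate on the CA while the caller sees success. Ending the script with `exit "$retval"` instead of `exit 0` would surface the failure. Moving the old files aside and deleting them only after a successful build would keep a failed run recoverable. The variable initialised at the top is `_retval`, but the one assigned and tested is `retval`; pick one name. The same pattern appears in the personal and server-host renewal sections further down.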


@ -1,5 +1,7 @@
#!/bin/bash #!/bin/bash
_retval=
name_arg= name_arg=
email_arg= email_arg=
if [ $# -ne 2 ] ; then if [ $# -ne 2 ] ; then
@ -13,14 +15,24 @@ fi
easy_rsa_base_dir={{ easy_rsa_pki_basedir }} easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued" easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private" easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
easy_rsa_reqs_dir="${easy_rsa_base_dir}/pki/reqs"
easy_vars_file="${easy_rsa_base_dir}/vars" easy_vars_file="${easy_rsa_base_dir}/vars"
if [ -f "${easy_vars_file}.tmpl" ] ; then if [ -f "${easy_vars_file}.tmpl" ] ; then
echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding." echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
exit 1 exit 1
fi fi
if [ -f "${easy_rsa_issued_dir}/${name_arg}.crt" ] ; then
rm -f "${easy_rsa_issued_dir}/${name_arg}.crt"
rm -f "${easy_rsa_keys_dir}/${name_arg}.key"
rm -f "${easy_rsa_reqs_dir}/${name_arg}.req"
else
echo "No previous certificate exists. This is not a renewal, aborting."
exit 1
fi
echo "" echo ""
echo "Starting the renewal of a client host certificate." echo "Starting the creation of a client host certificate."
echo "Remember that you need to supply a passphrase for the private key." echo "Remember that you need to supply a passphrase for the private key."
echo "" echo ""
@ -29,13 +41,21 @@ sleep 5
cd "$easy_rsa_base_dir" cd "$easy_rsa_base_dir"
cp -f "$easy_vars_file" "${easy_vars_file}.tmpl" cp -f "$easy_vars_file" "${easy_vars_file}.tmpl"
sed -i -e "s/{{ easy_rsa_req_email }}/$email_arg/g" "$easy_vars_file" sed -i -e "s/{{ easy_rsa_req_email }}/$email_arg/g" "$easy_vars_file"
./easyrsa renew "$name_arg" ./easyrsa build-client-full "$name_arg"
mv -f "${easy_vars_file}.tmpl" "$easy_vars_file" mv -f "${easy_vars_file}.tmpl" "$easy_vars_file"
echo "" retval=$?
echo "Done."
echo "The certificate file is ${easy_rsa_issued_dir}/${name_arg}.crt" if [ $retval -eq 0 ] ; then
echo "The private key file is ${easy_rsa_keys_dir}/${name_arg}.key" echo ""
echo "" echo "Done."
echo "The certificate file is ${easy_rsa_issued_dir}/${name_arg}.crt"
echo "The private key file is ${easy_rsa_keys_dir}/${name_arg}.key"
echo ""
else
echo ""
echo "Something went wrong, the certificate creation failed"
echo ""
fi
exit 0 exit 0
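Review bot: `retval=$?` is read after `mv -f "${easy_vars_file}.tmpl" "$easy_vars_file"`, so it holds the status of restoring the vars file rather than that of `./easyrsa build-client-full "$name_arg"`, and a failed build is still reported as "Done.". Put `retval=$?` on the line directly after the easyrsa call, and keep the `mv` unconditional so the vars file is always restored. Finishing with `exit "$retval"` would then let callers see the real outcome. Parts of the script between the hunks are not visible here, so the placement should be checked against the full file.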


@ -1,5 +1,7 @@
#!/bin/bash #!/bin/bash
_retval=
host_arg= host_arg=
if [ $# -ne 1 ] ; then if [ $# -ne 1 ] ; then
echo "You need to pass just one argument: the full hostname for wich the certificate is required" echo "You need to pass just one argument: the full hostname for wich the certificate is required"
@ -11,24 +13,41 @@ fi
easy_rsa_base_dir={{ easy_rsa_pki_basedir }} easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued" easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private" easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
easy_rsa_reqs_dir="${easy_rsa_base_dir}/pki/reqs"
easy_vars_file="${easy_rsa_base_dir}/vars" easy_vars_file="${easy_rsa_base_dir}/vars"
if [ -f "${easy_vars_file}.tmpl" ] ; then if [ -f "${easy_vars_file}.tmpl" ] ; then
echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding." echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
exit 1 exit 1
fi fi
if [ -f "${easy_rsa_issued_dir}/${host_arg}.crt" ] ; then
rm -f "${easy_rsa_issued_dir}/${host_arg}.crt"
rm -f "${easy_rsa_keys_dir}/${host_arg}.key"
rm -f "${easy_rsa_reqs_dir}/${host_arg}.req"
else
echo "No previous certificate exists. This is not a renewal, aborting."
exit 1
fi
echo "" echo ""
echo "Starting the renewal of a server host certificate." echo "Starting the creation of a server host certificate."
echo "" echo ""
cd "$easy_rsa_base_dir" cd "$easy_rsa_base_dir"
./easyrsa renew "$host_arg" nopass ./easyrsa build-server-full "$host_arg" nopass
retval=$?
echo "" if [ $retval -eq 0 ] ; then
echo "Done." echo ""
echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt" echo "Done."
echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key" echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
echo "" echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
echo "Remember that the key of the host certificates do not passphrase protected" echo ""
echo "Remember that the key of the host certificates do not passphrase protected"
else
echo ""
echo "Something went wrong, the certificate creation failed"
echo ""
fi
exit 0 exit 0
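Review bot: Deleting `${host_arg}.crt`, `${host_arg}.key` and `${host_arg}.req` from the PKI directories does not revoke the previous certificate: the copy already deployed on the host stays valid until it expires, and `rm` does not update the CA database. If a renewal is meant to retire the old certificate, run `./easyrsa revoke "$host_arg"` and `./easyrsa gen-crl` before issuing the new one; either way, a comment above the `rm -f` block should state which behaviour is intended. Depending on the CA's `unique_subject` setting, the stale database entry may also cause the signing step to refuse a second certificate for the same CN, which is worth testing. The client-host and personal renewal sections use the same delete-then-build block.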


@ -55,7 +55,7 @@ emailAddress = optional
# Easy-RSA request handling # Easy-RSA request handling
# We key off $DN_MODE to determine how to format the DN # We key off $DN_MODE to determine how to format the DN
[ req ] [ req ]
default_bits = 3072 default_bits = 4096
default_keyfile = privkey.pem default_keyfile = privkey.pem
default_md = sha384 default_md = sha384
distinguished_name = cn_only distinguished_name = cn_only


@ -22,11 +22,8 @@ fi
if [ -f "${easy_rsa_issued_dir}/${host_arg}.crt" ] ; then if [ -f "${easy_rsa_issued_dir}/${host_arg}.crt" ] ; then
echo "" echo ""
echo "A certificate already exists" echo "A certificate already exists."
echo "If you want to renew it, then remove the following files and run che command again:" echo "If you want to renew it, then use the command renew-server-host-certificate"
echo "${easy_rsa_issued_dir}/${host_arg}.crt"
echo "${easy_rsa_keys_dir}/${host_arg}.key"
echo "${easy_rsa_reqs_dir}/${host_arg}.req"
echo "" echo ""
exit 1 exit 1
fi fi