From b382db3b255fb9e06acd7887881e70b3ce776206 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 20 Apr 2016 15:21:19 +0200 Subject: [PATCH] d4science-infrastructure/group_vars/ldap_liferay/all.yml: Enable ssl with the use of letsencrypt certificates. library/roles/haproxy/files: Fix to the acme scripts, the certificate path has become /etc/pki/haproxy/haproxy.pem. library/roles/openldap-server/tasks/openldap_initializazion.yml: Fix the certificates initialization. library/roles/ubuntu-deb-general/tasks/pki-basics.yml: Create a self signed certificate while waiting the letsencrypt one. --- haproxy/defaults/main.yml | 6 +- haproxy/files/haproxy-letsencrypt-acme.sh | 2 +- haproxy/files/haproxy-letsencrypt.sh | 4 +- haproxy/tasks/haproxy-service.yml | 26 ++++++--- letsencrypt-acmetool-client/tasks/main.yml | 7 ++- .../templates/cert-requirements.j2 | 3 + openldap-server/defaults/main.yml | 1 + .../tasks/openldap-letsencrypt.yml | 5 +- .../tasks/openldap_initializazion.yml | 3 + openldap-server/templates/slapd-default.j2 | 49 +++++++++++++++++ ubuntu-deb-general/tasks/main.yml | 2 +- ubuntu-deb-general/tasks/pki-basics.yml | 55 +++++++++++++++++++ ubuntu-deb-general/tasks/pki-dir.yml | 10 ---- 13 files changed, 148 insertions(+), 25 deletions(-) create mode 100644 openldap-server/templates/slapd-default.j2 create mode 100644 ubuntu-deb-general/tasks/pki-basics.yml delete mode 100644 ubuntu-deb-general/tasks/pki-dir.yml diff --git a/haproxy/defaults/main.yml b/haproxy/defaults/main.yml index e1b04b3d..b7741d69 100644 --- a/haproxy/defaults/main.yml +++ b/haproxy/defaults/main.yml 
@@ -1,9 +1,9 @@ --- haproxy_latest_release: True haproxy_version: 1.6 -haproxy_latest_repo: "deb http://haproxy.debian.net {{ ansible_lsb.codename }}-backports-{{ haproxy_version }} main" -# For Ubuntu: -# haproxy_latest_repo: "ppa:vbernat/haproxy-1.5" +haproxy_repo_key: 'http://haproxy.debian.net/bernat.debian.org.gpg' +haproxy_debian_latest_repo: "deb http://haproxy.debian.net {{ ansible_lsb.codename }}-backports-{{ haproxy_version }} main" +haproxy_ubuntu_latest_repo: "ppa:vbernat/haproxy-{{ haproxy_version }}" haproxy_pkg_state: latest haproxy_enabled: True diff --git a/haproxy/files/haproxy-letsencrypt-acme.sh b/haproxy/files/haproxy-letsencrypt-acme.sh index 0dabd76f..17dbc17b 100644 --- a/haproxy/files/haproxy-letsencrypt-acme.sh +++ b/haproxy/files/haproxy-letsencrypt-acme.sh @@ -3,7 +3,7 @@ LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks LE_CERTS_DIR=/var/lib/acme/live/$HOSTNAME LE_LOG_DIR=/var/log/letsencrypt -HAPROXY_CERTDIR=/etc/pki/certs +HAPROXY_CERTDIR=/etc/pki/haproxy HAPROXY_CERTFILE=$HAPROXY_CERTDIR/haproxy.pem DATE=$( date ) diff --git a/haproxy/files/haproxy-letsencrypt.sh b/haproxy/files/haproxy-letsencrypt.sh index de6ee66a..a5404587 100644 --- a/haproxy/files/haproxy-letsencrypt.sh +++ b/haproxy/files/haproxy-letsencrypt.sh @@ -3,7 +3,7 @@ LE_SERVICES_SCRIPT_DIR=/usr/local/lib/letsencrypt LE_CERTS_DIR=/etc/letsencrypt/live/$HOSTNAME LE_LOG_DIR=/var/log/letsencrypt -HAPROXY_CERTDIR=/etc/pki/certs +HAPROXY_CERTDIR=/etc/pki/haproxy HAPROXY_CERTFILE=$HAPROXY_CERTDIR/haproxy.pem DATE=$( date ) echo "$DATE" >> $LE_LOG_DIR/haproxy.log @@ -14,6 +14,8 @@ else echo "No letsencrypt default file" >> $LE_LOG_DIR/haproxy.log fi +[ ! -d $HAPROXY_CERTDIR ] && mkdir $HAPROXY_CERTDIR + echo "Building the new certificate file" >> $LE_LOG_DIR/haproxy.log cat ${LE_CERTS_DIR}/{fullchain.pem,privkey.pem} > ${HAPROXY_CERTFILE} chmod 440 ${HAPROXY_CERTFILE} diff --git a/haproxy/tasks/haproxy-service.yml b/haproxy/tasks/haproxy-service.yml index 51087dab..773e2341 100644 
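Review bot: `haproxy_repo_key: 'http://haproxy.debian.net/bernat.debian.org.gpg'` fetches the repository signing key over plain HTTP, and the `apt_key: url={{ haproxy_repo_key }} state=present` task in haproxy/tasks/haproxy-service.yml (the next file in this patch) imports it without an `id=`, so anyone able to tamper with that HTTP response can plant a key that apt will then trust for every haproxy package this role installs. Pin the expected fingerprint in the task, `apt_key: url={{ haproxy_repo_key }} id=<KEY_FINGERPRINT> state=present` (placeholder for the real fingerprint), and prefer an https URL in this default if the mirror serves one. Also quote `haproxy_version: 1.6` as `'1.6'`: it is a plain float here, and a future `1.10` would become `1.1` inside both repo strings.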
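Review bot: `HAPROXY_CERTDIR=/etc/pki/haproxy` now points at a directory this script never creates, whereas the sibling haproxy-letsencrypt.sh hunk in this commit adds a mkdir guard; presumably the later write to `$HAPROXY_CERTFILE` (outside this hunk) fails on a host where the haproxy task of pki-basics.yml has not run first. Add the same guard here, with a restrictive mode since the file will hold the private key: `[ -d "$HAPROXY_CERTDIR" ] || mkdir -m 0750 "$HAPROXY_CERTDIR"`. The rest of the script is outside the hunk, so I cannot confirm whether it already sets a umask.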
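Review bot: `[ ! -d $HAPROXY_CERTDIR ] && mkdir $HAPROXY_CERTDIR` creates the directory with the process umask, and the following `cat … > ${HAPROXY_CERTFILE}` (context lines of this hunk) creates the combined chain+private-key file with the umask before `chmod 440` tightens it, so under the usual 022 umask the key is world-readable for a moment and the directory stays 0755. Tighten both at creation instead: `umask 077` near the top of the script, or `[ -d "$HAPROXY_CERTDIR" ] || mkdir -m 0750 "$HAPROXY_CERTDIR"` followed by `install -m 0440 /dev/null "${HAPROXY_CERTFILE}"` before the cat. Quoting `$HAPROXY_CERTDIR` in the test also avoids word-splitting should the path ever change.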
--- a/haproxy/tasks/haproxy-service.yml +++ b/haproxy/tasks/haproxy-service.yml @@ -1,19 +1,27 @@ --- - name: Get the haproxy repo key - apt_key: url=http://haproxy.debian.net/bernat.debian.org.gpg state=present + apt_key: url={{ haproxy_repo_key }} state=present when: haproxy_latest_release - register: haproxy_repo tags: haproxy - name: Define the haproxy repository - apt_repository: repo='{{ haproxy_latest_repo }}' state=present update_cache=yes - when: haproxy_latest_release - register: haproxy_repo + apt_repository: repo='{{ haproxy_ubuntu_latest_repo }}' state=present update_cache=yes + when: + - haproxy_latest_release + - is_ubuntu + tags: haproxy + +- name: Define the haproxy repository + apt_repository: repo='{{ haproxy_debian_latest_repo }}' state=present update_cache=yes + when: + - haproxy_latest_release + - is_debian tags: haproxy - name: Install the haproxy package apt: name=haproxy state=present default_release={{ ansible_lsb.codename }}-backports when: not haproxy_latest_release + register: install_haproxy tags: haproxy - name: Install the haproxy package @@ -21,6 +29,7 @@ when: - haproxy_latest_release - is_debian + register: install_haproxy tags: haproxy - name: Install the haproxy package @@ -28,17 +37,20 @@ when: - haproxy_latest_release - is_ubuntu + register: install_haproxy tags: haproxy - name: Ensure that haproxy is enabled and started - service: name=haproxy state=restarted enabled=yes + service: name=haproxy state=started enabled=yes when: haproxy_enabled ignore_errors: True tags: haproxy - name: Haproxy puts a new rsyslog directive. Restart rsyslog to activate it. Reload is not sufficient service: name=rsyslog state=restarted - when: haproxy_enabled + when: + - haproxy_enabled + - ( install_haproxy | changed ) tags: haproxy - name: Ensure that haproxy is stopped and disabled if needed diff --git a/letsencrypt-acmetool-client/tasks/main.yml b/letsencrypt-acmetool-client/tasks/main.yml index a130ffb4..3eb0a2c8 100644 
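Review bot: `register: install_haproxy` is added to three mutually exclusive install tasks, but Ansible registers a variable even when a task is skipped, so the last of the three (the Ubuntu one) always defines `install_haproxy`; on a Debian host it records a skipped result and the new rsyslog condition `( install_haproxy | changed )` can never be true, so rsyslog is never restarted there. Register distinct names, e.g. `register: install_haproxy_debian` / `register: install_haproxy_ubuntu` / `register: install_haproxy_stable`, and test each with `| changed` in the rsyslog task, or collapse the three installs into one task with a conditional `default_release`. The `ignore_errors: True` on the "enabled and started" task (context here) also hides a failed start, which is exactly the case the operator wants to see when the new TLS setup breaks the config.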
--- a/letsencrypt-acmetool-client/tasks/main.yml +++ b/letsencrypt-acmetool-client/tasks/main.yml @@ -23,7 +23,12 @@ tags: letsencrypt - name: Create the letsencrytp acme user - user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=yes shell=/bin/bash + user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=no shell=/bin/bash + when: letsencrypt_acme_install + tags: letsencrypt + +- name: Create the letsencrytp acme home, if it does not exist already. In a separate step because it could be already there. + file: dest={{ letsencrypt_acme_user_home }} owner={{ letsencrypt_acme_user }} group={{ letsencrypt_acme_user }} state=directory recurse=yes when: letsencrypt_acme_install tags: letsencrypt diff --git a/letsencrypt-acmetool-client/templates/cert-requirements.j2 b/letsencrypt-acmetool-client/templates/cert-requirements.j2 index 3333ea41..61a88528 100644 --- a/letsencrypt-acmetool-client/templates/cert-requirements.j2 +++ b/letsencrypt-acmetool-client/templates/cert-requirements.j2 @@ -11,7 +11,10 @@ request: key: type: {{ letsencrypt_acme_key_type }} +{% if letsencrypt_acme_key_type == 'rsa' %} rsa-size: {{ letsencrypt_acme_rsa_key_size }} +{% else %} ecdsa-curve: {{ letsencrypt_acme_ecdsa_curve }} +{% endif %} diff --git a/openldap-server/defaults/main.yml b/openldap-server/defaults/main.yml index 2f5a2fd3..209176c4 100644 --- a/openldap-server/defaults/main.yml +++ b/openldap-server/defaults/main.yml @@ -8,6 +8,7 @@ openldap_pkg_list: - ldapscripts - db-util +openldap_slapd_services: 'ldap:/// ldapi:///' openldap_slapd_tcp_port: 389 openldap_slapd_ssl_port: 636 openldap_slapd_ssl_only: False diff --git a/openldap-server/tasks/openldap-letsencrypt.yml b/openldap-server/tasks/openldap-letsencrypt.yml index c224bbcd..9ba215ae 100644 --- a/openldap-server/tasks/openldap-letsencrypt.yml +++ b/openldap-server/tasks/openldap-letsencrypt.yml 
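Review bot: The new home-directory task sets `owner`/`group` with `recurse=yes`, which rewrites ownership of everything already under `{{ letsencrypt_acme_user_home }}` — including the `keys/` and `certs/` trees that pki-basics.yml creates as root in this same commit — and sets no `mode`, so a freshly created home gets the default 0755. If the recursive chown of the fake-certificate tree is intended, say so in the task name; otherwise drop `recurse=yes`. Either way add `mode=0750` so private key material does not sit in a world-traversable tree, unless some other service reads from that path directly (not visible here).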
@@ -1,6 +1,6 @@ --- - name: Install a script that fix the letsencrypt certificates for openldap and then reload the service - copy: src=openldap-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4550 + copy: src=openldap-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/openldap owner=root group=root mode=4555 when: - openldap_letsencrypt_managed - letsencrypt_acme_install @@ -18,5 +18,8 @@ args: creates: /etc/ldap/.olcSSL.ldif.installed notify: Restart openldap + when: + - openldap_letsencrypt_managed + - letsencrypt_acme_install tags: [ 'ldap_server', 'ldap', 'ldap_conf', 'letsencrypt' ] diff --git a/openldap-server/tasks/openldap_initializazion.yml b/openldap-server/tasks/openldap_initializazion.yml index 99f3180a..fe07686c 100644 --- a/openldap-server/tasks/openldap_initializazion.yml +++ b/openldap-server/tasks/openldap_initializazion.yml @@ -35,4 +35,7 @@ with_items: '{{ openldap_additional_schemas | default([]) }}' tags: [ 'ldap_server', 'ldap', 'ldap_conf' ] +- name: Install the default environment for slapd + template: src=slapd-default.j2 dest=/etc/default/slapd owner=root group=root mode=0644 + tags: [ 'ldap_server', 'ldap', 'ldap_conf' ] diff --git a/openldap-server/templates/slapd-default.j2 b/openldap-server/templates/slapd-default.j2 new file mode 100644 index 00000000..3d52bf8a --- /dev/null +++ b/openldap-server/templates/slapd-default.j2 
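Review bot: `mode=4555` sets the setuid bit on a root-owned hook script and makes it world-readable and world-executable; Linux ignores setuid on interpreted scripts, so the bit buys nothing, and on any system that honoured it a root-setuid shell script would be a privilege-escalation hazard. Use `mode=0755` (or `0750` if only root invokes the hooks). The dest rename from `/haproxy` to `/openldap` is the real fix in this hunk and looks right.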
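Review bot: The new "Install the default environment for slapd" template task writes /etc/default/slapd, which carries SLAPD_SERVICES and so decides whether `ldaps:///` is bound, but it has no `notify`, so a change to that file never restarts slapd and the TLS listener only appears after an unrelated restart. Add `notify: Restart openldap`, the handler the ldapmodify task in openldap-letsencrypt.yml already uses.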
@@ -0,0 +1,49 @@
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF=
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+{% if openldap_letsencrypt_managed %}
+SLAPD_SERVICES="ldaps:/// {{ openldap_slapd_services }}"
+{% else %}
+SLAPD_SERVICES="{{ openldap_slapd_services }}"
+{% endif %}
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work). Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work). Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab). To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
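Review bot: The `{% if openldap_letsencrypt_managed %}` branch always prepends `ldaps:///` to `{{ openldap_slapd_services }}`, whose default `'ldap:/// ldapi:///'` (openldap-server/defaults/main.yml hunk) keeps plaintext LDAP bound on all interfaces, and the role's `openldap_slapd_ssl_only` variable, visible as context in that same defaults hunk, is never consulted here, so it cannot switch the plain listener off. Honour it in the template — e.g. `{% if openldap_slapd_ssl_only %}SLAPD_SERVICES="ldaps:/// ldapi:///"{% else %}` before the existing branch — or note in the defaults file that the variable has no effect on SLAPD_SERVICES. `openldap_slapd_ssl_port` and `openldap_slapd_tcp_port` are likewise unused by this template, which relies on the compiled-in default ports.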
diff --git a/ubuntu-deb-general/tasks/main.yml b/ubuntu-deb-general/tasks/main.yml index e09a43fa..4a14ea9c 100644 --- a/ubuntu-deb-general/tasks/main.yml +++ b/ubuntu-deb-general/tasks/main.yml @@ -22,7 +22,7 @@ - include: unattended-upgrades.yml - include: install_external_ca_cert.yml - include: manage_su_limits.yml -- include: pki-dir.yml +- include: pki-basics.yml - include: disable-unneeded-services.yml diff --git a/ubuntu-deb-general/tasks/pki-basics.yml b/ubuntu-deb-general/tasks/pki-basics.yml new file mode 100644 index 00000000..913d0f31 --- /dev/null +++ b/ubuntu-deb-general/tasks/pki-basics.yml 
@@ -0,0 +1,55 @@ +--- +- name: Ensure that the PKI directory exists + file: path={{ pki_dir }} state=directory owner=root group=root mode=0755 + tags: [ 'pki', 'ssl', 'letsencrypt' ] + +- name: Ensure that the PKI subdirectories exist + file: path={{ pki_dir }}/{{ item }} state=directory owner=root group=root mode=0755 + with_items: '{{ pki_subdirs }}' + tags: [ 'pki', 'ssl', 'letsencrypt' ] + +- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the physical paths + file: path={{ item }} mode=0755 state=directory + with_items: + - '{{ letsencrypt_acme_user_home }}/live' + - '{{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert' + - '{{ letsencrypt_acme_user_home }}/keys/fakeselfsignedcert' + when: letsencrypt_acme_install is defined and letsencrypt_acme_install + tags: [ 'pki', 'ssl', 'letsencrypt' ] + +- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the certificate and private key + command: openssl req -x509 -newkey rsa:2048 -keyout {{ letsencrypt_acme_user_home }}/keys/fakeselfsignedcert/privkey -out {{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/cert -days 10 -nodes -subj '/CN=self signed certificate' + args: + creates: '{{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/cert' + when: letsencrypt_acme_install is defined and letsencrypt_acme_install + tags: [ 'pki', 'ssl', 'letsencrypt' ] + +- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. 
Now the symbolic links for the private key + file: src={{ letsencrypt_acme_user_home }}/keys/fakeselfsignedcert/privkey dest={{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/privkey state=link + when: letsencrypt_acme_install is defined and letsencrypt_acme_install + tags: [ 'pki', 'ssl', 'letsencrypt' ] + +- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the symbolic links for the chain file + file: src={{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/cert dest={{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/chain state=link + when: letsencrypt_acme_install is defined and letsencrypt_acme_install + tags: [ 'pki', 'ssl', 'letsencrypt' ] + +- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Check if a certificate already exists + stat: path={{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }} + register: true_cert + tags: [ 'pki', 'ssl', 'letsencrypt' ] + +- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the symbolic links for the certificate if there is not one + file: src={{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert dest={{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }} state=link + when: true_cert.stat.islnk is defined and true_cert.stat.islnk == False + tags: [ 'pki', 'ssl', 'letsencrypt' ] + +- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. 
Now handle the haproxy special case + command: mkdir {{ pki_dir }}/haproxy ; cat {{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }}/privkey {{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem + args: + creates: '{{ pki_dir }}/haproxy/haproxy.pem' + when: + - letsencrypt_acme_install is defined and letsencrypt_acme_install + - haproxy_enabled is defined and haproxy_enabled + tags: [ 'pki', 'ssl', 'letsencrypt' ] + diff --git a/ubuntu-deb-general/tasks/pki-dir.yml b/ubuntu-deb-general/tasks/pki-dir.yml deleted file mode 100644 index 3c9d2432..00000000 --- a/ubuntu-deb-general/tasks/pki-dir.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- name: Ensure that the PKI directory exists - file: path={{ pki_dir }} state=directory owner=root group=root mode=0755 - tags: [ 'pki', 'ssl' ] - -- name: Ensure that the PKI subdirectories exist - file: path={{ pki_dir }}/{{ item }} state=directory owner=root group=root mode=0755 - with_items: '{{ pki_subdirs }}' - tags: [ 'pki', 'ssl' ] -
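Review bot: The "haproxy special case" task will not work as written: the `command` module does not run a shell, so `;` and `>` are passed to mkdir as literal arguments, `haproxy.pem` is never written, `creates:` never matches, and the task re-runs on every play. Change `command:` to `shell:` and prefix the command with `umask 077;` so the combined private-key+cert file is not created world-readable (the haproxy hook scripts in this commit chmod theirs to 440; this task sets no mode at all). Separately, `when: true_cert.stat.islnk is defined and true_cert.stat.islnk == False` is false whenever `live/{{ ansible_fqdn }}` does not exist, because `stat` only reports `islnk` for an existing path, so on a fresh host — the case this file targets — the link to the fake certificate is never created; `when: not true_cert.stat.exists` expresses the intent. Finally, `keys/fakeselfsignedcert` is created with `mode=0755` and the private key written by openssl inherits the umask; use `mode=0700` for the `keys/` entries and follow the openssl task with `file: path={{ letsencrypt_acme_user_home }}/keys/fakeselfsignedcert/privkey mode=0600`.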