library/roles/openldap-server: Support for ssl when letsencrypt is enabled using the letsencrypt-acme-tool role.

2016-04-15 20:33:23 +02:00 · 2016-04-15 20:33:23 +02:00 · bb862c8405
parent 37ff28468e
commit bb862c8405
9 changed files with 83 additions and 3 deletions
--- a/letsencrypt-acmetool-client/defaults/main.yml
+++ b/letsencrypt-acmetool-client/defaults/main.yml
@ -5,6 +5,7 @@ letsencrypt_acme_debian_repo: 'deb http://ppa.launchpad.net/hlandau/rhea/ubuntu
 letsencrypt_acme_debian_repo_key: '9862409EF124EC763B84972FF5AC9651EDB58DFA'
 letsencrypt_acme_user: acme
 letsencrypt_acme_user_home: /var/lib/acme
+letsencrypt_acme_log_dir: /var/log/acme

 letsencrypt_acme_command: acmetool
 letsencrypt_acme_command_opts: '--batch --xlog.syslog --xlog.severity=info'
--- a/letsencrypt-acmetool-client/templates/letsencrypt-default.j2
+++ b/letsencrypt-acmetool-client/templates/letsencrypt-default.j2
@ -1,3 +1,4 @@
 LE_EMAIL={{ letsencrypt_acme_email }}
 LE_SERVICES_SCRIPT_DIR={{ letsencrypt_acme_services_scripts_dir }}
 LE_CERTS_DIR={{ letsencrypt_acme_certs_dir }}
+LE_LOG_DIR={{ letsencrypt_acme_log_dir }}
--- a/openldap-server/defaults/main.yml
+++ b/openldap-server/defaults/main.yml
@ -22,6 +22,10 @@ openldap_db_dir: /var/lib/ldap
 #  - dyngroup.ldif

 openldap_cleaner_cron_job: False
+openldap_letsencrypt_managed: False
+
+openldap_letsencrypt_ldif:
+  - olcSSL.ldif

 # Set slapd_admin_pwd in a vault file
 slapd_debconf_params:
--- a/openldap-server/files/olcSSL.ldif
+++ b/openldap-server/files/olcSSL.ldif
@ -0,0 +1,13 @@
+dn: cn=config
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/pki/openldap/chain.pem
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/pki/openldap/privkey.pem
+-
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/pki/openldap/cert.pem
+-
+add: olcTLSCACertificatePath
+olcTLSCACertificatePath: /etc/ssl/certs
+
--- a/openldap-server/files/openldap-letsencrypt-acme.sh
+++ b/openldap-server/files/openldap-letsencrypt-acme.sh
@ -0,0 +1,32 @@
+#!/bin/bash
+
+LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
+LE_CERTS_DIR=/var/lib/acme/live/$HOSTNAME
+LE_LOG_DIR=/var/log/acme
+OPENLDAP_CERTDIR=/etc/pki/openldap
+DATE=$( date )
+
+[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
+echo "$DATE" >> $LE_LOG_DIR/openldap.log
+
+if [ -f /etc/default/letsencrypt ] ; then
+    . /etc/default/letsencrypt
+else
+    echo "No letsencrypt default file" >> $LE_LOG_DIR/openldap.log
+fi
+
+mkdir -p $OPENLDAP_CERTDIR
+chown openldap:openldap $OPENLDAP_CERTDIR
+chmod 500 $OPENLDAP_CERTDIR
+echo "Copying the new certificate files" >> $LE_LOG_DIR/openldap.log
+cp $LE_CERTS_DIR/cert $OPENLDAP_CERTDIR/cert.pem
+cp $LE_CERTS_DIR/chain $OPENLDAP_CERTDIR/chain.pem
+cp $LE_CERTS_DIR/privkey $OPENLDAP_CERTDIR/privkey.pem
+chown openldap $OPENLDAP_CERTDIR/privkey.pem
+chmod 400 $OPENLDAP_CERTDIR/privkey.pem
+
+echo "Restart the openldap service" >> $LE_LOG_DIR/openldap.log
+service slapd restart >/dev/null 2>&1
+echo "Done." >> $LE_LOG_DIR/openldap.log
+
+exit 0
--- a/openldap-server/handlers/main.yml
+++ b/openldap-server/handlers/main.yml
@ -0,0 +1,5 @@
+---
+- name: Restart openldap
+  service: name=slapd state=restarted
+  when: openldap_service_enabled
+
--- a/openldap-server/tasks/main.yml
+++ b/openldap-server/tasks/main.yml
@ -4,5 +4,8 @@
  when: openldap_service_enabled
 - include: openldap_maintenance.yml
  when: openldap_service_enabled
+- include: openldap-letsencrypt.yml
+  when: openldap_letsencrypt_managed
+
  
  
--- a/openldap-server/tasks/openldap-letsencrypt.yml
+++ b/openldap-server/tasks/openldap-letsencrypt.yml
@ -0,0 +1,22 @@
+---
+- name: Install a script that fix the letsencrypt certificates for openldap and then reload the service
+  copy: src=openldap-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4550
+  when:
+    - openldap_letsencrypt_managed
+    - letsencrypt_acme_install
+  tags: [ 'ldap_server', 'ldap', 'ldap_conf', 'letsencrypt' ]
+
+- name: Copy the SSL ldif on the ldap server
+  copy: src=olcSSL.ldif dest=/etc/ldap/olcSSL.ldif
+  when:
+    - openldap_letsencrypt_managed
+    - letsencrypt_acme_install
+  tags: [ 'ldap_server', 'ldap', 'ldap_conf', 'letsencrypt' ]
+
+- name: Enable the openldap ssl configuration
+  shell: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/olcSSL.ldif ; touch /etc/ldap/.olcSSL.ldif.installed
+  args:
+    creates: /etc/ldap/.olcSSL.ldif.installed
+  notify: Restart openldap 
+  tags: [ 'ldap_server', 'ldap', 'ldap_conf', 'letsencrypt' ]
+
--- a/openldap-server/tasks/openldap_initializazion.yml
+++ b/openldap-server/tasks/openldap_initializazion.yml
@ -29,11 +29,10 @@
  tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]

 - name: Install some additional schemas
-  shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/{{ item }}.installed
+  shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/.{{ item }}.installed
  args:
    creates: '/etc/ldap/schema/{{ item }}.installed'
-  with_items: '{{ openldap_additional_schemas }}'
-  when: openldap_additional_schemas is defined
+  with_items: '{{ openldap_additional_schemas | default([]) }}'
  tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]