library/roles/orientdb: Add ssl support into the configuration file, and a letsencryt hook when letsencrypt is used.

2017-02-22 13:33:53 +01:00 · 2017-02-22 13:33:53 +01:00 · ee5faf1366
parent 1ed78d5d73
commit ee5faf1366
4 changed files with 69 additions and 9 deletions
--- a/orientdb/defaults/main.yml
+++ b/orientdb/defaults/main.yml
@ -20,7 +20,9 @@ orientdb_configuration_files:
  - hazelcast.xml
  - automatic-backup.json

-orientdb_letsencrypt_ssl_enabled: False
+orientdb_ssl_enabled: False
+orientdb_letsencrypt_ssl_enabled: False  
+orientdb_ssl_client_auth_enabled: False

 orientdb_hooks_classes:
  - { name: 'org.gcube.informationsystem.orientdb.hooks.HeaderHook', position: 'REGULAR' }
@ -34,6 +36,8 @@ orientdb_hooks_classes:

 orientdb_binary_protocol_lower_port: 2424
 orientdb_binary_protocol_higher_port: 2430
+orientdb_ssl_protocol_lower_port: 2434
+orientdb_ssl_protocol_higher_port: 2440
 orientdb_http_protocol_lower_port: 2480
 orientdb_http_protocol_higher_port: 2490

--- a/orientdb/tasks/main.yml
+++ b/orientdb/tasks/main.yml
@ -66,6 +66,18 @@
  tags: orientdb
  when: orientdb_install

+- block:
+    - name: Create the acme hooks directory if it does not yet exist
+      file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
+
+    - name: Install a letsencrypt hook to update the orientdb certificate
+      template: src=orientdb-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_services_scripts_dir }}/orientdb owner=root group=root mode=4555
+
+  tags: [ 'orientdb', 'letsencrypt' ]
+  when:
+    - orientdb_install
+    - orientdb_letsencrypt_ssl_enabled
+

 - block:
    - name: Ensure that the service is disabled and stopped
--- a/orientdb/templates/orientdb-letsencrypt-acme.sh.j2
+++ b/orientdb/templates/orientdb-letsencrypt-acme.sh.j2
@ -0,0 +1,33 @@
+#!/bin/bash
+
+RETVAL=
+
+# Add the CA certificate if it's not already present
+keytool -list -keystore {{ java_keyring_file }} -storepass {{ java_keyring_pwd }} -noprompt | grep {{ java_keyring_letsencrypt_trusted_ca }}
+RETVAL=$?
+
+if [ $RETVAL -ne 0 ] ; then
+    keytool -trustcacerts -keystore {{ java_keyring_file }} -storepass {{ java_keyring_pwd }} -noprompt -importcert -alias {{ java_keyring_letsencrypt_trusted_ca }} -dname "CN={{ ansible_fqdn }}" -file {{ letsencrypt_acme_certs_dir }}/chain
+fi
+# Remove the old certificate
+keytool -storepass {{ java_keyring_pwd }} -keystore {{ java_keyring_file }} -delete -alias {{ ansible_fqdn }}
+
+# Check if the old certificate is still present. If so, we have a problem. Otherwise, import the new one
+keytool -list -keystore {{ java_keyring_file }} -storepass {{ java_keyring_pwd }} -noprompt | grep {{ ansible_fqdn }}
+RETVAL=$?
+if [ $RETVAL -ne 0 ] ; then
+    openssl pkcs12 -export -in {{ letsencrypt_acme_certs_dir }}/cert -inkey {{ letsencrypt_acme_certs_dir }}/privkey -CAfile {{ letsencrypt_acme_certs_dir }}/chain -name "{{ ansible_fqdn }}" -out /var/tmp/{{ ansible_fqdn }}.p12 -password pass:{{ java_keyring_pwd }}
+    keytool -importkeystore -srcstorepass {{ java_keyring_pwd }} -deststorepass {{ java_keyring_pwd }} -destkeystore {{ java_keyring_file }} -srckeystore /var/tmp/{{ ansible_fqdn }}.p12 -srcstoretype PKCS12
+    rm -f /var/tmp/{{ ansible_fqdn }}.p12
+else
+    logger "orientdb letsencrypt hook: the old certificate is still present inside the keystore, aborting."
+    exit 1
+fi
+
+chmod 440 {{ java_keyring_file }}
+chgrp {{ orientdb_user }} {{ java_keyring_file }}
+/etc/init.d/orientdb stop
+/etc/init.d/orientdb start
+logger "orientdb letsencrypt hook: the keystore has been updated with the renewed certificate."
+
+exit 0
--- a/orientdb/templates/orientdb-server-config.xml.j2
+++ b/orientdb/templates/orientdb-server-config.xml.j2
@ -38,20 +38,28 @@
        <sockets>
            <socket implementation="com.orientechnologies.orient.server.network.OServerTLSSocketFactory" name="ssl">
                <parameters>
+{% if orientdb_ssl_client_auth_enabled %}
+                    <parameter value="true" name="network.ssl.clientAuth"/>
+{% else %}
                    <parameter value="false" name="network.ssl.clientAuth"/>
-                    <parameter value="config/cert/orientdb.ks" name="network.ssl.keyStore"/>
-                    <parameter value="password" name="network.ssl.keyStorePassword"/>
-                    <parameter value="config/cert/orientdb.ks" name="network.ssl.trustStore"/>
-                    <parameter value="password" name="network.ssl.trustStorePassword"/>
+{% endif %}
+                    <parameter value="{{ java_keyring_file }}" name="network.ssl.keyStore"/>
+                    <parameter value="{{ java_keyring_pwd }}" name="network.ssl.keyStorePassword"/>
+                    <parameter value="{{ java_keyring_file }}" name="network.ssl.trustStore"/>
+                    <parameter value="{{ java_keyring_pwd }}" name="network.ssl.trustStorePassword"/>
                </parameters>
            </socket>
            <socket implementation="com.orientechnologies.orient.server.network.OServerTLSSocketFactory" name="https">
                <parameters>
+{% if orientdb_ssl_client_auth_enabled %}
+                    <parameter value="true" name="network.ssl.clientAuth"/>
+{% else %}
                    <parameter value="false" name="network.ssl.clientAuth"/>
-                    <parameter value="config/cert/orientdb.ks" name="network.ssl.keyStore"/>
-                    <parameter value="password" name="network.ssl.keyStorePassword"/>
-                    <parameter value="config/cert/orientdb.ks" name="network.ssl.trustStore"/>
-                    <parameter value="password" name="network.ssl.trustStorePassword"/>
+{% endif %}
+                    <parameter value="{{ java_keyring_file }}" name="network.ssl.keyStore"/>
+                    <parameter value="{{ java_keyring_pwd }}" name="network.ssl.keyStorePassword"/>
+                    <parameter value="{{ java_keyring_file }}" name="network.ssl.trustStore"/>
+                    <parameter value="{{ java_keyring_pwd }}" name="network.ssl.trustStorePassword"/>
                </parameters>
            </socket>
        </sockets>
@ -61,6 +69,9 @@
        </protocols>
        <listeners>
            <listener protocol="binary" socket="default" port-range="{{ orientdb_binary_protocol_lower_port }}-{{ orientdb_binary_protocol_higher_port }}" ip-address="0.0.0.0"/>
+{% if orientdb_ssl_enabled %}
+            <listener protocol="binary" socket="ssl" port-range="{{ orientdb_ssl_protocol_lower_port }}-{{ orientdb_ssl_protocol_higher_port }}" ip-address="0.0.0.0"/>
+{% endif %}
            <listener protocol="http" socket="default" port-range="{{ orientdb_http_protocol_lower_port }}-{{ orientdb_http_protocol_higher_port }}" ip-address="0.0.0.0">
                <commands>
                    <command implementation="com.orientechnologies.orient.server.network.protocol.http.command.get.OServerCommandGetStaticContent" pattern="GET|www GET|studio/ GET| GET|*.htm GET|*.html GET|*.xml GET|*.jpeg GET|*.jpg GET|*.png GET|*.gif GET|*.js GET|*.css GET|*.swf GET|*.ico GET|*.txt GET|*.otf GET|*.pjs GET|*.svg GET|*.json GET|*.woff GET|*.woff2 GET|*.ttf GET|*.svgz" stateful="false">