tpiccioli
/
ansible-roles
forked from ISTI-ansible-roles/ansible-roles
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

library/roles/orientdb: Add ssl support into the configuration file, and a letsencryt hook when letsencrypt is used.

This commit is contained in:
Andrea Dell'Amico 2017-02-22 13:33:53 +01:00
parent 1ed78d5d73
commit ee5faf1366
4 changed files with 69 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
orientdb/defaults/main.yml
View File

@ -20,7 +20,9 @@ orientdb_configuration_files:
- hazelcast.xml - hazelcast.xml
- automatic-backup.json - automatic-backup.json
orientdb_ssl_enabled: False
orientdb_letsencrypt_ssl_enabled: False orientdb_letsencrypt_ssl_enabled: False
orientdb_ssl_client_auth_enabled: False
orientdb_hooks_classes: orientdb_hooks_classes:
- { name: 'org.gcube.informationsystem.orientdb.hooks.HeaderHook', position: 'REGULAR' } - { name: 'org.gcube.informationsystem.orientdb.hooks.HeaderHook', position: 'REGULAR' }
@ -34,6 +36,8 @@ orientdb_hooks_classes:
orientdb_binary_protocol_lower_port: 2424 orientdb_binary_protocol_lower_port: 2424
orientdb_binary_protocol_higher_port: 2430 orientdb_binary_protocol_higher_port: 2430
orientdb_ssl_protocol_lower_port: 2434
orientdb_ssl_protocol_higher_port: 2440
orientdb_http_protocol_lower_port: 2480 orientdb_http_protocol_lower_port: 2480
orientdb_http_protocol_higher_port: 2490 orientdb_http_protocol_higher_port: 2490

12
orientdb/tasks/main.yml
View File

@ -66,6 +66,18 @@
tags: orientdb tags: orientdb
when: orientdb_install when: orientdb_install
- block:
- name: Create the acme hooks directory if it does not yet exist
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
- name: Install a letsencrypt hook to update the orientdb certificate
template: src=orientdb-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_services_scripts_dir }}/orientdb owner=root group=root mode=4555
tags: [ 'orientdb', 'letsencrypt' ]
when:
- orientdb_install
- orientdb_letsencrypt_ssl_enabled
- block: - block:
- name: Ensure that the service is disabled and stopped - name: Ensure that the service is disabled and stopped

33
orientdb/templates/orientdb-letsencrypt-acme.sh.j2 Normal file
View File

@ -0,0 +1,33 @@
#!/bin/bash
RETVAL=
# Add the CA certificate if it's not already present
keytool -list -keystore {{ java_keyring_file }} -storepass {{ java_keyring_pwd }} -noprompt | grep {{ java_keyring_letsencrypt_trusted_ca }}
RETVAL=$?
if [ $RETVAL -ne 0 ] ; then
keytool -trustcacerts -keystore {{ java_keyring_file }} -storepass {{ java_keyring_pwd }} -noprompt -importcert -alias {{ java_keyring_letsencrypt_trusted_ca }} -dname "CN={{ ansible_fqdn }}" -file {{ letsencrypt_acme_certs_dir }}/chain
fi
# Remove the old certificate
keytool -storepass {{ java_keyring_pwd }} -keystore {{ java_keyring_file }} -delete -alias {{ ansible_fqdn }}
# Check if the old certificate is still present. If so, we have a problem. Otherwise, import the new one
keytool -list -keystore {{ java_keyring_file }} -storepass {{ java_keyring_pwd }} -noprompt | grep {{ ansible_fqdn }}
RETVAL=$?
if [ $RETVAL -ne 0 ] ; then
openssl pkcs12 -export -in {{ letsencrypt_acme_certs_dir }}/cert -inkey {{ letsencrypt_acme_certs_dir }}/privkey -CAfile {{ letsencrypt_acme_certs_dir }}/chain -name "{{ ansible_fqdn }}" -out /var/tmp/{{ ansible_fqdn }}.p12 -password pass:{{ java_keyring_pwd }}
keytool -importkeystore -srcstorepass {{ java_keyring_pwd }} -deststorepass {{ java_keyring_pwd }} -destkeystore {{ java_keyring_file }} -srckeystore /var/tmp/{{ ansible_fqdn }}.p12 -srcstoretype PKCS12
rm -f /var/tmp/{{ ansible_fqdn }}.p12
else
logger "orientdb letsencrypt hook: the old certificate is still present inside the keystore, aborting."
exit 1
fi
chmod 440 {{ java_keyring_file }}
chgrp {{ orientdb_user }} {{ java_keyring_file }}
/etc/init.d/orientdb stop
/etc/init.d/orientdb start
logger "orientdb letsencrypt hook: the keystore has been updated with the renewed certificate."
exit 0

27
orientdb/templates/orientdb-server-config.xml.j2
View File

@ -38,20 +38,28 @@
<sockets> <sockets>
<socket implementation="com.orientechnologies.orient.server.network.OServerTLSSocketFactory" name="ssl"> <socket implementation="com.orientechnologies.orient.server.network.OServerTLSSocketFactory" name="ssl">
<parameters> <parameters>
{% if orientdb_ssl_client_auth_enabled %}
<parameter value="true" name="network.ssl.clientAuth"/>
{% else %}
<parameter value="false" name="network.ssl.clientAuth"/> <parameter value="false" name="network.ssl.clientAuth"/>
<parameter value="config/cert/orientdb.ks" name="network.ssl.keyStore"/> {% endif %}
<parameter value="password" name="network.ssl.keyStorePassword"/> <parameter value="{{ java_keyring_file }}" name="network.ssl.keyStore"/>
<parameter value="config/cert/orientdb.ks" name="network.ssl.trustStore"/> <parameter value="{{ java_keyring_pwd }}" name="network.ssl.keyStorePassword"/>
<parameter value="password" name="network.ssl.trustStorePassword"/> <parameter value="{{ java_keyring_file }}" name="network.ssl.trustStore"/>
<parameter value="{{ java_keyring_pwd }}" name="network.ssl.trustStorePassword"/>
</parameters> </parameters>
</socket> </socket>
<socket implementation="com.orientechnologies.orient.server.network.OServerTLSSocketFactory" name="https"> <socket implementation="com.orientechnologies.orient.server.network.OServerTLSSocketFactory" name="https">
<parameters> <parameters>
{% if orientdb_ssl_client_auth_enabled %}
<parameter value="true" name="network.ssl.clientAuth"/>
{% else %}
<parameter value="false" name="network.ssl.clientAuth"/> <parameter value="false" name="network.ssl.clientAuth"/>
<parameter value="config/cert/orientdb.ks" name="network.ssl.keyStore"/> {% endif %}
<parameter value="password" name="network.ssl.keyStorePassword"/> <parameter value="{{ java_keyring_file }}" name="network.ssl.keyStore"/>
<parameter value="config/cert/orientdb.ks" name="network.ssl.trustStore"/> <parameter value="{{ java_keyring_pwd }}" name="network.ssl.keyStorePassword"/>
<parameter value="password" name="network.ssl.trustStorePassword"/> <parameter value="{{ java_keyring_file }}" name="network.ssl.trustStore"/>
<parameter value="{{ java_keyring_pwd }}" name="network.ssl.trustStorePassword"/>
</parameters> </parameters>
</socket> </socket>
</sockets> </sockets>
@ -61,6 +69,9 @@
</protocols> </protocols>
<listeners> <listeners>
<listener protocol="binary" socket="default" port-range="{{ orientdb_binary_protocol_lower_port }}-{{ orientdb_binary_protocol_higher_port }}" ip-address="0.0.0.0"/> <listener protocol="binary" socket="default" port-range="{{ orientdb_binary_protocol_lower_port }}-{{ orientdb_binary_protocol_higher_port }}" ip-address="0.0.0.0"/>
{% if orientdb_ssl_enabled %}
<listener protocol="binary" socket="ssl" port-range="{{ orientdb_ssl_protocol_lower_port }}-{{ orientdb_ssl_protocol_higher_port }}" ip-address="0.0.0.0"/>
{% endif %}
<listener protocol="http" socket="default" port-range="{{ orientdb_http_protocol_lower_port }}-{{ orientdb_http_protocol_higher_port }}" ip-address="0.0.0.0"> <listener protocol="http" socket="default" port-range="{{ orientdb_http_protocol_lower_port }}-{{ orientdb_http_protocol_higher_port }}" ip-address="0.0.0.0">
<commands> <commands>
<command implementation="com.orientechnologies.orient.server.network.protocol.http.command.get.OServerCommandGetStaticContent" pattern="GET|www GET|studio/ GET| GET|*.htm GET|*.html GET|*.xml GET|*.jpeg GET|*.jpg GET|*.png GET|*.gif GET|*.js GET|*.css GET|*.swf GET|*.ico GET|*.txt GET|*.otf GET|*.pjs GET|*.svg GET|*.json GET|*.woff GET|*.woff2 GET|*.ttf GET|*.svgz" stateful="false"> <command implementation="com.orientechnologies.orient.server.network.protocol.http.command.get.OServerCommandGetStaticContent" pattern="GET|www GET|studio/ GET| GET|*.htm GET|*.html GET|*.xml GET|*.jpeg GET|*.jpg GET|*.png GET|*.gif GET|*.js GET|*.css GET|*.swf GET|*.ico GET|*.txt GET|*.otf GET|*.pjs GET|*.svg GET|*.json GET|*.woff GET|*.woff2 GET|*.ttf GET|*.svgz" stateful="false">