From de0c4fd31469d526b3d306bbe8ecaa7b5cda62b3 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Wed, 10 Aug 2022 17:23:47 +0200
Subject: [PATCH] openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command
---
 CHANGELOG.md | 1 +
 openvpn/tasks/debian.yml | 46 ++++++++++++++++++++++++++++++++-------
 openvpn/tasks/openbsd.yml | 46 ++++++++++++++++++++++++++++++++-------
 3 files changed, 77 insertions(+), 16 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b367df0b..d5203bc7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Changed
 * evocheck: upstream release 22.07.1
+* openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command
 ### Fixed
diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml
index 4c2f6c5d..d6b03ac9 100644
--- a/openvpn/tasks/debian.yml
+++ b/openvpn/tasks/debian.yml
@@ -62,7 +62,9 @@ group: shellpki
 - name: Generate dhparam
- command: "openssl dhparam -out /etc/shellpki/dh2048.pem 2048"
+ openssl_dhparam:
+ path: /etc/shellpki/dh2048.pem
+ size: 2048
 - include_role:
 name: evolix/remount-usr
@@ -239,7 +241,7 @@ - include_role:
 name: evolix/remount-usr
-- name: Copy shellpki script
+- name: Copy script to check expirations
 copy:
 src: "shellpki/cert-expirations.sh"
 dest: "/usr/share/scripts/cert-expirations.sh"
@@ -253,15 +255,43 @@ special_time: monthly
 job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI VPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}'
-- name: Warn the user about command to execute manually
+- name: Generate the CA password
+ set_fact:
+ ca_pwd: "{{ lookup('password', '/dev/null length=25 chars=ascii_letters,digits') }}"
+ check_mode: no
+ changed_when: no
+
+- name: Initialization of the CA
+ shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki init --non-interactive {{ ansible_fqdn }}'
+
+- name: Creation of the server's certificate
+ shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}'
+
+- name: Get the server key
+ shell: 'ls -tr /etc/shellpki/private/ | tail -1'
+ register: ca_key
+ check_mode: no
+ changed_when: no
+
+- name: Configure the server key
+ replace:
+ path: /etc/openvpn/server.conf
+ regexp: 'key /etc/shellpki/private/TO_COMPLETE'
+ replace: 'key /etc/shellpki/private/{{ ca_key.stdout }}'
+
+- name: Restart OpenVPN
+ systemd:
+ name: "openvpn@server.service"
+ state: restarted
+
+- name: Warn the user about manual checks
 pause:
 prompt: |
 /!\ WARNING /!\
- You have to manually create the CA on the server with "shellpki init {{ ansible_fqdn }}". The command will ask you to create a password, and will ask you again to give the same one several times.
- You have to manually generate the CRL on the server with "openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf". The previously created password will be asked.
- You have to manually create the server's certificate with "shellpki create {{ ansible_fqdn }}".
- You have to adjust the config file "/etc/openvpn/server.conf" for the following parameters : local (to check), cert (to check), key (to add), server (to check), push (to complete if needed).
- Finally, you can (re)start the OpenVPN service with "systemctl restart openvpn@server.service".
+ You must check and adjust if necessary the configuration file "/etc/openvpn/server.conf", and then restart the OpenVPN service with "systemctl restart openvpn@server.service".
+ The "push" parameter may be needed to push a route to the client, so that the client can access that route through OpenVPN.
+
+ Take note of the generated CA password and store it in your password manager : {{ ca_pwd }}
 Press enter to exit when it's done.
diff --git a/openvpn/tasks/openbsd.yml b/openvpn/tasks/openbsd.yml
index d3238cea..f5d9e4ff 100644
--- a/openvpn/tasks/openbsd.yml
+++ b/openvpn/tasks/openbsd.yml
@@ -56,7 +56,9 @@ group: _shellpki
 - name: Generate dhparam
- command: "openssl dhparam -out /etc/shellpki/dh2048.pem 2048"
+ openssl_dhparam:
+ path: /etc/shellpki/dh2048.pem
+ size: 2048
 - name: Fix CRL rights in shellpki command
 lineinfile:
@@ -175,7 +177,7 @@ notify: restart nrpe
 when: nrpe_evolix_config.stat.exists
-- name: Copy shellpki script
+- name: Copy script to check expirations
 copy:
 src: "shellpki/cert-expirations.sh"
 dest: "/usr/share/scripts/cert-expirations.sh"
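Review bot: The new `Initialization of the CA` and `Creation of the server's certificate` tasks are unguarded `shell` calls, so every playbook run re-executes them with a freshly generated `ca_pwd` (the `lookup('password', '/dev/null ...')` fact is regenerated on each run) and will try to re-initialise the CA and issue another certificate; whether shellpki refuses on an existing CA is not visible here, and since the `replace` task only matches the `TO_COMPLETE` placeholder, `server.conf` would not follow a newer key picked up by `ls -tr /etc/shellpki/private/ | tail -1`. The password is also embedded in the command string `CA_PASSWORD="{{ ca_pwd }}" shellpki ...`, which Ansible echoes in task output and which sits in the argument list of the spawned shell on the host. Guard the init task with `creates:` on the CA certificate path the old prompt referenced, register it and make the create and restart tasks conditional with `when: ca_init is changed`, pass the password through the task `environment:` keyword, and mark those tasks `no_log: true` (the `pause` that prints the password stays as the author intended). The same applies to the openbsd.yml hunk `@@ -189,15 +191,43 @@`.
```yaml
- name: Initialization of the CA
  shell: 'shellpki init --non-interactive {{ ansible_fqdn }}'
  args:
    creates: /etc/shellpki/cacert.pem
  environment:
    CA_PASSWORD: "{{ ca_pwd }}"
  no_log: true
  register: ca_init

- name: Creation of the server's certificate
  shell: 'shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}'
  environment:
    CA_PASSWORD: "{{ ca_pwd }}"
  no_log: true
  when: ca_init is changed

# … unchanged: Get the server key, Configure the server key …

- name: Restart OpenVPN
  # … unchanged: systemd module arguments …
  when: ca_init is changed

# … unchanged: Warn the user about manual checks …
```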
@@ -189,15 +191,43 @@ special_time: monthly
 job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI VPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}'
-- name: Warn the user about command to execute manually
+- name: Generate the CA password
+ set_fact:
+ ca_pwd: "{{ lookup('password', '/dev/null length=25 chars=ascii_letters,digits') }}"
+ check_mode: no
+ changed_when: no
+
+- name: Initialization of the CA
+ shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki init --non-interactive {{ ansible_fqdn }}'
+
+- name: Creation of the server's certificate
+ shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}'
+
+- name: Get the server key
+ shell: 'ls -tr /etc/shellpki/private/ | tail -1'
+ register: ca_key
+ check_mode: no
+ changed_when: no
+
+- name: Configure the server key
+ replace:
+ path: /etc/openvpn/server.conf
+ regexp: 'key /etc/shellpki/private/TO_COMPLETE'
+ replace: 'key /etc/shellpki/private/{{ ca_key.stdout }}'
+
+- name: Restart OpenVPN
+ service:
+ name: openvpn
+ state: restarted
+
+- name: Warn the user about manual checks
 pause:
 prompt: |
 /!\ WARNING /!\
- You have to manually create the CA on the server with "shellpki init {{ ansible_fqdn }}". The command will ask you to create a password, and will ask you again to give the same one several times.
- You have to manually generate the CRL on the server with "openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf". The previously created password will be asked.
- You have to manually create the server's certificate with "shellpki create {{ ansible_fqdn }}".
- You have to adjust the config file "/etc/openvpn/server.conf" for the following parameters : local (to check), cert (to check), key (to add), server (to check), push (to complete if needed).
- Finally, you can (re)start the OpenVPN service with "rcctl restart openvpn".
+ You must check and adjust if necessary the configuration file "/etc/openvpn/server.conf", and then restart the OpenVPN service with "rcctl restart openvpn".
+ The "push" parameter may be needed to push a route to the client, so that the client can access that route through OpenVPN.
+
+ Take note of the generated CA password and store it in your password manager : {{ ca_pwd }}
 Press enter to exit when it's done.