openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command

This commit is contained in:
Jérémy Dubois 2022-08-10 17:23:47 +02:00
parent 78dcec8656
commit de0c4fd314
3 changed files with 77 additions and 16 deletions


@ -15,6 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Changed ### Changed
* evocheck: upstream release 22.07.1 * evocheck: upstream release 22.07.1
* openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command
### Fixed ### Fixed


@ -62,7 +62,9 @@
group: shellpki group: shellpki
- name: Generate dhparam - name: Generate dhparam
command: "openssl dhparam -out /etc/shellpki/dh2048.pem 2048" openssl_dhparam:
path: /etc/shellpki/dh2048.pem
size: 2048
- include_role: - include_role:
name: evolix/remount-usr name: evolix/remount-usr
@ -239,7 +241,7 @@
- include_role: - include_role:
name: evolix/remount-usr name: evolix/remount-usr
- name: Copy shellpki script - name: Copy script to check expirations
copy: copy:
src: "shellpki/cert-expirations.sh" src: "shellpki/cert-expirations.sh"
dest: "/usr/share/scripts/cert-expirations.sh" dest: "/usr/share/scripts/cert-expirations.sh"
@ -253,15 +255,43 @@
special_time: monthly special_time: monthly
job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI VPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}' job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI VPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}'
- name: Warn the user about command to execute manually - name: Generate the CA password
set_fact:
ca_pwd: "{{ lookup('password', '/dev/null length=25 chars=ascii_letters,digits') }}"
check_mode: no
changed_when: no
- name: Initialization of the CA
shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki init --non-interactive {{ ansible_fqdn }}'
- name: Creation of the server's certificate
shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}'
- name: Get the server key
shell: 'ls -tr /etc/shellpki/private/ | tail -1'
register: ca_key
check_mode: no
changed_when: no
- name: Configure the server key
replace:
path: /etc/openvpn/server.conf
regexp: 'key /etc/shellpki/private/TO_COMPLETE'
replace: 'key /etc/shellpki/private/{{ ca_key.stdout }}'
- name: Restart OpenVPN
systemd:
name: "openvpn@server.service"
state: restarted
- name: Warn the user about manual checks
pause: pause:
prompt: | prompt: |
/!\ WARNING /!\ /!\ WARNING /!\
You have to manually create the CA on the server with "shellpki init {{ ansible_fqdn }}". The command will ask you to create a password, and will ask you again to give the same one several times. You must check and adjust if necessary the configuration file "/etc/openvpn/server.conf", and then restart the OpenVPN service with "systemctl restart openvpn@server.service".
You have to manually generate the CRL on the server with "openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf". The previously created password will be asked. The "push" parameter may be needed to push a route to the client, so that the client can access that route through OpenVPN.
You have to manually create the server's certificate with "shellpki create {{ ansible_fqdn }}".
You have to adjust the config file "/etc/openvpn/server.conf" for the following parameters : local (to check), cert (to check), key (to add), server (to check), push (to complete if needed). Take note of the generated CA password and store it in your password manager : {{ ca_pwd }}
Finally, you can (re)start the OpenVPN service with "systemctl restart openvpn@server.service".
Press enter to exit when it's done. Press enter to exit when it's done.
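Review bot: The CA password is embedded in the command string of the two new `shell` tasks (`Initialization of the CA` and `Creation of the server's certificate`), so it is written into the task output and any log or callback plugin; it should be passed through the task's `environment:` parameter with `no_log: true` on those tasks, keeping the pause prompt as the single deliberate channel for the operator. The tasks are also unguarded: `ca_pwd` is regenerated on every run and `shellpki init` runs again on each run, so a second play would, as far as I can tell, try to reinitialise the CA or call `shellpki create` with a password that no longer matches — an `args: creates: /etc/shellpki/cacert.pem` guard on the init task (the CA certificate path the old prompt referenced; confirm that is where shellpki writes it) would stop the first, and a similar `creates:` guard on the create task once the server certificate path is known. The same applies to the OpenBSD task file later in this commit.
```yaml
- name: Initialization of the CA
  shell: 'shellpki init --non-interactive {{ ansible_fqdn }}'
  args:
    creates: /etc/shellpki/cacert.pem
  environment:
    CA_PASSWORD: "{{ ca_pwd }}"
  no_log: true
- name: Creation of the server's certificate
  shell: 'shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}'
  environment:
    CA_PASSWORD: "{{ ca_pwd }}"
  no_log: true
# … unchanged: Get the server key, Configure the server key, Restart OpenVPN, pause prompt …
```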


@ -56,7 +56,9 @@
group: _shellpki group: _shellpki
- name: Generate dhparam - name: Generate dhparam
command: "openssl dhparam -out /etc/shellpki/dh2048.pem 2048" openssl_dhparam:
path: /etc/shellpki/dh2048.pem
size: 2048
- name: Fix CRL rights in shellpki command - name: Fix CRL rights in shellpki command
lineinfile: lineinfile:
@ -175,7 +177,7 @@
notify: restart nrpe notify: restart nrpe
when: nrpe_evolix_config.stat.exists when: nrpe_evolix_config.stat.exists
- name: Copy shellpki script - name: Copy script to check expirations
copy: copy:
src: "shellpki/cert-expirations.sh" src: "shellpki/cert-expirations.sh"
dest: "/usr/share/scripts/cert-expirations.sh" dest: "/usr/share/scripts/cert-expirations.sh"
@ -189,15 +191,43 @@
special_time: monthly special_time: monthly
job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI VPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}' job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI VPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}'
- name: Warn the user about command to execute manually - name: Generate the CA password
set_fact:
ca_pwd: "{{ lookup('password', '/dev/null length=25 chars=ascii_letters,digits') }}"
check_mode: no
changed_when: no
- name: Initialization of the CA
shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki init --non-interactive {{ ansible_fqdn }}'
- name: Creation of the server's certificate
shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}'
- name: Get the server key
shell: 'ls -tr /etc/shellpki/private/ | tail -1'
register: ca_key
check_mode: no
changed_when: no
- name: Configure the server key
replace:
path: /etc/openvpn/server.conf
regexp: 'key /etc/shellpki/private/TO_COMPLETE'
replace: 'key /etc/shellpki/private/{{ ca_key.stdout }}'
- name: Restart OpenVPN
service:
name: openvpn
state: restarted
- name: Warn the user about manual checks
pause: pause:
prompt: | prompt: |
/!\ WARNING /!\ /!\ WARNING /!\
You have to manually create the CA on the server with "shellpki init {{ ansible_fqdn }}". The command will ask you to create a password, and will ask you again to give the same one several times. You must check and adjust if necessary the configuration file "/etc/openvpn/server.conf", and then restart the OpenVPN service with "rcctl restart openvpn".
You have to manually generate the CRL on the server with "openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf". The previously created password will be asked. The "push" parameter may be needed to push a route to the client, so that the client can access that route through OpenVPN.
You have to manually create the server's certificate with "shellpki create {{ ansible_fqdn }}".
You have to adjust the config file "/etc/openvpn/server.conf" for the following parameters : local (to check), cert (to check), key (to add), server (to check), push (to complete if needed). Take note of the generated CA password and store it in your password manager : {{ ca_pwd }}
Finally, you can (re)start the OpenVPN service with "rcctl restart openvpn".
Press enter to exit when it's done. Press enter to exit when it's done.
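Review bot: The server-key lookup at `shell: 'ls -tr /etc/shellpki/private/ | tail -1'` selects whichever file in the private directory was modified last, which is only the server key if nothing else has been written there since; if the CA key or a previously generated client key ends up in that directory the `replace` task would wire the wrong key into `/etc/openvpn/server.conf`, and an empty directory yields an empty string that silently produces `key /etc/shellpki/private/`. Prefer deriving the key file name from the certificate name passed to `shellpki create` if its naming is predictable, and at minimum register it as `server_key` rather than `ca_key` and add `failed_when: server_key.stdout == ""` so the play stops instead of writing an invalid path. The password-in-command-string and idempotency points raised on the Debian task file apply to this file as well.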