openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command

Jérémy Dubois 2022-08-10 17:23:47 +02:00
parent 78dcec8656
commit de0c4fd314
3 changed files with 77 additions and 16 deletions


@ -15,6 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Changed
* evocheck: upstream release 22.07.1
* openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command
### Fixed


@ -62,7 +62,9 @@
group: shellpki
- name: Generate dhparam
command: "openssl dhparam -out /etc/shellpki/dh2048.pem 2048"
openssl_dhparam:
path: /etc/shellpki/dh2048.pem
size: 2048
- include_role:
name: evolix/remount-usr
@ -239,7 +241,7 @@
- include_role:
name: evolix/remount-usr
- name: Copy shellpki script
- name: Copy script to check expirations
copy:
src: "shellpki/cert-expirations.sh"
dest: "/usr/share/scripts/cert-expirations.sh"
@ -253,15 +255,43 @@
special_time: monthly
job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI VPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}'
- name: Warn the user about command to execute manually
- name: Generate the CA password
set_fact:
ca_pwd: "{{ lookup('password', '/dev/null length=25 chars=ascii_letters,digits') }}"
check_mode: no
changed_when: no
- name: Initialization of the CA
shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki init --non-interactive {{ ansible_fqdn }}'
- name: Creation of the server's certificate
shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}'
- name: Get the server key
shell: 'ls -tr /etc/shellpki/private/ | tail -1'
register: ca_key
check_mode: no
changed_when: no
- name: Configure the server key
replace:
path: /etc/openvpn/server.conf
regexp: 'key /etc/shellpki/private/TO_COMPLETE'
replace: 'key /etc/shellpki/private/{{ ca_key.stdout }}'
- name: Restart OpenVPN
systemd:
name: "openvpn@server.service"
state: restarted
- name: Warn the user about manual checks
pause:
prompt: |
/!\ WARNING /!\
You have to manually create the CA on the server with "shellpki init {{ ansible_fqdn }}". The command will ask you to create a password, and will ask you again to give the same one several times.
You have to manually generate the CRL on the server with "openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf". The previously created password will be asked.
You have to manually create the server's certificate with "shellpki create {{ ansible_fqdn }}".
You have to adjust the config file "/etc/openvpn/server.conf" for the following parameters : local (to check), cert (to check), key (to add), server (to check), push (to complete if needed).
Finally, you can (re)start the OpenVPN service with "systemctl restart openvpn@server.service".
You must check and adjust if necessary the configuration file "/etc/openvpn/server.conf", and then restart the OpenVPN service with "systemctl restart openvpn@server.service".
The "push" parameter may be needed to push a route to the client, so that the client can access that route through OpenVPN.
Take note of the generated CA password and store it in your password manager : {{ ca_pwd }}
Press enter to exit when it's done.
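Review bot: The CA password is embedded in the command string of the two `shell:` tasks ("Initialization of the CA", "Creation of the server's certificate"), so it lands in `sh -c` argv, where any local user can read it from the process list, and in Ansible's task output and logs; the same applies to the OpenBSD tasks file in the next section. Pass it through `environment:` and mark the password-generating and password-consuming tasks `no_log: true`, keeping the `pause` prompt as the one intentional place it is shown. Separately, the `lookup('password', '/dev/null ...')` fact produces a fresh value on every run and nothing gates the init/create tasks, so a re-run will attempt to re-initialize the CA with a different password; whether `shellpki init` refuses an existing CA cannot be told from here, so gating the three tasks on a `stat` of `/etc/shellpki/cacert.pem` (the CA certificate path quoted in the old prompt) would make the play safe to repeat. The "Get the server key" task picks whichever file in `/etc/shellpki/private/` was modified last, which is only the server key if nothing else is written there afterwards; selecting by a name pattern derived from `ansible_fqdn` would be more robust if shellpki names keys that way, and the registered variable would read better as `server_key` than `ca_key`.
```yaml
- name: Generate the CA password
  set_fact:
    ca_pwd: "{{ lookup('password', '/dev/null length=25 chars=ascii_letters,digits') }}"
  check_mode: no
  changed_when: no
  no_log: true
- name: Initialization of the CA
  command: "shellpki init --non-interactive {{ ansible_fqdn }}"
  environment:
    CA_PASSWORD: "{{ ca_pwd }}"
  no_log: true
- name: Creation of the server's certificate
  command: "shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}"
  environment:
    CA_PASSWORD: "{{ ca_pwd }}"
  no_log: true
# … unchanged: Get the server key, Configure the server key, Restart OpenVPN, pause prompt …
```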


@ -56,7 +56,9 @@
group: _shellpki
- name: Generate dhparam
command: "openssl dhparam -out /etc/shellpki/dh2048.pem 2048"
openssl_dhparam:
path: /etc/shellpki/dh2048.pem
size: 2048
- name: Fix CRL rights in shellpki command
lineinfile:
@ -175,7 +177,7 @@
notify: restart nrpe
when: nrpe_evolix_config.stat.exists
- name: Copy shellpki script
- name: Copy script to check expirations
copy:
src: "shellpki/cert-expirations.sh"
dest: "/usr/share/scripts/cert-expirations.sh"
@ -189,15 +191,43 @@
special_time: monthly
job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI VPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}'
- name: Warn the user about command to execute manually
- name: Generate the CA password
set_fact:
ca_pwd: "{{ lookup('password', '/dev/null length=25 chars=ascii_letters,digits') }}"
check_mode: no
changed_when: no
- name: Initialization of the CA
shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki init --non-interactive {{ ansible_fqdn }}'
- name: Creation of the server's certificate
shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}'
- name: Get the server key
shell: 'ls -tr /etc/shellpki/private/ | tail -1'
register: ca_key
check_mode: no
changed_when: no
- name: Configure the server key
replace:
path: /etc/openvpn/server.conf
regexp: 'key /etc/shellpki/private/TO_COMPLETE'
replace: 'key /etc/shellpki/private/{{ ca_key.stdout }}'
- name: Restart OpenVPN
service:
name: openvpn
state: restarted
- name: Warn the user about manual checks
pause:
prompt: |
/!\ WARNING /!\
You have to manually create the CA on the server with "shellpki init {{ ansible_fqdn }}". The command will ask you to create a password, and will ask you again to give the same one several times.
You have to manually generate the CRL on the server with "openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf". The previously created password will be asked.
You have to manually create the server's certificate with "shellpki create {{ ansible_fqdn }}".
You have to adjust the config file "/etc/openvpn/server.conf" for the following parameters : local (to check), cert (to check), key (to add), server (to check), push (to complete if needed).
Finally, you can (re)start the OpenVPN service with "rcctl restart openvpn".
You must check and adjust if necessary the configuration file "/etc/openvpn/server.conf", and then restart the OpenVPN service with "rcctl restart openvpn".
The "push" parameter may be needed to push a route to the client, so that the client can access that route through OpenVPN.
Take note of the generated CA password and store it in your password manager : {{ ca_pwd }}
Press enter to exit when it's done.