Branch: master
Commits on Oct 18, 2017
  1. Merge branch 'mathieumd-patch-1'

    drybjed committed Oct 18, 2017
Commits on Oct 17, 2017
  1. Update apt cache when older than 1 day

    mathieumd committed Oct 17, 2017
    Maybe the cache_valid_time would better be configurable, though?
Commits on Sep 26, 2017
  1. Merge branch 'HelioCampos-test_trusty'

    drybjed committed Sep 26, 2017
Commits on Sep 25, 2017
  1. Testing playbook on trusty

    HelioCampos committed Sep 25, 2017
Commits on Jul 23, 2017
  1. Merge branch 'ypid-fix-selfsigned-sign-days'

    drybjed committed Jul 23, 2017
Commits on Jul 22, 2017
  1. debops-optimize

    ypid committed Jul 22, 2017
Commits on Jul 12, 2017
  1. Merge branch 'evilham-114-evilham-name_constraints-docs-visibility'

    drybjed committed Jul 12, 2017
  2. [docs] Fixed typo (debops-pki --> debops.pki)

    evilham committed Jul 12, 2017
Commits on Jul 11, 2017
  1. [docs] Fixed typo where a space was missing

    evilham committed Jul 11, 2017
  2. Added pki_authorities + name_constraints to getting-started

    evilham committed Jul 11, 2017
    Added a basic text pointing out that use of Name Constraints can break some setups and where to read more about it.
  3. [Docs] Added label for pki_authorities

    evilham committed Jul 11, 2017
    Added label for pki_authorities in docs/defaults-detailed.rst.
Commits on Jul 3, 2017
  1. Merge branch 'lk-minot-master'

    drybjed committed Jul 3, 2017
Commits on Jul 2, 2017
  1. Assert bash version using environment

    lk committed Jul 2, 2017
Commits on Jun 27, 2017
  1. Merge branch 'drybjed-fix-play_hosts'

    drybjed committed Jun 27, 2017
  2. Sign certificates only for hosts with facts

    drybjed committed Jun 27, 2017
Commits on Jun 20, 2017
  1. Merge branch 'BrzhkDev-patch-1'

    drybjed committed Jun 20, 2017
Commits on Jun 19, 2017
  1. Best sed tutorial ever.

    Brzhk committed Jun 19, 2017
  2. upgraded changelog

    Brzhk committed Jun 19, 2017
  3. bumped ansible min version and updated changelog

    Brzhk committed Jun 19, 2017
Commits on Jun 1, 2017
  1. Update main.yml

    Brzhk committed Jun 1, 2017
Commits on May 31, 2017
  1. always_run is deprecated. Use check_mode = no instead..

    Brzhk committed May 31, 2017
    [DEPRECATION WARNING]: always_run is deprecated. Use check_mode = no instead..
    This feature will be removed in version 2.4. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
Commits on Apr 25, 2017
  1. Merge branch 'ypid-ca-hardening-and-status-uri-change'

    drybjed committed Apr 25, 2017
  2. Fix note in changelog that name constraints are only set in new certs

    ypid committed Apr 25, 2017
Commits on Apr 24, 2017
  1. Document newly added authority params

    ypid committed Apr 24, 2017
  2. Improve changelog entry

    ypid committed Apr 24, 2017
Commits on Apr 19, 2017
  1. No need to specify name of realm a second time using `acme_domains`

    ypid committed Apr 19, 2017
Commits on Apr 17, 2017
  1. Support to change or disable CRL in PKI authorities using `item.crl`

    ypid committed Apr 17, 2017
    Closes: #87
  2. Use X509v3 name constraints to limit PKI authorities to `item.domain`

    ypid committed Apr 17, 2017
    Tested:
    
    ```
    /tmp/simple-https-server.py --certfile default.crt --keyfile default.key --hostname vz.example.com
    Serving at https://vz.example.com/
    ```
    
    ```
    curl https://vz.example.com --cacert CA.crt
    curl: (60) SSL certificate problem: permitted subtree violation
    More details here: http://curl.haxx.se/docs/sslcerts.html
    
    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.
    ```
    
    Further refs:
    
    * https://security.stackexchange.com/questions/31376/can-i-restrict-a-certification-authority-to-signing-certain-domains-only/130674#130674
    * https://gist.github.com/JonathonReinhart/f26365364918b44d82bbd6b90269fbd6