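- name: Create openvpn key directory
  # NOTE(review): no owner/group/mode is set on the directory itself, so it gets
  # the process-umask default; the key files placed in it are individually
  # restricted to 0400 below — confirm the intended directory permissions.
  file:
    path: "{{ openvpn_key_dir }}"
    state: directory
- name: Copy openssl server/ca extensions
  # Extension files drive the x509 signing steps later (openssl-ca.ext for the
  # CA self-signature, openssl-server.ext for the server certificate).
  copy:
    src: "{{ item }}"
    dest: "{{ openvpn_key_dir }}"
    owner: root
    group: root
    # File modes are quoted so Ansible parses the octal string itself instead
    # of relying on the YAML loader's integer interpretation.
    mode: "0400"
  with_items:
    - openssl-server.ext
    - openssl-ca.ext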
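# CA material is either copied from the supplied openvpn_ca_key (key + crt) or
# generated on the host. Both branches are keyed on the same variable, so
# exactly one of them runs.
- name: Copy CA key
  copy:
    content: "{{ openvpn_ca_key.key }}"
    dest: "{{ openvpn_key_dir }}/ca-key.pem"
    mode: "0400"
  # Keep the private key out of verbose/diff output.
  no_log: true
  when: openvpn_ca_key is defined
- name: Copy CA cert
  copy:
    content: "{{ openvpn_ca_key.crt }}"
    dest: "{{ openvpn_key_dir }}/ca.crt"
    mode: "0444"
  when: openvpn_ca_key is defined
- name: Generate CA key
  # The hostname is truncated so "OpenVPN-CA-" (11 chars) plus the hostname
  # stays within the 64-character CN limit. `-days` only applies to
  # `openssl req -x509`; for a plain CSR the validity is set at signing below.
  command: openssl req -nodes -newkey rsa:{{ openvpn_rsa_bits }} -keyout ca-key.pem -out ca-csr.pem -days 3650 -subj /CN=OpenVPN-CA-{{ inventory_hostname[:53] }}/
  args:
    chdir: "{{ openvpn_key_dir }}"
    creates: ca-key.pem
  when: openvpn_ca_key is not defined
- name: Protect CA key
  # openssl writes the key with the default umask; tighten it right away.
  file:
    path: "{{ openvpn_key_dir }}/ca-key.pem"
    mode: "0400"
  when: openvpn_ca_key is not defined
- name: Sign CA key
  # Self-signed, SHA-256, ten-year validity, with the CA extensions applied.
  command: openssl x509 -req -in ca-csr.pem -out ca.crt -CAcreateserial -signkey ca-key.pem -sha256 -days 3650 -extfile openssl-ca.ext
  args:
    chdir: "{{ openvpn_key_dir }}"
    creates: ca.crt
  when: openvpn_ca_key is not defined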
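- name: generate server key
  # "OpenVPN-Server-" is 15 chars, so the hostname is cut at 49 to respect the
  # 64-character CN limit.
  command: openssl req -nodes -newkey rsa:{{ openvpn_rsa_bits }} -keyout server.key -out server.csr -days 3650 -subj /CN=OpenVPN-Server-{{ inventory_hostname[:49] }}/
  args:
    chdir: "{{ openvpn_key_dir }}"
    creates: server.key
- name: protect server key
  # The key is created with the default umask by the previous task.
  file:
    path: "{{ openvpn_key_dir }}/server.key"
    mode: "0400"
- name: sign server key
  # Signed by the CA generated/copied above, with the server extensions.
  command: openssl x509 -req -in server.csr -out server.crt -CA ca.crt -CAkey ca-key.pem -sha256 -days 3650 -CAcreateserial -extfile openssl-server.ext
  args:
    chdir: "{{ openvpn_key_dir }}"
    creates: server.crt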
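- name: Copy tls-auth key
  copy:
    content: "{{ openvpn_tls_auth_key }}"
    dest: "{{ openvpn_key_dir }}/ta.key"
    mode: "0400"
  # Keep the shared secret out of verbose/diff output.
  no_log: true
  when: openvpn_tls_auth_key is defined
- name: generate tls-auth key
  # NOTE(review): newer OpenVPN releases spell this `--genkey secret ta.key`;
  # the old form still works but warns — confirm against the target version.
  command: openvpn --genkey --secret ta.key
  args:
    chdir: "{{ openvpn_key_dir }}"
    creates: ta.key
  when: openvpn_tls_auth_key is not defined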
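# Not a security issue: DH params are not secret, they only must not have been
# generated by an attacker.
# Per http://security.stackexchange.com/questions/42415/openvpn-dhparam/42418#42418
- name: copy pre-generated DH params
  copy:
    src: dh.pem
    dest: "{{ openvpn_key_dir }}"
    owner: root
    group: root
    mode: "0400"
  when: openvpn_use_pregenerated_dh_params|bool
# Alternatively, if you are concerned about logjam attacks, generate fresh
# parameters on the host (slow for large sizes).
- name: generate dh params
  # Output path is relative to chdir, like the other openssl tasks in this file.
  command: openssl dhparam -out dh.pem {{ openvpn_rsa_bits }}
  args:
    chdir: "{{ openvpn_key_dir }}"
    creates: dh.pem
  when: not (openvpn_use_pregenerated_dh_params|bool)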
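- name: install ca.conf config file
  template:
    src: ca.conf.j2
    dest: "{{ openvpn_key_dir }}/ca.conf"
    owner: root
    group: root
    # Must be quoted: an unquoted 744 is decimal 744 (octal 1350), which sets
    # the sticky bit and drops owner read. NOTE(review): a .conf file likely
    # does not need the execute bit — confirm before tightening to 0644.
    mode: "0744"
- name: create initial certificate revocation list squence number
  # Seeds the CRL serial used by revoke.sh; `creates` keeps it idempotent.
  shell: "echo 00 > crl_number"
  args:
    chdir: "{{ openvpn_key_dir }}"
    creates: crl_number
- name: install revocation script
  template:
    src: revoke.sh.j2
    dest: "{{ openvpn_key_dir }}/revoke.sh"
    owner: root
    group: root
    mode: "0744"
- name: check if certificate revocation list database exists
  # stat does not fail on a missing path, so no ignore_errors is needed and
  # the result has a well-defined `stat.exists` field.
  stat:
    path: "{{ openvpn_key_dir }}/index.txt"
  register: crl_index
- name: create certificate revocation list database if required
  file:
    path: "{{ openvpn_key_dir }}/index.txt"
    state: touch
  when: not crl_index.stat.exists
- name: set up certificate revocation list
  command: sh revoke.sh
  args:
    chdir: "{{ openvpn_key_dir }}"
    creates: "{{ openvpn_key_dir }}/ca-crl.pem"
- name: install crl-cron script
  template:
    src: crl-cron.sh.j2
    dest: "{{ openvpn_base_dir }}/crl-cron.sh"
    owner: root
    group: root
    mode: "0744"
- name: Add cron to check every Saturday if the CRL needs to be renewed
  cron:
    name: "check if CRL will expire soon"
    special_time: weekly
    job: "sh {{ openvpn_base_dir }}/crl-cron.sh"
  when: not ci_build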