This repository has been archived by the owner on Apr 20, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #35 from taoeffect/self-signed-ssl
Generate a self-signed cert when none is provided
- Loading branch information
Showing
6 changed files
with
122 additions
and
80 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,15 +1,82 @@ | ||
# https://github.com/ansible/ansible/issues/3107 | ||
- name: Find existing SSL keys | ||
sudo: no | ||
local_action: command test -e roles/common/files/wildcard_private.key | ||
register: custom_cert | ||
ignore_errors: yes | ||
|
||
### Use an existing (valid?) cert, provided by the user ######################## | ||
|
||
- name: Copy SSL private key into place | ||
copy: src=wildcard_private.key dest=/etc/ssl/private/wildcard_private.key group=ssl-cert owner=root mode=640 | ||
copy: > | ||
src=wildcard_private.key | ||
dest=/etc/ssl/private/wildcard_private.key | ||
group=ssl-cert owner=root mode=640 | ||
when: custom_cert|success | ||
|
||
- name: Copy SSL public certificate into place | ||
copy: src=wildcard_public_cert.crt dest=/etc/ssl/certs/wildcard_public_cert.crt group=root owner=root mode=644 | ||
copy: > | ||
src=wildcard_public_cert.crt | ||
dest=/etc/ssl/certs/wildcard_public_cert.crt | ||
group=root owner=root mode=644 | ||
when: custom_cert|success | ||
|
||
- name: Copy CA combined certificate into place | ||
copy: src=wildcard_ca.pem dest=/etc/ssl/certs/wildcard_ca.pem group=root owner=root mode=644 | ||
copy: > | ||
src=wildcard_ca.pem | ||
dest=/etc/ssl/certs/wildcard_ca.pem | ||
group=root owner=root mode=644 | ||
when: custom_cert|success | ||
|
||
- name: Create a combined version of the public cert with intermediate and root CAs | ||
shell: cat /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_ca.pem > | ||
/etc/ssl/certs/wildcard_combined.pem creates=/etc/ssl/certs/wildcard_combined.pem | ||
shell: > | ||
umask 022; | ||
cat /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_ca.pem > | ||
/etc/ssl/certs/wildcard_combined.pem | ||
args: | ||
creates: /etc/ssl/certs/wildcard_combined.pem | ||
when: custom_cert|success | ||
|
||
### If the user didn't provide one, make a self-signed cert #################### | ||
|
||
- name: Copy openssl.cnf | ||
template: > | ||
src=openssl.cnf.j2 | ||
dest=/etc/ssl/private/openssl.cnf | ||
group=root owner=root mode=644 | ||
when: custom_cert|failed | ||
|
||
- name: Generate a private key and CSR | ||
shell: > | ||
umask 027; | ||
openssl req -nodes -newkey rsa:2048 | ||
-config /etc/ssl/private/openssl.cnf | ||
-keyout /etc/ssl/private/wildcard_private.key | ||
-out /etc/ssl/private/wildcard.csr | ||
args: | ||
creates: /etc/ssl/private/wildcard_private.key | ||
when: custom_cert|failed | ||
|
||
- name: Set SSL private key permissions | ||
file: > | ||
path=/etc/ssl/private/wildcard_private.key | ||
group=ssl-cert owner=root mode=640 | ||
when: custom_cert|failed | ||
|
||
- name: Generate a self-signed SSL public key | ||
shell: > | ||
umask 022; | ||
openssl x509 -req -days 3650 | ||
-in /etc/ssl/private/wildcard.csr | ||
-signkey /etc/ssl/private/wildcard_private.key | ||
-out /etc/ssl/certs/wildcard_public_cert.crt | ||
args: | ||
creates: /etc/ssl/certs/wildcard_public_cert.crt | ||
when: custom_cert|failed | ||
|
||
- name: Set permissions on combined public cert | ||
file: name=/etc/ssl/certs/wildcard_combined.pem mode=644 | ||
- name: Link public cert to the combined location | ||
file: > | ||
src=/etc/ssl/certs/wildcard_public_cert.crt | ||
dest=/etc/ssl/certs/wildcard_combined.pem | ||
state=link | ||
when: custom_cert|failed |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
[ ca ] | ||
default_ca = CA_default # The default ca section | ||
name_opt = ca_default # Subject Name options | ||
cert_opt = ca_default # Certificate field options | ||
default_days = 3650 # how long to certify for | ||
default_crl_days = 30 # how long before next CRL | ||
default_md = default # use public key default MD | ||
preserve = no # keep passed DN ordering | ||
policy = policy_anything | ||
|
||
[ req ] | ||
prompt = no | ||
default_bits = 2048 | ||
distinguished_name = req_distinguished_name | ||
attributes = req_attributes | ||
x509_extensions = v3_ca # The extensions to add to the self signed cert | ||
string_mask = utf8only | ||
req_extensions = v3_req | ||
|
||
[ req_attributes ] | ||
unstructuredName = self-signed | ||
|
||
[ req_distinguished_name ] | ||
countryName = US | ||
stateOrProvinceName = self-signed | ||
localityName = doesn't matter | ||
0.organizationName = filler values | ||
organizationalUnitName = go here | ||
commonName = *.{{ domain }} | ||
emailAddress = {{ admin_email }} | ||
|
||
[ v3_req ] | ||
basicConstraints = CA:FALSE | ||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment | ||
subjectAltName = @alt_names | ||
|
||
[ v3_ca ] | ||
subjectKeyIdentifier=hash | ||
authorityKeyIdentifier=keyid:always,issuer | ||
basicConstraints = CA:true | ||
|
||
[ alt_names ] | ||
{% for dn in mail_virtual_domains %} | ||
DNS.{{ loop.index }} = *.{{ dn }} | ||
{% endfor %} |