This repository has been archived by the owner on Apr 20, 2022. It is now read-only.

Merge pull request #35 from taoeffect/self-signed-ssl
Generate a self-signed cert when none is provided
taoeffect committed Nov 22, 2014
2 parents 3066490 + 34d18bc commit 6d71bbc
Showing 6 changed files with 122 additions and 80 deletions.
9 changes: 3 additions & 6 deletions README.md
@@ -112,13 +112,10 @@ Lastly, test your certificate:

#### Self-signed TLS certificate

Self-signed certs are free, easy, but are not yet authenticated by TLS (but [will be](https://github.com/okTurtles/dnschain)).

To create a self-signed TLS cert, run the following commands:
If you don't purchase or set up an existing certificate, empress will generate
one for you on the server.

openssl req -nodes -newkey rsa:2048 -keyout roles/common/files/wildcard_private.key -out mycert.csr
openssl x509 -req -days 365 -in mycert.csr -signkey roles/common/files/wildcard_private.key -out roles/common/files/wildcard_public_cert.crt
cp roles/common/files/wildcard_public_cert.crt roles/common/files/wildcard_ca.pem
Self-signed certs are free, easy, but are not yet authenticated by TLS (but [will be](https://github.com/okTurtles/dnschain)).

### 2. Get a Tarsnap machine key
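Review bot: the README now loses its only description of where a user-supplied certificate has to go. The removed `openssl` lines were the one place that named the three files the play still looks for (`roles/common/files/wildcard_private.key`, `wildcard_public_cert.crt` and `wildcard_ca.pem`), and the replacement text only says empress will generate one, so someone who does "purchase or set up an existing certificate" is left without an instruction for dropping those files into `roles/common/files/`. Suggest one sentence listing those three paths, and a note that the generated certificate is a self-signed 10-year wildcard that browsers will warn about until it is replaced.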

20 changes: 0 additions & 20 deletions roles/common/files/wildcard_ca.pem

This file was deleted.

27 changes: 0 additions & 27 deletions roles/common/files/wildcard_private.key

This file was deleted.
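Review bot: deleting `roles/common/files/wildcard_private.key` from the tree does not remove it from git history, so any key that was ever committed at this path should be treated as exposed and not reused; generate a fresh one rather than restoring it from an earlier revision. Since `ssl.yml` still tells users to place their own key at exactly this path, add `roles/common/files/wildcard_private.key` (and the two certificate files deleted alongside it) to `.gitignore` so a user-supplied key does not end up committed the same way.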

20 changes: 0 additions & 20 deletions roles/common/files/wildcard_public_cert.crt

This file was deleted.

81 changes: 74 additions & 7 deletions roles/common/tasks/ssl.yml
@@ -1,15 +1,82 @@
# https://github.com/ansible/ansible/issues/3107
- name: Find existing SSL keys
sudo: no
local_action: command test -e roles/common/files/wildcard_private.key
register: custom_cert
ignore_errors: yes

### Use an existing (valid?) cert, provided by the user ########################

- name: Copy SSL private key into place
copy: src=wildcard_private.key dest=/etc/ssl/private/wildcard_private.key group=ssl-cert owner=root mode=640
copy: >
src=wildcard_private.key
dest=/etc/ssl/private/wildcard_private.key
group=ssl-cert owner=root mode=640
when: custom_cert|success

- name: Copy SSL public certificate into place
copy: src=wildcard_public_cert.crt dest=/etc/ssl/certs/wildcard_public_cert.crt group=root owner=root mode=644
copy: >
src=wildcard_public_cert.crt
dest=/etc/ssl/certs/wildcard_public_cert.crt
group=root owner=root mode=644
when: custom_cert|success

- name: Copy CA combined certificate into place
copy: src=wildcard_ca.pem dest=/etc/ssl/certs/wildcard_ca.pem group=root owner=root mode=644
copy: >
src=wildcard_ca.pem
dest=/etc/ssl/certs/wildcard_ca.pem
group=root owner=root mode=644
when: custom_cert|success

- name: Create a combined version of the public cert with intermediate and root CAs
shell: cat /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_ca.pem >
/etc/ssl/certs/wildcard_combined.pem creates=/etc/ssl/certs/wildcard_combined.pem
shell: >
umask 022;
cat /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_ca.pem >
/etc/ssl/certs/wildcard_combined.pem
args:
creates: /etc/ssl/certs/wildcard_combined.pem
when: custom_cert|success

### If the user didn't provide one, make a self-signed cert ####################

- name: Copy openssl.cnf
template: >
src=openssl.cnf.j2
dest=/etc/ssl/private/openssl.cnf
group=root owner=root mode=644
when: custom_cert|failed

- name: Generate a private key and CSR
shell: >
umask 027;
openssl req -nodes -newkey rsa:2048
-config /etc/ssl/private/openssl.cnf
-keyout /etc/ssl/private/wildcard_private.key
-out /etc/ssl/private/wildcard.csr
args:
creates: /etc/ssl/private/wildcard_private.key
when: custom_cert|failed

- name: Set SSL private key permissions
file: >
path=/etc/ssl/private/wildcard_private.key
group=ssl-cert owner=root mode=640
when: custom_cert|failed

- name: Generate a self-signed SSL public key
shell: >
umask 022;
openssl x509 -req -days 3650
-in /etc/ssl/private/wildcard.csr
-signkey /etc/ssl/private/wildcard_private.key
-out /etc/ssl/certs/wildcard_public_cert.crt
args:
creates: /etc/ssl/certs/wildcard_public_cert.crt
when: custom_cert|failed

- name: Set permissions on combined public cert
file: name=/etc/ssl/certs/wildcard_combined.pem mode=644
- name: Link public cert to the combined location
file: >
src=/etc/ssl/certs/wildcard_public_cert.crt
dest=/etc/ssl/certs/wildcard_combined.pem
state=link
when: custom_cert|failed
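Review bot: the "Generate a self-signed SSL public key" task throws away the extensions the CSR asks for. `openssl x509 -req ... -signkey` does not carry `req_extensions` over from the request and is given no `-extfile`/`-extensions`, so the issued certificate has no subjectAltName at all, and the template's `x509_extensions = v3_ca` is never consulted either, because that setting only applies to `openssl req -x509`. The simplest fix is to issue the self-signed cert in one step, e.g. `openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -config /etc/ssl/private/openssl.cnf -keyout /etc/ssl/private/wildcard_private.key -out /etc/ssl/certs/wildcard_public_cert.crt`, which applies the template's extensions, and drop the separate `x509 -req` task and the CSR; if that route is taken, point `x509_extensions` at a leaf section with `basicConstraints = CA:FALSE` and the SAN list rather than at `v3_ca`. Smaller point: the "Find existing SSL keys" check only tests for `wildcard_private.key`, but the `custom_cert|success` branch copies three files, so a user who supplies the key without `wildcard_public_cert.crt` or `wildcard_ca.pem` gets a failing copy task instead of the self-signed fallback; testing for all three (or failing early with a clear message) would be more robust.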
45 changes: 45 additions & 0 deletions roles/common/templates/openssl.cnf.j2
@@ -0,0 +1,45 @@
[ ca ]
default_ca = CA_default # The default ca section
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 3650 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_anything

[ req ]
prompt = no
default_bits = 2048
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
req_extensions = v3_req

[ req_attributes ]
unstructuredName = self-signed

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = self-signed
localityName = doesn't matter
0.organizationName = filler values
organizationalUnitName = go here
commonName = *.{{ domain }}
emailAddress = {{ admin_email }}

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true

[ alt_names ]
{% for dn in mail_virtual_domains %}
DNS.{{ loop.index }} = *.{{ dn }}
{% endfor %}
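Review bot: `[ alt_names ]` enumerates only `mail_virtual_domains`, while `commonName` is `*.{{ domain }}`; if `domain` is not also in that list, the SAN list omits the very name the certificate is nominally for, and clients that prefer SAN over CN will reject it. Add explicit `DNS.1 = *.{{ domain }}` and `DNS.2 = {{ domain }}` entries ahead of the loop (a wildcard does not match the bare apex) and offset the loop numbering with `loop.index + 2`. Also, `[ req ]` sets no `default_md`, so the request and certificate are signed with the OpenSSL build's default digest (SHA-1 on OpenSSL 1.0.x); add `default_md = sha256` there. The `[ ca ]` section (including its `default_md = default` and `default_days = 3650`) is not read by `openssl req` and can be removed.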
