From c6c91d7256a7225dd09aeaa9fc650f625011e14d Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Mon, 25 Mar 2019 19:58:06 +0100
Subject: [PATCH] Migrate LDAP from BKCA to Let's Encrypt
---
 roles/bk-dss/templates/config.cfg.j2 | 2 +-
 roles/common/files/BKCA.crt | 33 ----------------------------
 roles/common/tasks/Debian.yml | 7 ++----
 roles/common/tasks/FreeBSD.yml | 12 ----------
 4 files changed, 3 insertions(+), 51 deletions(-)
 delete mode 100644 roles/common/files/BKCA.crt
diff --git a/roles/bk-dss/templates/config.cfg.j2 b/roles/bk-dss/templates/config.cfg.j2
index a29afa9..f2a7e26 100644
--- a/roles/bk-dss/templates/config.cfg.j2
+++ b/roles/bk-dss/templates/config.cfg.j2
@@ -2,7 +2,7 @@ DEBUG = True
 SECRET_KEY = "{{ dss_secret }}"
 SESSION_TIMEOUT = 3600
-LDAP_CA = "/usr/local/share/ca-certificates/BKCA.crt"
+LDAP_CA = "/etc/ssl/certs/ca-certificates.crt"
 LDAP_URI = "ldaps://{{ ldap_host }}"
 LDAP_BASE = "{{ ldap_base }}"
diff --git a/roles/common/files/BKCA.crt b/roles/common/files/BKCA.crt
deleted file mode 100644
index d961296..0000000
--- a/roles/common/files/BKCA.crt
+++ /dev/null
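Review bot: The new `LDAP_CA` line in roles/bk-dss/templates/config.cfg.j2 swaps a single private trust anchor for the whole system bundle, so any CA in that bundle can now vouch for the LDAP server, and nothing in the template records that this is intended. The code that consumes `LDAP_CA` is not visible here, so it is worth confirming that it verifies the peer name against `ldap_host`, and noting the dependency above the line, e.g. `# System CA bundle (Let's Encrypt chain); security relies on hostname verification of the ldaps:// peer`. The path `/etc/ssl/certs/ca-certificates.crt` is the Debian bundle location; if this role is ever applied to the FreeBSD hosts that roles/common also handles, it would need a per-OS variable instead of a literal.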
@@ -1,33 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFuTCCA6GgAwIBAgIJANVP+EmgIyEFMA0GCSqGSIb3DQEBCwUAMHMxCzAJBgNV -BAYTAkRFMRAwDgYDVQQIDAdCYXZhcmlhMRMwEQYDVQQHDApSZWdlbnNidXJnMRww -GgYDVQQKDBNCaW5hcnkgS2l0Y2hlbiBlLlYuMR8wHQYDVQQDDBZCaW5hcnkgS2l0 -Y2hlbiBSb290IENBMB4XDTE1MDUyMjA3MDcyN1oXDTI1MDUxOTA3MDcyN1owczEL -MAkGA1UEBhMCREUxEDAOBgNVBAgMB0JhdmFyaWExEzARBgNVBAcMClJlZ2Vuc2J1 -cmcxHDAaBgNVBAoME0JpbmFyeSBLaXRjaGVuIGUuVi4xHzAdBgNVBAMMFkJpbmFy -eSBLaXRjaGVuIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC -AQCwBmbxYSdTH+Ti2UdjpLRbSjA4uMRjJpVus0IviOtjr5nbfx/uA4b+UuhU0FS6 -69vjuBeheu85SCQLZVA3If2qttlBNPvW8/WzQtmHqAK4jMGTIeD5PNH75bhIafMu -LWz5nRcagWoKVeumi9dhFofuoO6uSv1BdSbwK3gYkt5guKl5Pio9HITSFP961ndQ -n6dBLPvy4m+pJ6MZxhzaQIvxRr9uVRJieHH9Yl/CQcl2d1YQ24/KNiFFdF2NPyKE -+eFl8UWl/6sHS8tqLwhs4qeJCL1ir/1bjr8mZigflBE4mwtuV8EDF0pWWOyYehii -NLcS3LfLzv25N9mwhwGMJqLTDihtkcBCNx3c2qFrri1MvXy/KFrHKh2jt9pvgYDX -M2+g+tm+aWXfylu6k1GOIByT5ALktUzhfwuxk0SdplZNUqSfu1DccvxP9hbtSZPP -EnARbcTD/wOCSDj+nSG8scUIo3pNHddh0zx+W16kwBoNGHJX+g7vkMJikvYlHo2i -6CRdx47MknCgj/jQSPlajxAH5zzDcABbFRoRKh/esDEeGaKMKVyKJJFlx4CmHQ53 -zc/jV3VjQo5yL1v3YUYllccZeXmGQb5UJoSRfpE+mvO9+EYAxWLydswNeQI1f1r8 -CTWlD4tT0gooZzGKpw58Zp3IacXIzjDT5Ri2xfB+Oo4WaQIDAQABo1AwTjAdBgNV -HQ4EFgQU7MXazC3sn6xTIDkKtBv4AvYcob0wHwYDVR0jBBgwFoAU7MXazC3sn6xT -IDkKtBv4AvYcob0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAq/fD -BfaVi1KjRANxHKXmADqN0UpSdVoB2qKsj9nJ07fdS38rUqA+QjU+zmCufVkmMxKf -es3qZz5fOHkVHAiOt65XWFtYK62JByr4LomLDVDWSM4BmbU4aB8ix9ZPOr+NmB4B -QX99w0aMknO/ohVQ7InubgsXMaKA8kggCtpBQkfwcF2ntIGvyeuPJYwAWG19iH4a -uAvOdgyDCuta6UI5UPCdYdArFv3hn6+ht60tMdxo1qq9KUlyqZ3AX1Xd4+krLlCI -Kp+qfcyJ1igD5wT50egOAvc9SydFaXgAUIjt3oY5YYvP+MWmVMI107jl4jfMnQeI -G5qIEy9luhrjqJaHfLHyT10IaU/uZB7ZvZx7ElIo1YlTlIcMU8Wg6CJponDh/1aw -PbQhtuzk60N5905zDnpSHJSa91JcpVsLPv2ykQfimA8HNH2xS7ORXUJzwvEB1vhM -KnGMQB0px7HQtTTCKcDFeqZXygi4nXNygrp+swnO869jV4e6ReeV/RB7nxjd307J -gpRdtBbIambnFP74nJUhRk/60VlCDz92f+CTosHM6rdlOxFyX69cZZhoCFU5u4wF 
-ODqfxRzNJPhChozXcciAcLfhx89x0ob92XQenzZzFtylDvUAskhdhTMFLKGHstH7
-Q8Xr0jNYp5PaGNC5m+m9ngLYe6GzxGol7dLJElc=
------END CERTIFICATE-----
diff --git a/roles/common/tasks/Debian.yml b/roles/common/tasks/Debian.yml
index 744638e..d7cb340 100644
--- a/roles/common/tasks/Debian.yml
+++ b/roles/common/tasks/Debian.yml
@@ -49,11 +49,8 @@
 - name: Set shell for root user
 user: name=root shell=/bin/zsh
-- name: Create BKCA certificate directory
- file: path=/usr/local/share/ca-certificates state=directory
-
-- name: Copy BKCA certificate
- copy: src=BKCA.crt dest=/usr/local/share/ca-certificates/BKCA.crt mode=0444
+- name: Remove BKCA certificate
+ file: path=/usr/local/share/ca-certificates/BKCA.crt state=absent
 notify: update-ca-certificates
 - name: Create LDAP client config
diff --git a/roles/common/tasks/FreeBSD.yml b/roles/common/tasks/FreeBSD.yml
index 03f6e30..abd94bc 100644
--- a/roles/common/tasks/FreeBSD.yml
+++ b/roles/common/tasks/FreeBSD.yml
@@ -25,15 +25,3 @@
 with_items:
 - { src: '.zshrc', dest: '/root/.zshrc' }
 - { src: '.zshrc.local', dest: '/root/.zshrc.local' }
-
-- name: Create BKCA certificate directory
- file: path="{{ item }}" state=directory
- loop:
- - "/etc/ssl/certs"
- - "/usr/local/etc/ssl/certs"
-
-- name: Copy BKCA certificate
- copy: src=BKCA.crt dest="{{ item }}/BKCA.crt" mode=0444
- loop:
- - "/etc/ssl/certs"
- - "/usr/local/etc/ssl/certs"
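Review bot: The cleanup added in roles/common/tasks/Debian.yml (`Remove BKCA certificate`, `state=absent`) has no counterpart in the FreeBSD.yml hunk, which only drops the copy tasks, so FreeBSD hosts provisioned earlier keep `BKCA.crt` in `/etc/ssl/certs` and `/usr/local/etc/ssl/certs` and may go on trusting the retired private root. A matching task there, `file: path="{{ item }}/BKCA.crt" state=absent` looped over those two directories, would retire the anchor on both platforms. On the Debian side the removal depends on the `update-ca-certificates` handler, which is defined outside this patch; it is worth confirming that the handler rebuilds the bundle and clears any leftover symlink under `/etc/ssl/certs` after a deletion (`update-ca-certificates --fresh` does). The following `Create LDAP client config` task is unchanged and its template is not among the four files in the diffstat, so check that it no longer names the BKCA path as its CA file.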