From 482d67ebb16a4e4720915f2702aa7c6ab7e5adea Mon Sep 17 00:00:00 2001 From: Rudolf Mayerhofer Date: Thu, 20 Sep 2018 18:30:42 +0200 Subject: [PATCH] Change BKCA to a system CA for migration to Let's Encrypt --- group_vars/all/vars.yml | 1 - roles/common/handlers/main.yml | 3 +++ roles/common/tasks/Debian.yml | 10 ++++++---- roles/common/tasks/FreeBSD.yml | 14 ++++++++++---- roles/common/templates/ldap.conf.j2 | 4 +++- roles/hackmd/templates/config.json.j2 | 2 +- roles/ldap-pam/templates/nslcd.conf.j2 | 3 ++- roles/mail/tasks/main.yml | 7 ++----- .../templates/dovecot/dovecot-ldap.conf.ext.j2 | 6 +++--- roles/mail/templates/postfix/ldap-aliases.cf.j2 | 2 +- .../mail/templates/postfix/ldap-virtual-maps.cf.j2 | 2 +- roles/slapd/templates/slapd.conf.j2 | 3 ++- 12 files changed, 34 insertions(+), 23 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 57a6d03..0470215 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -13,7 +13,6 @@ hackmd_dbuser: hackmd hackmd_dbpass: "{{ vault_hackmd_dbpass }}" hackmd_secret: "{{ vault_hackmd_secret }}" -ldap_ca: /etc/ldap/ssl/BKCA.crt ldap_uri: ldaps://ldap.binary.kitchen/ ldap_host: ldap.binary.kitchen ldap_base: dc=binary-kitchen,dc=de diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 041e8eb..94fe6ec 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -8,3 +8,6 @@ - name: update-initramfs command: update-initramfs -u -k all + +- name: update-ca-certificates + command: update-ca-certificates diff --git a/roles/common/tasks/Debian.yml b/roles/common/tasks/Debian.yml index 24a952f..4de0fea 100644 --- a/roles/common/tasks/Debian.yml +++ b/roles/common/tasks/Debian.yml @@ -50,14 +50,16 @@ - name: Set shell for root user user: name=root shell=/bin/zsh -- name: Create LDAP certificate directory - file: path=/etc/ldap/ssl state=directory +- name: Create BKCA certificate directory + file: path=/usr/local/share/ca-certificates state=directory + +- name: Copy BKCA certificate + copy: src=BKCA.crt dest=/usr/local/share/ca-certificates/BKCA.crt mode=0444 + notify: update-ca-certificates - name: Create LDAP client config template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644 -- name: Copy LDAP certificate - copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444 - name: Disable hibernation/resume copy: src=resume dest=/etc/initramfs-tools/conf.d/resume diff --git a/roles/common/tasks/FreeBSD.yml b/roles/common/tasks/FreeBSD.yml index 367f49c..0f4883d 100644 --- a/roles/common/tasks/FreeBSD.yml +++ b/roles/common/tasks/FreeBSD.yml @@ -27,8 +27,14 @@ - { src: '.zshrc.local', dest: '/root/.zshrc.local' } - { src: 'prompt_gentoo_setup', dest: '/usr/local/share/zsh/5.6/functions/Prompts/prompt_gentoo_setup' } -- name: Create LDAP certificate directory - file: path=/etc/ldap/ssl state=directory +- name: Create BKCA certificate directory + file: path="{{ item }}" state=directory + loop: + - "/etc/ssl/certs" + - "/usr/local/etc/ssl/certs" -- name: Copy LDAP certificate - copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444 +- name: Copy BKCA certificate + copy: src=BKCA.crt dest="{{ item }}/BKCA.crt" mode=0444 + loop: + - "/etc/ssl/certs" + - "/usr/local/etc/ssl/certs" diff --git a/roles/common/templates/ldap.conf.j2 b/roles/common/templates/ldap.conf.j2 index 4622f5a..9026ab7 100644 --- a/roles/common/templates/ldap.conf.j2 +++ b/roles/common/templates/ldap.conf.j2 @@ -13,5 +13,7 @@ URI {{ ldap_uri }} #DEREF never # TLS certificates (needed for GnuTLS) -TLS_CACERT /etc/ldap/ssl/BKCA.crt +TLS_REQCERT demand +TLS_CACERTDIR /etc/ssl/certs +TLS_CACERT /etc/ssl/certs/ca-certificates.crt diff --git a/roles/hackmd/templates/config.json.j2 b/roles/hackmd/templates/config.json.j2 index aa1570a..f183845 100644 --- a/roles/hackmd/templates/config.json.j2 +++ b/roles/hackmd/templates/config.json.j2 @@ -37,7 +37,7 @@ "searchAttributes": ["cn", "uid"], "usernameField": "cn", "useridField": "uid", - "tlsca": "/etc/ldap/ssl/BKCA.crt" + "tlsca": "/etc/ssl/certs/ca-certificates.crt" }, "email": false } diff --git a/roles/ldap-pam/templates/nslcd.conf.j2 b/roles/ldap-pam/templates/nslcd.conf.j2 index 01a0948..f67a84a 100644 --- a/roles/ldap-pam/templates/nslcd.conf.j2 +++ b/roles/ldap-pam/templates/nslcd.conf.j2 @@ -32,4 +32,5 @@ base shadow {{ nslcd_base_shadow }} # SSL options tls_reqcert demand -tls_cacertfile {{ ldap_ca }} +tls_cacertfile /etc/ssl/certs/ca-certificates.crt +tls_cacertdir /etc/ssl/certs diff --git a/roles/mail/tasks/main.yml b/roles/mail/tasks/main.yml index 3bb3929..af3e664 100644 --- a/roles/mail/tasks/main.yml +++ b/roles/mail/tasks/main.yml @@ -102,11 +102,8 @@ - postfix/virtual-alias notify: Run postmap -- name: Ensure postfix chroot has an LDAP CA directory - file: path=/var/spool/postfix/etc/ldap/ssl/ state=directory - -- name: Ensure postfix chroot has the LDAP CA file - copy: remote_src=yes src=/etc/ldap/ssl/BKCA.crt dest=/var/spool/postfix/etc/ldap/ssl/BKCA.crt +- name: Ensure postfix chroot has an up2date ca-certificates.crt file + copy: remote_src=yes src=/etc/ssl/certs/ca-certificates.crt dest=/var/spool/postfix/etc/ssl/certs/ca-certificates.crt - name: Ensure postfix certificates are available command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/postfix/ssl/{{ mail_server }}.key -out /etc/postfix/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/postfix/ssl/{{ mail_server }}.crt diff --git a/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2 b/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2 index 7e5a844..74543d1 100644 --- a/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2 +++ b/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2 @@ -43,10 +43,10 @@ dnpass = {{ ldap_bindpw }} #sasl_authz_id = # Use TLS to connect to the LDAP server. -tls = no +tls = yes # TLS options, currently supported only with OpenLDAP: -tls_ca_cert_file = {{ ldap_ca }} -#tls_ca_cert_dir = +tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt +tls_ca_cert_dir = /etc/ssl/certs #tls_cipher_suite = # TLS cert/key is used only if LDAP server requires a client certificate. #tls_cert_file = diff --git a/roles/mail/templates/postfix/ldap-aliases.cf.j2 b/roles/mail/templates/postfix/ldap-aliases.cf.j2 index 25fa1ed..7319ca7 100644 --- a/roles/mail/templates/postfix/ldap-aliases.cf.j2 +++ b/roles/mail/templates/postfix/ldap-aliases.cf.j2 @@ -1,5 +1,5 @@ server_host = {{ ldap_uri }} -tls_ca_cert_file = {{ ldap_ca }} +tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt tls_require_cert = yes bind = yes bind_dn = {{ ldap_binddn }} diff --git a/roles/mail/templates/postfix/ldap-virtual-maps.cf.j2 b/roles/mail/templates/postfix/ldap-virtual-maps.cf.j2 index 68812b5..f9e6f23 100644 --- a/roles/mail/templates/postfix/ldap-virtual-maps.cf.j2 +++ b/roles/mail/templates/postfix/ldap-virtual-maps.cf.j2 @@ -1,5 +1,5 @@ server_host = {{ ldap_uri }} -tls_ca_cert_file = {{ ldap_ca }} +tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt tls_require_cert = yes bind = yes bind_dn = {{ ldap_binddn }} diff --git a/roles/slapd/templates/slapd.conf.j2 b/roles/slapd/templates/slapd.conf.j2 index fd6931e..1383393 100644 --- a/roles/slapd/templates/slapd.conf.j2 +++ b/roles/slapd/templates/slapd.conf.j2 @@ -67,7 +67,8 @@ access to * TLSCertificateFile /etc/ldap/ssl/srv.crt TLSCertificateKeyFile /etc/ldap/ssl/srv.key -TLSCACertificateFile {{ ldap_ca }} +TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt +TLSCACertificatePath /etc/ssl/certs TLSCipherSuite NORMAL TLSVerifyClient never