raduis: use LE certificate via dns
This commit is contained in:
parent
d1a3fb6902
commit
50cab2429d
@ -11,3 +11,5 @@ name_servers:
|
|||||||
ntp_servers:
|
ntp_servers:
|
||||||
- 172.23.1.60
|
- 172.23.1.60
|
||||||
- 172.23.2.3
|
- 172.23.2.3
|
||||||
|
|
||||||
|
radius_cn: radius.binary.kitchen
|
||||||
|
@ -1,4 +1,6 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
|
radius_hostname: radius2.binary.kitchen
|
||||||
|
|
||||||
slapd_hostname: ldap2.binary.kitchen
|
slapd_hostname: ldap2.binary.kitchen
|
||||||
slapd_role: slave
|
slapd_role: slave
|
||||||
|
@ -8,5 +8,7 @@ ntp_servers:
|
|||||||
ntp_peers:
|
ntp_peers:
|
||||||
- 172.23.1.60
|
- 172.23.1.60
|
||||||
|
|
||||||
|
radius_hostname: radius1.binary.kitchen
|
||||||
|
|
||||||
slapd_hostname: ldap1.binary.kitchen
|
slapd_hostname: ldap1.binary.kitchen
|
||||||
slapd_role: slave
|
slapd_role: slave
|
||||||
|
@ -79,7 +79,7 @@ eap {
|
|||||||
group = 19
|
group = 19
|
||||||
|
|
||||||
#
|
#
|
||||||
server_id = radius@radius1.binary.kitchen
|
server_id = radius@radius.binary.kitchen
|
||||||
|
|
||||||
# This has the same meaning as for TLS.
|
# This has the same meaning as for TLS.
|
||||||
fragment_size = 1020
|
fragment_size = 1020
|
||||||
|
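Review bot: The new `server_id = radius@radius.binary.kitchen` hard-codes the very name this commit introduces as the `radius_cn` variable, so the two can drift apart silently; if this file is deployed through the template module, `server_id = radius@{{ radius_cn }}` keeps them in sync. Judging from the surrounding `group = 19` and `fragment_size` lines this appears to be the `pwd` sub-section of `eap`, whose `server_id` is an EAP-pwd exchange identity rather than a certificate subject, so the edit aligns it with the new shared name rather than being required by the certificate switch — a one-line comment saying so would spare the next reader that question. The enclosing `eap {` block starts and ends outside this hunk.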
@ -1,4 +1,7 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
|
- name: Run acertmgr
|
||||||
|
command: /opt/acertmgr/acertmgr.py
|
||||||
|
|
||||||
- name: Restart freeradius
|
- name: Restart freeradius
|
||||||
service: name=freeradius state=restarted
|
service: name=freeradius state=restarted
|
||||||
|
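Review bot: The new `Run acertmgr` handler is placed above `Restart freeradius`, and that placement is load-bearing but undocumented: Ansible fires notified handlers in the order they are defined in this file, so a play that notifies both obtains the certificate before the daemon restarts. I would add `# Keep above Restart freeradius: handlers run in definition order` on the new handler. Note also that if acertmgr fails (for example a DNS challenge that does not validate), the host fails and the later restart handler never runs, so freeradius keeps serving its previous certificate until the next play — acceptable, but worth stating in the same comment.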
4
roles/radius/meta/main.yml
Normal file
4
roles/radius/meta/main.yml
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
dependencies:
|
||||||
|
- { role: acertmgr }
|
@ -11,6 +11,17 @@
|
|||||||
file: path=/etc/freeradius/3.0/certs/srv.key owner=freerad mode=0400
|
file: path=/etc/freeradius/3.0/certs/srv.key owner=freerad mode=0400
|
||||||
notify: Restart freeradius
|
notify: Restart freeradius
|
||||||
|
|
||||||
|
- name: Request nsupdate key for certificate
|
||||||
|
include_role: name=acme-dnskey-generate
|
||||||
|
vars:
|
||||||
|
acme_dnskey_san_domains:
|
||||||
|
- "{{ radius_hostname }}"
|
||||||
|
- "{{ radius_cn }}"
|
||||||
|
|
||||||
|
- name: Configure certificate manager for radius
|
||||||
|
template: src=certs.j2 dest=/etc/acme/domains.d/{{ radius_hostname }}.conf
|
||||||
|
notify: Run acertmgr
|
||||||
|
|
||||||
- name: Create DH parameters
|
- name: Create DH parameters
|
||||||
command: openssl dhparam -outform PEM -out {{ item }} 2048 creates={{ item }}
|
command: openssl dhparam -outform PEM -out {{ item }} 2048 creates={{ item }}
|
||||||
with_items:
|
with_items:
|
||||||
|
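Review bot: The `file:` task on `srv.key` at the top of this hunk has no `state`, so it requires the key to already exist, yet after this commit the key is produced by the `Run acertmgr` handler, which only fires at the end of the play; if the task that previously seeded `srv.key` (above this hunk, not visible to me) was removed in favour of acertmgr, a fresh host fails on that task before the new tasks ever run. Adding `- meta: flush_handlers` directly after `Configure certificate manager for radius` and moving the ownership/mode task below it makes the first run self-contained. The new template task writes `/etc/acme/domains.d/{{ radius_hostname }}.conf` with the default owner and mode; since the file references the nsupdate key by path instead of embedding it this is fine, but a short comment saying the file holds no secret would save the next reviewer the check.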
18
roles/radius/templates/certs.j2
Normal file
18
roles/radius/templates/certs.j2
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
{{ radius_cn }} {{ radius_hostname }}:
|
||||||
|
- mode: dns.nsupdate
|
||||||
|
nsupdate_server: {{ acme_dnskey_server }}
|
||||||
|
nsupdate_keyfile: {{ acme_dnskey_file }}
|
||||||
|
- path: /etc/freeradius/3.0/certs/srv.key
|
||||||
|
user: freerad
|
||||||
|
group: freerad
|
||||||
|
perm: '400'
|
||||||
|
format: key
|
||||||
|
action: '/usr/sbin/service freeradius restart'
|
||||||
|
- path: /etc/freeradius/3.0/certs/srv.crt
|
||||||
|
user: freerad
|
||||||
|
group: freerad
|
||||||
|
perm: '400'
|
||||||
|
format: crt,ca
|
||||||
|
action: '/usr/sbin/service freeradius restart'
|
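Review bot: Moving the EAP server certificate to a publicly trusted CA changes the supplicant trust model, and nothing in the new template records that: anyone can obtain a Let's Encrypt certificate, so a client that only trusts the CA without checking the server name (`radius.binary.kitchen`, the first name in the domain line and therefore the CN) will happily talk to a rogue RADIUS server behind an evil-twin AP. A header comment such as `# Public CA: supplicants MUST verify the server name radius_cn; trusting the CA alone is not sufficient` makes the requirement visible to whoever writes the client profiles. Both entries carry the same `service freeradius restart` action, so a renewal that rewrites key and certificate restarts the daemon twice in succession; harmless, but a comment that this is intended (or a single action on the crt entry) would forestall a later "fix".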