raduis: use LE certificate via dns

This commit is contained in:
Markus 2019-03-25 20:42:27 +01:00
parent d1a3fb6902
commit 50cab2429d
8 changed files with 43 additions and 1 deletions


@ -11,3 +11,5 @@ name_servers:
ntp_servers: ntp_servers:
- 172.23.1.60 - 172.23.1.60
- 172.23.2.3 - 172.23.2.3
radius_cn: radius.binary.kitchen


@ -1,4 +1,6 @@
--- ---
radius_hostname: radius2.binary.kitchen
slapd_hostname: ldap2.binary.kitchen slapd_hostname: ldap2.binary.kitchen
slapd_role: slave slapd_role: slave


@ -8,5 +8,7 @@ ntp_servers:
ntp_peers: ntp_peers:
- 172.23.1.60 - 172.23.1.60
radius_hostname: radius1.binary.kitchen
slapd_hostname: ldap1.binary.kitchen slapd_hostname: ldap1.binary.kitchen
slapd_role: slave slapd_role: slave


@ -79,7 +79,7 @@ eap {
group = 19 group = 19
# #
server_id = radius@radius1.binary.kitchen server_id = radius@radius.binary.kitchen
# This has the same meaning as for TLS. # This has the same meaning as for TLS.
fragment_size = 1020 fragment_size = 1020
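Review bot: `server_id = radius@radius.binary.kitchen` on the changed line hard-codes the same name that group_vars now carries as `radius_cn`, so the two can drift apart on the next rename. If this file is rendered through Ansible's template module, `server_id = radius@{{ radius_cn }}` keeps them in sync; if it is a static file, a comment such as `# must match radius_cn in group_vars` next to the line would at least document the coupling. The enclosing `eap {` block starts and ends outside the hunk.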


@ -1,4 +1,7 @@
--- ---
- name: Run acertmgr
command: /opt/acertmgr/acertmgr.py
- name: Restart freeradius - name: Restart freeradius
service: name=freeradius state=restarted service: name=freeradius state=restarted


@ -0,0 +1,4 @@
---
dependencies:
- { role: acertmgr }


@ -11,6 +11,17 @@
file: path=/etc/freeradius/3.0/certs/srv.key owner=freerad mode=0400 file: path=/etc/freeradius/3.0/certs/srv.key owner=freerad mode=0400
notify: Restart freeradius notify: Restart freeradius
- name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate
vars:
acme_dnskey_san_domains:
- "{{ radius_hostname }}"
- "{{ radius_cn }}"
- name: Configure certificate manager for radius
template: src=certs.j2 dest=/etc/acme/domains.d/{{ radius_hostname }}.conf
notify: Run acertmgr
- name: Create DH parameters - name: Create DH parameters
command: openssl dhparam -outform PEM -out {{ item }} 2048 creates={{ item }} command: openssl dhparam -outform PEM -out {{ item }} 2048 creates={{ item }}
with_items: with_items:
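Review bot: The new `Configure certificate manager for radius` task passes its arguments as a `key=value` string that embeds a Jinja expression in `dest`; block YAML with the templated value quoted is the clearer form and avoids free-form argument parsing: `template:` / `  src: certs.j2` / `  dest: "/etc/acme/domains.d/{{ radius_hostname }}.conf"`. The same applies to `include_role: name=acme-dnskey-generate` a few lines above, which reads better as `include_role:` / `  name: acme-dnskey-generate`. The task list continues outside the hunk on both sides.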


@ -0,0 +1,18 @@
---
{{ radius_cn }} {{ radius_hostname }}:
- mode: dns.nsupdate
nsupdate_server: {{ acme_dnskey_server }}
nsupdate_keyfile: {{ acme_dnskey_file }}
- path: /etc/freeradius/3.0/certs/srv.key
user: freerad
group: freerad
perm: '400'
format: key
action: '/usr/sbin/service freeradius restart'
- path: /etc/freeradius/3.0/certs/srv.crt
user: freerad
group: freerad
perm: '400'
format: crt,ca
action: '/usr/sbin/service freeradius restart'
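Review bot: `nsupdate_server: {{ acme_dnskey_server }}` and `nsupdate_keyfile: {{ acme_dnskey_file }}` are unquoted templated scalars in a file that acertmgr parses as YAML, so an empty expansion becomes `null` and a boolean- or number-looking value is retyped; quoting them as `nsupdate_server: "{{ acme_dnskey_server }}"` and `nsupdate_keyfile: "{{ acme_dnskey_file }}"` matches the quoting already used for `perm` and `action` below. The nsupdate key referenced here can create records under the SAN names, so it is worth confirming, presumably in the acme-dnskey-generate role rather than this file, that the key file is readable only by the account acertmgr runs as. One of the 18 lines reported for this file does not appear in the rendering, most likely a blank line.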