Install BKCA.crt as a system trusted CA
This installs the BKCA as a system trusted CA on Debian (and hopefully FreeBSD) and then removes all explicit certificate pinning from the configuration files, which should force the use of all system-trusted CAs at this point.
parent
1a511a9faf
commit
b0f21482af
@ -13,7 +13,6 @@ hackmd_dbuser: hackmd
|
|||
hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
|
||||
hackmd_secret: "{{ vault_hackmd_secret }}"
|
||||
|
||||
ldap_ca: /etc/ldap/ssl/BKCA.crt
|
||||
ldap_uri: ldaps://ldap.binary.kitchen/
|
||||
ldap_host: ldap.binary.kitchen
|
||||
ldap_base: dc=binary-kitchen,dc=de
|
||||
@ -8,3 +8,6 @@
|
|||
|
||||
- name: update-initramfs
|
||||
command: update-initramfs -u -k all
|
||||
|
||||
- name: update-ca-certificates
|
||||
command: update-ca-certificates
|
||||
@ -57,7 +57,8 @@
|
|||
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
|
||||
|
||||
- name: Copy LDAP certificate
|
||||
copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
|
||||
copy: src=BKCA.crt dest=/usr/local/share/ca-certificates/BKCA.crt mode=0444
|
||||
notify: update-ca-certificates
|
||||
|
||||
- name: Disable hibernation/resume
|
||||
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
|
||||
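Review bot: The previous copy at /etc/ldap/ssl/BKCA.crt is left behind on hosts provisioned before this change, because the task only changes its dest and nothing removes the old file; a follow-up `file: path=/etc/ldap/ssl/BKCA.crt state=absent` task would keep already-deployed hosts consistent with fresh ones. The task name "Copy LDAP certificate" also no longer describes what it does now that the file is a system-wide trust anchor, so something like "Install BKCA as system trusted CA" would read better. The new dest is correct for Debian: update-ca-certificates only picks up files under /usr/local/share/ca-certificates with a .crt extension, which this satisfies.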
@ -28,7 +28,18 @@
|
|||
- { src: 'prompt_gentoo_setup', dest: '/usr/local/share/zsh/5.6/functions/Prompts/prompt_gentoo_setup' }
|
||||
|
||||
- name: Create LDAP certificate directory
|
||||
file: path=/etc/ldap/ssl state=directory
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: "directory"
|
||||
loop:
|
||||
- "/etc/ssl/certs"
|
||||
- "/usr/local/etc/ssl/certs"
|
||||
|
||||
- name: Copy LDAP certificate
|
||||
copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
|
||||
copy:
|
||||
src: "BKCA.crt"
|
||||
dest: "{{ item }}/BKCA.crt"
|
||||
mode: "0444"
|
||||
loop:
|
||||
- "/etc/ssl/certs"
|
||||
- "/usr/local/etc/ssl/certs"
|
||||
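Review bot: Dropping BKCA.crt into /etc/ssl/certs and /usr/local/etc/ssl/certs does not by itself make OpenSSL-based clients trust it: a CApath lookup finds a CA through its subject-hash symlink, and this hunk neither rehashes the directories nor notifies a handler, unlike the Debian task in this commit which notifies update-ca-certificates. If this file targets FreeBSD, as the /usr/local paths suggest, the equivalent is `certctl rehash` (FreeBSD 12.2 and later, if I recall correctly), which populates /etc/ssl/certs from /usr/local/etc/ssl/certs; on older releases `openssl rehash` on the directory is needed, and a handler for it should be notified here. The task name "Create LDAP certificate directory" now creates the system trust directories and could say so.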
@ -11,7 +11,3 @@ URI {{ ldap_uri }}
|
|||
#SIZELIMIT 12
|
||||
#TIMELIMIT 15
|
||||
#DEREF never
|
||||
|
||||
# TLS certificates (needed for GnuTLS)
|
||||
TLS_CACERT /etc/ldap/ssl/BKCA.crt
|
||||
|
||||
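Review bot: Removing TLS_CACERT leaves libldap with no explicitly configured trust anchor, and whether it then falls back to the system store depends on the crypto backend the library was built against (the deleted comment itself said the setting was "needed for GnuTLS"), so the ldaps:// connections made by nslcd, Postfix's LDAP tables and Dovecot in the hunks below may start failing verification rather than start using the system CAs. On the positive side `tls_reqcert demand` in the nslcd.conf hunk and `tls_require_cert = yes` in the two Postfix ldap files are kept, so a missing anchor fails closed instead of silently skipping verification. Worth confirming with `ldapsearch -x -H ldaps://ldap.binary.kitchen/ -b dc=binary-kitchen,dc=de` on a Debian and a FreeBSD host before rollout; if the fallback does not work, `TLS_CACERT /etc/ssl/certs/ca-certificates.crt` here is a single non-pinned setting that points at Debian's system bundle.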
@ -37,7 +37,6 @@
|
|||
"searchAttributes": ["cn", "uid"],
|
||||
"usernameField": "cn",
|
||||
"useridField": "uid",
|
||||
"tlsca": "/etc/ldap/ssl/BKCA.crt"
|
||||
},
|
||||
"email": false
|
||||
}
|
||||
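Review bot: If the removed line is `"tlsca": "/etc/ldap/ssl/BKCA.crt"` (the only line in this hunk the commit message accounts for), the preceding `"useridField": "uid",` keeps its trailing comma and the file is no longer valid JSON, so config.json will fail to parse; that line needs to become `"useridField": "uid"`. Separately, HackMD runs on Node.js, which validates TLS against its bundled CA list rather than the OS trust store by default, so removing tlsca does not make the ldaps connection trust BKCA via update-ca-certificates; either keep `tlsca` pointing at the system bundle (on Debian /etc/ssl/certs/ca-certificates.crt) or set `NODE_EXTRA_CA_CERTS` in the service environment. Whether the result is a failed connection or an unverified one depends on how the LDAP library handles a missing CA, which is outside this hunk and should be checked.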
@ -32,4 +32,3 @@ base shadow {{ nslcd_base_shadow }}
|
|||
|
||||
# SSL options
|
||||
tls_reqcert demand
|
||||
tls_cacertfile {{ ldap_ca }}
|
||||
@ -105,9 +105,6 @@
|
|||
- name: Ensure postfix chroot has an LDAP CA directory
|
||||
file: path=/var/spool/postfix/etc/ldap/ssl/ state=directory
|
||||
|
||||
- name: Ensure postfix chroot has the LDAP CA file
|
||||
copy: remote_src=yes src=/etc/ldap/ssl/BKCA.crt dest=/var/spool/postfix/etc/ldap/ssl/BKCA.crt
|
||||
|
||||
- name: Ensure postfix certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/postfix/ssl/{{ mail_server }}.key -out /etc/postfix/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/postfix/ssl/{{ mail_server }}.crt
|
||||
notify: Restart postfix
|
||||
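Review bot: Removing the CA copy from /var/spool/postfix/etc/ldap/ssl means the chrooted Postfix daemons that perform the LDAP table lookups now have to find the system trust store inside the chroot; Debian's postfix scripts copy /etc/ssl/certs/ca-certificates.crt into the chroot on restart, if I recall correctly, but only that bundle file and not the hashed /etc/ssl/certs directory, so whether libldap's default lookup finds it inside the chroot needs to be confirmed in the mail log after the restart this hunk triggers. Nothing removes the now-orphaned /var/spool/postfix/etc/ldap/ssl/BKCA.crt from already-provisioned hosts either; a `file: path=/var/spool/postfix/etc/ldap/ssl state=absent` task would clean it up. The task list continues outside the hunk.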
@ -43,9 +43,9 @@ dnpass = {{ ldap_bindpw }}
|
|||
#sasl_authz_id =
|
||||
|
||||
# Use TLS to connect to the LDAP server.
|
||||
tls = no
|
||||
tls = yes
|
||||
# TLS options, currently supported only with OpenLDAP:
|
||||
tls_ca_cert_file = {{ ldap_ca }}
|
||||
#tls_ca_cert_file =
|
||||
#tls_ca_cert_dir =
|
||||
#tls_cipher_suite =
|
||||
# TLS cert/key is used only if LDAP server requires a client certificate.
|
||||
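Review bot: Besides un-pinning the CA, this hunk appears to flip `tls = no` to `tls = yes`, which the commit message does not mention; in Dovecot's LDAP config `tls = yes` means issuing STARTTLS after connecting, and if the `uris` setting (outside this hunk) uses `ldaps://` like the other files in this commit, STARTTLS on an already-encrypted connection is an error rather than extra protection. If the intent is simply "use TLS", keep `tls = no` with an ldaps:// URI, or use a plain ldap:// URI with `tls = yes`. With `tls_ca_cert_file` now commented out there is no visible setting in this file that enforces server certificate verification, so consider adding `tls_require_cert = demand` alongside, matching the `demand`/`yes` settings kept in the nslcd and Postfix hunks.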
@ -1,5 +1,4 @@
|
|||
server_host = {{ ldap_uri }}
|
||||
tls_ca_cert_file = {{ ldap_ca }}
|
||||
tls_require_cert = yes
|
||||
bind = yes
|
||||
bind_dn = {{ ldap_binddn }}
|
||||
@ -1,5 +1,4 @@
|
|||
server_host = {{ ldap_uri }}
|
||||
tls_ca_cert_file = {{ ldap_ca }}
|
||||
tls_require_cert = yes
|
||||
bind = yes
|
||||
bind_dn = {{ ldap_binddn }}
|
||||
@ -67,7 +67,6 @@ access to *
|
|||
|
||||
TLSCertificateFile /etc/ldap/ssl/srv.crt
|
||||
TLSCertificateKeyFile /etc/ldap/ssl/srv.key
|
||||
TLSCACertificateFile {{ ldap_ca }}
|
||||
TLSCipherSuite NORMAL
|
||||
TLSVerifyClient never
|
||||
|
||||