From 606851de760b48292960a218a11788cb69a68ca1 Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Mon, 25 Mar 2019 19:05:31 +0100
Subject: [PATCH] slapd: use LE certificate via dns

---
 group_vars/all/vars.yml        |  5 +++++
 group_vars/kitchen             |  3 ---
 roles/slapd/handlers/main.yml  |  3 +++
 roles/slapd/meta/main.yml      |  4 ++++
 roles/slapd/tasks/main.yml     | 11 +++++++++++
 roles/slapd/templates/certs.j2 | 18 ++++++++++++++++++
 6 files changed, 41 insertions(+), 3 deletions(-)
 create mode 100644 roles/slapd/meta/main.yml
 create mode 100644 roles/slapd/templates/certs.j2

diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index ca64094..da71c99 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -2,6 +2,9 @@
 
 acertmgr_mode: webdir
 
+acme_dnskey_file: /etc/acme/nsupdate.key
+acme_dnskey_server: neon.binary-kitchen.net
+
 dns_axfr_ips:
 - 216.218.133.2
 - 2001:470:600::2
@@ -86,6 +89,8 @@ root_keys:
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETMJ1JTX+xKC7ML8Or+8wunwy1rjIkp7MfeZLzLIyvP tomoto"
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPlktM2x11cNBMKurf57MLE1XcOm2sGQXguc0tl1vYd rudi@helheim"
 
+slapd_san: ldap.binary.kitchen
+
 snmp_allowed:
 - 172.23.2.5
 - 172.23.2.6
diff --git a/group_vars/kitchen b/group_vars/kitchen
index 76d5abb..cf08144 100644
--- a/group_vars/kitchen
+++ b/group_vars/kitchen
@@ -1,8 +1,5 @@
 ---
 
-acme_dnskey_file: /etc/acme/nsupdate.key
-acme_dnskey_server: neon.binary-kitchen.net
-
 dhcpd_failover: true
 dhcpd_primary: 172.23.2.3
 dhcpd_secondary: 172.23.2.4
diff --git a/roles/slapd/handlers/main.yml b/roles/slapd/handlers/main.yml
index 9d9efb3..d366412 100644
--- a/roles/slapd/handlers/main.yml
+++ b/roles/slapd/handlers/main.yml
@@ -1,4 +1,7 @@
 ---
 
+- name: Run acertmgr
+  command: /opt/acertmgr/acertmgr.py
+
 - name: Restart slapd
   service: name=slapd state=restarted
diff --git a/roles/slapd/meta/main.yml b/roles/slapd/meta/main.yml
new file mode 100644
index 0000000..a456842
--- /dev/null
+++ b/roles/slapd/meta/main.yml
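Review bot: The new `Run acertmgr` handler is notified only by the domain-config template in tasks/main.yml, so it covers first issuance and config changes but not periodic renewal; unless the acertmgr role this commit depends on installs its own scheduler (not visible here), the certificate will lapse at the end of its validity period — confirm. Handlers execute in the order they are defined, so on a first run `Run acertmgr` fires before `Restart slapd`, and the `action` entries in certs.j2 restart slapd again, giving two restarts; harmless, but worth recording with a comment above the handler such as `# One-shot issuance after the domain config changes; renewals are expected from acertmgr's own scheduler`.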
@@ -0,0 +1,4 @@
+---
+
+dependencies:
+- { role: acertmgr }
diff --git a/roles/slapd/tasks/main.yml b/roles/slapd/tasks/main.yml
index a66b68d..fa68d34 100644
--- a/roles/slapd/tasks/main.yml
+++ b/roles/slapd/tasks/main.yml
@@ -31,5 +31,16 @@
   command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ldap/ssl/srv.key -out /etc/ldap/ssl/srv.crt -days 730 -subj "/CN={{ slapd_hostname }}" creates=/etc/ldap/ssl/srv.crt
   notify: Restart slapd
 
+- name: Request nsupdate key for certificate
+  include_role: name=acme-dnskey-generate
+  vars:
+    acme_dnskey_san_domains:
+    - "{{ slapd_hostname }}"
+    - "{{ slapd_san }}"
+
+- name: Configure certificate manager for slapd
+  template: src=certs.j2 dest=/etc/acme/domains.d/{{ slapd_hostname }}.conf
+  notify: Run acertmgr
+
 - name: Start slapd
   service: name=slapd state=started enabled=yes
diff --git a/roles/slapd/templates/certs.j2 b/roles/slapd/templates/certs.j2
new file mode 100644
index 0000000..36b070f
--- /dev/null
+++ b/roles/slapd/templates/certs.j2
@@ -0,0 +1,18 @@
+---
+
+{{ slapd_hostname }} {{ slapd_san }}:
+- mode: dns.nsupdate
+  nsupdate_server: {{ acme_dnskey_server }}
+  nsupdate_keyfile: {{ acme_dnskey_file }}
+- path: /etc/ldap/ssl/srv.key
+  user: openldap
+  group: openldap
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service slapd restart'
+- path: /etc/ldap/ssl/srv.crt
+  user: openldap
+  group: openldap
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service slapd restart'
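Review bot: `- { role: acertmgr }` uses a flow mapping where the other files in this commit are written in block style; the conventional Galaxy form is `- role: acertmgr`, which also leaves room for role parameters without reformatting the line. The `acme-dnskey-generate` role pulled in by `include_role` in tasks/main.yml is deliberately not listed here, since include_role resolves it at task time; a one-line comment saying so would save the next reader a search.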
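Review bot: The two new tasks arrange for acertmgr to overwrite `/etc/ldap/ssl/srv.key` and `/etc/ldap/ssl/srv.crt`, the very files the preceding `openssl req` task creates, which turns that self-signed step into a bootstrap placeholder, but nothing in the file says so; a comment above the openssl task, `# Bootstrap self-signed cert so slapd can start; acertmgr replaces both files once the LE cert is issued`, would stop someone from removing it as dead code. Because `Run acertmgr` is a handler, on a fresh host `Start slapd` comes up with the placeholder and the Let's Encrypt certificate is only installed when handlers flush at the end of the play; if acertmgr then fails (TSIG key, DNS propagation) the play errors but slapd keeps serving the self-signed certificate, which is acceptable only if that fallback is intended. If failing fast is preferred, a `meta: flush_handlers` after the template task would surface the issuance error before `Start slapd`. The hunk opens inside the openssl task (its `- name:` line is above the hunk) and the task list continues past it.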
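Review bot: The Jinja expansions at `nsupdate_server: {{ acme_dnskey_server }}` and `nsupdate_keyfile: {{ acme_dnskey_file }}` are unquoted, so an empty value renders as `null` and a value containing YAML specials would change type or break the parse; quote them as `nsupdate_server: "{{ acme_dnskey_server }}"` and `nsupdate_keyfile: "{{ acme_dnskey_file }}"`, consistent with `perm: '400'` and `action` in the same file. Both file entries carry an identical `action: '/usr/sbin/service slapd restart'`; if acertmgr runs each action immediately after writing its file rather than once after all files, slapd is restarted between the key and the certificate being written and briefly loads a mismatched pair — confirm against acertmgr's behaviour and, if so, keep the action on the last entry only. `perm: '400'` with owner openldap keeps the private key readable by the service account alone, which is the right default; `format: crt,ca` writes the chain into srv.crt, so the slapd TLS configuration (not visible here) must expect the chain in that file.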