authorGuilhem Moulin <guilhem@fripost.org>2016-05-24 17:11:11 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-05-24 17:12:10 +0200
commit1af3c572eedb0eaddcdc5c9c41d98ff59bb7b2c9 (patch)
tree6af69fd639a051b483528b03959985ab806b2c1c
parent61ee02ffb5402d93eae59001b91197957a8dcfe2 (diff)
IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication.
There is no need to bother with X.509 cruft here.
-rw-r--r--certs/ipsec/antilop.pem46
-rw-r--r--certs/ipsec/benjamin.pem46
-rw-r--r--certs/ipsec/civett.pem45
-rw-r--r--certs/ipsec/elefant.pem46
-rw-r--r--certs/ipsec/giraff.pem45
-rw-r--r--certs/ipsec/mistral.pem46
-rwxr-xr-xroles/common/files/usr/local/bin/genkeypair.sh5
-rw-r--r--roles/common/tasks/ipsec.yml17
-rw-r--r--roles/common/templates/etc/ipsec.conf.j25
9 files changed, 99 insertions, 202 deletions
diff --git a/certs/ipsec/antilop.pem b/certs/ipsec/antilop.pem
index cdb3809..effcc1f 100644
--- a/certs/ipsec/antilop.pem
+++ b/certs/ipsec/antilop.pem
@@ -1,32 +1,14 @@
------BEGIN CERTIFICATE-----
-MIIFbjCCA1agAwIBAgIJAK1L1Q45QyGyMA0GCSqGSIb3DQEBDQUAMEcxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVJUFNlYzEQ
-MA4GA1UEAwwHYW50aWxvcDAeFw0xNjA1MjExMzIwMjBaFw0yNjA1MTkxMzIwMjBa
-MEcxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQL
-DAVJUFNlYzEQMA4GA1UEAwwHYW50aWxvcDCCAiIwDQYJKoZIhvcNAQEBBQADggIP
-ADCCAgoCggIBAPZCYTbXuTseBaYueoPorgtGGUe6/e3j5SStzCwb4flNniqqVoCq
-JXxSg72IAmwTrsnUwWx/iNm/g7N15/509rW5mE+YXksoDYORig32F9TtVEinUuHz
-EDh+nYis/YzoOM1ErdDpQL880ydskTaqvKKLGdigaosvFUJMUYhqYPnw1opQIH5r
-6YRqTz9l8GThuA+6Ujb7mlvSv6Pk4pMcRNb3cnDoDD2YJ0U0gOXah6Sw9VEFmh/U
-bv0eietvLTy1RvqiC/I6IpR1kZb5jtTo5EHkXqc2hyDNppAWW59YmIoJNIFuC8/Q
-nFM2d9JIP6RGY0bu5TaYmM4xpnSzgX0dIQ9ysZXP8uqZj/StaONtohxxpqnUiT+X
-hQQdX2sW4/6vAyl5m6ukXqKPwapOuQN2ZDDRHWq68qoPu5w+b9AlKHUnpbxNh6JO
-6M3e09TPg/+uQ8OBw37fRixIvfZlpWeGy513l1NKlnJwkjiR8jmnsbMQ8yKLrXbH
-JXAXHI8J681JALVm1hi1uwr8N58Tg/L1MRpG1vIT9rmdNsUZWEWSmEt6FLWgKs5J
-bMIx4jILrvxxaGOa40G7JuKiaKN7u5RqRm3IBWeoNPQN+axZj2pe3n2AqMZP8a5p
-dYPz0mzE7xTCS++kYcmwHJwlylRbRGmAFHb22T/lnSR4WdaxcShnBI8hAgMBAAGj
-XTBbMBwGA1UdEQQVMBOBEWFkbWluQGZyaXBvc3Qub3JnMAwGA1UdEwEB/wQCMAAw
-DgYDVR0PAQH/BAQDAgKkMB0GA1UdDgQWBBQlgc0BvZLpfrqs9jXqUXVxMxYNlzAN
-BgkqhkiG9w0BAQ0FAAOCAgEAIJ85xKCU/s4EbcodFL6walMLsaXKnEHo0oY29EUv
-bGl+1qzlWuedwXti5ND+6a5iO8RMHtexOoQ+GTUBv/wMGgiElvkvtT9FsFxijnh3
-D4a3TqFQTVRTUuJVP/uULe18eScAyWVdArL1NJHDz/GoHjtUdzfCVKgTMNWIx4yC
-E5i3IGJsGDAFLl19N5if+TfGjj90QkH1TzC4jOF6Y3oxkY4ZVwLtb0E/uR/zk8HI
-9wF7lw2/5J+aqyyaWnsd66fzJGk/3lELWJbOvXN6KbS3YcWOhXrOV7ijdZRyaHWo
-jB7nWRjLfb8KUSNXnzq4/8Zs3ka6WeBDB1pd4glcKeaMOdm5K/NspsS8ziGWHeoQ
-XlFFxP/Msw5NlUvlSjZ3qZzNg4550Ci/FweBavGihSCakmkZMvq7Kvg67j6mStZS
-Qm5t+sVTiJ036+m1TcUpfRJ9VPkYFhA25Bk+XKctxTu2Hcs2P9Q60oO3BGkTIoPQ
-uKjE/HtTuLb7RtaMtUs8K1j9Pq9j9F271EAOb7JzQlhEt0w+QQyoiQVPOD0RZ6T3
-LAzXz0qX0fEk2DOf6jCjNJg4TJaWzLaVo4lkTv4dcYSvZlZnDwSX6h/LoizP6zYK
-voqUuBt9+hksXPenDT/lCaYv2w+C4NdzsH4FQ5FUNPVqGdyqA9pynDxrjELkTaNp
-DZw=
------END CERTIFICATE-----
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9kJhNte5Ox4Fpi56g+iu
+C0YZR7r97ePlJK3MLBvh+U2eKqpWgKolfFKDvYgCbBOuydTBbH+I2b+Ds3Xn/nT2
+tbmYT5heSygNg5GKDfYX1O1USKdS4fMQOH6diKz9jOg4zUSt0OlAvzzTJ2yRNqq8
+oosZ2KBqiy8VQkxRiGpg+fDWilAgfmvphGpPP2XwZOG4D7pSNvuaW9K/o+TikxxE
+1vdycOgMPZgnRTSA5dqHpLD1UQWaH9Ru/R6J628tPLVG+qIL8joilHWRlvmO1Ojk
+QeRepzaHIM2mkBZbn1iYigk0gW4Lz9CcUzZ30kg/pEZjRu7lNpiYzjGmdLOBfR0h
+D3Kxlc/y6pmP9K1o422iHHGmqdSJP5eFBB1faxbj/q8DKXmbq6Reoo/Bqk65A3Zk
+MNEdarryqg+7nD5v0CUodSelvE2Hok7ozd7T1M+D/65Dw4HDft9GLEi99mWlZ4bL
+nXeXU0qWcnCSOJHyOaexsxDzIoutdsclcBccjwnrzUkAtWbWGLW7Cvw3nxOD8vUx
+GkbW8hP2uZ02xRlYRZKYS3oUtaAqzklswjHiMguu/HFoY5rjQbsm4qJoo3u7lGpG
+bcgFZ6g09A35rFmPal7efYCoxk/xrml1g/PSbMTvFMJL76RhybAcnCXKVFtEaYAU
+dvbZP+WdJHhZ1rFxKGcEjyECAwEAAQ==
+-----END PUBLIC KEY-----
diff --git a/certs/ipsec/benjamin.pem b/certs/ipsec/benjamin.pem
index 57c9052..bfb094e 100644
--- a/certs/ipsec/benjamin.pem
+++ b/certs/ipsec/benjamin.pem
@@ -1,32 +1,14 @@
------BEGIN CERTIFICATE-----
-MIIFcDCCA1igAwIBAgIJAJkbw4unO7z/MA0GCSqGSIb3DQEBDQUAMEgxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVJUFNlYzER
-MA8GA1UEAwwIYmVuamFtaW4wHhcNMTYwNTIxMTMyMTIwWhcNMjYwNTE5MTMyMTIw
-WjBIMRAwDgYDVQQKDAdGcmlwb3N0MREwDwYDVQQLDAhTU0xjZXJ0czEOMAwGA1UE
-CwwFSVBTZWMxETAPBgNVBAMMCGJlbmphbWluMIICIjANBgkqhkiG9w0BAQEFAAOC
-Ag8AMIICCgKCAgEAwOODNQ5sdVXFrzAeo9bChbauUP69uXoc6OP/l1xB9kjzmErE
-noAlVjKO05nUE6Uus03/RkEPdyaMCfKarAhbFHaowtylUjUcIsVJkGsem4vRtuLv
-929vLx4TdL8BN5NCMsXOecoI5z//lfJ4YVfpmLQ+OUM8kWNcHOPRpnLLZq/Pwvn9
-3WbzWmxlcmVZUwq66f0N9zBSk8678TikZGx2dJ/HZwigswo0PSxTIbvE2eoDdFoh
-i9RrBxpXTnsxCAXpFIV7SLobw+tQvuv+r2oK5oGOnHIGmJZWVC3bRIb+PPELeB1g
-3TfNz7bP5PRKpXnP0cdK/0J2A+vQqArr8ACsgzxsKUb7t9OASLH14fQ25FJ3nsc+
-CS9snXIxJourd5d2cyhMe3xBo0tzPLC8sc3mwIyuz60o0pOjvIfzlYyldtYk3CTC
-VKMs1UpLnea8DDIvzhWn+TLX2yAKS/KNG0Tw72aLc86ZUVKV0+fkwjRWtIAWSJQZ
-L/tOl4iDyU+T9dG9dDR1KlsfW0JBGTkyZOLZrSBVQvDj/aUQjgc8e54MghJsS5Qd
-AvD2rTO5liqB8YzHY77Nj2d4f5kqBHj41KwtGOQT4nXYI+rdOpkmkMj5kOGoeRIC
-Sv+eszXADnHHtoPS73rjej0gseibSvvm9n3iKkd5mm2N2oZ9Q5pF52CUFfMCAwEA
-AaNdMFswHAYDVR0RBBUwE4ERYWRtaW5AZnJpcG9zdC5vcmcwDAYDVR0TAQH/BAIw
-ADAOBgNVHQ8BAf8EBAMCAqQwHQYDVR0OBBYEFEDI1UY3Ng7TSEMllOYaasPL05JK
-MA0GCSqGSIb3DQEBDQUAA4ICAQCy/YSxqCu6r4H0+XPdoz9TYoIkW3V4f7nupw09
-q6Zhpnl4T5a7WJnY/6Pda9Y+4f1+uR1OMJ+kgH4K6RyCjzobgjEGpVlxBpmA/8Q/
-634zc1cUna/sa7Jd/taTnqTZRbT7C9aZyIkJoN0Cco/k8QI6gvsMmGDh37nS6keB
-opy5XBTVEcysH8JPVlVFwGm+FL7n45GM7A4ju6wujeyAJ9I7IxFJM5d8B5r6zt5L
-MAdMYdPDR6TRyKcmEbsb0Jq+dI8kQFRr0IApIb8m+Z3O0AyBqtdGX+EQIoXijGH0
-NRPN6YKPU1U0Ha2ti3VRalVSHuvk+/kBYNeCZA3DB0QT9obLOj/CrOMutfXtsNUU
-eG7x+L/sjHnVSaKOQ5rtAcoF1GrqAGnmZTN0H9IbAG8/WU9pefNHQt7V5+5xtDmA
-ywMHqRgYQKTD4CRhmGgqcHEr6ls7rhI7YbAoTgwbUMe9kHdVFiE3ZutYSkWln5E0
-Jc/K6LXo0kiwMgsEG98qNzlNRHsvp+UHuKaiuBD28HwLxGo1M5rp3MItm9FoMPpm
-tUcEp2/6RJLrSZNLU6Lx9ZF3HIj0e42e+laIfu46o8ZEIsvwac3iZN/nonxTGaoy
-n4W1AW/F8cXpO0YG7xtyHyTL+d/1WmurpXKgKmE+0mOMeAJjQn9G4aUl+/UkPlGb
-V/aK7w==
------END CERTIFICATE-----
+-----BEGIN PUBLIC KEY-----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+-----END PUBLIC KEY-----
diff --git a/certs/ipsec/civett.pem b/certs/ipsec/civett.pem
index d0de31f..b6a2a23 100644
--- a/certs/ipsec/civett.pem
+++ b/certs/ipsec/civett.pem
@@ -1,31 +1,14 @@
------BEGIN CERTIFICATE-----
-MIIFbDCCA1SgAwIBAgIJAN3ZQpjOL9/yMA0GCSqGSIb3DQEBDQUAMEYxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVJUFNlYzEP
-MA0GA1UEAwwGY2l2ZXR0MB4XDTE2MDUyMTEzMjE1NVoXDTI2MDUxOTEzMjE1NVow
-RjEQMA4GA1UECgwHRnJpcG9zdDERMA8GA1UECwwIU1NMY2VydHMxDjAMBgNVBAsM
-BUlQU2VjMQ8wDQYDVQQDDAZjaXZldHQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
-ggIKAoICAQDmnVdJXUgGbvTIH9jKK+eIHOkaJMAcC+lXLFAMee9t7YVsyrpmCdt4
-fVTQJFBwp9GiW1Y+dqBQBWvr9z6l/m68CsZOJoJ5Telmcv42tpoDtf0eEANo17/D
-VRbQHJzJmAZQ7OkyPGFSKQy9XUqLq1+OkM+zRuy8TvnUa0mLdHR5ykEJl0P541mW
-yn1LMQON5cRzVMHwTmDSnPhzn+7YQU2sHpHKJaLVPq+yXaN1JoUglySIjlquk6Ji
-paAwMer8CHXnnjoQw+L6/bsZCc02Zz96M/CDqlow88Ut6o6qFR6L3B8go3qgSbbU
-ERB4n9KcyUyhwp+joIE1J2TkEfguumVYrS/j00pHKz1Iug9z0HqXKesWEOwy0f9C
-AbdpEnmk7+3nU8zJVVqmJjbdB2OS4Cy3R0jeNNu4P581NxEktETCSl3+bwAhvTN0
-QAs3mWNLuVEREoPGQr3sUq9kRfKah09VVgSHsQutf6/7A5oNd8zx48Ff3Mn7miS6
-aDbuWPLjCdRYczBO3y2PBQeZDANqa3SSTZvQgRFXnkey1Em1UtMIB3KCTYTuPU7G
-jlm2q+T/f2yL5K3zNrF+6X8HIrFb6xIkoYy6SCNYH2S4bXsRI3KlCFH+mIHuQJg8
-hVTlNOABfOoM9ZXmt+9zkWcy4QQiUA6Rbrtu7JOg34PorIm6XYUANQIDAQABo10w
-WzAcBgNVHREEFTATgRFhZG1pbkBmcmlwb3N0Lm9yZzAMBgNVHRMBAf8EAjAAMA4G
-A1UdDwEB/wQEAwICpDAdBgNVHQ4EFgQUjtpNnjSQRjO6regLVnpSvcnBaxUwDQYJ
-KoZIhvcNAQENBQADggIBAOZgyZp5le0PLCzMU1Qp96jfPUF0u/hdScQ9EVRzXjGT
-S6qhrEv5XYOCxU4XBzika071FaYo8OrEV3oq+Y7MtdQbK3pMKhN7ilSiX/dYFM3t
-cUEHwZ14e5OJ0NZfyWXk0GvGNURqn7r/AZWrfGn+uSe+ndxAZuV363NxQYPVbtTi
-dK81lkyue3CwSGdGh3BgyRrQ86JWvcjpFaCQeOENUtwlBfGDNEwtQ7I52NIEKxpX
-3pDvE0/x14JSx9pO3BXK6SH1zt/8bXiW9A8XEkMoVsAOL1ntrzCCLPM6mP2JEoDD
-vAEr360T5T4cTTym+4Or3gPm9RMwEfca3ZHzZkxUXChKn+YZ4r9kpWVgIxoIGZdd
-ZeoA/oO2feLPHM4whBP6x4tyceoqLyA11Gaj5JKtLJTGIb+1zjni8IVuINuWN/YD
-ZOfn+lGsL/qft2hQ/UopSXDcnVj+dxPdcWaUCfTN3oOqLDSTmcR2bbLmVDL8oMef
-pZlaSIJ6p4dGQAs4lwvROE8WTb6b21rNZy7O4Po2jpH5fhHsxgqEByvloYenaadV
-Oian0DfuKXdI7K4v1kq6UfRRwR3LzNnE9Gy9aeSKyCFZhg67CAeKgt6i5VmgrDGw
-rbIpPky5FUpUHkA1WMxP1Wl1ZESZRVLV2A1rUD4gzZiVV3cEM85r98GSogBleXR7
------END CERTIFICATE-----
+-----BEGIN PUBLIC KEY-----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+-----END PUBLIC KEY-----
diff --git a/certs/ipsec/elefant.pem b/certs/ipsec/elefant.pem
index 25561ae..22ed188 100644
--- a/certs/ipsec/elefant.pem
+++ b/certs/ipsec/elefant.pem
@@ -1,32 +1,14 @@
------BEGIN CERTIFICATE-----
-MIIFbjCCA1agAwIBAgIJAO+HSCLdxxt9MA0GCSqGSIb3DQEBDQUAMEcxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVJUFNlYzEQ
-MA4GA1UEAwwHZWxlZmFudDAeFw0xNjA1MjExMzIyMjFaFw0yNjA1MTkxMzIyMjFa
-MEcxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQL
-DAVJUFNlYzEQMA4GA1UEAwwHZWxlZmFudDCCAiIwDQYJKoZIhvcNAQEBBQADggIP
-ADCCAgoCggIBALYLJRUZlY4xnWOJgaUsv9FDkTcTU2FtxMw4QHEL1lBRwl8gWx0O
-2bAfF4Jm9lGEMTjryDrMbx3YfonZ+jC7ZEisPNjuP7VpUgI9VIeN0L0W1f8ROvvB
-ByuRhC+1qitK1uU60jSQ+MdhkGeXz22d6xkthJi9v7ppx62rLlzQaS+GdumOuyvj
-hG3f+Mcw8u0Lw/stZ+PDEiG33DF/iDKWJvxq53SFk22BAsvpE1NfmY4RYZOz2qPK
-JGX2t6HPwwVW93vUKavAgYW2Tpy0iOoBi2zDU90md879Ttsju833NMk6g/RcrY15
-UsGep23LcXw/TGTzZa1Fsi8LxzfBwuTljmEye16j30HALxY7x68PmaPbER3WJy7A
-gvO3QuHKzU8fyTrTCBysCRlEnt37r0LyiAHeoaV3Ij5lXAG/2F5iJHLpW5Gv8uM9
-2wHjTCNTSF3L25rsKHUvNUbO9OcYCVXS2wEiysY/UEqOHW2C2auUmh+I0bbpYjjZ
-Xq/7KeGx43fdnmsG3W+KYtkZr4bvxZkscPAKvIMUx0DL/gjBA7Pv2BgMrF5XSxCj
-moFU8QSp/W4HWvajkwdZOR7dn1WWFL81Ctvbb4ago6u48AY6a4FHP3kbThDyQKDi
-8mL/YU35CiufgPX7N0k/pLYDViyRnC+WOi8Me5CPzZQSj7wtliyvGRKHAgMBAAGj
-XTBbMBwGA1UdEQQVMBOBEWFkbWluQGZyaXBvc3Qub3JnMAwGA1UdEwEB/wQCMAAw
-DgYDVR0PAQH/BAQDAgKkMB0GA1UdDgQWBBQ6/gMd6OCGn7QXO073QppLV5GfJDAN
-BgkqhkiG9w0BAQ0FAAOCAgEAVUOkssSdKXMP95GcnbIeGCCcZ3/mieYfOHZ4ndPV
-BaGd/4hmey29YNszRaAbAUOvdvnWHl3lcfgeu7H+qzKX/RpWnliL1CvtxNQ8ePor
-dNYpr6ah0MTwiP2dfxX6tLyH+rGaADz6IkeFZ/ZKO7CPcxfedjmY7Snk4mCDVmbZ
-XkDd1EkGePF6zU5wy/TRrckmoUm2cL2wXLv7hvIcDvKYta02+WspdRtKciw2RcNE
-2igIfTt69U6U4e5+g4jXTW3gI8wM2xjr1NDrzTTE8519mmpsfrQeOBHKOJgWjJWJ
-PjSwuaYrUIlYqB4mqL2BhakIuuH8P8Z68F9qelICiiSMGZu4wvZpIEDetaB0NlWP
-u5YE8kG/xD85p1bFC9H5/e7f8LKQz/ZxpazsKlUvMB0q4WBpTcoBrjnfjprLOjf8
-aeJ0kcAUSy8pR49rq7k9j8+onDqGoVV9mzAH9hzD1itU0hHKEB0uKH48XMRBhnUn
-ViXQZHRDuYDuUbvvKzss/Ul85S2OGwKWKUhOocFtDj57p38yCgbhffm31ja/N3Td
-hPLDA9u9oIL6Hh5GzDGdx7z4MoV1eTAQqCK/rk7XVHyt9hb1ADRETLT2NlgovkQq
-TFlHZ/9hCGAW8IcqzTDA4yCJ3XHZ8WLaUr9t3Rr7mUUnIB9cRJoZd3lkt/2bdvEI
-OHI=
------END CERTIFICATE-----
+-----BEGIN PUBLIC KEY-----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+-----END PUBLIC KEY-----
diff --git a/certs/ipsec/giraff.pem b/certs/ipsec/giraff.pem
index 1abb655..4d7e9f8 100644
--- a/certs/ipsec/giraff.pem
+++ b/certs/ipsec/giraff.pem
@@ -1,31 +1,14 @@
------BEGIN CERTIFICATE-----
-MIIFbDCCA1SgAwIBAgIJAJJw5lIqPzO2MA0GCSqGSIb3DQEBDQUAMEYxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVJUFNlYzEP
-MA0GA1UEAwwGZ2lyYWZmMB4XDTE2MDUyMTEzMjI0N1oXDTI2MDUxOTEzMjI0N1ow
-RjEQMA4GA1UECgwHRnJpcG9zdDERMA8GA1UECwwIU1NMY2VydHMxDjAMBgNVBAsM
-BUlQU2VjMQ8wDQYDVQQDDAZnaXJhZmYwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
-ggIKAoICAQDFN5v7clsY27jVOmh4kHMiPqcLSb7IEeYZNHnvRd1Vm6F/HRsniXCq
-dujue1aoLscVLQMeiQd2R0g0oLIue8DG7FaQreWFmAmUK7kwsocQYZwgzLMvOtmc
-0eGnG4B4xJjQTDTAuetv8zVJAoclJTxki3oOlyUKvoRU67q0hD93xguyKxxwGMnL
-4qbrLcf7BrwTF2khWOEOy/PaYQDWxDFtoG6Z/HtG+PmiLD0EPbawZ3iUPXWCmXz3
-lftK+D4vL74MYRc6uy10XYT2yY0Lo9wxtPh1a918IBOuD+fP89povs/BWhI2BYyY
-NplXJAzgkNz8zA/UmRuLcy6SoXx8YLsIaiDOL9bV3WzhdTXwQ17DqLY2SYktcp5i
-Q5uC5IRLCY7moCTOMjeg6RDXaIz9DsShT0SNpxuZx/XF5g6HV/CdKMjNzKojPuMX
-rBiVCIM/sp+r1p9rk7jDWy2sbS0TXOMFQf+scf2BZtFipoNZDhNZ3LfYg+HI9Zjo
-Ic4GqSXQ5kS1n7OXxrh7XZCo/PzjVRxtJGnQCFEBtuGT10jF1Il7c4QPJgOa/XI0
-4OZE+nHcSfZjFXo1+hlJYcE+IggRSW+UzmKxbZYMrfKfgf+zwuaL3EC2XgzBuUjr
-YptvXT+AtC2eThwvts4TmE7WBsGMqgIt5BPkrgqILD+c16ty4uBqlQIDAQABo10w
-WzAcBgNVHREEFTATgRFhZG1pbkBmcmlwb3N0Lm9yZzAMBgNVHRMBAf8EAjAAMA4G
-A1UdDwEB/wQEAwICpDAdBgNVHQ4EFgQUTdOW7rIhDPUoInZJ3KBO+tvvHMEwDQYJ
-KoZIhvcNAQENBQADggIBADpn7Cv7Ua6jcA3gDfWqyx9DXH8q213b8ZSTiGdkwQjh
-7DMM98u04cOKu/PLDQKbsW5IldZnd7vcPOowp40LlXoXWfmJFOHUtjmWzHieqLnn
-9uxwVgqx1vtCP+XXNEKHc0LlVsRze0LQJducjtrV8cIOd7nnXyXwr5dc4Cb+u3SB
-28gwuUSapdnCpTKKNoWgFeRAxQMaaV1v3lfkO4UKdT4bHNl+9b4BhOKCVB6ujgvC
-R+iUoz2MAaP62m6f4pIPq+ftlaZFCbss6O6aCgqyCtt+8bTJZoGmig3iDzvzMK6D
-lYf8i9rnTeBglBA7pcVzpmDFdMLIod6fpFnVpnun6fxyuS23ch9aJR4osuGVVLY/
-zasF7bbYHQJcggCTdK3ZdCnTV8BjEXBtzJ5b4pD4x+EBeohZ3gV57Wlyr2RHhu7s
-IIDC9yp5B32gFhq58rKQz81cMC21eX25OiRFuLSP6DDQAuJYP3ULEs0GiGnG1+ly
-pMTbXMwmQAr/GPQutGLqVgv8OqtxkBiPj0ntuucyjq5u+6AQz5v+4rc9gTbzYenU
-io9pHYZJ5FQWHs1ouy3BAJstvn2HkKBBJu2SA8PfNw3WFysK6ERKEMjtIl/KASze
-X/TgfTYkoaDqFtJdK1eRlipWiIqBbqb3A3h4XpiDIXg7QcdNLnT4I2AkBs2n9Nv6
------END CERTIFICATE-----
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxTeb+3JbGNu41TpoeJBz
+Ij6nC0m+yBHmGTR570XdVZuhfx0bJ4lwqnbo7ntWqC7HFS0DHokHdkdINKCyLnvA
+xuxWkK3lhZgJlCu5MLKHEGGcIMyzLzrZnNHhpxuAeMSY0Ew0wLnrb/M1SQKHJSU8
+ZIt6DpclCr6EVOu6tIQ/d8YLsisccBjJy+Km6y3H+wa8ExdpIVjhDsvz2mEA1sQx
+baBumfx7Rvj5oiw9BD22sGd4lD11gpl895X7Svg+Ly++DGEXOrstdF2E9smNC6Pc
+MbT4dWvdfCATrg/nz/PaaL7PwVoSNgWMmDaZVyQM4JDc/MwP1Jkbi3MukqF8fGC7
+CGogzi/W1d1s4XU18ENew6i2NkmJLXKeYkObguSESwmO5qAkzjI3oOkQ12iM/Q7E
+oU9Ejacbmcf1xeYOh1fwnSjIzcyqIz7jF6wYlQiDP7Kfq9afa5O4w1strG0tE1zj
+BUH/rHH9gWbRYqaDWQ4TWdy32IPhyPWY6CHOBqkl0OZEtZ+zl8a4e12QqPz841Uc
+bSRp0AhRAbbhk9dIxdSJe3OEDyYDmv1yNODmRPpx3En2YxV6NfoZSWHBPiIIEUlv
+lM5isW2WDK3yn4H/s8Lmi9xAtl4MwblI62Kbb10/gLQtnk4cL7bOE5hO1gbBjKoC
+LeQT5K4KiCw/nNercuLgapUCAwEAAQ==
+-----END PUBLIC KEY-----
diff --git a/certs/ipsec/mistral.pem b/certs/ipsec/mistral.pem
index 5267b8e..936804a 100644
--- a/certs/ipsec/mistral.pem
+++ b/certs/ipsec/mistral.pem
@@ -1,32 +1,14 @@
------BEGIN CERTIFICATE-----
-MIIFbjCCA1agAwIBAgIJAIUSa/zsUYWuMA0GCSqGSIb3DQEBDQUAMEcxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVJUFNlYzEQ
-MA4GA1UEAwwHbWlzdHJhbDAeFw0xNjA1MjExMzIzMDlaFw0yNjA1MTkxMzIzMDla
-MEcxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQL
-DAVJUFNlYzEQMA4GA1UEAwwHbWlzdHJhbDCCAiIwDQYJKoZIhvcNAQEBBQADggIP
-ADCCAgoCggIBANHZ/qp0B3rFnhwHyXLXiLjrrDtfjTamYl/b0RSRv4DMQ3dml8hR
-jFjr6P4f/UJkIHev0g1MwOXEaH2QqMFBq7YNsCnEPyUdokNZ2MEk6RcaKzixLJZr
-hW1zQE6E44S3x1ZJzoqP2U4VA8nCKObIqsBcsciIBH8G2zTUz8oiNphUTn19XNq1
-K+wyqUX7O/ltq+ouUC/dQcLaS/CJIGAu9qqEZphou4W46kxXsApMgIY+9uD8bTCn
-tsRTtFdsEDDoL5tpZTndVRktavC2jV8DOTlSaX3QjlpParLFZR24KQUEJkjprixx
-xZ5Rbs7FhxCWjBd9PCS9aCr2dmjC5p9dQNFb5HOJTNkFQ5/UqmvKmOi95YPE+4LD
-4pN5w597L04yGVjokN+yanLpk91HNn3j4psMYgaHPRcefyZnZ64nNB5QZL8NVgGs
-L5IriWYzBKJyJhdtbZDIbjFIWBTBMy3H0eWZ3Lq43WH+F2jCUj4T+GRTwC3WZ+Xx
-lM/MdnPjDY+sOaRyh1Q9A6xzd38S1Pb/5s35Yq6TET/0jMFg7nuCEiEljBldhEoF
-TcvHa7K33myRFRx0oU6lALHEQ/3Q8fOcvUop14aFQPbSDfi4b2LmprXbDyeT1AaG
-zQl/fsknriQTHhBK6Sthk2nl7EQDu4wnsekGKFIdubNGaMrMvgI1ezqXAgMBAAGj
-XTBbMBwGA1UdEQQVMBOBEWFkbWluQGZyaXBvc3Qub3JnMAwGA1UdEwEB/wQCMAAw
-DgYDVR0PAQH/BAQDAgKkMB0GA1UdDgQWBBS4plbjknpBjMnP8y1rd+6V3Ukr+TAN
-BgkqhkiG9w0BAQ0FAAOCAgEAuNkWmCowz/8+NUL3gDBGIHrRXqlk+5YnD74j/ZrB
-45DBc7vTPj30+C9kBggfmJp9KY/WzpVge4OrvCj7t5HgVCpjA/o63s3zKpQMXqOK
-dSKPEGKqd1pI0rBfTcrdkSd151C3ThCZLfzdq5rQYaNLg4YcAOFjUox97vl5+Odk
-Mgo6VYyF8hKVtIB7IubL2Vcywg3kk3NDS85CCsN5lOWrnAOAvSP/CjIFLqDkuM2A
-L6n+tkcpDl213Xtnf8yzyl3Y0rmc0PtWcBLXOL7+euc5ja3gWVepvNfsnStUt6ik
-0TViwffHOc8N63n7yuADB9tH2+Bx0O32B+fMUzr4j3keOqDkvvxElng9LA2i0pzG
-Luw/jYarnFFwrvhKiwjS0JlmiJnKoclm/OiCl3eCtlQ9hEQfxHzx/n7Kj26W+4Ea
-TPyMbG2YkWuJ+iN+qFse4r6A/vp60BHY+pyyTcZmqiB1xPKqiAEnrYPfxpSnuYzV
-Qi+muD9xyr1IDanlOl4DqHMmhWW4WqUyJhrO9cOtokwvAhZq2r189e/wVlRs+Ysb
-lmpc6sxvx78mJVTJdkaMAac8BBUZ/cWZNIGcmc6XNpRlSIc4Lib9BAC3IVu9FpFA
-GnXpGOAUQ24SUtpt4O45pjbBTHR5ekeOL4sLge6g/lSqXrRBG7mSixGZGw3nbn1O
-gng=
------END CERTIFICATE-----
+-----BEGIN PUBLIC KEY-----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+-----END PUBLIC KEY-----
diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh
index 45e2181..01b279a 100755
--- a/roles/common/files/usr/local/bin/genkeypair.sh
+++ b/roles/common/files/usr/local/bin/genkeypair.sh
@@ -47,6 +47,7 @@ usage() {
x509: generate a self-signed X.509 server certificate
csr: generate a Certificate Signing Request
dkim: generate a private key (to use for DKIM signing)
+ keypair: generate a key pair
Options:
-t type: key type (default: rsa)
@@ -88,7 +89,7 @@ dkiminfo() {
[ $# -gt 0 ] || { usage; exit 2; }
cmd="$1"; shift
case "$cmd" in
- x509|csr|dkim) ;;
+ x509|csr|dkim|keypair) ;;
*) echo "Unrecognized command: $cmd" >&2; exit 2
esac
@@ -201,4 +202,6 @@ elif [ "$cmd" = x509 -o "$cmd" = csr ]; then
[ "$cmd" = x509 ] && x509=-x509 || x509=
openssl req -config "$config" -new $x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2
fi
+elif [ "$cmd" = keypair -a "$pubkey" ]; then
+ openssl pkey -pubout <"$privkey" >"$pubkey"
fi
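Review bot: The new `openssl pkey` call on the last added line drops the `|| exit 2` that the sibling `openssl req` line two lines above carries, so a failed export (unreadable private key, unsupported key type) still returns 0 and leaves an empty or truncated file in `$pubkey`. That matters because the caller in roles/common/tasks/ipsec.yml treats `rc == 0` as changed and only `rc > 1` as failed, and its following fetch task then copies whatever is in that file into certs/ipsec. Suggest `openssl pkey -pubout <"$privkey" >"$pubkey" || exit 2`. The `-a "$pubkey"` guard also means `keypair` without `--pubkey` silently does nothing and exits 0; an `else` arm printing a usage error and exiting 2 would surface that. The enclosing if/elif chain begins outside the hunk.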
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index b82c281..ca03c98 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -54,12 +54,11 @@
notify:
- Restart IPSec
-- name: Generate a private key and a X.509 certificate for IPSec
- command: genkeypair.sh x509
+- name: Generate a key pair for IPSec public key authentication
+ command: genkeypair.sh keypair
--pubkey=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
--privkey=/etc/ipsec.d/private/{{ inventory_hostname_short }}.key
- --ou=IPSec --cn={{ inventory_hostname_short }}
- -t rsa -b 4096 -h sha512
+ -t rsa -b 4096
register: r4
changed_when: r4.rc == 0
failed_when: r4.rc > 1
@@ -68,18 +67,18 @@
tags:
- genkey
-- name: Fetch IPSec X.509 certificate
+- name: Fetch the public part of IPSec host key
# Ensure we don't fetch private data
become: False
- fetch_cmd: cmd="openssl x509"
- stdin=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
- dest=certs/ipsec/{{ inventory_hostname_short }}.pem
+ fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
+ dest=certs/ipsec/{{ inventory_hostname_short }}.pem
+ fail_on_missing=yes flat=yes
tags:
- genkey
# Don't copy our pubkey due to a possible race condition. Only the
# remote machine has authority regarding its key.
-- name: Copy IPSec X.509 certificates (except ours)
+- name: Copy the public part of IPSec peers' key
copy: src=certs/ipsec/{{ hostvars[item].inventory_hostname_short }}.pem
dest=/etc/ipsec.d/certs/{{ hostvars[item].inventory_hostname_short }}.pem
owner=root group=root
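Review bot: The new `fetch` task copies /etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem byte-for-byte, whereas the replaced `fetch_cmd` piped it through `openssl x509` and so could only ever deliver a parseable certificate into certs/ipsec; after this change `become: False` is the only thing standing between the repository and whatever the remote file happens to contain. A cheap controller-side check that the fetched file really is a public key, e.g. `openssl pkey -pubin -noout -in certs/ipsec/{{ inventory_hostname_short }}.pem` run with `delegate_to: localhost`, would restore that property before the next task distributes the file to every peer. The `# Ensure we don't fetch private data` comment could also say that it now relies on the private-key directory being unreadable to the unprivileged SSH user rather than on any re-encoding of the data.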
diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2
index 4d6aa68..938f6b8 100644
--- a/roles/common/templates/etc/ipsec.conf.j2
+++ b/roles/common/templates/etc/ipsec.conf.j2
@@ -18,7 +18,8 @@ conn %default
leftauth = pubkey
left = %defaultroute
leftsubnet = {{ ipsec[inventory_hostname_short] | ipv4 }}/32
- leftcert = {{ inventory_hostname_short }}.pem
+ leftid = {{ inventory_hostname }}
+ leftsigkey = {{ inventory_hostname_short }}.pem
leftfirewall = yes
lefthostaccess = yes
rightauth = pubkey
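Review bot: With `leftsigkey` replacing `leftcert`, the identity a peer trusts this key for is no longer carried inside the key file but comes from the id settings, and this hunk sets `leftid = {{ inventory_hostname }}` while the peer-side `conn` in the second hunk adds only `rightsigkey` with no matching `rightid`; confirm that strongSwan still matches the FQDN this host asserts against the key loaded for it, in particular for the `rightallowany = yes` DynDNS peers whose address is not stable enough for an address-based default id. A short comment recording the contract would help, for example `# leftsigkey names a raw public key file (no expiry, no revocation): rotating a host key means re-running the copy task on every peer`. I believe a relative `leftsigkey` path is resolved under /etc/ipsec.d/certs, which is where the copy task places the peers' files, but that should be checked against the installed strongSwan version.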
@@ -34,7 +35,7 @@ conn {{ hostvars[host].inventory_hostname_short }}
{% if 'DynDNS' in hostvars[host].group_names %}
rightallowany = yes
{% endif %}
- rightcert = {{ hostvars[host].inventory_hostname_short }}.pem
+ rightsigkey = {{ hostvars[host].inventory_hostname_short }}.pem
rightsubnet = {{ ipsec[ hostvars[host].inventory_hostname_short ] | ipv4 }}/32
{% if 'NATed' not in group_names and 'NATed' in hostvars[host].group_names %}
mobike = yes