authorGuilhem Moulin <guilhem@fripost.org>2016-05-24 17:11:11 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-05-24 17:12:10 +0200
commit1af3c572eedb0eaddcdc5c9c41d98ff59bb7b2c9 (patch)
tree6af69fd639a051b483528b03959985ab806b2c1c /roles
parent61ee02ffb5402d93eae59001b91197957a8dcfe2 (diff)
IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication.
There is no need to bother with X.509 cruft here.
Diffstat (limited to 'roles')
-rwxr-xr-xroles/common/files/usr/local/bin/genkeypair.sh5
-rw-r--r--roles/common/tasks/ipsec.yml17
-rw-r--r--roles/common/templates/etc/ipsec.conf.j25
3 files changed, 15 insertions, 12 deletions
diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh
index 45e2181..01b279a 100755
--- a/roles/common/files/usr/local/bin/genkeypair.sh
+++ b/roles/common/files/usr/local/bin/genkeypair.sh
@@ -47,6 +47,7 @@ usage() {
x509: generate a self-signed X.509 server certificate
csr: generate a Certificate Signing Request
dkim: generate a private key (to use for DKIM signing)
+ keypair: generate a key pair
Options:
-t type: key type (default: rsa)
@@ -88,7 +89,7 @@ dkiminfo() {
[ $# -gt 0 ] || { usage; exit 2; }
cmd="$1"; shift
case "$cmd" in
- x509|csr|dkim) ;;
+ x509|csr|dkim|keypair) ;;
*) echo "Unrecognized command: $cmd" >&2; exit 2
esac
@@ -201,4 +202,6 @@ elif [ "$cmd" = x509 -o "$cmd" = csr ]; then
[ "$cmd" = x509 ] && x509=-x509 || x509=
openssl req -config "$config" -new $x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2
fi
+elif [ "$cmd" = keypair -a "$pubkey" ]; then
+ openssl pkey -pubout <"$privkey" >"$pubkey"
fi
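Review bot: The new keypair branch drops the `|| exit 2` that the x509/csr branch a few lines above uses, so if `openssl pkey` fails (for example an unreadable private key) the shell redirection has already created `$pubkey` and the script still exits 0 with an empty or truncated public key file. The caller in roles/common/tasks/ipsec.yml (second file, first hunk) treats rc 0 as "changed" and only rc > 1 as failed, so that empty `.pem` would then be fetched and distributed to peers as this host's public key. Suggest `openssl pkey -pubout <"$privkey" >"$pubkey" || exit 2`; writing to a temporary file and renaming it into place only on success would additionally avoid leaving a partial file behind. The enclosing if/elif chain starts outside the hunk.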
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index b82c281..ca03c98 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -54,12 +54,11 @@
notify:
- Restart IPSec
-- name: Generate a private key and a X.509 certificate for IPSec
- command: genkeypair.sh x509
+- name: Generate a key pair for IPSec public key authentication
+ command: genkeypair.sh keypair
--pubkey=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
--privkey=/etc/ipsec.d/private/{{ inventory_hostname_short }}.key
- --ou=IPSec --cn={{ inventory_hostname_short }}
- -t rsa -b 4096 -h sha512
+ -t rsa -b 4096
register: r4
changed_when: r4.rc == 0
failed_when: r4.rc > 1
@@ -68,18 +67,18 @@
tags:
- genkey
-- name: Fetch IPSec X.509 certificate
+- name: Fetch the public part of IPSec host key
# Ensure we don't fetch private data
become: False
- fetch_cmd: cmd="openssl x509"
- stdin=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
- dest=certs/ipsec/{{ inventory_hostname_short }}.pem
+ fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
+ dest=certs/ipsec/{{ inventory_hostname_short }}.pem
+ fail_on_missing=yes flat=yes
tags:
- genkey
# Don't copy our pubkey due to a possible race condition. Only the
# remote machine has authority regarding its key.
-- name: Copy IPSec X.509 certificates (except ours)
+- name: Copy the public part of IPSec peers' key
copy: src=certs/ipsec/{{ hostvars[item].inventory_hostname_short }}.pem
dest=/etc/ipsec.d/certs/{{ hostvars[item].inventory_hostname_short }}.pem
owner=root group=root
diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2
index 4d6aa68..938f6b8 100644
--- a/roles/common/templates/etc/ipsec.conf.j2
+++ b/roles/common/templates/etc/ipsec.conf.j2
@@ -18,7 +18,8 @@ conn %default
leftauth = pubkey
left = %defaultroute
leftsubnet = {{ ipsec[inventory_hostname_short] | ipv4 }}/32
- leftcert = {{ inventory_hostname_short }}.pem
+ leftid = {{ inventory_hostname }}
+ leftsigkey = {{ inventory_hostname_short }}.pem
leftfirewall = yes
lefthostaccess = yes
rightauth = pubkey
@@ -34,7 +35,7 @@ conn {{ hostvars[host].inventory_hostname_short }}
{% if 'DynDNS' in hostvars[host].group_names %}
rightallowany = yes
{% endif %}
- rightcert = {{ hostvars[host].inventory_hostname_short }}.pem
+ rightsigkey = {{ hostvars[host].inventory_hostname_short }}.pem
rightsubnet = {{ ipsec[ hostvars[host].inventory_hostname_short ] | ipv4 }}/32
{% if 'NATed' not in group_names and 'NATed' in hostvars[host].group_names %}
mobike = yes
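Review bot: The peer conn block binds the raw key with `rightsigkey` but this hunk sets no `rightid`, while the first hunk of this file now has each host present `leftid = {{ inventory_hostname }}`. With raw public keys there is no certificate subject to derive an identity from, so if `rightid` is not set elsewhere in this conn the key is presumably bound to the default identity (the `right` address), which would not match the FQDN the peer sends as its identity; for `DynDNS` hosts with `rightallowany = yes` an address-based identity is unreliable in any case. Suggest adding `rightid = {{ hostvars[host].inventory_hostname }}` next to `rightsigkey`, and confirming against the strongSwan ipsec.conf documentation that the key loaded via `rightsigkey` is associated with that identity. The conn block begins outside the hunk.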