diff options
| -rw-r--r-- | roles/common-LDAP/tasks/main.yml | 2 | ||||
| -rwxr-xr-x | roles/common/files/usr/local/bin/genkeypair.sh | 4 |
2 files changed, 3 insertions, 3 deletions
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml index e86fa45..60ccc76 100644 --- a/roles/common-LDAP/tasks/main.yml +++ b/roles/common-LDAP/tasks/main.yml @@ -26,41 +26,41 @@ - name: Create directory /etc/ldap/ssl file: path=/etc/ldap/ssl state=directory owner=root group=root mode=0755 tags: - genkey # XXX: It's ugly to list all roles here, and to prunes them with a # conditional... - name: Generate a private key and a X.509 certificate for slapd # XXX: GnuTLS (libgnutls26 2.12.20-8+deb7u2, found in Wheezy) doesn't # support ECDSA; and slapd doesn't seem to support DHE (!?) so # we're stuck with "plain RSA" Key-Exchange. Also, there is a bug with # SHA-512. command: genkeypair.sh x509 --pubkey=/etc/ldap/ssl/{{ item.name }}.pem --privkey=/etc/ldap/ssl/{{ item.name }}.key --ou=LDAP {{ item.ou }} --cn={{ item.name }} - --usage=digitalSignature,keyEncipherment + --usage=digitalSignature,keyEncipherment,keyCertSign -t rsa -b 4096 -h sha256 --chown="root:openldap" --chmod=0640 register: r2 changed_when: r2.rc == 0 failed_when: r2.rc > 1 with_items: - { group: 'LDAP-provider', name: ldap.fripost.org, ou: } - { group: 'MX', name: mx, ou: --ou=SyncRepl } - { group: 'lists', name: lists, ou: --ou=SyncRepl } when: "item.group in group_names" tags: - genkey - name: Fetch slapd's X.509 certificate # Ensure we don't fetch private data sudo: False fetch: src=/etc/ldap/ssl/{{ item.name }}.pem dest=certs/ldap/ fail_on_missing=yes flat=yes diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh index dda0f28..d6539e2 100755 --- a/roles/common/files/usr/local/bin/genkeypair.sh +++ b/roles/common/files/usr/local/bin/genkeypair.sh @@ -43,41 +43,41 @@ usage() { Usage: $0 command [OPTIONS] Command: x509: generate a self-signed X.509 server certificate csr: generate a Certificate Signing Request dkim: generate a private key (to use for DKIM signing) Options: -t type: key type (default: rsa) -b bits: key length or EC curve (default: 2048 for RSA, 1024 for DSA, secp224r1 for ECDSA) -h digest: digest algorithm --ou: organizational Unit Name; can be repeated --cn: common Name (default: \$(hostname --fqdn) --dns: hostname for AltName; can be repeated -f: force; can be repeated (0: don't overwrite, default; 1: reuse private key if it exists; 2: overwrite both keys if they exist) --config: configuration file --pubkey: public key file (default: pubkey.pem) --privkey: private key file (default: privkey.pem; created with og-rwx) - --usage: key usage (default: digitalSignature,keyEncipherment) + --usage: key usage (default: digitalSignature,keyEncipherment,keyCertSign) --chmod: chmod the private key --chown: chown the private key Return values: 0 The key pair was successfully generated 1 The public or private key file exists, and -f is not set 2 The key generation failed EOF } dkiminfo() { echo "Add the following TXT record to your DNS zone:" echo "${cn:-$(date +%Y%m%d)}._domainkey\tIN\tTXT ( " # See https://tools.ietf.org/html/rfc4871#section-3.6.1 # t=s: the "i=" domain in signature headers MUST NOT be a subdomain of "d=" # s=email: limit DKIM signing to email openssl pkey -pubout <"$privkey" | sed '/^--.*--$/d' \ | { echo -n "v=DKIM1; k=$type; t=s; s=email; p="; tr -d '\n'; } \ | fold -w 250 \ | { sed 's/.*/\t"&"/'; echo ' )'; } @@ -154,41 +154,41 @@ if [ -z "$config" -a \( "$cmd" = x509 -o "$cmd" = csr \) ]; then # see /usr/share/ssl-cert/ssleay.cnf cat >"$config" <<- EOF [ req ] distinguished_name = req_distinguished_name prompt = no policy = policy_anything req_extensions = v3_req x509_extensions = v3_req [ req_distinguished_name ] organizationName = Fripost organizationalUnitName = SSLcerts $(echo "$ou") commonName = $cn [ v3_req ] subjectAltName = email:admin@fripost.org${dns:+, $dns} basicConstraints = critical, CA:FALSE # https://security.stackexchange.com/questions/24106/which-key-usages-are-required-by-each-key-exchange-method - keyUsage = critical, ${usage:-digitalSignature, keyEncipherment} + keyUsage = critical, ${usage:-digitalSignature, keyEncipherment, keyCertSign} EOF fi if [ -s "$privkey" -a $force -eq 0 ]; then echo "Error: private key exists: $privkey" >&2 [ "$cmd" = dkim ] && dkiminfo exit 1 elif [ ! -s "$privkey" -o $force -ge 2 ]; then # Ensure "$privkey" is created with umask 0077 mv -f "$(mktemp)" "$privkey" || exit 2 chmod "${chmod:-og-rwx}" "$privkey" || exit 2 [ -z "$chown" ] || chown "$chown" "$privkey" || exit 2 openssl $genkey -rand /dev/urandom $genkeyargs >"$privkey" || exit 2 [ "$cmd" = dkim ] && { dkiminfo; exit; } fi if [ "$cmd" = x509 -o "$cmd" = csr ]; then if [ -s "$pubkey" -a $force -eq 0 ]; then echo "Error: public key exists: $pubkey" >&2 exit 1 |