From 1af3c572eedb0eaddcdc5c9c41d98ff59bb7b2c9 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Tue, 24 May 2016 17:11:11 +0200
Subject: IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication.

There is no need to bother with X.509 cruft here.
---
certs/ipsec/antilop.pem | 46 ++++++++------------------
certs/ipsec/benjamin.pem | 46 ++++++++------------------
certs/ipsec/civett.pem | 45 ++++++++----------------
certs/ipsec/elefant.pem | 46 ++++++++------------------
certs/ipsec/giraff.pem | 45 ++++++++----------------
certs/ipsec/mistral.pem | 46 ++++++++------------------
roles/common/files/usr/local/bin/genkeypair.sh | 5 ++-
roles/common/tasks/ipsec.yml | 17 +++++-----
roles/common/templates/etc/ipsec.conf.j2 | 5 +--
9 files changed, 99 insertions(+), 202 deletions(-)
diff --git a/certs/ipsec/antilop.pem b/certs/ipsec/antilop.pem
index cdb3809..effcc1f 100644
--- a/certs/ipsec/antilop.pem
+++ b/certs/ipsec/antilop.pem
@@ -1,32 +1,14 @@
------BEGIN CERTIFICATE-----
-MIIFbjCCA1agAwIBAgIJAK1L1Q45QyGyMA0GCSqGSIb3DQEBDQUAMEcxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVJUFNlYzEQ
-MA4GA1UEAwwHYW50aWxvcDAeFw0xNjA1MjExMzIwMjBaFw0yNjA1MTkxMzIwMjBa
-MEcxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQL
-DAVJUFNlYzEQMA4GA1UEAwwHYW50aWxvcDCCAiIwDQYJKoZIhvcNAQEBBQADggIP
-ADCCAgoCggIBAPZCYTbXuTseBaYueoPorgtGGUe6/e3j5SStzCwb4flNniqqVoCq
-JXxSg72IAmwTrsnUwWx/iNm/g7N15/509rW5mE+YXksoDYORig32F9TtVEinUuHz
-EDh+nYis/YzoOM1ErdDpQL880ydskTaqvKKLGdigaosvFUJMUYhqYPnw1opQIH5r
-6YRqTz9l8GThuA+6Ujb7mlvSv6Pk4pMcRNb3cnDoDD2YJ0U0gOXah6Sw9VEFmh/U
-bv0eietvLTy1RvqiC/I6IpR1kZb5jtTo5EHkXqc2hyDNppAWW59YmIoJNIFuC8/Q
-nFM2d9JIP6RGY0bu5TaYmM4xpnSzgX0dIQ9ysZXP8uqZj/StaONtohxxpqnUiT+X
-hQQdX2sW4/6vAyl5m6ukXqKPwapOuQN2ZDDRHWq68qoPu5w+b9AlKHUnpbxNh6JO
-6M3e09TPg/+uQ8OBw37fRixIvfZlpWeGy513l1NKlnJwkjiR8jmnsbMQ8yKLrXbH
-JXAXHI8J681JALVm1hi1uwr8N58Tg/L1MRpG1vIT9rmdNsUZWEWSmEt6FLWgKs5J
-bMIx4jILrvxxaGOa40G7JuKiaKN7u5RqRm3IBWeoNPQN+axZj2pe3n2AqMZP8a5p
-dYPz0mzE7xTCS++kYcmwHJwlylRbRGmAFHb22T/lnSR4WdaxcShnBI8hAgMBAAGj
-XTBbMBwGA1UdEQQVMBOBEWFkbWluQGZyaXBvc3Qub3JnMAwGA1UdEwEB/wQCMAAw
-DgYDVR0PAQH/BAQDAgKkMB0GA1UdDgQWBBQlgc0BvZLpfrqs9jXqUXVxMxYNlzAN
-BgkqhkiG9w0BAQ0FAAOCAgEAIJ85xKCU/s4EbcodFL6walMLsaXKnEHo0oY29EUv
-bGl+1qzlWuedwXti5ND+6a5iO8RMHtexOoQ+GTUBv/wMGgiElvkvtT9FsFxijnh3
-D4a3TqFQTVRTUuJVP/uULe18eScAyWVdArL1NJHDz/GoHjtUdzfCVKgTMNWIx4yC
-E5i3IGJsGDAFLl19N5if+TfGjj90QkH1TzC4jOF6Y3oxkY4ZVwLtb0E/uR/zk8HI
-9wF7lw2/5J+aqyyaWnsd66fzJGk/3lELWJbOvXN6KbS3YcWOhXrOV7ijdZRyaHWo
-jB7nWRjLfb8KUSNXnzq4/8Zs3ka6WeBDB1pd4glcKeaMOdm5K/NspsS8ziGWHeoQ
-XlFFxP/Msw5NlUvlSjZ3qZzNg4550Ci/FweBavGihSCakmkZMvq7Kvg67j6mStZS
-Qm5t+sVTiJ036+m1TcUpfRJ9VPkYFhA25Bk+XKctxTu2Hcs2P9Q60oO3BGkTIoPQ
-uKjE/HtTuLb7RtaMtUs8K1j9Pq9j9F271EAOb7JzQlhEt0w+QQyoiQVPOD0RZ6T3
-LAzXz0qX0fEk2DOf6jCjNJg4TJaWzLaVo4lkTv4dcYSvZlZnDwSX6h/LoizP6zYK
-voqUuBt9+hksXPenDT/lCaYv2w+C4NdzsH4FQ5FUNPVqGdyqA9pynDxrjELkTaNp
-DZw=
------END CERTIFICATE-----
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9kJhNte5Ox4Fpi56g+iu
+C0YZR7r97ePlJK3MLBvh+U2eKqpWgKolfFKDvYgCbBOuydTBbH+I2b+Ds3Xn/nT2
+tbmYT5heSygNg5GKDfYX1O1USKdS4fMQOH6diKz9jOg4zUSt0OlAvzzTJ2yRNqq8
+oosZ2KBqiy8VQkxRiGpg+fDWilAgfmvphGpPP2XwZOG4D7pSNvuaW9K/o+TikxxE
+1vdycOgMPZgnRTSA5dqHpLD1UQWaH9Ru/R6J628tPLVG+qIL8joilHWRlvmO1Ojk
+QeRepzaHIM2mkBZbn1iYigk0gW4Lz9CcUzZ30kg/pEZjRu7lNpiYzjGmdLOBfR0h
+D3Kxlc/y6pmP9K1o422iHHGmqdSJP5eFBB1faxbj/q8DKXmbq6Reoo/Bqk65A3Zk
+MNEdarryqg+7nD5v0CUodSelvE2Hok7ozd7T1M+D/65Dw4HDft9GLEi99mWlZ4bL
+nXeXU0qWcnCSOJHyOaexsxDzIoutdsclcBccjwnrzUkAtWbWGLW7Cvw3nxOD8vUx
+GkbW8hP2uZ02xRlYRZKYS3oUtaAqzklswjHiMguu/HFoY5rjQbsm4qJoo3u7lGpG
+bcgFZ6g09A35rFmPal7efYCoxk/xrml1g/PSbMTvFMJL76RhybAcnCXKVFtEaYAU
+dvbZP+WdJHhZ1rFxKGcEjyECAwEAAQ==
+-----END PUBLIC KEY-----
diff --git a/certs/ipsec/benjamin.pem b/certs/ipsec/benjamin.pem
index 57c9052..bfb094e 100644
--- a/certs/ipsec/benjamin.pem
+++ b/certs/ipsec/benjamin.pem
@@ -1,32 +1,14 @@
------BEGIN CERTIFICATE-----
-MIIFcDCCA1igAwIBAgIJAJkbw4unO7z/MA0GCSqGSIb3DQEBDQUAMEgxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVJUFNlYzER
-MA8GA1UEAwwIYmVuamFtaW4wHhcNMTYwNTIxMTMyMTIwWhcNMjYwNTE5MTMyMTIw
-WjBIMRAwDgYDVQQKDAdGcmlwb3N0MREwDwYDVQQLDAhTU0xjZXJ0czEOMAwGA1UE
-CwwFSVBTZWMxETAPBgNVBAMMCGJlbmphbWluMIICIjANBgkqhkiG9w0BAQEFAAOC
-Ag8AMIICCgKCAgEAwOODNQ5sdVXFrzAeo9bChbauUP69uXoc6OP/l1xB9kjzmErE
-noAlVjKO05nUE6Uus03/RkEPdyaMCfKarAhbFHaowtylUjUcIsVJkGsem4vRtuLv
-929vLx4TdL8BN5NCMsXOecoI5z//lfJ4YVfpmLQ+OUM8kWNcHOPRpnLLZq/Pwvn9
-3WbzWmxlcmVZUwq66f0N9zBSk8678TikZGx2dJ/HZwigswo0PSxTIbvE2eoDdFoh
-i9RrBxpXTnsxCAXpFIV7SLobw+tQvuv+r2oK5oGOnHIGmJZWVC3bRIb+PPELeB1g
-3TfNz7bP5PRKpXnP0cdK/0J2A+vQqArr8ACsgzxsKUb7t9OASLH14fQ25FJ3nsc+
-CS9snXIxJourd5d2cyhMe3xBo0tzPLC8sc3mwIyuz60o0pOjvIfzlYyldtYk3CTC
-VKMs1UpLnea8DDIvzhWn+TLX2yAKS/KNG0Tw72aLc86ZUVKV0+fkwjRWtIAWSJQZ
-L/tOl4iDyU+T9dG9dDR1KlsfW0JBGTkyZOLZrSBVQvDj/aUQjgc8e54MghJsS5Qd
-AvD2rTO5liqB8YzHY77Nj2d4f5kqBHj41KwtGOQT4nXYI+rdOpkmkMj5kOGoeRIC
-Sv+eszXADnHHtoPS73rjej0gseibSvvm9n3iKkd5mm2N2oZ9Q5pF52CUFfMCAwEA
-AaNdMFswHAYDVR0RBBUwE4ERYWRtaW5AZnJpcG9zdC5vcmcwDAYDVR0TAQH/BAIw
-ADAOBgNVHQ8BAf8EBAMCAqQwHQYDVR0OBBYEFEDI1UY3Ng7TSEMllOYaasPL05JK
-MA0GCSqGSIb3DQEBDQUAA4ICAQCy/YSxqCu6r4H0+XPdoz9TYoIkW3V4f7nupw09
-q6Zhpnl4T5a7WJnY/6Pda9Y+4f1+uR1OMJ+kgH4K6RyCjzobgjEGpVlxBpmA/8Q/
-634zc1cUna/sa7Jd/taTnqTZRbT7C9aZyIkJoN0Cco/k8QI6gvsMmGDh37nS6keB
-opy5XBTVEcysH8JPVlVFwGm+FL7n45GM7A4ju6wujeyAJ9I7IxFJM5d8B5r6zt5L
-MAdMYdPDR6TRyKcmEbsb0Jq+dI8kQFRr0IApIb8m+Z3O0AyBqtdGX+EQIoXijGH0
-NRPN6YKPU1U0Ha2ti3VRalVSHuvk+/kBYNeCZA3DB0QT9obLOj/CrOMutfXtsNUU
-eG7x+L/sjHnVSaKOQ5rtAcoF1GrqAGnmZTN0H9IbAG8/WU9pefNHQt7V5+5xtDmA
-ywMHqRgYQKTD4CRhmGgqcHEr6ls7rhI7YbAoTgwbUMe9kHdVFiE3ZutYSkWln5E0
-Jc/K6LXo0kiwMgsEG98qNzlNRHsvp+UHuKaiuBD28HwLxGo1M5rp3MItm9FoMPpm
-tUcEp2/6RJLrSZNLU6Lx9ZF3HIj0e42e+laIfu46o8ZEIsvwac3iZN/nonxTGaoy
-n4W1AW/F8cXpO0YG7xtyHyTL+d/1WmurpXKgKmE+0mOMeAJjQn9G4aUl+/UkPlGb
-V/aK7w==
------END CERTIFICATE-----
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwOODNQ5sdVXFrzAeo9bC
+hbauUP69uXoc6OP/l1xB9kjzmErEnoAlVjKO05nUE6Uus03/RkEPdyaMCfKarAhb
+FHaowtylUjUcIsVJkGsem4vRtuLv929vLx4TdL8BN5NCMsXOecoI5z//lfJ4YVfp
+mLQ+OUM8kWNcHOPRpnLLZq/Pwvn93WbzWmxlcmVZUwq66f0N9zBSk8678TikZGx2
+dJ/HZwigswo0PSxTIbvE2eoDdFohi9RrBxpXTnsxCAXpFIV7SLobw+tQvuv+r2oK
+5oGOnHIGmJZWVC3bRIb+PPELeB1g3TfNz7bP5PRKpXnP0cdK/0J2A+vQqArr8ACs
+gzxsKUb7t9OASLH14fQ25FJ3nsc+CS9snXIxJourd5d2cyhMe3xBo0tzPLC8sc3m
+wIyuz60o0pOjvIfzlYyldtYk3CTCVKMs1UpLnea8DDIvzhWn+TLX2yAKS/KNG0Tw
+72aLc86ZUVKV0+fkwjRWtIAWSJQZL/tOl4iDyU+T9dG9dDR1KlsfW0JBGTkyZOLZ
+rSBVQvDj/aUQjgc8e54MghJsS5QdAvD2rTO5liqB8YzHY77Nj2d4f5kqBHj41Kwt
+GOQT4nXYI+rdOpkmkMj5kOGoeRICSv+eszXADnHHtoPS73rjej0gseibSvvm9n3i
+Kkd5mm2N2oZ9Q5pF52CUFfMCAwEAAQ==
+-----END PUBLIC KEY-----
diff --git a/certs/ipsec/civett.pem b/certs/ipsec/civett.pem
index d0de31f..b6a2a23 100644
--- a/certs/ipsec/civett.pem
+++ b/certs/ipsec/civett.pem
@@ -1,31 +1,14 @@
------BEGIN CERTIFICATE-----
-MIIFbDCCA1SgAwIBAgIJAN3ZQpjOL9/yMA0GCSqGSIb3DQEBDQUAMEYxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVJUFNlYzEP
-MA0GA1UEAwwGY2l2ZXR0MB4XDTE2MDUyMTEzMjE1NVoXDTI2MDUxOTEzMjE1NVow
-RjEQMA4GA1UECgwHRnJpcG9zdDERMA8GA1UECwwIU1NMY2VydHMxDjAMBgNVBAsM
-BUlQU2VjMQ8wDQYDVQQDDAZjaXZldHQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
-ggIKAoICAQDmnVdJXUgGbvTIH9jKK+eIHOkaJMAcC+lXLFAMee9t7YVsyrpmCdt4
-fVTQJFBwp9GiW1Y+dqBQBWvr9z6l/m68CsZOJoJ5Telmcv42tpoDtf0eEANo17/D
-VRbQHJzJmAZQ7OkyPGFSKQy9XUqLq1+OkM+zRuy8TvnUa0mLdHR5ykEJl0P541mW
-yn1LMQON5cRzVMHwTmDSnPhzn+7YQU2sHpHKJaLVPq+yXaN1JoUglySIjlquk6Ji
-paAwMer8CHXnnjoQw+L6/bsZCc02Zz96M/CDqlow88Ut6o6qFR6L3B8go3qgSbbU
-ERB4n9KcyUyhwp+joIE1J2TkEfguumVYrS/j00pHKz1Iug9z0HqXKesWEOwy0f9C
-AbdpEnmk7+3nU8zJVVqmJjbdB2OS4Cy3R0jeNNu4P581NxEktETCSl3+bwAhvTN0
-QAs3mWNLuVEREoPGQr3sUq9kRfKah09VVgSHsQutf6/7A5oNd8zx48Ff3Mn7miS6
-aDbuWPLjCdRYczBO3y2PBQeZDANqa3SSTZvQgRFXnkey1Em1UtMIB3KCTYTuPU7G
-jlm2q+T/f2yL5K3zNrF+6X8HIrFb6xIkoYy6SCNYH2S4bXsRI3KlCFH+mIHuQJg8
-hVTlNOABfOoM9ZXmt+9zkWcy4QQiUA6Rbrtu7JOg34PorIm6XYUANQIDAQABo10w
-WzAcBgNVHREEFTATgRFhZG1pbkBmcmlwb3N0Lm9yZzAMBgNVHRMBAf8EAjAAMA4G
-A1UdDwEB/wQEAwICpDAdBgNVHQ4EFgQUjtpNnjSQRjO6regLVnpSvcnBaxUwDQYJ
-KoZIhvcNAQENBQADggIBAOZgyZp5le0PLCzMU1Qp96jfPUF0u/hdScQ9EVRzXjGT
-S6qhrEv5XYOCxU4XBzika071FaYo8OrEV3oq+Y7MtdQbK3pMKhN7ilSiX/dYFM3t
-cUEHwZ14e5OJ0NZfyWXk0GvGNURqn7r/AZWrfGn+uSe+ndxAZuV363NxQYPVbtTi
-dK81lkyue3CwSGdGh3BgyRrQ86JWvcjpFaCQeOENUtwlBfGDNEwtQ7I52NIEKxpX
-3pDvE0/x14JSx9pO3BXK6SH1zt/8bXiW9A8XEkMoVsAOL1ntrzCCLPM6mP2JEoDD
-vAEr360T5T4cTTym+4Or3gPm9RMwEfca3ZHzZkxUXChKn+YZ4r9kpWVgIxoIGZdd
-ZeoA/oO2feLPHM4whBP6x4tyceoqLyA11Gaj5JKtLJTGIb+1zjni8IVuINuWN/YD
-ZOfn+lGsL/qft2hQ/UopSXDcnVj+dxPdcWaUCfTN3oOqLDSTmcR2bbLmVDL8oMef
-pZlaSIJ6p4dGQAs4lwvROE8WTb6b21rNZy7O4Po2jpH5fhHsxgqEByvloYenaadV
-Oian0DfuKXdI7K4v1kq6UfRRwR3LzNnE9Gy9aeSKyCFZhg67CAeKgt6i5VmgrDGw
-rbIpPky5FUpUHkA1WMxP1Wl1ZESZRVLV2A1rUD4gzZiVV3cEM85r98GSogBleXR7
------END CERTIFICATE-----
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5p1XSV1IBm70yB/Yyivn
+iBzpGiTAHAvpVyxQDHnvbe2FbMq6ZgnbeH1U0CRQcKfRoltWPnagUAVr6/c+pf5u
+vArGTiaCeU3pZnL+NraaA7X9HhADaNe/w1UW0BycyZgGUOzpMjxhUikMvV1Ki6tf
+jpDPs0bsvE751GtJi3R0ecpBCZdD+eNZlsp9SzEDjeXEc1TB8E5g0pz4c5/u2EFN
+rB6RyiWi1T6vsl2jdSaFIJckiI5arpOiYqWgMDHq/Ah15546EMPi+v27GQnNNmc/
+ejPwg6paMPPFLeqOqhUei9wfIKN6oEm21BEQeJ/SnMlMocKfo6CBNSdk5BH4Lrpl
+WK0v49NKRys9SLoPc9B6lynrFhDsMtH/QgG3aRJ5pO/t51PMyVVapiY23QdjkuAs
+t0dI3jTbuD+fNTcRJLREwkpd/m8AIb0zdEALN5ljS7lRERKDxkK97FKvZEXymodP
+VVYEh7ELrX+v+wOaDXfM8ePBX9zJ+5okumg27ljy4wnUWHMwTt8tjwUHmQwDamt0
+kk2b0IERV55HstRJtVLTCAdygk2E7j1Oxo5Ztqvk/39si+St8zaxful/ByKxW+sS
+JKGMukgjWB9kuG17ESNypQhR/piB7kCYPIVU5TTgAXzqDPWV5rfvc5FnMuEEIlAO
+kW67buyToN+D6KyJul2FADUCAwEAAQ==
+-----END PUBLIC KEY-----
diff --git a/certs/ipsec/elefant.pem b/certs/ipsec/elefant.pem
index 25561ae..22ed188 100644
--- a/certs/ipsec/elefant.pem
+++ b/certs/ipsec/elefant.pem
@@ -1,32 +1,14 @@
------BEGIN CERTIFICATE-----
-MIIFbjCCA1agAwIBAgIJAO+HSCLdxxt9MA0GCSqGSIb3DQEBDQUAMEcxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVJUFNlYzEQ
-MA4GA1UEAwwHZWxlZmFudDAeFw0xNjA1MjExMzIyMjFaFw0yNjA1MTkxMzIyMjFa
-MEcxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQL
-DAVJUFNlYzEQMA4GA1UEAwwHZWxlZmFudDCCAiIwDQYJKoZIhvcNAQEBBQADggIP
-ADCCAgoCggIBALYLJRUZlY4xnWOJgaUsv9FDkTcTU2FtxMw4QHEL1lBRwl8gWx0O
-2bAfF4Jm9lGEMTjryDrMbx3YfonZ+jC7ZEisPNjuP7VpUgI9VIeN0L0W1f8ROvvB
-ByuRhC+1qitK1uU60jSQ+MdhkGeXz22d6xkthJi9v7ppx62rLlzQaS+GdumOuyvj
-hG3f+Mcw8u0Lw/stZ+PDEiG33DF/iDKWJvxq53SFk22BAsvpE1NfmY4RYZOz2qPK
-JGX2t6HPwwVW93vUKavAgYW2Tpy0iOoBi2zDU90md879Ttsju833NMk6g/RcrY15
-UsGep23LcXw/TGTzZa1Fsi8LxzfBwuTljmEye16j30HALxY7x68PmaPbER3WJy7A
-gvO3QuHKzU8fyTrTCBysCRlEnt37r0LyiAHeoaV3Ij5lXAG/2F5iJHLpW5Gv8uM9
-2wHjTCNTSF3L25rsKHUvNUbO9OcYCVXS2wEiysY/UEqOHW2C2auUmh+I0bbpYjjZ
-Xq/7KeGx43fdnmsG3W+KYtkZr4bvxZkscPAKvIMUx0DL/gjBA7Pv2BgMrF5XSxCj
-moFU8QSp/W4HWvajkwdZOR7dn1WWFL81Ctvbb4ago6u48AY6a4FHP3kbThDyQKDi
-8mL/YU35CiufgPX7N0k/pLYDViyRnC+WOi8Me5CPzZQSj7wtliyvGRKHAgMBAAGj
-XTBbMBwGA1UdEQQVMBOBEWFkbWluQGZyaXBvc3Qub3JnMAwGA1UdEwEB/wQCMAAw
-DgYDVR0PAQH/BAQDAgKkMB0GA1UdDgQWBBQ6/gMd6OCGn7QXO073QppLV5GfJDAN
-BgkqhkiG9w0BAQ0FAAOCAgEAVUOkssSdKXMP95GcnbIeGCCcZ3/mieYfOHZ4ndPV
-BaGd/4hmey29YNszRaAbAUOvdvnWHl3lcfgeu7H+qzKX/RpWnliL1CvtxNQ8ePor
-dNYpr6ah0MTwiP2dfxX6tLyH+rGaADz6IkeFZ/ZKO7CPcxfedjmY7Snk4mCDVmbZ
-XkDd1EkGePF6zU5wy/TRrckmoUm2cL2wXLv7hvIcDvKYta02+WspdRtKciw2RcNE
-2igIfTt69U6U4e5+g4jXTW3gI8wM2xjr1NDrzTTE8519mmpsfrQeOBHKOJgWjJWJ
-PjSwuaYrUIlYqB4mqL2BhakIuuH8P8Z68F9qelICiiSMGZu4wvZpIEDetaB0NlWP
-u5YE8kG/xD85p1bFC9H5/e7f8LKQz/ZxpazsKlUvMB0q4WBpTcoBrjnfjprLOjf8
-aeJ0kcAUSy8pR49rq7k9j8+onDqGoVV9mzAH9hzD1itU0hHKEB0uKH48XMRBhnUn
-ViXQZHRDuYDuUbvvKzss/Ul85S2OGwKWKUhOocFtDj57p38yCgbhffm31ja/N3Td
-hPLDA9u9oIL6Hh5GzDGdx7z4MoV1eTAQqCK/rk7XVHyt9hb1ADRETLT2NlgovkQq
-TFlHZ/9hCGAW8IcqzTDA4yCJ3XHZ8WLaUr9t3Rr7mUUnIB9cRJoZd3lkt/2bdvEI
-OHI=
------END CERTIFICATE-----
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtgslFRmVjjGdY4mBpSy/
+0UORNxNTYW3EzDhAcQvWUFHCXyBbHQ7ZsB8Xgmb2UYQxOOvIOsxvHdh+idn6MLtk
+SKw82O4/tWlSAj1Uh43QvRbV/xE6+8EHK5GEL7WqK0rW5TrSNJD4x2GQZ5fPbZ3r
+GS2EmL2/umnHrasuXNBpL4Z26Y67K+OEbd/4xzDy7QvD+y1n48MSIbfcMX+IMpYm
+/GrndIWTbYECy+kTU1+ZjhFhk7Pao8okZfa3oc/DBVb3e9Qpq8CBhbZOnLSI6gGL
+bMNT3SZ3zv1O2yO7zfc0yTqD9FytjXlSwZ6nbctxfD9MZPNlrUWyLwvHN8HC5OWO
+YTJ7XqPfQcAvFjvHrw+Zo9sRHdYnLsCC87dC4crNTx/JOtMIHKwJGUSe3fuvQvKI
+Ad6hpXciPmVcAb/YXmIkculbka/y4z3bAeNMI1NIXcvbmuwodS81Rs705xgJVdLb
+ASLKxj9QSo4dbYLZq5SaH4jRtuliONler/sp4bHjd92eawbdb4pi2Rmvhu/FmSxw
+8Aq8gxTHQMv+CMEDs+/YGAysXldLEKOagVTxBKn9bgda9qOTB1k5Ht2fVZYUvzUK
+29tvhqCjq7jwBjprgUc/eRtOEPJAoOLyYv9hTfkKK5+A9fs3ST+ktgNWLJGcL5Y6
+Lwx7kI/NlBKPvC2WLK8ZEocCAwEAAQ==
+-----END PUBLIC KEY-----
diff --git a/certs/ipsec/giraff.pem b/certs/ipsec/giraff.pem
index 1abb655..4d7e9f8 100644
--- a/certs/ipsec/giraff.pem
+++ b/certs/ipsec/giraff.pem
@@ -1,31 +1,14 @@
------BEGIN CERTIFICATE-----
-MIIFbDCCA1SgAwIBAgIJAJJw5lIqPzO2MA0GCSqGSIb3DQEBDQUAMEYxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVJUFNlYzEP
-MA0GA1UEAwwGZ2lyYWZmMB4XDTE2MDUyMTEzMjI0N1oXDTI2MDUxOTEzMjI0N1ow
-RjEQMA4GA1UECgwHRnJpcG9zdDERMA8GA1UECwwIU1NMY2VydHMxDjAMBgNVBAsM
-BUlQU2VjMQ8wDQYDVQQDDAZnaXJhZmYwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
-ggIKAoICAQDFN5v7clsY27jVOmh4kHMiPqcLSb7IEeYZNHnvRd1Vm6F/HRsniXCq
-dujue1aoLscVLQMeiQd2R0g0oLIue8DG7FaQreWFmAmUK7kwsocQYZwgzLMvOtmc
-0eGnG4B4xJjQTDTAuetv8zVJAoclJTxki3oOlyUKvoRU67q0hD93xguyKxxwGMnL
-4qbrLcf7BrwTF2khWOEOy/PaYQDWxDFtoG6Z/HtG+PmiLD0EPbawZ3iUPXWCmXz3
-lftK+D4vL74MYRc6uy10XYT2yY0Lo9wxtPh1a918IBOuD+fP89povs/BWhI2BYyY
-NplXJAzgkNz8zA/UmRuLcy6SoXx8YLsIaiDOL9bV3WzhdTXwQ17DqLY2SYktcp5i
-Q5uC5IRLCY7moCTOMjeg6RDXaIz9DsShT0SNpxuZx/XF5g6HV/CdKMjNzKojPuMX
-rBiVCIM/sp+r1p9rk7jDWy2sbS0TXOMFQf+scf2BZtFipoNZDhNZ3LfYg+HI9Zjo
-Ic4GqSXQ5kS1n7OXxrh7XZCo/PzjVRxtJGnQCFEBtuGT10jF1Il7c4QPJgOa/XI0
-4OZE+nHcSfZjFXo1+hlJYcE+IggRSW+UzmKxbZYMrfKfgf+zwuaL3EC2XgzBuUjr
-YptvXT+AtC2eThwvts4TmE7WBsGMqgIt5BPkrgqILD+c16ty4uBqlQIDAQABo10w
-WzAcBgNVHREEFTATgRFhZG1pbkBmcmlwb3N0Lm9yZzAMBgNVHRMBAf8EAjAAMA4G
-A1UdDwEB/wQEAwICpDAdBgNVHQ4EFgQUTdOW7rIhDPUoInZJ3KBO+tvvHMEwDQYJ
-KoZIhvcNAQENBQADggIBADpn7Cv7Ua6jcA3gDfWqyx9DXH8q213b8ZSTiGdkwQjh
-7DMM98u04cOKu/PLDQKbsW5IldZnd7vcPOowp40LlXoXWfmJFOHUtjmWzHieqLnn
-9uxwVgqx1vtCP+XXNEKHc0LlVsRze0LQJducjtrV8cIOd7nnXyXwr5dc4Cb+u3SB
-28gwuUSapdnCpTKKNoWgFeRAxQMaaV1v3lfkO4UKdT4bHNl+9b4BhOKCVB6ujgvC
-R+iUoz2MAaP62m6f4pIPq+ftlaZFCbss6O6aCgqyCtt+8bTJZoGmig3iDzvzMK6D
-lYf8i9rnTeBglBA7pcVzpmDFdMLIod6fpFnVpnun6fxyuS23ch9aJR4osuGVVLY/
-zasF7bbYHQJcggCTdK3ZdCnTV8BjEXBtzJ5b4pD4x+EBeohZ3gV57Wlyr2RHhu7s
-IIDC9yp5B32gFhq58rKQz81cMC21eX25OiRFuLSP6DDQAuJYP3ULEs0GiGnG1+ly
-pMTbXMwmQAr/GPQutGLqVgv8OqtxkBiPj0ntuucyjq5u+6AQz5v+4rc9gTbzYenU
-io9pHYZJ5FQWHs1ouy3BAJstvn2HkKBBJu2SA8PfNw3WFysK6ERKEMjtIl/KASze
-X/TgfTYkoaDqFtJdK1eRlipWiIqBbqb3A3h4XpiDIXg7QcdNLnT4I2AkBs2n9Nv6
------END CERTIFICATE-----
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxTeb+3JbGNu41TpoeJBz
+Ij6nC0m+yBHmGTR570XdVZuhfx0bJ4lwqnbo7ntWqC7HFS0DHokHdkdINKCyLnvA
+xuxWkK3lhZgJlCu5MLKHEGGcIMyzLzrZnNHhpxuAeMSY0Ew0wLnrb/M1SQKHJSU8
+ZIt6DpclCr6EVOu6tIQ/d8YLsisccBjJy+Km6y3H+wa8ExdpIVjhDsvz2mEA1sQx
+baBumfx7Rvj5oiw9BD22sGd4lD11gpl895X7Svg+Ly++DGEXOrstdF2E9smNC6Pc
+MbT4dWvdfCATrg/nz/PaaL7PwVoSNgWMmDaZVyQM4JDc/MwP1Jkbi3MukqF8fGC7
+CGogzi/W1d1s4XU18ENew6i2NkmJLXKeYkObguSESwmO5qAkzjI3oOkQ12iM/Q7E
+oU9Ejacbmcf1xeYOh1fwnSjIzcyqIz7jF6wYlQiDP7Kfq9afa5O4w1strG0tE1zj
+BUH/rHH9gWbRYqaDWQ4TWdy32IPhyPWY6CHOBqkl0OZEtZ+zl8a4e12QqPz841Uc
+bSRp0AhRAbbhk9dIxdSJe3OEDyYDmv1yNODmRPpx3En2YxV6NfoZSWHBPiIIEUlv
+lM5isW2WDK3yn4H/s8Lmi9xAtl4MwblI62Kbb10/gLQtnk4cL7bOE5hO1gbBjKoC
+LeQT5K4KiCw/nNercuLgapUCAwEAAQ==
+-----END PUBLIC KEY-----
diff --git a/certs/ipsec/mistral.pem b/certs/ipsec/mistral.pem
index 5267b8e..936804a 100644
--- a/certs/ipsec/mistral.pem
+++ b/certs/ipsec/mistral.pem
@@ -1,32 +1,14 @@
------BEGIN CERTIFICATE-----
-MIIFbjCCA1agAwIBAgIJAIUSa/zsUYWuMA0GCSqGSIb3DQEBDQUAMEcxEDAOBgNV
-BAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQLDAVJUFNlYzEQ
-MA4GA1UEAwwHbWlzdHJhbDAeFw0xNjA1MjExMzIzMDlaFw0yNjA1MTkxMzIzMDla
-MEcxEDAOBgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ4wDAYDVQQL
-DAVJUFNlYzEQMA4GA1UEAwwHbWlzdHJhbDCCAiIwDQYJKoZIhvcNAQEBBQADggIP
-ADCCAgoCggIBANHZ/qp0B3rFnhwHyXLXiLjrrDtfjTamYl/b0RSRv4DMQ3dml8hR
-jFjr6P4f/UJkIHev0g1MwOXEaH2QqMFBq7YNsCnEPyUdokNZ2MEk6RcaKzixLJZr
-hW1zQE6E44S3x1ZJzoqP2U4VA8nCKObIqsBcsciIBH8G2zTUz8oiNphUTn19XNq1
-K+wyqUX7O/ltq+ouUC/dQcLaS/CJIGAu9qqEZphou4W46kxXsApMgIY+9uD8bTCn
-tsRTtFdsEDDoL5tpZTndVRktavC2jV8DOTlSaX3QjlpParLFZR24KQUEJkjprixx
-xZ5Rbs7FhxCWjBd9PCS9aCr2dmjC5p9dQNFb5HOJTNkFQ5/UqmvKmOi95YPE+4LD
-4pN5w597L04yGVjokN+yanLpk91HNn3j4psMYgaHPRcefyZnZ64nNB5QZL8NVgGs
-L5IriWYzBKJyJhdtbZDIbjFIWBTBMy3H0eWZ3Lq43WH+F2jCUj4T+GRTwC3WZ+Xx
-lM/MdnPjDY+sOaRyh1Q9A6xzd38S1Pb/5s35Yq6TET/0jMFg7nuCEiEljBldhEoF
-TcvHa7K33myRFRx0oU6lALHEQ/3Q8fOcvUop14aFQPbSDfi4b2LmprXbDyeT1AaG
-zQl/fsknriQTHhBK6Sthk2nl7EQDu4wnsekGKFIdubNGaMrMvgI1ezqXAgMBAAGj
-XTBbMBwGA1UdEQQVMBOBEWFkbWluQGZyaXBvc3Qub3JnMAwGA1UdEwEB/wQCMAAw
-DgYDVR0PAQH/BAQDAgKkMB0GA1UdDgQWBBS4plbjknpBjMnP8y1rd+6V3Ukr+TAN
-BgkqhkiG9w0BAQ0FAAOCAgEAuNkWmCowz/8+NUL3gDBGIHrRXqlk+5YnD74j/ZrB
-45DBc7vTPj30+C9kBggfmJp9KY/WzpVge4OrvCj7t5HgVCpjA/o63s3zKpQMXqOK
-dSKPEGKqd1pI0rBfTcrdkSd151C3ThCZLfzdq5rQYaNLg4YcAOFjUox97vl5+Odk
-Mgo6VYyF8hKVtIB7IubL2Vcywg3kk3NDS85CCsN5lOWrnAOAvSP/CjIFLqDkuM2A
-L6n+tkcpDl213Xtnf8yzyl3Y0rmc0PtWcBLXOL7+euc5ja3gWVepvNfsnStUt6ik
-0TViwffHOc8N63n7yuADB9tH2+Bx0O32B+fMUzr4j3keOqDkvvxElng9LA2i0pzG
-Luw/jYarnFFwrvhKiwjS0JlmiJnKoclm/OiCl3eCtlQ9hEQfxHzx/n7Kj26W+4Ea
-TPyMbG2YkWuJ+iN+qFse4r6A/vp60BHY+pyyTcZmqiB1xPKqiAEnrYPfxpSnuYzV
-Qi+muD9xyr1IDanlOl4DqHMmhWW4WqUyJhrO9cOtokwvAhZq2r189e/wVlRs+Ysb
-lmpc6sxvx78mJVTJdkaMAac8BBUZ/cWZNIGcmc6XNpRlSIc4Lib9BAC3IVu9FpFA
-GnXpGOAUQ24SUtpt4O45pjbBTHR5ekeOL4sLge6g/lSqXrRBG7mSixGZGw3nbn1O
-gng=
------END CERTIFICATE-----
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0dn+qnQHesWeHAfJcteI
+uOusO1+NNqZiX9vRFJG/gMxDd2aXyFGMWOvo/h/9QmQgd6/SDUzA5cRofZCowUGr
+tg2wKcQ/JR2iQ1nYwSTpFxorOLEslmuFbXNAToTjhLfHVknOio/ZThUDycIo5siq
+wFyxyIgEfwbbNNTPyiI2mFROfX1c2rUr7DKpRfs7+W2r6i5QL91BwtpL8IkgYC72
+qoRmmGi7hbjqTFewCkyAhj724PxtMKe2xFO0V2wQMOgvm2llOd1VGS1q8LaNXwM5
+OVJpfdCOWk9qssVlHbgpBQQmSOmuLHHFnlFuzsWHEJaMF308JL1oKvZ2aMLmn11A
+0Vvkc4lM2QVDn9Sqa8qY6L3lg8T7gsPik3nDn3svTjIZWOiQ37JqcumT3Uc2fePi
+mwxiBoc9Fx5/Jmdnric0HlBkvw1WAawvkiuJZjMEonImF21tkMhuMUhYFMEzLcfR
+5ZncurjdYf4XaMJSPhP4ZFPALdZn5fGUz8x2c+MNj6w5pHKHVD0DrHN3fxLU9v/m
+zflirpMRP/SMwWDue4ISISWMGV2ESgVNy8drsrfebJEVHHShTqUAscRD/dDx85y9
+SinXhoVA9tIN+LhvYuamtdsPJ5PUBobNCX9+ySeuJBMeEErpK2GTaeXsRAO7jCex
+6QYoUh25s0Zoysy+AjV7OpcCAwEAAQ==
+-----END PUBLIC KEY-----
diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh
index 45e2181..01b279a 100755
--- a/roles/common/files/usr/local/bin/genkeypair.sh
+++ b/roles/common/files/usr/local/bin/genkeypair.sh
@@ -47,6 +47,7 @@ usage() {
 x509: generate a self-signed X.509 server certificate
 csr: generate a Certificate Signing Request
 dkim: generate a private key (to use for DKIM signing)
+ keypair: generate a key pair
 
 Options:
 -t type: key type (default: rsa)
@@ -88,7 +89,7 @@ dkiminfo() {
 [ $# -gt 0 ] || { usage; exit 2; }
 cmd="$1"; shift
 case "$cmd" in
- x509|csr|dkim) ;;
+ x509|csr|dkim|keypair) ;;
 *) echo "Unrecognized command: $cmd" >&2; exit 2
 esac
 
@@ -201,4 +202,6 @@ elif [ "$cmd" = x509 -o "$cmd" = csr ]; then
 [ "$cmd" = x509 ] && x509=-x509 || x509=
 openssl req -config "$config" -new $x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2
 fi
+elif [ "$cmd" = keypair -a "$pubkey" ]; then
+ openssl pkey -pubout <"$privkey" >"$pubkey"
 fi
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index b82c281..ca03c98 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
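Review bot: The new `keypair` branch in the last genkeypair.sh hunk lacks the `|| exit 2` that the `x509`/`csr` branch two lines above carries, so a failing `openssl pkey -pubout` (unreadable or wrong-format `$privkey`) leaves an empty or truncated `$pubkey` behind while the script still exits 0 — and the ipsec.yml task below treats rc 0 as a successful change, so the truncated file would then be fetched and committed as that host's public key. I'd write `openssl pkey -pubout <"$privkey" >"$pubkey" || exit 2`. The `-a "$pubkey"` guard also makes `keypair` a silent no-op when `--pubkey` is not given, which the new usage line `keypair: generate a key pair` does not suggest; if the option parser (outside this hunk) does not already require it, failing with usage/exit 2 like the other argument errors would be clearer. The enclosing if/elif chain starts above the hunk.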
@@ -54,12 +54,11 @@
 notify:
 - Restart IPSec
 
-- name: Generate a private key and a X.509 certificate for IPSec
- command: genkeypair.sh x509
+- name: Generate a key pair for IPSec public key authentication
+ command: genkeypair.sh keypair
 --pubkey=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
 --privkey=/etc/ipsec.d/private/{{ inventory_hostname_short }}.key
- --ou=IPSec --cn={{ inventory_hostname_short }}
- -t rsa -b 4096 -h sha512
+ -t rsa -b 4096
 register: r4
 changed_when: r4.rc == 0
 failed_when: r4.rc > 1
@@ -68,18 +67,18 @@
 tags:
 - genkey
 
-- name: Fetch IPSec X.509 certificate
+- name: Fetch the public part of IPSec host key
 # Ensure we don't fetch private data
 become: False
- fetch_cmd: cmd="openssl x509"
- stdin=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
- dest=certs/ipsec/{{ inventory_hostname_short }}.pem
+ fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
+ dest=certs/ipsec/{{ inventory_hostname_short }}.pem
+ fail_on_missing=yes flat=yes
 tags:
 - genkey
 
 # Don't copy our pubkey due to a possible race condition. Only the
 # remote machine has authority regarding its key.
-- name: Copy IPSec X.509 certificates (except ours)
+- name: Copy the public part of IPSec peers' key
 copy: src=certs/ipsec/{{ hostvars[item].inventory_hostname_short }}.pem
 dest=/etc/ipsec.d/certs/{{ hostvars[item].inventory_hostname_short }}.pem
 owner=root group=root
diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2
index 4d6aa68..938f6b8 100644
--- a/roles/common/templates/etc/ipsec.conf.j2
+++ b/roles/common/templates/etc/ipsec.conf.j2
@@ -18,7 +18,8 @@ conn %default
 leftauth = pubkey
 left = %defaultroute
 leftsubnet = {{ ipsec[inventory_hostname_short] | ipv4 }}/32
- leftcert = {{ inventory_hostname_short }}.pem
+ leftid = {{ inventory_hostname }}
+ leftsigkey = {{ inventory_hostname_short }}.pem
 leftfirewall = yes
 lefthostaccess = yes
 rightauth = pubkey
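Review bot: The `# Ensure we don't fetch private data` comment kept above the new `fetch:` task in the second ipsec.yml hunk no longer describes a real safeguard: the removed `fetch_cmd: cmd="openssl x509"` re-encoded the file through openssl, which fails on anything that is not a certificate, whereas `fetch` copies `/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem` byte-for-byte, so only the path and `become: False` now stand between a misplaced private key and the controller's `certs/ipsec/` tree, which this commit shows is checked into the repository. If the `fetch_cmd` module is still available, `fetch_cmd: cmd="openssl pkey -pubin"` keeps the filter while accepting the new `PUBLIC KEY` files; otherwise a task that validates the fetched file on the controller (`openssl pkey -pubin -noout`) before it is committed would restore the check. Either way, reword or drop the comment so it does not promise a check that is not there.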
@@ -34,7 +35,7 @@ conn {{ hostvars[host].inventory_hostname_short }}
 {% if 'DynDNS' in hostvars[host].group_names %}
 rightallowany = yes
 {% endif %}
- rightcert = {{ hostvars[host].inventory_hostname_short }}.pem
+ rightsigkey = {{ hostvars[host].inventory_hostname_short }}.pem
 rightsubnet = {{ ipsec[ hostvars[host].inventory_hostname_short ] | ipv4 }}/32
 {% if 'NATed' not in group_names and 'NATed' in hostvars[host].group_names %}
 mobike = yes
--
cgit v1.2.3
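Review bot: With `rightsigkey` replacing `rightcert` in this hunk, the peer's identity is no longer taken from a certificate subject, yet no `rightid` is set for the peer even though the `%default` section in the previous hunk now sends `leftid = {{ inventory_hostname }}`. In strongSwan the raw key loaded via `rightsigkey` is bound to the peer's identity, and without an explicit `rightid` that identity is presumably derived from `right` (set outside this hunk); unless that value equals the peer's `inventory_hostname`, the FQDN identity the peer presents will not match and the key lookup fails — most likely to bite in the `rightallowany = yes` DynDNS case. Adding `rightid = {{ hostvars[host].inventory_hostname }}` next to `rightsigkey` pins the expected identity to the key explicitly, mirroring the `leftid` line. The `conn` block begins above the hunk, so I cannot see what `right` is set to.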