From 1af3c572eedb0eaddcdc5c9c41d98ff59bb7b2c9 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 24 May 2016 17:11:11 +0200 Subject: IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication. There is no need to bother with X.509 cruft here. --- roles/common/files/usr/local/bin/genkeypair.sh | 5 ++++- roles/common/tasks/ipsec.yml | 17 ++++++++--------- roles/common/templates/etc/ipsec.conf.j2 | 5 +++-- 3 files changed, 15 insertions(+), 12 deletions(-) (limited to 'roles') diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh index 45e2181..01b279a 100755 --- a/roles/common/files/usr/local/bin/genkeypair.sh +++ b/roles/common/files/usr/local/bin/genkeypair.sh @@ -47,6 +47,7 @@ usage() { x509: generate a self-signed X.509 server certificate csr: generate a Certificate Signing Request dkim: generate a private key (to use for DKIM signing) + keypair: generate a key pair Options: -t type: key type (default: rsa) @@ -88,7 +89,7 @@ dkiminfo() { [ $# -gt 0 ] || { usage; exit 2; } cmd="$1"; shift case "$cmd" in - x509|csr|dkim) ;; + x509|csr|dkim|keypair) ;; *) echo "Unrecognized command: $cmd" >&2; exit 2 esac @@ -201,4 +202,6 @@ elif [ "$cmd" = x509 -o "$cmd" = csr ]; then [ "$cmd" = x509 ] && x509=-x509 || x509= openssl req -config "$config" -new $x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2 fi +elif [ "$cmd" = keypair -a "$pubkey" ]; then + openssl pkey -pubout <"$privkey" >"$pubkey" fi diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml index b82c281..ca03c98 100644 --- a/roles/common/tasks/ipsec.yml +++ b/roles/common/tasks/ipsec.yml @@ -54,12 +54,11 @@ notify: - Restart IPSec -- name: Generate a private key and a X.509 certificate for IPSec - command: genkeypair.sh x509 +- name: Generate a key pair for IPSec public key authentication + command: genkeypair.sh keypair --pubkey=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem --privkey=/etc/ipsec.d/private/{{ inventory_hostname_short }}.key - --ou=IPSec --cn={{ inventory_hostname_short }} - -t rsa -b 4096 -h sha512 + -t rsa -b 4096 register: r4 changed_when: r4.rc == 0 failed_when: r4.rc > 1 @@ -68,18 +67,18 @@ tags: - genkey -- name: Fetch IPSec X.509 certificate +- name: Fetch the public part of IPSec host key # Ensure we don't fetch private data become: False - fetch_cmd: cmd="openssl x509" - stdin=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem - dest=certs/ipsec/{{ inventory_hostname_short }}.pem + fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem + dest=certs/ipsec/{{ inventory_hostname_short }}.pem + fail_on_missing=yes flat=yes tags: - genkey # Don't copy our pubkey due to a possible race condition. Only the # remote machine has authority regarding its key. -- name: Copy IPSec X.509 certificates (except ours) +- name: Copy the public part of IPSec peers' key copy: src=certs/ipsec/{{ hostvars[item].inventory_hostname_short }}.pem dest=/etc/ipsec.d/certs/{{ hostvars[item].inventory_hostname_short }}.pem owner=root group=root diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2 index 4d6aa68..938f6b8 100644 --- a/roles/common/templates/etc/ipsec.conf.j2 +++ b/roles/common/templates/etc/ipsec.conf.j2 @@ -18,7 +18,8 @@ conn %default leftauth = pubkey left = %defaultroute leftsubnet = {{ ipsec[inventory_hostname_short] | ipv4 }}/32 - leftcert = {{ inventory_hostname_short }}.pem + leftid = {{ inventory_hostname }} + leftsigkey = {{ inventory_hostname_short }}.pem leftfirewall = yes lefthostaccess = yes rightauth = pubkey @@ -34,7 +35,7 @@ conn {{ hostvars[host].inventory_hostname_short }} {% if 'DynDNS' in hostvars[host].group_names %} rightallowany = yes {% endif %} - rightcert = {{ hostvars[host].inventory_hostname_short }}.pem + rightsigkey = {{ hostvars[host].inventory_hostname_short }}.pem rightsubnet = {{ ipsec[ hostvars[host].inventory_hostname_short ] | ipv4 }}/32 {% if 'NATed' not in group_names and 'NATed' in hostvars[host].group_names %} mobike = yes -- cgit v1.2.3