add ssl certificate to dovecot

8 years ago · 5bbae181ee
--- a/files/test_ssl_ca.crt
+++ b/files/test_ssl_ca.crt
@ -0,0 +1,33 @@
 -----BEGIN CERTIFICATE-----
 MIIFoTCCA4mgAwIBAgIJAPczDYaGgRcwMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNV
 BAYTAklUMQ4wDAYDVQQIDAVJVEFMWTERMA8GA1UEBwwIRmxvcmVuY2UxDjAMBgNV
 BAoMBUxJTGlLMQ8wDQYDVQQLDAZzc2wgQ0ExFDASBgNVBAMMC2NhLmxpbGlrLml0
 MB4XDTE2MDgxNzIyMzEzNVoXDTE3MDgxNzIyMzEzNVowZzELMAkGA1UEBhMCSVQx
 DjAMBgNVBAgMBUlUQUxZMREwDwYDVQQHDAhGbG9yZW5jZTEOMAwGA1UECgwFTElM
 aUsxDzANBgNVBAsMBnNzbCBDQTEUMBIGA1UEAwwLY2EubGlsaWsuaXQwggIiMA0G
 CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCg2edLFA7/GGxVm9U0ctmw06/kVFuN
 387nkGabnd0QcpII3bJtraD52IdCDNburtvxxyAF6KOty9+YLtPNf8TZKj6aJE0W
 cOmNuvSk01LzHkR2aUtu6b72IZMEJlJ/5eZkVVOMl+e9e6K4TtkbkV3ymHf4wuru
 Jj2fZFRJJC5E8LmM0vIswTw827600dMdmukgJoa8tFd5X1lu0ryCHuLNyFiS5kYz
 8rvHJQRm86jGlVQqA352rx+EPPAwmXwBbdIAELKAzG6w6800VZEY5ExmehDsY56c
 8SuUbM7FG7lXvD6AGunpRoLYQ8pJka4OEhffp8KLbRy0/cme0MpXist8MbED1BVf
 Zw7okKIf1nyxhz63F390Wct186jUO5xMUKcyG6Fi09/muMD1Fc35GaDkbOGzOh70
 LQbzTcZ+L2AvDOtcj+MwW9y908kEwGuGU8+gdIZSz9Vyx9acAEzD5xOrDVe8BA4H
 7R/TUiBGbN9fwqLnvWqgc0jX9IgesmW3j7ttNsTNRemj0QETnHFJJq63Lp3XrpOs
 G+m6SFx7YxbfV3oD+sHzLC/Qh4ObR6swTspY42FnqV7/i6RI3RTFvggLhbehaP1z
 nlhzPBO/MwGbNZesKly6CxibMF4IzwqUZGFpY8wk97IXFba7D047oOsE3Qhd+DDG
 H0z9IZclARkBOwIDAQABo1AwTjAdBgNVHQ4EFgQUFeybkcFi64CNnwoWG6O2ZGLv
 BKIwHwYDVR0jBBgwFoAUFeybkcFi64CNnwoWG6O2ZGLvBKIwDAYDVR0TBAUwAwEB
 /zANBgkqhkiG9w0BAQsFAAOCAgEAB87AgEfGnPLFMqbbiyV7goOkoAyRNXbFey4+
 PmJBTXcXzEJhjuH7I+WZvIvjOt0Vw/9F3fePessQmngTedkqZ4nC+VhHZpXyJPbB
 TBYiXNf8RIEddw5xczPPgAxhnlV/wFCR8yZH0P+dkGCBBTp6fAtNb+Wf6ctaJgRF
 A+1qXspO16wH1v1uLQO4nDHP6LPFc66dJARoxIlXGjUq9yHEqag9nLh0K97aoX1Q
 Tb3isd+srV32ZyPeBGHzX8IIBR7dr7Ug0yl1JjfePCdrmxccJoqJv4ymEpkL1f4A
 mc14AeSKsZ+ED69jk/l0y0DhBZYzt17LxaMzfZZTJ6MGnDrhIwwdTMHCVw6aUEcL
 dOcIcgCcBu6JwsL4aP5rPgMIfjTskTIoTrFA11bB77XBMIeT1kbUNxFtwLmseLow
 PJsEXfRR9PYFe4JwrBEKAPqjNufmnWTuAJ2GK8OwdaAwVaBp7LpPH8j7Wki1EZrA
 6usoEsEQ5onjssl/lvXFJtUToo4kQlDXmrPEWj4rnpkpi8EP2JQ1bK3wShi9EAym
 GwUzqDBckCEp1REwppMX9h+eQxE3fC9+FpeBQNqs56iNEIT5hQzau4/bDzMkfVV4
 KPUjgGto/t3djwrmIZVdt1p/+0aMCWjWJdi27y0U4aK5lCqQwgGRGXmWbgpMgrV4
 Q/EXp+A=
 -----END CERTIFICATE-----
--- a/mail.yaml
+++ b/mail.yaml
@ -7,8 +7,9 @@
  roles:
      - role: postfix
        ldap_server: "{{ hostvars['ldap'].ansible_host }}"
        fqdn_domain: "lilik.it"
        fqdn_domain: "mail.lilik.it"
        lists_server: "{{ hostvars['lists'].ansible_host }}"
      - role: dovecot
        fqdn_domain: "lilik.it"
        domain: "lilik.it"
        fqdn_domain: "mail.lilik.it"
        ldap_server: "{{ hostvars['ldap'].ansible_host }}"
--- a/roles/dovecot/tasks/main.yaml
+++ b/roles/dovecot/tasks/main.yaml
@ -61,25 +61,88 @@
 - lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf line="!include auth-ldap.conf.ext" state=present
  notify: restart dovecot

 - lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf line="auth_default_realm = {{ fqdn_domain }}"
 - lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf line="auth_default_realm = {{ domain }}"
  notify: restart dovecot

 - lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf line="auth_mechanisms = login plain"
  notify: restart dovecot

 - blockinfile:
 - name: enable ssl key
  blockinfile:
    dest: /etc/dovecot/conf.d/10-ssl.conf
    block: |
        ssl = yes
        ssl_cert = </etc/dovecot/dovecot.pem
        ssl_key = </etc/dovecot/private/dovecot.pem
        ssl_cert = </etc/dovecot/dovecot.cert
        ssl_key = </etc/dovecot/private/dovecot.key

 # # TODO: ssl, remove when dovecot will use a valid ssl certificate
 # - name: generate certificates
 #   shell: openssl req -new -x509 -subj "/C=US/ST=Oregon/L=Portland/O=IT/CN=10.0.58.13" -days 3650 -nodes -newkey rsa:4096 -out /etc/dovecot/dovecot.pem -keyout /etc/dovecot/private/dovecot.pem
 #   args:
 #     creates: /etc/dovecot/dovecot.pem
 #   notify: restart dovecot

 - name: generate the RSA key
  shell: "openssl genrsa -out /etc/dovecot/private/dovecot.key 2048"
  args:
    creates: /etc/dovecot/private/dovecot.key
  notify: restart dovecot

 # TODO: ssl, remove when dovecot will use a valid ssl certificate
 - name: generate certificates
  shell: openssl req -new -x509 -subj "/C=US/ST=Oregon/L=Portland/O=IT/CN=10.0.58.13" -days 3650 -nodes -newkey rsa:4096 -out /etc/dovecot/dovecot.pem -keyout /etc/dovecot/private/dovecot.pem
 - name: create CSR
  shell: 'openssl req -new -sha256 -subj "/C=IT/ST=ITALY/L=TUSCANY/O=IT/CN={{ fqdn_domain }}" -key /etc/dovecot/private/dovecot.key -out /etc/dovecot/private/dovecot.csr'
  args:
    creates: /etc/dovecot/dovecot.pem
    creates: /etc/dovecot/private/dovecot.csr
  notify: restart dovecot

 - name: check if dovecot cert key exist
  stat:
    path: /etc/dovecot/dovecot.cert
  register: dovecot_cert_key

 - block:
    - name: get pub key
      shell: "cat /etc/dovecot/private/dovecot.csr"
      register: pub_key
 #    - debug: var=pub_key
    - name: generate host request
      local_action: command ../ca_manager/make_ssl_host_request.py {{ pub_key.stdout|quote }} {{ fqdn_domain|quote }}
      register: cert_request
 #    - debug: var=cert_request
    - name: start sign request
      raw: "{{ cert_request.stdout|string }}"
      delegate_to: "{{item}}"
      delegate_facts: True
      with_items: "{{groups['cas']}}"
      register: request_result
 #    - debug: var=request_result

    - set_fact:
          request_output: "{{ request_result.results[0].stdout|string|from_json }}"
    - debug: var=request_output

    - name: generate get request
      local_action: command ../ca_manager/make_get_request.py {{ request_output.requestID }}
      register: get_request
 #    - debug: var=get_request

    - debug: msg="Please manualy confirm sign request with id {{ request_output.requestID }}"

    - name: wait for cert
      raw: "{{ get_request.stdout|string }}"
      delegate_to: "{{item}}"
      delegate_facts: True
      with_items: "{{groups['cas']}}"
      register: cert_result
 #    - debug: var=cert_result

    - set_fact:
          cert_key: "{{ cert_result.results[0].stdout|string|from_json }}"
 #    - debug: var=request_output

    - name: set pub key
      shell: "echo '{{ cert_key.result }}' > /etc/dovecot/dovecot.cert"
      register: set_pub_key
  when: not dovecot_cert_key.stat.exists

 - template: src=dovecot-ldap.conf.ext.j2 dest=/etc/dovecot/dovecot-ldap.conf.ext
  notify: restart dovecot
--- a/roles/roundcube/handlers/main.yaml
+++ b/roles/roundcube/handlers/main.yaml
@ -0,0 +1,2 @@
 - name: update-ca-certificates
  shell: update-ca-certificates
--- a/roles/roundcube/tasks/main.yaml
+++ b/roles/roundcube/tasks/main.yaml
@ -27,6 +27,19 @@
      owner: root
      group: www-data

 - name: copy test_ssl_ca.crt
  copy:
      src: "test_ssl_ca.crt"
      dest: "/usr/local/share/ca-certificates/test_ssl_ca.crt"
      mode: 0444
  notify: update-ca-certificates

 #TODO: remove when dovecot will use a valid dns record
 - name: '(FIX REMOVE THIS ACTION) add temporary host record'
  lineinfile:
    dest: /etc/hosts
    line: "{{ hostvars['mail'].ansible_host }}  {{ mail_server }}"
    regexp: "{{ mail_server }}$"

 - name: include my-roundcube.php
  lineinfile:
--- a/roles/roundcube/templates/my-roundcube.php.j2
+++ b/roles/roundcube/templates/my-roundcube.php.j2
@ -1,8 +1,8 @@
 <?php
 $config['default_host'] = 'ssl://{{ hostvars['mail'].ansible_host }}';
 $config['default_host'] = 'ssl://{{ mail_server }}';
 $config['default_port'] = 993;
 $config['imap_auth_type'] = 'login';
 $config['smtp_server'] = '{{ hostvars['mail'].ansible_host }}';
 $config['smtp_server'] = '{{ mail_server }}';
 $config['smtp_helo_host'] = 'webmail.lilik.it';
 $config['skin_logo'] = '/images/lilik-150x54.png';
 $config['username_domain'] = 'lilik.it';
@ -14,9 +14,9 @@ $config['default_imap_folders'] = array('INBOX', 'Drafts', 'Sent', 'Junk', 'Tras
 $config['create_default_folders'] = true;

 # TODO: ssl, remove when dovecot will use a valid ssl certificate
 $config['imap_conn_options'] = array(
  'ssl'         => array(
 	 'verify_peer'  => false,
 	 'verfify_peer_name' => false,
   ),
 );
 #$config['imap_conn_options'] = array(
 #  'ssl'         => array(
 #	 'verify_peer'  => false,
 #	 'verfify_peer_name' => false,
 #   ),
 #);
--- a/webmail.yaml
+++ b/webmail.yaml
@ -6,5 +6,4 @@
 - hosts: webmail
  roles:
      - role: roundcube
        # imap_server: "{{ hostvars['mail'].ansible_host }}"
        # fqdn_domain: "lilik.it"
        mail_server: "mail.lilik.it"