From 5bbae181ee7f3bb9a05b567db98f8bd283368211 Mon Sep 17 00:00:00 2001
From: Andrea Cimbalo
Date: Thu, 18 Aug 2016 01:47:46 +0200
Subject: [PATCH] add ssl certificate to dovecot
---
 files/test_ssl_ca.crt | 33 ++++++++
 mail.yaml | 5 +-
 roles/dovecot/tasks/main.yaml | 79 +++++++++++++++++--
 roles/roundcube/handlers/main.yaml | 2 +
 roles/roundcube/tasks/main.yaml | 13 +++
 roles/roundcube/templates/my-roundcube.php.j2 | 16 ++--
 webmail.yaml | 3 +-
 7 files changed, 131 insertions(+), 20 deletions(-)
 create mode 100644 files/test_ssl_ca.crt
 create mode 100644 roles/roundcube/handlers/main.yaml
diff --git a/files/test_ssl_ca.crt b/files/test_ssl_ca.crt
new file mode 100644
index 0000000..f1b4d70
--- /dev/null
+++ b/files/test_ssl_ca.crt
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFoTCCA4mgAwIBAgIJAPczDYaGgRcwMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNV
+BAYTAklUMQ4wDAYDVQQIDAVJVEFMWTERMA8GA1UEBwwIRmxvcmVuY2UxDjAMBgNV
+BAoMBUxJTGlLMQ8wDQYDVQQLDAZzc2wgQ0ExFDASBgNVBAMMC2NhLmxpbGlrLml0
+MB4XDTE2MDgxNzIyMzEzNVoXDTE3MDgxNzIyMzEzNVowZzELMAkGA1UEBhMCSVQx
+DjAMBgNVBAgMBUlUQUxZMREwDwYDVQQHDAhGbG9yZW5jZTEOMAwGA1UECgwFTElM
+aUsxDzANBgNVBAsMBnNzbCBDQTEUMBIGA1UEAwwLY2EubGlsaWsuaXQwggIiMA0G
+CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCg2edLFA7/GGxVm9U0ctmw06/kVFuN
+387nkGabnd0QcpII3bJtraD52IdCDNburtvxxyAF6KOty9+YLtPNf8TZKj6aJE0W
+cOmNuvSk01LzHkR2aUtu6b72IZMEJlJ/5eZkVVOMl+e9e6K4TtkbkV3ymHf4wuru
+Jj2fZFRJJC5E8LmM0vIswTw827600dMdmukgJoa8tFd5X1lu0ryCHuLNyFiS5kYz
+8rvHJQRm86jGlVQqA352rx+EPPAwmXwBbdIAELKAzG6w6800VZEY5ExmehDsY56c
+8SuUbM7FG7lXvD6AGunpRoLYQ8pJka4OEhffp8KLbRy0/cme0MpXist8MbED1BVf
+Zw7okKIf1nyxhz63F390Wct186jUO5xMUKcyG6Fi09/muMD1Fc35GaDkbOGzOh70
+LQbzTcZ+L2AvDOtcj+MwW9y908kEwGuGU8+gdIZSz9Vyx9acAEzD5xOrDVe8BA4H
+7R/TUiBGbN9fwqLnvWqgc0jX9IgesmW3j7ttNsTNRemj0QETnHFJJq63Lp3XrpOs
+G+m6SFx7YxbfV3oD+sHzLC/Qh4ObR6swTspY42FnqV7/i6RI3RTFvggLhbehaP1z
+nlhzPBO/MwGbNZesKly6CxibMF4IzwqUZGFpY8wk97IXFba7D047oOsE3Qhd+DDG
+H0z9IZclARkBOwIDAQABo1AwTjAdBgNVHQ4EFgQUFeybkcFi64CNnwoWG6O2ZGLv
+BKIwHwYDVR0jBBgwFoAUFeybkcFi64CNnwoWG6O2ZGLvBKIwDAYDVR0TBAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAgEAB87AgEfGnPLFMqbbiyV7goOkoAyRNXbFey4+
+PmJBTXcXzEJhjuH7I+WZvIvjOt0Vw/9F3fePessQmngTedkqZ4nC+VhHZpXyJPbB
+TBYiXNf8RIEddw5xczPPgAxhnlV/wFCR8yZH0P+dkGCBBTp6fAtNb+Wf6ctaJgRF
+A+1qXspO16wH1v1uLQO4nDHP6LPFc66dJARoxIlXGjUq9yHEqag9nLh0K97aoX1Q
+Tb3isd+srV32ZyPeBGHzX8IIBR7dr7Ug0yl1JjfePCdrmxccJoqJv4ymEpkL1f4A
+mc14AeSKsZ+ED69jk/l0y0DhBZYzt17LxaMzfZZTJ6MGnDrhIwwdTMHCVw6aUEcL
+dOcIcgCcBu6JwsL4aP5rPgMIfjTskTIoTrFA11bB77XBMIeT1kbUNxFtwLmseLow
+PJsEXfRR9PYFe4JwrBEKAPqjNufmnWTuAJ2GK8OwdaAwVaBp7LpPH8j7Wki1EZrA
+6usoEsEQ5onjssl/lvXFJtUToo4kQlDXmrPEWj4rnpkpi8EP2JQ1bK3wShi9EAym
+GwUzqDBckCEp1REwppMX9h+eQxE3fC9+FpeBQNqs56iNEIT5hQzau4/bDzMkfVV4
+KPUjgGto/t3djwrmIZVdt1p/+0aMCWjWJdi27y0U4aK5lCqQwgGRGXmWbgpMgrV4
+Q/EXp+A=
+-----END CERTIFICATE-----
diff --git a/mail.yaml b/mail.yaml
index 97a080d..c8bdd0a 100644
--- a/mail.yaml
+++ b/mail.yaml
@@ -7,8 +7,9 @@
 roles:
 - role: postfix
 ldap_server: "{{ hostvars['ldap'].ansible_host }}"
- fqdn_domain: "lilik.it"
+ fqdn_domain: "mail.lilik.it"
 lists_server: "{{ hostvars['lists'].ansible_host }}"
 - role: dovecot
- fqdn_domain: "lilik.it"
+ domain: "lilik.it"
+ fqdn_domain: "mail.lilik.it"
 ldap_server: "{{ hostvars['ldap'].ansible_host }}"
diff --git a/roles/dovecot/tasks/main.yaml b/roles/dovecot/tasks/main.yaml
index d93c860..9711ce3 100644
--- a/roles/dovecot/tasks/main.yaml
+++ b/roles/dovecot/tasks/main.yaml
@@ -61,25 +61,88 @@
 - lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf line="!include auth-ldap.conf.ext" state=present
 notify: restart dovecot
-- lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf line="auth_default_realm = {{ fqdn_domain }}"
+- lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf line="auth_default_realm = {{ domain }}"
 notify: restart dovecot
 - lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf line="auth_mechanisms = login plain"
 notify: restart dovecot
-- blockinfile:
+- name: enable ssl key
+ blockinfile:
 dest: /etc/dovecot/conf.d/10-ssl.conf
 block: |
 ssl = yes
- ssl_cert = /etc/dovecot/dovecot.cert"
+ register: set_pub_key
+ when: not dovecot_cert_key.stat.exists
+
 - template: src=dovecot-ldap.conf.ext.j2 dest=/etc/dovecot/dovecot-ldap.conf.ext
 notify: restart dovecot
diff --git a/roles/roundcube/handlers/main.yaml b/roles/roundcube/handlers/main.yaml
new file mode 100644
index 0000000..bdd7ff1
--- /dev/null
+++ b/roles/roundcube/handlers/main.yaml
@@ -0,0 +1,2 @@
+- name: update-ca-certificates
+ shell: update-ca-certificates
diff --git a/roles/roundcube/tasks/main.yaml b/roles/roundcube/tasks/main.yaml
index 3deb1dd..cbe8ea8 100644
--- a/roles/roundcube/tasks/main.yaml
+++ b/roles/roundcube/tasks/main.yaml
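Review bot: The postfix role's `fqdn_domain` is switched from `lilik.it` to `mail.lilik.it` without a companion variable, while the dovecot role in the same hunk gets both `domain: "lilik.it"` and `fqdn_domain: "mail.lilik.it"`; if the postfix role derives the accepted mail domain from `fqdn_domain`, this silently changes that domain to the host name. Consider giving postfix the same split as dovecot, `domain: "lilik.it"` next to `fqdn_domain: "mail.lilik.it"`, and stating in each role's defaults which variable is the certificate/host name and which is the mail domain. The postfix role is not part of this diff, so this is inferred from the variable names only.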
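Review bot: The `enable ssl key` blockinfile task is gated on `when: not dovecot_cert_key.stat.exists`, so the `ssl = yes` block in 10-ssl.conf is written only while the key is absent and is never re-applied once it exists, which leaves later drift in that file uncorrected, and no `notify: restart dovecot` is visible on the task. The `stat` task that registers `dovecot_cert_key` is not shown here (the hunk grows from 25 to 88 lines but only a handful of added lines survive in this view), so part of this may live in the omitted lines; if not, drop the `when:` so the configuration block is applied unconditionally and add `notify: restart dovecot` to it. Separately, `ssl = yes` still permits connections without TLS; `ssl = required` is the stricter setting if plaintext IMAP/POP3 is not intended. The enclosing task list continues beyond the shown lines.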
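Review bot: The new `update-ca-certificates` handler uses `shell:` for a plain binary invocation that needs no shell features, so `command: update-ca-certificates` is the idiomatic module choice and avoids an unnecessary shell. The handler name is also what `notify:` in the roundcube tasks must match exactly; if it is ever renamed to a descriptive phrase, change both together.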
@@ -27,6 +27,19 @@
 owner: root
 group: www-data
+- name: copy test_ssl_ca.crt
+ copy:
+ src: "test_ssl_ca.crt"
+ dest: "/usr/local/share/ca-certificates/test_ssl_ca.crt"
+ mode: 0444
+ notify: update-ca-certificates
+
+#TODO: remove when dovecot will use a valid dns record
+- name: '(FIX REMOVE THIS ACTION) add temporary host record'
+ lineinfile:
+ dest: /etc/hosts
+ line: "{{ hostvars['mail'].ansible_host }} {{ mail_server }}"
+ regexp: "{{ mail_server }}$"
 - name: include my-roundcube.php
 lineinfile:
diff --git a/roles/roundcube/templates/my-roundcube.php.j2 b/roles/roundcube/templates/my-roundcube.php.j2
index 3898248..6796ced 100644
--- a/roles/roundcube/templates/my-roundcube.php.j2
+++ b/roles/roundcube/templates/my-roundcube.php.j2
@@ -1,8 +1,8 @@ array(
- 'verify_peer' => false,
- 'verfify_peer_name' => false,
- ),
-);
+#$config['imap_conn_options'] = array(
+# 'ssl' => array(
+# 'verify_peer' => false,
+# 'verfify_peer_name' => false,
+# ),
+#);
diff --git a/webmail.yaml b/webmail.yaml
index d54ac9c..96bb621 100644
--- a/webmail.yaml
+++ b/webmail.yaml
@@ -6,5 +6,4 @@
 - hosts: webmail
 roles:
 - role: roundcube
- # imap_server: "{{ hostvars['mail'].ansible_host }}"
- # fqdn_domain: "lilik.it"
+ mail_server: "mail.lilik.it"
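Review bot: Installing `test_ssl_ca.crt` under `/usr/local/share/ca-certificates/` and running `update-ca-certificates` makes this test CA a trust anchor for every TLS client on the webmail host, not only for Roundcube's IMAP connection, yet unlike the `/etc/hosts` task it carries no marker that it is temporary. Add the same marker above the copy task, e.g. `# TODO: remove together with the /etc/hosts override once dovecot serves a publicly trusted certificate`, and consider scoping the trust to Roundcube via a `cafile` entry in its `imap_conn_options` instead of the system store. `mode: 0444` is better written `mode: "0444"` so the octal string does not depend on the YAML parser's leading-zero handling. The `/etc/hosts` line pins `mail_server` to `hostvars['mail'].ansible_host`, bypassing DNS on the webmail host; the existing TODO covers that case.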
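Review bot: The block that disabled certificate verification is commented out rather than removed, and it still carries the misspelled key `'verfify_peer_name'`; as written it is dead text that, if ever uncommented, would leave `verify_peer_name` at its default while appearing to set it. Since the point of this commit is to verify the IMAP server's certificate, delete the block, or if it is kept as a documented escape hatch, correct the key to `'verify_peer_name' => false,` and add a comment stating when it may be enabled. The old side of this hunk is partly cut off in this view, so the surrounding file content is inferred.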
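Review bot: `mail_server: "mail.lilik.it"` restates the `fqdn_domain: "mail.lilik.it"` set for dovecot in mail.yaml under a different name; the IMAP host Roundcube connects to and the name on dovecot's certificate must stay identical, and two independent literals in two playbooks make them easy to drift apart. Consider defining the value once in `group_vars` and referencing it from both playbooks, e.g. `mail_server: "{{ mail_fqdn }}"` (variable name illustrative).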