
check ssl and ssh certificate validity

python3
Andrea Cimbalo 7 years ago
parent
commit
fa1d96901d
2 changed files with 58 additions and 38 deletions
  1. +38
    -20
      roles/dovecot/tasks/main.yaml
  2. +20
    -18
      roles/ssh_server/tasks/main.yaml

+ 38
- 20
roles/dovecot/tasks/main.yaml View File

@ -106,30 +106,48 @@
ssl_key = </etc/dovecot/private/dovecot.key ssl_key = </etc/dovecot/private/dovecot.key
- name: generate the RSA key - name: generate the RSA key
openssl_privatekey:
path: "/etc/dovecot/private/dovecot.key"
size: 2048
state: present
type: RSA
# TODO: reenable openssl_privatekey when moving to ansible 2.3
# openssl_privatekey:
# path: "/etc/dovecot/private/dovecot.key"
# size: 2048
# state: present
# type: RSA
shell: "openssl genrsa -out /etc/dovecot/private/dovecot.key 2048"
args:
creates: /etc/dovecot/private/dovecot.key
notify: restart dovecot notify: restart dovecot
- name: generate CSR - name: generate CSR
openssl_csr:
commonName: "{{ fqdn_domain }}"
countryName: "IT"
digest: sha256
localityName: "TUSCANY"
organizationName: "IT"
path: "/etc/dovecot/private/dovecot.csr"
privatekey_path: "/etc/dovecot/private/dovecot.key"
state: present
stateOrProvinceName: "ITALY"
# TODO: reenable openssl_csr when moving to ansible 2.3
# openssl_csr:
# commonName: "{{ fqdn_domain }}"
# countryName: "IT"
# digest: sha256
# localityName: "TUSCANY"
# organizationName: "IT"
# path: "/etc/dovecot/private/dovecot.csr"
# privatekey_path: "/etc/dovecot/private/dovecot.key"
# state: present
# stateOrProvinceName: "ITALY"
shell: 'openssl req -new -sha256 -subj "/C=IT/ST=ITALY/L=TUSCANY/O=IT/CN={{ fqdn_domain }}" -key /etc/dovecot/private/dovecot.key -out /etc/dovecot/private/dovecot.csr'
args:
creates: /etc/dovecot/private/dovecot.csr
notify: restart dovecot notify: restart dovecot
- name: check if dovecot cert key exist
stat:
path: /etc/dovecot/dovecot.cert
register: dovecot_cert_key
- name: lookup ssl ca key
set_fact:
ssl_ca_key: "{{ lookup('file', 'test_ssl_ca.crt') }}"
- name: Update ssl CA key
copy:
content: "{{ ssl_ca_key }}"
dest: "/etc/dovecot/ssl_ca.crt"
- name: check if dovecot cert is valid
command: 'openssl verify -CAfile /etc/dovecot/ssl_ca.crt /etc/dovecot/dovecot.cert'
register: dovecot_cert_is_valid
changed_when: false
failed_when: false
- block: - block:
- name: get pub key - name: get pub key
@ -200,7 +218,7 @@
dest: "/etc/dovecot/dovecot.cert" dest: "/etc/dovecot/dovecot.cert"
register: set_pub_key register: set_pub_key
when: not dovecot_cert_key.stat.exists
when: 'dovecot_cert_is_valid.rc != 0'
- template: - template:
src: dovecot-ldap.conf.ext.j2 src: dovecot-ldap.conf.ext.j2


+ 20
- 18
roles/ssh_server/tasks/main.yaml View File

@ -1,4 +1,4 @@
# We can not use include_role here since it not share thje connection with the current role
# We can not use include_role here since it not share the connection with the current role
- include: roles/service/tasks/main.yaml - include: roles/service/tasks/main.yaml
vars: vars:
service_name: ssh service_name: ssh
@ -6,13 +6,26 @@
- openssh-server - openssh-server
- openssh-sftp-server - openssh-sftp-server
- name: Check if host certificate exists
stat:
path: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
register: vm_ssh_certificate_exists
- name: lookup user ca key
set_fact:
user_ca_key: "{{ lookup('file', 'test_ssh_ca.pub') }}"
- name: Update container user CA key
copy:
content: "ssh-rsa {{ user_ca_key }}"
dest: "/etc/ssh/user_ca.pub"
notify: restart ssh
- name: Check if host certificate is valid
shell: '[[ $(ssh-keygen -f /etc/ssh/ssh_host_ed25519_key-cert.pub -L |grep "$(ssh-keygen -f /etc/ssh/user_ca.pub -l|cut -d " " -f 2)" -A 3 |grep Valid |cut -d " " -f 13) > $(date +%Y-%m-%dT%H:%M:%S --date "+1 month") ]]'
args:
executable: /bin/bash
register: vm_has_valid_ssh_certificate
changed_when: false
failed_when: false
- debug: - debug:
var: vm_ssh_certificate_exists
var: vm_has_valid_ssh_certificate
verbosity: 2 verbosity: 2
- block: - block:
@ -85,18 +98,7 @@
dest: "/etc/ssh/ssh_host_ed25519_key-cert.pub" dest: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
register: set_pub_key register: set_pub_key
notify: restart ssh notify: restart ssh
when: "not vm_ssh_certificate_exists.stat.exists"
- name: lookup user ca key
set_fact:
user_ca_key: "{{ lookup('file', 'test_ssh_ca.pub') }}"
- name: Update container user CA key
copy:
content: "ssh-rsa {{ user_ca_key }}"
dest: "/etc/ssh/user_ca.pub"
notify: restart ssh
when: "vm_has_valid_ssh_certificate.rc != 0"
- name: add certificate to sshd config - name: add certificate to sshd config
lineinfile: lineinfile:
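Review bot: The `Check if host certificate is valid` task pulls the expiry out of `ssh-keygen -L` output with `cut -d " " -f 13` and compares it to `date` using bash's lexical `>`, so the result depends on the exact indentation and word order of that output; if the field position is off, the token compared is not a timestamp, and any letter-led string sorts above a digit-led date, which could report an expired certificate as valid and skip the regenerate block whose `when:` closes this hunk. Parsing the `to` timestamp explicitly, failing when it or the CA fingerprint is absent, and comparing epoch seconds avoids that, and `set -euo pipefail` turns a missing `user_ca.pub` or certificate file into a non-zero rc instead of an empty string that still triggers regeneration by accident. The fingerprint grepped for is the user CA's (`user_ca.pub`), which identifies the host certificate's signer only if one CA signs both host and user certificates; I cannot tell from the hunk whether that is intended, so a comment stating it would help. The block containing `when: "vm_has_valid_ssh_certificate.rc != 0"` opens before this hunk.
```yaml
- name: Check if host certificate is valid
  shell: |
    set -euo pipefail
    ca_fp="$(ssh-keygen -l -f /etc/ssh/user_ca.pub | cut -d ' ' -f 2)"
    cert_info="$(ssh-keygen -L -f /etc/ssh/ssh_host_ed25519_key-cert.pub)"
    [[ -n "$ca_fp" ]]
    grep -q -- "$ca_fp" <<< "$cert_info"
    valid_to="$(sed -n 's/.*Valid: from [^ ]* to \([^ ]*\).*/\1/p' <<< "$cert_info")"
    [[ -n "$valid_to" ]]
    (( $(date -d "$valid_to" +%s) > $(date -d '+1 month' +%s) ))
  args:
    executable: /bin/bash
  # … unchanged: register / changed_when / failed_when …
```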

