the password for the CA private key #75

8 years ago · abf94989fc
parent 8b0fe4d8f3
commit abf94989fc
3 changed files with 27 additions and 7 deletions
--- a/config.cfg
+++ b/config.cfg
@ -70,6 +70,7 @@ congrats: |
  "#    Config files and certificates are in the ./configs/ directory.    #"
  "#              Go to https://whoer.net/ after connecting               #"
  "#        and ensure that all your traffic passes through the VPN.      #"
-  "#          Local DNS resolver and Proxy IP address: {{ local_service_ip }}"
-  "#                     The p12 password is {{ easyrsa_p12_export_password }}"
+  "#          Local DNS resolver and Proxy IP address: {{ local_service_ip }}     "
+  "#                     The p12 password is {{ easyrsa_p12_export_password }}      "
+  "#                  The CA key password is {{ easyrsa_CA_password }}      "
  "#----------------------------------------------------------------------#"
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@ -1,8 +1,14 @@
 - name: Gather Facts
  setup:

+- name: Generate password for the CA key
+  shell: >
+    < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-12};echo;
+  register: CA_password
+
 - set_fact:
    easyrsa_p12_export_password: "{{ (ansible_date_time.iso8601_basic|sha1|to_uuid).split('-')[0] }}"
+    easyrsa_CA_password: "{{ CA_password.stdout }}"

 - name: Install StrongSwan
  apt: name=strongswan state=latest update_cache=yes
@ -89,7 +95,10 @@
  with_items: "{{ strongswan_plugins.stdout_lines }}"

 - name: Fetch easy-rsa-ipsec from git
-  git: repo=git://github.com/ValdikSS/easy-rsa-ipsec.git version=ed4de10d7ce0726357fb1bb4729f8eb440c06e2b dest="{{ easyrsa_dir }}"
+  git:
+    repo: git://github.com/ValdikSS/easy-rsa-ipsec.git
+    version: ipsec-with-patches
+    dest: "{{ easyrsa_dir }}"

 - name: Setup the vars file from our template
  template: src=easy-rsa.vars.j2 dest={{ easyrsa_dir }}/easyrsa3/vars
@ -108,7 +117,7 @@

 - name: Build the CA pair
  shell: >
-    ./easyrsa build-ca nopass &&
+    ./easyrsa --batch build-ca -- -passout pass:"{{ easyrsa_CA_password }}" &&
    touch {{ easyrsa_dir }}/easyrsa3/pki/ca_initialized
  args:
    chdir: '{{ easyrsa_dir }}/easyrsa3/'
@ -118,7 +127,8 @@

 - name: Build the server pair
  shell: >
-    ./easyrsa --subject-alt-name='DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}' build-server-full {{ IP_subject_alt_name }} nopass &&
+    ./easyrsa gen-req {{ IP_subject_alt_name }} batch nopass -- -passin pass:qwe1 -subj "/CN={{ IP_subject_alt_name }}" &&
+    ./easyrsa --subject-alt-name='DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}' sign-req server {{ IP_subject_alt_name }} -- -passin pass:"{{ easyrsa_CA_password }}" &&
    touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
  args:
    chdir: '{{ easyrsa_dir }}/easyrsa3/'
@ -128,7 +138,8 @@

 - name: Build the client's pair
  shell: >
-    ./easyrsa build-client-full {{ item }} nopass &&
+    ./easyrsa gen-req {{ item }} nopass -- -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" &&
+    ./easyrsa --subject-alt-name='DNS:{{ item }}' sign-req client {{ item }} nopass -- -passin pass:"{{ easyrsa_CA_password }}" &&
    touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
  args:
    chdir: '{{ easyrsa_dir }}/easyrsa3/'
--- a/users.yml
+++ b/users.yml
@ -25,6 +25,10 @@
      prompt: "Enter public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n"
      private: no

+    - name: "easyrsa_CA_password"
+      prompt: "Enter the password for the private CA key:\n"
+      private: yes
+
  tasks:
    - name: Add the server to the vpn-host group
      add_host:
@ -33,6 +37,7 @@
        ansible_ssh_user: "{{ server_user }}"
        ansible_python_interpreter: "/usr/bin/python2.7"
        ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
+        easyrsa_CA_password: "{{ easyrsa_CA_password }}"
        IP_subject: "{{ IP_subject }}"

    - name: Wait until SSH becomes ready...
@ -70,7 +75,8 @@

    - name: Build the client's pair
      shell: >
-        ./easyrsa build-client-full {{ item }} nopass &&
+        ./easyrsa gen-req {{ item }} nopass -- -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" &&
+        ./easyrsa --subject-alt-name='DNS:{{ item }}' sign-req client {{ item }} nopass -- -passin pass:"{{ easyrsa_CA_password }}" &&
        touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
      args:
        chdir: '{{ easyrsa_dir }}/easyrsa3/'
@ -93,8 +99,10 @@

    - name: Revoke non-existing users
      shell: >
+        openssl ec -in pki/private/ca.key -out pki/private/ca.key -passin pass:"{{ easyrsa_CA_password }}" -passout pass:"" &&
        ipsec pki --signcrl --cacert {{ easyrsa_dir }}/easyrsa3//pki/ca.crt --cakey {{ easyrsa_dir }}/easyrsa3/pki/private/ca.key --reason superseded --cert {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt > /etc/ipsec.d/crls/{{ item }}.der &&
        ./easyrsa revoke {{ item }} &&
+        openssl ec -aes256 -in pki/private/ca.key -out pki/private/ca.key -passin pass:"" -passout pass:"{{ easyrsa_CA_password }}" &&
        ipsec rereadcrls
      args:
        chdir: '{{ easyrsa_dir }}/easyrsa3/'