Archives
/
algo
mirror of https://github.com/trailofbits/algo
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
dependabot/pip/ansible-9.4.0
dependabot/github_actions/actions/setup-python-5.1.0
fix/14704
dependabot/pip/jinja2-approx-eq-3.1.3
v1.1
v1.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e8947f318b'
${ noResults }
algo/roles/vpn/tasks/openssl.yml

188 lines
5.8 KiB
YAML
Raw Blame History

---
- block:
- name: Set subjectAltName as a fact
set_fact:
subjectAltName: "{{ subjectAltName_IP }}{% if ipv6_support %},IP:{{ ansible_default_ipv6['address'] }}{% endif %}{% if domain and subjectAltName_DNS %},DNS:{{ subjectAltName_DNS }}{% endif %}"
tags: always
- name: Ensure the pki directory does not exist
file:
dest: configs/{{ IP_subject_alt_name }}/pki
state: absent
when: keys_clean_all|bool == True
- name: Ensure the pki directories exist
file:
dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}"
state: directory
recurse: yes
with_items:
- ecparams
- certs
- crl
- newcerts
- private
- reqs
- name: Ensure the files exist
file:
dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}"
state: touch
with_items:
- ".rnd"
- "private/.rnd"
- "index.txt"
- "index.txt.attr"
- "serial"
- name: Generate the openssl server configs
template:
src: openssl.cnf.j2
dest: "configs/{{ IP_subject_alt_name }}/pki/openssl.cnf"
- name: Build the CA pair
shell: >
{{ openssl_bin }} ecparam -name secp384r1 -out ecparams/secp384r1.pem &&
{{ openssl_bin }} req -utf8 -new
-newkey ec:ecparams/secp384r1.pem
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}"))
-keyout private/cakey.pem
-out cacert.pem -x509 -days 3650
-batch
-passout pass:"{{ CA_password }}" &&
touch {{ IP_subject_alt_name }}_ca_generated
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
creates: "{{ IP_subject_alt_name }}_ca_generated"
executable: bash
- name: Copy the CA certificate
copy:
src: "configs/{{ IP_subject_alt_name }}/pki/cacert.pem"
dest: "configs/{{ IP_subject_alt_name }}/cacert.pem"
mode: 0600
- name: Generate the serial number
shell: echo 01 > serial && touch serial_generated
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
creates: serial_generated
- name: Build the server pair
shell: >
{{ openssl_bin }} req -utf8 -new
-newkey ec:ecparams/secp384r1.pem
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}"))
-keyout private/{{ IP_subject_alt_name }}.key
-out reqs/{{ IP_subject_alt_name }}.req -nodes
-passin pass:"{{ CA_password }}"
-subj "/CN={{ IP_subject_alt_name }}" -batch &&
{{ openssl_bin }} ca -utf8
-in reqs/{{ IP_subject_alt_name }}.req
-out certs/{{ IP_subject_alt_name }}.crt
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}"))
-days 3650 -batch
-passin pass:"{{ CA_password }}"
-subj "/CN={{ IP_subject_alt_name }}" &&
touch certs/{{ IP_subject_alt_name }}_crt_generated
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
creates: certs/{{ IP_subject_alt_name }}_crt_generated
executable: bash
- name: Build the client's pair
shell: >
{{ openssl_bin }} req -utf8 -new
-newkey ec:ecparams/secp384r1.pem
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}"))
-keyout private/{{ item }}.key
-out reqs/{{ item }}.req -nodes
-passin pass:"{{ CA_password }}"
-subj "/CN={{ item }}" -batch &&
{{ openssl_bin }} ca -utf8
-in reqs/{{ item }}.req
-out certs/{{ item }}.crt
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}"))
-days 3650 -batch
-passin pass:"{{ CA_password }}"
-subj "/CN={{ item }}" &&
touch certs/{{ item }}_crt_generated
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
creates: certs/{{ item }}_crt_generated
executable: bash
with_items: "{{ users }}"
- name: Build the client's p12
shell: >
{{ openssl_bin }} pkcs12
-in certs/{{ item }}.crt
-inkey private/{{ item }}.key
-export
-name {{ item }}
-out private/{{ item }}.p12
-passout pass:"{{ p12_export_password }}"
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
executable: bash
with_items: "{{ users }}"
register: p12
- name: Copy the p12 certificates
copy:
src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.p12"
dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.p12"
mode: 0600
with_items:
- "{{ users }}"
- name: Get active users
shell: >
grep ^V index.txt |
grep -v "{{ IP_subject_alt_name }}" |
awk '{print $5}' |
sed 's/\/CN=//g'
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
register: valid_certs
- name: Revoke non-existing users
shell: >
{{ openssl_bin }} ca -gencrl
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}"))
-passin pass:"{{ CA_password }}"
-revoke certs/{{ item }}.crt
-out crl/{{ item }}.crt
register: gencrl
args:
chdir: configs/{{ IP_subject_alt_name }}/pki/
creates: crl/{{ item }}.crt
executable: bash
when: item not in users
with_items: "{{ valid_certs.stdout_lines }}"
- name: Genereate new CRL file
shell: >
{{ openssl_bin }} ca -gencrl
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }}"))
-passin pass:"{{ CA_password }}"
-out crl/algo.root.pem
when:
- gencrl is defined
- gencrl.changed
args:
chdir: configs/{{ IP_subject_alt_name }}/pki/
executable: bash
delegate_to: localhost
become: no
- name: Copy the CRL to the vpn server
copy:
src: configs/{{ IP_subject_alt_name }}/pki/crl/algo.root.pem
dest: "{{ config_prefix|default('/') }}etc/ipsec.d/crls/algo.root.pem"
when:
- gencrl is defined
- gencrl.changed
notify:
- rereadcrls
Reference in New Issue View Git Blame Copy Permalink