
Merge pull request #151 from jaredledvina/fix/update-to-handle-docs-S…
…AN-#150

SSL Generation - Move to more native Ansible code
jaredledvina committed May 6, 2018
2 parents 71d1fc1 + a365413 commit 727415d
Showing 4 changed files with 153 additions and 12 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -5,7 +5,11 @@ This project adheres to [Semantic Versioning](http://semver.org/)
The format is based on [Keep a Changelog](http://keepachangelog.com/).

## [Unreleased]
### Fixed:
- Automated SSL key & cert generation fails on systems with Python 2.6 or older (@jaredledvina)

### Changed
- Port over the latest ssl_tools code to more native Ansible `command` instructions for greater flexibility (@jaredledvina)

## [2.3.0] - 2018-05-04
### Fixed
1 change: 0 additions & 1 deletion defaults/main.yml
Expand Up @@ -100,7 +100,6 @@ sensu_ssl_client_key: "{{ sensu_ssl_tool_base_path }}/client/key.pem"
sensu_ssl_server_cacert: "{{ sensu_ssl_tool_base_path }}/sensu_ca/cacert.pem"
sensu_ssl_server_cert: "{{ sensu_ssl_tool_base_path }}/server/cert.pem"
sensu_ssl_server_key: "{{ sensu_ssl_tool_base_path }}/server/key.pem"
sensu_ssl_tool_version: "1.2"
dynamic_data_store: "{{ playbook_dir }}/data/store"
static_data_store: "{{ playbook_dir}}/data/static"

104 changes: 93 additions & 11 deletions tasks/ssl_generate.yml
Expand Up @@ -4,29 +4,111 @@

- include_vars: "{{ ansible_distribution }}.yml"

- name: Ensure OpenSSL is installed
package:
name: openssl
state: installed

- name: Ensure SSL generation directory exists
file:
dest: "{{ sensu_config_path }}/ssl_generation"
dest: "{{ sensu_config_path }}/{{ item }}"
state: directory
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
when: sensu_master
with_items:
- ssl_generation
- ssl_generation/sensu_ssl_tool
- ssl_generation/sensu_ssl_tool/client
- ssl_generation/sensu_ssl_tool/server
- ssl_generation/sensu_ssl_tool/sensu_ca
- ssl_generation/sensu_ssl_tool/sensu_ca/private
- ssl_generation/sensu_ssl_tool/sensu_ca/certs

- name: Ensure OpenSSL configuration is in place
template:
src: openssl.cnf.j2
dest: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/openssl.cnf"
owner: "{{ sensu_user_name }}"
group: "{{ sensu_group_name }}"
when: sensu_master

- block:
- name: Ensure the Sensu CA serial configuration
shell: 'echo 01 > sensu_ca/serial'
args:
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/serial"
register: sensu_ca_new_serial

- name: Ensure sensu_ca/index.txt exists
file:
dest: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/index.txt"
state: touch
when: sensu_ca_new_serial is changed

#TODO: The following mirrors the commands used in sensu_ssl_tool/ssl_certs.sh
# from the 1.3 version of the script. Ideally, this moves into the native openssl_* modules.
# See https://docs.sensu.io/sensu-core/1.3/reference/ssl/#reference-documentation for limitations and further instructions
- name: Generate Sensu CA certificate
command: openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 1825 -out cacert.pem -outform PEM -subj /CN=SensuCA/ -nodes
args:
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/cacert.pem"

- name: Generate CA cert
command: openssl x509 -in cacert.pem -out cacert.cer -outform DER
args:
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/cacert.cer"

- name: Generate server keys
command: openssl genrsa -out key.pem 2048
args:
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server/key.pem"

- name: Generate server certificate signing request
command: openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=sensu/O=server/ -nodes
args:
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server/req.pem"

- name: Sign the server certificate
command: openssl ca -config openssl.cnf -in ../server/req.pem -out ../server/cert.pem -notext -batch -extensions server_ca_extensions
args:
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server/cert.pem"

- name: Convert server certificate and key to PKCS12 formart
command: openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:secret
args:
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server/keycert.p12"

- name: Generate client key
command: openssl genrsa -out key.pem 2048
args:
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client/key.pem"

- name: Generate client certificate signing request
command: openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=sensu/O=client/ -nodes
args:
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client/req.pem"

- name: Untar the ssl_certs tarball from sensuapp.org
unarchive:
- name: Sign the client certificate
command: openssl ca -config openssl.cnf -in ../client/req.pem -out ../client/cert.pem -notext -batch -extensions client_ca_extensions
args:
src: http://sensuapp.org/docs/{{ sensu_ssl_tool_version }}/files/sensu_ssl_tool.tar
dest: "{{ sensu_config_path }}/ssl_generation/"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool"
copy: no
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client/cert.pem"

- name: Generate SSL certs
command: "{{ __bash_path }} {{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/ssl_certs.sh generate"
- name: Convert client key/certificate to PKCS12 format
command: openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:secret
args:
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server"
chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client"
creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client/keycert.p12"

when: sensu_master|bool
become: true
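Review bot: Both PKCS12 export tasks (`Convert server certificate and key to PKCS12 formart` and `Convert client key/certificate to PKCS12 format`) hard-code the export password as `-passout pass:secret`, and because it sits on the `command:` line it is also echoed in play output and any task logging. Unless a downstream consumer depends on that literal value, move it to a role variable and mark the two tasks `no_log: true`, e.g. `command: openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout "pass:{{ sensu_ssl_pkcs12_password }}"` (variable name is a suggestion; give it a default alongside the other `sensu_ssl_*` variables). A second gap: the block runs under `become: true` and no task sets owner or mode on the generated `key.pem` files or on `sensu_ca/private/cakey.pem`, so the private keys presumably end up root-owned with whatever mode the openssl binary applies, while the directories above them were just chowned to `{{ sensu_user_name }}`; a `file` task with `mode: "0600"` and the intended owner after generation would make that explicit. Minor: the task named `Generate CA cert` only converts `cacert.pem` to DER, so `Convert CA certificate to DER` reads truer, and `formart` is a typo.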
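--- a/templates/openssl.cnf.j2
+++ b/templates/openssl.cnf.j2
@@ -0,0 +1,56 @@
+{{ ansible_managed | comment }}
+# Source: http://docs.sensu.io/sensu-core/1.3/files/sensu_ssl_tool.tar
+
+[ ca ]
+default_ca = sensu_ca
+
+[ sensu_ca ]
+dir = .
+certificate = $dir/cacert.pem
+database = $dir/index.txt
+new_certs_dir = $dir/certs
+private_key = $dir/private/cakey.pem
+serial = $dir/serial
+
+default_crl_days = 7
+default_days = 1825
+default_md = sha1
+
+policy = sensu_ca_policy
+x509_extensions = certificate_extensions
+
+[ sensu_ca_policy ]
+commonName = supplied
+stateOrProvinceName = optional
+countryName = optional
+emailAddress = optional
+organizationName = optional
+organizationalUnitName = optional
+
+[ certificate_extensions ]
+basicConstraints = CA:false
+
+[ req ]
+default_bits = 2048
+default_keyfile = ./private/cakey.pem
+default_md = sha1
+prompt = yes
+distinguished_name = root_ca_distinguished_name
+x509_extensions = root_ca_extensions
+
+[ root_ca_distinguished_name ]
+commonName = sensu
+
+[ root_ca_extensions ]
+basicConstraints = CA:true
+keyUsage = keyCertSign, cRLSign
+
+[ client_ca_extensions ]
+basicConstraints = CA:false
+keyUsage = digitalSignature
+extendedKeyUsage = 1.3.6.1.5.5.7.3.2
+
+[ server_ca_extensions ]
+basicConstraints = CA:false
+keyUsage = keyEncipherment
+extendedKeyUsage = 1.3.6.1.5.5.7.3.1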
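Review bot: `default_md = sha1` (under `[ sensu_ca ]` and again under `[ req ]`) makes every certificate the new tasks sign SHA-1-based; recent OpenSSL releases at their default security level and most current TLS clients reject SHA-1 certificate signatures, so the generated CA, server and client certs may fail to validate on up-to-date hosts. Change both lines to `default_md = sha256`, and since the header comment cites the Sensu 1.3 tarball as the source, add a one-line comment noting the deliberate divergence from it. Less certain: `[ server_ca_extensions ]` sets `keyUsage = keyEncipherment` only, and an RSA server certificate lacking `digitalSignature` cannot be used for ECDHE key exchange by strict peers, so `keyUsage = digitalSignature, keyEncipherment` would be the safer choice. Also worth a comment: `private_key = $dir/private/cakey.pem` is written by the `-nodes` CA request in the tasks file, i.e. the CA key is stored unencrypted and its protection rests entirely on filesystem permissions.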
