Fix: proper CA cert generation

Cristian Chiru · Cristian Chiru · commit be14a9ad424f · 2020-11-07T01:04:30.000+02:00
diff --git a/README.md b/README.md
@@ -19,6 +19,7 @@
 ## Usage
 - Copy directory `samples/ansible-inventory` to the project root
 - Edit `hosts` and `host_vars` to your needs
+    - `ip` is needed in host_vars to force /etc/hosts in container, avoiding name resolve issues
 - Create a `playbook-vars.yml` file, using the [sample](samples/playbook-vars.yml) as inspiration
 - Deploy: `./run-playbook.sh`
 - Remove: `./run-playbook.sh -e docker_compose_command=down`
@@ -49,7 +50,7 @@
 | docker_logging_max_file           | `5`                    | Maximum docker log files before recycling                                                             |
 | |
 | openldap_image                    | `tiredofit/openldap`   | Base docker image. At the moment, [tiredofit](https://hub.docker.com/r/tiredofit/openldap) release seems to be working better than oxisia one      |
-| openldap_version                  | `6.9.2`                | Docker image tag                                                                                      |
+| openldap_version                  | `7.1.5`                | Docker image tag                                                                                      |
 | |
 | ldap_port_plain                   | `389`                  | Plain ldap port                                                                                       |
 | ldap_port_ssl                     | `636`                  | TLS ldap port                                                                                         |
diff --git a/playbook.yml b/playbook.yml
@@ -15,13 +15,17 @@
   - copy:
       src: "{{ local_ldap_dir_certs }}/{{ item }}"
       dest: "{{ ldap_dir_certs }}/"
+      owner: 389
+      group: 389
     loop:
     - ca.crt
     - dhparam.pem
     - server.key
   - copy:
       src: "{{ local_ldap_dir_certs }}/{{ ansible_host }}.crt"
       dest: "{{ ldap_dir_certs }}/server.crt"
+      owner: 389
+      group: 389
   roles:
   - role: openldap
     tags: openldap
diff --git a/roles/openldap/defaults/main.yml b/roles/openldap/defaults/main.yml
@@ -58,8 +58,6 @@ ldap_ppolicy_use_cracklib: 1
 
 ## TLS cipher suite. Default ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:-DHE-DSS:-RSA:!aNULL:!MD5:!DSS:!SHA
 ldap_tls_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:-DHE-DSS:-RSA:!aNULL:!MD5:!DSS:!SHA"
-## TLS DHParam Keysize. Default 2048
-ldap_tls_dh_param_keysize: 2048
 
 ldap_debug_mode: 'false'
 
diff --git a/roles/openldap/templates/docker-compose/tiredofit/openldap-docker-compose.yaml.j2 b/roles/openldap/templates/docker-compose/tiredofit/openldap-docker-compose.yaml.j2
@@ -6,7 +6,7 @@ services:
     volumes:
     - {{ ldap_dir_data }}:/var/lib/openldap
     - {{ ldap_dir_config }}:/etc/openldap/slapd.d
-    - {{ ldap_dir_certs }}:/assets/slapd/certs
+    - {{ ldap_dir_certs }}:/certs
     - {{ _ldap_dir_backup }}:/data/backup
     ports:
     - "{{ ldap_port_plain }}:389"
@@ -61,9 +61,11 @@ services:
       TLS_CIPHER_SUITE: "{{ ldap_tls_cipher_suite }}"
       TLS_CRT_FILENAME: "server.crt"
       TLS_DH_PARAM_FILENAME: "dhparam.pem"
-      TLS_DH_PARAM_KEYSIZE: "{{ ldap_tls_dh_param_keysize }}"
       TLS_ENFORCE: "false"
       TLS_KEY_FILENAME: "server.key"
+      TLS_CREATE_CA: "false"
+      TLS_CA_CRT_PATH: "/certs"
+      TLS_VERIFY_CLIENT: "demand"
 
       ENABLE_REPLICATION: "true"
       ## olcSyncRepl options used for the config database. Without rid and provider which are automatically added based on REPLICATION_HOSTS. Default binddn="cn=admin,cn=config" bindmethod=simple credentials=$CONFIG_PASS searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
@@ -82,3 +84,9 @@ services:
       DEBUG_MODE: "{{ ldap_debug_mode }}"
 
       ENABLE_ZABBIX: "{{ ldap_enable_zabbix }}"
+    extra_hosts:
+{% for host in ansible_play_hosts %}
+{% if hostvars[host]['ansible_host'] != ansible_host %}
+    - {{ hostvars[host]['ansible_host'] }}:{{ hostvars[host]['ip'] }}
+{% endif %}
+{% endfor %}
diff --git a/roles/openssl/defaults/main.yml b/roles/openssl/defaults/main.yml
@@ -1,2 +1,4 @@
 local_ldap_dir_certs: /etc/ssl/private
-ldap_tls_dh_param_keysize: 2048
+force_generate: no
+ldap_tls_keysize: 2048
+ldap_ca_subject: LDAP CA
diff --git a/roles/openssl/tasks/main.yml b/roles/openssl/tasks/main.yml
@@ -2,11 +2,14 @@
   file:
     path: "{{ local_ldap_dir_certs }}"
     state: directory
+    owner: 389
+    group: 389
 
 - name: Generate private keys
   openssl_privatekey:
     path: "{{ local_ldap_dir_certs }}/{{ item }}.key"
     backup: yes
+    force: "{{ force_generate }}"
   loop:
   - "server"
   - "ca"
@@ -15,8 +18,16 @@
   openssl_csr:
     path: "{{ local_ldap_dir_certs }}/ca.csr"
     privatekey_path: "{{ local_ldap_dir_certs }}/ca.key"
-    common_name: LDAP CA
+    common_name: "{{ ldap_ca_subject }}"
+    key_usage:
+    - digitalSignature
+    - keyEncipherment
+    - keyCertSign
+    extended_key_usage:
+    - clientAuth
+    - serverAuth
     backup: yes
+    force: "{{ force_generate }}"
 
 - name: Generate CA certificate
   openssl_certificate:
@@ -25,13 +36,15 @@
     csr_path: "{{ local_ldap_dir_certs}}/ca.csr"
     provider: selfsigned
     backup: yes
+    force: "{{ force_generate }}"
 
 - name: Generate server CSR
   openssl_csr:
     path: "{{ local_ldap_dir_certs }}/{{ hostvars[item]['ansible_host'] }}.csr"
     privatekey_path: "{{ local_ldap_dir_certs }}/server.key"
     common_name: "{{ hostvars[item]['ansible_host'] }}"
     backup: yes
+    force: "{{ force_generate }}"
   loop: "{{ groups['nodes'] }}"
 
 - name: Sign server certificate
@@ -43,13 +56,15 @@
     ownca_path: "{{ local_ldap_dir_certs }}/ca.crt"
     ownca_privatekey_path: "{{ local_ldap_dir_certs }}/ca.key"
     backup: yes
+    force: "{{ force_generate }}"
   loop: "{{ groups['nodes'] }}"
 
 - name: Generate Diffie-Hellman parameters
   openssl_dhparam:
     path: "{{ local_ldap_dir_certs }}/dhparam.pem"
-    size: "{{ ldap_tls_dh_param_keysize }}"
+    size: "{{ ldap_tls_keysize }}"
     backup: yes
+    force: "{{ force_generate }}"
 
 - name: Set appropriate permissions
   file:
diff --git a/samples/ansible-inventory/host_vars/myhost1 b/samples/ansible-inventory/host_vars/myhost1
@@ -1,2 +1,3 @@
+ip: 1.2.3.1
 ansible_host: myhost1.fqdn
 ansible_port: 22
diff --git a/samples/ansible-inventory/host_vars/myhost2 b/samples/ansible-inventory/host_vars/myhost2
@@ -1,2 +1,3 @@
+ip: 1.2.3.2
 ansible_host: myhost1.fqdn
 ansible_port: 22
diff --git a/samples/ansible-inventory/host_vars/myhost3 b/samples/ansible-inventory/host_vars/myhost3
@@ -1,2 +1,3 @@
+ip: 1.2.3.3
 ansible_host: myhost1.fqdn
 ansible_port: 22

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
	`1`	`+ip: 1.2.3.1`
`1`	`2`	`ansible_host: myhost1.fqdn`
`2`	`3`	`ansible_port: 22`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
	`1`	`+ip: 1.2.3.2`
`1`	`2`	`ansible_host: myhost1.fqdn`
`2`	`3`	`ansible_port: 22`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
	`1`	`+ip: 1.2.3.3`
`1`	`2`	`ansible_host: myhost1.fqdn`
`2`	`3`	`ansible_port: 22`