| author | Emil Renner Berthing <esmil@labitat.dk> | 2021-01-19 21:58:10 +0100 | 
|---|---|---|
| committer | Emil Renner Berthing <esmil@labitat.dk> | 2021-01-19 22:39:39 +0100 | 
| commit | d43cdbc412d6548447d3d4c6238fc56c99e09d98 (patch) | |
| tree | 8f5d9b7eabc3dfffaaa7be0088bae08777146aeb | |
| parent | 3da205a190c0b6f36a726d90afa4dc303ee84ffe (diff) | |
| download | labitat-ansible-d43cdbc412d6548447d3d4c6238fc56c99e09d98.tar.gz labitat-ansible-d43cdbc412d6548447d3d4c6238fc56c99e09d98.tar.xz labitat-ansible-d43cdbc412d6548447d3d4c6238fc56c99e09d98.zip | |
space_server: radius: use letsencrypt certificate
| -rwxr-xr-x | roles/space_server/files/radius/bootstrap | 28 | ||||
| -rwxr-xr-x | roles/space_server/files/radius/certbot.sh | 15 | ||||
| -rw-r--r-- | roles/space_server/files/radius/mods-available/eap | 12 | ||||
| -rw-r--r--[-rwxr-xr-x] | roles/space_server/files/radius/pythonpath.conf | 0 | ||||
| -rw-r--r-- | roles/space_server/files/radius/sites-available/labitat | 2 | ||||
| -rw-r--r-- | roles/space_server/tasks/radius.yml | 85 | 
6 files changed, 64 insertions, 78 deletions
diff --git a/roles/space_server/files/radius/bootstrap b/roles/space_server/files/radius/bootstrap
new file mode 100755
index 0000000..376aa78
--- /dev/null
+++ b/roles/space_server/files/radius/bootstrap
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -e
+
+certname=space.labitat.dk
+privkey="/etc/letsencrypt/live/$certname/privkey.pem"
+fullchain="/etc/letsencrypt/live/$certname/fullchain.pem"
+
+umask 027
+cd "$(dirname $0)"
+
+if [ ! -f dh ]; then
+  openssl dhparam -out dh 2048
+  chown root:radiusd dh
+  chmod 640 dh
+fi
+
+if ! diff -q "$privkey" privkey.pem >/dev/null 2>&1; then
+  install -m640 -o root -g radiusd "$privkey" privkey.pem
+fi
+
+if ! diff -q "$fullchain" fullchain.pem >/dev/null 2>&1; then
+  install -m640 -o root -g radiusd "$fullchain" fullchain.pem
+fi
+
+openssl verify -untrusted fullchain.pem fullchain.pem
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/files/radius/certbot.sh b/roles/space_server/files/radius/certbot.sh
new file mode 100755
index 0000000..f6749a8
--- /dev/null
+++ b/roles/space_server/files/radius/certbot.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+case "$RENEWED_LINEAGE" in
+*/space.labitat.dk)
+  install -m640 -o root -g radiusd \
+    "$RENEWED_LINEAGE/privkey.pem" \
+    "$RENEWED_LINEAGE/fullchain.pem" \
+    /etc/raddb/certs/
+  systemctl reload radiusd.service
+  ;;
+esac
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/files/radius/mods-available/eap b/roles/space_server/files/radius/mods-available/eap
index 2136414..938370c 100644
--- a/roles/space_server/files/radius/mods-available/eap
+++ b/roles/space_server/files/radius/mods-available/eap
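Review bot: `cd "$(dirname $0)"` leaves `$0` unquoted, so the script word-splits its own path; write `cd "$(dirname "$0")"`. There is no explicit check that the Let's Encrypt lineage exists yet: when `/etc/letsencrypt/live/space.labitat.dk/` is missing, `diff -q` fails and `set -e` aborts on the `install` error, which is safe but opaque, so a guard such as `[ -r "$privkey" ] || { echo "no certificate for $certname yet" >&2; exit 1; }` before the copies would make the failure mode clear. The closing `openssl verify -untrusted fullchain.pem fullchain.pem` validates the chain against the system trust store but does not confirm that `privkey.pem` matches the leaf certificate, which is the mismatch radiusd would otherwise surface only at start-up.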
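Review bot: The hook depends on `systemctl reload radiusd.service` making radiusd re-read the EAP TLS key pair; confirm that a reload (rather than a restart) does that on the FreeRADIUS version in use, because if it does not the old certificate stays in service after each renewal and clients will start seeing an expired certificate. The destination `/etc/raddb/certs/`, the owner/group and the mode duplicate what `bootstrap` derives from `dirname $0`, so a path change has to be made in two files; a comment `# keep in sync with roles/space_server/files/radius/bootstrap` on the `install` line would flag that. The certificate name `space.labitat.dk` is likewise hard-coded in both scripts.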
@@ -181,8 +181,8 @@ eap {
 	#  authenticate via EAP-TLS!  This is likely not what you want.
 	#
 	tls-config tls-common {
-		private_key_password = whatever
-		private_key_file = ${certdir}/server.pem
+	#	private_key_password = whatever
+		private_key_file = ${certdir}/privkey.pem
 		#  If Private key & Certificate are located in
 		#  the same file, then private_key_file &
@@ -218,7 +218,7 @@ eap {
 		#  give advice which will work everywhere.  Instead,
 		#  we give general guidelines.
 		#
-		certificate_file = ${certdir}/server.pem
+		certificate_file = ${certdir}/fullchain.pem
 		#  Trusted Root CA list
 		#
@@ -231,7 +231,7 @@ eap {
 		#  In that case, this CA file should contain
 		#  *one* CA certificate.
 		#
-		ca_file = ${cadir}/ca.pem
+	#	ca_file = ${cadir}/ca.pem
 	 	#  OpenSSL will automatically create certificate chains,
 	 	#  unless we tell it to not do that.  The problem is that
@@ -392,8 +392,8 @@ eap {
 		#  tls_max_version.
 		#
 	#	disable_tlsv1_2 = no
-		disable_tlsv1_1 = yes
-		disable_tlsv1 = yes
+	#	disable_tlsv1_1 = yes
+	#	disable_tlsv1 = yes
 		#  Set min / max TLS version.  Mainly for Debian
 		#  "trusty", which disables older versions of TLS, and
diff --git a/roles/space_server/files/radius/pythonpath.conf b/roles/space_server/files/radius/pythonpath.conf
index 6a7f6ba..6a7f6ba 100755..100644
--- a/roles/space_server/files/radius/pythonpath.conf
+++ b/roles/space_server/files/radius/pythonpath.conf
diff --git a/roles/space_server/files/radius/sites-available/labitat b/roles/space_server/files/radius/sites-available/labitat
index 6deb993..8b514f8 100644
--- a/roles/space_server/files/radius/sites-available/labitat
+++ b/roles/space_server/files/radius/sites-available/labitat
@@ -15,7 +15,7 @@ server labitat {
 	authorize {
 		filter_username
 		preprocess
-		auth_log
+		#auth_log
 		eap {
 			ok = return
diff --git a/roles/space_server/tasks/radius.yml b/roles/space_server/tasks/radius.yml
index 614d1b7..7ea88b1 100644
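Review bot: The fourth hunk comments out `disable_tlsv1_1 = yes` and `disable_tlsv1 = yes`, which re-enables TLS 1.0 and 1.1 for EAP unless `tls_min_version` (referenced by the context lines but set outside this hunk) is raised; that is unrelated to switching certificates and weakens the TLS policy, so either keep the two lines or make sure `tls_min_version = "1.2"` is in effect. Commenting out `ca_file` in the third hunk leaves no local CA for validating client certificates, which only matters if EAP-TLS with client certificates is in use, but the intent deserves a comment on that line such as `#  ca_file unset: server certificate comes from a public CA; EAP-TLS client certificates are not verified here`. Because the server certificate is now issued by a public CA, supplicants must match the server name (for example wpa_supplicant's `domain_match`) and not merely trust the CA, otherwise any certificate from that CA is accepted as the RADIUS server; that client-side requirement belongs in the role's documentation. The `tls-config tls-common` block continues outside every hunk shown.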
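Review bot: Commenting out `auth_log` in the `authorize` section of `server labitat` stops the detail log of incoming authentication requests, which removes the main record of who attempted to authenticate and when; this is unrelated to the Let's Encrypt switch the commit message describes. If disabling it is intended, state the reason in a comment above the line, e.g. `#  auth_log disabled: <reason>`; otherwise the line should stay enabled. The `authorize { ... }` block continues outside the hunk.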
--- a/roles/space_server/tasks/radius.yml
+++ b/roles/space_server/tasks/radius.yml
@@ -110,78 +110,21 @@
 #
 # certificates
 #
-- name: Configure /etc/raddb/certs/passwords.mk
-  replace:
-    path: '/etc/raddb/certs/passwords.mk'
-    regexp: '^CA_DEFAULT_DAYS( *= *).*$'
-    replace: "CA_DEFAULT_DAYS\\1'3652'"
-  tags: radius-certs
-
-- name: Configure /etc/raddb/certs/ca.cnf
-  ini_file:
-    path: '/etc/raddb/certs/ca.cnf'
-    section: "{{ item.key.split('.',1)[0] }}"
-    option:  "{{ item.key.split('.',1)[1] }}"
-    value:   "{{ (item.value is string)|ternary(item.value,omit) }}"
-    state:   "{{ (item.value is string)|ternary('present','absent') }}"
-  with_dict:
-    ' CA_default .default_days': '3652'
-    'certificate_authority.countryName': 'DK'
-    'certificate_authority.stateOrProvinceName': 'Copenhagen'
-    'certificate_authority.localityName': 'Frederiksberg'
-    'certificate_authority.organizationName': 'Labitat'
-    'certificate_authority.emailAddress': 'noc@labitat.dk'
-    'certificate_authority.commonName': '"Labitat Network Infrastructure CA"'
-  tags: radius-certs
-
-- name: Configure /etc/raddb/certs/server.cnf
-  ini_file:
-    path: '/etc/raddb/certs/server.cnf'
-    section: "{{ item.key.split('.',1)[0] }}"
-    option:  "{{ item.key.split('.',1)[1] }}"
-    value:   "{{ (item.value is string)|ternary(item.value,omit) }}"
-    state:   "{{ (item.value is string)|ternary('present','absent') }}"
-  with_dict:
-    ' CA_default .default_days': '731'
-    'server.countryName': 'DK'
-    'server.stateOrProvinceName': 'Copenhagen'
-    'server.localityName': 'Frederiksberg'
-    'server.organizationName': 'Labitat'
-    'server.emailAddress': 'noc@labitat.dk'
-    'server.commonName': '"Labitat Radius Authentication 2020"'
-  tags: radius-certs
-
-- name: Configure /etc/raddb/certs/inner-server.cnf
-  ini_file:
-    path: '/etc/raddb/certs/inner-server.cnf'
-    section: "{{ item.key.split('.',1)[0] }}"
-    option:  "{{ item.key.split('.',1)[1] }}"
-    value:   "{{ (item.value is string)|ternary(item.value,omit) }}"
-    state:   "{{ (item.value is string)|ternary('present','absent') }}"
-  with_dict:
-    ' CA_default .default_days': '731'
-    'server.countryName': 'DK'
-    'server.stateOrProvinceName': 'Copenhagen'
-    'server.localityName': 'Frederiksberg'
-    'server.organizationName': 'Labitat'
-    'server.emailAddress': 'noc@labitat.dk'
-    'server.commonName': '"Labitat Radius Inner Server Certificate 2020"'
-  tags: radius-certs
+- name: Create our certificates bootstrap script
+  copy:
+    dest: '/etc/raddb/certs/bootstrap'
+    src: 'radius/bootstrap'
+    owner: root
+    group: radiusd
+    mode: 0750
-- name: Configure /etc/raddb/certs/client.cnf
-  ini_file:
-    path: '/etc/raddb/certs/client.cnf'
-    section: "{{ item.key.split('.',1)[0] }}"
-    option:  "{{ item.key.split('.',1)[1] }}"
-    value:   "{{ (item.value is string)|ternary(item.value,omit) }}"
-    state:   "{{ (item.value is string)|ternary('present','absent') }}"
-  with_dict:
-    ' CA_default .default_days': '365'
-    'client.countryName': 'DK'
-    'client.stateOrProvinceName': 'Copenhagen'
-    'client.localityName': 'Frederiksberg'
-    'client.organizationName': 'Labitat'
-  tags: radius-certs
+- name: Add certbot deploy hook
+  copy:
+    dest: '/etc/letsencrypt/renewal-hooks/deploy/radius.sh'
+    src: 'radius/certbot.sh'
+    owner: root
+    group: root
+    mode: 0755
 #
 # radiusd.service
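Review bot: `mode: 0750` and `mode: 0755` are unquoted octal literals, which ansible-lint flags (`risky-octal`) because the YAML parser turns them into integers before Ansible sees them; write `mode: '0750'` and `mode: '0755'`, matching the quoting already used for `dest` and `src`. Both new tasks drop the `tags: radius-certs` that every removed task carried, so a `--tags radius-certs` run no longer reaches the certificate setup. Nothing in this hunk executes the copied `bootstrap` script, so on a fresh host `privkey.pem`, `fullchain.pem` and `dh` will not exist under `/etc/raddb/certs` until it is run by hand; if another task in the role does this it is not visible here, otherwise a `command: /etc/raddb/certs/bootstrap` task (with a handler that reloads radiusd) after the copy would close that gap.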
