From d43cdbc412d6548447d3d4c6238fc56c99e09d98 Mon Sep 17 00:00:00 2001
From: Emil Renner Berthing
Date: Tue, 19 Jan 2021 21:58:10 +0100
Subject: space_server: radius: use letsencrypt certificate

---
 roles/space_server/files/radius/bootstrap | 28 +++++++
 roles/space_server/files/radius/certbot.sh | 15 ++++
 roles/space_server/files/radius/mods-available/eap | 12 +--
 roles/space_server/files/radius/pythonpath.conf | 0
 .../files/radius/sites-available/labitat | 2 +-
 roles/space_server/tasks/radius.yml | 85 ++++------------------
 6 files changed, 64 insertions(+), 78 deletions(-)
 create mode 100755 roles/space_server/files/radius/bootstrap
 create mode 100755 roles/space_server/files/radius/certbot.sh
 mode change 100755 => 100644 roles/space_server/files/radius/pythonpath.conf

diff --git a/roles/space_server/files/radius/bootstrap b/roles/space_server/files/radius/bootstrap
new file mode 100755
index 0000000..376aa78
--- /dev/null
+++ b/roles/space_server/files/radius/bootstrap
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -e
+
+certname=space.labitat.dk
+privkey="/etc/letsencrypt/live/$certname/privkey.pem"
+fullchain="/etc/letsencrypt/live/$certname/fullchain.pem"
+
+umask 027
+cd "$(dirname $0)"
+
+if [ ! -f dh ]; then
+ openssl dhparam -out dh 2048
+ chown root:radiusd dh
+ chmod 640 dh
+fi
+
+if ! diff -q "$privkey" privkey.pem >/dev/null 2>&1; then
+ install -m640 -o root -g radiusd "$privkey" privkey.pem
+fi
+
+if ! diff -q "$fullchain" fullchain.pem >/dev/null 2>&1; then
+ install -m640 -o root -g radiusd "$fullchain" fullchain.pem
+fi
+
+openssl verify -untrusted fullchain.pem fullchain.pem
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/files/radius/certbot.sh b/roles/space_server/files/radius/certbot.sh
new file mode 100755
index 0000000..f6749a8
--- /dev/null
+++ b/roles/space_server/files/radius/certbot.sh
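Review bot: `openssl verify -untrusted fullchain.pem fullchain.pem` runs only after privkey.pem and fullchain.pem have already been installed into the certs directory, so with `set -e` a chain that fails verification is deployed anyway and the script merely exits non-zero afterwards. Verifying the source file first — `openssl verify -untrusted "$fullchain" "$fullchain"` placed before the two `install` blocks — keeps the previous working pair in place when the new one is bad. `cd "$(dirname $0)"` should also quote the inner expansion: `cd "$(dirname "$0")"`. The certificate name `space.labitat.dk` is hard-coded here and again in the case pattern of certbot.sh, which is easy to let drift.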
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+case "$RENEWED_LINEAGE" in
+*/space.labitat.dk)
+ install -m640 -o root -g radiusd \
+ "$RENEWED_LINEAGE/privkey.pem" \
+ "$RENEWED_LINEAGE/fullchain.pem" \
+ /etc/raddb/certs/
+ systemctl reload radiusd.service
+ ;;
+esac
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/files/radius/mods-available/eap b/roles/space_server/files/radius/mods-available/eap
index 2136414..938370c 100644
--- a/roles/space_server/files/radius/mods-available/eap
+++ b/roles/space_server/files/radius/mods-available/eap
@@ -181,8 +181,8 @@ eap {
 # authenticate via EAP-TLS! This is likely not what you want.
 #
 tls-config tls-common {
- private_key_password = whatever
- private_key_file = ${certdir}/server.pem
+ # private_key_password = whatever
+ private_key_file = ${certdir}/privkey.pem
 
 # If Private key & Certificate are located in
 # the same file, then private_key_file &
@@ -218,7 +218,7 @@ eap {
 # give advice which will work everywhere. Instead,
 # we give general guidelines.
 #
- certificate_file = ${certdir}/server.pem
+ certificate_file = ${certdir}/fullchain.pem
 
 # Trusted Root CA list
 #
@@ -231,7 +231,7 @@ eap {
 # In that case, this CA file should contain
 # *one* CA certificate.
 #
- ca_file = ${cadir}/ca.pem
+ # ca_file = ${cadir}/ca.pem
 
 # OpenSSL will automatically create certificate chains,
 # unless we tell it to not do that. The problem is that
@@ -392,8 +392,8 @@ eap {
 # tls_max_version.
 #
 # disable_tlsv1_2 = no
- disable_tlsv1_1 = yes
- disable_tlsv1 = yes
+ # disable_tlsv1_1 = yes
+ # disable_tlsv1 = yes
 
 # Set min / max TLS version. Mainly for Debian
 # "trusty", which disables older versions of TLS, and
diff --git a/roles/space_server/files/radius/pythonpath.conf b/roles/space_server/files/radius/pythonpath.conf
old mode 100755
new mode 100644
diff --git a/roles/space_server/files/radius/sites-available/labitat b/roles/space_server/files/radius/sites-available/labitat
index 6deb993..8b514f8 100644
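Review bot: The deploy hook re-implements the copy step from bootstrap but without its `openssl verify` check, so a renewed chain is written into /etc/raddb/certs and radiusd reloaded with no validation of what was installed. Since the commit already installs the bootstrap script, replacing the `install` invocation with `/etc/raddb/certs/bootstrap && systemctl reload radiusd.service` keeps a single code path and gets the verification for free — bootstrap reads from the live lineage and only replaces files whose content changed, which should hold after a renewal. Whether `systemctl reload radiusd.service` makes FreeRADIUS re-read its TLS key and chain, or a full restart is needed, cannot be determined from this diff and should be confirmed on the host; a one-line comment recording the answer above the `systemctl` line would help. The `*/space.labitat.dk)` pattern also duplicates the name hard-coded in bootstrap.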
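Review bot: In the last hunk (`@@ -392,8 +392,8 @@`), commenting out `disable_tlsv1_1 = yes` and `disable_tlsv1 = yes` reverses an explicit hardening setting, and nothing in the commit explains why switching to a Let's Encrypt certificate needs TLS 1.0/1.1 back. Unless `tls_min_version` in the block that follows (outside this hunk) pins the minimum to 1.2, the EAP TLS tunnel becomes negotiable down to TLS 1.0. If this is a client-compatibility workaround, keep the settings active and put the reason next to them; if it is only housekeeping, restore `disable_tlsv1_1 = yes` and `disable_tlsv1 = yes`. Commenting out `ca_file` in the third hunk reads as intentional now that the local CA is gone, but a short comment saying so would keep a future maintainer from re-enabling it.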
--- a/roles/space_server/files/radius/sites-available/labitat
+++ b/roles/space_server/files/radius/sites-available/labitat
@@ -15,7 +15,7 @@ server labitat {
 authorize {
 filter_username
 preprocess
- auth_log
+ #auth_log
 
 eap {
 ok = return
diff --git a/roles/space_server/tasks/radius.yml b/roles/space_server/tasks/radius.yml
index 614d1b7..7ea88b1 100644
--- a/roles/space_server/tasks/radius.yml
+++ b/roles/space_server/tasks/radius.yml
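Review bot: Commenting out `auth_log` in the `authorize` section of the labitat virtual server disables what is presumably the detail log of incoming authentication requests, which is unrelated to the Let's Encrypt change in the subject and is not mentioned anywhere in the commit. That log is the record of who attempted to authenticate and when, which is what an investigation of a suspicious login relies on. If it was disabled for noise or disk reasons, say so inline (`#auth_log  # disabled: <reason>`) or move it to its own commit; otherwise restore it. The `authorize` block continues outside the hunk.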
@@ -110,78 +110,21 @@
 #
 # certificates
 #
-- name: Configure /etc/raddb/certs/passwords.mk
- replace:
- path: '/etc/raddb/certs/passwords.mk'
- regexp: '^CA_DEFAULT_DAYS( *= *).*$'
- replace: "CA_DEFAULT_DAYS\\1'3652'"
- tags: radius-certs
-
-- name: Configure /etc/raddb/certs/ca.cnf
- ini_file:
- path: '/etc/raddb/certs/ca.cnf'
- section: "{{ item.key.split('.',1)[0] }}"
- option: "{{ item.key.split('.',1)[1] }}"
- value: "{{ (item.value is string)|ternary(item.value,omit) }}"
- state: "{{ (item.value is string)|ternary('present','absent') }}"
- with_dict:
- ' CA_default .default_days': '3652'
- 'certificate_authority.countryName': 'DK'
- 'certificate_authority.stateOrProvinceName': 'Copenhagen'
- 'certificate_authority.localityName': 'Frederiksberg'
- 'certificate_authority.organizationName': 'Labitat'
- 'certificate_authority.emailAddress': 'noc@labitat.dk'
- 'certificate_authority.commonName': '"Labitat Network Infrastructure CA"'
- tags: radius-certs
-
-- name: Configure /etc/raddb/certs/server.cnf
- ini_file:
- path: '/etc/raddb/certs/server.cnf'
- section: "{{ item.key.split('.',1)[0] }}"
- option: "{{ item.key.split('.',1)[1] }}"
- value: "{{ (item.value is string)|ternary(item.value,omit) }}"
- state: "{{ (item.value is string)|ternary('present','absent') }}"
- with_dict:
- ' CA_default .default_days': '731'
- 'server.countryName': 'DK'
- 'server.stateOrProvinceName': 'Copenhagen'
- 'server.localityName': 'Frederiksberg'
- 'server.organizationName': 'Labitat'
- 'server.emailAddress': 'noc@labitat.dk'
- 'server.commonName': '"Labitat Radius Authentication 2020"'
- tags: radius-certs
-
-- name: Configure /etc/raddb/certs/inner-server.cnf
- ini_file:
- path: '/etc/raddb/certs/inner-server.cnf'
- section: "{{ item.key.split('.',1)[0] }}"
- option: "{{ item.key.split('.',1)[1] }}"
- value: "{{ (item.value is string)|ternary(item.value,omit) }}"
- state: "{{ (item.value is string)|ternary('present','absent') }}"
- with_dict:
- ' CA_default .default_days': '731'
- 'server.countryName': 'DK'
- 'server.stateOrProvinceName': 'Copenhagen'
- 'server.localityName': 'Frederiksberg'
- 'server.organizationName': 'Labitat'
- 'server.emailAddress': 'noc@labitat.dk'
- 'server.commonName': '"Labitat Radius Inner Server Certificate 2020"'
- tags: radius-certs
+- name: Create our certificates bootstrap script
+ copy:
+ dest: '/etc/raddb/certs/bootstrap'
+ src: 'radius/bootstrap'
+ owner: root
+ group: radiusd
+ mode: 0750
 
-- name: Configure /etc/raddb/certs/client.cnf
- ini_file:
- path: '/etc/raddb/certs/client.cnf'
- section: "{{ item.key.split('.',1)[0] }}"
- option: "{{ item.key.split('.',1)[1] }}"
- value: "{{ (item.value is string)|ternary(item.value,omit) }}"
- state: "{{ (item.value is string)|ternary('present','absent') }}"
- with_dict:
- ' CA_default .default_days': '365'
- 'client.countryName': 'DK'
- 'client.stateOrProvinceName': 'Copenhagen'
- 'client.localityName': 'Frederiksberg'
- 'client.organizationName': 'Labitat'
- tags: radius-certs
+- name: Add certbot deploy hook
+ copy:
+ dest: '/etc/letsencrypt/renewal-hooks/deploy/radius.sh'
+ src: 'radius/certbot.sh'
+ owner: root
+ group: root
+ mode: 0755
 
 #
 # radiusd.service
-- 
cgit v1.2.1
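Review bot: Both new tasks drop the `tags: radius-certs` that every removed task carried, so `--tags radius-certs` no longer selects the certificate setup; add `tags: radius-certs` to each. Nothing in this hunk executes `/etc/raddb/certs/bootstrap` after copying it, so on a fresh host privkey.pem, fullchain.pem and dh do not exist until something else runs it — if no later task outside the hunk does, add a `command: /etc/raddb/certs/bootstrap` task (its own `diff -q` checks make reruns cheap, though Ansible will still report it as changed unless a `changed_when` is given). The deploy-hook task also assumes `/etc/letsencrypt/renewal-hooks/deploy/` already exists, since `copy` does not create parent directories; a preceding `file: state: directory` task or a stated dependency on the certbot role would make that explicit.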