From ffa4504f81c0abecc62b068951ec147741028128 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 09:09:30 +0200 Subject: seperate cert and key deployment (#3918) --- puppet/modules/site_config/manifests/x509/cert.pp | 10 ++++++++++ puppet/modules/site_config/manifests/x509/cert_key.pp | 15 --------------- puppet/modules/site_config/manifests/x509/key.pp | 9 +++++++++ puppet/modules/site_couchdb/manifests/stunnel.pp | 12 ++++++++---- puppet/modules/site_mx/manifests/init.pp | 3 ++- puppet/modules/site_nickserver/manifests/init.pp | 6 ++++-- puppet/modules/site_openvpn/manifests/init.pp | 6 ++++-- puppet/modules/site_postfix/manifests/mx.pp | 6 ++++-- puppet/modules/site_stunnel/manifests/clients.pp | 3 ++- puppet/modules/site_webapp/manifests/apache.pp | 3 ++- puppet/modules/site_webapp/manifests/init.pp | 3 ++- puppet/modules/soledad/manifests/server.pp | 6 ++++-- 12 files changed, 51 insertions(+), 31 deletions(-) create mode 100644 puppet/modules/site_config/manifests/x509/cert.pp delete mode 100644 puppet/modules/site_config/manifests/x509/cert_key.pp create mode 100644 puppet/modules/site_config/manifests/x509/key.pp diff --git a/puppet/modules/site_config/manifests/x509/cert.pp b/puppet/modules/site_config/manifests/x509/cert.pp new file mode 100644 index 00000000..7ed42959 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/cert.pp @@ -0,0 +1,10 @@ +class site_config::x509::cert { + + $x509 = hiera('x509') + $cert = $x509['cert'] + + x509::cert { $site_config::params::cert_name: + content => $cert + } + +} diff --git a/puppet/modules/site_config/manifests/x509/cert_key.pp b/puppet/modules/site_config/manifests/x509/cert_key.pp deleted file mode 100644 index d55c6cf2..00000000 --- a/puppet/modules/site_config/manifests/x509/cert_key.pp +++ /dev/null @@ -1,15 +0,0 @@ -class site_config::x509::cert_key { - - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - - x509::key { $site_config::params::cert_name: - content => $key - } - - x509::cert { $site_config::params::cert_name: - content => $cert - } - -} diff --git a/puppet/modules/site_config/manifests/x509/key.pp b/puppet/modules/site_config/manifests/x509/key.pp new file mode 100644 index 00000000..32b59726 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/key.pp @@ -0,0 +1,9 @@ +class site_config::x509::key { + + $x509 = hiera('x509') + $key = $x509['key'] + + x509::key { $site_config::params::cert_name: + content => $key + } +} diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 7ba303fe..87c35f05 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -20,7 +20,8 @@ class site_couchdb::stunnel { - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca include x509::variables @@ -41,7 +42,8 @@ class site_couchdb::stunnel { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4', require => [ - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; } @@ -60,7 +62,8 @@ class site_couchdb::stunnel { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4', require => [ - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; } @@ -89,7 +92,8 @@ class site_couchdb::stunnel { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4', require => [ - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; } diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 527dc4a5..52c5f1d6 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -2,7 +2,8 @@ class site_mx { tag 'leap_service' Class['site_config::default'] -> Class['site_mx'] - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca include site_config::x509::client_ca diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index a12ed3a2..bf0511d5 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -38,7 +38,8 @@ class site_nickserver { $address_domain = $domain['full_suffix'] - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca # @@ -126,7 +127,8 @@ class site_nickserver { hasstatus => true, require => [ File['/etc/init.d/nickserver'], - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; } diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 6ab0d430..bf72c8d6 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -20,7 +20,8 @@ class site_openvpn { tag 'leap_service' - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca_bundle @@ -140,7 +141,8 @@ class site_openvpn { require => [ Package['openvpn'], File['/etc/openvpn'], - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca_bundle'] ]; } diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 32465e01..d56b526f 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -8,7 +8,8 @@ class site_postfix::mx { $root_mail_recipient = $mx_hash['contact'] $postfix_smtp_listen = 'all' - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::client_ca postfix::config { @@ -48,7 +49,8 @@ submission inet n - n - - smtpd -o smtpd_recipient_restrictions=\$submission_recipient_restrictions -o smtpd_helo_restrictions=\$submission_helo_restrictions", require => [ - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Client_ca'], User['vmail'] ] } diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp index b2c8db1f..791fdbc5 100644 --- a/puppet/modules/site_stunnel/manifests/clients.pp +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -23,7 +23,8 @@ define site_stunnel::clients ( rndfile => $rndfile, debuglevel => $debuglevel, require => [ - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; } diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index d604b00f..062344d7 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -12,7 +12,8 @@ class site_webapp::apache { $commercial_cert = $x509['commercial_cert'] $commercial_root = $x509['commercial_ca_cert'] - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca include x509::variables diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 4b06cea6..ff230417 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -17,7 +17,8 @@ class site_webapp { include site_webapp::apache include site_webapp::couchdb include site_webapp::haproxy - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca group { 'leap-webapp': diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index 0c073443..6ccd934a 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -9,7 +9,8 @@ class soledad::server { $couchdb_user = $couchdb['couchdb_admin_user']['username'] $couchdb_password = $couchdb['couchdb_admin_user']['password'] - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca $soledad = hiera('soledad') @@ -52,7 +53,8 @@ class soledad::server { require => [ Class['soledad'], Package['soledad-server'], - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; } -- cgit v1.2.3 From 9fae612bd8d147321e0cb553610fcaf0140e84eb Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 09:23:54 +0200 Subject: move commercial x509 deployment to site_x509 (Feature #3889) --- .../templates/vhosts.d/leap_webapp.conf.erb | 6 ++-- puppet/modules/site_config/manifests/params.pp | 10 ++++--- .../site_config/manifests/x509/commercial/ca.pp | 9 ++++++ .../site_config/manifests/x509/commercial/cert.pp | 10 +++++++ .../site_config/manifests/x509/commercial/key.pp | 9 ++++++ puppet/modules/site_webapp/manifests/apache.pp | 35 ++++------------------ 6 files changed, 43 insertions(+), 36 deletions(-) create mode 100644 puppet/modules/site_config/manifests/x509/commercial/ca.pp create mode 100644 puppet/modules/site_config/manifests/x509/commercial/cert.pp create mode 100644 puppet/modules/site_config/manifests/x509/commercial/key.pp diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 3b376839..6059453b 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -16,9 +16,9 @@ SSLHonorCipherOrder on SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile /etc/ssl/certs/leap_webapp.pem - SSLCertificateKeyFile /etc/x509/keys/leap_webapp.key - SSLCertificateFile /etc/x509/certs/leap_webapp.crt + SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt + SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt RequestHeader set X_FORWARDED_PROTO 'https' diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index 008a4e1f..59a161e8 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -23,8 +23,10 @@ class site_config::params { fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json") } - $ca_name = 'leap_ca' - $client_ca_name = 'leap_client_ca' - $ca_bundle_name = 'leap_ca_bundle' - $cert_name = 'leap' + $ca_name = 'leap_ca' + $client_ca_name = 'leap_client_ca' + $ca_bundle_name = 'leap_ca_bundle' + $cert_name = 'leap' + $commercial_ca_name = 'leap_commercial_ca' + $commercial_cert_name = 'leap_commercial' } diff --git a/puppet/modules/site_config/manifests/x509/commercial/ca.pp b/puppet/modules/site_config/manifests/x509/commercial/ca.pp new file mode 100644 index 00000000..8f35759f --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/commercial/ca.pp @@ -0,0 +1,9 @@ +class site_config::x509::commercial::ca { + + $x509 = hiera('x509') + $ca = $x509['commercial_ca_cert'] + + x509::ca { $site_config::params::commercial_ca_name: + content => $ca + } +} diff --git a/puppet/modules/site_config/manifests/x509/commercial/cert.pp b/puppet/modules/site_config/manifests/x509/commercial/cert.pp new file mode 100644 index 00000000..0c71a705 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/commercial/cert.pp @@ -0,0 +1,10 @@ +class site_config::x509::commercial::cert { + + $x509 = hiera('x509') + $cert = $x509['commercial_cert'] + + x509::cert { $site_config::params::commercial_cert_name: + content => $cert + } + +} diff --git a/puppet/modules/site_config/manifests/x509/commercial/key.pp b/puppet/modules/site_config/manifests/x509/commercial/key.pp new file mode 100644 index 00000000..d32e85ef --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/commercial/key.pp @@ -0,0 +1,9 @@ +class site_config::x509::commercial::key { + + $x509 = hiera('x509') + $key = $x509['commercial_key'] + + x509::key { $site_config::params::commercial_cert_name: + content => $key + } +} diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 062344d7..6a199b9e 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -7,20 +7,14 @@ class site_webapp::apache { $web_domain = hiera('domain') $domain_name = $web_domain['name'] - $x509 = hiera('x509') - $commercial_key = $x509['commercial_key'] - $commercial_cert = $x509['commercial_cert'] - $commercial_root = $x509['commercial_ca_cert'] - - include site_config::x509::cert - include site_config::x509::key - include site_config::x509::ca - include x509::variables + include site_config::x509::commercial::cert + include site_config::x509::commercial::key + include site_config::x509::commercial::ca - X509::Cert[$site_config::params::cert_name] ~> Service[apache] - X509::Key[$site_config::params::cert_name] ~> Service[apache] - X509::Ca[$site_config::params::ca_name] ~> Service[apache] + Class['Site_config::X509::Commercial::Key'] ~> Service[apache] + Class['Site_config::X509::Commercial::Cert'] ~> Service[apache] + Class['Site_config::X509::Commercial::Ca'] ~> Service[apache] class { '::apache': no_default_site => true, ssl => true } @@ -40,21 +34,4 @@ class site_webapp::apache { content => template('site_apache/vhosts.d/api.conf.erb') } - x509::key { - 'leap_webapp': - content => $commercial_key, - notify => Service[apache]; - } - - x509::cert { - 'leap_webapp': - content => $commercial_cert, - notify => Service[apache]; - } - - x509::ca { - 'leap_webapp': - content => $commercial_root, - notify => Service[apache]; - } } -- cgit v1.2.3 From 02f17c426e6288f898a66a1a687b413ffe9a9b95 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 11:01:19 +0200 Subject: Webapp doesn't serve commercial cert (Bug #3916) --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 9e2dbcaf..5f1f4c1d 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -7,8 +7,7 @@ Listen 0.0.0.0:<%= api_port %> > - ServerName <%= domain_name %> - ServerAlias <%= api_domain %> + ServerName <%= api_domain %> SSLEngine on SSLProtocol -all +SSLv3 +TLSv1 -- cgit v1.2.3 From abb03cd19389188c38ccaeb96e3136cac5397563 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 17:15:35 +0200 Subject: https://bitmask.net/ca.crt gives 403 Forbidden (Bug #3919) --- puppet/modules/site_webapp/manifests/init.pp | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index ff230417..e630875c 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -17,8 +17,7 @@ class site_webapp { include site_webapp::apache include site_webapp::couchdb include site_webapp::haproxy - include site_config::x509::cert - include site_config::x509::key + include site_config::x509::cert_key include site_config::x509::ca group { 'leap-webapp': @@ -75,7 +74,7 @@ class site_webapp { '/srv/leap/webapp/public/ca.crt': ensure => link, require => Vcsrepo['/srv/leap/webapp'], - target => '/usr/local/share/ca-certificates/leap_api.crt'; + target => "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"; "/srv/leap/webapp/public/${api_version}": ensure => directory, -- cgit v1.2.3