From c5a1327b68fdc9194e927573696f71943bf21359 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Mon, 16 Nov 2020 01:36:33 +0100 Subject: [PATCH] fix broken CA certificates by including the required CA extensions Previously several applications/libraries would complain that the CA is invalid due to the missing CA:TRUE attribute. It is *assumed* that the previous behaviour was intentional, because creating a CA cert with certutil expects user input, which is not possible when running this command with Puppet. This commit uses openssl to create CA certificates, which involves more steps, but reliably produces a fully functional CA. --- .fixtures.yml | 1 + CHANGELOG.md | 12 +++ README.md | 43 ++++++++++ manifests/instance.pp | 143 +++++++++++++++++++++++++--------- metadata.json | 4 + spec/classes/ds389_spec.rb | 46 +++++++++-- spec/defines/instance_spec.rb | 64 ++++++--------- templates/openssl_ca.cnf.epp | 15 ++++ 8 files changed, 243 insertions(+), 85 deletions(-) create mode 100644 templates/openssl_ca.cnf.epp diff --git a/.fixtures.yml b/.fixtures.yml index 751824f..e01d66e 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -6,6 +6,7 @@ fixtures: "concat": "git://github.com/puppetlabs/puppetlabs-concat.git" "facts": "https://github.com/puppetlabs/puppetlabs-facts.git" "inifile": "git://github.com/puppetlabs/puppetlabs-inifile.git" + "openssl": "https://github.com/camptocamp/puppet-openssl.git" "provision": "https://github.com/puppetlabs/provision.git" "puppet_agent": "https://github.com/puppetlabs/puppetlabs-puppet_agent.git" "stdlib": "git://github.com/puppetlabs/puppetlabs-stdlib.git" diff --git a/CHANGELOG.md b/CHANGELOG.md index 8540d25..93f00df 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -5,8 +5,20 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). ## [Unreleased] +This release fixes a major bug when using self-signed certificates. In previous +releases the internal CA certificate was created without the required +extensions. As a result, using LDAPS could lead to various SSL errors. Note +that only *new* CA certificates will benefit from this bugfix. The README +contains instructions to purge the existing SSL certificates. + +### Added +* Add new dependency: camptocamp/openssl + +### Changed +* Use camptocamp/openssl to generate CA certificates ### Fixed +* Fix broken CA certificates by including the required CA extensions * Fix missing newline in cert bundle ## [2.1.0] - 2020-11-07 diff --git a/README.md b/README.md index 0dc1f1a..820c5a4 100644 --- a/README.md +++ b/README.md @@ -24,6 +24,7 @@ - [Modifying existing LDIF data](#modifying-existing-ldif-data) - [Adding new LDIF data](#adding-new-ldif-data) - [Adding baseline LDIF data](#adding-baseline-ldif-data) + - [Recreate SSL certs](#recreate-ssl-certs) 1. [Reference](#reference) 1. [Limitations](#limitations) - [Supported versions](#supported-versions) 
@@ -358,6 +359,48 @@ ds_389::instance { 'example': Note that while you can declare these via the `ds_389::add` define, puppet's resource load ordering may potentially result in it attempting to add the ldif before a configuration change that it requires. +### Recreate SSL certs + +Currently some manual steps are required to regenerate the SSL certificates. A new Bolt task would be nice, PRs welcome. :) + +As always, create a backup before attempting this procedure. + +Run the following shell commands as root to remove the existing certificates: + +```shell +export LDAP_INSTANCE="my-instance-name" + +test -d /etc/dirsrv/slapd-${LDAP_INSTANCE} || exit 1 + +systemctl stop dirsrv@${LDAP_INSTANCE} + +dd if=/dev/random count=1024 | sha256sum | awk '{print $1}' > /tmp/noisefile-${LDAP_INSTANCE} +cut -d: -f2 /etc/dirsrv/slapd-${LDAP_INSTANCE}/pin.txt > /tmp/passfile-${LDAP_INSTANCE} + +rm -f /etc/dirsrv/slapd-${LDAP_INSTANCE}/${LDAP_INSTANCE}CA.cnf \ + /etc/dirsrv/slapd-${LDAP_INSTANCE}/${LDAP_INSTANCE}CA-Key.pem \ + /etc/dirsrv/slapd-${LDAP_INSTANCE}/${LDAP_INSTANCE}CA.p12 \ + /etc/dirsrv/slapd-${LDAP_INSTANCE}/${LDAP_INSTANCE}CA.pem \ + /etc/dirsrv/slapd-${LDAP_INSTANCE}/${LDAP_INSTANCE}Cert-Key.pem \ + /etc/dirsrv/slapd-${LDAP_INSTANCE}/${LDAP_INSTANCE}Cert.pem \ + /etc/dirsrv/slapd-${LDAP_INSTANCE}/ssl_config.done \ + /etc/dirsrv/slapd-${LDAP_INSTANCE}/ssl.done \ + /etc/dirsrv/slapd-${LDAP_INSTANCE}/ssl_enable.done \ + /etc/dirsrv/slapd-${LDAP_INSTANCE}/ssl.ldif + +certutil -D -n "${LDAP_INSTANCE}Cert" -d /etc/dirsrv/slapd-${LDAP_INSTANCE} +certutil -D -n "${LDAP_INSTANCE}CA" -d /etc/dirsrv/slapd-${LDAP_INSTANCE} +``` + +Next edit `/etc/dirsrv/slapd-${LDAP_INSTANCE}/dse.ldif` and remove the following entries including their attributes: + +``` + cn=AES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config + cn=3DES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config +``` + +Afterwards run Puppet to regenerate 
both the CA and the server certificates. + ## Reference Classes and parameters are documented in [REFERENCE.md](REFERENCE.md). diff --git a/manifests/instance.pp b/manifests/instance.pp index e103b1b..f51c87f 100644 --- a/manifests/instance.pp +++ b/manifests/instance.pp @@ -242,6 +242,14 @@ $sans = undef } + # Certificate attributes and filenames. + $ca_key = "${instance_path}/${server_id}CA-Key.pem" + $ca_conf = "${instance_path}/${server_id}CA.cnf" + $ca_cert = "${instance_path}/${server_id}CA.pem" + $ca_p12 = "${instance_path}/${server_id}CA.p12" + $ca_nickname = "${server_id}CA" + $ssl_cert_name = "${server_id}Cert" + # Create noise file. $temp_noise_file = "/tmp/noisefile-${server_id}" $temp_pass_file = "/tmp/passfile-${server_id}" @@ -254,7 +262,7 @@ notify => Exec["Generate password file: ${server_id}"], } - # Create pwd file. + # Create password file. exec { "Generate password file: ${server_id}": command => "echo ${root_dn_pass} > ${temp_pass_file}", path => $ds_389::path, 
@@ -262,28 +270,72 @@ notify => Exec["Create cert DB: ${server_id}"], } - # Create cert db. - exec { "Create cert DB: ${server_id}": + # Create nss db. + -> exec { "Create cert DB: ${server_id}": command => "certutil -N -d ${instance_path} -f ${temp_pass_file}", path => $ds_389::path, refreshonly => true, - notify => Exec["Generate key pair: ${server_id}"], + notify => Ssl_pkey["Generate CA private key: ${server_id}"], + } + + # Generate the private key for the CA. + -> ssl_pkey { "Generate CA private key: ${server_id}": + ensure => 'present', + name => $ca_key, + size => 4096, + } + + # Fix permissions of CA private key. + -> file { "Fix permissions of CA private key: ${server_id}": + ensure => 'present', + name => $ca_key, + mode => '0640', + owner => $user, + group => $group, + } + + # Create the OpenSSL config template for the CA cert. + -> file { "Create CA config: ${server_id}": + ensure => 'present', + name => $ca_conf, + content => epp('ds_389/openssl_ca.cnf.epp',{ + dc => $facts['networking']['fqdn'], + cn => $ca_nickname, + }), } - # Generate key pair. - exec { "Generate key pair: ${server_id}": - command => "certutil -G -d ${instance_path} -g 4096 -z ${temp_noise_file} -f ${temp_pass_file}", + # Create the CA certificate. + -> x509_cert { "Create CA cert: ${server_id}": + ensure => 'present', + name => $ca_cert, + template => $ca_conf, + private_key => $ca_key, + days => 3650, + req_ext => false, + } + + # Export CA cert to pkcs12, which is required for import into nss db. + # TODO: openssl::export::pkcs12 cannot be used, because it does not support + # a password file (yet). 
+ -> exec { "Prepare CA cert for import (pkcs12): ${server_id}": + cwd => $instance_path, + command => "openssl pkcs12 -export -in ${ca_cert} -inkey ${ca_key} -out ${ca_p12} -password file:${temp_pass_file}", path => $ds_389::path, refreshonly => true, - notify => Exec["Make ca cert and add to database: ${server_id}"], + subscribe => [ + X509_cert["Create CA cert: ${server_id}"], + ], } - # Make certs and add to database. - exec { "Make ca cert and add to database: ${server_id}": + # Import CA cert+key into nss db. + -> exec { "Import CA cert: ${server_id}": cwd => $instance_path, - command => "certutil -S -n \"${server_id}CA\" -s \"cn=${server_id}CA,dc=${server_host}\" -x -t \"CT,,\" -v 120 -d ${instance_path} -k rsa -z ${temp_noise_file} -f ${temp_pass_file} ; sleep 2", # lint:ignore:140chars + command => "pk12util -i ${ca_p12} -d sql:${instance_path} -k ${temp_pass_file} -w ${temp_pass_file}", path => $ds_389::path, refreshonly => true, + subscribe => [ + X509_cert["Create CA cert: ${server_id}"], + ], notify => [ Exec["Make server cert and add to database: ${server_id}"], Exec["Clean up temp files: ${server_id}"], 
@@ -291,18 +343,48 @@ ], } - exec { "Add trust for CA: ${server_id}": - command => "certutil -M -n \"${server_id}CA\" -t CT,, -d ${instance_path}", + # Change nickname to make it clear that this is the CA cert. + -> exec { "Fix name of imported CA: ${server_id}": + cwd => $instance_path, + command => "certutil --rename -n \"${ca_nickname} - ${facts['networking']['fqdn']}\" --new-n \"${ca_nickname}\" -d sql:${instance_path}", # lint:ignore:140chars + path => $ds_389::path, + refreshonly => true, + subscribe => [ + X509_cert["Create CA cert: ${server_id}"], + ], + } + + # Configure trust attributes. + -> exec { "Add trust for CA: ${server_id}": + command => "certutil -M -n \"${ca_nickname}\" -t CT,C,C -d ${instance_path} -f ${temp_pass_file}", + path => $ds_389::path, + unless => "certutil -L -d ${instance_path} | grep \"${ca_nickname}\" | grep \"CTu,Cu,Cu\"", + subscribe => [ + X509_cert["Create CA cert: ${server_id}"], + ], + notify => Exec["Export CA cert: ${server_id}"], + } + + # Export ca cert. + -> exec { "Export CA cert: ${server_id}": + cwd => $instance_path, + command => "certutil -d ${instance_path} -L -n \"${ca_nickname}\" -a > ${ca_cert}", path => $ds_389::path, - unless => "certutil -L -d ${instance_path} | grep \"${server_id}CA\" | grep \"CT\"", - notify => Exec["Export CA cert: ${server_id}"], + creates => $ca_cert, } - # Make server cert and add to database. - $ssl_cert_name = "${server_id}Cert" + # Copy ca cert to openldap. + -> file { "${ds_389::cacerts_path}/${server_id}CA.pem": + ensure => file, + source => $ca_cert, + require => Exec["Export CA cert: ${server_id}"], + notify => Exec["Rehash cacertdir: ${server_id}"], + } + + # Create server cert and add to database. 
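Review bot: `Fix permissions of CA private key` hands the new plaintext CA key at `${instance_path}/${server_id}CA-Key.pem` to the instance user (`owner => $user`, `mode => '0640'`), yet nothing in this hunk reads the key as that user: `x509_cert` and the `openssl pkcs12 -export` exec run under the Puppet agent, and the server certificate is later issued from the NSS DB with `certutil -S -c "${ca_nickname}"`, so the old code's property that the CA key existed only inside the pin-protected NSS DB is given up without need. I would make that resource `owner => 'root', group => 'root', mode => '0600'` and add a comment stating why the PEM is kept at all after the `pk12util` import (`ssl_pkey` presumably writes the file under the agent's umask before the file resource tightens it — confirm the provider sets a restrictive mode itself). Separately, `pk12util -d sql:${instance_path}` addresses the database with an explicit `sql:` prefix while `certutil -N -d ${instance_path}` created it without one; on an NSS build that still defaults to dbm these are different databases, so use one form in every call. Passing `-name "${ca_nickname}"` to `openssl pkcs12 -export` would also make the imported nickname deterministic instead of relying on the `"${ca_nickname} - <fqdn>"` name the later rename exec expects. The enclosing `ds_389::instance` define starts and ends outside this hunk.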
exec { "Make server cert and add to database: ${server_id}": cwd => $instance_path, - command => "certutil -S -n \"${ssl_cert_name}\" -m 101 -s \"cn=${server_host}\" -c \"${server_id}CA\" -t \"u,u,u\" -v 120 -d ${instance_path} -k rsa -z ${temp_noise_file} -f ${temp_pass_file} ${sans} ; sleep 2", # lint:ignore:140chars + command => "certutil -S -n \"${ssl_cert_name}\" -m 101 -s \"cn=${server_host}\" -c \"${ca_nickname}\" -t \"u,u,u\" -v 120 -d ${instance_path} -k rsa -z ${temp_noise_file} -f ${temp_pass_file} ${sans} && sleep 2", # lint:ignore:140chars path => $ds_389::path, refreshonly => true, notify => [ @@ -312,7 +394,8 @@ ], } - exec { "Add trust for server cert: ${server_id}": + # Configure trust attributes. + -> exec { "Add trust for server cert: ${server_id}": command => "certutil -M -n \"${ssl_cert_name}\" -t u,u,u -d ${instance_path}", path => $ds_389::path, unless => "certutil -L -d ${instance_path} | grep \"${ssl_cert_name}\" | grep \"u,u,u\"", 
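Review bot: `Add trust for CA` now applies `-t CT,C,C`, which also marks this CA as trusted to issue email and object-signing certificates; LDAPS needs only the SSL slot, so unless the wider flags were needed for a reason the commit message does not give, `-t CT,,` with the `unless` pattern changed to `CTu,u,u` keeps the trust as narrow as the old code. That exec is not `refreshonly` but now passes `-f ${temp_pass_file}`, a file that `Clean up temp files` removes at the end of the run, so on any later run where the `unless` check fails certutil is invoked with a missing password file; either guard on the file existing or drop the dependency. `Export CA cert` keeps `creates => $ca_cert`, but `$ca_cert` is already written by `x509_cert` earlier in the chain, so this export and the notify into it never fire — harmless, but it should be removed or its purpose commented. The enclosing `ds_389::instance` define starts and ends outside this hunk.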
@@ -320,30 +403,14 @@ } # Set perms on database directory. - exec { "Set permissions on database directory: ${server_id}": + -> exec { "Set permissions on database directory: ${server_id}": command => "chown ${user}:${group} ${instance_path}", path => $ds_389::path, refreshonly => true, } - # Export ca cert. - exec { "Export CA cert: ${server_id}": - cwd => $instance_path, - command => "certutil -d ${instance_path} -L -n \"${server_id}CA\" -a > ${server_id}CA.pem", - path => $ds_389::path, - creates => "${instance_path}/${server_id}CA.pem", - } - - # Copy ca cert to openldap. - file { "${ds_389::cacerts_path}/${server_id}CA.pem": - ensure => file, - source => "${instance_path}/${server_id}CA.pem", - require => Exec["Export CA cert: ${server_id}"], - notify => Exec["Rehash cacertdir: ${server_id}"], - } - - # Remove temp files (pwd and noise). - exec { "Clean up temp files: ${server_id}": + # Remove temp files (passwd and noise). + -> exec { "Clean up temp files: ${server_id}": command => "rm -f ${temp_noise_file} ${temp_pass_file}", path => $ds_389::path, refreshonly => true, diff --git a/metadata.json b/metadata.json index d92d48a..507d128 100644 --- a/metadata.json +++ b/metadata.json @@ -16,6 +16,10 @@ "name": "puppetlabs-inifile", "version_requirement": ">=3.0.0 <5.0.0" }, + { + "name": "camptocamp-openssl", + "version_requirement": ">=1.14.0 <2.0.0" + }, { "name": "puppetlabs-stdlib", "version_requirement": ">=4.25.0 <7.0.0" diff --git a/spec/classes/ds389_spec.rb b/spec/classes/ds389_spec.rb index 2972de3..0428884 100644 --- a/spec/classes/ds389_spec.rb +++ b/spec/classes/ds389_spec.rb 
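Review bot: `Clean up temp files` still removes only the noise and password files, so the PKCS#12 bundle at `$ca_p12`, which carries the CA private key protected by nothing stronger than `$root_dn_pass`, stays in the instance directory indefinitely although it is needed only for the one-off `pk12util` import. Since `Prepare CA cert for import (pkcs12)` is `refreshonly` and subscribed to the CA cert, it rebuilds the bundle whenever the cert changes, so the cleanup can safely become `command => "rm -f ${temp_noise_file} ${temp_pass_file} ${ca_p12}",`. The `chown ${user}:${group} ${instance_path}` in `Set permissions on database directory` is not recursive and therefore leaves the ownership of the key files created earlier untouched; a one-line comment saying that this is intentional would help the next reader. The enclosing `ds_389::instance` define starts and ends outside this hunk.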
@@ -1,9 +1,33 @@ require 'spec_helper' describe 'ds_389' do + # content blocks + let(:openssl_ca_cnf) do + '[ req ] +default_bits = 4096 +default_md = sha256 +distinguished_name = req_distinguished_name +prompt = no +x509_extensions = v3_ca + +[ req_distinguished_name ] +DC = foo.example.com +CN = fooCA + +[ v3_ca ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = CA:true +' + end + on_supported_os(facterversion: '2.4').each do |os, os_facts| context "on #{os}" do - let(:facts) { os_facts } + let(:facts) do + os_facts.merge( + networking: { fqdn: 'foo.example.com' }, + ) + end context 'without any parameters' do it { is_expected.to compile } 
@@ -210,18 +234,30 @@ it { is_expected.to contain_ds_389__instance('foo') } it { is_expected.to contain_ds_389__service('foo') } it { is_expected.to contain_ds_389__ssl('foo') } - it { is_expected.to contain_exec('Add trust for CA: foo') } - it { is_expected.to contain_exec('Add trust for server cert: foo') } it { is_expected.to contain_exec('Clean up temp files: foo') } it { is_expected.to contain_exec('Create cert DB: foo') } it { is_expected.to contain_exec('Export CA cert: foo') } it { is_expected.to contain_exec('Export server cert: foo') } - it { is_expected.to contain_exec('Generate key pair: foo') } + it { is_expected.to contain_ssl_pkey('Generate CA private key: foo') } it { is_expected.to contain_exec('Generate noise file: foo') } it { is_expected.to contain_exec('Generate password file: foo') } it { is_expected.to contain_exec('Import ssl ldif: foo') } - it { is_expected.to contain_exec('Make ca cert and add to database: foo') } + + it { + is_expected.to contain_file('Create CA config: foo').with( + ensure: 'present', + content: openssl_ca_cnf, + ) + } + it { is_expected.to contain_x509_cert('Create CA cert: foo') } + it { is_expected.to contain_exec('Prepare CA cert for import (pkcs12): foo') } + it { is_expected.to contain_exec('Import CA cert: foo') } + it { is_expected.to contain_exec('Fix name of imported CA: foo') } + it { is_expected.to contain_exec('Add trust for CA: foo') } + it { is_expected.to contain_exec('Make server cert and add to database: foo') } + it { is_expected.to contain_exec('Add trust for server cert: foo') } + it { is_expected.to contain_exec('Rehash cacertdir: foo') } it { is_expected.to contain_exec('Restart foo to enable SSL') } it { is_expected.to contain_exec('Set permissions on database directory: foo') } diff --git a/spec/defines/instance_spec.rb b/spec/defines/instance_spec.rb index 2df96c2..18fcbf7 100644 --- a/spec/defines/instance_spec.rb +++ b/spec/defines/instance_spec.rb 
@@ -168,44 +168,34 @@ command: 'certutil -N -d /etc/dirsrv/slapd-specdirectory -f /tmp/passfile-specdirectory', path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin', refreshonly: true, - ).that_notifies('Exec[Generate key pair: specdirectory]') + ).that_notifies('Ssl_pkey[Generate CA private key: specdirectory]') } it { - is_expected.to contain_exec('Generate key pair: specdirectory').with( - command: 'certutil -G -d /etc/dirsrv/slapd-specdirectory -g 4096 -z /tmp/noisefile-specdirectory -f /tmp/passfile-specdirectory', - path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin', - refreshonly: true, - ).that_notifies('Exec[Make ca cert and add to database: specdirectory]') + is_expected.to contain_ssl_pkey('Generate CA private key: specdirectory').with( + size: 4096, + ) } it { - is_expected.to contain_exec('Make ca cert and add to database: specdirectory').with( - cwd: '/etc/dirsrv/slapd-specdirectory', - command: 'certutil -S -n "specdirectoryCA" -s "cn=specdirectoryCA,dc=foo.example.com" -x -t "CT,," -v 120 -d /etc/dirsrv/slapd-specdirectory -k rsa -z /tmp/noisefile-specdirectory -f /tmp/passfile-specdirectory ; sleep 2', # rubocop:disable LineLength - path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin', - refreshonly: true, - ).that_notifies( - [ - 'Exec[Make server cert and add to database: specdirectory]', - 'Exec[Clean up temp files: specdirectory]', - 'Exec[Add trust for CA: specdirectory]', - ], + is_expected.to contain_x509_cert('Create CA cert: specdirectory').with( + days: 3650, + req_ext: false, ) } it { is_expected.to contain_exec('Add trust for CA: specdirectory').with( - command: 'certutil -M -n "specdirectoryCA" -t CT,, -d /etc/dirsrv/slapd-specdirectory', + command: 'certutil -M -n "specdirectoryCA" -t CT,C,C -d /etc/dirsrv/slapd-specdirectory -f /tmp/passfile-specdirectory', path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin', - unless: 'certutil -L -d /etc/dirsrv/slapd-specdirectory | 
grep "specdirectoryCA" | grep "CT"', + unless: 'certutil -L -d /etc/dirsrv/slapd-specdirectory | grep "specdirectoryCA" | grep "CTu,Cu,Cu"', ).that_notifies('Exec[Export CA cert: specdirectory]') } it { is_expected.to contain_exec('Make server cert and add to database: specdirectory').with( cwd: '/etc/dirsrv/slapd-specdirectory', - command: 'certutil -S -n "specdirectoryCert" -m 101 -s "cn=foo.example.com" -c "specdirectoryCA" -t "u,u,u" -v 120 -d /etc/dirsrv/slapd-specdirectory -k rsa -z /tmp/noisefile-specdirectory -f /tmp/passfile-specdirectory ; sleep 2', # rubocop:disable LineLength + command: 'certutil -S -n "specdirectoryCert" -m 101 -s "cn=foo.example.com" -c "specdirectoryCA" -t "u,u,u" -v 120 -d /etc/dirsrv/slapd-specdirectory -k rsa -z /tmp/noisefile-specdirectory -f /tmp/passfile-specdirectory && sleep 2', # rubocop:disable LineLength path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin', refreshonly: true, ).that_notifies( @@ -235,7 +225,7 @@ it { is_expected.to contain_exec('Export CA cert: specdirectory').with( cwd: '/etc/dirsrv/slapd-specdirectory', - command: 'certutil -d /etc/dirsrv/slapd-specdirectory -L -n "specdirectoryCA" -a > specdirectoryCA.pem', + command: 'certutil -d /etc/dirsrv/slapd-specdirectory -L -n "specdirectoryCA" -a > /etc/dirsrv/slapd-specdirectory/specdirectoryCA.pem', path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin', creates: '/etc/dirsrv/slapd-specdirectory/specdirectoryCA.pem', ) 
@@ -867,44 +857,34 @@ command: 'certutil -N -d /etc/dirsrv/slapd-ldap01 -f /tmp/passfile-ldap01', path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin', refreshonly: true, - ).that_notifies('Exec[Generate key pair: ldap01]') + ).that_notifies('Ssl_pkey[Generate CA private key: ldap01]') } it { - is_expected.to contain_exec('Generate key pair: ldap01').with( - command: 'certutil -G -d /etc/dirsrv/slapd-ldap01 -g 4096 -z /tmp/noisefile-ldap01 -f /tmp/passfile-ldap01', - path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin', - refreshonly: true, - ).that_notifies('Exec[Make ca cert and add to database: ldap01]') + is_expected.to contain_ssl_pkey('Generate CA private key: ldap01').with( + size: 4096, + ) } it { - is_expected.to contain_exec('Make ca cert and add to database: ldap01').with( - cwd: '/etc/dirsrv/slapd-ldap01', - command: 'certutil -S -n "ldap01CA" -s "cn=ldap01CA,dc=ldap.test.org" -x -t "CT,," -v 120 -d /etc/dirsrv/slapd-ldap01 -k rsa -z /tmp/noisefile-ldap01 -f /tmp/passfile-ldap01 ; sleep 2', - path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin', - refreshonly: true, - ).that_notifies( - [ - 'Exec[Make server cert and add to database: ldap01]', - 'Exec[Clean up temp files: ldap01]', - 'Exec[Add trust for CA: ldap01]', - ], + is_expected.to contain_x509_cert('Create CA cert: ldap01').with( + days: 3650, + req_ext: false, ) } it { is_expected.to contain_exec('Add trust for CA: ldap01').with( - command: 'certutil -M -n "ldap01CA" -t CT,, -d /etc/dirsrv/slapd-ldap01', + command: 'certutil -M -n "ldap01CA" -t CT,C,C -d /etc/dirsrv/slapd-ldap01 -f /tmp/passfile-ldap01', path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin', - unless: 'certutil -L -d /etc/dirsrv/slapd-ldap01 | grep "ldap01CA" | grep "CT"', + unless: 'certutil -L -d /etc/dirsrv/slapd-ldap01 | grep "ldap01CA" | grep "CTu,Cu,Cu"', ).that_notifies('Exec[Export CA cert: ldap01]') } it { is_expected.to contain_exec('Make server cert and 
add to database: ldap01').with( cwd: '/etc/dirsrv/slapd-ldap01', - command: 'certutil -S -n "ldap01Cert" -m 101 -s "cn=ldap.test.org" -c "ldap01CA" -t "u,u,u" -v 120 -d /etc/dirsrv/slapd-ldap01 -k rsa -z /tmp/noisefile-ldap01 -f /tmp/passfile-ldap01 -8 ldap01.test.org,ldap02.test.org ; sleep 2', # rubocop:disable LineLength + command: 'certutil -S -n "ldap01Cert" -m 101 -s "cn=ldap.test.org" -c "ldap01CA" -t "u,u,u" -v 120 -d /etc/dirsrv/slapd-ldap01 -k rsa -z /tmp/noisefile-ldap01 -f /tmp/passfile-ldap01 -8 ldap01.test.org,ldap02.test.org && sleep 2', # rubocop:disable LineLength path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin', refreshonly: true, ).that_notifies( @@ -934,7 +914,7 @@ it { is_expected.to contain_exec('Export CA cert: ldap01').with( cwd: '/etc/dirsrv/slapd-ldap01', - command: 'certutil -d /etc/dirsrv/slapd-ldap01 -L -n "ldap01CA" -a > ldap01CA.pem', + command: 'certutil -d /etc/dirsrv/slapd-ldap01 -L -n "ldap01CA" -a > /etc/dirsrv/slapd-ldap01/ldap01CA.pem', path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin', creates: '/etc/dirsrv/slapd-ldap01/ldap01CA.pem', ) diff --git a/templates/openssl_ca.cnf.epp b/templates/openssl_ca.cnf.epp new file mode 100644 index 0000000..1a6734f --- /dev/null +++ b/templates/openssl_ca.cnf.epp @@ -0,0 +1,15 @@ +[ req ] +default_bits = 4096 +default_md = sha256 +distinguished_name = req_distinguished_name +prompt = no +x509_extensions = v3_ca + +[ req_distinguished_name ] +DC = <%= $dc %> +CN = <%= $cn %> + +[ v3_ca ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = CA:true
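Review bot: The `[ v3_ca ]` section sets `basicConstraints = CA:true` without `critical` and defines no `keyUsage`, so the resulting CA certificate has an unbounded path length and nothing restricts its key to certificate signing. RFC 5280 expects both extensions to be present and critical on a CA; I would change the line to `basicConstraints = critical, CA:true, pathlen:0` and add `keyUsage = critical, keyCertSign, cRLSign`, which limits the certificate to issuing the instance's server certificate (and a CRL) and nothing below it. The literal template expected by `openssl_ca_cnf` in spec/classes/ds389_spec.rb must be updated in step, since that test compares the rendered file content exactly. `DC = <%= $dc %>` places the whole FQDN into a single DC component, which is unconventional (each DC normally holds one label) but purely cosmetic for a private CA; a comment noting it mirrors the subject of the old `certutil -s "cn=...,dc=${server_host}"` call would explain the choice.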