
Add installation of SSL (CA) certificates and private keys.

Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm 7 years ago
parent
commit
85116304af
5 changed files with 226 additions and 3 deletions
  1. 34 0
      cert/StartSSL_Class1_CA.pem
  2. 34 0
      cert/StartSSL_Class2_CA.pem
  3. 79 0
      cert/ffho-cacert.pem
  4. 78 0
      cert/init.sls
  5. 1 3
      top.sls

+ 34 - 0
cert/StartSSL_Class1_CA.pem

@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF5TCCA82gAwIBAgIQal3D5TtOT9B7aR6l/OxkazANBgkqhkiG9w0BAQsFADB9
+MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMi
+U2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3Rh
+cnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTUxMjE2MDEwMDA1WhcN
+MzAxMjE2MDEwMDA1WjB4MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20g
+THRkLjEpMCcGA1UECxMgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkx
+JjAkBgNVBAMTHVN0YXJ0Q29tIENsYXNzIDEgRFYgU2VydmVyIENBMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2uz0qohni7BLYmaWv8lEaObCK0ygM86s
+eeN2w9FW4HWvQbQKRYDvy43kFuMmFD4RHkHn1Mk7sijXkJ/F8NH+5Tjbins7tFIC
+ZXd+Qe2ODCMcWbOLoYB54sM514tsZk6m3M4lZi3gmT7ISFiNdKpf/C3dZwasWea+
+dbLpwQWZEcM6oCXmW/6L3kwQAhC0GhJm2rBVrYEDvZq1EK3Bv+g5gAW8DVfusUai
+oyW0wfQdnKtOLv1M4rtezrKtE8T5tjyeKvFqMX93+LYVlT8Vs+sD12s3ncldqEDL
+U89IiBjg6FsbLfM2Ket/3RbfvggfQMPQshipdhrZL8q10jibTlViGQIDAQABo4IB
+ZDCCAWAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEF
+BQcDATASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6
+Ly9jcmwuc3RhcnRzc2wuY29tL3Nmc2NhLmNybDBmBggrBgEFBQcBAQRaMFgwJAYI
+KwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbTAwBggrBgEFBQcwAoYk
+aHR0cDovL2FpYS5zdGFydHNzbC5jb20vY2VydHMvY2EuY3J0MB0GA1UdDgQWBBTX
+kU4BxLC/+Mhnk0Sc5zP6rZMMrzAfBgNVHSMEGDAWgBROC+8apEBbpRdphzDKNGhD
+0EGu8jA/BgNVHSAEODA2MDQGBFUdIAAwLDAqBggrBgEFBQcCARYeaHR0cDovL3d3
+dy5zdGFydHNzbC5jb20vcG9saWN5MA0GCSqGSIb3DQEBCwUAA4ICAQCO5z+95Eu6
+gog9K9e7DatQXfeUL8zq1Ycj0HKo3ZvFhRjULAVrMj7JrURtfoZziTDl39gvMDhL
+voN5EFEYQWyre5ySsFgGeZQHIC0zhETILSyAE7JCKaEJ//APnkcQfx458GOuJvi+
+p2JpRxa8Sc/HVJ9HqA687QbbJFFZlUP5IqLtCb8yZVBURd4Nm/+01DXBzomoQPwA
+K3cYl9br6Q+eKmCKPKN6X4IT1gwtwXuca1f3OpZTbUFPdPz1KvP1qCFt+rNieSmO
+BN76Xa9ffzoBByzVdnvk2OHuopmJq/eHF+E3s+GFYT6Oxjrez/lEbBvgEmGyXZOZ
+aj6XeDnBxOIYRODfnZG99cy2q5WtDLHKuiMogJGO89PWaI2jK1Aq5sa0j55jp2Je
+FXbRieKw5CKreCIiNR9MpaffieLgbTcK1BSKjxUZtd7BqJ3x1lvD2jbe7WKqzusZ
+btPhFgrDDsgdw27zQokNYBZZaa1LwYZGZgddiAcLcYkilGobA2wLKk6eYz6VnatD
+dI4aQx6FkHWvKU0e7s/cUym6Px3vXrC4z6woAztC98XaorPO0pkL73P4dKSjnKYY
+rYsqe7BnBGtANf1XaG5Pm8BUWJ9WZAWin6KsJXTo8Nj0G4CRq7dq17LBnCbi9Qmp
+Szc2kuPNbrV8PvbTLIXupfZFFj0d9mpaFg==
+-----END CERTIFICATE-----

+ 34 - 0
cert/StartSSL_Class2_CA.pem

@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

+ 79 - 0
cert/ffho-cacert.pem

@@ -0,0 +1,79 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 12161656026837094697 (0xa8c6e1b8a01d1129)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=DE, ST=NRW, O=Freifunk Hochstift, CN=CA/emailAddress=ops@ffho.net
+        Validity
+            Not Before: Sep  6 13:37:43 2015 GMT
+            Not After : Sep  3 13:37:43 2025 GMT
+        Subject: C=DE, ST=NRW, O=Freifunk Hochstift, CN=CA/emailAddress=ops@ffho.net
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:9b:41:d2:fc:2d:ff:20:dc:90:56:83:f4:50:71:
+                    2b:d5:5b:9c:3d:3a:61:56:05:22:cd:06:e0:2d:c2:
+                    13:0e:88:1f:26:4e:4b:6f:08:e8:ba:1a:c1:56:a2:
+                    62:03:c2:71:49:b3:e5:89:16:08:e4:48:14:ad:98:
+                    c1:8f:0e:d6:fa:50:56:f6:b8:9c:9d:74:42:b2:54:
+                    23:6e:c6:e3:45:52:b7:48:c5:48:79:94:5a:8b:38:
+                    77:20:43:80:46:6c:22:01:41:86:b9:de:71:e0:b0:
+                    19:b1:13:1c:64:e6:07:bc:88:22:99:6e:0e:d0:8a:
+                    25:3e:22:ae:64:6c:95:f5:8c:d0:43:be:88:83:2e:
+                    82:7e:c2:8d:0a:67:69:44:71:20:eb:1d:9b:16:c5:
+                    88:09:23:ef:7d:81:9d:72:c9:f9:8f:a7:cf:69:71:
+                    70:bb:0e:58:ef:ef:6c:48:47:3d:e8:6a:f7:f4:3a:
+                    cd:e8:70:62:71:96:25:0b:dd:6d:6a:35:5c:f1:84:
+                    96:b1:aa:87:1c:96:bf:3e:8e:ed:c4:ec:8d:9a:43:
+                    f5:a5:6f:1c:45:e5:16:10:de:7a:59:fb:6b:a7:cb:
+                    6d:21:3a:4b:33:0b:8d:ff:20:ee:dd:dd:01:36:f8:
+                    2e:e8:32:75:b2:3a:ef:0c:1b:61:40:d8:28:ff:07:
+                    ea:1f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                C4:79:EA:3C:1A:53:03:E7:3C:5B:48:44:E1:27:72:7D:F7:73:BC:45
+            X509v3 Authority Key Identifier: 
+                keyid:C4:79:EA:3C:1A:53:03:E7:3C:5B:48:44:E1:27:72:7D:F7:73:BC:45
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         72:90:35:5b:1c:d7:93:5e:eb:d7:34:5c:0a:21:bf:e1:0c:d1:
+         1c:37:28:38:c1:15:d0:7e:48:00:f7:82:16:f3:a6:50:72:e8:
+         69:e3:69:ef:d3:2d:41:8c:a9:74:b4:7e:59:80:f4:4c:36:24:
+         8a:db:c3:0d:bc:f4:5c:89:cb:e1:e3:98:45:4d:4f:72:68:31:
+         c0:21:5e:50:5d:d8:8f:13:c5:8f:16:89:8b:d3:50:db:91:c3:
+         6c:28:9b:3e:de:90:ea:f9:44:1f:d4:97:2f:d0:ff:98:56:17:
+         4b:d3:f7:af:e3:76:61:f0:07:68:18:5e:4b:64:ce:d3:0e:b0:
+         69:99:84:2a:11:d4:74:e6:a8:51:e7:dc:38:5d:fa:e1:ce:39:
+         a6:99:74:ec:9c:06:84:73:71:1d:70:12:ea:aa:2c:15:4c:57:
+         cd:51:dd:46:72:8c:24:06:66:1d:b5:d8:15:67:3d:10:b1:da:
+         17:85:15:7e:77:02:8f:92:08:1d:cd:26:29:91:8d:83:7c:7d:
+         8d:f9:24:17:4d:65:d8:67:2e:61:14:df:93:8f:4b:4c:73:7b:
+         e7:57:f4:7b:02:41:3e:21:14:09:2f:88:fe:6a:44:15:f7:cb:
+         da:14:0d:9c:8b:2c:df:fd:8b:78:3f:ec:5a:03:c0:55:31:03:
+         61:f7:62:84
+-----BEGIN CERTIFICATE-----
+MIIDlzCCAn+gAwIBAgIJAKjG4bigHREpMA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNV
+BAYTAkRFMQwwCgYDVQQIDANOUlcxGzAZBgNVBAoMEkZyZWlmdW5rIEhvY2hzdGlm
+dDELMAkGA1UEAwwCQ0ExGzAZBgkqhkiG9w0BCQEWDG9wc0BmZmhvLm5ldDAeFw0x
+NTA5MDYxMzM3NDNaFw0yNTA5MDMxMzM3NDNaMGIxCzAJBgNVBAYTAkRFMQwwCgYD
+VQQIDANOUlcxGzAZBgNVBAoMEkZyZWlmdW5rIEhvY2hzdGlmdDELMAkGA1UEAwwC
+Q0ExGzAZBgkqhkiG9w0BCQEWDG9wc0BmZmhvLm5ldDCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAJtB0vwt/yDckFaD9FBxK9VbnD06YVYFIs0G4C3CEw6I
+HyZOS28I6LoawVaiYgPCcUmz5YkWCORIFK2YwY8O1vpQVva4nJ10QrJUI27G40VS
+t0jFSHmUWos4dyBDgEZsIgFBhrneceCwGbETHGTmB7yIIpluDtCKJT4irmRslfWM
+0EO+iIMugn7CjQpnaURxIOsdmxbFiAkj732BnXLJ+Y+nz2lxcLsOWO/vbEhHPehq
+9/Q6zehwYnGWJQvdbWo1XPGElrGqhxyWvz6O7cTsjZpD9aVvHEXlFhDeeln7a6fL
+bSE6SzMLjf8g7t3dATb4LugydbI67wwbYUDYKP8H6h8CAwEAAaNQME4wHQYDVR0O
+BBYEFMR56jwaUwPnPFtIROEncn33c7xFMB8GA1UdIwQYMBaAFMR56jwaUwPnPFtI
+ROEncn33c7xFMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHKQNVsc
+15Ne69c0XAohv+EM0Rw3KDjBFdB+SAD3ghbzplBy6Gnjae/TLUGMqXS0flmA9Ew2
+JIrbww289FyJy+HjmEVNT3JoMcAhXlBd2I8TxY8WiYvTUNuRw2womz7ekOr5RB/U
+ly/Q/5hWF0vT96/jdmHwB2gYXktkztMOsGmZhCoR1HTmqFHn3Dhd+uHOOaaZdOyc
+BoRzcR1wEuqqLBVMV81R3UZyjCQGZh212BVnPRCx2heFFX53Ao+SCB3NJimRjYN8
+fY35JBdNZdhnLmEU35OPS0xze+dX9HsCQT4hFAkviP5qRBX3y9oUDZyLLN/9i3g/
+7FoDwFUxA2H3YoQ=
+-----END CERTIFICATE-----
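Review bot: The openssl text dump preceding the PEM block shows `X509v3 Basic Constraints:` with `CA:TRUE` but no `critical` marker, and no Key Usage extension at all, so this self-signed root (Subject equals Issuer, Subject Key Identifier equals Authority Key Identifier) carries no constraint beyond a non-critical CA flag. That is a property of the issued certificate rather than of this commit, but it is worth recording here because `cert/init.sls` installs the file into `/etc/ssl/certs` and rehashes it, i.e. as a system-wide trust anchor. The human-readable dump ahead of `-----BEGIN CERTIFICATE-----` is tolerated by OpenSSL's PEM reader, which skips text outside the markers, but not every consumer is that lenient; consider committing only the PEM block and keeping the dump in the commit message.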

+ 78 - 0
cert/init.sls

@@ -0,0 +1,78 @@
+#
+# SSL Certificates
+#
+
+openssl:
+  pkg.installed:
+    - name: openssl
+
+
+c_rehash:
+  cmd.wait:
+    - name: /usr/bin/c_rehash >/dev/null 2>/dev/null
+    - watch: []
+
+
+# FFHO internal CA
+/etc/ssl/certs/ffho-cacert.pem:
+  file.managed:
+    - source: salt://cert/ffho-cacert.pem
+    - user: root
+    - group: root
+    - mode: 644
+    - watch_in:
+      - cmd: c_rehash
+
+
+# StartSSL Class1intermediate CA certificate
+/etc/ssl/certs/StartSSL_Class1_CA.pem:
+  file.managed:
+    - source: salt://cert/StartSSL_Class1_CA.pem
+    - user: root
+    - group: root
+    - mode: 644
+    - watch_in:
+      - cmd: c_rehash
+
+
+# StartSSL Class2 intermediate CA certificate
+/etc/ssl/certs/StartSSL_Class2_CA.pem:
+  file.managed:
+    - source: salt://cert/StartSSL_Class2_CA.pem
+    - user: root
+    - group: root
+    - mode: 644
+    - watch_in:
+      - cmd: c_rehash
+
+
+# Are there any certificates defined or referenced in the node pillar?
+{% for cn in salt['pillar.get']('nodes:' ~ grains['id'] ~ ':certs', {})|sort %}
+  {% set pillar_name = None %}
+
+  {% set cert_config = salt['pillar.get']('nodes:' ~ grains['id'] ~ ':certs:' ~ cn) %}
+  {# "cert" and "privkey" provided in node config? #}
+  {% if 'cert' in cert_config and 'privkey' in cert_config %}
+    {% set pillar_name = 'nodes:' ~ grains['id'] ~ ':certs:' ~ cn %}
+
+  {# <cn> only referenced in node config and cert/privkey stored in "cert" pillar? #}
+  {% elif cert_config.get ('install', False) == True %}
+    {% set pillar_name = 'cert:' ~ cn %}
+  {% endif %}
+
+  {% if pillar_name != None %}
+/etc/ssl/certs/{{ cn }}.cert.pem:
+  file.managed:
+    - contents_pillar: {{ pillar_name }}:cert
+    - user: root
+    - group: root
+    - mode: 644
+
+/etc/ssl/private/{{ cn }}.key.pem:
+  file.managed:
+    - contents_pillar: {{ pillar_name }}:privkey
+    - user: root
+    - group: root
+    - mode: 400
+  {% endif %}
+{% endfor %}
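Review bot: The private-key state for `/etc/ssl/private/{{ cn }}.key.pem` writes key material from pillar with file.managed's default diff output enabled, so whenever the key changes its contents are printed in the state result and kept with the job return; add `- show_changes: False` to that state (the certificate state can keep the default). The `c_rehash` state runs `/usr/bin/c_rehash` without a `require` on the `openssl` package that provides it, so on a fresh minion the first highstate can fail before the package is installed; add `- require:` / `  - pkg: openssl` under `cmd.wait`. The `mode: 644` and `mode: 400` values are unquoted integers, which Salt accepts, but the documented form is the quoted string `'0644'` / `'0400'`, which also avoids the octal-literal trap if someone later adds a leading zero. As a matter of style, `cert_config.get ('install', False) == True` and `pillar_name != None` read better as `cert_config.get('install', False)` and `pillar_name is not none`.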

+ 1 - 3
top.sls

@@ -4,7 +4,7 @@ base:
     - ffinfo
     - apt
     - bash
-    - cert.x509
+    - cert
     - console-tools
     - kernel
     - locales
@@ -19,8 +19,6 @@ base:
     - vim
     - unattended-upgrades
 
-#    - ffpb
-#    - monitoring.node
 #    - tinc
 
 #