Install ipaserver without ca

4221213f · Samuel Veloso · Thomas Woerner · 44af47d9 · 4221213f · 4221213f
Commit 4221213f authored 5 years ago by Samuel Veloso Committed by Thomas Woerner 5 years ago
--- a/roles/ipaserver/library/ipaserver_set_ds_password.py
+++ b/roles/ipaserver/library/ipaserver_set_ds_password.py
@@ -127,7 +127,7 @@ def main():
            no_hbac_allow=dict(required=False, type='bool', default=False),
            no_pkinit=dict(required=False, type='bool', default=False),
            dirsrv_config_file=dict(required=False),
-            _dirsrv_pkcs12_info=dict(required=False),
+            _dirsrv_pkcs12_info=dict(required=False, type='list'),
            # ssl certificate
            dirsrv_cert_files=dict(required=False, type='list', default=[]),
            subject_base=dict(required=False),

--- a/roles/ipaserver/library/ipaserver_setup_ca.py
+++ b/roles/ipaserver/library/ipaserver_setup_ca.py
@@ -191,7 +191,7 @@ def main():
            no_pkinit=dict(required=False, type='bool', default=False),
            dirsrv_config_file=dict(required=False),
            dirsrv_cert_files=dict(required=False, type='list'),
-            _dirsrv_pkcs12_info=dict(required=False),
+            _dirsrv_pkcs12_info=dict(required=False, type='list'),
            # certificate system
            external_ca=dict(required=False, type='bool', default=False),
            external_ca_type=dict(required=False),
@@ -322,18 +322,20 @@ def main():
                                     csr_generated=True)
    else:
        # Put the CA cert where other instances expect it
-        x509.write_certificate(options._http_ca_cert, paths.IPA_CA_CRT)
+        with open(paths.IPA_CA_CRT, "w") as http_ca_cert_file:
+            http_ca_cert_file.write(options._http_ca_cert)
        os.chmod(paths.IPA_CA_CRT, 0o444)
        if not options.no_pkinit:
-            x509.write_certificate(options._http_ca_cert,
+            with open(paths.KDC_CA_BUNDLE_PEM, "w") as http_ca_cert_file:
-                                   paths.KDC_CA_BUNDLE_PEM)
+                http_ca_cert_file.write(options._http_ca_cert)
        else:
            with open(paths.KDC_CA_BUNDLE_PEM, 'w'):
                pass
        os.chmod(paths.KDC_CA_BUNDLE_PEM, 0o444)
-        x509.write_certificate(options._http_ca_cert, paths.CA_BUNDLE_PEM)
+        with open(paths.CA_BUNDLE_PEM, "w") as http_ca_cert_file:
+            http_ca_cert_file.write(options._http_ca_cert)
        os.chmod(paths.CA_BUNDLE_PEM, 0o444)
    with redirect_stdout(ansible_log):

--- a/roles/ipaserver/library/ipaserver_setup_ds.py
+++ b/roles/ipaserver/library/ipaserver_setup_ds.py
@@ -126,7 +126,7 @@ def main():
            dirsrv_config_file=dict(required=False),
            # ssl certificate
            dirsrv_cert_files=dict(required=False, type='list', default=[]),
-            _dirsrv_pkcs12_info=dict(required=False),
+            _dirsrv_pkcs12_info=dict(required=False, type='list'),
            # certificate system
            external_cert_files=dict(required=False, type='list', default=[]),
            subject_base=dict(required=False),

--- a/roles/ipaserver/library/ipaserver_setup_http.py
+++ b/roles/ipaserver/library/ipaserver_setup_http.py
@@ -199,8 +199,8 @@ def main():
            # _update_hosts_file=dict(required=False, type='bool',
            #                         default=False),
-            _dirsrv_pkcs12_info=dict(required=False),
+            _dirsrv_pkcs12_info=dict(required=False, type='list'),
-            _http_pkcs12_info=dict(required=False),
+            _http_pkcs12_info=dict(required=False, type='list'),
        ),
    )

--- a/roles/ipaserver/library/ipaserver_setup_krb.py
+++ b/roles/ipaserver/library/ipaserver_setup_krb.py
@@ -160,7 +160,7 @@ def main():
            no_reverse=dict(required=False, type='bool', default=False),
            auto_forwarders=dict(required=False, type='bool', default=False),
-            _pkinit_pkcs12_info=dict(required=False),
+            _pkinit_pkcs12_info=dict(required=False, type='list'),
        ),
    )

--- a/roles/ipaserver/library/ipaserver_test.py
+++ b/roles/ipaserver/library/ipaserver_test.py
@@ -967,37 +967,25 @@ def main():
        if options.http_pin is None:
            ansible_module.fail_json(
                msg="Apache Server private key unlock password required")
-        http_pkcs12_file, http_pin, http_ca_cert = load_pkcs12(
+        http_pkcs12_info = [options.http_cert_files[0], options.http_pin]
-            cert_files=options.http_cert_files,
+        with open(options.ca_cert_files[0]) as http_ca_cert_file:
-            key_password=options.http_pin,
+            http_ca_cert = http_ca_cert_file.read()
-            key_nickname=options.http_cert_name,
-            ca_cert_files=options.ca_cert_files,
-            host_name=host_name)
-        http_pkcs12_info = (http_pkcs12_file.name, http_pin)
    if options.dirsrv_cert_files:
        if options.dirsrv_pin is None:
            ansible_module.fail_json(
                msg="Directory Server private key unlock password required")
-        dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = load_pkcs12(
+        dirsrv_pkcs12_info = [options.dirsrv_cert_files[0], options.dirsrv_pin]
-            cert_files=options.dirsrv_cert_files,
+        with open(options.ca_cert_files[0]) as dirsrv_ca_cert_file:
-            key_password=options.dirsrv_pin,
+           dirsrv_ca_cert = dirsrv_ca_cert_file.read()
-            key_nickname=options.dirsrv_cert_name,
-            ca_cert_files=options.ca_cert_files,
-            host_name=host_name)
-        dirsrv_pkcs12_info = (dirsrv_pkcs12_file.name, dirsrv_pin)
    if options.pkinit_cert_files:
        if options.pkinit_pin is None:
            ansible_module.fail_json(
                msg="Kerberos KDC private key unlock password required")
-        pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = load_pkcs12(
+        pkinit_pkcs12_info = [options.pkinit_cert_files[0], options.pkinit_pin]
-            cert_files=options.pkinit_cert_files,
+        with open(options.ca_cert_files[0]) as pkinit_ca_cert_file:
-            key_password=options.pkinit_pin,
+           pkinit_ca_cert = pkinit_ca_cert_file.read()
-            key_nickname=options.pkinit_cert_name,
-            ca_cert_files=options.ca_cert_files,
-            realm_name=realm_name)
-        pkinit_pkcs12_info = (pkinit_pkcs12_file.name, pkinit_pin)
    if options.http_cert_files and options.dirsrv_cert_files and \
       http_ca_cert != dirsrv_ca_cert:

--- a/roles/ipaserver/tasks/install.yml
+++ b/roles/ipaserver/tasks/install.yml
@@ -286,6 +286,7 @@
      reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"
      no_reverse: "{{ ipaserver_no_reverse }}"
      auto_forwarders: "{{ ipaserver_auto_forwarders }}"
+      _http_ca_cert: "{{ result_ipaserver_test._http_ca_cert }}"
    register: result_ipaserver_setup_ca
  - name: Copy /root/ipa.csr to "{{ inventory_hostname }}-ipa.csr"

--- a/tests/ca-less/certificates/pkinit/extensions.conf
+++ b/tests/ca-less/certificates/pkinit/extensions.conf
+[kdc_cert]
+basicConstraints=CA:FALSE
+keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage=1.3.6.1.5.2.3.5
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
+[kdc_princ_name]
+realm=EXP:0,GeneralString:${ENV::REALM}
+principal_name=EXP:1,SEQUENCE:kdc_principal_seq
+[kdc_principal_seq]
+name_type=EXP:0,INTEGER:1
+name_string=EXP:1,SEQUENCE:kdc_principals
+[kdc_principals]
+princ1=GeneralString:krbtgt
+princ2=GeneralString:${ENV::REALM}
--- a/tests/ca-less/generate-certificates.sh
+++ b/tests/ca-less/generate-certificates.sh
+#!/usr/bin/env bash
+ROOT_CA_DIR="certificates/root-ca"
+DIRSRV_CERTS_DIR="certificates/dirsrv"
+HTTPD_CERTS_DIR="certificates/httpd"
+PKINIT_CERTS_DIR="certificates/pkinit"
+PKCS12_PASSWORD="SomePKCS12password"
+# generate_ipa_pkcs12_certificate \
+#    $cert_name $ipa_fqdn $certs_dir $root_ca_cert $root_ca_private_key extensions_file extensions_name
+function generate_ipa_pkcs12_certificate {
+    cert_name=$1
+    ipa_fqdn=$2
+    certs_dir=$3
+    root_ca_cert=$4
+    root_ca_private_key=$5
+    extensions_file=$6
+    extensions_name=$7
+    # Generate CSR and private key
+    openssl req -new -newkey rsa:4096 -nodes \
+        -subj "/C=US/ST=Test/L=Testing/O=Default/CN=${ipa_fqdn}" \
+        -keyout ${certs_dir}/private.key \
+        -out ${certs_dir}/request.csr
+    # Sign CSR to generate PEM certificate
+    if [ -z "${extensions_file}" ]; then
+        openssl x509 -req -days 365 -sha256 \
+            -CAcreateserial \
+            -CA ${root_ca_cert} \
+            -CAkey ${root_ca_private_key} \
+            -in ${certs_dir}/request.csr \
+            -out ${certs_dir}/cert.pem
+    else
+        openssl x509 -req -days 365 -sha256 \
+            -CAcreateserial \
+            -CA ${ROOT_CA_DIR}/cert.pem \
+            -CAkey ${ROOT_CA_DIR}/private.key \
+            -extfile ${extensions_file} \
+            -extensions ${extensions_name} \
+            -in ${certs_dir}/request.csr \
+            -out ${certs_dir}/cert.pem
+    fi
+    # Convert certificate to PKCS12 format
+    openssl pkcs12 -export \
+        -name ${cert_name} \
+        -certfile ${root_ca_cert} \
+        -in ${certs_dir}/cert.pem \
+        -inkey ${certs_dir}/private.key \
+        -passout "pass:${PKCS12_PASSWORD}" \
+        -out ${certs_dir}/cert.p12
+}
+master=$1
+if [ -z "$master" ]; then
+    echo "ERROR: master is not set"
+    echo
+    echo "usage: $0 master-fqdn replica-fqdn domain"
+    exit 0;
+fi
+replica=$2
+if [ -z "$master" ]; then
+    echo "ERROR: replica is not set"
+    echo
+    echo "usage: $0 master-fqdn replica-fqdn domain"
+    exit 0;
+fi
+domain=$3
+if [ -z "$domain" ]; then
+    echo "ERROR: domain is not set"
+    echo
+    echo "usage: $0 master-fqdn replica-fqdn domain"
+    exit 0;
+fi
+# Generate root CA
+if [ ! -f "${ROOT_CA_DIR}/cert.pem" ]; then
+    openssl genrsa \
+        -out ${ROOT_CA_DIR}/private.key 4096
+    openssl req -new -x509 -sha256 -nodes -days 3650 \
+        -subj "/C=US/ST=Test/L=Testing/O=Default" \
+        -key ${ROOT_CA_DIR}/private.key \
+        -out ${ROOT_CA_DIR}/cert.pem
+fi
+# [ipaserver] Generate a certificate for the Directory Server
+if [ ! -f "${DIRSRV_CERTS_DIR}/ipaserver/cert.p12" ]; then
+    generate_ipa_pkcs12_certificate \
+        "dirsrv-cert" \
+        $master \
+        "${DIRSRV_CERTS_DIR}/ipaserver" \
+        "${ROOT_CA_DIR}/cert.pem" \
+        "${ROOT_CA_DIR}/private.key"
+else
+    echo "[ipaserver] Certificate for the Directory Server already exists."
+fi
+# [ipaserver] Generate a certificate for the Apache server
+if [ ! -f "${HTTPD_CERTS_DIR}/ipaserver/cert.p12" ]; then
+    generate_ipa_pkcs12_certificate \
+        "httpd-cert" \
+        $master \
+        "${HTTPD_CERTS_DIR}/ipaserver" \
+        "${ROOT_CA_DIR}/cert.pem" \
+        "${ROOT_CA_DIR}/private.key"
+else
+    echo "[ipaserver] Certificate for the Apache server already exists."
+fi
+# [ipaserver] Generate a certificate for the KDC PKINIT
+if [ ! -f "${PKINIT_CERTS_DIR}/ipaserver/cert.p12" ]; then
+    export REALM=${domain^^}
+    generate_ipa_pkcs12_certificate \
+        "pkinit-cert" \
+        $master \
+        "${PKINIT_CERTS_DIR}/ipaserver" \
+        "${ROOT_CA_DIR}/cert.pem" \
+        "${ROOT_CA_DIR}/private.key" \
+        "${PKINIT_CERTS_DIR}/extensions.conf" \
+        "kdc_cert"
+else
+    echo "[ipaserver] Certificate for the KDC PKINIT already exists."
+fi
\ No newline at end of file
--- a/tests/ca-less/install_server_without_ca.yml
+++ b/tests/ca-less/install_server_without_ca.yml
+---
+- name: Test ipaserver installation without CA
+  hosts: ipaserver
+  become: true
+  vars:
+    # Root CA certificate
+    ipaserver_ca_cert_files:
+      - /root/freeipa/certificates/root-ca.crt
+    # Directory server certificates
+    ipaserver_dirsrv_cert_name: dirsrv-cert
+    ipaserver_dirsrv_cert_files:
+      - /root/freeipa/certificates/dirsrv.p12
+    ipaserver_dirsrv_pin: SomePKCS12password
+    # Apache certificates
+    ipaserver_http_cert_name: httpd-cert
+    ipaserver_http_cert_files:
+      - /root/freeipa/certificates/httpd.p12
+    ipaserver_http_pin: SomePKCS12password
+    # PKINIT configuration
+    ipaserver_no_pkinit: no
+    ipaserver_pkinit_cert_name: pkinit-cert
+    ipaserver_pkinit_cert_files:
+      - /root/freeipa/certificates/pkinit.p12
+    ipaserver_pkinit_pin: SomePKCS12password
+  pre_tasks:
+    - name: Copy certificates
+      copy:
+        src: "{{ playbook_dir }}/certificates/{{ item }}/ipaserver/cert.p12"
+        dest: "/root/freeipa/certificates/{{ item }}.p12"
+        owner: root
+        group: root
+        mode: "0644"
+      with_items:
+        - dirsrv
+        - httpd
+        - pkinit
+  roles:
+    - role: ipaserver
+      state: present
\ No newline at end of file
--- a/tests/ca-less/inventory
+++ b/tests/ca-less/inventory
+[ipaserver]
+ipaserver.test.local
+[ipaserver:vars]
+ipaserver_domain=test.local
+ipaserver_realm=TEST.LOCAL
+ipaadmin_password=SomeADMINpassword
+ipadm_password=SomeDMpassword
+ipaserver_install_packages=yes
+ipaserver_setup_dns=no
\ No newline at end of file