smallstep au lieu de mkcert dans la vm
This commit is contained in:
parent
4117afd993
commit
41e7591163
@ -55,10 +55,13 @@ echo "export SNSTERGUARD='true'" >> /root/.bashrc
|
|||||||
|
|
||||||
|
|
||||||
# On place les certifs
|
# On place les certifs
|
||||||
|
# On place les certifs
|
||||||
|
if [ -f tls/root_ca.crt ]; then
|
||||||
|
cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/
|
||||||
|
/usr/sbin/update-ca-certificates --fresh
|
||||||
|
fi
|
||||||
if [ -d letsencrypt ]; then
|
if [ -d letsencrypt ]; then
|
||||||
cp -ar letsencrypt /etc/
|
cp -ar letsencrypt /etc/
|
||||||
cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
|
|
||||||
/usr/sbin/update-ca-certificates --fresh
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# On sauve le proxy APT
|
# On sauve le proxy APT
|
||||||
|
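Review bot: The new guard `if [ -f tls/root_ca.crt ]; then` tests a path relative to the shell's current directory, so when the script is run from anywhere else the root CA is silently skipped and the `update-ca-certificates --fresh` inside the block never runs, while the CA script's hunk at @ -23,7 +28,7 anchors the same file as `"${DIR}/tls/root_ca.crt"`. If DIR is set in these scripts too (not visible here), use `if [ -f "${DIR}/tls/root_ca.crt" ]; then` and `cp -ar "${DIR}/tls/root_ca.crt" /usr/local/share/ca-certificates/`, or `cd` to the script's directory first. The same four-line block is repeated in the hunks at @ -55,10 +55,12, @ -23,9 +23,8 and @ -14,6 +14,11 and should be anchored the same way in each. `cp -ar` on a single file also carries over the source's owner and mode into the trust-store directory; `install -m 0644` would make the installed permissions explicit.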
@ -55,10 +55,12 @@ echo "export SNSTERGUARD='true'" >> /root/.bashrc
|
|||||||
|
|
||||||
|
|
||||||
# On place les certifs
|
# On place les certifs
|
||||||
|
if [ -f tls/root_ca.crt ]; then
|
||||||
|
cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/
|
||||||
|
/usr/sbin/update-ca-certificates --fresh
|
||||||
|
fi
|
||||||
if [ -d letsencrypt ]; then
|
if [ -d letsencrypt ]; then
|
||||||
cp -ar letsencrypt /etc/
|
cp -ar letsencrypt /etc/
|
||||||
cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
|
|
||||||
/usr/sbin/update-ca-certificates --fresh
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# On sauve le proxy APT
|
# On sauve le proxy APT
|
||||||
|
@ -23,9 +23,8 @@ if [ -f /clawsmail/addclawsuser.sh ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# On place les certifs
|
# On place les certifs
|
||||||
if [ -d letsencrypt ]; then
|
if [ -f tls/root_ca.crt ]; then
|
||||||
cp -ar letsencrypt /etc/
|
cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/
|
||||||
cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/root.crt
|
|
||||||
/usr/sbin/update-ca-certificates --fresh
|
/usr/sbin/update-ca-certificates --fresh
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -34,7 +33,7 @@ echo -e '{
|
|||||||
"policies": {
|
"policies": {
|
||||||
"Certificates": {
|
"Certificates": {
|
||||||
"ImportEnterpriseRoots": true,
|
"ImportEnterpriseRoots": true,
|
||||||
"Install": ["/etc/ssl/certs/root.pem"]
|
"Install": ["/etc/ssl/certs/root_ca.pem"]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}' > /usr/lib/firefox-esr/distribution/policies.json
|
}' > /usr/lib/firefox-esr/distribution/policies.json
|
||||||
|
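Review bot: `"Install": ["/etc/ssl/certs/root_ca.pem"]` hard-codes a name that presumably update-ca-certificates derives from the `root_ca.crt` placed in /usr/local/share/ca-certificates by the preceding hunk, and nothing checks that link exists; if the `-f tls/root_ca.crt` test in that hunk fails, Firefox is pointed at a missing file and the error only shows up at browser start. A comment tying the two together would help the next reader, e.g. `# derived by update-ca-certificates from /usr/local/share/ca-certificates/root_ca.crt (see block above)`. The `echo -e '{` that writes policies.json starts before this hunk.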
@ -14,6 +14,11 @@ apt-get update
|
|||||||
DEBIAN_FRONTEND=noninteractive apt-get install -y unbound
|
DEBIAN_FRONTEND=noninteractive apt-get install -y unbound
|
||||||
cp dns.conf /etc/unbound/unbound.conf.d/
|
cp dns.conf /etc/unbound/unbound.conf.d/
|
||||||
|
|
||||||
|
# On place les certifs
|
||||||
|
if [ -f tls/root_ca.crt ]; then
|
||||||
|
cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/
|
||||||
|
/usr/sbin/update-ca-certificates --fresh
|
||||||
|
fi
|
||||||
|
|
||||||
# Install smallstep CA / ACME server
|
# Install smallstep CA / ACME server
|
||||||
cd /tmp
|
cd /tmp
|
||||||
@ -23,7 +28,7 @@ wget "https://dl.smallstep.com/gh-release/certificates/gh-release-header/v0.24.2
|
|||||||
dpkg -i step-ca_0.24.2_amd64.deb
|
dpkg -i step-ca_0.24.2_amd64.deb
|
||||||
|
|
||||||
echo "password" > /root/ca-passwordfile
|
echo "password" > /root/ca-passwordfile
|
||||||
step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile" --root="letsencrypt/local/rootCA.pem" --key "letsencrypt/local/rootCA-key.pem"
|
step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile" --root="${DIR}/tls/root_ca.crt" --key "${DIR}/tls/root_ca_key"
|
||||||
echo -e '#!/bin/sh\nstep-ca --password-file /root/ca-passwordfile' >> /etc/rc.local
|
echo -e '#!/bin/sh\nstep-ca --password-file /root/ca-passwordfile' >> /etc/rc.local
|
||||||
chmod +x /etc/rc.local
|
chmod +x /etc/rc.local
|
||||||
|
|
||||||
|
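Review bot: `step ca init ... --root="${DIR}/tls/root_ca.crt" --key "${DIR}/tls/root_ca_key"` imports an existing root, but nothing in the hunk checks that DIR is set or that either file is present; with DIR unset the paths resolve to `/tls/...` and the init presumably fails, leaving the ACME server without the root the other VMs were told to trust. A guard before the init, `: "${DIR:?DIR must be set}"` and `[ -f "${DIR}/tls/root_ca_key" ] || exit 1`, makes the failure explicit and early. The root key arrives here with its passphrase removed (the hunk at @ -143,48 +143,25 runs `step crypto change-pass ... --no-password --insecure`), so the `--key` argument is a plaintext root key and its file mode after the preceding `cp -ar` should be restricted with `chmod 600`.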
@ -143,48 +143,25 @@ SystemMaxFileSize=2M
|
|||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# CA et certifs avec mkcert
|
# CA et certifs avec smallstep
|
||||||
|
|
||||||
echo -e "\n #### mkcert\n"
|
echo -e "\n #### smallstep\n"
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get install -y libnss3-tools
|
cd /tmp
|
||||||
|
wget "https://dl.smallstep.com/gh-release/cli/gh-release-header/v0.24.4/step-cli_0.24.4_amd64.deb"
|
||||||
|
dpkg -i step-cli_0.24.4_amd64.deb
|
||||||
|
echo "password" > /root/ca-passwordfile
|
||||||
|
step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile"
|
||||||
|
|
||||||
mkdir -p /root/mkcert
|
mkdir -p /root/tls
|
||||||
cd /root/mkcert
|
cp /root/.step/certs/root_ca.crt /root/tls/
|
||||||
if [ ! -f mkcert ]; then
|
cp /root/.step/secrets/root_ca_key /root/tls/
|
||||||
wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 -O mkcert
|
step crypto change-pass /root/tls/root_ca_key --no-password --insecure --password-file="/root/ca-passwordfile" --force
|
||||||
chmod +x mkcert
|
|
||||||
mkdir -p /etc/letsencrypt/local/
|
|
||||||
export CAROOT=/etc/letsencrypt/local/
|
|
||||||
/root/mkcert/mkcert -install # CA dans /etc/letsencrypt/local/
|
|
||||||
cd "${CAROOT}"
|
|
||||||
cat > "${CAROOT}/kaz.sns.cnf" <<EOF
|
|
||||||
[ req ]
|
|
||||||
prompt = no
|
|
||||||
distinguished_name = dn
|
|
||||||
req_extensions = req_ext
|
|
||||||
|
|
||||||
[ dn ]
|
step certificate create "*.kaz.sns" /root/tls/wildcard.crt /root/tls/wildcard.key --profile leaf --ca /root/.step/certs/intermediate_ca.crt --ca-key /root/.step/secrets/intermediate_ca_key --ca-password-file /root/ca-passwordfile --bundle --force --no-password --insecure
|
||||||
CN = *.kaz.sns
|
|
||||||
emailAddress = admin@kaz.sns
|
|
||||||
O = KAZ
|
|
||||||
OU = Dev
|
|
||||||
L = Vannes
|
|
||||||
ST = France
|
|
||||||
C = FR
|
|
||||||
|
|
||||||
[ req_ext ]
|
|
||||||
subjectAltName = @alt_names
|
|
||||||
|
|
||||||
[alt_names]
|
|
||||||
DNS.0 = *.kaz.sns
|
|
||||||
EOF
|
|
||||||
openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout kaz.sns.key -out kaz.sns.csr -config kaz.sns.cnf
|
|
||||||
/root/mkcert/mkcert -csr "${CAROOT}/kaz.sns.csr" # cert et clé dans /etc/letsencrypt/local/
|
|
||||||
|
|
||||||
mkdir -p /etc/letsencrypt/live/kaz.sns/
|
mkdir -p /etc/letsencrypt/live/kaz.sns/
|
||||||
ln -s ../../local/_wildcard.kaz.sns.pem /etc/letsencrypt/live/kaz.sns/fullchain.pem
|
ln -sf /root/tls/wildcard.crt /etc/letsencrypt/live/kaz.sns/fullchain.pem
|
||||||
ln -s ../../local/kaz.sns.key /etc/letsencrypt/live/kaz.sns/privkey.pem
|
ln -sf /root/tls/wildcard.key /etc/letsencrypt/live/kaz.sns/privkey.pem
|
||||||
fi
|
|
||||||
|
|
||||||
# Cache docker registry
|
# Cache docker registry
|
||||||
echo "proxy:
|
echo "proxy:
|
||||||
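Review bot: `step crypto change-pass /root/tls/root_ca_key --no-password --insecure --password-file="/root/ca-passwordfile" --force` leaves the root CA private key unencrypted in /root/tls, next to `wildcard.key` (also created `--no-password --insecure`), and that whole directory is later copied into every container tree by the hunks at @ -219,10 +196,10 and @ -26,10 +26,10. Keep the private keys out of the directory that gets distributed, or at minimum `chmod 700 /root/tls` and `chmod 600 /root/tls/root_ca_key /root/tls/wildcard.key`; likewise `echo "password" > /root/ca-passwordfile` is written with the default umask, so wrap it as `(umask 077; echo "password" > /root/ca-passwordfile)`. The two `ln -sf /root/tls/wildcard.crt ...` and `ln -sf /root/tls/wildcard.key ...` lines replace relative links with absolute ones; since the provisioning scripts do `cp -ar letsencrypt /etc/`, which preserves symlinks, fullchain.pem and privkey.pem inside a container will dangle unless /root/tls exists at the same path there, which nothing in these hunks shows — copying the files or keeping relative links avoids that. Finally `wget "https://dl.smallstep.com/.../step-cli_0.24.4_amd64.deb"` is followed by `dpkg -i` with no check on the download's result or integrity; `wget ... || exit 1` plus a pinned `sha256sum -c` line would stop a partial or substituted package from being installed.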
@ -219,10 +196,10 @@ auth:
|
|||||||
cp -ar ${VAGRANT_SRC_DIR}/snster-kaz /root
|
cp -ar ${VAGRANT_SRC_DIR}/snster-kaz /root
|
||||||
|
|
||||||
# crypto keys
|
# crypto keys
|
||||||
cp -ar /etc/letsencrypt /root/snster-kaz/hoster-a/kaz1/
|
cp -ar /root/tls /etc/letsencrypt /root/snster-kaz/hoster-a/kaz1/
|
||||||
cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/
|
cp -ar /root/tls /etc/letsencrypt /root/snster-kaz/hoster-b/kaz2/
|
||||||
cp -ar /etc/letsencrypt /root/snster-kaz/hoster-b/kaz2/
|
cp -ar /root/tls /root/snster-kaz/isp-a/home/
|
||||||
cp -ar /etc/letsencrypt /root/snster-kaz/mica/infra/
|
cp -ar /root/tls /root/snster-kaz/mica/infra/
|
||||||
|
|
||||||
|
|
||||||
# On lie le filesystem de kaz-prod dans le /kaz de la VM pour le dév
|
# On lie le filesystem de kaz-prod dans le /kaz de la VM pour le dév
|
||||||
|
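Review bot: `cp -ar /root/tls /etc/letsencrypt /root/snster-kaz/hoster-a/kaz1/` and the three lines below copy the entire /root/tls directory, including `root_ca_key` and `wildcard.key`, into all four container trees, yet the provisioning hunks above only read `tls/root_ca.crt` from it and only the CA script's hunk at @ -23,7 +28,7 uses `${DIR}/tls/root_ca_key`. Copy only what each target needs, e.g. `mkdir -p /root/snster-kaz/isp-a/home/tls && cp /root/tls/root_ca.crt /root/snster-kaz/isp-a/home/tls/` for targets that are not the CA, so the passphrase-less root key (stripped in the hunk at @ -143,48 +143,25) does not end up in containers that never use it. The hunk at @ -26,10 +26,10 repeats these four lines and has the same issue.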
@ -26,10 +26,10 @@ git switch "${KAZBRANCH}"
|
|||||||
# On écrase les anciens fichiers
|
# On écrase les anciens fichiers
|
||||||
cp -ar /tmp/kaz-vagrant/files/snster-kaz /root/
|
cp -ar /tmp/kaz-vagrant/files/snster-kaz /root/
|
||||||
# crypto keys
|
# crypto keys
|
||||||
cp -ar /etc/letsencrypt /root/snster-kaz/hoster-a/kaz1/
|
cp -ar /root/tls /etc/letsencrypt /root/snster-kaz/hoster-a/kaz1/
|
||||||
cp -ar /etc/letsencrypt /root/snster-kaz/hoster-b/kaz2/
|
cp -ar /root/tls /etc/letsencrypt /root/snster-kaz/hoster-b/kaz2/
|
||||||
cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/
|
cp -ar /root/tls /root/snster-kaz/isp-a/home/
|
||||||
cp -ar /etc/letsencrypt /root/snster-kaz/mica/infra/
|
cp -ar /root/tls /root/snster-kaz/mica/infra/
|
||||||
|
|
||||||
# On détruit et reconstruit tout sauf kaz-prod
|
# On détruit et reconstruit tout sauf kaz-prod
|
||||||
SNSTER="snster -c /root/snster-kaz"
|
SNSTER="snster -c /root/snster-kaz"
|
||||||
|