Merge pull request #51 from palantirnet/self-signed-san

Generate better self-signed certs
palantirnet · Jul 27, 2018 · 49b266d · 49b266d
2 parents bae27be + b6a5b0b
commit 49b266d
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 1 deletion.
diff --git a/conf/vagrant/Vagrantfile b/conf/vagrant/Vagrantfile
@@ -55,6 +55,7 @@ Vagrant.configure(2) do |config|
         ansible.extra_vars = {
             "project" => project,
             "hostname" => hostname,
+            "extra_hostnames" => extra_hostnames,
             "solr_enabled" => ansible_solr_enabled,
             "https_enabled" => ansible_https_enabled,
             "project_web_root" => ansible_project_web_root,

diff --git a/conf/vagrant/provisioning/roles/https/tasks/main.yml b/conf/vagrant/provisioning/roles/https/tasks/main.yml
@@ -13,9 +13,15 @@
   when: https_enabled == True
   tags: https
 
+- name: Add config for self-signed certs
+  become: True
+  template: src=san.cnf dest=/etc/apache2/ssl/san.cnf
+  when: https_enabled == True
+  tags: https
+
 - name: Generate self-signed certificate
   become: True
-  command: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt -subj "/C=US/ST=Illinois/L=Evanston/O=Palantir.net, Inc./OU=DevOps/CN={{ hostname }}"
+  command: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt -subj "/C=US/ST=Illinois/L=Evanston/O=Palantir.net, Inc./OU=DevOps/CN={{ hostname }}"  -config /etc/apache2/ssl/san.cnf
   when: https_enabled == True
   tags: https
 

diff --git a/conf/vagrant/provisioning/roles/https/templates/san.cnf b/conf/vagrant/provisioning/roles/https/templates/san.cnf
@@ -0,0 +1,19 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions     = v3_req
+x509_extensions    = v3_req
+
+[req_distinguished_name]
+commonName       = {{ hostname }}
+organizationName = Palantir.net, Inc.
+localityName     = Evanston
+countryName      = US
+
+[v3_req]
+# The extentions to add to a self-signed cert
+subjectKeyIdentifier = hash
+basicConstraints     = critical,CA:false
+subjectAltName       = DNS:{{ hostname }},DNS:www.{{ hostname }}{% for host in extra_hostnames  %}
+,DNS:{{ host }}
+{% endfor %}
+keyUsage             = critical,digitalSignature,keyEncipherment