From 3b9a385b73b50ececa7d1e5b11510237e5fcc485 Mon Sep 17 00:00:00 2001
From: Avi Schwab
Date: Mon, 9 Jul 2018 17:50:16 -0500
Subject: [PATCH 1/3] Add task to copy cnf template and use it

---
 conf/vagrant/provisioning/roles/https/tasks/main.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/conf/vagrant/provisioning/roles/https/tasks/main.yml b/conf/vagrant/provisioning/roles/https/tasks/main.yml
index e4248ed..fdbbe55 100644
--- a/conf/vagrant/provisioning/roles/https/tasks/main.yml
+++ b/conf/vagrant/provisioning/roles/https/tasks/main.yml
@@ -13,9 +13,15 @@
   when: https_enabled == True
   tags: https
 
+- name: Add config for self-signed certs
+  become: True
+  template: src=san.cnf dest=/etc/apache2/ssl/san.cnf
+  when: https_enabled == True
+  tags: https
+
 - name: Generate self-signed certificate
   become: True
-  command: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt -subj "/C=US/ST=Illinois/L=Evanston/O=Palantir.net, Inc./OU=DevOps/CN={{ hostname }}"
+  command: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt -subj "/C=US/ST=Illinois/L=Evanston/O=Palantir.net, Inc./OU=DevOps/CN={{ hostname }}" -config /etc/apache2/ssl/san.cnf
   when: https_enabled == True
   tags: https
 
From 0df430949d146e66557c6b9e85e715c7e1eefda0 Mon Sep 17 00:00:00 2001
From: Avi Schwab
Date: Mon, 9 Jul 2018 17:52:22 -0500
Subject: [PATCH 2/3] Add san.cnf via https://security.stackexchange.com/a/166645

---
 .../provisioning/roles/https/templates/san.cnf | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 conf/vagrant/provisioning/roles/https/templates/san.cnf

diff --git a/conf/vagrant/provisioning/roles/https/templates/san.cnf b/conf/vagrant/provisioning/roles/https/templates/san.cnf
new file mode 100644
index 0000000..840387a
--- /dev/null
+++ b/conf/vagrant/provisioning/roles/https/templates/san.cnf
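Review bot: The `Generate self-signed certificate` command task still runs unconditionally on every provisioning pass, so the new `-config` flag does not change the fact that `/etc/apache2/ssl/apache.key` and `apache.crt` are overwritten with a fresh keypair each time; an idempotency guard such as `args:` / `creates: /etc/apache2/ssl/apache.crt` fixes that, and if the SAN list should be picked up when the template changes, `register: san_cnf` on the new template task plus `when: https_enabled == True and (san_cnf is changed or ...)` on the command is the more complete form. The new template task uses the legacy `key=value` argument string and sets no `owner`/`group`/`mode`; block form (`template:` with `src: san.cnf`, `dest: /etc/apache2/ssl/san.cnf`, `mode: "0644"`) is the Ansible idiom and makes the file's permissions explicit rather than inherited from the remote umask. `when: https_enabled == True` and `become: True` read more cleanly as `when: https_enabled` and `become: true`, though that matches the existing style of the file. The task list continues outside the hunk.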
@@ -0,0 +1,17 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+x509_extensions = v3_req
+
+[req_distinguished_name]
+commonName = {{ hostname }}
+organizationName = Palantir.net, Inc.
+localityName = Evanston
+countryName = US
+
+[v3_req]
+# The extentions to add to a self-signed cert
+subjectKeyIdentifier = hash
+basicConstraints = critical,CA:false
+subjectAltName = DNS:{{ hostname }},DNS:www.{{ hostname }}
+keyUsage = critical,digitalSignature,keyEncipherment

From b6a5b0b2d0e537bd6a9958571ff884f3870dd64d Mon Sep 17 00:00:00 2001
From: Bec White
Date: Fri, 27 Jul 2018 17:18:20 -0500
Subject: [PATCH 3/3] Add extra_hostnames to the HTTPS cert generation.

---
 conf/vagrant/Vagrantfile | 1 +
 conf/vagrant/provisioning/roles/https/templates/san.cnf | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/conf/vagrant/Vagrantfile b/conf/vagrant/Vagrantfile
index da3fa3a..d42863b 100644
--- a/conf/vagrant/Vagrantfile
+++ b/conf/vagrant/Vagrantfile
@@ -55,6 +55,7 @@ Vagrant.configure(2) do |config|
 ansible.extra_vars = {
 "project" => project,
 "hostname" => hostname,
+"extra_hostnames" => extra_hostnames,
 "solr_enabled" => ansible_solr_enabled,
 "https_enabled" => ansible_https_enabled,
 "project_web_root" => ansible_project_web_root,
diff --git a/conf/vagrant/provisioning/roles/https/templates/san.cnf b/conf/vagrant/provisioning/roles/https/templates/san.cnf
index 840387a..cf1b095 100644
--- a/conf/vagrant/provisioning/roles/https/templates/san.cnf
+++ b/conf/vagrant/provisioning/roles/https/templates/san.cnf
@@ -13,5 +13,7 @@ countryName = US
 # The extentions to add to a self-signed cert
 subjectKeyIdentifier = hash
 basicConstraints = critical,CA:false
-subjectAltName = DNS:{{ hostname }},DNS:www.{{ hostname }}
+subjectAltName = DNS:{{ hostname }},DNS:www.{{ hostname }}{% for host in extra_hostnames %}
+,DNS:{{ host }}
+{% endfor %}
 keyUsage = critical,digitalSignature,keyEncipherment
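Review bot: The `[req_distinguished_name]` section has no `prompt = no`, so OpenSSL reads `commonName = {{ hostname }}` and the neighbouring entries as prompt labels rather than as DN values; they only go unnoticed because the playbook passes `-subj`, which overrides the subject entirely, leaving this section as dead and misleading configuration. Either add `prompt = no` as the first line of `[req_distinguished_name]` and drop the duplicated `-subj` from the task so the subject has one source of truth, or remove the section's field values and keep `-subj`. The SAN and key-usage extensions are applied to the self-signed certificate through `x509_extensions = v3_req`; `req_extensions = v3_req` only matters for CSRs and is harmless here, which is worth a comment so nobody deletes the wrong one. The `[v3_req]` comment misspells the word: `# The extensions to add to a self-signed cert`. Note also that `{{ hostname }}` is interpolated unquoted into a file whose parser performs `$name` variable expansion, so a value containing `$` would break parsing — unlikely for a hostname, but worth stating in a comment.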
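Review bot: The loop body puts each extra entry on its own line, so with a non-empty `extra_hostnames` the rendered file contains lines such as `,DNS:host` that OpenSSL's config parser rejects for lacking an `=`; the newline after `{{ host }}` follows a variable tag, not a block tag, so Ansible's `trim_blocks` does not remove it. With an empty list and the template module's default `trim_blocks: yes`, the newlines after `{% for %}` and `{% endfor %}` are both stripped and `keyUsage = ...` appears to be appended to the `subjectAltName` line, silently dropping the key-usage extension — worth confirming by rendering the template with both an empty and a two-element list. Keeping the whole loop on one line avoids both cases: `subjectAltName = DNS:{{ hostname }},DNS:www.{{ hostname }}{% for host in extra_hostnames %},DNS:{{ host }}{% endfor %}`. The Vagrantfile hunk in this patch only passes `extra_hostnames` through and assumes the variable is defined earlier in that file, outside the hunk.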