Merge a99fb0ee41 into 1edb95df9c

2025-09-06 12:03:38 +02:00 · 2018-03-26 07:52:43 +00:00 · 2018-03-26 07:52:43 +00:00 · 26a7db8530
commit 26a7db8530
parent 1edb95df9c a99fb0ee41
6 changed files with 75 additions and 51 deletions
--- a/27
+++ b/27
@ -519,12 +519,24 @@ if [ "x${IP_subject}" = "x" ]; then
 	exit 1
 fi

+  read -p "
+
+Enter the public DNS name of your server: (IMPORTANT! This name is used to verify the certificate)
+[$mydns]: " -r DNS_subject
+  DNS_subject=${DNS_subject:-$mydns}
+
+if [ "x${DNS_subject}" = "x" ]; then
+  echo "no public DNS name given. exiting."
+  exit 1
+fi
+
  ROLES="local vpn"
-  EXTRA_VARS="server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$IP_subject"
+  EXTRA_VARS="server_ip=$server_ip server_user=$server_user DNS_subject_alt_name=$DNS_subject IP_subject_alt_name=$IP_subject"
  SKIP_TAGS+=" cloud update-alternatives"

  read -p "

+
 Was this server deployed by Algo previously?
 [y/N]: " -r Deployed_By_Algo
 Deployed_By_Algo=${Deployed_By_Algo:-n}
@ -599,11 +611,22 @@ exit 1
 fi

  read -p "
+
+Enter the public DNS name of your server: (IMPORTANT! This name is used to verify the certificate)
+[$mydns]: " -r DNS_subject
+  DNS_subject=${DNS_subject:-$mydns}
+
+if [ "x${DNS_subject}" = "x" ]; then
+  echo "no public DNS name given. exiting."
+  exit 1
+fi
+
+  read -p "
 Enter the password for the private CA key:
 $ADDITIONAL_PROMPT
 : " -rs easyrsa_CA_password

-ansible-playbook users.yml -e "server_ip=$server_ip server_user=$server_user ssh_tunneling_enabled=$ssh_tunneling_enabled IP_subject_alt_name=$IP_subject easyrsa_CA_password=$easyrsa_CA_password" -t update-users --skip-tags common
+ansible-playbook users.yml -e "server_ip=$server_ip server_user=$server_user ssh_tunneling_enabled=$ssh_tunneling_enabled DNS_subject_alt_name=$DNS_subject IP_subject_alt_name=$IP_subject easyrsa_CA_password=$easyrsa_CA_password" -t update-users --skip-tags common
 }

 case "$1" in
--- a/playbooks/facts/main.yml
+++ b/playbooks/facts/main.yml
@ -43,3 +43,4 @@
 - name: Define the commonName
  set_fact:
    IP_subject_alt_name: "{{ IP_subject_alt_name }}"
+    DNS_subject_alt_name: "{{ DNS_subject_alt_name }}"
--- a/roles/vpn/tasks/client_configs.yml
+++ b/roles/vpn/tasks/client_configs.yml
@ -4,18 +4,18 @@
  shell: cat private/{{ item }}.p12 | base64
  register:  PayloadContent
  args:
-    chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+    chdir: "configs/{{ DNS_subject_alt_name }}/pki/"
  with_items: "{{ users }}"

 - name: Set facts for mobileconfigs
  set_fact:
    proxy_enabled: false
-    PayloadContentCA: "{{ lookup('file' , 'configs/{{ IP_subject_alt_name }}/pki/cacert.pem')|b64encode }}"
+    PayloadContentCA: "{{ lookup('file' , 'configs/{{ DNS_subject_alt_name }}/pki/cacert.pem')|b64encode }}"

 - name: Build the mobileconfigs
  template:
    src: mobileconfig.j2
-    dest: configs/{{ IP_subject_alt_name }}/{{ item.0 }}.mobileconfig
+    dest: configs/{{ DNS_subject_alt_name }}/{{ item.0 }}.mobileconfig
    mode: 0600
  with_together:
    - "{{ users }}"
@ -25,7 +25,7 @@
 - name: Build the strongswan app android config
  template:
    src: sswan.j2
-    dest: configs/{{ IP_subject_alt_name }}/android_{{ item.0 }}.sswan
+    dest: configs/{{ DNS_subject_alt_name }}/android_{{ item.0 }}.sswan
    mode: 0600
  with_together:
    - "{{ users }}"
@ -35,7 +35,7 @@
 - name: Build the android helper html
  template:
    src: android_html_helper.j2
-    dest: configs/{{ IP_subject_alt_name }}/android_{{ item.0 }}_helper.html
+    dest: configs/{{ DNS_subject_alt_name }}/android_{{ item.0 }}_helper.html
    mode: 0600
  with_together:
    - "{{ users }}"
@ -44,7 +44,7 @@
 - name: Build the client ipsec config file
  template:
    src: client_ipsec.conf.j2
-    dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.conf
+    dest: configs/{{ DNS_subject_alt_name }}/ipsec_{{ item }}.conf
    mode: 0600
  with_items:
    - "{{ users }}"
@ -52,7 +52,7 @@
 - name: Build the client ipsec secret file
  template:
    src: client_ipsec.secrets.j2
-    dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.secrets
+    dest: configs/{{ DNS_subject_alt_name }}/ipsec_{{ item }}.secrets
    mode: 0600
  with_items:
    - "{{ users }}"
@ -60,18 +60,18 @@
 - name: Create the windows check file
  file:
    state: touch
-    path: configs/{{ IP_subject_alt_name }}/.supports_windows
+    path: configs/{{ DNS_subject_alt_name }}/.supports_windows
  when: Win10_Enabled is defined and Win10_Enabled == "Y"

 - name: Check if the windows check file exists
  stat:
-    path: configs/{{ IP_subject_alt_name }}/.supports_windows
+    path: configs/{{ DNS_subject_alt_name }}/.supports_windows
  register: supports_windows

 - name: Build the windows client powershell script
  template:
    src: client_windows.ps1.j2
-    dest: configs/{{ IP_subject_alt_name }}/windows_{{ item }}.ps1
+    dest: configs/{{ DNS_subject_alt_name }}/windows_{{ item }}.ps1
    mode: 0600
  when: Win10_Enabled is defined and Win10_Enabled == "Y" or supports_windows.stat.exists == true
  with_items: "{{ users }}"
@ -82,4 +82,4 @@
    state: directory
    mode: 0700
  with_items:
-    - configs/{{ IP_subject_alt_name }}
+    - configs/{{ DNS_subject_alt_name }}
--- a/roles/vpn/tasks/distribute_keys.yml
+++ b/roles/vpn/tasks/distribute_keys.yml
@ -8,18 +8,18 @@
    group: "{{ item.group }}"
    mode: "{{ item.mode }}"
  with_items:
-    - src: "configs/{{ IP_subject_alt_name }}/pki/cacert.pem"
+    - src: "configs/{{ DNS_subject_alt_name }}/pki/cacert.pem"
      dest: "{{ config_prefix|default('/') }}etc/ipsec.d/cacerts/ca.crt"
      owner: strongswan
      group: "{{ root_group|default('root') }}"
      mode: "0600"
-    - src: "configs/{{ IP_subject_alt_name }}/pki/certs/{{ IP_subject_alt_name }}.crt"
-      dest: "{{ config_prefix|default('/') }}etc/ipsec.d/certs/{{ IP_subject_alt_name }}.crt"
+    - src: "configs/{{ DNS_subject_alt_name }}/pki/certs/{{ DNS_subject_alt_name }}.crt"
+      dest: "{{ config_prefix|default('/') }}etc/ipsec.d/certs/{{ DNS_subject_alt_name }}.crt"
      owner: strongswan
      group: "{{ root_group|default('root') }}"
      mode: "0600"
-    - src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ IP_subject_alt_name }}.key"
-      dest: "{{ config_prefix|default('/') }}etc/ipsec.d/private/{{ IP_subject_alt_name }}.key"
+    - src: "configs/{{ DNS_subject_alt_name }}/pki/private/{{ DNS_subject_alt_name }}.key"
+      dest: "{{ config_prefix|default('/') }}etc/ipsec.d/private/{{ DNS_subject_alt_name }}.key"
      owner: strongswan
      group: "{{ root_group|default('root') }}"
      mode: "0600"
--- a/roles/vpn/tasks/openssl.yml
+++ b/roles/vpn/tasks/openssl.yml
@ -3,13 +3,13 @@
 - block:
  - name: Ensure the pki directory does not exist
    file:
-      dest: configs/{{ IP_subject_alt_name }}/pki
+      dest: configs/{{ DNS_subject_alt_name }}/pki
      state: absent
    when: easyrsa_reinit_existent == True

  - name: Ensure the pki directories exist
    file:
-      dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}"
+      dest: "configs/{{ DNS_subject_alt_name }}/pki/{{ item }}"
      state: directory
      recurse: yes
    with_items:
@ -22,7 +22,7 @@

  - name: Ensure the files exist
    file:
-      dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}"
+      dest: "configs/{{ DNS_subject_alt_name }}/pki/{{ item }}"
      state: touch
    with_items:
      - ".rnd"
@ -34,56 +34,56 @@
  - name: Generate the openssl server configs
    template:
      src: openssl.cnf.j2
-      dest: "configs/{{ IP_subject_alt_name }}/pki/openssl.cnf"
+      dest: "configs/{{ DNS_subject_alt_name }}/pki/openssl.cnf"

  - name: Build the CA pair
    shell: >
      {{ openssl_bin }} ecparam -name prime256v1 -out ecparams/prime256v1.pem &&
      {{ openssl_bin }} req -utf8 -new
      -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }}
-      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"))
+      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ DNS_subject_alt_name }},IP:{{ IP_subject_alt_name }}"))
      -keyout private/cakey.pem
      -out cacert.pem -x509 -days 3650
      -batch
      -passout pass:"{{ easyrsa_CA_password }}" &&
-      touch {{ IP_subject_alt_name }}_ca_generated
+      touch {{ DNS_subject_alt_name }}_ca_generated
    args:
-      chdir: "configs/{{ IP_subject_alt_name }}/pki/"
-      creates: "{{ IP_subject_alt_name }}_ca_generated"
+      chdir: "configs/{{ DNS_subject_alt_name }}/pki/"
+      creates: "{{ DNS_subject_alt_name }}_ca_generated"
      executable: bash

  - name: Copy the CA certificate
    copy:
-      src: "configs/{{ IP_subject_alt_name }}/pki/cacert.pem"
-      dest: "configs/{{ IP_subject_alt_name }}/cacert.pem"
+      src: "configs/{{ DNS_subject_alt_name }}/pki/cacert.pem"
+      dest: "configs/{{ DNS_subject_alt_name }}/cacert.pem"
      mode: 0600

  - name: Generate the serial number
    shell: echo 01 > serial && touch serial_generated
    args:
-      chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+      chdir: "configs/{{ DNS_subject_alt_name }}/pki/"
      creates: serial_generated

  - name: Build the server pair
    shell: >
      {{ openssl_bin }} req -utf8 -new
      -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }}
-      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"))
-      -keyout private/{{ IP_subject_alt_name }}.key
-      -out reqs/{{ IP_subject_alt_name }}.req -nodes
+      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ DNS_subject_alt_name }},IP:{{ IP_subject_alt_name }}"))
+      -keyout private/{{ DNS_subject_alt_name }}.key
+      -out reqs/{{ DNS_subject_alt_name }}.req -nodes
      -passin pass:"{{ easyrsa_CA_password }}"
-      -subj "/CN={{ IP_subject_alt_name }}" -batch &&
+      -subj "/CN={{ DNS_subject_alt_name }}" -batch &&
      {{ openssl_bin }} ca -utf8
-      -in reqs/{{ IP_subject_alt_name }}.req
-      -out certs/{{ IP_subject_alt_name }}.crt
-      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"))
+      -in reqs/{{ DNS_subject_alt_name }}.req
+      -out certs/{{ DNS_subject_alt_name }}.crt
+      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ DNS_subject_alt_name }},IP:{{ IP_subject_alt_name }}"))
      -days 3650 -batch
      -passin pass:"{{ easyrsa_CA_password }}"
-      -subj "/CN={{ IP_subject_alt_name }}" &&
-      touch certs/{{ IP_subject_alt_name }}_crt_generated
+      -subj "/CN={{ DNS_subject_alt_name }}" &&
+      touch certs/{{ DNS_subject_alt_name }}_crt_generated
    args:
-      chdir: "configs/{{ IP_subject_alt_name }}/pki/"
-      creates: certs/{{ IP_subject_alt_name }}_crt_generated
+      chdir: "configs/{{ DNS_subject_alt_name }}/pki/"
+      creates: certs/{{ DNS_subject_alt_name }}_crt_generated
      executable: bash

  - name: Build the client's pair
@ -104,7 +104,7 @@
      -subj "/CN={{ item }}" &&
      touch certs/{{ item }}_crt_generated
    args:
-      chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+      chdir: "configs/{{ DNS_subject_alt_name }}/pki/"
      creates: certs/{{ item }}_crt_generated
      executable: bash
    with_items: "{{ users }}"
@ -119,15 +119,15 @@
      -out private/{{ item }}.p12
      -passout pass:"{{ easyrsa_p12_export_password }}"
    args:
-      chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+      chdir: "configs/{{ DNS_subject_alt_name }}/pki/"
      executable: bash
    with_items: "{{ users }}"
    register: p12

  - name: Copy the p12 certificates
    copy:
-      src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.p12"
-      dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.p12"
+      src: "configs/{{ DNS_subject_alt_name }}/pki/private/{{ item }}.p12"
+      dest: "configs/{{ DNS_subject_alt_name }}/{{ item }}.p12"
      mode: 0600
    with_items:
      - "{{ users }}"
@ -135,11 +135,11 @@
  - name: Get active users
    shell: >
      grep ^V index.txt |
-      grep -v "{{ IP_subject_alt_name }}" |
+      grep -v "{{ DNS_subject_alt_name }}" |
      awk '{print $5}' |
      sed 's/\/CN=//g'
    args:
-      chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+      chdir: "configs/{{ DNS_subject_alt_name }}/pki/"
    register: valid_certs

  - name: Revoke non-existing users
@ -151,7 +151,7 @@
      -out crl/{{ item }}.crt
    register: gencrl
    args:
-      chdir: configs/{{ IP_subject_alt_name }}/pki/
+      chdir: configs/{{ DNS_subject_alt_name }}/pki/
      creates: crl/{{ item }}.crt
      executable: bash
    when: item not in users
@ -160,21 +160,21 @@
  - name: Genereate new CRL file
    shell: >
      {{ openssl_bin }} ca -gencrl
-      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }}"))
+      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ DNS_subject_alt_name }}"))
      -passin pass:"{{ easyrsa_CA_password }}"
      -out crl/algo.root.pem
    when:
      - gencrl is defined
      - gencrl.changed
    args:
-      chdir: configs/{{ IP_subject_alt_name }}/pki/
+      chdir: configs/{{ DNS_subject_alt_name }}/pki/
      executable: bash
  delegate_to: localhost
  become: no

 - name: Copy the CRL to the vpn server
  copy:
-    src: configs/{{ IP_subject_alt_name }}/pki/crl/algo.root.pem
+    src: configs/{{ DNS_subject_alt_name }}/pki/crl/algo.root.pem
    dest: "{{ config_prefix|default('/') }}etc/ipsec.d/crls/algo.root.pem"
  when:
    - gencrl is defined
--- a/tests/local-deploy.sh
+++ b/tests/local-deploy.sh
@ -2,7 +2,7 @@

 set -e

-DEPLOY_ARGS="server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y"
+DEPLOY_ARGS="server_ip=$LXC_IP server_user=root DNS_subject_alt_name=example.com IP_subject_alt_name=$LXC_IP local_dns=Y"

 if [ "${LXC_NAME}" == "docker" ]
 then