random password for the p12 certificates #135

config.cfg

@@ -9,10 +9,6 @@ users:
 # Avoid using '+' in your email address otherwise auditd will fail to start.
 auditd_action_mail_acct: email@example.com
 
-# Exported certificates will be protected by the password below:
-easyrsa_p12_export_password: vpnpws
-
-
 ### Advanced users only below this line ###
 
 easyrsa_dir: /opt/easy-rsa-ipsec
@@ -74,3 +70,14 @@ local_service_ip: 172.16.0.1
 pkcs12_PayloadCertificateUUID: "{{ 900000 | random | to_uuid | upper }}"
 VPN_PayloadIdentifier: "{{ 800000 | random | to_uuid | upper }}"
 CA_PayloadIdentifier: "{{ 700000 | random | to_uuid | upper }}"
+
+congrats: |
+  "#----------------------------------------------------------------------#"
+  "#                          Congratulations!                            #"
+  "#                     Your Algo server is running.                     #"
+  "#    Config files and certificates are in the ./configs/ directory.    #"
+  "#              Go to https://whoer.net/ after connecting               #"
+  "#        and ensure that all your traffic passes through the VPN.      #"
+  "#          Local DNS resolver and Proxy IP address: {{ local_service_ip }}"
+  "#                     The p12 password is {{ easyrsa_p12_export_password }}"
+  "#----------------------------------------------------------------------#"

deploy.yml

@@ -53,16 +53,5 @@
     - { role: vpn, tags: [ 'vpn' ] }
 
   post_tasks:
-    - shell: |
-        echo "#----------------------------------------------------------------------#"
-        echo "#                          Congratulations!                            #"
-        echo "#                     Your Algo server is running.                     #"
-        echo "#    Config files and certificates are in the ./configs/ directory.    #"
-        echo "#              Go to https://whoer.net/ after connecting               #"
-        echo "#        and ensure that all your traffic passes through the VPN.      #"
-        echo "#          Local DNS resolver and Proxy IP address: {{ local_service_ip }}"
-        echo "#----------------------------------------------------------------------#"
-      tags: always
-      register: congrats
-    - debug: msg="{{ congrats.stdout_lines }}"
+    - debug: msg="{{ congrats.split('\n') }}"
       tags: always

roles/cloud-azure/tasks/main.yml

@@ -63,7 +63,6 @@
     groups: vpn-host
     ansible_ssh_user: ubuntu
     ansible_python_interpreter: "/usr/bin/python2.7"
-    easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
     cloud_provider: azure
     ipv6_support: no
 

roles/cloud-digitalocean/tasks/main.yml

@@ -32,7 +32,6 @@
     ansible_python_interpreter: "/usr/bin/python2.7"
     do_access_token: "{{ do_access_token }}"
     do_droplet_id: "{{ do.droplet.id }}"
-    easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
     cloud_provider: digitalocean
     ipv6_support: yes
 

roles/cloud-ec2/tasks/main.yml

@@ -103,7 +103,6 @@
     groupname: vpn-host
     ansible_ssh_user: ubuntu
     ansible_python_interpreter: "/usr/bin/python2.7"
-    easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
     cloud_provider: ec2
     ipv6_support: no
   with_items: "{{ ec2.tagged_instances }}"

roles/cloud-gce/tasks/main.yml

@@ -20,7 +20,6 @@
     groups: vpn-host
     ansible_ssh_user: ubuntu
     ansible_python_interpreter: "/usr/bin/python2.7"
-    easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
     cloud_provider: gce
     ipv6_support: no
 

roles/local/tasks/main.yml

@@ -4,7 +4,6 @@
     groups: vpn-host
     ansible_ssh_user: "{{ server_user }}"
     ansible_python_interpreter: "/usr/bin/python2.7"
-    easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
     cloud_provider: local
   when: server_ip != "localhost"
 
@@ -15,7 +14,6 @@
     ansible_ssh_user: "{{ server_user }}"
     ansible_python_interpreter: "/usr/bin/python2.7"
     ansible_connection: local
-    easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
     cloud_provider: local
   when: server_ip == "localhost"
 

roles/vpn/tasks/main.yml

@@ -1,6 +1,9 @@
 - name: Gather Facts
   setup:
 
+- set_fact:
+    easyrsa_p12_export_password: "{{ (ansible_date_time.iso8601_basic|sha1|to_uuid).split('-')[0] }}"
+
 - name: Install StrongSwan
   apt: name=strongswan state=latest update_cache=yes
 
@@ -134,11 +137,9 @@
 
 - name: Build the client's p12
   shell: >
-    openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }} &&
-    touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
+    openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:"{{ easyrsa_p12_export_password }}"
   args:
     chdir: '{{ easyrsa_dir }}/easyrsa3/'
-    creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
   with_items: "{{ users }}"
 
 - name: Copy the CA cert to the strongswan directory

users.yml

@@ -21,11 +21,6 @@
       default: "n"
       private: no
 
-    - name: "easyrsa_p12_export_password"
-      prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
-      default: "vpnpw"
-      private: yes
-
     - name: "IP_subject"
       prompt: "Enter public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n"
       private: no
@@ -37,7 +32,6 @@
         groupname: vpn-host
         ansible_ssh_user: "{{ server_user }}"
         ansible_python_interpreter: "/usr/bin/python2.7"
-        easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
         ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
         IP_subject: "{{ IP_subject }}"
 
@@ -67,6 +61,13 @@
     - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ], when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
 
   tasks:
+
+    - name: Gather Facts
+      setup:
+
+    - set_fact:
+        easyrsa_p12_export_password: "{{ (ansible_date_time.iso8601_basic|sha1|to_uuid).split('-')[0] }}"
+
     - name: Build the client's pair
       shell: >
         ./easyrsa build-client-full {{ item }} nopass &&
@@ -78,11 +79,9 @@
 
     - name: Build the client's p12
       shell: >
-        openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }} &&
-        touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
+        openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }}
       args:
         chdir: '{{ easyrsa_dir }}/easyrsa3/'
-        creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
       with_items: "{{ users }}"
 
     - name: Get active users
@@ -150,4 +149,9 @@
 
     - name: SSH | Fetch users SSH private keys
       fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
+      when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
       with_items: "{{ users }}"
+
+  post_tasks:
+    - debug: msg="{{ congrats.split('\n') }}"
+      tags: always