diff --git a/.fixtures.yml b/.fixtures.yml
index 751824f..e01d66e 100644
--- a/.fixtures.yml
+++ b/.fixtures.yml
@@ -6,6 +6,7 @@ fixtures:
 "concat": "git://github.com/puppetlabs/puppetlabs-concat.git"
 "facts": "https://github.com/puppetlabs/puppetlabs-facts.git"
 "inifile": "git://github.com/puppetlabs/puppetlabs-inifile.git"
+ "openssl": "https://github.com/camptocamp/puppet-openssl.git"
 "provision": "https://github.com/puppetlabs/provision.git"
 "puppet_agent": "https://github.com/puppetlabs/puppetlabs-puppet_agent.git"
 "stdlib": "git://github.com/puppetlabs/puppetlabs-stdlib.git"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8540d25..93f00df 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,8 +5,20 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 ## [Unreleased]
+This release fixes a major bug when using self-signed certificates. In previous
+releases the internal CA certificate was created without the required
+extensions. As a result, using LDAPS could lead to various SSL errors. Note
+that only *new* CA certificates will benefit from this bugfix. The README
+contains instructions to purge the existing SSL certificates.
+
+### Added
+* Add new dependency: camptocamp/openssl
+
+### Changed
+* Use camptocamp/openssl to generate CA certificates
 ### Fixed
+* Fix broken CA certificates by including the required CA extensions
 * Fix missing newline in cert bundle
 ## [2.1.0] - 2020-11-07
diff --git a/README.md b/README.md
index 0dc1f1a..820c5a4 100644
--- a/README.md
+++ b/README.md
@@ -24,6 +24,7 @@
 - [Modifying existing LDIF data](#modifying-existing-ldif-data)
 - [Adding new LDIF data](#adding-new-ldif-data)
 - [Adding baseline LDIF data](#adding-baseline-ldif-data)
+ - [Recreate SSL certs](#recreate-ssl-certs)
 1. [Reference](#reference)
 1. [Limitations](#limitations)
 - [Supported versions](#supported-versions)
@@ -358,6 +359,48 @@ ds_389::instance { 'example':
 Note that while you can declare these via the `ds_389::add` define, puppet's resource load ordering may potentially result in it attempting to add the ldif before a configuration change that it requires.
+### Recreate SSL certs
+
+Currently some manual steps are required to regenerate the SSL certificates. A new Bolt task would be nice, PRs welcome. :)
+
+As always, create a backup before attempting this procedure.
+
+Run the following shell commands as root to remove the existing certificates:
+
+```shell
+export LDAP_INSTANCE="my-instance-name"
+
+test -d /etc/dirsrv/slapd-${LDAP_INSTANCE} || exit 1
+
+systemctl stop dirsrv@${LDAP_INSTANCE}
+
+dd if=/dev/random count=1024 | sha256sum | awk '{print $1}' > /tmp/noisefile-${LDAP_INSTANCE}
+cut -d: -f2 /etc/dirsrv/slapd-${LDAP_INSTANCE}/pin.txt > /tmp/passfile-${LDAP_INSTANCE}
+
+rm -f /etc/dirsrv/slapd-${LDAP_INSTANCE}/${LDAP_INSTANCE}CA.cnf \
+ /etc/dirsrv/slapd-${LDAP_INSTANCE}/${LDAP_INSTANCE}CA-Key.pem \
+ /etc/dirsrv/slapd-${LDAP_INSTANCE}/${LDAP_INSTANCE}CA.p12 \
+ /etc/dirsrv/slapd-${LDAP_INSTANCE}/${LDAP_INSTANCE}CA.pem \
+ /etc/dirsrv/slapd-${LDAP_INSTANCE}/${LDAP_INSTANCE}Cert-Key.pem \
+ /etc/dirsrv/slapd-${LDAP_INSTANCE}/${LDAP_INSTANCE}Cert.pem \
+ /etc/dirsrv/slapd-${LDAP_INSTANCE}/ssl_config.done \
+ /etc/dirsrv/slapd-${LDAP_INSTANCE}/ssl.done \
+ /etc/dirsrv/slapd-${LDAP_INSTANCE}/ssl_enable.done \
+ /etc/dirsrv/slapd-${LDAP_INSTANCE}/ssl.ldif
+
+certutil -D -n "${LDAP_INSTANCE}Cert" -d /etc/dirsrv/slapd-${LDAP_INSTANCE}
+certutil -D -n "${LDAP_INSTANCE}CA" -d /etc/dirsrv/slapd-${LDAP_INSTANCE}
+```
+
+Next edit `/etc/dirsrv/slapd-${LDAP_INSTANCE}/dse.ldif` and remove the following entries including their attributes:
+
+```
+ cn=AES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config
+ cn=3DES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config
+```
+
+Afterwards run Puppet to regenerate 
both the CA and the server certificates.
+
 ## Reference
 Classes and parameters are documented in [REFERENCE.md](REFERENCE.md).
diff --git a/manifests/instance.pp b/manifests/instance.pp
index e103b1b..f51c87f 100644
--- a/manifests/instance.pp
+++ b/manifests/instance.pp
@@ -242,6 +242,14 @@
 $sans = undef
 }
+ # Certificate attributes and filenames.
+ $ca_key = "${instance_path}/${server_id}CA-Key.pem"
+ $ca_conf = "${instance_path}/${server_id}CA.cnf"
+ $ca_cert = "${instance_path}/${server_id}CA.pem"
+ $ca_p12 = "${instance_path}/${server_id}CA.p12"
+ $ca_nickname = "${server_id}CA"
+ $ssl_cert_name = "${server_id}Cert"
+
 # Create noise file.
 $temp_noise_file = "/tmp/noisefile-${server_id}"
 $temp_pass_file = "/tmp/passfile-${server_id}"
@@ -254,7 +262,7 @@
 notify => Exec["Generate password file: ${server_id}"],
 }
- # Create pwd file.
+ # Create password file.
 exec { "Generate password file: ${server_id}":
 command => "echo ${root_dn_pass} > ${temp_pass_file}",
 path => $ds_389::path,
@@ -262,28 +270,72 @@
 notify => Exec["Create cert DB: ${server_id}"],
 }
- # Create cert db.
- exec { "Create cert DB: ${server_id}":
+ # Create nss db.
+ -> exec { "Create cert DB: ${server_id}":
 command => "certutil -N -d ${instance_path} -f ${temp_pass_file}",
 path => $ds_389::path,
 refreshonly => true,
- notify => Exec["Generate key pair: ${server_id}"],
+ notify => Ssl_pkey["Generate CA private key: ${server_id}"],
+ }
+
+ # Generate the private key for the CA.
+ -> ssl_pkey { "Generate CA private key: ${server_id}":
+ ensure => 'present',
+ name => $ca_key,
+ size => 4096,
+ }
+
+ # Fix permissions of CA private key.
+ -> file { "Fix permissions of CA private key: ${server_id}":
+ ensure => 'present',
+ name => $ca_key,
+ mode => '0640',
+ owner => $user,
+ group => $group,
+ }
+
+ # Create the OpenSSL config template for the CA cert.
+ -> file { "Create CA config: ${server_id}":
+ ensure => 'present',
+ name => $ca_conf,
+ content => epp('ds_389/openssl_ca.cnf.epp',{
+ dc => $facts['networking']['fqdn'],
+ cn => $ca_nickname,
+ }),
 }
- # Generate key pair.
- exec { "Generate key pair: ${server_id}":
- command => "certutil -G -d ${instance_path} -g 4096 -z ${temp_noise_file} -f ${temp_pass_file}",
+ # Create the CA certificate.
+ -> x509_cert { "Create CA cert: ${server_id}":
+ ensure => 'present',
+ name => $ca_cert,
+ template => $ca_conf,
+ private_key => $ca_key,
+ days => 3650,
+ req_ext => false,
+ }
+
+ # Export CA cert to pkcs12, which is required for import into nss db.
+ # TODO: openssl::export::pkcs12 cannot be used, because it does not support
+ # a password file (yet).
+ -> exec { "Prepare CA cert for import (pkcs12): ${server_id}":
+ cwd => $instance_path,
+ command => "openssl pkcs12 -export -in ${ca_cert} -inkey ${ca_key} -out ${ca_p12} -password file:${temp_pass_file}",
 path => $ds_389::path,
 refreshonly => true,
- notify => Exec["Make ca cert and add to database: ${server_id}"],
+ subscribe => [
+ X509_cert["Create CA cert: ${server_id}"],
+ ],
 }
- # Make certs and add to database.
- exec { "Make ca cert and add to database: ${server_id}":
+ # Import CA cert+key into nss db.
+ -> exec { "Import CA cert: ${server_id}":
 cwd => $instance_path,
- command => "certutil -S -n \"${server_id}CA\" -s \"cn=${server_id}CA,dc=${server_host}\" -x -t \"CT,,\" -v 120 -d ${instance_path} -k rsa -z ${temp_noise_file} -f ${temp_pass_file} ; sleep 2", # lint:ignore:140chars
+ command => "pk12util -i ${ca_p12} -d sql:${instance_path} -k ${temp_pass_file} -w ${temp_pass_file}",
 path => $ds_389::path,
 refreshonly => true,
+ subscribe => [
+ X509_cert["Create CA cert: ${server_id}"],
+ ],
 notify => [
 Exec["Make server cert and add to database: ${server_id}"],
 Exec["Clean up temp files: ${server_id}"],
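Review bot: The PKCS#12 bundle written by `Prepare CA cert for import (pkcs12)` contains the CA private key and is left in `$instance_path` after `pk12util` has consumed it, with whatever mode openssl's default output handling produced, while the key file itself is explicitly forced to `0640`. Since the bundle is needed only for the import, the smallest fix is to add it to the `Clean up temp files` exec in this file's last hunk, `command => "rm -f ${temp_noise_file} ${temp_pass_file} ${ca_p12}",`; alternatively manage it with a `file` resource at `0600`. Separately, `pk12util` is pointed at `sql:${instance_path}` whereas `certutil -N` a few lines above creates the database with a bare `-d ${instance_path}`; on NSS builds whose default is still the legacy dbm format those would be two different databases, so I would use the same prefix (or none) on both. The bundle and the NSS database are protected only by `${temp_pass_file}`, which the enclosing define writes with `echo ${root_dn_pass} >` into `/tmp` — pre-existing, but this hunk adds two more consumers of it. The define `ds_389::instance` starts and ends outside this hunk.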
@@ -291,18 +343,48 @@
 ],
 }
- exec { "Add trust for CA: ${server_id}":
- command => "certutil -M -n \"${server_id}CA\" -t CT,, -d ${instance_path}",
+ # Change nickname to make it clear that this is the CA cert.
+ -> exec { "Fix name of imported CA: ${server_id}":
+ cwd => $instance_path,
+ command => "certutil --rename -n \"${ca_nickname} - ${facts['networking']['fqdn']}\" --new-n \"${ca_nickname}\" -d sql:${instance_path}", # lint:ignore:140chars
+ path => $ds_389::path,
+ refreshonly => true,
+ subscribe => [
+ X509_cert["Create CA cert: ${server_id}"],
+ ],
+ }
+
+ # Configure trust attributes.
+ -> exec { "Add trust for CA: ${server_id}":
+ command => "certutil -M -n \"${ca_nickname}\" -t CT,C,C -d ${instance_path} -f ${temp_pass_file}",
+ path => $ds_389::path,
+ unless => "certutil -L -d ${instance_path} | grep \"${ca_nickname}\" | grep \"CTu,Cu,Cu\"",
+ subscribe => [
+ X509_cert["Create CA cert: ${server_id}"],
+ ],
+ notify => Exec["Export CA cert: ${server_id}"],
+ }
+
+ # Export ca cert.
+ -> exec { "Export CA cert: ${server_id}":
+ cwd => $instance_path,
+ command => "certutil -d ${instance_path} -L -n \"${ca_nickname}\" -a > ${ca_cert}",
 path => $ds_389::path,
- unless => "certutil -L -d ${instance_path} | grep \"${server_id}CA\" | grep \"CT\"",
- notify => Exec["Export CA cert: ${server_id}"],
+ creates => $ca_cert,
 }
- # Make server cert and add to database.
- $ssl_cert_name = "${server_id}Cert"
+ # Copy ca cert to openldap.
+ -> file { "${ds_389::cacerts_path}/${server_id}CA.pem":
+ ensure => file,
+ source => $ca_cert,
+ require => Exec["Export CA cert: ${server_id}"],
+ notify => Exec["Rehash cacertdir: ${server_id}"],
+ }
+
+ # Create server cert and add to database.
 exec { "Make server cert and add to database: ${server_id}":
 cwd => $instance_path,
- command => "certutil -S -n \"${ssl_cert_name}\" -m 101 -s \"cn=${server_host}\" -c \"${server_id}CA\" -t \"u,u,u\" -v 120 -d ${instance_path} -k rsa -z ${temp_noise_file} -f ${temp_pass_file} ${sans} ; sleep 2", # lint:ignore:140chars
+ command => "certutil -S -n \"${ssl_cert_name}\" -m 101 -s \"cn=${server_host}\" -c \"${ca_nickname}\" -t \"u,u,u\" -v 120 -d ${instance_path} -k rsa -z ${temp_noise_file} -f ${temp_pass_file} ${sans} && sleep 2", # lint:ignore:140chars
 path => $ds_389::path,
 refreshonly => true,
 notify => [
@@ -312,7 +394,8 @@
 ],
 }
- exec { "Add trust for server cert: ${server_id}":
+ # Configure trust attributes.
+ -> exec { "Add trust for server cert: ${server_id}":
 command => "certutil -M -n \"${ssl_cert_name}\" -t u,u,u -d ${instance_path}",
 path => $ds_389::path,
 unless => "certutil -L -d ${instance_path} | grep \"${ssl_cert_name}\" | grep \"u,u,u\"",
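Review bot: `Export CA cert` can no longer run: its `creates => $ca_cert` names the very file that `x509_cert { "Create CA cert" }` in the previous hunk has already written, so the `notify` from `Add trust for CA` is a no-op and the copy into `${ds_389::cacerts_path}` simply ships the OpenSSL-generated PEM. That happens to be the same certificate, so nothing breaks today, but the exec is dead code and its `require` edge is misleading; I would drop the exec together with the `notify => Exec["Export CA cert: ${server_id}"],` line and point the copy at the real producer, `require => X509_cert["Create CA cert: ${server_id}"],` (the `Export CA cert` expectations in `spec/classes/ds389_spec.rb` and `spec/defines/instance_spec.rb` would go with it). On the trust flags, `-t CT,C,C` now also marks the CA as trusted for e-mail and object signing; since this CA only ever issues the LDAPS server certificate, `-t CT,,` with the `unless` pattern adjusted to what `certutil -L` prints for that setting keeps the trust scoped to SSL, unless 389-ds needs the extra bits, which I cannot tell from here. The enclosing define starts and ends outside this hunk.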
@@ -320,30 +403,14 @@
 }
 # Set perms on database directory.
- exec { "Set permissions on database directory: ${server_id}":
+ -> exec { "Set permissions on database directory: ${server_id}":
 command => "chown ${user}:${group} ${instance_path}",
 path => $ds_389::path,
 refreshonly => true,
 }
- # Export ca cert.
- exec { "Export CA cert: ${server_id}":
- cwd => $instance_path,
- command => "certutil -d ${instance_path} -L -n \"${server_id}CA\" -a > ${server_id}CA.pem",
- path => $ds_389::path,
- creates => "${instance_path}/${server_id}CA.pem",
- }
-
- # Copy ca cert to openldap.
- file { "${ds_389::cacerts_path}/${server_id}CA.pem":
- ensure => file,
- source => "${instance_path}/${server_id}CA.pem",
- require => Exec["Export CA cert: ${server_id}"],
- notify => Exec["Rehash cacertdir: ${server_id}"],
- }
-
- # Remove temp files (pwd and noise).
- exec { "Clean up temp files: ${server_id}":
+ # Remove temp files (passwd and noise).
+ -> exec { "Clean up temp files: ${server_id}":
 command => "rm -f ${temp_noise_file} ${temp_pass_file}",
 path => $ds_389::path,
 refreshonly => true,
diff --git a/metadata.json b/metadata.json
index d92d48a..507d128 100644
--- a/metadata.json
+++ b/metadata.json
@@ -16,6 +16,10 @@
 "name": "puppetlabs-inifile",
 "version_requirement": ">=3.0.0 <5.0.0"
 },
+ {
+ "name": "camptocamp-openssl",
+ "version_requirement": ">=1.14.0 <2.0.0"
+ },
 {
 "name": "puppetlabs-stdlib",
 "version_requirement": ">=4.25.0 <7.0.0"
diff --git a/spec/classes/ds389_spec.rb b/spec/classes/ds389_spec.rb
index 2972de3..0428884 100644
--- a/spec/classes/ds389_spec.rb
+++ b/spec/classes/ds389_spec.rb
@@ -1,9 +1,33 @@
 require 'spec_helper'
 describe 'ds_389' do
+ # content blocks
+ let(:openssl_ca_cnf) do
+ '[ req ]
+default_bits = 4096
+default_md = sha256
+distinguished_name = req_distinguished_name
+prompt = no
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+DC = foo.example.com
+CN = fooCA
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:true
+'
+ end
+
 on_supported_os(facterversion: '2.4').each do |os, os_facts|
 context "on #{os}" do
- let(:facts) { os_facts }
+ let(:facts) do
+ os_facts.merge(
+ networking: { fqdn: 'foo.example.com' },
+ )
+ end
 context 'without any parameters' do
 it { is_expected.to compile }
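Review bot: `openssl_ca_cnf` duplicates `templates/openssl_ca.cnf.epp` byte for byte, so every future edit to the template (adding an extension, say) must be mirrored here or the `Create CA config: foo` expectation in the next hunk fails for a reason unrelated to the manifest. Asserting on the values the manifest actually controls would be more robust and still catch a broken render, e.g. `is_expected.to contain_file('Create CA config: foo').with_content(%r{^DC = foo\.example\.com$})` plus the same for `^CN = fooCA$` and `^basicConstraints = CA:true$`. The `let` sits inside `describe 'ds_389'`, which continues past the end of this hunk.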
@@ -210,18 +234,30 @@
 it { is_expected.to contain_ds_389__instance('foo') }
 it { is_expected.to contain_ds_389__service('foo') }
 it { is_expected.to contain_ds_389__ssl('foo') }
- it { is_expected.to contain_exec('Add trust for CA: foo') }
- it { is_expected.to contain_exec('Add trust for server cert: foo') }
 it { is_expected.to contain_exec('Clean up temp files: foo') }
 it { is_expected.to contain_exec('Create cert DB: foo') }
 it { is_expected.to contain_exec('Export CA cert: foo') }
 it { is_expected.to contain_exec('Export server cert: foo') }
- it { is_expected.to contain_exec('Generate key pair: foo') }
+ it { is_expected.to contain_ssl_pkey('Generate CA private key: foo') }
 it { is_expected.to contain_exec('Generate noise file: foo') }
 it { is_expected.to contain_exec('Generate password file: foo') }
 it { is_expected.to contain_exec('Import ssl ldif: foo') }
- it { is_expected.to contain_exec('Make ca cert and add to database: foo') }
+
+ it {
+ is_expected.to contain_file('Create CA config: foo').with(
+ ensure: 'present',
+ content: openssl_ca_cnf,
+ )
+ }
+ it { is_expected.to contain_x509_cert('Create CA cert: foo') }
+ it { is_expected.to contain_exec('Prepare CA cert for import (pkcs12): foo') }
+ it { is_expected.to contain_exec('Import CA cert: foo') }
+ it { is_expected.to contain_exec('Fix name of imported CA: foo') }
+ it { is_expected.to contain_exec('Add trust for CA: foo') }
+ it { is_expected.to contain_exec('Make server cert and add to database: foo') }
+ it { is_expected.to contain_exec('Add trust for server cert: foo') }
+ it { is_expected.to contain_exec('Rehash cacertdir: foo') }
 it { is_expected.to contain_exec('Restart foo to enable SSL') }
 it { is_expected.to contain_exec('Set permissions on database directory: foo') }
diff --git a/spec/defines/instance_spec.rb b/spec/defines/instance_spec.rb
index 2df96c2..18fcbf7 100644
--- a/spec/defines/instance_spec.rb
+++ b/spec/defines/instance_spec.rb
@@ -168,44 +168,34 @@
 command: 'certutil -N -d /etc/dirsrv/slapd-specdirectory -f /tmp/passfile-specdirectory',
 path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin',
 refreshonly: true,
- ).that_notifies('Exec[Generate key pair: specdirectory]')
+ ).that_notifies('Ssl_pkey[Generate CA private key: specdirectory]')
 }
 it {
- is_expected.to contain_exec('Generate key pair: specdirectory').with(
- command: 'certutil -G -d /etc/dirsrv/slapd-specdirectory -g 4096 -z /tmp/noisefile-specdirectory -f /tmp/passfile-specdirectory',
- path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin',
- refreshonly: true,
- ).that_notifies('Exec[Make ca cert and add to database: specdirectory]')
+ is_expected.to contain_ssl_pkey('Generate CA private key: specdirectory').with(
+ size: 4096,
+ )
 }
 it {
- is_expected.to contain_exec('Make ca cert and add to database: specdirectory').with(
- cwd: '/etc/dirsrv/slapd-specdirectory',
- command: 'certutil -S -n "specdirectoryCA" -s "cn=specdirectoryCA,dc=foo.example.com" -x -t "CT,," -v 120 -d /etc/dirsrv/slapd-specdirectory -k rsa -z /tmp/noisefile-specdirectory -f /tmp/passfile-specdirectory ; sleep 2', # rubocop:disable LineLength
- path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin',
- refreshonly: true,
- ).that_notifies(
- [
- 'Exec[Make server cert and add to database: specdirectory]',
- 'Exec[Clean up temp files: specdirectory]',
- 'Exec[Add trust for CA: specdirectory]',
- ],
+ is_expected.to contain_x509_cert('Create CA cert: specdirectory').with(
+ days: 3650,
+ req_ext: false,
 )
 }
 it {
 is_expected.to contain_exec('Add trust for CA: specdirectory').with(
- command: 'certutil -M -n "specdirectoryCA" -t CT,, -d /etc/dirsrv/slapd-specdirectory',
+ command: 'certutil -M -n "specdirectoryCA" -t CT,C,C -d /etc/dirsrv/slapd-specdirectory -f /tmp/passfile-specdirectory',
 path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin',
- unless: 'certutil -L -d /etc/dirsrv/slapd-specdirectory | 
grep "specdirectoryCA" | grep "CT"',
+ unless: 'certutil -L -d /etc/dirsrv/slapd-specdirectory | grep "specdirectoryCA" | grep "CTu,Cu,Cu"',
 ).that_notifies('Exec[Export CA cert: specdirectory]')
 }
 it {
 is_expected.to contain_exec('Make server cert and add to database: specdirectory').with(
 cwd: '/etc/dirsrv/slapd-specdirectory',
- command: 'certutil -S -n "specdirectoryCert" -m 101 -s "cn=foo.example.com" -c "specdirectoryCA" -t "u,u,u" -v 120 -d /etc/dirsrv/slapd-specdirectory -k rsa -z /tmp/noisefile-specdirectory -f /tmp/passfile-specdirectory ; sleep 2', # rubocop:disable LineLength
+ command: 'certutil -S -n "specdirectoryCert" -m 101 -s "cn=foo.example.com" -c "specdirectoryCA" -t "u,u,u" -v 120 -d /etc/dirsrv/slapd-specdirectory -k rsa -z /tmp/noisefile-specdirectory -f /tmp/passfile-specdirectory && sleep 2', # rubocop:disable LineLength
 path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin',
 refreshonly: true,
 ).that_notifies(
@@ -235,7 +225,7 @@
 it {
 is_expected.to contain_exec('Export CA cert: specdirectory').with(
 cwd: '/etc/dirsrv/slapd-specdirectory',
- command: 'certutil -d /etc/dirsrv/slapd-specdirectory -L -n "specdirectoryCA" -a > specdirectoryCA.pem',
+ command: 'certutil -d /etc/dirsrv/slapd-specdirectory -L -n "specdirectoryCA" -a > /etc/dirsrv/slapd-specdirectory/specdirectoryCA.pem',
 path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin',
 creates: '/etc/dirsrv/slapd-specdirectory/specdirectoryCA.pem',
 )
@@ -867,44 +857,34 @@
 command: 'certutil -N -d /etc/dirsrv/slapd-ldap01 -f /tmp/passfile-ldap01',
 path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin',
 refreshonly: true,
- ).that_notifies('Exec[Generate key pair: ldap01]')
+ ).that_notifies('Ssl_pkey[Generate CA private key: ldap01]')
 }
 it {
- is_expected.to contain_exec('Generate key pair: ldap01').with(
- command: 'certutil -G -d /etc/dirsrv/slapd-ldap01 -g 4096 -z /tmp/noisefile-ldap01 -f /tmp/passfile-ldap01',
- path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin',
- refreshonly: true,
- ).that_notifies('Exec[Make ca cert and add to database: ldap01]')
+ is_expected.to contain_ssl_pkey('Generate CA private key: ldap01').with(
+ size: 4096,
+ )
 }
 it {
- is_expected.to contain_exec('Make ca cert and add to database: ldap01').with(
- cwd: '/etc/dirsrv/slapd-ldap01',
- command: 'certutil -S -n "ldap01CA" -s "cn=ldap01CA,dc=ldap.test.org" -x -t "CT,," -v 120 -d /etc/dirsrv/slapd-ldap01 -k rsa -z /tmp/noisefile-ldap01 -f /tmp/passfile-ldap01 ; sleep 2',
- path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin',
- refreshonly: true,
- ).that_notifies(
- [
- 'Exec[Make server cert and add to database: ldap01]',
- 'Exec[Clean up temp files: ldap01]',
- 'Exec[Add trust for CA: ldap01]',
- ],
+ is_expected.to contain_x509_cert('Create CA cert: ldap01').with(
+ days: 3650,
+ req_ext: false,
 )
 }
 it {
 is_expected.to contain_exec('Add trust for CA: ldap01').with(
- command: 'certutil -M -n "ldap01CA" -t CT,, -d /etc/dirsrv/slapd-ldap01',
+ command: 'certutil -M -n "ldap01CA" -t CT,C,C -d /etc/dirsrv/slapd-ldap01 -f /tmp/passfile-ldap01',
 path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin',
- unless: 'certutil -L -d /etc/dirsrv/slapd-ldap01 | grep "ldap01CA" | grep "CT"',
+ unless: 'certutil -L -d /etc/dirsrv/slapd-ldap01 | grep "ldap01CA" | grep "CTu,Cu,Cu"',
 ).that_notifies('Exec[Export CA cert: ldap01]')
 }
 it {
 is_expected.to contain_exec('Make server cert and 
add to database: ldap01').with(
 cwd: '/etc/dirsrv/slapd-ldap01',
- command: 'certutil -S -n "ldap01Cert" -m 101 -s "cn=ldap.test.org" -c "ldap01CA" -t "u,u,u" -v 120 -d /etc/dirsrv/slapd-ldap01 -k rsa -z /tmp/noisefile-ldap01 -f /tmp/passfile-ldap01 -8 ldap01.test.org,ldap02.test.org ; sleep 2', # rubocop:disable LineLength
+ command: 'certutil -S -n "ldap01Cert" -m 101 -s "cn=ldap.test.org" -c "ldap01CA" -t "u,u,u" -v 120 -d /etc/dirsrv/slapd-ldap01 -k rsa -z /tmp/noisefile-ldap01 -f /tmp/passfile-ldap01 -8 ldap01.test.org,ldap02.test.org && sleep 2', # rubocop:disable LineLength
 path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin',
 refreshonly: true,
 ).that_notifies(
@@ -934,7 +914,7 @@
 it {
 is_expected.to contain_exec('Export CA cert: ldap01').with(
 cwd: '/etc/dirsrv/slapd-ldap01',
- command: 'certutil -d /etc/dirsrv/slapd-ldap01 -L -n "ldap01CA" -a > ldap01CA.pem',
+ command: 'certutil -d /etc/dirsrv/slapd-ldap01 -L -n "ldap01CA" -a > /etc/dirsrv/slapd-ldap01/ldap01CA.pem',
 path: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin',
 creates: '/etc/dirsrv/slapd-ldap01/ldap01CA.pem',
 )
diff --git a/templates/openssl_ca.cnf.epp b/templates/openssl_ca.cnf.epp
new file mode 100644
index 0000000..1a6734f
--- /dev/null
+++ b/templates/openssl_ca.cnf.epp
@@ -0,0 +1,15 @@
+[ req ]
+default_bits = 4096
+default_md = sha256
+distinguished_name = req_distinguished_name
+prompt = no
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+DC = <%= $dc %>
+CN = <%= $cn %>
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:true
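Review bot: The `v3_ca` section leaves `basicConstraints` non-critical and carries no `keyUsage`, whereas RFC 5280 requires `basicConstraints` to be marked critical on CA certificates and requires CA certificates whose key signs other certificates to carry a `keyUsage` extension asserting `keyCertSign`; lenient validators accept the current form, stricter ones (and policy-checking clients) may not, which is the same class of LDAPS failure this commit sets out to fix. I would change the last line to `basicConstraints = critical, CA:true, pathlen:0` and add `keyUsage = critical, keyCertSign, cRLSign`; `pathlen:0` fits because this CA only issues the end-entity server certificate. Any edit here must be mirrored in the `openssl_ca_cnf` literal in `spec/classes/ds389_spec.rb`, which currently repeats the template verbatim.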