kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 28 Pull Requests 3 Projects 2 Activity

Remove the encryption keys after TLS cert renewal

Browse Source 
This is done with awk, this was the best way I found to perform the
multi-line deletion. It deletes both the AES AND 3DES sections

The keys will be recreated on service restart

https://access.redhat.com/documentation/en-us/red_hat_directory_server/9.0/html/administration_guide/ssl-and-attr-encryption

Closes #152
This commit is contained in:
Greg Karékinian 2020-04-20 19:11:34 +02:00
parent 5e3c8066f9
commit 1c920a8cb2
1 changed files with 17 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
site-cookbooks/kosmos-dirsrv/resources/instance.rb
View File

@ -101,21 +101,25 @@ nsslapd-allow-anonymous-access: off
include_recipe "kosmos-base::letsencrypt" include_recipe "kosmos-base::letsencrypt"
dirsrv_hook = <<-EOF dirsrv_hook = <<-EOF
#!/usr/bin/env bash #!/usr/bin/env bash
set -e set -e
# Copy the dirsrv certificate and restart the server if it has been renewed # Copy the dirsrv certificate and restart the server if it has been renewed
# This is necessary because dirsrv uses a different format for the certificates # This is necessary because dirsrv uses a different format for the certificates
for domain in $RENEWED_DOMAINS; do for domain in $RENEWED_DOMAINS; do
case $domain in case $domain in
#{new_resource.hostname}) #{new_resource.hostname})
openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass: openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W '' pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
systemctl restart #{service_name} # Remove the encryption key entries from the current database.
;; # They will be recreated on restart for the new certificate
esac awk '! /^dn: cn=3D|AES,cn=encrypted attribute keys,cn=userRoot/ {print; printf "\n" ; }' RS="" #{inst_dir}/dse.ldif > #{inst_dir}/dse_new.ldif
done mv #{inst_dir}/dse_new.ldif #{inst_dir}/dse.ldif
systemctl restart #{service_name}
;;
esac
done
EOF EOF
file "/etc/letsencrypt/renewal-hooks/deploy/dirsrv" do file "/etc/letsencrypt/renewal-hooks/deploy/dirsrv" do