Remove the encryption keys after TLS cert renewal

This is done with awk, this was the best way I found to perform the multi-line deletion. It deletes both the AES AND 3DES sections The keys will be recreated on service restart https://access.redhat.com/documentation/en-us/red_hat_directory_server/9.0/html/administration_guide/ssl-and-attr-encryption Closes #152
2020-04-20 19:11:34 +02:00 · 2020-04-20 19:11:34 +02:00 · 1c920a8cb2
commit 1c920a8cb2
parent 5e3c8066f9
1 changed files with 17 additions and 13 deletions
--- a/site-cookbooks/kosmos-dirsrv/resources/instance.rb
+++ b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
@ -112,6 +112,10 @@ nsslapd-allow-anonymous-access: off
  #{new_resource.hostname})
    openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
    pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
+    # Remove the encryption key entries from the current database.
+    # They will be recreated on restart for the new certificate
+    awk '! /^dn: cn=3D|AES,cn=encrypted attribute keys,cn=userRoot/ {print; printf "\n" ; }' RS="" #{inst_dir}/dse.ldif > #{inst_dir}/dse_new.ldif
+    mv #{inst_dir}/dse_new.ldif #{inst_dir}/dse.ldif
    systemctl restart #{service_name}
    ;;
  esac