From d01c9a4d0a0a4aa936842bde378bc8b19d6dc0b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Mon, 20 Apr 2020 19:09:43 +0200
Subject: [PATCH 1/3] Fix the name of the deploy certbot hook
---
 site-cookbooks/kosmos-dirsrv/resources/instance.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site-cookbooks/kosmos-dirsrv/resources/instance.rb b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
index c27e472..97cd492 100644
--- a/site-cookbooks/kosmos-dirsrv/resources/instance.rb
+++ b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
@@ -118,7 +118,7 @@ nsslapd-allow-anonymous-access: off
 done
 EOF
- file "/etc/letsencrypt/renewal-hooks/deploy/dirsrrv" do
+ file "/etc/letsencrypt/renewal-hooks/deploy/dirsrv" do
 content dirsrv_hook
 mode 0755
 owner "root"
From 5e3c8066f9672afaf6b4490803a7565a26888f8b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Mon, 20 Apr 2020 19:10:15 +0200
Subject: [PATCH 2/3] Add the missing certbot command to generate the LDAP TLS cert
This had been done manually on barnard. This will not be executed on barnard again since the cert exists
---
 site-cookbooks/kosmos-dirsrv/resources/instance.rb | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/site-cookbooks/kosmos-dirsrv/resources/instance.rb b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
index 97cd492..0ef689b 100644
--- a/site-cookbooks/kosmos-dirsrv/resources/instance.rb
+++ b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
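Review bot: Correcting the managed path leaves the misspelled `/etc/letsencrypt/renewal-hooks/deploy/dirsrrv` behind on nodes that already converged, and certbot executes every file in that deploy directory, so the stale copy of the hook would keep running next to the renamed one on each renewal. A cleanup resource alongside the renamed one fixes that: `file "/etc/letsencrypt/renewal-hooks/deploy/dirsrrv" do action :delete end`. The `file` resource being renamed continues past the end of the hunk.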
@@ -129,9 +129,21 @@ nsslapd-allow-anonymous-access: off
 source 'nginx_conf_empty.erb'
 owner node["nginx"]["user"]
 mode 0640
+ notifies :reload, 'service[nginx]', :delayed
 end
 nginx_certbot_site new_resource.hostname do
+ notifies :run, "letsencrypt cert for #{domain}", :delayed
+ end
+
+ # Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
+ # has been generated before. The renew cron will take care of renewing
+ execute "letsencrypt cert for #{domain}" do
+ command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{domain} -n"
+ only_if do
+ ::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{domain}_certbot") &&
+ !::File.exist?("/etc/letsencrypt/live/#{domain}/fullchain.pem")
+ end
 notifies :run, "execute[add tls config]", :immediately
 end
From 1c920a8cb2731f7a0fd335f0ae276ba3179fa50b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Mon, 20 Apr 2020 19:11:34 +0200
Subject: [PATCH 3/3] Remove the encryption keys after TLS cert renewal
This is done with awk, this was the best way I found to perform the multi-line deletion. It deletes both the AES AND 3DES sections The keys will be recreated on service restart https://access.redhat.com/documentation/en-us/red_hat_directory_server/9.0/html/administration_guide/ssl-and-attr-encryption Closes #152
---
 .../kosmos-dirsrv/resources/instance.rb | 30 +++++++++++--------
 1 file changed, 17 insertions(+), 13 deletions(-)
diff --git a/site-cookbooks/kosmos-dirsrv/resources/instance.rb b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
index 0ef689b..de6b6fd 100644
--- a/site-cookbooks/kosmos-dirsrv/resources/instance.rb
+++ b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
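Review bot: The new notification inside `nginx_certbot_site` names the target without its resource type, so `notifies :run, "letsencrypt cert for #{domain}", :delayed` will not resolve the way the existing `"execute[add tls config]"` reference does; it should read `notifies :run, "execute[letsencrypt cert for #{domain}]", :delayed`. Passing `--deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv` on the `certonly` line also stores that hook in the certificate's renewal config, and certbot already runs every script in that deploy directory, so as I read certbot's hook handling the dirsrv hook would fire twice per renewal and restart the directory server twice — dropping the `--deploy-hook` flag avoids the duplicate. `root_directory` and `domain` are interpolated unquoted into a shell string; both appear to come from the resource itself (`domain` is presumably assigned earlier in the action, outside the hunk), so this is a style point rather than an injection risk, but the array form of `command` would sidestep the shell entirely. The action block these resources live in starts before the hunk.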
@@ -101,21 +101,25 @@ nsslapd-allow-anonymous-access: off
 include_recipe "kosmos-base::letsencrypt"
 dirsrv_hook = <<-EOF
- #!/usr/bin/env bash
+#!/usr/bin/env bash
- set -e
+set -e
- # Copy the dirsrv certificate and restart the server if it has been renewed
- # This is necessary because dirsrv uses a different format for the certificates
- for domain in $RENEWED_DOMAINS; do
- case $domain in
- #{new_resource.hostname})
- openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
- pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
- systemctl restart #{service_name}
- ;;
- esac
- done
+# Copy the dirsrv certificate and restart the server if it has been renewed
+# This is necessary because dirsrv uses a different format for the certificates
+for domain in $RENEWED_DOMAINS; do
+ case $domain in
+ #{new_resource.hostname})
+ openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
+ pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
+ # Remove the encryption key entries from the current database.
+ # They will be recreated on restart for the new certificate
+ awk '! /^dn: cn=3D|AES,cn=encrypted attribute keys,cn=userRoot/ {print; printf "\n" ; }' RS="" #{inst_dir}/dse.ldif > #{inst_dir}/dse_new.ldif
+ mv #{inst_dir}/dse_new.ldif #{inst_dir}/dse.ldif
+ systemctl restart #{service_name}
+ ;;
+ esac
+done
 EOF
 file "/etc/letsencrypt/renewal-hooks/deploy/dirsrv" do
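Review bot: The `awk` rewrite of `dse.ldif` runs while ns-slapd is still up and only then does `systemctl restart` follow; if the server flushes its in-memory configuration back to `dse.ldif` on shutdown (the Red Hat procedure linked in the commit message stops the server before editing that file), the restart would write the old key entries straight back and the deletion would have no effect. Stopping first and starting after avoids that: `systemctl stop #{service_name}` before the `awk`, and `systemctl start #{service_name}` in place of the `restart`. The `mv` also installs a file created by the root-run hook under the hook's umask, so the instance's `dse.ldif` may end up root-owned and no longer writable by the server's own user; a `chown --reference=#{inst_dir}/dse.ldif #{inst_dir}/dse_new.ldif` before the `mv` preserves the original ownership. In `/^dn: cn=3D|AES,cn=encrypted attribute keys,cn=userRoot/` the alternation applies to the whole pattern, so it reads as "record starts with `dn: cn=3D`" or "record contains `AES,cn=encrypted attribute keys,cn=userRoot`" — `/^dn: cn=(3DES|AES),cn=encrypted attribute keys,cn=userRoot/` states the intent and is less likely to match an unrelated entry. The action block holding this heredoc starts before the hunk.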