Majic Projects ~ [CLOSED] MAR-10 - Deploy TLS private keys and certificates to servers

Majic Projects

Majic Ansible Roles

Projects
Wiki
- Quick links
- Wiki
- Project wikis
- Conntrackt
- Django Pydenticon
- Gimmecert
- Majic Ansible Roles
- Pydenticon
- Scripts
- Global content

You are not logged in

Majic Ansible Roles / Closed Feature request MAR-10 Deploy TLS private keys and certificates to servers

Votes

This issue has been closed with status "Closed" and resolution "RESOLVED".

- No additional actions available

Issue basics

Type of issue

Feature request Unknown issue type
Issue label

No label set
Category

Not determined
Targetted for

1.0.0 Not determined
Status

Closed

Status not determined
Progress
Priority

Not determined

Affected by this issue (0)

There are no items

People involved

Posted by
branko (@branko)

Branko Majic
@branko

Last seen online at Apr 24, 2024 - 20:11

Show user details
Owned by

Not owned by anyone
Assigned to
branko (@branko)

Branko Majic
@branko

Last seen online at Apr 24, 2024 - 20:11

Show user details
Not assigned to anyone
Subscribers

0 subscriber(s)

Click here to show the list of subscribers

Times and dates

Posted at

Apr 10, 2015
Last updated

Jan 20, 2016
Estimated time

Not estimated
Time spent

1 day No time spent

Click here to see time logged against this issue

Issue details

Resolution

RESOLVED Not determined
Reproducability

Not determined
Severity

Not determined

Attachments (0)

There is nothing attached to this issue

Child issues (0)

This issue does not have any child issues

Duplicate issues (0)

This issue does not have any duplicates

Show / hide more details »

Description

Currently the private keys and certificates are assumed to be deployed to servers manually by the system administrator.

This means that the procedure for setting-up a site (let's say the sample testsite) is roughly:

# Bootstrap servers via bootstrap.yml.
# Set-up servers via site.yml.
# Deploy the necessary private keys/certificates.
# Re-run site.yml

This feels a bit awkward, and it might not even serve any good purpose. Instead of a set-up like this, it would be better to deploy both private keys and certificates via Ansible.

This makes Ansible a bit of a bigger target, but on the other hand the private keys normally need to be backed-up somewhere anyway, and the backup system is no smaller target. With some smart encryption the risk to files on Ansible host might be minimal.

In general, a single truststore for all roles should be enough. This means the truststore should be deployed as part of the common role. The remaining roles should simply point their own configurations etc to this truststore. Eventually the application should take care of copying the truststore to desired destination, if it needs it in chroot etc.

For private key/certificates, each application should take care of its own.

This way the optimal separation between roles should be achievable, with minimal duplication.

Current roles that would need to be updated (the list should be verified before starting work):

* LDAP Client
* LDAP Server
* Prosody
* Mail Server
* Mail Forwarder

Todos (0 / 0)

Options

Issue created

Welcome to The Bug Genie

Log in with your username and password