What to do with ./secrets/ after generation? #6

leoj3n opened this issue May 30, 2019 · 1 comment

leoj3n commented May 30, 2019

The setup.sh script creates a fresh ./secrets/ directory in the root of the repository.

Someone familiar with cryptography probably knows the importance of every file in there, but it's not clear to me which files are necessary for getting back into consul/vault, if any, and how those files should be backed up securely if so.

I guess I'm looking for this information personally, but it might also be helpful added to the README.

Here is the output of all the files in ./secrets/ after running the setup.sh demo:

$ tree secrets
secrets
├── CA
│   ├── ca_cert.pem
│   ├── ca_cert.srl
│   └── ca_key.pem
├── consul-vault.cert.pem
├── consul-vault.csr.pem
├── consul-vault.key.pem
├── example.asc
├── example.asc.key
├── gossip.key
├── openssl-ext.cnf
├── openssl.cnf
└── vault.keys

1 directory, 12 files

I've annotated the _cert() function to better understand the files involved:

# From setup.sh. The bold helper and the variables ca, ca_cert and
# openssl_config are defined elsewhere in the script; the annotations below
# show the paths they resolve to.
_cert() {
  tls_key="${tls_key:-./secrets/consul-vault.key.pem}"
  tls_cert="${tls_cert:-./secrets/consul-vault.cert.pem}"

  [ -f "${tls_key}" ] && echo 'TLS certificate exists!' && return
  # ---------------------------------------------------------------------------
  # -f "${tls_key}"                   [read] ./secrets/consul-vault.key.pem
  # ---------------------------------------------------------------------------

  [ -f "${tls_cert}" ] && echo 'TLS certificate exists!' && return
  # ---------------------------------------------------------------------------
  # -f "${tls_cert}"                  [read] ./secrets/consul-vault.cert.pem
  # ---------------------------------------------------------------------------

  echo
  bold '* Creating a private key for Consul and Vault...'
  openssl genrsa -out "${tls_key}" 2048
  # ---------------------------------------------------------------------------
  # -out "${tls_key}"                [write] ./secrets/consul-vault.key.pem
  # ---------------------------------------------------------------------------

  echo
  bold '* Generating a Certificate Signing Request for Consul and Vault...'

  cp "${openssl_config}" './secrets/openssl.cnf'
  # ---------------------------------------------------------------------------
  # cp "${openssl_config}"            [read] /usr/local/etc/openssl/openssl.cnf
  # cp                               [write] ./secrets/openssl.cnf
  # ---------------------------------------------------------------------------

  # The cert generation doesn't take the -config argument, so we need to create
  # the -extfile part and then cat it together with the regular config.
  echo '[ SAN ]' > 'secrets/openssl-ext.cnf'
  echo 'subjectAltName = DNS:vault,DNS:consul,IP:127.0.0.1' \
    >> './secrets/openssl-ext.cnf'
  # ---------------------------------------------------------------------------
  # echo                             [write] ./secrets/openssl-ext.cnf
  # ---------------------------------------------------------------------------

  cat './secrets/openssl-ext.cnf' >> './secrets/openssl.cnf'
  # ---------------------------------------------------------------------------
  # cat                              [write] ./secrets/openssl.cnf
  # ---------------------------------------------------------------------------

  openssl req \
    -config './secrets/openssl.cnf' \
    -reqexts 'SAN' \
    -extensions 'SAN' \
    -key "${tls_key}" \
    -new -sha256 \
    -out './secrets/consul-vault.csr.pem' \
    -subj "/C=US/ST=California/L=San Francisco/O=Example/OU=Example/CN=vault/[email protected]"
  # ---------------------------------------------------------------------------
  # -config                           [read] ./secrets/openssl.cnf
  # -key "${tls_key}"                 [read] ./secrets/consul-vault.key.pem
  # -out                             [write] ./secrets/consul-vault.csr.pem
  # ---------------------------------------------------------------------------

  echo
  bold '* Generating a TLS certificate for Consul and Vault...'
  openssl x509 -req -days 365 -sha256 \
    -CA "${ca_cert}" \
    -CAkey "${ca}/ca_key.pem" \
    -extensions 'SAN' \
    -extfile './secrets/openssl-ext.cnf' \
    -in './secrets/consul-vault.csr.pem' \
    -CAcreateserial \
    -out "${tls_cert}"
  # ---------------------------------------------------------------------------
  # -CA "${ca_cert}"                  [read] ./secrets/CA/ca_cert.pem
  # -CAkey "${ca}/ca_key.pem"         [read] ./secrets/CA/ca_key.pem
  # -extfile                          [read] ./secrets/openssl-ext.cnf         
  # -in                               [read] ./secrets/consul-vault.csr.pem
  # -CAcreateserial                  [write] ./secrets/CA/ca_cert.srl
  # -out                             [write] ./secrets/consul-vault.cert.pem
  # ---------------------------------------------------------------------------

  echo
  bold '* Verifying certificate...'
  openssl x509 -noout -text -in "${tls_cert}"
  # ---------------------------------------------------------------------------
  # -in "${tls_cert}"                 [read] ./secrets/consul-vault.cert.pem
  # ---------------------------------------------------------------------------
}

I also see that the consul and vault HCL configs end up looking like (respectively):

# consul
ca_file = "/usr/local/share/ca-certificates/ca_cert.pem"
cert_file = "/etc/ssl/certs/consul-vault.cert.pem"
key_file = "/etc/ssl/private/consul-vault.key.pem"

# vault
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/etc/ssl/certs/consul-vault.cert.pem"
  tls_key_file = "/etc/ssl/private/consul-vault.key.pem"
}

So I'm just wondering which of these files I need to keep and if/how to keep them under lock and key.

leoj3n commented May 30, 2019

It would also be extremely helpful to give examples (or short explanations) of how each of these files might be used later on after initially running the setup script.

EDIT: I know this might be common sense to some of you but I guarantee this is over a lot of heads.
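Worked example added by the editor, not code from setup.sh or the project. It rebuilds the same shape of PKI as the _cert() flow above (a CA key and cert, a server key, a CSR, and a CA-signed server cert carrying DNS:vault, DNS:consul and IP:127.0.0.1) in a scratch directory, then exercises each file the way it is used after generation: a client needs only ca_cert.pem to validate the server (that is the file behind ca_file), the server needs a matching key_file/cert_file pair, ca_key.pem is only needed to issue or renew certificates, and the private keys are the only files that must be kept confidential. Function names, the scratch layout and the minimal OpenSSL config are the editor's; it assumes a POSIX shell with openssl on PATH.

```shell
#!/bin/sh
# Editor's example, not from setup.sh or the project. Rebuilds the same PKI
# shape in a scratch directory and shows how each file is used afterwards.
# Assumes a POSIX shell and `openssl` on PATH.
set -eu

# Minimal OpenSSL config so nothing depends on the system openssl.cnf.
# [server] carries the same SANs the setup script writes to openssl-ext.cnf.
write_openssl_cnf() {
  cat > "$1" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn

[ dn ]
CN = placeholder

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = DNS:vault, DNS:consul, IP:127.0.0.1
EOF
}

# Generate CA key + cert, server key, CSR and CA-signed server cert in $1
# (a fresh temp dir when omitted). Prints the directory path.
make_demo_pki() {
  dir="${1:-$(mktemp -d)}"
  mkdir -p "$dir/CA"
  write_openssl_cnf "$dir/openssl.cnf"
  # CA material: the only files that can issue or renew certificates later.
  openssl genrsa -out "$dir/CA/ca_key.pem" 2048 2>/dev/null
  openssl req -x509 -new -sha256 -days 3650 -config "$dir/openssl.cnf" \
    -extensions v3_ca -key "$dir/CA/ca_key.pem" \
    -subj "/CN=Example Demo CA" -out "$dir/CA/ca_cert.pem" >/dev/null
  # Server material: private key, CSR, then the cert the CA signs for it.
  # -CAcreateserial writes CA/ca_cert.srl, the serial counter seen above.
  openssl genrsa -out "$dir/consul-vault.key.pem" 2048 2>/dev/null
  openssl req -new -sha256 -config "$dir/openssl.cnf" \
    -key "$dir/consul-vault.key.pem" -subj "/CN=vault" \
    -out "$dir/consul-vault.csr.pem" >/dev/null
  openssl x509 -req -sha256 -days 365 -in "$dir/consul-vault.csr.pem" \
    -CA "$dir/CA/ca_cert.pem" -CAkey "$dir/CA/ca_key.pem" -CAcreateserial \
    -extfile "$dir/openssl.cnf" -extensions server \
    -out "$dir/consul-vault.cert.pem" >/dev/null 2>&1
  echo "$dir"
}

# Client-side check: ca_cert.pem alone validates the server cert for the
# name or address a client dials. Exit status 0 means the chain and SAN match.
verify_for_host() {   # $1 = dir, $2 = hostname
  openssl verify -CAfile "$1/CA/ca_cert.pem" -verify_hostname "$2" \
    "$1/consul-vault.cert.pem" >/dev/null 2>&1
}
verify_for_ip() {     # $1 = dir, $2 = IP address
  openssl verify -CAfile "$1/CA/ca_cert.pem" -verify_ip "$2" \
    "$1/consul-vault.cert.pem" >/dev/null 2>&1
}

# Server-side check: key_file and cert_file must carry the same public key.
key_matches_cert() {  # $1 = private key PEM, $2 = certificate PEM
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Backup hygiene: the two private keys are the only secrets in the tree; the
# certs, CSR, .srl and config files contain nothing confidential.
lock_down() {
  chmod 700 "$1/CA"
  chmod 600 "$1/CA/ca_key.pem" "$1/consul-vault.key.pem"
  chmod 644 "$1/CA/ca_cert.pem" "$1/consul-vault.cert.pem"
}

demo() {
  d=$(make_demo_pki)
  echo "generated under $d:"; find "$d" -type f | sort
  verify_for_host "$d" vault      && echo "ca_cert.pem only: 'vault' verifies"
  verify_for_ip   "$d" 127.0.0.1  && echo "ca_cert.pem only: 127.0.0.1 verifies"
  verify_for_host "$d" other.example || echo "other.example rejected (not in SAN)"
  key_matches_cert "$d/consul-vault.key.pem" "$d/consul-vault.cert.pem" \
    && echo "key_file/cert_file are a matching pair"
  lock_down "$d"
  rm -rf "$d"
}
demo
```

The negative case matters as much as the positive one: a client that pins ca_cert.pem will reject any certificate whose SAN list does not include the name it dialed, so the SAN line in openssl-ext.cnf is what decides which hostnames and addresses the generated cert can serve. Losing ca_key.pem does not lock anyone out of a running setup, it only means no further certificates can be signed under that CA; losing consul-vault.key.pem means the server can no longer present the cert and a new one must be issued.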
