From 734d82cb276d6e3111f98f41b25b8dac45931b95 Mon Sep 17 00:00:00 2001
From: Blerim Sheqa
Date: Fri, 24 Feb 2017 14:07:05 +0100
Subject: [PATCH 1/2] Create CA after icinga2 installation

---
 manifests/pki/ca.pp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/manifests/pki/ca.pp b/manifests/pki/ca.pp
index 0952881d8..09035e95d 100644
--- a/manifests/pki/ca.pp
+++ b/manifests/pki/ca.pp
@@ -34,7 +34,8 @@
 $ca_key = undef,
 ) {
- include icinga2::params
+ include ::icinga2::params
+ require ::icinga2::config
 $ca_dir = $::icinga2::params::ca_dir
 $user = $::icinga2::params::user
From bf3c62d19adb686447a7a051f9d4bf0a7c2d3b95 Mon Sep 17 00:00:00 2001
From: Blerim Sheqa
Date: Tue, 28 Feb 2017 13:20:47 +0100
Subject: [PATCH 2/2] Create signed certificate with custom CA

---
 README.md | 60 ++++++++++++++++++++++++-----
 manifests/feature/api.pp | 29 ++------------
 manifests/pki/ca.pp | 81 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 134 insertions(+), 36 deletions(-)

diff --git a/README.md b/README.md
index d73aff441..4189a9cad 100644
--- a/README.md
+++ b/README.md
@@ -522,17 +522,19 @@ file { '/var/lib/icinga2/ca/ca.key':
 }
 ```
-* Create a new CA with the `icinga2` CLI command and a certificate signed by this new CA. This is especially useful when
-seting up a fresh Icinga 2 master from scratch.
-```
+* Create a new CA with the `icinga2` CLI command and a certificate signed by this new CA. This is useful especially when
+seting up a new Icinga 2 master.
+```puppet
 class { '::icinga2':
 constants => {
 'TicketSalt' => '5a3d695b8aef8f18452fc494593056a4',
 }
 }
+class { '::icinga2::pki::ca': }
+
 class { '::icinga2::feature::api':
- pki => 'ca',
+ pki => 'none',
 endpoints => {
 'localhost' => {
 'host' => 'localhost',
@@ -1142,13 +1144,13 @@ Provides multiple sources for the certificate and key. the configured 'ticket_salt' in a custom function. * `none` Does nothing and you either have to manage the files yourself as file resources or use the `ssl_key`, `ssl_cert`, `ssl_ca` parameters. -* `ca` Includes the `::icinga2::pki::ca` class to generate a fresh CA and generates an SSL certificate and key signed by +* `ca` (**deprecated**) Includes the `::icinga2::pki::ca` class to generate a fresh CA and generates an SSL certificate and key signed by this new CA. Defaults to `puppet` ##### `ssl_key_path` -Location of the private key. Default depends on platform: +Location of the private key. Default depends on your platform: * Linux `/etc/icinga2/pki/NodeName.key` * Windows `C:/ProgramData/icinga2/etc/icinga2/pki/NodeName.key` @@ -1156,17 +1158,25 @@ Location of the private key. Default depends on platform: The Value of `NodeName` comes from the corresponding constant. ##### `ssl_cert_path` -Location of the certificate. Default depends on platform: +Location of the certificate. Default depends on your platform: * Linux `/etc/icinga2/pki/NodeName.crt` * Windows `C:/ProgramData/icinga2/etc/icinga2/pki/NodeName.crt` The Value of `NodeName` comes from the corresponding constant. -##### `ssl_ca_path` -Location of the CA certificate. Default depends on platform: +##### `ssl_csr_path` +Location of the certificate signing request. Default depends on your platform: + +* Linux: `/etc/icinga2/pki/NodeName.csr` +* Windows `C:/ProgramData/icinga2/etc/icinga2/pki/NodeName.csr` + +The Value of `NodeName` comes from the corresponding constant. + +##### `ssl_cacert_path` +Location of the CA certificate. Default depends on your platform: -* Linux `/etc/icinga2/pki/ca.crt` +* Linux: `/etc/icinga2/pki/ca.crt` * Windows `C:/ProgramData/icinga2/etc/icinga2/pki/ca.crt` ##### `accept_config` 
@@ -1310,6 +1320,36 @@ Content of the CA certificate. If this is unset, a certificate will be generated
 ##### `ca_key`
 Content of the CA key. If this is unset, a key will be generated with the Icinga 2 CLI.
+##### `ssl_key_path`
+Location of the private key. Default depends on your platform:
+
+* Linux `/etc/icinga2/pki/NodeName.key`
+* Windows `C:/ProgramData/icinga2/etc/icinga2/pki/NodeName.key`
+
+The Value of `NodeName` comes from the corresponding constant.
+
+##### `ssl_cert_path`
+Location of the certificate. Default depends on your platform:
+
+* Linux `/etc/icinga2/pki/NodeName.crt`
+* Windows `C:/ProgramData/icinga2/etc/icinga2/pki/NodeName.crt`
+
+The Value of `NodeName` comes from the corresponding constant.
+
+##### `ssl_csr_path`
+Location of the certificate signing request. Default depends on your platform:
+
+* Linux: `/etc/icinga2/pki/NodeName.csr`
+* Windows `C:/ProgramData/icinga2/etc/icinga2/pki/NodeName.csr`
+
+The Value of `NodeName` comes from the corresponding constant.
+
+##### `ssl_cacert_path`
+Location of the CA certificate. Default depends on your platform:
+
+* Linux: `/etc/icinga2/pki/ca.crt`
+* Windows `C:/ProgramData/icinga2/etc/icinga2/pki/ca.crt`
+
 ### Private Classes
 #### Class: `icinga2::repo`
diff --git a/manifests/feature/api.pp b/manifests/feature/api.pp
index 42b5245e7..42f040161 100644
--- a/manifests/feature/api.pp
+++ b/manifests/feature/api.pp
@@ -175,7 +175,7 @@
 validate_re($ensure, [ '^present$', '^absent$' ],
 "${ensure} isn't supported. Valid values are 'present' and 'absent'.")
 validate_re($pki, [ '^puppet$', '^none$', '^icinga2', '^ca' ],
- "${pki} isn't supported. Valid values are 'puppet', 'none', 'icinga2' and 'ca'.")
+ "${pki} isn't supported. Valid values are 'puppet', 'none', 'icinga2' and 'ca (deprecated)'.")
 validate_bool($accept_config)
 validate_bool($accept_commands)
 validate_string($ticket_salt)
@@ -310,32 +310,9 @@
 } # icinga2
 'ca': {
- class { '::icinga2::pki::ca': } ->
+ class { '::icinga2::pki::ca': }
- file { "${_ssl_cacert_path}":
- source => "${ca_dir}/ca.crt",
- } ->
- exec { 'icinga2 pki create certificate signing request':
- command => "icinga2 pki new-cert --cn '${::fqdn}' --key '${_ssl_key_path}' --csr '${_ssl_csr_path}'",
- creates => $_ssl_key_path,
- } ->
- file {
- $_ssl_key_path:
- mode => '0600';
- }
- exec { 'icinga2 pki sign certificate':
- command => "icinga2 pki sign-csr --csr '${_ssl_csr_path}' --cert '${_ssl_cert_path}'",
- subscribe => Exec['icinga2 pki create certificate signing request'],
- refreshonly => true,
- notify => Class['::icinga2::service'],
- } ->
- file {
- $_ssl_cert_path:;
- $_ssl_csr_path:
- ensure => absent;
- }
+ notice("This parameter is deprecated and will be removed in future versions! Please use ::icinga2::pki::ca instead")
 } # ca
 } # pki
diff --git a/manifests/pki/ca.pp b/manifests/pki/ca.pp
index 09035e95d..0788084fb 100644
--- a/manifests/pki/ca.pp
+++ b/manifests/pki/ca.pp
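Review bot: The deprecation is emitted with `notice(...)`, which only shows up at notice level during catalog compilation, and its text says "This parameter is deprecated" although it is the value `ca` of `pki` that is going away, not the parameter. `warning("pki => 'ca' is deprecated and will be removed in future versions! Please declare class ::icinga2::pki::ca instead")` names what is deprecated and is harder to miss in the logs (stdlib's `deprecation()` would also do, if the module's stdlib requirement allows it). With the certificate chain removed here, `pki => 'ca'` now declares `::icinga2::pki::ca` with no parameters, so a user who customised this feature's `ssl_key_path`/`ssl_cert_path`/`ssl_cacert_path` presumably gets the files written to pki::ca's own defaults while the api configuration points elsewhere; passing those paths through, or documenting that the deprecated value ignores them, would avoid that surprise. The enclosing `case $pki` statement starts outside the hunk.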
@@ -13,6 +13,29 @@
 # [*ca_key*]
 # Content of the CA key. If this is unset, a key will be generated with the Icinga 2 CLI.
 #
+# [*ssl_key_path*]
+# Location of the private key. Default depends on platform:
+# /etc/icinga2/pki/NodeName.key on Linux
+# C:/ProgramData/icinga2/etc/icinga2/pki/NodeName.key on Windows
+# The Value of NodeName comes from the corresponding constant.
+#
+# [*ssl_cert_path*]
+# Location of the certificate. Default depends on platform:
+# /etc/icinga2/pki/NodeName.crt on Linux
+# C:/ProgramData/icinga2/etc/icinga2/pki/NodeName.crt on Windows
+# The Value of NodeName comes from the corresponding constant.
+#
+# [*ssl_csr_path*]
+# Location of the certificate signing request. Default depends on platform:
+# /etc/icinga2/pki/NodeName.csr on Linux
+# C:/ProgramData/icinga2/etc/icinga2/pki/NodeName.csr on Windows
+# The Value of NodeName comes from the corresponding constant.
+#
+# [*ssl_cacert_path*]
+# Location of the CA certificate. Default is:
+# /etc/icinga2/pki/ca.crt on Linux
+# C:/ProgramData/icinga2/etc/icinga2/pki/ca.crt on Windows
+#
 # === Examples
 #
 # Let Icinga 2 generate a CA for you:
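Review bot: The new `[*ssl_cacert_path*]` entry reads `Default is:` while the three entries added just above it read `Default depends on platform:`; using the same phrase, `#   Location of the CA certificate. Default depends on platform:`, keeps the parameter documentation uniform. It would also help to say that the CSR created from the key is removed again once the certificate has been signed, since a reader choosing `ssl_csr_path` may otherwise expect the file to persist.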
@@ -32,20 +55,52 @@ class icinga2::pki::ca(
 $ca_cert = undef,
 $ca_key = undef,
+ $ssl_key_path = undef,
+ $ssl_cert_path = undef,
+ $ssl_csr_path = undef,
+ $ssl_cacert_path = undef,
 ) {
 include ::icinga2::params
 require ::icinga2::config
 $ca_dir = $::icinga2::params::ca_dir
+ $pki_dir = $::icinga2::params::pki_dir
 $user = $::icinga2::params::user
 $group = $::icinga2::params::group
+ $node_name = $::icinga2::_constants['NodeName']
 File {
 owner => $user,
 group => $group,
 }
+ Exec {
+ user => 'root',
+ path => $::path,
+ }
+
+ if $ssl_key_path {
+ validate_absolute_path($ssl_key_path)
+ $_ssl_key_path = $ssl_key_path }
+ else {
+ $_ssl_key_path = "${pki_dir}/${node_name}.key" }
+ if $ssl_cert_path {
+ validate_absolute_path($ssl_cert_path)
+ $_ssl_cert_path = $ssl_cert_path }
+ else {
+ $_ssl_cert_path = "${pki_dir}/${node_name}.crt" }
+ if $ssl_csr_path {
+ validate_absolute_path($ssl_csr_path)
+ $_ssl_csr_path = $ssl_csr_path }
+ else {
+ $_ssl_csr_path = "${pki_dir}/${node_name}.csr" }
+ if $ssl_cacert_path {
+ validate_absolute_path($ssl_cacert_path)
+ $_ssl_cacert_path = $ssl_cacert_path }
+ else {
+ $_ssl_cacert_path = "${pki_dir}/ca.crt" }
+
 if !$ca_cert or !$ca_key {
 $path = $::osfamily ? {
 'windows' => 'C:/ProgramFiles/ICINGA2/sbin',
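Review bot: The class-wide `Exec { user => 'root', path => $::path }` default does not fit the Windows case this very hunk provides for (`$path = $::osfamily ? { 'windows' => 'C:/ProgramFiles/ICINGA2/sbin', …`): there is no `root` account there, and the certificate execs added at the end of the file rely on this default instead of the platform-specific `$path`, so the `icinga2` binary is unlikely to be on the agent's `$::path` on Windows. Computing the platform path once, before the `Exec` default and outside the `if !$ca_cert or !$ca_key` branch, and using it as `path => $path` there (with `user` set per osfamily or dropped) would cover both platforms. Style: the four `if $ssl_*_path { … }` blocks close the brace on the assignment line (`$_ssl_key_path = $ssl_key_path }`) and put `else` on its own line, unlike the rest of the class; `} else {` with each assignment on its own line would match the surrounding code. `$::icinga2::_constants['NodeName']` reads an underscore-prefixed variable of another class, which is presumably private; if this is the intended way to read constants a short comment saying so would help the next maintainer.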
@@ -91,5 +146,31 @@
 },
 tag => 'icinga2::config::file',
 }
+ } ->
+
+ file { "${_ssl_cacert_path}":
+ source => "${ca_dir}/ca.crt",
 }
+
+ exec { 'icinga2 pki create certificate signing request':
+ command => "icinga2 pki new-cert --cn '${::fqdn}' --key '${_ssl_key_path}' --csr '${_ssl_csr_path}'",
+ creates => $_ssl_key_path,
+ require => File["${_ssl_cacert_path}"]
+ } ->
+ file {
+ $_ssl_key_path:
+ mode => '0600';
+ }
+
+ exec { 'icinga2 pki sign certificate':
+ command => "icinga2 pki sign-csr --csr '${_ssl_csr_path}' --cert '${_ssl_cert_path}'",
+ subscribe => Exec['icinga2 pki create certificate signing request'],
+ refreshonly => true,
+ notify => Class['::icinga2::service'],
+ } ->
+ file {
+ $_ssl_cert_path:;
+ $_ssl_csr_path:
+ ensure => absent;
+ }
 }
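Review bot: The CSR is created with `--cn '${::fqdn}'` while the key, CSR and certificate files are named after `$node_name` (the NodeName constant read earlier in this class), so whenever NodeName is not the host's fqdn the signed certificate carries a CN that, as far as I recall, Icinga 2 will not accept for that endpoint; `--cn '${node_name}'` keeps the two in step. The signing exec is `refreshonly` and subscribed to the CSR exec, which is guarded by `creates => $_ssl_key_path`: if `sign-csr` fails once, the key already exists, the CSR exec never fires again and every later run leaves the node with a key but no certificate — gating the signing step on `creates => $_ssl_cert_path` with a `require` on the CSR exec makes it converge instead. Minor style: `file { "${_ssl_cacert_path}":` and `File["${_ssl_cacert_path}"]` quote a bare variable, and the `require` line lacks its trailing comma. The `} ->` at the top of the hunk chains the whole if/else above it (which starts outside the hunk) to the CA-certificate file; it is worth confirming that the last expression of both branches is the resource you intend to order against.
```puppet
  exec { 'icinga2 pki create certificate signing request':
    command => "icinga2 pki new-cert --cn '${node_name}' --key '${_ssl_key_path}' --csr '${_ssl_csr_path}'",
    creates => $_ssl_key_path,
    require => File[$_ssl_cacert_path],
  } ->
  # … unchanged: key file resource with mode 0600 …

  exec { 'icinga2 pki sign certificate':
    command => "icinga2 pki sign-csr --csr '${_ssl_csr_path}' --cert '${_ssl_cert_path}'",
    creates => $_ssl_cert_path,
    require => Exec['icinga2 pki create certificate signing request'],
    notify  => Class['::icinga2::service'],
  } ->
  # … unchanged: certificate and csr file resources …
```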