Merge pull request #2063 from cfe-lab/UpdateSSLCertificates

Added an Ansible script for updating the SSL certificates.
cfe-lab · Jul 22, 2024 · 656059b · 656059b
2 parents fdc132c + 9c12e38
commit 656059b
Show file tree

Hide file tree

Showing 5 changed files with 72 additions and 16 deletions.
diff --git a/cluster-setup/README.md b/cluster-setup/README.md
@@ -186,12 +186,25 @@ These must be acquired securely from IT or within the software group, and placed
 
 The files needed are:
 
-* `DigiCertCA.crt`: the DigiCert certificate authority (CA) key, which specifies that DigiCert
-  issued the key.
-* `star_cfe.crt`: the wildcard certificate issued by DigiCert, which certifies that this server
-  belongs to the `cfenet.ubc.ca` or `bccfe.ca` domain.
+* `star_cfe_chained.crt`: the chained SSL certificate; and
 * `star_cfe.key`: our private signing key, used to issue a public key for HTTPS connections.
 
+The chained SSL certificate `star_cfe_chained.crt` is made up of three things:
+
+* The wildcard certificate issued by DigiCert, which certifies that this server belongs to the 
+  `cfenet.ubc.ca` or `bccfe.ca` domain.
+* The intermediate certificate/certificate signing request (CSR).
+* The root certificate.
+
+For example, if the wildcard certificate is named `star_cfe.crt` (this is what we called it in the past),
+the intermediate certificate is named `intermediate.csr`, and the root certificate is named
+`DigiCertCA.crt` (this is what we called it in the past), the chained SSL certificate would be 
+generated by executing
+
+    cat star_cfe.crt intermediate.csr DigiCertCA.crt > star_cfe_chained.crt.
+
+The chained certificate can be verified with `openssl verify star_cfe_chained.crt`.
+
 These will then be used in the next step to configure Apache.
 
 ### Set up network drives

diff --git a/cluster-setup/deployment/roles/kive_server/files/001-kive-ssl.conf b/cluster-setup/deployment/roles/kive_server/files/001-kive-ssl.conf
@@ -14,9 +14,9 @@
 
         SSLEngine on
 
-        SSLCertificateFile      /etc/ssl/certs/star_cfe.crt
+        SSLCertificateFile      /etc/ssl/certs/star_cfe_chained.crt
         SSLCertificateKeyFile /etc/ssl/private/star_cfe.key
-        SSLCertificateChainFile /etc/ssl/certs/DigiCertCA.crt
+        # SSLCertificateChainFile /etc/ssl/certs/DigiCertCA.crt
 
         #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
         <FilesMatch "\.(cgi|shtml|phtml|php)$">

diff --git a/cluster-setup/deployment/roles/kive_server/tasks/main.yml b/cluster-setup/deployment/roles/kive_server/tasks/main.yml
@@ -156,8 +156,8 @@
 
     - name: install SSL certificate
       copy:
-        src: star_cfe.crt
-        dest: /etc/ssl/certs/star_cfe.crt
+        src: star_cfe_chained.crt
+        dest: /etc/ssl/certs/star_cfe_chained.crt
         owner: root
         group: root
 
@@ -169,12 +169,12 @@
         group: root
         mode: "0600"
 
-    - name: install SSL certificate chain file
-      copy:
-        src: DigiCertCA.crt
-        dest: /etc/ssl/certs/DigiCertCA.crt
-        owner: root
-        group: root
+#    - name: install SSL certificate chain file
+#      copy:
+#        src: DigiCertCA.crt
+#        dest: /etc/ssl/certs/DigiCertCA.crt
+#        owner: root
+#        group: root
 
 
 - name: set up log purging
@@ -276,14 +276,14 @@
           command:
             cmd: "a2enconf rotate-kive-logs"
 
-    - name: install the httpd site configuration for Kive
+    - name: install the Apache SSL site configuration for Kive
       copy:
         src: 001-kive-ssl.conf
         dest: /etc/apache2/sites-available
         owner: root
         group: root
 
-    - name: enable the httpd site configuration for Kive
+    - name: enable the Apache SSL site configuration for Kive
       command:
         cmd: "a2ensite 001-kive-ssl"
 

diff --git a/cluster-setup/deployment/update_apache_ssl_2024_07_08.yaml b/cluster-setup/deployment/update_apache_ssl_2024_07_08.yaml
@@ -0,0 +1,14 @@
+---
+
+- name: update the Apache SSL configuration file
+  hosts: head
+  tasks:
+    - name: install the Apache SSL site configuration for Kive
+      copy:
+        src: roles/kive_server/files/001-kive-ssl.conf
+        dest: /etc/apache2/sites-available
+        owner: root
+        group: root
+
+- name: update the SSL certificates and restart Apache
+  ansible.builtin.import_playbook: update_ssl_certs.yaml
diff --git a/cluster-setup/deployment/update_ssl_certs.yaml b/cluster-setup/deployment/update_ssl_certs.yaml
@@ -0,0 +1,29 @@
+---
+
+- name: update SSL certificates
+  hosts: head
+  tasks:
+    - name: install SSL certificate
+      copy:
+        src: star_cfe_chained.crt
+        dest: /etc/ssl/certs/star_cfe_chained.crt
+        owner: root
+        group: root
+
+    - name: install SSL key
+      copy:
+        src: star_cfe.key
+        dest: /etc/ssl/private/star_cfe.key
+        owner: root
+        group: root
+        mode: "0600"
+
+- name: reload Apache configuration
+  hosts: head
+  tasks:
+    - name: reload Apache configuration
+      systemd:
+        name: apache2
+        state: reloaded
+        enabled: true
+        daemon_reload: true