From 09ef1342f03b0fbcb83564cfa6b217e359dbeab7 Mon Sep 17 00:00:00 2001 From: Fabian Arrotin Date: Jul 05 2021 13:39:18 +0000 Subject: Added wrapper script doc for TLS for IPA/Dogtag part - Fedoraproject.org REALM Signed-off-by: Fabian Arrotin --- diff --git a/docs/operations/deploy/common.md b/docs/operations/deploy/common.md index bc7f495..ce63196 100644 --- a/docs/operations/deploy/common.md +++ b/docs/operations/deploy/common.md @@ -26,6 +26,10 @@ Warning: Permanently added 'artwork-1.dev.centos.org' (ECDSA) to the list of kno ``` +!!! tip + it's also possible to *not* do the ssh host key checking, but not adviced, by using `ANSIBLE_HOST_KEY_CHECKING=False` env variable in front of the first playbook execution in the next steps. As said, it's possible and should *eventually* only be used for .dev. or .stg. environment, and on just provisioned instances (non public) like Virtual Machines + + Now we can proceed with next steps. Let's add the node in the correct Ansible inventory (like for example `CentOS-CI` or `CentOS-prod` or `CentOS-staging`, etc. diff --git a/docs/security/tls.md b/docs/security/tls.md index fd94a41..5084f1f 100644 --- a/docs/security/tls.md +++ b/docs/security/tls.md 
@@ -9,14 +9,90 @@ Ansible roles are using the following logic to distribute .key/.cert files * {{ public_name }}-CAchain.crt : Trusted chain from CA (usually a symlink in pkistore is enough as we have a very few) ``` - -## Public certificates -### DigiCert -We have some long-term certificates that we use for www/lists/ci/etc .centos.org -Those need to be required through DigiCert Web ui and through internal RH ticket. -Once we have the signed cert back, we can upload it in pkistore and deploy +## Internal certificates + +### IPA/dogtag (central authentication) + +While IPA enrolled nodes can directly request TLS certificates, for CentOS infra, due to the fact that almost *all* nodes *can't* be enrolled (no direct link with IPA infra), we have to delegate this on an enrolled node where we can then be granted "delegation" rights in IPA, so that a "fake" enrolled node (created for the real target server that will need a TLS cert) can be "managed by" the enrolled node. + +From that enrolled node, we'll then be able to retrieve the TLS cert/keytab and also then export/import into `pkistore` , following the same naming convention as described above. + +Depending on the Env (Prod vs STG), you can find which node[s] is/are enrolled (through applied `ipa-client` client role applied with also the `ipa_client_tls_delegated_host` boolean set to `True` (needed for the following script to be present in the ipa-client role). + +Pre-requisites: + + * one node enrolled in the correct REALM we want to generate/retrieve TLS cert (and keytab) for + * an IPA account that has enough privileges to add hosts/services and local sudo rights on the intermediate enrolled node + * `ipa-client` role applied with correct script deployed + +Once we have shell access on such enrolled node, we can proceed like this : +``` +/usr/libexec/centos/generate_ipa_tls_krb5 -n mbs.mbox.stg.centos.org -d 'Koji mbox STG mbs' -s 'HTTP' +[+] Adding host in IPA and adding delegation to retrieve certs/keytab ... 
+------------------------------------ +Added host "mbs.mbox.stg.centos.org" +------------------------------------ + Host name: mbs.mbox.stg.centos.org + Description: Koji mbox STG mbs + Principal name: host/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG + Principal alias: host/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG + Password: False + Keytab: False + Managed by: mbs.mbox.stg.centos.org + Host name: mbs.mbox.stg.centos.org + Description: Koji mbox STG mbs + Principal name: host/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG + Principal alias: host/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG + Managed by: mbs.mbox.stg.centos.org, .fedoraproject.org +------------------------- +Number of members added 1 +------------------------- +------------------------------------------------------------------ +Added service "HTTP/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG" +------------------------------------------------------------------ + Principal name: HTTP/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG + Principal alias: HTTP/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG + Managed by: mbs.mbox.stg.centos.org + Principal name: HTTP/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG + Principal alias: HTTP/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG + Managed by: mbs.mbox.stg.centos.org, .fedoraproject.org +------------------------- +Number of members added 1 +------------------------- + Host name: mbs.mbox.stg.centos.org + Description: Koji mbox STG mbs + Principal name: host/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG + Principal alias: host/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG + Managed by: mbs.mbox.stg.centos.org, .fedoraproject.org + Hosts allowed to retrieve keytab: .fedoraproject.org +------------------------- +Number of members added 1 +------------------------- + Principal name: HTTP/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG + Principal alias: HTTP/mbs.mbox.stg.centos.org@STG.FEDORAPROJECT.ORG + Managed by: mbs.mbox.stg.centos.org, 
.fedoraproject.org + Hosts allowed to retrieve keytab: .fedoraproject.org +------------------------- +Number of members added 1 +------------------------- +[+] Retrieving TLS and keytab files ... +New signing request "20210705130958" added. +Keytab successfully retrieved and stored in: /etc/pki/centos/certs/HTTP-mbs.mbox.stg.centos.org.keytab +[+] Validating TLS against IPA CA ... +/etc/pki/centos/certs/mbs.mbox.stg.centos.org.crt: OK +``` + +!!! tip + You need a valid kerberos ticket for the existing REALM, otherwise same script will exit 1. Worth knowing that if you have enabled OTP on your account (a *must* for admins) you can use the `2fa-kinit` script, also deployed by ansible on each enrolled node by the `ipa-client` ansible role + +You can now import into `pkistore` (and correct directory based on role) git-crypted repository the needed .crt and .key files from /etc/pki/centos/certs/ directory + + +### Red Hat CA (internal setup only) + +## Public certificates ### Letsencrypt @@ -76,7 +152,8 @@ And back on the certbot node, where it just updates, then waits and finalizes th ``` -PS : for a wildcard, just add multiple -d and '*.domain' +PS : for a wildcard, just add multiple -d and `*.domain` + ``` acme.sh --issue --dns dns_nsupdate -d stg.centos.org -d '*.stg.centos.org' --challenge-alias stg.acme.centos.org ```
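Review bot: the new `!!! tip` in common.md has a typo ("adviced" should be "advised") and understates what is given up: `ANSIBLE_HOST_KEY_CHECKING=False` removes the only check that protects the first playbook run against connecting to the wrong host, so restricting it to .dev./.stg. is not enough on its own. Suggest the tip also tells the operator to confirm the host key out of band (for example via the provisioning console) before running the playbook, and to remove the variable again once the key is in known_hosts, e.g. "Only use this on freshly provisioned, non-public .dev./.stg. instances, after confirming the host key fingerprint through the provisioning console."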
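Review bot: the IPA/dogtag section leaves the private key and keytab on the delegated node without saying what happens to them. The transcript ends with `Keytab successfully retrieved and stored in: /etc/pki/centos/certs/HTTP-mbs.mbox.stg.centos.org.keytab` and the closing paragraph only covers importing the .crt and .key from `/etc/pki/centos/certs/` into `pkistore`; add a step stating whether the keytab is also committed to pkistore or delivered another way, and that key and keytab are removed from the enrolled node once imported, since that host otherwise accumulates credentials for every service it has delegation over. Two smaller points in the same region: the sentence "Depending on the Env (Prod vs STG), you can find which node[s] is/are enrolled (through applied `ipa-client` client role applied with also the `ipa_client_tls_delegated_host` boolean ..." never says where to look and has an unbalanced parenthesis, so name the inventory or group_vars file to check and close the bracket; and the sample output shows "Managed by: mbs.mbox.stg.centos.org, .fedoraproject.org" and "Hosts allowed to retrieve keytab: .fedoraproject.org", which reads as if the delegated hostname was stripped when the output was pasted, so an explicit placeholder such as `<delegated-host>.fedoraproject.org` would be clearer. The new `### Red Hat CA (internal setup only)` heading is empty; either add its content or leave the heading out until it exists.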
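Review bot: replacing `'*.domain'` with backticks in the "PS : for a wildcard ..." line fixes the markdown rendering, but for consistency with the `!!! tip` admonitions introduced elsewhere in this patch the remark would read better as a tip admonition than as a bare "PS :" prefix, keeping the `acme.sh --issue ... -d '*.stg.centos.org'` example in the fenced block below it.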