88 lines
2.3 KiB
Plaintext
88 lines
2.3 KiB
Plaintext
Create the ca cnf file:
|
|
file.managed:
|
|
- name: /etc/rmt/ssl/rmt-ca.cnf
|
|
- source: salt://rmt/files/rmt-ca.cnf
|
|
- user: root
|
|
- group: root
|
|
- mode: "0600"
|
|
|
|
|
|
Create rmt CA key:
|
|
x509.private_key_managed:
|
|
- name: /etc/rmt/ssl/rmt-ca.key
|
|
- passphrase: {{ pillar['rmt']['ca_passphrase'] }}
|
|
- bits: 2048
|
|
- owner: root
|
|
- group: root
|
|
- mode: "0600"
|
|
|
|
Create rmt CA certificate:
|
|
cmd.run:
|
|
- name: openssl req -config rmt-ca.cnf -key rmt-ca.key -new -x509 -days 3650 -sha256 -out rmt-ca.crt -passin pass:{{ pillar['rmt']['ca_passphrase'] }}
|
|
- cwd: /etc/rmt/ssl
|
|
- onchanges:
|
|
- file: Create the ca cnf file
|
|
|
|
Set permission on CA Certificate:
|
|
file.managed:
|
|
- name: /etc/rmt/ssl/rmt-ca.crt
|
|
- replace: False
|
|
- user: root
|
|
- group: nginx
|
|
- mode: "0640"
|
|
|
|
Create rmt-server key:
|
|
x509.private_key_managed:
|
|
- name: /etc/rmt/ssl/rmt-server.key
|
|
- bits: 2048
|
|
- owner: root
|
|
- group: root
|
|
- mode: "0600"
|
|
|
|
Create the server cnf file:
|
|
file.managed:
|
|
- name: /etc/rmt/ssl/rmt-server.cnf
|
|
- source: salt://rmt/files/rmt-server.cnf.jinja
|
|
- template: jinja
|
|
- user: root
|
|
- group: root
|
|
- mode: "0600"
|
|
|
|
Create the rmt-server signing request:
|
|
cmd.run:
|
|
- name: openssl req -new -key rmt-server.key -config rmt-server.cnf -out rmt-server.csr
|
|
- cwd: /etc/rmt/ssl
|
|
- onchanges:
|
|
- file: Create the server cnf file
|
|
|
|
Set permission on rmt-server singing request:
|
|
file.managed:
|
|
- name: /etc/rmt/ssl/rmt-server.csr
|
|
- replace: False
|
|
- user: root
|
|
- group: root
|
|
- mode: "0600"
|
|
|
|
Create the rmt-server certificate:
|
|
cmd.run:
|
|
- name: openssl x509 -req -in rmt-server.csr -CA rmt-ca.crt -CAkey rmt-ca.key -CAcreateserial -extfile rancher-server.cnf -extensions v3_req -out rmt-server.crt -days 3650 -sha256 -passin pass:{{ pillar['rmt']['ca_passphrase'] }}
|
|
- cwd: /etc/rmt/ssl
|
|
- onchanges:
|
|
- cmd: Create the rmt-server signing request
|
|
|
|
Set permission on rmt-server certificate:
|
|
file.managed:
|
|
- name: /etc/rmt/ssl/rmt-server.crt
|
|
- replace: False
|
|
- user: root
|
|
- group: root
|
|
- mode: "0600"
|
|
|
|
Set permission on rmt CA serial:
|
|
file.managed:
|
|
- name: /etc/rmt/ssl/rmt-ca.srl
|
|
- replace: False
|
|
- user: root
|
|
- group: root
|
|
- mode: "0600"
|