Modify cert gen to make it work under fips

Some openssl command line utilities (e.g. openssl req) accept a supplementary config file as an option. This config file should contain only supplementary sections. If you use the main configuration file as supplementary, it may cause strange errors because openssl will try to activate the providers twice. This behaviour existed for a long time but before the 3.0 version it caused problems less often, and it appears to fail consistently under FIPS. In this commit, we create a config file with just those configs that are necessary. Change-Id: Iecf3f3e20fa285563b23a7aff7deaa00616aca51
2022-02-21 17:53:01 -05:00 · 2022-02-21 17:53:01 -05:00 · 4fc439a03e
parent 84a6731a1a
commit 4fc439a03e
2 changed files with 110 additions and 9 deletions
--- a/tripleo_ansible/roles/octavia_overcloud_config/tasks/certs_gen.yml
+++ b/tripleo_ansible/roles/octavia_overcloud_config/tasks/certs_gen.yml
@ -22,15 +22,10 @@

 - name: create openssl configuration file from template
  become: true
-  copy: src="/etc/pki/tls/openssl.cnf" dest="{{ openssl_temp_dir }}/openssl.cnf" remote_src=yes
-
- name: update openssl directory entry in the configuration file
-  become: true
-  ini_file: path="{{ openssl_temp_dir }}/openssl.cnf" section=" CA_default " option="dir" value="{{ openssl_temp_dir }}"
-
- name: update openssl ca certificate file in the configuration file
-  become: true
-  replace: path="{{ openssl_temp_dir }}/openssl.cnf" regexp="cacert.pem" replace="ca_01.pem"
+  ansible.builtin.template:
+    src: openssl.cnf.j2
+    dest: "{{ openssl_temp_dir }}/openssl.cnf"
+    mode: '0640'

 - name: Generating certificate authority private key
  become: true
--- a/tripleo_ansible/roles/octavia_overcloud_config/templates/openssl.cnf.j2
+++ b/tripleo_ansible/roles/octavia_overcloud_config/templates/openssl.cnf.j2
@ -0,0 +1,106 @@
+# OpenSSL root CA configuration file.
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = "{{ openssl_temp_dir }}"
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = $dir/private/cakey.pem
+certificate       = $dir/ca_01.pem
+
+# For certificate revocation lists.
+crlnumber         = $dir/crlnumber
+crl               = $dir/crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 3650
+preserve          = no
+policy            = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# Optionally, specify some defaults.
+countryName_default             = US
+stateOrProvinceName_default     = Oregon
+localityName_default            =
+0.organizationName_default      = OpenStack
+organizationalUnitName_default  = Octavia
+emailAddress_default            =
+commonName_default              = example.org
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always