Set up LDAPS (TLS) for 389 DS
---
# Ansible tasks documenting the steps to create an NSS certificate database, a self-signed
# server certificate, and enable TLS (LDAPS) for 389 DS / RHDS
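# Expected from the caller: dirsrv_server_id, dirsrv_certdb_pw (NSS database password),
# ldapmodify_cmd (ldapmodify invocation incl. bind credentials) and the "restart services"
# handler. Runs as root: everything under {{ dirsrv_root }} is written root-owned.
# NOTE(review): nothing in these tasks hands ownership of cert8.db/key3.db/pin.txt to the
# directory server's service account — confirm a later task does, or ns-slapd cannot read
# its own key database and pin file.
- name: set instance root
  set_fact:
    dirsrv_root: "/etc/dirsrv/slapd-{{ dirsrv_server_id }}"
  tags:
    - dirsrv
    - dirsrv-ssl

# Plaintext NSS database password, consumed by certutil, openssl and pk12util below.
# Restricted to root: the default copy mode would leave it world-readable.
# NOTE(review): despite the "(temporary)" label no task here removes it; remove it
# (file: state=absent) once the pk12util import has run, unless a later task still needs it.
- name: certdb password file (temporary)
  copy:
    content: "{{ dirsrv_certdb_pw }}"
    dest: /root/dirsrv-setup/certdb_pw
    mode: "0600"
  no_log: true
  tags:
    - dirsrv
    - dirsrv-ssl

# pin.txt lets ns-slapd unlock the NSS token without a prompt. The token name before
# the colon must match nsSSLToken in ssl.ldif ("internal (software)").
# NOTE(review): written root-owned with the default mode. It holds the same secret as the
# file above; it should be readable by the service account only (0400) — confirm ownership
# and mode are fixed later, since setting 0600 here without chown would break startup.
- name: create pin file
  copy:
    content: "Internal (Software) Token:{{ dirsrv_certdb_pw }}"
    dest: "{{ dirsrv_root }}/pin.txt"
  no_log: true
  tags:
    - dirsrv
    - dirsrv-ssl

# certutil -N initialises the database; the creates: guard keeps re-runs from
# overwriting an existing cert8.db (and the key already imported into it).
- name: create certdb
  command: "certutil -N -d {{ dirsrv_root }} -f /root/dirsrv-setup/certdb_pw"
  args:
    creates: "{{ dirsrv_root }}/cert8.db"
  tags:
    - dirsrv
    - dirsrv-ssl

# Self-signed RSA-2048/SHA-256 certificate with an unencrypted key (-nodes). v3_ca
# makes the cert its own trust anchor, which the Cu,u,u trust flags below rely on.
# The key is only generated while dirsrv.key is missing, and the cert lasts 365 days,
# so renewal needs the .key/.crt/.p12 files removed first.
# NOTE(review): subject is CN-only with no subjectAltName; clients that require a SAN
# for hostname verification will reject it — add one (openssl -addext needs 1.1.1+)
# if such clients connect. The plaintext key and the .p12 stay on disk after import;
# they are root-owned but are worth removing or tightening once imported.
- name: generate selfsigned certs
  command: >-
    openssl req -new -x509 -nodes -newkey rsa:2048
    -keyout {{ dirsrv_root }}/dirsrv.key -out {{ dirsrv_root }}/dirsrv.crt
    -days 365 -sha256 -subj '/CN={{ ansible_fqdn }}' -extensions v3_ca
  args:
    creates: "{{ dirsrv_root }}/dirsrv.key"
  tags:
    - dirsrv
    - dirsrv-ssl

# Bundle key + cert into a PKCS#12 protected with the certdb password so pk12util can
# load it with the same password file; "server-cert" becomes the NSS nickname.
- name: export cert and key to pk21
  command: >-
    openssl pkcs12 -export -in {{ dirsrv_root }}/dirsrv.crt
    -inkey {{ dirsrv_root }}/dirsrv.key
    -password file:/root/dirsrv-setup/certdb_pw
    -out {{ dirsrv_root }}/server-cert.p12 -name server-cert
  args:
    creates: "{{ dirsrv_root }}/server-cert.p12"
  tags:
    - dirsrv
    - dirsrv-ssl

# Look up the nickname first: pk12util refuses to import a key/cert that already exists
# in the database (duplicate data), which would make every re-run of the play fail.
- name: check whether server-cert is already in the certdb
  command: "certutil -L -d {{ dirsrv_root }} -n server-cert"
  register: dirsrv_server_cert_lookup
  failed_when: false
  changed_when: false
  tags:
    - dirsrv
    - dirsrv-ssl

- name: import to nssdb
  command: >-
    pk12util -d {{ dirsrv_root }} -i {{ dirsrv_root }}/server-cert.p12
    -w /root/dirsrv-setup/certdb_pw -k /root/dirsrv-setup/certdb_pw
  when: dirsrv_server_cert_lookup.rc != 0
  tags:
    - dirsrv
    - dirsrv-ssl

# Trust flags: "C" marks the (self-signed) cert as a trusted CA for TLS server auth;
# re-applying the same flags on later runs is harmless.
- name: trust selfsigned
  command: "certutil -M -d {{ dirsrv_root }} -n server-cert -t Cu,u,u"
  tags:
    - dirsrv
    - dirsrv-ssl

# Rendered LDIF that points cn=encryption at the server-cert nickname (see comment block
# at the end of this file for its contents).
- name: ldif to enable ssl
  template:
    src: ssl.ldif.j2
    dest: /root/dirsrv-setup/ssl.ldif
  tags:
    - dirsrv
    - dirsrv-ssl

# Tolerated exit codes on re-runs: 20 = typeOrValueExists, 68 = entryAlreadyExists.
# no_log because ldapmodify_cmd is assumed to carry the bind password — TODO confirm.
# The config change only takes effect after the notified restart.
- name: (ldapmodify) enable ssl
  command: "{{ ldapmodify_cmd }} /root/dirsrv-setup/ssl.ldif"
  register: ldap_result
  failed_when: "ldap_result.rc not in [0, 20, 68]"
  no_log: true
  notify:
    - restart services
  tags:
    - dirsrv
    - dirsrv-ssl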
###
# ssl.ldif (what ssl.ldif.j2 renders to)
#
# NOTE(review): these two entries only disable SSLv2/SSLv3 and bind the RSA module to the
# "server-cert" nickname. 389 DS does not open the LDAPS port until cn=config also has
# "nsslapd-security: on" (and nsslapd-securePort, 636 by default); if ssl.ldif.j2 does not
# set that as well, the restart triggered by the ldapmodify task leaves only plain LDAP listening.
###
#dn: cn=encryption,cn=config
#changetype: modify
#replace: nsSSL3
#nsSSL3: off
#-
#replace: nsSSL2
#nsSSL2: off
#
#dn: cn=RSA,cn=encryption,cn=config
#changetype: add
#objectClass: top
#objectClass: nsEncryptionModule
#nsSSLPersonalitySSL: server-cert
#nsSSLActivation: on
#nsSSLToken: internal (software)
#cn: RSA