From: nicoo
Date: Fri, 17 Nov 2017 13:15:08 +0000 (+0100)
Subject: Merge branch 'master' into ansible-fixup
X-Git-Url: https://git.realraum.at/?a=commitdiff_plain;h=605383e1bfc115b3133b105565593d565a9f740d;hp=77527f38e49197966b59f7c3897a5aa9afe7669e;p=noc.git

Merge branch 'master' into ansible-fixup
---
diff --git a/ansible/ssh/noc/xro@bt.pub b/ansible/ssh/noc/xro@bt.pub
deleted file mode 100644
index 3c00b31..0000000
--- a/ansible/ssh/noc/xro@bt.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa 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 bernhard@bt
diff --git a/ansible/ssh/noc/xro@bt_ed25519.pub b/ansible/ssh/noc/xro@bt_ed25519.pub
deleted file mode 100644
index 0e0cd2f..0000000
--- a/ansible/ssh/noc/xro@bt_ed25519.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDF7QBOKpGmJFOFSyT/OCojttdBdscPp22KWlgidA46c bernhard@bt
diff --git a/ansible/ssh/noc/xro@btbook.pub b/ansible/ssh/noc/xro@btbook.pub
deleted file mode 100644
index bcd6b2c..0000000
--- a/ansible/ssh/noc/xro@btbook.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwBFJLAk3O4lIyqPo34VuSDpv+cWZxZf57m35/l6WXSCIb1FJCoQ6w85Z6obt2t/SRSY4Cyqane8Tp5ghKS2COPmemCMTY2ADxc6D/TRCDdsCM0JKtHBw2p7roGik1+nHhTZK7xW6eQc6Ley9bvPVe6vXxLV/NrzSmvvmgZ0zH7e+8r28/rmMIm6sCiFIn2QyXb7/cxuZ6RvrEEwBjhLuXhrAzgUzKne9d72EpNB65TW4wkjFTu2HJEZ4ryaUFuVtU6J5w5EIqwCTW51odXNAlfQxWtgj52W/bCtkvaQTS36ppC59hA6/CFS1Kywk4cLbi7aySGQfNUbhONLDNTfIWQ== bernhard@btbook
diff --git a/ansible/ssh/noc/xro@btbook_ed25519.pub b/ansible/ssh/noc/xro@btbook_ed25519.pub
deleted file mode 100644
index 3de7181..0000000
--- a/ansible/ssh/noc/xro@btbook_ed25519.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIz3F0i6jEK9aJ5BlUyBDk6dmpVSzAmhfraiFZR8Z6Yv bernhard@btbook.tittelbach.at
diff --git a/ansible/ssh/noc/xro@omoikane.pub b/ansible/ssh/noc/xro@omoikane.pub
deleted file mode 100644
index f65cf49..0000000
--- a/ansible/ssh/noc/xro@omoikane.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAv9V7TNnZ2xxbJZ7PRXMzNKwdFkKd0vbo7Ug7v+ZaOxDyKjBcbR36Njx071iB53sQ7O/F9Y9PIMedrl6cflJTbYiQ+t5egB3fr20fNUXdd3oNe/HDc3bfQ3Z8iMei0LvwNkZ9U4TbABkXAgJKO25x0QwpcWmdJMXKSXwCpLKZXeU= bernhard@Omoikane
diff --git a/ansible/ssh/noc/xro@realraum.pub b/ansible/ssh/noc/xro@realraum.pub
new file mode 100644
index 0000000..3cb67d6
--- /dev/null
+++ b/ansible/ssh/noc/xro@realraum.pub
@@ -0,0 +1 @@
+ssh-rsa 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 xro@r3.at
diff --git a/ansible/ssh/noc/xro@xperia.pub b/ansible/ssh/noc/xro@xperia.pub
deleted file mode 100644
index 15fd2d5..0000000
--- a/ansible/ssh/noc/xro@xperia.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/X6btnZSieJdjhjltQSPrG20uaIrxGzx81wjrjN2jzCTJKt3Gv1GBbw2IToze75kqrNNrgX0S4VO3Zd7yhdXi7Z/kD1AqUQjhirZKwbgnJ1MruJJgn+UxaNwcrOKuP52NUHXrgtjFGeb+k03iC+1ZJwZdQH5BL727W2UAqH/mQelz0vqyoekaZ8/Tlz0wbjPWhPnuVokszRrcPX96zO0IZi+MnIC2Hw4liZgTnw7LrxbjEGfdcVnvTg5rMKZFnc4eLleY7pDUCkoZ4JABcqpfAokFk940z5uBcVy9Nem5ph1DUUuPfSZtH8Aj0B7RKW1T75tBJOnKo4VAwNGuLb// bernhard@btphonexperia
diff --git a/doc/ACME/LAN.md b/doc/ACME/LAN.md
new file mode 100644
index 0000000..8764f02
--- /dev/null
+++ b/doc/ACME/LAN.md
@@ -0,0 +1,181 @@
+[[!meta title="Certificates for services on our LAN"]]
+
+# Let's Encrypt certs for services on our LAN
+
+We use [Let's Encrypt] to acquire and renew certificates for basically
+all services. However, some services are only exposed on the LAN, and
+so certificate acquisition becomes a bit trickier.
+
+[ACME], the protocol for interacting with [Let's Encrypt],
+supports [DNS-01] authorization, so we can use that to acquire certs
+without exposing services to the Internet.
+
+[Let's Encrypt]: https://letsencrypt.org/
+[DNS-01]: https://tools.ietf.org/html/draft-ietf-acme-acme-07#section-8.5
+[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-07
+
+
+## Overview
+
+Let's say we need certificates for `metrics.mgmt.realraum.at`
+
+`metrics.mgmt` will send DNS updates to `gw`. It only needs TXT records for
+  `_acme-challenge.metrics.mgmt.realraum.at` and they will be authenticated using
+  HMAC-SHA256.
+
+
+## Bind9
+
+### Generating a TSIG key
+
+On the system running the services:
+
+- Install `bind9utils` to have the not-so-aptly named `dnssec-keygen` tool.
+- As `root`, generate an HMAC-SHA256 key and make it readable by `acme`:
+
+    # dnssec-keygen -K /etc/acme -a HMAC-SHA256 -b 256 \
+        -n USER metrics.mgmt.realraum.at.
+    Kmetrics.mgmt.realraum.at.+163+06888
+
+    # chown root:acme /etc/acme/K*
+    # chmod 0440 /etc/acme/K*
+
+- Lookup the key, as we will need to put it in the NS' configuration
+
+    # cat /etc/acme/Kmetrics.mgmt.realraum.at.+163+06888.private
+    Private-key-format: v1.3
+    Algorithm: 163 (HMAC_SHA256)
+    Key: FG4v6Eya7utyJ1GxXm019kYBawN+jvfEWCC/7lIgraQ=
+    Bits: AAA=
+    Created: 20171022235329
+    Publish: 20171022235329
+    Activate: 20171022235329
+
+
+_Note:_ I selected HMAC-SHA256 because `gw.realraum.at` is running an
+    obsolete version of Bind9 that only supports HMAC or RSA.
+    In principle, the setup should be similar for asymetric signatures.
+
+
+### Adding the keys
+
+On `gw.realraum.at`:
+
+- `/etc/bind/keys.conf` should exist and be accessible to `root` and `bind`:
+
+    # touch /etc/bind/keys.conf
+    # chown root:bind /etc/bind/keys.conf
+    # chmod 0640 /etc/bind/keys.conf
+
+- Check that `keys.conf` is included from `named.conf.local`:
+
+    # head /etc/bind/named.conf.local
+    include "/etc/bind/zones.rfc1918";
+    include "/etc/bind/keys.conf";
+    [...]
+
+- Add the key descriptor to `keys.conf`:
+
+    # cat >> /etc/bind/keys.conf
+    key metrics.mgmt.realraum.at. {
+        algorithm HMAC-SHA256;
+        secret "4QZWZsLagxXaoBCAxDqbSZmoSjN5qJvZviadrPXkmvU=";
+    }
+
+
+### Setting up DNS updates
+
+- Edit the zone description in `named.conf.local` to allow updates:
+
+    zone "realraum.at" {
+        type master;
+        file "/etc/bind/db.realraum.at";
+        [...]
+
+        update-policy {
+            grant metrics.mgmt.realraum.at. name _acme-challenge.metrics.mgmt.realraum.at. TXT;
+        };
+    };
+
+- The update journal for the zone should be writeable by `bind`:
+
+    # touch /etc/bind/db.realraum.at.jnl
+    # chown root:bind /etc/bind/db.realraum.at.jnl
+    # chmod 0660 /etc/bind/db.realraum.at.jnl
+
+- Restart `bind`
+
+
+## [acmetool]
+
+### Installation
+
+- `acmetool` is available from the official repos starting with Stretch.
+- For earlier releases, Christian [has a package](https://build.spreadspace.org/)
+
+Start with a working, [rootless acmetool setup].
+
+_Note:_ On Debian, _hooks_ are located in `/etc/acme/hooks`, instead of
+    `/usr/lib/acme/hooks` or `/usr/libexec/acme/hooks`.
+
+[acmetool]: https://hlandau.github.io/acme/
+[rootless acmetool setup]: https://hlandau.github.io/acme/userguide#annex-root-configured-non-root-operation
+
+
+### Setting up the hook
+
+An example hook using `nsupdate`
+[already ships](https://github.com/hlandau/acme/blob/master/_doc/dns.hook)
+with acmetool.
+
+- Install `dnsutils` (contains `nsupdate`)
+- Link the hook from the documentation:
+
+    # ln -s ../../../usr/share/doc/acmetool/examples/dns.hook /etc/acme/
+
+- Write the configuration for it:
+
+    # cat > /etc/default/acme-dns
+    NSUPDATE_ARGS="-k /etc/acme/Kmetrics.mgmt.realraum.at.+163+06888.key"
+
+    nsupdate_cmds() {
+        echo server 192.168.33.1
+    }
+
+- Test
+
+    # sudo -u acme /etc/acme/hooks/dns.hook challenge-dns-start \
+        foo.example.com "" "foobar"
+    # sudo -u acme /etc/acme/hooks/dns.hook challenge-dns-start \
+        foo.example.com "" "foobar"
+
+    If either of those commands fail with an error,
+    check the DNS traffic (`tcpdump -vvv port 53`)
+
+
+### Certificate acquisition
+
+Once everything is setup, getting a certificate from Let's Encrypt
+is quite easy:
+
+    # sudo -u acme acmetool want metrics.mgmt.realraum.at
+
+
+### Testing automated removal
+
+Last thing, you should check that automatic renewal is setup and works:
+
+- Is the cron job in place?
+
+    # crontab -u acme -l
+
+    37 13 * * * /usr/bin/acmetool --batch reconcile
+
+- Is the default hook for reloading services in place?
+    If you delete the certificate and key, then run `acmetool`,
+    do your services use the new certificate?
+
+    # [check the service's certificate fingerprint, with openssl s_client]
+    # rm -rf /var/lib/acme/keys/*
+    # sudo -u acme acmetool --batch reconcile
+    # [check the service's certificate fingerprint, they should differ]