Review fedmsg-certs SOP
Signed-off-by: Michal Konečný <mkonecny@redhat.com>
This commit is contained in:
Michal Konečný
parent
f074a7040e
commit
8998ae5aa7
2 changed files with 19 additions and 22 deletions
|
|
@ -25,7 +25,7 @@
|
|||
** xref:docs.fedoraproject.org.adoc[Docs - SOP]
|
||||
** xref:fas-notes.adoc[Fedora Account System - SOP]
|
||||
** xref:fas-openid.adoc[FAS-OpenID - SOP]
|
||||
** xref:fedmsg-certs.adoc[fedmsg-certs - SOP in review ]
|
||||
** xref:fedmsg-certs.adoc[fedmsg (Fedora Messaging) Certs, Keys, and CA - SOP]
|
||||
** xref:fedmsg-gateway.adoc[fedmsg-gateway - SOP in review ]
|
||||
** xref:fedmsg-introduction.adoc[fedmsg-introduction - SOP in review ]
|
||||
** xref:fedmsg-irc.adoc[fedmsg-irc - SOP in review ]
|
||||
|
|
|
|||
|
|
@ -29,13 +29,13 @@ with signing them so an attacker cannot spoof.
|
|||
|
||||
Every instance of each service on each host has its own cert and private
|
||||
key, signed by the CA. By convention, we name the certs
|
||||
<service>-<fqdn>.\{crt,key} For instance, bodhi has the following certs:
|
||||
`<service>-<fqdn>.\{crt,key}` For instance, bodhi has the following certs:
|
||||
|
||||
* bodhi-app01.phx2.fedoraproject.org
|
||||
* bodhi-app02.phx2.fedoraproject.org
|
||||
* bodhi-app03.phx2.fedoraproject.org
|
||||
* bodhi-app01.stg.phx2.fedoraproject.org
|
||||
* bodhi-app02.stg.phx2.fedoraproject.org
|
||||
* bodhi-app01.iad2.fedoraproject.org
|
||||
* bodhi-app02.iad2.fedoraproject.org
|
||||
* bodhi-app03.iad2.fedoraproject.org
|
||||
* bodhi-app01.stg.iad2.fedoraproject.org
|
||||
* bodhi-app02.stg.iad2.fedoraproject.org
|
||||
* more
|
||||
|
||||
Scripts to generate new keys, sign them, and revoke them live in the
|
||||
|
|
@ -60,7 +60,7 @@ The attempt here is to minimize the number of potential attack vectors.
|
|||
Each private key should be readable only by the service that needs it.
|
||||
bodhi runs under mod_wsgi in apache and should run as its own unique
|
||||
bodhi user (not as apache). The permissions for
|
||||
its.phx2.fedoraproject.org private_key, when deployed by ansible, should
|
||||
its _iad2.fedoraproject.org_ private_key, when deployed by ansible, should
|
||||
be read-only for that local bodhi user.
|
||||
|
||||
For more information on how fedmsg uses these certs see
|
||||
|
|
@ -88,7 +88,6 @@ the old and generate a new CA root certificate, a signing cert and key,
|
|||
and all key/cert pairs for all service-hosts.
|
||||
|
||||
[NOTE]
|
||||
.Note
|
||||
====
|
||||
Warning -- Obviously, this will wipe everything. Do you want that?
|
||||
====
|
||||
|
|
@ -96,7 +95,7 @@ Warning -- Obviously, this will wipe everything. Do you want that?
|
|||
|
||||
First, checkout the ansible private repo as that's where the keys are
|
||||
going to be stored. The scripts will assume this is checked out to
|
||||
~/private.
|
||||
`~/private`.
|
||||
|
||||
In `ansible/roles/fedmsg/files/cert-tools` run:
|
||||
|
||||
|
|
@ -106,24 +105,24 @@ $ ./build-and-sign-key <service>-<fqdn>
|
|||
....
|
||||
|
||||
For instance, if we bring up a new app host,
|
||||
app10.phx2.fedoraproject.org, we'll need to generate a new cert/key pair
|
||||
_app10.iad2.fedoraproject.org_, we'll need to generate a new cert/key pair
|
||||
for each fedmsg-enabled service that will be running on it, so you'd
|
||||
run:
|
||||
|
||||
....
|
||||
$ source ./vars
|
||||
$ ./build-and-sign-key shell-app10.phx2.fedoraproject.org
|
||||
$ ./build-and-sign-key bodhi-app10.phx2.fedoraproject.org
|
||||
$ ./build-and-sign-key mediawiki-app10.phx2.fedoraproject.org
|
||||
$ ./build-and-sign-key shell-app10.iad2.fedoraproject.org
|
||||
$ ./build-and-sign-key bodhi-app10.iad2.fedoraproject.org
|
||||
$ ./build-and-sign-key mediawiki-app10.iad2.fedoraproject.org
|
||||
....
|
||||
|
||||
Just creating the keys isn't quite enough, there are four more things
|
||||
you'll need to do.
|
||||
|
||||
The private keys are created in your checkout of the private repo under
|
||||
~/private/private/fedmsg-certs/keys . There will be four files for each
|
||||
cert you created: <hexdigits>.pem (ex: 5B.pem) and
|
||||
<service>-<fqdn>.\{crt,csr,key} git add, commit, and push all of those.
|
||||
`~/private/private/fedmsg-certs/keys` . There will be four files for each
|
||||
cert you created: `<hexdigits>.pem` (ex: 5B.pem) and
|
||||
`<service>-<fqdn>.\{crt,csr,key}` git add, commit, and push all of those.
|
||||
|
||||
Second, You need to edit
|
||||
`ansible/roles/fedmsg/files/cert-tools/rebuild-all-fedmsg-certs` and add
|
||||
|
|
@ -132,9 +131,9 @@ to be blown away and recreated, the new service-hosts will be included.
|
|||
For the examples above, you would need to add to the list:
|
||||
|
||||
....
|
||||
shell-app10.phx2.fedoraproject.org
|
||||
bodhi-app10.phx2.fedoraproject.org
|
||||
mediawiki-app10.phx2.fedoraproject.org
|
||||
shell-app10.iad2.fedoraproject.org
|
||||
bodhi-app10.iad2.fedoraproject.org
|
||||
mediawiki-app10.iad2.fedoraproject.org
|
||||
....
|
||||
|
||||
You need to ensure that the keys are distributed to the host with the
|
||||
|
|
@ -167,14 +166,12 @@ globally.
|
|||
http://fedoraproject.org/fedmsg/crl.pem
|
||||
|
||||
[NOTE]
|
||||
.Note
|
||||
====
|
||||
Even though crl.pem lives in the private repo, we're just keeping it
|
||||
there for convenience. It really _should_ be served publicly, so don't
|
||||
panic. :)
|
||||
====
|
||||
[NOTE]
|
||||
.Note
|
||||
====
|
||||
At the time of this writing, the CRL is not actually used. I need one
|
||||
publicly available first so we can test it out.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue