Review fedmsg-certs SOP
Signed-off-by: Michal Konečný <mkonecny@redhat.com>
parent: f074a7040e
commit: 8998ae5aa7
2 changed files with 19 additions and 22 deletions
|
@ -25,7 +25,7 @@
|
||||||
** xref:docs.fedoraproject.org.adoc[Docs - SOP]
|
** xref:docs.fedoraproject.org.adoc[Docs - SOP]
|
||||||
** xref:fas-notes.adoc[Fedora Account System - SOP]
|
** xref:fas-notes.adoc[Fedora Account System - SOP]
|
||||||
** xref:fas-openid.adoc[FAS-OpenID - SOP]
|
** xref:fas-openid.adoc[FAS-OpenID - SOP]
|
||||||
** xref:fedmsg-certs.adoc[fedmsg-certs - SOP in review ]
|
** xref:fedmsg-certs.adoc[fedmsg (Fedora Messaging) Certs, Keys, and CA - SOP]
|
||||||
** xref:fedmsg-gateway.adoc[fedmsg-gateway - SOP in review ]
|
** xref:fedmsg-gateway.adoc[fedmsg-gateway - SOP in review ]
|
||||||
** xref:fedmsg-introduction.adoc[fedmsg-introduction - SOP in review ]
|
** xref:fedmsg-introduction.adoc[fedmsg-introduction - SOP in review ]
|
||||||
** xref:fedmsg-irc.adoc[fedmsg-irc - SOP in review ]
|
** xref:fedmsg-irc.adoc[fedmsg-irc - SOP in review ]
|
||||||
|
|
|
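Review bot: The new fedmsg-certs title expands "fedmsg" to "Fedora Messaging", but fedmsg (the ZeroMQ bus whose messages these certs sign) and fedora-messaging (the newer AMQP library) are different projects, and the three sibling entries in this list (fedmsg-gateway, fedmsg-introduction, fedmsg-irc) keep plain "fedmsg"; suggest `** xref:fedmsg-certs.adoc[fedmsg Certs, Keys, and CA - SOP]` so the parenthetical does not read as an alias for the other system. Dropping the "in review" tag on this entry alone is fine if only this SOP has been reviewed.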
@ -29,13 +29,13 @@ with signing them so an attacker cannot spoof.
|
||||||
|
|
||||||
Every instance of each service on each host has its own cert and private
|
Every instance of each service on each host has its own cert and private
|
||||||
key, signed by the CA. By convention, we name the certs
|
key, signed by the CA. By convention, we name the certs
|
||||||
<service>-<fqdn>.\{crt,key} For instance, bodhi has the following certs:
|
`<service>-<fqdn>.\{crt,key}` For instance, bodhi has the following certs:
|
||||||
|
|
||||||
* bodhi-app01.phx2.fedoraproject.org
|
* bodhi-app01.iad2.fedoraproject.org
|
||||||
* bodhi-app02.phx2.fedoraproject.org
|
* bodhi-app02.iad2.fedoraproject.org
|
||||||
* bodhi-app03.phx2.fedoraproject.org
|
* bodhi-app03.iad2.fedoraproject.org
|
||||||
* bodhi-app01.stg.phx2.fedoraproject.org
|
* bodhi-app01.stg.iad2.fedoraproject.org
|
||||||
* bodhi-app02.stg.phx2.fedoraproject.org
|
* bodhi-app02.stg.iad2.fedoraproject.org
|
||||||
* more
|
* more
|
||||||
|
|
||||||
Scripts to generate new keys, sign them, and revoke them live in the
|
Scripts to generate new keys, sign them, and revoke them live in the
|
||||||
|
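Review bot: In the newly backticked filename pattern `<service>-<fqdn>.\{crt,key}` the backslash before `{` will still render literally: Asciidoctor only treats `\{` as an escape when what follows is a valid attribute reference, and `{crt,key}` (with a comma) is not one, so the built page shows `\{crt,key}`; use a passthrough such as `+<service>-<fqdn>.{crt,key}+` instead, and apply the same fix to `.\{crt,csr,key}` later in this file. The `* more` bullet that closes the bodhi cert list also reads as a placeholder; "one pair per service-host, see `rebuild-all-fedmsg-certs`" would say what it stands for.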
@ -60,7 +60,7 @@ The attempt here is to minimize the number of potential attack vectors.
|
||||||
Each private key should be readable only by the service that needs it.
|
Each private key should be readable only by the service that needs it.
|
||||||
bodhi runs under mod_wsgi in apache and should run as its own unique
|
bodhi runs under mod_wsgi in apache and should run as its own unique
|
||||||
bodhi user (not as apache). The permissions for
|
bodhi user (not as apache). The permissions for
|
||||||
its.phx2.fedoraproject.org private_key, when deployed by ansible, should
|
its _iad2.fedoraproject.org_ private_key, when deployed by ansible, should
|
||||||
be read-only for that local bodhi user.
|
be read-only for that local bodhi user.
|
||||||
|
|
||||||
For more information on how fedmsg uses these certs see
|
For more information on how fedmsg uses these certs see
|
||||||
|
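Review bot: `its _iad2.fedoraproject.org_ private_key` is still not the name of anything: iad2.fedoraproject.org is the domain, and the key files this SOP defines are named `<service>-<fqdn>.key`, so the sentence should read along the lines of "the permissions for its `bodhi-<fqdn>.key` private key, when deployed by ansible, should be read-only for that local bodhi user", with `private_key` written as two words. Since the paragraph above says each private key should be readable only by the service that needs it, it would help to state the concrete target (owner bodhi, mode 0400) so a deploy can be checked against it.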
@ -88,7 +88,6 @@ the old and generate a new CA root certificate, a signing cert and key,
|
||||||
and all key/cert pairs for all service-hosts.
|
and all key/cert pairs for all service-hosts.
|
||||||
|
|
||||||
[NOTE]
|
[NOTE]
|
||||||
.Note
|
|
||||||
====
|
====
|
||||||
Warning -- Obviously, this will wipe everything. Do you want that?
|
Warning -- Obviously, this will wipe everything. Do you want that?
|
||||||
====
|
====
|
||||||
|
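Review bot: Removing the `.Note` title is fine, but the `[NOTE]` block still wraps text that opens with "Warning -- Obviously, this will wipe everything"; making it a `[WARNING]` admonition and dropping the hand-written "Warning --" prefix renders it with the right icon and avoids a note that announces itself as a warning.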
@ -96,7 +95,7 @@ Warning -- Obviously, this will wipe everything. Do you want that?
|
||||||
|
|
||||||
First, checkout the ansible private repo as that's where the keys are
|
First, checkout the ansible private repo as that's where the keys are
|
||||||
going to be stored. The scripts will assume this is checked out to
|
going to be stored. The scripts will assume this is checked out to
|
||||||
~/private.
|
`~/private`.
|
||||||
|
|
||||||
In `ansible/roles/fedmsg/files/cert-tools` run:
|
In `ansible/roles/fedmsg/files/cert-tools` run:
|
||||||
|
|
||||||
|
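Review bot: The private checkout is now quoted as `~/private`, but the following instruction, "In `ansible/roles/fedmsg/files/cert-tools` run:", does not say which checkout that path is relative to; if it is the ansible repo rather than the private one, say so ("in your ansible checkout, under `roles/fedmsg/files/cert-tools`") so the reader does not go looking for the scripts under `~/private`.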
@ -106,24 +105,24 @@ $ ./build-and-sign-key <service>-<fqdn>
|
||||||
....
|
....
|
||||||
|
|
||||||
For instance, if we bring up a new app host,
|
For instance, if we bring up a new app host,
|
||||||
app10.phx2.fedoraproject.org, we'll need to generate a new cert/key pair
|
_app10.iad2.fedoraproject.org_, we'll need to generate a new cert/key pair
|
||||||
for each fedmsg-enabled service that will be running on it, so you'd
|
for each fedmsg-enabled service that will be running on it, so you'd
|
||||||
run:
|
run:
|
||||||
|
|
||||||
....
|
....
|
||||||
$ source ./vars
|
$ source ./vars
|
||||||
$ ./build-and-sign-key shell-app10.phx2.fedoraproject.org
|
$ ./build-and-sign-key shell-app10.iad2.fedoraproject.org
|
||||||
$ ./build-and-sign-key bodhi-app10.phx2.fedoraproject.org
|
$ ./build-and-sign-key bodhi-app10.iad2.fedoraproject.org
|
||||||
$ ./build-and-sign-key mediawiki-app10.phx2.fedoraproject.org
|
$ ./build-and-sign-key mediawiki-app10.iad2.fedoraproject.org
|
||||||
....
|
....
|
||||||
|
|
||||||
Just creating the keys isn't quite enough, there are four more things
|
Just creating the keys isn't quite enough, there are four more things
|
||||||
you'll need to do.
|
you'll need to do.
|
||||||
|
|
||||||
The private keys are created in your checkout of the private repo under
|
The private keys are created in your checkout of the private repo under
|
||||||
~/private/private/fedmsg-certs/keys . There will be four files for each
|
`~/private/private/fedmsg-certs/keys` . There will be four files for each
|
||||||
cert you created: <hexdigits>.pem (ex: 5B.pem) and
|
cert you created: `<hexdigits>.pem` (ex: 5B.pem) and
|
||||||
<service>-<fqdn>.\{crt,csr,key} git add, commit, and push all of those.
|
`<service>-<fqdn>.\{crt,csr,key}` git add, commit, and push all of those.
|
||||||
|
|
||||||
Second, You need to edit
|
Second, You need to edit
|
||||||
`ansible/roles/fedmsg/files/cert-tools/rebuild-all-fedmsg-certs` and add
|
`ansible/roles/fedmsg/files/cert-tools/rebuild-all-fedmsg-certs` and add
|
||||||
|
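Review bot: The concrete example runs `$ source ./vars` before `./build-and-sign-key`, but the generic invocation in the context line above it (`$ ./build-and-sign-key <service>-<fqdn>`) does not show the `source ./vars` step; add it there too so a reader who follows the generic form does not run the script with its variables unset. "There are four more things you'll need to do" is then enumerated in prose ("First", "Second"); a numbered list would let the reader confirm all four were done.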
@ -132,9 +131,9 @@ to be blown away and recreated, the new service-hosts will be included.
|
||||||
For the examples above, you would need to add to the list:
|
For the examples above, you would need to add to the list:
|
||||||
|
|
||||||
....
|
....
|
||||||
shell-app10.phx2.fedoraproject.org
|
shell-app10.iad2.fedoraproject.org
|
||||||
bodhi-app10.phx2.fedoraproject.org
|
bodhi-app10.iad2.fedoraproject.org
|
||||||
mediawiki-app10.phx2.fedoraproject.org
|
mediawiki-app10.iad2.fedoraproject.org
|
||||||
....
|
....
|
||||||
|
|
||||||
You need to ensure that the keys are distributed to the host with the
|
You need to ensure that the keys are distributed to the host with the
|
||||||
|
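Review bot: Only the doc's example list is renamed to iad2 here; the script it describes, `ansible/roles/fedmsg/files/cert-tools/rebuild-all-fedmsg-certs`, is the actual list of service-hosts regenerated when the CA is blown away, so check that its entries use the iad2 names and carry no stale phx2 hosts, otherwise a CA rebuild would mint certs for hosts that no longer exist.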
@ -167,14 +166,12 @@ globally.
|
||||||
http://fedoraproject.org/fedmsg/crl.pem
|
http://fedoraproject.org/fedmsg/crl.pem
|
||||||
|
|
||||||
[NOTE]
|
[NOTE]
|
||||||
.Note
|
|
||||||
====
|
====
|
||||||
Even though crl.pem lives in the private repo, we're just keeping it
|
Even though crl.pem lives in the private repo, we're just keeping it
|
||||||
there for convenience. It really _should_ be served publicly, so don't
|
there for convenience. It really _should_ be served publicly, so don't
|
||||||
panic. :)
|
panic. :)
|
||||||
====
|
====
|
||||||
[NOTE]
|
[NOTE]
|
||||||
.Note
|
|
||||||
====
|
====
|
||||||
At the time of this writing, the CRL is not actually used. I need one
|
At the time of this writing, the CRL is not actually used. I need one
|
||||||
publicly available first so we can test it out.
|
publicly available first so we can test it out.
|
||||||
|
|
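Review bot: Dropping the `.Note` titles is fine, but the second note, "At the time of this writing, the CRL is not actually used", is exactly the statement a review pass should re-check: either confirm it still holds and date it, or replace it with how the CRL at http://fedoraproject.org/fedmsg/crl.pem is consumed now. That URL is also plain http; a CRL is CA-signed so its integrity does not depend on the transport, but an https URL lets clients authenticate the host they fetch it from and fits the first note's point that it "really _should_ be served publicly".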