[debops-users] usage of pki service - how to create new root ca

Jan Kowalsky jankow at datenkollektiv.net
Mon Nov 27 12:32:31 CET 2017

Hi Maciej,

thanks for your reply and your explanation. I see more clearly now.

Am 24.11.2017 um 00:18 schrieb Maciej Delmanowski:
> On Nov 23, Jan Kowalsky wrote:
>> Hi all,
>> How is it possible to initialize a completely new certificate authority
>> while there are already hosts in the same ansible domain?
> The 'debops.pki' role depends on a few things like presence of the generated
> private keys and certificates to not overwrite the certs over and over. If you
> want to reset it, removing the 'secret/pki/' directory (entire) on the Ansible
> Controller, as well as the '/etc/pki/realms/' directories on the remote hosts
> should be sufficient to create a new set of CA and certificates.

OK, I understand - there is no standalone initialization process - it's
initialized on configuration of the first host.

>> And still there is the problem that encfs on debian stretch isn't
>> working (but this is another story).

yes, I know.

> I chose it as the DebOps encryption method because it didn't require root
> access to lock/unlock the encrypted directories, and was portable enough that
> the encrypted data could be kept in the git repository, the same as the rest

the idea is fine - but at the moment with Debian stretch it doesn't
work at all - (this is already here

> or a separate. If you plan to use it, I would suggest to use an encrypted
> filesystem underneath as well, for example LUKS, to ensure better security.
> Of course EncFS is completely optional and could be replaced by something
> else.

I have now gone with the solution of mounting small LUKS containers, together
with a small script to mount/unmount them with PGP keys. They are small enough
to reside in git - but with the drawback that there is no tracking of
individual files inside.

On this point I'm wondering if it's easy to substitute the debops-padlock
command with any other script. As I understood it, debops takes care itself
of mounting/unmounting the secrets. Could this also be achieved with custom
mounting scripts?

Kind Regards
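As an added illustration of the LUKS-container approach described above: the script below is a constructed example, not Jan's script and not part of DebOps or debops-padlock. It assumes a layout where the container image (e.g. secret/pki.luks) and a PGP-encrypted copy of its random LUKS key (secret/pki.luks.key.gpg) sit next to each other in the git checkout; the `padlock-` mapper-name prefix, the `.key.gpg` suffix and the sudo-based privilege split are my choices. cryptsetup and mount need root, so those steps go through sudo, while gpg runs as the invoking user so that user's agent or smartcard is used.

```shell
#!/bin/sh
# padlock-luks.sh: keep secrets in a small LUKS container that lives in git,
# with the LUKS key stored next to it, encrypted to the admins' PGP keys.
# Constructed example, not Jan's script and not part of DebOps. Assumed layout:
#   CONTAINER            the LUKS image, e.g. secret/pki.luks (committed to git)
#   CONTAINER.key.gpg    random LUKS key, PGP-encrypted, also committed
set -u

# /dev/mapper name derived from the container path: secret/pki.luks -> padlock-pki
padlock_mapper_name() {
    base=$(basename "$1")
    printf 'padlock-%s\n' "${base%.*}"
}

# create CONTAINER RECIPIENT [SIZE]: sparse image, fresh random key encrypted
# to RECIPIENT, LUKS2 format and an ext4 filesystem inside.
padlock_create() {
    container=$1; recipient=$2; size=${3:-64M}
    name=$(padlock_mapper_name "$container")
    if [ -e "$container" ]; then echo "refusing to overwrite $container" >&2; return 1; fi
    truncate -s "$size" "$container" || return 1
    # 512 random bytes are the LUKS key; only the PGP-encrypted copy touches disk
    head -c 512 /dev/urandom \
        | gpg --quiet --encrypt --recipient "$recipient" --output "$container.key.gpg" \
        || return 1
    gpg --quiet --decrypt "$container.key.gpg" \
        | sudo cryptsetup luksFormat --batch-mode --type luks2 --key-file - "$container" \
        || return 1
    gpg --quiet --decrypt "$container.key.gpg" \
        | sudo cryptsetup open --key-file - "$container" "$name" || return 1
    sudo mkfs.ext4 -q "/dev/mapper/$name"
    sudo cryptsetup close "$name"
}

# unlock CONTAINER MOUNTPOINT: decrypt the key, open the device, mount it.
# Distinct return codes so a wrapper (or Ansible) can tell the failure modes apart.
padlock_unlock() {
    container=$1; mnt=$2
    name=$(padlock_mapper_name "$container")
    if [ ! -f "$container" ]; then echo "no container: $container" >&2; return 2; fi
    if [ ! -f "$container.key.gpg" ]; then echo "no key file: $container.key.gpg" >&2; return 3; fi
    if [ -e "/dev/mapper/$name" ]; then echo "already open: $name" >&2; return 4; fi
    mkdir -p "$mnt" || return 5
    gpg --quiet --decrypt "$container.key.gpg" \
        | sudo cryptsetup open --key-file - "$container" "$name" || return 6
    if ! sudo mount "/dev/mapper/$name" "$mnt"; then
        sudo cryptsetup close "$name"; return 7
    fi
    # hand the tree to the invoking user so Ansible reads the secrets without root
    sudo chown "$(id -u):$(id -g)" "$mnt"
}

# lock CONTAINER MOUNTPOINT: unmount and close; safe to call when already locked.
padlock_lock() {
    container=$1; mnt=$2
    name=$(padlock_mapper_name "$container")
    if mountpoint -q "$mnt"; then sudo umount "$mnt" || return 1; fi
    if [ -e "/dev/mapper/$name" ]; then sudo cryptsetup close "$name" || return 1; fi
    return 0
}

# command-line entry point; skipped when the file is only sourced for its functions
if [ $# -gt 0 ]; then
    case $1 in
        create) padlock_create "${2:-}" "${3:-}" "${4:-64M}" ;;
        unlock) padlock_unlock "${2:-}" "${3:-}" ;;
        lock)   padlock_lock "${2:-}" "${3:-}" ;;
        *) echo "usage: $0 create CONTAINER RECIPIENT [SIZE] | unlock CONTAINER MOUNTPOINT | lock CONTAINER MOUNTPOINT" >&2
           exit 64 ;;
    esac
fi
```

Usage: `./padlock-luks.sh create secret/pki.luks admin@example.org 64M` once, then `./padlock-luks.sh unlock secret/pki.luks secret/pki` before a playbook run and `lock` afterwards. Because the LUKS key itself is random and only its PGP-encrypted copy is committed, adding or removing an admin means re-encrypting the 512-byte key to a new recipient list, not reformatting the container. The drawback Jan mentions stands: git sees the whole image as one binary blob, so every change is a full new blob and per-file history inside the container is lost.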

