virtualice @CobaltVelvet

✔ buying a dedicated server
✔ installing debian and 2 packages
✔ adding that machine to the list and running ansible that will handle everything from now on

i forgot how to manage a pki ca

kind of shit that's so badly documented people sell books about it

and there's none of it in my bash/zsh history


@CobaltVelvet I’m not sure exactly what you’re doing, but if you have general questions i can answer without standing up my own trusted root, feel free to ask; i was the Person Who Dealt With PKI at my last place (and the only reason i’m not at this place is my coworker worked for an actual trusted root before here)

@CobaltVelvet try Hashicorp's Vault, its CA backend is amazeballs

@CobaltVelvet more like nobody cared to make decent and probably interactive tools for it.

update: i guessed things and it worked out fine. now i can talk about it.

first i had a very elaborate ansible playbook that would generate a key and csr on the vpn server,
then fetch, sign with the local ca, and upload the cert.

it got replaced by generating the key/cert locally and uploading it; it's many fewer steps and knowing that the ca host also has root on other servers it's not really problematic. (further automation was considered and abandoned later)

update 2: apparently it still uses the first method *after* the second.

okay i have no idea. i'd look at that file's history but... meh. not sure i'd get much information.

@CobaltVelvet (pointing back towards my earlier recommendation: Vault's CA can be used directly with OpenVPN, i.e. clients get their certificates with Vault instead of easy-pki or Ansible, plus Vault has a variety of authentication backends available; e.g. you could hand out certificates for certain servers or services based on GitHub groups, or LDAP logins etc. it's tremendously helpful and trivial to use, honestly)

@moritzheiber well it looks really good and i'll definitely consider it if and when i'll get the time and motivation to fix all of that, hopefully it'll happen in the next year

@CobaltVelvet lmk if you want any help, it’s literally what I do on a daily basis :)

@CobaltVelvet currently most of it is Keycloak, Vault and containers.. it’s a very potent combination

@moritzheiber @CobaltVelvet if it can help I have a repo where I was playing around with vault's pki and bootstrapping vault with an external ca too, it's here: github.com/caligin/nomad-playg
Makefile around +54 generates the "external" ca, then playbook.yml around +65 sets up a root ca inside vault