facebookarchive / CommunityCellularManager

Tool for deploying, managing and controlling your Community Cellular Networks

certifier ansible script missing easyrsa installation #18

Closed kheimerl closed 7 years ago

kheimerl commented 7 years ago

eom

9muir commented 7 years ago

Are you sure? It looks fine to me:

TASK [add easyrsa repo] ********************************************************
changed: [cert] => {"after": "5a429d22c78604c95813b457a8bea565a39793fa", "before": null, "changed": true, "warnings": []}

TASK [copy easyrsa] ************************************************************
changed: [cert] => {"changed": true, "cmd": ["cp", "/home/vagrant/easyrsa/easyrsa3/easyrsa", "/home/vagrant/certifier/"], "delta": "0:00:00.004870", "end": "2016-12-19 13:38:32.960355", "rc": 0, "start": "2016-12-19 13:38:32.955485", "stderr": "", "stdout": "", "stdout_lines": [], "warnings": []}

TASK [easyrsa permissions] *****************************************************
ok: [cert] => {"changed": false, "gid": 0, "group": "root", "mode": "0755", "owner": "root", "path": "/home/vagrant/certifier/easyrsa", "size": 35253, "state": "file", "uid": 0}

kheimerl commented 7 years ago

The prod one, certifier.yml.

shaddi commented 7 years ago

This is by design. The cert generation used for the development environment isn't a recommended setup for a production deployment, and how one wants to deploy in production is probably going to vary from environment to environment.

What we've done in the past for production environments is generate a root key on a known trusted machine with a good source of randomness (i.e., not on AWS). The root key is stored offline and used only to generate signing key(s), which are then manually copied over to the machine running certifier via a secure channel. Then the signing key is used like the root key in the dev environment.

We should copy the easyrsa script and certifier.py over, and if we're not doing that that's a bug. But adding instructions or a script for production-ready key generation, etc, is something we'd have to add.
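
The offline-root workflow described in the comment above, as an added shell example that is not part of the project: it uses plain openssl rather than the repository's easyrsa script (easyrsa's equivalents are build-ca, gen-req and sign-req ca), and the directory names, CNs and function names are assumptions. offline-root/ stands in for the trusted machine that never goes online; certifier/ stands in for the host running certifier and receives only the signing key, its certificate and the root certificate.

```shell
#!/bin/sh
# Added example (not the project's own code): two-tier PKI with an offline root
# and an online "signing" (intermediate) CA. Paths and names are illustrative.
set -eu

# Minimal openssl config so the example does not depend on the system openssl.cnf.
write_cnf() {
  printf '[req]\ndistinguished_name = dn\n[dn]\n[ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$1"
}

# build_two_tier_pki BASE: root CA in BASE/offline-root, signing CA copied to BASE/certifier.
build_two_tier_pki() {
  local root="$1/offline-root" cert="$1/certifier"
  mkdir -p "$root" "$cert"
  write_cnf "$root/openssl.cnf"

  # 1. Root key and self-signed root certificate, generated on the trusted offline machine.
  openssl genrsa -out "$root/root.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$root/root.key" -config "$root/openssl.cnf" -extensions ca \
    -sha256 -days 3650 -subj "/CN=Example Root CA" -out "$root/root.crt"

  # 2. Signing key and CSR, also generated offline, then signed by the root.
  #    pathlen:0 stops the signing CA from issuing further CAs if it is ever compromised.
  openssl genrsa -out "$root/signing.key" 2048 2>/dev/null
  openssl req -new -key "$root/signing.key" -config "$root/openssl.cnf" \
    -subj "/CN=Example Signing CA" -out "$root/signing.csr"
  printf 'basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$root/signing.ext"
  openssl x509 -req -in "$root/signing.csr" -CA "$root/root.crt" -CAkey "$root/root.key" \
    -CAcreateserial -sha256 -days 1825 -extfile "$root/signing.ext" -out "$root/signing.crt" 2>/dev/null

  # 3. The "secure channel" step: only these files leave the offline machine. root.key never does.
  cp "$root/signing.key" "$root/signing.crt" "$root/root.crt" "$root/openssl.cnf" "$cert/"
}

# issue_leaf BASE NAME: what the certifier host does in production, using only BASE/certifier.
issue_leaf() {
  local cert="$1/certifier" name="$2"
  openssl genrsa -out "$cert/$name.key" 2048 2>/dev/null
  openssl req -new -key "$cert/$name.key" -config "$cert/openssl.cnf" -subj "/CN=$name" -out "$cert/$name.csr"
  printf 'basicConstraints = critical,CA:FALSE\nkeyUsage = critical,digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth,clientAuth\n' > "$cert/leaf.ext"
  openssl x509 -req -in "$cert/$name.csr" -CA "$cert/signing.crt" -CAkey "$cert/signing.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$cert/leaf.ext" -out "$cert/$name.crt" 2>/dev/null
}

# verify_leaf BASE NAME: exit 0 if NAME.crt chains leaf -> signing CA -> root, non-zero otherwise.
verify_leaf() {
  openssl verify -CAfile "$1/certifier/root.crt" -untrusted "$1/certifier/signing.crt" \
    "$1/certifier/$2.crt" >/dev/null 2>&1
}

# root_key_absent BASE: exit 0 if the root private key is not present on the certifier host.
root_key_absent() {
  [ ! -e "$1/certifier/root.key" ]
}

# Demonstration: build the hierarchy, issue one leaf, check the chain and the offline root.
demo_dir=$(mktemp -d)
build_two_tier_pki "$demo_dir"
issue_leaf "$demo_dir" bts-1
verify_leaf "$demo_dir" bts-1 && root_key_absent "$demo_dir" && echo "chain OK, root key stays offline"
```

The check that matters operationally is the last one: after provisioning, the certifier host holds signing.key but no root.key, so a compromise of that host costs you one intermediate (revocable and re-issuable from the offline root) rather than the whole trust hierarchy.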

kheimerl commented 7 years ago

We are not copying the easyrsa script over and that is a bug.

On Tue, Dec 20, 2016 at 9:21 AM, Shaddi Hasan notifications@github.com wrote:

> This is by design. The cert generation used for the development environment isn't a recommended setup for a production deployment, and how one wants to deploy in production is probably going to vary from environment to environment.
>
> What we've done in the past for production environments is generate a root key on a known trusted machine with a good source of randomness (i.e., not on AWS). The root key is stored offline and used only to generate signing key(s), which are then manually copied over to the machine running certifier via a secure channel. Then the signing key is used like the root key in the dev environment.
>
> We should copy the easyrsa script and certifier.py over, and if we're not doing that that's a bug. But adding instructions or a script for production-ready key generation, etc, is something we'd have to add.


9muir commented 7 years ago

resolved by 8ec79b6