custom crt and key for nginx

2025-12-06 17:22:49 +01:00 · 2023-06-28 10:28:50 -04:00
parent 77e6ee3c36
commit 12cce111db
6 changed files with 86 additions and 45 deletions
--- a/salt/nginx/enabled.sls
+++ b/salt/nginx/enabled.sls
@@ -9,6 +9,7 @@
 {%   from 'docker/docker.map.jinja' import DOCKER %}

 include:
+  - nginx.ssl
  - nginx.config
  - nginx.sostatus

--- a/salt/nginx/soc_nginx.yaml
+++ b/salt/nginx/soc_nginx.yaml
@@ -3,7 +3,7 @@ nginx:
    description: You can enable or disable Nginx.
    advanced: True
    helpLink: nginx.html
-  config:
+  ssl:
    replace_cert:
      description: Enable this if you would like to replace the Security Onion Certificate with your own.
      global: True
@@ -11,19 +11,20 @@ nginx:
      title: Replace Default Cert
      helpLink: nginx.html
    ssl__key:
-      description: If you enabled the replace_cert option, paste your .key file here.
+      description: If you enabled the replace_cert option, paste the contents of your .key file here.
      file: True
-      title: SSL Key File
+      title: SSL/TLS Key File
      advanced: True
      global: True
      helpLink: nginx.html
    ssl__crt:
-      description: If you enabled the replace_cert option, paste your .crt file here.
+      description: If you enabled the replace_cert option, paste the contents of your .crt file here.
      file: True
-      title: SSL Cert File
+      title: SSL/TLS Cert File
      advanced: True
      global: True
      helpLink: nginx.html
+  config:
    throttle_login_burst:
      description: Number of login requests that can burst without triggering request throttling. Higher values allow more repeated login attempts. Values greater than zero are required in order to provide a usable login flow.
      global: True
--- a/salt/nginx/ssl.sls
+++ b/salt/nginx/ssl.sls
@@ -0,0 +1,79 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'nginx/map.jinja' import NGINXMERGED %}
+
+{#   if the user has selected to replace the crt and key in the ui #}
+{%   if NGINXMERGED.ssl.replace_cert %}
+
+managerssl_key:
+  file.managed:
+    - name: /etc/pki/managerssl.key
+    - source: salt://nginx/ssl/ssl.key
+    - mode: 640
+    - group: 939
+
+managerssl_crt:
+  file.managed:
+    - name: /etc/pki/managerssl.crt
+    - source: salt://nginx/ssl/ssl.crt
+    - mode: 644
+
+{%   else %}
+
+managerssl_key:
+  x509.private_key_managed:
+    - name: /etc/pki/managerssl.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%}
+    - prereq:
+      - x509: /etc/pki/managerssl.crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+# Create a cert for the reverse proxy
+managerssl_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/managerssl.crt
+    - ca_server: {{ ca_server }}
+    - signing_policy: managerssl
+    - private_key: /etc/pki/managerssl.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - unless:
+      # https://github.com/saltstack/salt/issues/52167
+      # Will trigger 5 days (432000 sec) from cert expiration
+      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+{%   endif %}
+
+msslkeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/managerssl.key
+    - mode: 640
+    - group: 939
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}
--- a/salt/nginx/config/ssl.crt
+++ b/salt/nginx/config/ssl.crt
--- a/salt/nginx/config/ssl.key
+++ b/salt/nginx/config/ssl.key
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -507,47 +507,7 @@ elasticp12perms:
    - mode: 640
    - group: 930

-managerssl_key:
-  x509.private_key_managed:
-    - name: /etc/pki/managerssl.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%}
-    - prereq:
-      - x509: /etc/pki/managerssl.crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30

-# Create a cert for the reverse proxy
-managerssl_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/managerssl.crt
-    - ca_server: {{ ca_server }}
-    - signing_policy: managerssl
-    - private_key: /etc/pki/managerssl.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - unless:
-      # https://github.com/saltstack/salt/issues/52167
-      # Will trigger 5 days (432000 sec) from cert expiration
-      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-msslkeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/managerssl.key
-    - mode: 640
-    - group: 939

  {% endif %}