From 12cce111db6c99e66c4a3cdd51e2dbd1f463efd2 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 28 Jun 2023 10:28:50 -0400 Subject: [PATCH 01/10] custom crt and key for nginx --- salt/nginx/enabled.sls | 1 + salt/nginx/soc_nginx.yaml | 11 +++-- salt/nginx/ssl.sls | 79 ++++++++++++++++++++++++++++++ salt/nginx/{config => ssl}/ssl.crt | 0 salt/nginx/{config => ssl}/ssl.key | 0 salt/ssl/init.sls | 40 --------------- 6 files changed, 86 insertions(+), 45 deletions(-) create mode 100644 salt/nginx/ssl.sls rename salt/nginx/{config => ssl}/ssl.crt (100%) rename salt/nginx/{config => ssl}/ssl.key (100%) diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls index 93c5e4ebc..614264fda 100644 --- a/salt/nginx/enabled.sls +++ b/salt/nginx/enabled.sls @@ -9,6 +9,7 @@ {% from 'docker/docker.map.jinja' import DOCKER %} include: + - nginx.ssl - nginx.config - nginx.sostatus diff --git a/salt/nginx/soc_nginx.yaml b/salt/nginx/soc_nginx.yaml index 8b362a538..31eb6ce45 100644 --- a/salt/nginx/soc_nginx.yaml +++ b/salt/nginx/soc_nginx.yaml @@ -3,7 +3,7 @@ nginx: description: You can enable or disable Nginx. advanced: True helpLink: nginx.html - config: + ssl: replace_cert: description: Enable this if you would like to replace the Security Onion Certificate with your own. global: True 
@@ -11,19 +11,20 @@ nginx: title: Replace Default Cert helpLink: nginx.html ssl__key: - description: If you enabled the replace_cert option, paste your .key file here. + description: If you enabled the replace_cert option, paste the contents of your .key file here. file: True - title: SSL Key File + title: SSL/TLS Key File advanced: True global: True helpLink: nginx.html ssl__crt: - description: If you enabled the replace_cert option, paste your .crt file here. + description: If you enabled the replace_cert option, paste the contents of your .crt file here. file: True - title: SSL Cert File + title: SSL/TLS Cert File advanced: True global: True helpLink: nginx.html + config: throttle_login_burst: description: Number of login requests that can burst without triggering request throttling. Higher values allow more repeated login attempts. Values greater than zero are required in order to provide a usable login flow. global: True diff --git a/salt/nginx/ssl.sls b/salt/nginx/ssl.sls new file mode 100644 index 000000000..b6d09b899 --- /dev/null +++ b/salt/nginx/ssl.sls 
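Review bot: The reworded descriptions for `ssl__key` and `ssl__crt` say what to paste but not where the material ends up; salt/nginx/ssl.sls in this same series sources the key from `salt://nginx/ssl/ssl.key`, so the pasted private key is presumably written into the manager's Salt fileserver and copied to /etc/pki/managerssl.key from there. Suggest extending the `ssl__key` description with `The private key is stored on the manager and distributed through the Salt fileserver; treat this setting as sensitive.` The `ssl__crt` description could likewise state that a PEM-encoded certificate is expected, if that is what the consuming state requires — confirm against the nginx config.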
@@ -0,0 +1,79 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls.split('.')[0] in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'nginx/map.jinja' import NGINXMERGED %} + +{# if the user has selected to replace the crt and key in the ui #} +{% if NGINXMERGED.ssl.replace_cert %} + +managerssl_key: + file.managed: + - name: /etc/pki/managerssl.key + - source: salt://nginx/ssl/ssl.key + - mode: 640 + - group: 939 + +managerssl_crt: + file.managed: + - name: /etc/pki/managerssl.crt + - source: salt://nginx/ssl/ssl.crt + - mode: 644 + +{% else %} + +managerssl_key: + x509.private_key_managed: + - name: /etc/pki/managerssl.key + - keysize: 4096 + - backup: True + - new: True + {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%} + - prereq: + - x509: /etc/pki/managerssl.crt + {%- endif %} + - retry: + attempts: 5 + interval: 30 + +# Create a cert for the reverse proxy +managerssl_crt: + x509.certificate_managed: + - name: /etc/pki/managerssl.crt + - ca_server: {{ ca_server }} + - signing_policy: managerssl + - private_key: /etc/pki/managerssl.key + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} + - days_remaining: 0 + - days_valid: 820 + - backup: True + - unless: + # https://github.com/saltstack/salt/issues/52167 + # Will trigger 5 days (432000 sec) from cert expiration + - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 30 + - retry: + attempts: 5 + interval: 30 + +{% endif %} + +msslkeyperms: + 
file.managed: + - replace: False + - name: /etc/pki/managerssl.key + - mode: 640 + - group: 939 + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/nginx/config/ssl.crt b/salt/nginx/ssl/ssl.crt similarity index 100% rename from salt/nginx/config/ssl.crt rename to salt/nginx/ssl/ssl.crt diff --git a/salt/nginx/config/ssl.key b/salt/nginx/ssl/ssl.key similarity index 100% rename from salt/nginx/config/ssl.key rename to salt/nginx/ssl/ssl.key diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 358357459..48f643e29 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -507,47 +507,7 @@ elasticp12perms: - mode: 640 - group: 930 -managerssl_key: - x509.private_key_managed: - - name: /etc/pki/managerssl.key - - keysize: 4096 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%} - - prereq: - - x509: /etc/pki/managerssl.crt - {%- endif %} - - retry: - attempts: 5 - interval: 30 -# Create a cert for the reverse proxy -managerssl_crt: - x509.certificate_managed: - - name: /etc/pki/managerssl.crt - - ca_server: {{ ca_server }} - - signing_policy: managerssl - - private_key: /etc/pki/managerssl.key - - CN: {{ GLOBALS.hostname }} - - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -msslkeyperms: - file.managed: - - replace: False - - name: /etc/pki/managerssl.key - - mode: 640 - - group: 939 {% endif %} From 24b7f7a7ce1b84edb8fdddd8b3d56c35e3e440b7 Mon Sep 17 00:00:00 2001 
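Review bot: In the replace_cert branch the pasted key and certificate are installed by `file.managed` with no validation, so a malformed PEM, a truncated paste, or a key that does not belong to the certificate is written over the working files in /etc/pki and only surfaces when so-nginx fails to start, whereas the x509 branch below always produces a matching pair. `file.managed` accepts `check_cmd`, which is run with the candidate file appended as its last argument, so `- check_cmd: openssl pkey -noout -in` on managerssl_key and `- check_cmd: openssl x509 -noout -in` on managerssl_crt would reject unparsable input before it replaces anything (a key/cert match check would need a small wrapper script). The same unguarded states are re-created in salt/nginx/enabled.sls by patch 07, where the same check applies. `msslkeyperms` also repeats the `mode: 640` / `group: 939` that managerssl_key already sets in this branch; it presumably exists for the x509 branch, and a one-line comment saying so would make that clear.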
From: m0duspwnens Date: Wed, 28 Jun 2023 10:32:16 -0400 Subject: [PATCH 02/10] move replace_cert under ssl for nginx defaults --- salt/nginx/defaults.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/nginx/defaults.yaml b/salt/nginx/defaults.yaml index 3c520888a..088ba9257 100644 --- a/salt/nginx/defaults.yaml +++ b/salt/nginx/defaults.yaml @@ -1,6 +1,7 @@ nginx: enabled: False - config: + ssl: replace_cert: False + config: throttle_login_burst: 12 throttle_login_rate: 20 From be028aa23e96f61854a3d02b51cc15f8c0aa4097 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 28 Jun 2023 10:58:13 -0400 Subject: [PATCH 03/10] define ca_server for nginx.ssl --- salt/nginx/ssl.sls | 2 ++ salt/ssl/init.sls | 2 -- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/nginx/ssl.sls b/salt/nginx/ssl.sls index b6d09b899..fbcf2b6c6 100644 --- a/salt/nginx/ssl.sls +++ b/salt/nginx/ssl.sls @@ -7,6 +7,8 @@ {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'nginx/map.jinja' import NGINXMERGED %} +{# since nginx runs on the manager we can just use the hostname as the ca server #} +{% set ca_server = GLOBALS.hostname %} {# if the user has selected to replace the crt and key in the ui #} {% if NGINXMERGED.ssl.replace_cert %} diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 48f643e29..4bb706d63 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -507,8 +507,6 @@ elasticp12perms: - mode: 640 - group: 930 - - {% endif %} From 02ea939abc6c26bed058fd23aa2db16d3bd42f6c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 28 Jun 2023 11:11:20 -0400 Subject: [PATCH 04/10] watch crt and key for nginx container --- salt/nginx/enabled.sls | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls index 614264fda..dc2c6dcc4 100644 --- a/salt/nginx/enabled.sls +++ b/salt/nginx/enabled.sls 
@@ -7,6 +7,7 @@ {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'nginx/map.jinja' import NGINXMERGED %} include: - nginx.ssl @@ -73,6 +74,13 @@ so-nginx: - watch: - file: nginxconf - file: nginxconfdir +{% if NGINXMERGED.ssl.replace_cert %} + - file: managerssl_key + - file: managerssl_crt +{% else %} + - x509: managerssl_key + - x509: managerssl_crt +{% endif%} - require: - file: nginxconf {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %} From cae011babb3da9d2d7f4ee5329caca8b58c33a1f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 28 Jun 2023 11:30:36 -0400 Subject: [PATCH 05/10] force bool for nginx ssl replace_cert --- salt/nginx/soc_nginx.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/nginx/soc_nginx.yaml b/salt/nginx/soc_nginx.yaml index 31eb6ce45..924a45ae9 100644 --- a/salt/nginx/soc_nginx.yaml +++ b/salt/nginx/soc_nginx.yaml @@ -8,6 +8,7 @@ nginx: description: Enable this if you would like to replace the Security Onion Certificate with your own. global: True advanced: True + forcedType: bool title: Replace Default Cert helpLink: nginx.html ssl__key: From 69670c481de48229b8a1ce1b29f1aa4e16ace793 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 28 Jun 2023 11:32:08 -0400 Subject: [PATCH 06/10] fix require logic for nginx container --- salt/nginx/enabled.sls | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls index dc2c6dcc4..7dfe7560d 100644 --- a/salt/nginx/enabled.sls +++ b/salt/nginx/enabled.sls 
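Review bot: The closing tag on the new watch block is written `{% endif%}` while every other Jinja tag in the file uses `{% endif %}`; it renders fine but reads as a typo, so suggest `{% endif %}`. The require block added to so-nginx by patch 06 (salt/nginx/enabled.sls, hunk at -83,12) repeats the same `{% endif%}` spelling, and that copy survives patch 07's rewrite. The so-nginx state these watches belong to begins before this hunk.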
@@ -83,12 +83,17 @@ so-nginx: {% endif%} - require: - file: nginxconf - {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %} +{% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %} +{% if NGINXMERGED.ssl.replace_cert %} + - file: managerssl_key + - file: managerssl_crt +{% else %} - x509: managerssl_key - x509: managerssl_crt +{% endif%} - file: navigatorconfig - file: navigatordefaultlayer - {% endif %} +{% endif %} delete_so-nginx_so-status.disabled: file.uncomment: From 66457ad8f8c76254553c57e824439dd3d34688ce Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 28 Jun 2023 12:27:14 -0400 Subject: [PATCH 07/10] use watch_in instead of watch --- salt/nginx/enabled.sls | 79 +++++++++++++++++++++++++++++++++++----- salt/nginx/ssl.sls | 81 ------------------------------------------ 2 files changed, 71 insertions(+), 89 deletions(-) delete mode 100644 salt/nginx/ssl.sls diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls index 7dfe7560d..0db4fe4be 100644 --- a/salt/nginx/enabled.sls +++ b/salt/nginx/enabled.sls 
@@ -8,12 +8,82 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'docker/docker.map.jinja' import DOCKER %} {% from 'nginx/map.jinja' import NGINXMERGED %} +{% set ca_server = GLOBALS.hostname %} include: - - nginx.ssl - nginx.config - nginx.sostatus +{# if the user has selected to replace the crt and key in the ui #} +{% if NGINXMERGED.ssl.replace_cert %} + +managerssl_key: + file.managed: + - name: /etc/pki/managerssl.key + - source: salt://nginx/ssl/ssl.key + - mode: 640 + - group: 939 + - watch_in: + - docker_container: so-nginx + +managerssl_crt: + file.managed: + - name: /etc/pki/managerssl.crt + - source: salt://nginx/ssl/ssl.crt + - mode: 644 + - watch_in: + - docker_container: so-nginx + +{% else %} + +managerssl_key: + x509.private_key_managed: + - name: /etc/pki/managerssl.key + - keysize: 4096 + - backup: True + - new: True + {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%} + - prereq: + - x509: /etc/pki/managerssl.crt + {%- endif %} + - retry: + attempts: 5 + interval: 30 + - watch_in: + - docker_container: so-nginx + +# Create a cert for the reverse proxy +managerssl_crt: + x509.certificate_managed: + - name: /etc/pki/managerssl.crt + - ca_server: {{ ca_server }} + - signing_policy: managerssl + - private_key: /etc/pki/managerssl.key + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} + - days_remaining: 0 + - days_valid: 820 + - backup: True + - unless: + # https://github.com/saltstack/salt/issues/52167 + # Will trigger 5 days (432000 sec) from cert expiration + - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 30 + - retry: + attempts: 5 + interval: 30 + - watch_in: + - docker_container: so-nginx + +{% endif %} + +msslkeyperms: + file.managed: + - replace: False + - name: /etc/pki/managerssl.key + - mode: 640 + - group: 939 + 
make-rule-dir-nginx: file.directory: - name: /nsm/rules @@ -74,13 +144,6 @@ so-nginx: - watch: - file: nginxconf - file: nginxconfdir -{% if NGINXMERGED.ssl.replace_cert %} - - file: managerssl_key - - file: managerssl_crt -{% else %} - - x509: managerssl_key - - x509: managerssl_crt -{% endif%} - require: - file: nginxconf {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %} diff --git a/salt/nginx/ssl.sls b/salt/nginx/ssl.sls deleted file mode 100644 index fbcf2b6c6..000000000 --- a/salt/nginx/ssl.sls +++ /dev/null 
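Review bot: The `{# since nginx runs on the manager we can just use the hostname as the ca server #}` comment from the deleted salt/nginx/ssl.sls was not carried over, so `{% set ca_server = GLOBALS.hostname %}` now sits between the imports and the include with no explanation. Suggest restoring it as `{# nginx only runs on the manager, which is also the CA, so sign against the local node #}`, worded around the node rather than the hostname since patch 08 later changes the value to GLOBALS.minion_id. The so-nginx container state that the new `watch_in` entries target is defined after this hunk, in the second hunk of this file.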
@@ -1,81 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls.split('.')[0] in allowed_states %} -{% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'nginx/map.jinja' import NGINXMERGED %} -{# since nginx runs on the manager we can just use the hostname as the ca server #} -{% set ca_server = GLOBALS.hostname %} - -{# if the user has selected to replace the crt and key in the ui #} -{% if NGINXMERGED.ssl.replace_cert %} - -managerssl_key: - file.managed: - - name: /etc/pki/managerssl.key - - source: salt://nginx/ssl/ssl.key - - mode: 640 - - group: 939 - -managerssl_crt: - file.managed: - - name: /etc/pki/managerssl.crt - - source: salt://nginx/ssl/ssl.crt - - mode: 644 - -{% else %} - -managerssl_key: - x509.private_key_managed: - - name: /etc/pki/managerssl.key - - keysize: 4096 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%} - - prereq: - - x509: /etc/pki/managerssl.crt - {%- endif %} - - retry: - attempts: 5 - interval: 30 - -# Create a cert for the reverse proxy -managerssl_crt: - x509.certificate_managed: - - name: /etc/pki/managerssl.crt - - ca_server: {{ ca_server }} - - signing_policy: managerssl - - private_key: /etc/pki/managerssl.key - - CN: {{ GLOBALS.hostname }} - - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 
432000)); [ $enddate -gt $expire_date ]' - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -{% endif %} - -msslkeyperms: - file.managed: - - replace: False - - name: /etc/pki/managerssl.key - - mode: 640 - - group: 939 - -{% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - -{% endif %} From 120d21c0daf821bfd833e6c5714e4922e314e78c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 28 Jun 2023 13:52:30 -0400 Subject: [PATCH 08/10] use minion id instead of hostname for ca_server in nginx state --- salt/nginx/enabled.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls index 0db4fe4be..6019e25db 100644 --- a/salt/nginx/enabled.sls +++ b/salt/nginx/enabled.sls @@ -8,7 +8,7 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'docker/docker.map.jinja' import DOCKER %} {% from 'nginx/map.jinja' import NGINXMERGED %} -{% set ca_server = GLOBALS.hostname %} +{% set ca_server = GLOBALS.minion_id %} include: - nginx.config From eeaf077baf9c7cce2996f48cd38880ff96b5bd96 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 28 Jun 2023 15:02:09 -0400 Subject: [PATCH 09/10] dont need the unless for ssl since using x509v2 now --- salt/nginx/enabled.sls | 4 ---- 1 file changed, 4 deletions(-) diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls index 6019e25db..fb56674b2 100644 --- a/salt/nginx/enabled.sls +++ b/salt/nginx/enabled.sls @@ -64,10 +64,6 @@ managerssl_crt: - days_remaining: 0 - days_valid: 820 - backup: True - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - timeout: 30 - retry: attempts: 5 From 34db6fb823987361136da15d6b41b4b8b3e8e4f5 Mon Sep 17 00:00:00 2001 
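Review bot: `{% set ca_server = GLOBALS.minion_id %}` replaces the hostname without saying why; the x509 `ca_server` argument names the minion the signing request is published to, which need not equal the hostname, so a short comment would stop the next reader from reverting it: `{# ca_server must be the salt minion id of the CA node, not its hostname #}`.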
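Review bot: Dropping the `unless` guard removes the only early-renewal trigger for managerssl_crt: the deleted comment documents that it fired 5 days before expiry, while the surviving `days_remaining: 0` asks the x509 state to renew only once no validity remains, so the reverse-proxy certificate would now roll over after it has already expired rather than before (assuming x509_v2 treats `days_remaining` as the remaining-validity threshold and 0 as "no early renewal" — confirm). If that window is still wanted, `- days_remaining: 5` preserves the previous behaviour. Patch 10 makes the same removal for every certificate in salt/ssl/init.sls (hunks at -76, -121, -169, -250, -359, -436, -478, -545 and -605), where the same point applies; the managerssl_crt state continues before and after this hunk.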
From: m0duspwnens Date: Wed, 28 Jun 2023 15:06:13 -0400 Subject: [PATCH 10/10] dont need the unless for ssl since using x509v2 now --- salt/ssl/init.sls | 50 ----------------------------------------------- 1 file changed, 50 deletions(-) diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 4bb706d63..376900f33 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -76,12 +76,6 @@ influxdb_crt: - days_remaining: 0 - days_valid: 820 - backup: True -{% if grains.role not in ['so-heavynode'] %} - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/influxdb.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' -{% endif %} - timeout: 30 - retry: attempts: 5 @@ -121,12 +115,6 @@ redis_crt: - days_remaining: 0 - days_valid: 820 - backup: True -{% if grains.role not in ['so-heavynode'] %} - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' -{% endif %} - timeout: 30 - retry: attempts: 5 @@ -169,12 +157,6 @@ etc_elasticfleet_crt: - days_remaining: 0 - days_valid: 820 - backup: True -{% if grains.role not in ['so-heavynode'] %} - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticfleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' -{% endif %} - timeout: 30 - retry: attempts: 5 
@@ -250,12 +232,6 @@ etc_elasticfleetlogstash_crt: - days_remaining: 0 - days_valid: 820 - backup: True -{% if grains.role not in ['so-heavynode'] %} - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticfleet-logstash.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' -{% endif %} - timeout: 30 - retry: attempts: 5 @@ -359,12 +335,6 @@ etc_filebeat_crt: - days_remaining: 0 - days_valid: 820 - backup: True -{% if grains.role not in ['so-heavynode'] %} - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' -{% endif %} - timeout: 30 - retry: attempts: 5 @@ -436,10 +406,6 @@ registry_crt: - days_remaining: 0 - days_valid: 820 - backup: True - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/registry.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - timeout: 30 - retry: attempts: 5 @@ -478,12 +444,6 @@ regkeyperms: - days_remaining: 0 - days_valid: 820 - backup: True -{% if grains.role not in ['so-heavynode'] %} - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' -{% endif %} - timeout: 30 - retry: attempts: 5 
@@ -545,12 +505,6 @@ conf_filebeat_crt: - days_remaining: 0 - days_valid: 820 - backup: True -{% if grains.role not in ['so-heavynode'] %} - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' -{% endif %} - timeout: 30 - retry: attempts: 5 @@ -605,10 +559,6 @@ chownfilebeatp8: - days_remaining: 0 - days_valid: 820 - backup: True - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - timeout: 30 - retry: attempts: 5