commit 2b65966381e81ee12c1539d61a63e596e30141db
parent cd2d654d41f655c97413125d8155dfa81249f45b
Author: Andreas Gruhler <agruhl@gmx.ch>
Date: Sat, 4 Oct 2025 16:20:51 +0200
feat(openbao): use self-signed certs from installer
Diffstat:
4 files changed, 7 insertions(+), 122 deletions(-)
diff --git a/README.md b/README.md
@@ -51,27 +51,9 @@ The packer builder "cross" requires `qemu-img`.
## Self-signed TLS Certificates
### OpenBao
-To create a new self-signed CA certificate for Bao:
-```bash
-# create bao self-signed CA certificate in ./tls/vault/
-./vault-tls.sh
-```
-
-A new self-signed server certificate is created in the Bao provisioning stage.
-
-The Packer JSON supports a few arguments for Bao server certificates:
-```json
- "vault_tls_ca_cert": "./tls/vault/ca/vault_ca.pem",
- "vault_tls_ca_key": "./tls/vault/ca/vault_ca.key",
- "vault_tls_subj_alt_name": ""
-```
-
-* `vault_tls_ca_cert`: The path of the CA certificate on the Packer build host,
- e.g., created with `./vault-tls.sh`
-* `vault_tls_ca_key`: The path of the CA key on the Packer build host, e.g.,
- created with `./vault-tls.sh`
-* `vault_tls_subj_alt_name`: Comma seperated list of Subject Alternative Names
- (SAN) for the self-signed certificates, e.g., `DNS:vault.example.com`
+OpenBao installation uses the self-signed certificates that are initially
+created in `/opt/openbao/tls` during the OpenBao installation process from the
+official package.
### Nomad
The steps to create a set of self-signed certificates for Nomad are not fully
diff --git a/hashi-pi.pkr.hcl b/hashi-pi.pkr.hcl
@@ -108,21 +108,6 @@ variable "vault_addr" {
default = "https://vault.in0rdr.ch"
}
-variable "vault_tls_ca_cert" {
- type = string
- default = "./tls/vault/ca/vault_ca.pem"
-}
-
-variable "vault_tls_ca_key" {
- type = string
- default = "./tls/vault/ca/vault_ca.key"
-}
-
-variable "vault_tls_subj_alt_name" {
- type = string
- default = "IP:127.0.0.1"
-}
-
variable "vault_transit_server" {
type = string
default = ""
@@ -261,16 +246,6 @@ build {
]
}
- provisioner "file" {
- destination = "/tmp/vault_ca.pem"
- source = "${var.vault_tls_ca_cert}"
- }
-
- provisioner "file" {
- destination = "/tmp/vault_ca.key"
- source = "${var.vault_tls_ca_key}"
- }
-
provisioner "shell" {
script = "openbao.sh"
remote_folder = "/home/${var.username}"
@@ -279,9 +254,6 @@ build {
"USERNAME=${var.username}",
"HOSTNAME=${var.hostname}",
"NOMAD_SERVER=${var.nomad_server}",
- "VAULT_TLS_CA_CERT=/tmp/vault_ca.pem",
- "VAULT_TLS_CA_KEY=/tmp/vault_ca.key",
- "VAULT_TLS_SUBJ_ALT_NAME=${var.vault_tls_subj_alt_name}",
"VAULT_TRANSIT_SERVER=${var.vault_transit_server}",
"VAULT_TRANSIT_TOKEN=${var.vault_transit_token}"
]
diff --git a/openbao.sh b/openbao.sh
@@ -15,41 +15,10 @@ rm -rf /etc/openbao/*
mkdir -p /etc/openbao/tls
# The bao systemd service requires this env file, can be empty
touch /etc/openbao/openbao.env
-cd /etc/openbao/tls
-
-# Specify CSR parameters for server key
-VAULT_TLS_SUBJ_ALT_NAME=${VAULT_TLS_SUBJ_ALT_NAME:+", $VAULT_TLS_SUBJ_ALT_NAME"}
-SERVER_CONFIG="
-[ req ]
-commonName = $HOSTNAME
-distinguished_name = dn
-req_extensions = ext
-[ dn ]
-CN = Common Name
-[ ext ]
-subjectAltName = DNS:$HOSTNAME $VAULT_TLS_SUBJ_ALT_NAME
-keyUsage=critical,digitalSignature,keyAgreement
-"
-# Create new private key and CSR
-openssl req -config <(echo "$SERVER_CONFIG") -subj "/CN=${HOSTNAME}" -extensions ext -out "${HOSTNAME}.csr" -new -newkey rsa:2048 -nodes -keyout "${HOSTNAME}.key"
-# Sign the CSR
-openssl x509 -extfile <(echo "$SERVER_CONFIG") -extensions ext -req -in "${HOSTNAME}.csr" -CA "$VAULT_TLS_CA_CERT" -CAkey "$VAULT_TLS_CA_KEY" -CAcreateserial -out "${HOSTNAME}.pem" -days 365
-# Show fingerprint
-openssl x509 -in "${HOSTNAME}.pem" -fingerprint -noout
-
-# Cleanup CA key
-rm -rf "$VAULT_TLS_CA_KEY"
-
-# Change permissions for tls certs
-chmod 640 *.key
-chmod 644 *.pem
-
-# Concatenate CA and server certificate
-cat "$VAULT_TLS_CA_CERT" >> "${HOSTNAME}.pem"
-
-# Trust the CA
-mv "$VAULT_TLS_CA_CERT" /usr/local/share/ca-certificates/
-update-ca-certificates
+
+# Symlink self-signed certs of Openbao installer
+ln -s /opt/openbao/tls/tls.key "/etc/openbao/tls/$HOSTNAME.key"
+ln -s /opt/openbao/tls/tls.crt "/etc/openbao/tls/$HOSTNAME.pem"
cat << EOF > /etc/openbao/openbao.hcl
ui = true
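Review bot: The two `ln -s` calls succeed even when `/opt/openbao/tls/tls.key` or `tls.crt` is absent, leaving dangling symlinks that only surface as a TLS error when the bao service starts; guard them first with `[[ -f /opt/openbao/tls/tls.key && -f /opt/openbao/tls/tls.crt ]] || { echo "installer TLS material missing in /opt/openbao/tls" >&2; exit 1; }`. The removed block also printed the server certificate fingerprint and set 640/644 on the key and cert, whereas the symlinks inherit whatever owner and mode the package gave the targets, so confirm the bao service user can read `tls.key` and keep `openssl x509 -in /opt/openbao/tls/tls.crt -fingerprint -noout` so the build log still records which certificate was installed. With the `update-ca-certificates` step and the `$HOSTNAME` SAN gone, clients that reach bao by hostname presumably need to pin `tls.crt` (e.g. via `VAULT_CACERT`) or the installer certificate's SAN must already cover the host; a comment on the symlink lines stating that assumption would save the next reader a debugging round. The `openbao.hcl` heredoc opened on the last line continues outside the hunk.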
diff --git a/vault-tls.sh b/vault-tls.sh
@@ -1,38 +0,0 @@
-#!/usr/bin/env bash
-#
-# Creates a set of certificates for use with HashiCorp Vault
-# https://learn.hashicorp.com/vault/operations/ops-deployment-guide
-
-# set -o errexit
-# set -o nounset
-# set -o xtrace
-
-# https://www.shellhacks.com/yes-no-bash-script-prompt-confirmation/
-# read -p "Do you want to generate a new set of Vault certicates in the directory \"./tls/vault/\" [y/N]? " -n 1 -r
-read -p "Do you want to generate a new Vault CA certicate in the directory \"./tls/vault/\" [y/N]? " -n 1 -r
-echo # (optional) move to a new line
-if [[ ! $REPLY =~ ^[Yy]$ ]]
-then
- exit 1
-fi
-
-# Set working dir
-VAULT_TLS_BASE_PATH="${VAULT_TLS_BASE_PATH:-./tls/vault/}"
-mkdir -p "$VAULT_TLS_BASE_PATH"
-cd "$VAULT_TLS_BASE_PATH"
-
-# Cleanup previously generated certificates
-rm -rf certs ca
-mkdir -p certs ca
-
-# Create CA cert
-CA_CONFIG="
-[ req ]
-distinguished_name = dn
-[ dn ]
-[ ext ]
-basicConstraints = critical, CA:true, pathlen:1
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-"
-openssl req -config <(echo "$CA_CONFIG") -new -newkey rsa:2048 -nodes -days 730 \
- -subj "/CN=Snake Root CA" -x509 -extensions ext -keyout "./ca/vault_ca.key" -out "./ca/vault_ca.pem"