Bug 2186057
| Field | Value |
|---|---|
| Summary | rhel-system-roles.certificate does not re-issue after updating key_size |
| Product | Red Hat Enterprise Linux 8 |
| Reporter | Sunny Wu <suwu> |
| Component | rhel-system-roles |
| Assignee | Rafael Jeffman <rjeffman> |
| Status | VERIFIED --- |
| QA Contact | David Jež <djez> |
| Severity | low |
| Docs Contact | David Voženílek <dvozenil> |
| Priority | unspecified |
| Version | 8.7 |
| CC | djez, jharuda, rmeggins, spetrosi, vdanek |
| Target Milestone | rc |
| Keywords | Triaged |
| Target Release | 8.9 |
| Flags | rmeggins: needinfo? (vdanek) |
| Hardware | All |
| OS | Linux |
| Whiteboard | role:certificate |
| Fixed In Version | rhel-system-roles-1.22.0-0.16.el8 |
| Doc Type | Bug Fix |
| Doc Text | see below |
| Story Points | --- |
| Clone Of | |
| Clones | 2224138 (view as bug list) |
| Environment | |
| Last Closed | |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 2224138 |

Doc Text:

**Resolves:**
When requesting a certificate, the key size is not evaluated to determine whether a new certificate has to be requested.

**Result:**
This patch adds 'key_size' to the metadata comparison that determines whether a new certificate request must be performed.

**Issue Tracker Tickets (Jira or BZ if any):** [RHBZ#2186057](https://bugzilla.redhat.com/show_bug.cgi?id=2186057)
Description of problem: When using the `rhel-system-roles.certificate` system role provided in EL8.7, the role does not sufficiently check existing certificate parameters before reporting that no changes are needed. For example, if you create a certificate with basic syntax:

```yaml
- name: Build TLS certs for Satellite
  ansible.builtin.include_role:
    name: rhel-system-roles.certificate
  vars:
    certificate_requests:
      - name: test
        dns:
          - test.example.com
          - "{{ inventory_hostname }}"
        ips:
          - "{{ ansible_eth0.ipv4.address }}"
        principal: HTTP/test.example.com
        ca: ipa
```

Modifying it to:

```yaml
- name: Build TLS certs for Satellite
  ansible.builtin.include_role:
    name: rhel-system-roles.certificate
  vars:
    certificate_requests:
      - name: test
        key_size: 3072   # <<<<<=====
        dns:
          - test.example.com
          - "{{ inventory_hostname }}"
        ips:
          - "{{ ansible_eth0.ipv4.address }}"
        principal: HTTP/test.example.com
        ca: ipa
```

results in the second run reporting no changes, and the existing certificate not being modified. When adding a "country" parameter, a new key/certificate pair is (re)issued:

```yaml
- name: Build TLS certs for Satellite
  ansible.builtin.include_role:
    name: rhel-system-roles.certificate
  vars:
    certificate_requests:
      - name: test
        key_size: 3072   # <<<<<=====
        country: "AU"    # <<<<<=====
        dns:
          - test.example.com
          - "{{ inventory_hostname }}"
        ips:
          - "{{ ansible_eth0.ipv4.address }}"
        principal: HTTP/test.example.com
        ca: ipa
```

Actual results: Certificate is not issued with new parameters.

Expected results: Modifying any of the creation parameters would modify the created certificate and reissue if required.
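The Doc Text describes the fix as adding `key_size` to the metadata comparison that decides whether a certificate must be re-requested. The following is an added example, not code from rhel-system-roles or from the reporter: it models that comparison in plain Python and replays the three playbook runs from the report against it, once with a field list that omits `key_size` (the reported behaviour) and once with `key_size` included. The field names, the shape of the stored metadata, the resolved hostname and IP, and the default key size of 2048 used when a request omits `key_size` are all assumptions for illustration.

```python
"""Added example: models the idempotency check a certificate provider makes
before re-requesting a certificate.  Not code from rhel-system-roles."""
from typing import Any, Dict, List, Sequence

DEFAULT_KEY_SIZE = 2048  # assumed default applied when a request omits key_size

# Comparison fields before the fix: key_size is absent, so a changed key
# size can never mark the existing certificate as stale.
BUGGY_FIELDS: Sequence[str] = ("ca", "dns", "ips", "principal", "country")
# Comparison fields after the fix (key_size appended).
FIXED_FIELDS: Sequence[str] = tuple(BUGGY_FIELDS) + ("key_size",)

LIST_FIELDS = {"dns", "ips"}  # order-insensitive, duplicates irrelevant


def normalize(request: Dict[str, Any]) -> Dict[str, Any]:
    """Canonical form of a request so that equivalent requests compare equal.

    List-valued SAN fields are deduplicated and sorted, key_size falls back to
    the assumed default, and every other field is copied unchanged.
    """
    norm: Dict[str, Any] = {}
    for key, value in request.items():
        norm[key] = sorted(set(value)) if key in LIST_FIELDS else value
    norm.setdefault("key_size", DEFAULT_KEY_SIZE)
    return norm


def changed_fields(requested: Dict[str, Any], existing: Dict[str, Any],
                   fields: Sequence[str]) -> List[str]:
    """Return the compared fields whose value differs, in comparison order.

    An empty list is the 'ok, nothing to do' outcome: the role would keep the
    current key/certificate pair.  Fields outside `fields` are ignored, which
    is exactly how a missing key_size slips through the buggy comparison.
    """
    req, cur = normalize(requested), normalize(existing)
    return [f for f in fields if req.get(f) != cur.get(f)]


def needs_reissue(requested: Dict[str, Any], existing: Dict[str, Any],
                  fields: Sequence[str]) -> bool:
    """True when at least one compared field differs."""
    return bool(changed_fields(requested, existing, fields))


# Constructed requests replaying the three runs in the report; the Jinja
# expressions are shown already resolved to assumed values.
BASE_REQUEST = {
    "name": "test",
    "dns": ["test.example.com", "host1.example.com"],  # inventory_hostname
    "ips": ["192.0.2.10"],                              # ansible_eth0.ipv4.address
    "principal": "HTTP/test.example.com",
    "ca": "ipa",
}
KEY_SIZE_REQUEST = dict(BASE_REQUEST, key_size=3072)   # second run
COUNTRY_REQUEST = dict(KEY_SIZE_REQUEST, country="AU")  # third run

# Metadata recorded when the first run issued the certificate; no explicit
# key_size was given, so the assumed default is what got stored.
EXISTING = normalize(BASE_REQUEST)


if __name__ == "__main__":
    runs = (("base", BASE_REQUEST),
            ("key_size 3072", KEY_SIZE_REQUEST),
            ("+ country", COUNTRY_REQUEST))
    for label, req in runs:
        print(f"{label:14} buggy={changed_fields(req, EXISTING, BUGGY_FIELDS)!r:22}"
              f" fixed={changed_fields(req, EXISTING, FIXED_FIELDS)!r}")
```

With the buggy field list the second run reports no change, while the third run is reissued only because `country` happens to be compared, matching the report. With `key_size` in the list the second run is flagged as well. Independently of what the role reports, the key size actually on disk can be confirmed with `openssl x509 -in <cert> -noout -text`, whose Subject Public Key Info section states the bit length of the public key.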