The `certificate` RHEL System Role now checks for the certificate key size when determining whether to perform a new certificate request
Previously, the `certificate` RHEL System Role did not check the key size of a certificate when evaluating whether to request a new certificate. As a consequence, the role sometimes did not issue new certificate requests in cases where it should. With this update, `certificate` now checks the `key_size` parameter to determine if a new certificate request should be performed.
Description of problem:
When using the `rhel-system-roles.certificate` system role provided in EL8.7, the role does not sufficiently check existing certificate parameters before reporting that no changes are needed.
For example, if you create a certificate with basic syntax:
- name: Build TLS certs for Satellite
  ansible.builtin.include_role:
    name: rhel-system-roles.certificate
  vars:
    certificate_requests:
      - name: test
        dns:
          - test.example.com
          - "{{ inventory_hostname }}"
        ips:
          - "{{ ansible_eth0.ipv4.address }}"
        principal: HTTP/test.example.com
        ca: ipa
Modifying it to:
- name: Build TLS certs for Satellite
  ansible.builtin.include_role:
    name: rhel-system-roles.certificate
  vars:
    certificate_requests:
      - name: test
        key_size: 3072  # <<<<<=====
        dns:
          - test.example.com
          - "{{ inventory_hostname }}"
        ips:
          - "{{ ansible_eth0.ipv4.address }}"
        principal: HTTP/test.example.com
        ca: ipa
Results in the second run reporting no changes, and the existing certificate not being modified.
When adding a "country" parameter, a new key/certificate pair is (re)issued.
- name: Build TLS certs for Satellite
  ansible.builtin.include_role:
    name: rhel-system-roles.certificate
  vars:
    certificate_requests:
      - name: test
        key_size: 3072  # <<<<<=====
        country: "AU"   # <<<<<=====
        dns:
          - test.example.com
          - "{{ inventory_hostname }}"
        ips:
          - "{{ ansible_eth0.ipv4.address }}"
        principal: HTTP/test.example.com
        ca: ipa
Actual results:
Certificate is not issued with new parameters.
Expected results:
Modifying any of the creation parameters would modify the created certificate and reissue if required.
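As an added example, not code from the rhel-system-roles project or the bug reporter, the following shell check does on the managed host what the report says the role was skipping: it compares a deployed certificate against the key_size, country and dns values a certificate_requests entry asked for, and says whether a new request is needed. It assumes openssl 1.1.1 or later is in PATH (for the -addext option used to build the sample); the self-signed certificate it generates, its paths, the 2048-bit size assumed for the original certificate and the requested values are constructed for the example, and cert_drift and needs_reissue are names chosen here, not functions of the role.

```shell
#!/bin/sh
# Added example, not code from the rhel-system-roles certificate role.
# Compares a deployed certificate with the parameters a certificate_requests
# entry asked for (key_size, country, dns) and reports which ones drifted.
# Assumes: openssl 1.1.1+ in PATH. The certificate, paths and requested
# values below are constructed for the example.

# Public key size in bits, e.g. 2048, parsed from the "Public-Key: (N bit)"
# line of the text dump (matches both the 1.1.1 and 3.x spellings).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Subject country (C=) taken from the RFC 2253 subject string; empty if absent.
cert_country() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//' | tr ',' '\n' | sed -n 's/^C=//p' | head -n 1
}

# DNS subjectAltName entries, one per line, sorted so request order is irrelevant.
cert_dns_sans() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p' | sort
}

# cert_drift CERT KEY_SIZE COUNTRY DNS_NAME...
# Prints each requested parameter the certificate does not satisfy, one per
# line; prints nothing when the certificate already matches the request.
cert_drift() {
    cert=$1; want_bits=$2; want_country=$3; shift 3
    [ "$(cert_key_bits "$cert")" = "$want_bits" ] || echo key_size
    [ "$(cert_country "$cert")" = "$want_country" ] || echo country
    want_dns=$(printf '%s\n' "$@" | sort)
    [ "$(cert_dns_sans "$cert")" = "$want_dns" ] || echo dns
    return 0
}

# yes/no answer to "should a new certificate request be performed?"
needs_reissue() {
    if [ -n "$(cert_drift "$@")" ]; then echo yes; else echo no; fi
}

# Constructed stand-in for the certificate the first play deployed: a
# 2048-bit RSA key (size assumed here), C=AU, SANs for both hostnames.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/test.key" -out "$1/test.crt" \
        -subj "/C=AU/CN=test.example.com" \
        -addext "subjectAltName=DNS:test.example.com,DNS:host1.example.com" \
        2>/dev/null
}

# Demo: the same request with key_size raised to 3072, as in the report.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir"
echo "key_size 2048 -> 3072: reissue=$(needs_reissue "$demo_dir/test.crt" 3072 AU test.example.com host1.example.com)"
echo "drift: $(cert_drift "$demo_dir/test.crt" 3072 AU test.example.com host1.example.com | tr '\n' ' ')"
rm -rf "$demo_dir"
```

Run it on the managed host against the certificate the role wrote (replace the sample path with the role's output file) after each play; a non-empty drift list with an unchanged certificate is exactly the symptom described above, and key_size is the field the fixed role now includes in its own comparison.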
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (rhel-system-roles bug fix and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHEA-2023:6946
Comment 10 Red Hat Bugzilla 2024-03-21 04:25:02 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days