Bug 2224138

Summary: rhel-system-roles.certificate does not re-issue after updating key_size
Product: Red Hat Enterprise Linux 9
Reporter: Rich Megginson <rmeggins>
Component: rhel-system-roles
Assignee: Rich Megginson <rmeggins>
Status: VERIFIED
QA Contact: Jakub Haruda <jharuda>
Severity: low
Priority: unspecified
Version: 9.3
CC: djez, jharuda, rhel-cs-system-management-subsystem-qe, rjeffman, rmeggins, spetrosi, suwu, vdanek
Target Milestone: rc
Keywords: Triaged
Target Release: 9.3
Flags: rmeggins: needinfo? (djez), rmeggins: needinfo? (vdanek)
Hardware: All
OS: Linux
Whiteboard: role:certificate
Fixed In Version: rhel-system-roles-1.22.0-0.16.el9
Doc Type: Bug Fix
Doc Text:
**Resolves:** When requesting a certificate, the key size was not evaluated when deciding whether a new certificate has to be requested. **Result:** This patch adds 'key_size' to the metadata comparison that determines whether a new certificate request must be performed.
Story Points: ---
Clone Of: 2186057
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2186057

Description Rich Megginson 2023-07-19 23:39:44 UTC
+++ This bug was initially created as a clone of Bug #2186057 +++

Description of problem:

When using the `rhel-system-roles.certificate` system role provided in EL8.7, the role does not sufficiently check existing certificate parameters before reporting that no changes are needed. 

For example, if you create a certificate with basic syntax:

    - name: Build TLS certs for Satellite
      ansible.builtin.include_role:
        name: rhel-system-roles.certificate
      vars:
        certificate_requests:
          - name: test
            dns:
              - test.example.com
              - "{{ inventory_hostname }}"
            ips:
              - "{{ ansible_eth0.ipv4.address }}"
            principal: HTTP/test.example.com
            ca: ipa

Modifying it to:

    - name: Build TLS certs for Satellite
      ansible.builtin.include_role:
        name: rhel-system-roles.certificate
      vars:
        certificate_requests:
          - name: test
            key_size: 3072                <<<<<=====
            dns:
              - test.example.com
              - "{{ inventory_hostname }}"
            ips:
              - "{{ ansible_eth0.ipv4.address }}"
            principal: HTTP/test.example.com
            ca: ipa

Results in the second run reporting no changes, and the existing certificate not being modified.

When adding a "country" parameter, a new key/certificate pair is (re)issued.

    - name: Build TLS certs for Satellite
      ansible.builtin.include_role:
        name: rhel-system-roles.certificate
      vars:
        certificate_requests:
          - name: test
            key_size: 3072                <<<<<=====
            country: "AU"                 <<<<<=====
            dns:
              - test.example.com
              - "{{ inventory_hostname }}"
            ips:
              - "{{ ansible_eth0.ipv4.address }}"
            principal: HTTP/test.example.com
            ca: ipa
Actual results:
Certificate is not issued with new parameters.

Expected results:
Modifying any of the creation parameters would modify the created certificate and reissue if required.

--- Additional comment from Rafael Jeffman on 2023-07-18 22:55:42 UTC ---

Upstream PR: https://github.com/linux-system-roles/certificate/pull/188
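The decision the description and the Doc Text talk about, modelled as an added example (this is not code from the rhel-system-roles certificate role or from the upstream PR): a simplified "does the issued certificate still match the request?" comparison, once with the field list that omits key_size (the behaviour reported here) and once with key_size included (the fix the Doc Text describes). The field names, the metadata dictionaries and the 2048-bit value for the first request are assumptions constructed for illustration; the real role stores and compares its request metadata in its own format.

```python
"""
Added example: a simplified model of the metadata comparison that decides
whether a certificate has to be re-requested. Field names, sample metadata
and the 2048-bit default are assumptions for illustration only.
"""


def _normalize(value):
    """SAN lists are order-insensitive, so compare them as sorted tuples."""
    if isinstance(value, list):
        return tuple(sorted(value))
    return value


def changed_fields(existing, requested, compared_fields):
    """Return the names of compared fields whose requested value differs
    from what the issued certificate was created with. An empty list means
    the role would report "ok" and leave the existing certificate in place."""
    return [
        field
        for field in compared_fields
        if _normalize(existing.get(field)) != _normalize(requested.get(field))
    ]


# Fields compared before the fix: key_size is missing, so a changed key
# size is never noticed and the certificate keeps its original key.
FIELDS_BEFORE_FIX = ("dns", "ips", "principal", "country")

# Fields compared after the fix (key_size added to the comparison).
FIELDS_AFTER_FIX = FIELDS_BEFORE_FIX + ("key_size",)

# Constructed sample: metadata recorded when the first playbook run issued
# the certificate (no key_size given, assumed default of 2048).
EXISTING_CERT_METADATA = {
    "dns": ["test.example.com", "host1.example.com"],
    "ips": ["192.0.2.10"],
    "principal": "HTTP/test.example.com",
    "country": None,
    "key_size": 2048,
}

# Constructed sample: the second run from the report, adding key_size: 3072.
REQUEST_WITH_NEW_KEY_SIZE = dict(EXISTING_CERT_METADATA, key_size=3072)

# Constructed sample: the third run, adding country as well.
REQUEST_WITH_KEY_SIZE_AND_COUNTRY = dict(REQUEST_WITH_NEW_KEY_SIZE, country="AU")


def reissue_decision(existing, requested, compared_fields):
    """Summarise the outcome as the role would report it."""
    diff = changed_fields(existing, requested, compared_fields)
    return "reissue" if diff else "ok"


if __name__ == "__main__":
    for label, request in (
        ("key_size only", REQUEST_WITH_NEW_KEY_SIZE),
        ("key_size + country", REQUEST_WITH_KEY_SIZE_AND_COUNTRY),
    ):
        before = reissue_decision(EXISTING_CERT_METADATA, request, FIELDS_BEFORE_FIX)
        after = reissue_decision(EXISTING_CERT_METADATA, request, FIELDS_AFTER_FIX)
        print(f"{label:20s} before fix: {before:8s} after fix: {after}")
```

With the pre-fix field list the key_size-only request is reported as "ok" and the 2048-bit key stays in use, which is exactly why a country change (a compared field) triggers a re-issue while a key size change alone does not. Because an "ok" from a configuration role only proves that the role's own comparison found nothing, a key-size policy change is worth confirming on the managed host by inspecting the issued certificate rather than by trusting the play's summary.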