Bug 2186057 - rhel-system-roles.certificate does not re-issue after updating key_size [NEEDINFO]
Summary: rhel-system-roles.certificate does not re-issue after updating key_size
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: rhel-system-roles
Version: 8.7
Hardware: All
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: 8.9
Assignee: Rafael Jeffman
QA Contact: David Jež
Docs Contact: David Voženílek
URL:
Whiteboard: role:certificate
Depends On:
Blocks: 2224138
Reported: 2023-04-12 01:48 UTC by Sunny Wu
Modified: 2023-08-13 15:10 UTC (History)

Fixed In Version: rhel-system-roles-1.22.0-0.16.el8
Doc Type: Bug Fix
Doc Text:
**Resolves:** When requesting a certificate, the key size is not evaluated when deciding whether a new certificate has to be requested. **Result:** This patch adds 'key_size' to the metadata comparison that determines whether a new certificate request must be performed. **Issue Tracker Tickets (Jira or BZ if any):** [RHBZ#2186057](https://bugzilla.redhat.com/show_bug.cgi?id=2186057)
Clone Of:
: 2224138 (view as bug list)
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:
rmeggins: needinfo? (vdanek)




Links
Github linux-system-roles certificate pull 188 (Merged): fix: Re-issue certificate if key size changes, last updated 2023-07-19 23:35:47 UTC
Red Hat Issue Tracker RHELPLAN-154451, last updated 2023-04-12 01:51:41 UTC

Description Sunny Wu 2023-04-12 01:48:06 UTC
Description of problem:

When using the `rhel-system-roles.certificate` system role provided in EL8.7, the role does not sufficiently check existing certificate parameters before reporting that no changes are needed. 

For example, if you create a certificate with basic syntax:

    - name: Build TLS certs for Satellite
      ansible.builtin.include_role:
        name: rhel-system-roles.certificate
      vars:
        certificate_requests:
          - name: test
            dns:
              - test.example.com
              - "{{ inventory_hostname }}"
            ips:
              - "{{ ansible_eth0.ipv4.address }}"
            principal: HTTP/test.example.com
            ca: ipa

Modifying it to:

    - name: Build TLS certs for Satellite
      ansible.builtin.include_role:
        name: rhel-system-roles.certificate
      vars:
        certificate_requests:
          - name: test
            key_size: 3072                <<<<<=====
            dns:
              - test.example.com
              - "{{ inventory_hostname }}"
            ips:
              - "{{ ansible_eth0.ipv4.address }}"
            principal: HTTP/test.example.com
            ca: ipa

Results in the second run reporting no changes, and the existing certificate not being modified.

When adding a "country" parameter, a new key/certificate pair is (re)issued.

    - name: Build TLS certs for Satellite
      ansible.builtin.include_role:
        name: rhel-system-roles.certificate
      vars:
        certificate_requests:
          - name: test
            key_size: 3072                <<<<<=====
            country: "AU"                 <<<<<=====
            dns:
              - test.example.com
              - "{{ inventory_hostname }}"
            ips:
              - "{{ ansible_eth0.ipv4.address }}"
            principal: HTTP/test.example.com
            ca: ipa


Actual results:
Certificate is not issued with new parameters.

Expected results:
Modifying any of the creation parameters would modify the created certificate and reissue if required.

Comment 1 Rafael Jeffman 2023-07-18 22:55:42 UTC
Upstream PR: https://github.com/linux-system-roles/certificate/pull/188


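The bug report above and the Doc Text both come down to one question: after a playbook changes key_size, does the certificate on disk actually carry a key of that size? The role's metadata comparison did not ask that before the fix. The script below is an added example written for this page, not code from the bug reporter or from rhel-system-roles. It checks the issued certificate itself rather than the role's stored request metadata, so it also works as a drift check against hosts that were provisioned before the fixed role version. It assumes the openssl CLI is on PATH; the certificate it generates, the /CN=test.example.com subject and the 2048/3072 sizes are constructed inputs for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the bug report or of rhel-system-roles.certificate.
# Compares the key size actually present in an issued certificate with the
# key_size a certificate_requests entry asks for. Before the fix tracked in
# this bug, the role compared only stored request metadata (which had no
# key_size), so a 2048-bit certificate stayed in place after key_size was
# raised to 3072. Reading the certificate itself catches that.
# Assumes: the openssl CLI is on PATH.

# Print the public-key size in bits of a PEM certificate, e.g. 2048.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 (true) when the certificate must be re-issued because its key
# size differs from the requested one, 1 when it already matches.
needs_reissue() {
    cert="$1"; wanted="$2"
    have=$(cert_key_bits "$cert")
    [ -n "$have" ] || return 0          # unreadable or missing cert: re-issue
    [ "$have" -ne "$wanted" ]
}

# Constructed input: a throwaway self-signed certificate with an RSA key of
# the given size, standing in for what the role issued on the first run.
make_test_cert() {
    dir="$1"; bits="$2"
    openssl req -x509 -newkey "rsa:$bits" -nodes -days 1 \
        -subj "/CN=test.example.com" \
        -keyout "$dir/test.key" -out "$dir/test.crt" >/dev/null 2>&1
    printf '%s\n' "$dir/test.crt"
}

# Demo: a 2048-bit certificate from the first playbook run, then the
# request is changed to key_size: 3072 (the scenario in the bug report).
tmp=$(mktemp -d)
crt=$(make_test_cert "$tmp" 2048)
printf 'issued key size: %s bits\n' "$(cert_key_bits "$crt")"
if needs_reissue "$crt" 3072; then
    echo "key_size 3072 requested: re-issue required"
else
    echo "key_size 3072 requested: certificate already matches"
fi
rm -rf "$tmp"
```

Run it against the real certificate path the role writes (under /etc/pki/tls/certs/ for name: test, by default) with the key_size from the play to confirm a host is not still serving the old key after the role reports no change.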