Bug 2224138 - rhel-system-roles.certificate does not re-issue after updating key_size [NEEDINFO]
Summary: rhel-system-roles.certificate does not re-issue after updating key_size
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: rhel-system-roles
Version: 9.3
Hardware: All
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: 9.3
Assignee: Rich Megginson
QA Contact: Jakub Haruda
URL:
Whiteboard: role:certificate
Depends On: 2186057
Blocks:
Reported: 2023-07-19 23:39 UTC by Rich Megginson
Modified: 2023-08-10 13:50 UTC (History)

Fixed In Version: rhel-system-roles-1.22.0-0.16.el9
Doc Type: Bug Fix
Doc Text:
**Resolves:** When requesting a certificate, the key size is not evaluated to decide whether a new certificate has to be requested. **Result:** This patch adds 'key_size' to the metadata comparison that determines whether a new certificate request must be performed.
Clone Of: 2186057
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:
rmeggins: needinfo? (djez)
rmeggins: needinfo? (vdanek)


Links: Red Hat Issue Tracker RHELPLAN-162804 (last updated 2023-07-19 23:41:33 UTC)

Description Rich Megginson 2023-07-19 23:39:44 UTC
+++ This bug was initially created as a clone of Bug #2186057 +++

Description of problem:

When using the `rhel-system-roles.certificate` system role provided in EL8.7, the role does not sufficiently check existing certificate parameters before reporting that no changes are needed. 

For example, if you create a certificate with basic syntax:

    - name: Build TLS certs for Satellite
      ansible.builtin.include_role:
        name: rhel-system-roles.certificate
      vars:
        certificate_requests:
          - name: test
            dns:
              - test.example.com
              - "{{ inventory_hostname }}"
            ips:
              - "{{ ansible_eth0.ipv4.address }}"
            principal: HTTP/test.example.com
            ca: ipa

Modifying it to:

    - name: Build TLS certs for Satellite
      ansible.builtin.include_role:
        name: rhel-system-roles.certificate
      vars:
        certificate_requests:
          - name: test
            key_size: 3072                # <<<<<=====
            dns:
              - test.example.com
              - "{{ inventory_hostname }}"
            ips:
              - "{{ ansible_eth0.ipv4.address }}"
            principal: HTTP/test.example.com
            ca: ipa

Results in the second run reporting no changes, and the existing certificate not being modified.

When adding a "country" parameter, a new key/certificate pair is (re)issued.

    - name: Build TLS certs for Satellite
      ansible.builtin.include_role:
        name: rhel-system-roles.certificate
      vars:
        certificate_requests:
          - name: test
            key_size: 3072                # <<<<<=====
            country: "AU"                 # <<<<<=====
            dns:
              - test.example.com
              - "{{ inventory_hostname }}"
            ips:
              - "{{ ansible_eth0.ipv4.address }}"
            principal: HTTP/test.example.com
            ca: ipa


Actual results:
Certificate is not issued with new parameters.

Expected results:
Modifying any of the creation parameters would modify the created certificate and reissue if required.

--- Additional comment from Rafael Jeffman on 2023-07-18 22:55:42 UTC ---

Upstream PR: https://github.com/linux-system-roles/certificate/pull/188
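
As an added illustration, not the role's own code: a simplified Python model of the "has the request changed?" comparison the report describes, run once with the pre-fix field list (no `key_size`) and once with `key_size` included, over the three request variants from the description. The compared field list, the 2048-bit default for an omitted `key_size`, and the fixed hostname/IP values are assumptions.

```python
"""Model of the certificate role's change detection (simplified, not the role's code)."""
from __future__ import annotations

# Assumed pre-fix comparison: key_size is absent, so changing it alone is invisible.
COMPARED_FIELDS_BEFORE = ("dns", "ips", "principal", "ca", "country")
# Post-fix comparison: key_size takes part in the metadata check.
COMPARED_FIELDS_AFTER = COMPARED_FIELDS_BEFORE + ("key_size",)

DEFAULT_KEY_SIZE = 2048  # assumed default used when a request omits key_size


def normalize(request: dict) -> dict:
    """Canonical form: list-valued fields sorted, key_size defaulted."""
    norm = {f: (sorted(v) if isinstance(v, list) else v) for f, v in request.items()}
    norm.setdefault("key_size", DEFAULT_KEY_SIZE)
    return norm


def changed_fields(existing: dict, requested: dict,
                   compared=COMPARED_FIELDS_AFTER) -> list[str]:
    """Compared fields whose value differs between the issued and requested cert."""
    old, new = normalize(existing), normalize(requested)
    return [f for f in compared if old.get(f) != new.get(f)]


def needs_reissue(existing: dict, requested: dict,
                  compared=COMPARED_FIELDS_AFTER) -> bool:
    """True when at least one compared field changed, i.e. a new request is due."""
    return bool(changed_fields(existing, requested, compared))


# The three requests from the report (constructed sample; templated values fixed).
ORIGINAL = {"name": "test",
            "dns": ["test.example.com", "host1.example.com"],
            "ips": ["192.0.2.10"],
            "principal": "HTTP/test.example.com", "ca": "ipa"}
WITH_KEY_SIZE = dict(ORIGINAL, key_size=3072)
WITH_COUNTRY = dict(WITH_KEY_SIZE, country="AU")

if __name__ == "__main__":
    for label, req in (("key_size only", WITH_KEY_SIZE),
                       ("key_size + country", WITH_COUNTRY)):
        print(f"{label}: before fix -> reissue="
              f"{needs_reissue(ORIGINAL, req, COMPARED_FIELDS_BEFORE)}, "
              f"after fix -> reissue={needs_reissue(ORIGINAL, req)} "
              f"changed={changed_fields(ORIGINAL, req)}")
```

With the pre-fix field list the `key_size`-only change reports no reissue, matching the behaviour in the report; adding `country` is caught either way.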

