cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

openssl_certificate: fix ACME provider (#54656)

Browse source 
* Change default of acme_chain to no.

* Stop using string command lines.

* Add changelog.

* Fix changelog.
This commit is contained in:
Felix Fontein 2019-04-01 13:18:14 +02:00 committed by John R Barker
parent f99d1b3e47
commit fa47bed71c
2 changed files with 15 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
changelogs/fragments/54656-openssl_certificate-acme-chain.yml Normal file
View file

@ -0,0 +1,5 @@
minor_changes:
- "openssl_certificate - change default value for ``acme_chain`` from ``yes`` to ``no``. Current versions
of `acme-tiny <https://github.com/diafygi/acme-tiny/>`_ do not support the ``--chain`` command anymore.
This default setting caused the module not to work with such versions of acme-tiny until
``acme_chain: no`` was explicitly set."

20
lib/ansible/modules/crypto/openssl_certificate.py
View file

@ -211,8 +211,10 @@ options:
description: description:
- Include the intermediate certificate to the generated certificate - Include the intermediate certificate to the generated certificate
- This is only used by the C(acme) provider. - This is only used by the C(acme) provider.
- Note that this is only available for older versions of C(acme-tiny).
New versions include the chain automatically, and setting I(acme_chain) to C(yes) results in an error.
type: bool type: bool
default: yes default: no
version_added: "2.5" version_added: "2.5"
signature_algorithms: signature_algorithms:
@ -1646,17 +1648,15 @@ class AcmeCertificate(Certificate):
if not self.check(module, perms_required=False) or self.force: if not self.check(module, perms_required=False) or self.force:
acme_tiny_path = self.module.get_bin_path('acme-tiny', required=True) acme_tiny_path = self.module.get_bin_path('acme-tiny', required=True)
chain = '' command = [acme_tiny_path]
if self.use_chain: if self.use_chain:
chain = '--chain' command.append('--chain')
command.extend(['--account-key', self.accountkey_path])
command.extend(['--csr', self.csr_path])
command.extend(['--acme-dir', self.challenge_path])
try: try:
crt = module.run_command("%s %s --account-key %s --csr %s " crt = module.run_command(command, check_rc=True)[1]
"--acme-dir %s" % (acme_tiny_path, chain,
self.accountkey_path,
self.csr_path,
self.challenge_path),
check_rc=True)[1]
if self.backup: if self.backup:
self.backup_file = module.backup_local(self.path) self.backup_file = module.backup_local(self.path)
crypto_utils.write_file(module, to_bytes(crt)) crypto_utils.write_file(module, to_bytes(crt))
@ -1736,7 +1736,7 @@ def main():
# provider: acme # provider: acme
acme_accountkey_path=dict(type='path'), acme_accountkey_path=dict(type='path'),
acme_challenge_path=dict(type='path'), acme_challenge_path=dict(type='path'),
acme_chain=dict(type='bool', default=True), acme_chain=dict(type='bool', default=False),
), ),
supports_check_mode=True, supports_check_mode=True,
add_file_common_args=True, add_file_common_args=True,