Allowing to write intermediate certificate into file. #34328

Merged
merged 2 commits into from
Jan 26, 2018

felixfontein
Contributor

SUMMARY

Allows the letsencrypt module to export the intermediate certificate to a file.
Fixes #18996 and extends #22074 (which only allows writing one combined file with certificate and intermediate certificate).

ISSUE TYPE

  • Feature Pull Request

COMPONENT NAME

letsencrypt

ANSIBLE VERSION

2.4.2.0

ADDITIONAL INFORMATION

The original issue #18996 asked for a way to get hold of the intermediate certificate. Since that one is not only needed to create the full chain (i.e. concatenation of certificate and intermediate, which is sent by the webserver to the client so it can validate the certificate), but also to create the root chain (root and intermediate certificate, which is used by the web server to validate OCSP responses to be stapled), the fix in #22074 is not sufficient (without extra processing). (See comment by @8w in original issue.)

This PR allows writing the intermediate certificate to a separate file, so it can be combined with whatever the caller wants (and not just the certificate).
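The two bundles named in the PR description, assembled from separate files, as an added example that is not part of the original PR or of the letsencrypt module. The function names, the root-first order of the root chain and the sample PEM text are assumptions; the sample blocks are constructed and are not real certificates.

```python
import base64
import re

# Matches one PEM block of any type; the label is captured so that
# non-certificate blocks (for example a private key) can be rejected.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def split_certs(pem_text):
    """Return each CERTIFICATE block, re-wrapped and newline-terminated."""
    blocks = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if label != "CERTIFICATE":
            raise ValueError("unexpected PEM block: " + label)
        b64 = "".join(body.split())
        base64.b64decode(b64, validate=True)  # raises ValueError if corrupted
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                      + "\n-----END CERTIFICATE-----\n")
    if not blocks:
        raise ValueError("no certificate found")
    return blocks


def build_bundles(cert_pem, chain_pem, root_pem):
    """Full chain = leaf + intermediate(s); root chain = root + intermediate(s)."""
    leaf, chain, root = (split_certs(p) for p in (cert_pem, chain_pem, root_pem))
    if len(leaf) != 1 or len(root) != 1:
        raise ValueError("expected exactly one leaf and one root certificate")
    if leaf[0] in chain:
        raise ValueError("chain file also contains the leaf certificate")
    return "".join(leaf + chain), "".join(root + chain)


def fake_pem(seed, newline=True):
    # Constructed placeholder: PEM framing around dummy bytes, not real X.509.
    body = base64.b64encode(seed * 30).decode()
    text = "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----"
    return text + ("\n" if newline else "")


# Constructed inputs; LEAF deliberately lacks the trailing newline that makes
# naive concatenation produce "-----END CERTIFICATE----------BEGIN ...".
LEAF = fake_pem(b"leaf", newline=False)
INTERMEDIATE, ROOT = fake_pem(b"intr"), fake_pem(b"root")
FULLCHAIN, ROOTCHAIN = build_bundles(LEAF, INTERMEDIATE, ROOT)
```

The check only validates PEM framing and base64; it does not verify that the intermediate actually signed the leaf.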

@ansibot
Contributor

ansibot commented Jan 1, 2018

@ansibot ansibot added affects_2.5 This issue/PR affects Ansible v2.5 community_review In order to be merged, this PR must follow the community review workflow. feature_pull_request module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. support:community This issue/PR relates to code supported by the Ansible community. labels Jan 1, 2018
@ansibot
Contributor

ansibot commented Jan 1, 2018

The test ansible-test sanity --test pylint [?] failed with the following error:

lib/ansible/modules/web_infrastructure/letsencrypt.py:845:29: undefined-variable Undefined variable 'module'

@ansibot ansibot added ci_verified Changes made in this PR are causing tests to fail. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. community_review In order to be merged, this PR must follow the community review workflow. and removed community_review In order to be merged, this PR must follow the community review workflow. ci_verified Changes made in this PR are causing tests to fail. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Jan 1, 2018
@gundalow gundalow removed the needs_triage Needs a first human triage before being processed. label Jan 3, 2018
@@ -92,6 +92,13 @@
description: The destination file for the certificate.
required: true
aliases: ['cert']
chain_dest:
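Review bot: the documentation entry for `chain_dest`, added directly after `dest` and its `aliases: ['cert']` line, should say explicitly that the file receives only the intermediate certificate and not the certificate itself, so it is not mistaken for a combined output. It should also declare its alias in the same way `dest` does, and the examples should use either primary names or aliases consistently.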
Contributor

Any reason you have the primary name as chain_dest and an alias of chain, then use the alias in the examples?

Contributor Author

The primary name for the certificate filename is dest, with an alias of cert. That's why I used chain_dest as primary and chain as an alias.

The examples don't use cert either (but dest); since there's basically only one example (with three alternatives for the first step), either the primary or the alias should be used in all examples.

Contributor Author

Now that there's a second example using the aliases (see #35077), I've added this alias there as well. (I amended it into the existing commit.)

@@ -855,6 +868,7 @@ def main():
data=dict(required=False, no_log=True, default=None, type='dict'),
fullchain=dict(required=False, default=True, type='bool'),
dest=dict(required=True, aliases=['cert'], type='path'),
chain_dest=dict(required=False, deafult=None, aliases=['chain'], type='path'),
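Review bot: on the `chain_dest` line of the argument spec, `deafult=None` is misspelled, so the default is not declared under the key the neighbouring entries use (`default=None` on `data`, `default=True` on `fullchain`). Change it to `default=None`, or drop the key entirely as the `dest` entry does.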
Contributor

typo of default

Contributor Author

Thanks! Fixed that.

@ansibot
Contributor

ansibot commented Jan 3, 2018

@felixfontein This PR contains @ mentions in at least one commit message. Those mentions can cause cascading notifications through GitHub and need to be removed. Please squash or amend your commits to remove the mentions.

@ansibot ansibot added needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed community_review In order to be merged, this PR must follow the community review workflow. labels Jan 3, 2018
@ansibot ansibot added community_review In order to be merged, this PR must follow the community review workflow. and removed needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Jan 3, 2018
@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Jan 11, 2018
@felixfontein
Contributor Author

ready_for_review

@ansibot ansibot added owner_pr This PR is made by the module's maintainer. and removed stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. labels Jan 16, 2018
@ansibot ansibot added the owner_pr This PR is made by the module's maintainer. label Jan 25, 2018
@felixfontein
Contributor Author

@resmo: looks like current devel letsencrypt is broken, I introduced some errors while rebasing in 25b1db5; these are fixed by 3e2a0fd4b800dc4a6c33e0964f5a392680908a17. Should I move that commit to a new PR so we can quickly fix it, or how should we proceed with this PR?

@ansibot ansibot added needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed community_review In order to be merged, this PR must follow the community review workflow. owner_pr This PR is made by the module's maintainer. labels Jan 25, 2018
@felixfontein
Contributor Author

Hmm, the failing test doesn't seem to be related to this PR:

2018-01-25 17:48:39 + test/utils/shippable/other.sh other
2018-01-25 17:48:39 test/utils/shippable/shippable.sh: line 104: test/utils/shippable/other.sh: No such file or directory

@ansibot ansibot added community_review In order to be merged, this PR must follow the community review workflow. owner_pr This PR is made by the module's maintainer. and removed needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Jan 25, 2018
@felixfontein
Contributor Author

Yep, "random fluke". Fixed by rebase without change...

@resmo
Contributor

resmo commented Jan 26, 2018

looks good to me.
shipit

@ansibot ansibot added automerge This PR was automatically merged by ansibot. shipit This PR is ready to be merged by Core and removed community_review In order to be merged, this PR must follow the community review workflow. labels Jan 26, 2018
@ansibot ansibot merged commit a69445e into ansible:devel Jan 26, 2018
@felixfontein
Contributor Author

Thanks!

@felixfontein felixfontein deleted the letsencrypt-chain-export branch January 26, 2018 08:17
Lujeni pushed a commit to Lujeni/ansible that referenced this pull request Feb 1, 2018
* Allowing to write intermediate certificate into file.

* Fixing merge errors introduced in 25b1db5 (ansible#34916).
@ansibot ansibot added feature This issue/PR relates to a feature request. and removed feature_pull_request labels Mar 5, 2018
@dagwieers dagwieers added the crypto Crypto community (ACME, openssl, letsencrypt) label Feb 7, 2019
@ansible ansible locked and limited conversation to collaborators Apr 26, 2019
Successfully merging this pull request may close these issues.

letsencrypt does not create a full-chain cert
5 participants