New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changing behavior of new fullchain argument. #34916
Changing behavior of new fullchain argument. #34916
Conversation
f2d1695
to
8a5cf0e
Compare
8a5cf0e
to
eef53a6
Compare
eef53a6
to
d1abf9a
Compare
This PR must be either merged or closed by end of February 7th, since then there's community module freeze and we shouldn't change module options once they are released ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
needs_info
- "The destination file for the full chain (i.e. certificate followed | ||
by chain of intermediate certificates)." | ||
- "If C(dest) is specified, C(fullchain_dest) can be left away." | ||
required: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
according code, it is not required.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See below. How should this (i.e. at least one of dest
and fullchain
is specified) be marked here? My idea was to mark both as required, but add some text that only one needs to be specified. Should I mark both as not required, and add a note to each that at least one of them must be specified?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, both not required, but put a note in the doc that "Either C(dest) or C(fullchain_dest) is required."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've updated the documentation. I hope it's better explained now.
- "The destination file for the full chain (i.e. certificate followed | ||
by chain of intermediate certificates)." | ||
- "If C(dest) is specified, C(fullchain_dest) can be left away." | ||
required: true | ||
default: false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
according code, there is no default, so can be left off.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oops, I just forgot to remove this. The type isn't bool
anymore anyway, so false
makes no sense.
@@ -950,7 +964,10 @@ def main(): | |||
module.run_command_environ_update = dict(LANG='C', LC_ALL='C', LC_MESSAGES='C', LC_CTYPE='C') | |||
locale.setlocale(locale.LC_ALL, 'C') | |||
|
|||
cert_days = get_cert_days(module, module.params['dest']) | |||
if module.params.get('dest'): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so it looks like they fullchain_dest and dest are also mutually exclusive, aren't they? require one of but not both?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Both dest
and fullchain_dest
are not required, but at least one of them must be specified. Both can be specified as well. If both are specified, the module assumes that both are equivalent for determining whether the certificate is new enough (if dest
is given, the certificate it points to is checked, otherwise the certificate where fullchain_dest
points to).
While only one of them is required, both will be created (if both are specified) if a new certificate is retrieved. So the user can decide whether she wants to work with leaf certificates, fullchain certificates, or both (without the need to manually concatenating or splitting files).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see.
9544f33
to
25b1db5
Compare
I rebased and squashed the commits. |
bot_status |
shipit |
Componentslib/ansible/modules/web_infrastructure/letsencrypt.py Metadatawaiting_on: maintainer |
* Allowing to write intermediate certificate into file. * Fixing merge errors introduced in 25b1db5 (ansible#34916).
SUMMARY
This PR should initiate a discussion on whether #18996 might not be solved in a better way than in #22074, namely by not making the user choose between getting a leaf certificate or a fullchain certificate (i.e. certificate followed by intermediate certificates), but to allow the user to get both.
The approach in #22074 was to provide a new boolean option
fullchain
, which determines whether the file written todest
/cert
will be a leaf certificate or a fullchain certificate.This PR creates a new option
fullchain_dest
with aliasfullchain
(i.e. the boolean option is removed),@resmo, @manicai: what do you think?
ISSUE TYPE
COMPONENT NAME
letsencrypt
ANSIBLE VERSION
ADDITIONAL INFORMATION
The current
fullchain
option only exists in thedevel
branch (to my knowledge), not in any release branch. So changing it shouldn't hurt backwards compatibility. Everyone using the devel version will notice that something changed when 2.5 will be released, i.e. there should be no silent failures.This PR is related to #34328, which adds another option
chain_dest
/chain
which allows to write the intermediate certificate chain into a separate file. With both this and #34328 merged, the user can choose which one of certificate, fullchain, and chain to be written to disk, and is not forced to do additional file operations to extract the chain or create a fullchain certificate.