Changing behavior of new fullchain argument.

[felixfontein]

SUMMARY

This PR should initiate a discussion on whether #18996 might not be solved in a better way than in #22074, namely by not making the user choose between getting a leaf certificate or a fullchain certificate (i.e. certificate followed by intermediate certificates), but to allow the user to get both.

The approach in #22074 was to provide a new boolean option fullchain, which determines whether the file written to dest/cert will be a leaf certificate or a fullchain certificate.

This PR creates a new option fullchain_dest with alias fullchain (i.e. the boolean option is removed),

@resmo, @manicai: what do you think?

ISSUE TYPE

• Feature Pull Request

COMPONENT NAME

letsencrypt

ANSIBLE VERSION

devel

ADDITIONAL INFORMATION

The current fullchain option only exists in the devel branch (to my knowledge), not in any release branch. So changing it shouldn't hurt backwards compatibility. Everyone using the devel version will notice that something changed when 2.5 will be released, i.e. there should be no silent failures.

This PR is related to #34328, which adds another option chain_dest/chain which allows to write the intermediate certificate chain into a separate file. With both this and #34328 merged, the user can choose which one of certificate, fullchain, and chain to be written to disk, and is not forced to do additional file operations to extract the chain or create a fullchain certificate.

[ansibot]

cc @mgruener
click here for bot help

[felixfontein]

This PR must be either merged or closed by end of February 7th, since then there's community module freeze and we shouldn't change module options once they are released (fullchain will first appear in Ansible 2.5).

[resmo]

needs_info

[resmo]

according code, it is not required.

[felixfontein]

See below. How should this (i.e. at least one of dest and fullchain is specified) be marked here? My idea was to mark both as required, but add some text that only one needs to be specified. Should I mark both as not required, and add a note to each that at least one of them must be specified?

[resmo]

yes, both not required, but put a note in the doc that "Either C(dest) or C(fullchain_dest) is required."

[felixfontein]

I've updated the documentation. I hope it's better explained now.

[resmo]

according code, there is no default, so can be left off.

[felixfontein]

Oops, I just forgot to remove this. The type isn't bool anymore anyway, so false makes no sense.

[resmo]

so it looks like they fullchain_dest and dest are also mutually exclusive, aren't they? require one of but not both?

[felixfontein]

Both dest and fullchain_dest are not required, but at least one of them must be specified. Both can be specified as well. If both are specified, the module assumes that both are equivalent for determining whether the certificate is new enough (if dest is given, the certificate it points to is checked, otherwise the certificate where fullchain_dest points to).

While only one of them is required, both will be created (if both are specified) if a new certificate is retrieved. So the user can decide whether she wants to work with leaf certificates, fullchain certificates, or both (without the need to manually concatenating or splitting files).

[resmo]

I see.

[felixfontein]

I rebased and squashed the commits.

[felixfontein]

bot_status

[resmo]

shipit

[ansibot]

Components

lib/ansible/modules/web_infrastructure/letsencrypt.py
support: community
maintainers: felixfontein mgruener resmo

Metadata

waiting_on: maintainer
changes_requested_by: null
needs_info: False
needs_revision: False
needs_rebase: False
merge_commits: []
mergeable_state: clean
shippable_status: success
maintainer_shipits (module maintainers): 1
community_shipits (namespace maintainers): 0
ansible_shipits (core team members): 1
shipit_actors (maintainers or core team members): resmo felixfontein
shipit_actors_other: []

click here for bot help