acme_certificate: Allow to disable account management for certificate module #40698

felixfontein
Contributor

SUMMARY

Follow-up to #37275: adds a feature (disable account management) to the acme_certificate module, which makes the new acme_account module more useful (see below for detailed info on why we need this feature).

ISSUE TYPE

  • Feature Pull Request

COMPONENT NAME

acme_certificate

ANSIBLE VERSION

2.6.0

ADDITIONAL INFORMATION

The addition of the new acme_account module in #37275 allows more precise account management: deactivating an account, changing an account key, and updating contacts (also to more than one).

There are two things where this is really needed:

  1. In case you modify the account key, and then try to create a certificate with the old account key, it can happen (if the CA doesn't prevent this) that the acme_certificate module will create a new account with the old key. This is most certainly not what you want. Thus, if you want to do all account management with the new module, you can use this option to tell acme_certificate to not touch the account.

  2. In case you want to have more than one contact address for the account, you can use the acme_account module to set them. Unfortunately, the acme_certificate module doesn't support this, and as soon as you use it to issue a new certificate, it will notice that the account has a different number of contacts than it has itself, and will adjust the account so it only contains the email address contact specified to it (or no contact at all). With this option, you can disable this behavior.

The default value for this new option is to continue doing account management; this is both important for backwards compatibility and to not make it too complicated for beginners (who can only use the acme_certificate module, and don't have to bother about the acme_account module).
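
The split described in this pull request, as an added example that is not part of the pull request or the Ansible project's own code: acme_account owns the account and its contact list, and acme_certificate is told not to touch either. File paths and contact addresses are constructed placeholders; the directory URL is the Let's Encrypt staging endpoint.

```yaml
# Added example, not from the pull request.
# Paths and e-mail addresses below are constructed placeholders.
- hosts: localhost
  gather_facts: false
  vars:
    acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
    account_key: /etc/acme/account.key            # placeholder path
  tasks:
    # All account state (existence, contacts) is owned by acme_account.
    - name: Ensure the ACME account exists with two contacts
      acme_account:
        account_key_src: "{{ account_key }}"
        acme_directory: "{{ acme_directory }}"
        acme_version: 2
        state: present
        terms_agreed: true
        contact:
          - mailto:ops@example.com
          - mailto:security@example.com

    # modify_account: false keeps acme_certificate from creating an account
    # for this key and from rewriting the contact list set above.
    - name: Request challenge data without touching the account
      acme_certificate:
        account_key_src: "{{ account_key }}"
        acme_directory: "{{ acme_directory }}"
        acme_version: 2
        modify_account: false
        csr: /etc/acme/www.example.com.csr        # placeholder path
        dest: /etc/acme/www.example.com.crt       # placeholder path
        challenge: http-01
      register: acme_challenge
```

The second acme_certificate call that passes the registered challenge data back in should carry the same modify_account: false setting, otherwise that call falls back to the default and manages the account again.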

ansibot commented May 25, 2018

@ansibot ansibot added affects_2.6 This issue/PR affects Ansible v2.6 community_review In order to be merged, this PR must follow the community review workflow. feature This issue/PR relates to a feature request. module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. owner_pr This PR is made by the module's maintainer. support:community This issue/PR relates to code supported by the Ansible community. labels May 25, 2018
update_contact=modify_account
)
else:
# This happens iff modify_account is False and the ACME v1
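
Review bot: the comment under "else:" uses "iff", which many readers take for a misspelling of "if", and in this excerpt the sentence stops at "and the ACME v1", so the rest of the condition cannot be checked from the comment alone. Write the condition out in the code's own terms, for example "modify_account is False and the ACME version is 1", and say what the branch does in that case.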
Contributor

typo, and I see a discrepancy in the sentence: "This happens if modify account is False or the ACME v1 is used"

Contributor Author

Do you mean "iff" with typo? It's not a typo ;) (https://en.wikipedia.org/wiki/Iff) I'll change it for clarity.
About the second: not (modify_account or self.version > 1) is not modify_account and self.version == 1, so this should be correct.

Contributor

huch... ok then ;)

Contributor Author

I've changed it to "if" since "if and only if" is too long ;) I've also rebased to get rid of the conflicts (?).

@ansibot ansibot added needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed community_review In order to be merged, this PR must follow the community review workflow. needs_triage Needs a first human triage before being processed. owner_pr This PR is made by the module's maintainer. labels May 25, 2018
@felixfontein felixfontein force-pushed the acme-certificate-allow-not-to-change-account branch from 9bfa4b5 to d9d6ef2 Compare May 25, 2018 06:25
@ansibot ansibot added community_review In order to be merged, this PR must follow the community review workflow. owner_pr This PR is made by the module's maintainer. and removed needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels May 25, 2018
Contributor

@resmo resmo left a comment

shipit

@ansibot ansibot added automerge This PR was automatically merged by ansibot. shipit This PR is ready to be merged by Core and removed community_review In order to be merged, this PR must follow the community review workflow. labels May 25, 2018
@ansibot ansibot merged commit aa791e5 into ansible:devel May 25, 2018
@felixfontein
Contributor Author

Also thanks for this one!

@felixfontein felixfontein deleted the acme-certificate-allow-not-to-change-account branch May 25, 2018 07:19
gothicx pushed a commit to gothicx/ansible that referenced this pull request Jun 9, 2018
jacum pushed a commit to jacum/ansible that referenced this pull request Jun 26, 2018
@dagwieers dagwieers added the crypto Crypto community (ACME, openssl, letsencrypt) label Feb 7, 2019
@ansible ansible locked and limited conversation to collaborators May 29, 2019