acme_certificate: Allow to disable account management for certificate module #40698
update_contact=modify_account | ||
) | ||
else: | ||
# This happens iff modify_account is False and the ACME v1 |
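Review bot: the comment on the `else:` branch describes the branch condition only in prose and uses "iff", which reads as a misspelling of "if" to many readers. Spell it out ("if and only if") or use "if", and consider quoting the exact condition of the preceding `if` in the comment, so that a reader can check "modify_account is False and the ACME v1" against the code without negating the expression by hand.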
typo, and I see a discrepancy in the sentence: "This happens if modify account is False or the ACME v1 is used"
Do you mean "iff" with typo? It's not a typo ;) (https://en.wikipedia.org/wiki/Iff) I'll change it for clarity.
About the second: `not (modify_account or self.version > 1)` is `not modify_account and self.version == 1`, so this should be correct.
huch... ok then ;)
I've changed it to "if" since "if and only if" is too long ;) I've also rebased to get rid of the conflicts (?).
9bfa4b5 to d9d6ef2
shipit
Also thanks for this one!
SUMMARY
Follow-up to #37275: adds a feature (disable account management) to `acme_certificate` module which makes the new `acme_account` more useful (see below for detailed info why we need this feature).

ISSUE TYPE
COMPONENT NAME
acme_certificate
ANSIBLE VERSION
ADDITIONAL INFORMATION
Addition of the new `acme_account` module in #37275 allows to do more precise account management: deactivating an account, changing an account key, and updating contacts (also to more than one).

There are two things where this is really needed:

1. In case you modify the account key, and then try to create a certificate with the old account key, it can happen (if the CA doesn't prevent this) that the `acme_certificate` module will create a new account with the old key. This is most certainly not what you want. Thus, if you want to do all account management with the new module, you can use this option to tell `acme_certificate` to not touch the account.
2. In case you want to have more than one contact address for the account, you can use the `acme_account` module to set them. Unfortunately, the `acme_certificate` module doesn't support this, and as soon as you use it to issue a new certificate, it will notice that the account has a different number of contacts than it has itself, and will adjust the account so it only contains the email address contact specified to it (or no contact at all). With this option, you can disable this behavior.

The default value for this new option is to continue doing account management; this is both important for backwards compatibility and to not make it too complicated for beginners (which can only use the `acme_certificate` module, and don't have to bother about the `acme_account` module).
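
The split described above, as an added playbook sketch that is not part of the pull request: `acme_account` owns the account and its two contacts, and `acme_certificate` is told to leave the account alone. The option name `modify_account` is assumed from the variable visible in the reviewed diff; the key and CSR paths, e-mail addresses, domain and the staging directory choice are constructed for illustration.

```yaml
# Added example (not the project's own code). All paths, addresses and the
# domain are constructed; modify_account is assumed to be the option name.
- hosts: localhost
  gather_facts: false
  vars:
    acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
    account_key: /etc/acme/account.key
  tasks:
    # All account management happens here, including more than one contact.
    - name: Ensure the ACME account exists with both contacts
      acme_account:
        account_key_src: "{{ account_key }}"
        acme_directory: "{{ acme_directory }}"
        acme_version: 2
        state: present
        terms_agreed: true
        contact:
          - mailto:ops@example.com
          - mailto:security@example.com

    # With account management disabled, this task neither creates an account
    # for an unknown (for example rotated-out) key nor rewrites the contact
    # list set by the task above. It fails instead if the key has no account.
    - name: Start certificate issuance without touching the account
      acme_certificate:
        account_key_src: "{{ account_key }}"
        acme_directory: "{{ acme_directory }}"
        acme_version: 2
        modify_account: false
        challenge: http-01
        csr: /etc/acme/www.example.com.csr
        dest: /etc/acme/www.example.com.crt
      register: acme_challenge
```

Leaving `modify_account` at its default keeps the behavior the description calls backwards compatible: the certificate module continues to create and adjust the account itself.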