Adding module which allows to complete certificate chains #44169
Conversation
felixfontein
force-pushed
the
crypto-complete-chain
branch
from
bf3994f
to
2f1c5d7
Compare
ansibot
added
affects_2.7
felixfontein
force-pushed
the
crypto-complete-chain
branch
from
2f1c5d7
to
c54fd88
Compare
ansibot
added
core_review
| description: | ||
| - A concatenated set of certificates in PEM format forming a chain. | ||
| - The module will try to complete this chain. | ||
| input_chain_src: |
There was a problem hiding this comment.
not a blocker (IMHO) but having 2 params for input chain: input_chain_src and input_chain is not necessary (I know acme_certificate has also 2 but this has historical reasons). I would use only input_chain, because reading from a file could be done with a lookup plugin: `input_chain: "{{ lookup('file', '/path/filename' )}". Also remember, lookup plugins can also "read" from all kinds of things, like DBs, Vaults, kv stores.
There was a problem hiding this comment.
Ah, that's a good point. I'll change the module accordingly, since here the use-case "input data is on remote system" isn't very important (and the input files are small).
One question though: what happens if the contents of a file on the remote system are needed? With input_chain_src, this is easily doable, but without it? Do I have to do a fetch: ... first in that case, before I can use this module?
There was a problem hiding this comment.
it would require to have the content into a var e.g like with the slurp module.
There was a problem hiding this comment.
how would this work with input_chain_src?
There was a problem hiding this comment.
Ah sorry, I meant slurp: ..., not fetch: .... And yes, just having ..._src makes this complicated.
But: for acme_certificate (and friends), I think it is different, and both parameters should be provided. The reason is that depending on how you use the module, and how your security model is set up, you do not want the private account key to leave the remote host where the module is executed. If you have to slurp it first, this condition is violated. So there, having both account_key_content and account_key_src is a Very Good Thing(tm).
But that doesn't apply to this module, since certificates are usually public enough. Also, the input size isn't huge (another potential reason for having both parameters).
ansibot
removed
the
needs_triage
felixfontein
force-pushed
the
crypto-complete-chain
branch
from
52885d1
to
681a468
Compare
felixfontein
force-pushed
the
crypto-complete-chain
branch
from
e5fdfac
to
c7747ab
Compare
|
@Spredzy Did you have a chance to look at this module? |
|
@felixfontein I haven't yet. I'll try to go throught it between this afternoon and tomorrow. Sorry for that. |
|
@Spredzy No problem! Thanks a lot! :) |
ansibot
added
shipit
|
and thanks for merging, @resmo :) |
SUMMARY
This module allows to complete certificate chains. Given an incomplete chain (leaf certificate, maybe also some intermediates), pointers to potential intermediate certificates, and pointers to root certificates, the module tries to form a complete chain from leaf until a root certificate.
This can for example be used to find the root certificate for certificates issued with the
acme_certificatemodule (which allows to retrieve the intermediate certificate(s), but not the root certificate since the ACME protocol doesn't allow for that); this is sometimes needed for configuration (f.ex. for Amazon AWS ELB load balancers), or to simply verify the chain of trust withopenssl verify ....CC @resmo
ISSUE TYPE
COMPONENT NAME
certificate_complete_chain
ANSIBLE VERSION