Adding module which allows to complete certificate chains #44169
Conversation
```yaml
description:
  - A concatenated set of certificates in PEM format forming a chain.
  - The module will try to complete this chain.
input_chain_src:
```
not a blocker (IMHO), but having 2 params for the input chain, `input_chain_src` and `input_chain`, is not necessary (I know `acme_certificate` also has 2, but this has historical reasons). I would use only `input_chain`, because reading from a file could be done with a lookup plugin: `input_chain: "{{ lookup('file', '/path/filename') }}"`. Also remember, lookup plugins can also "read" from all kinds of things, like DBs, Vaults, kv stores.
Ah, that's a good point. I'll change the module accordingly, since here the use-case "input data is on remote system" isn't very important (and the input files are small).

One question though: what happens if the contents of a file on the remote system are needed? With `input_chain_src`, this is easily doable, but without it? Do I have to do a `fetch: ...` first in that case, before I can use this module?
It would require having the content in a var, e.g. like with the `slurp` module.
How would this work with `input_chain_src`?
Ah sorry, I meant `slurp: ...`, not `fetch: ...`. And yes, just having `..._src` makes this complicated.

But: for `acme_certificate` (and friends), I think it is different, and both parameters should be provided. The reason is that depending on how you use the module, and how your security model is set up, you do not want the private account key to leave the remote host where the module is executed. If you have to `slurp` it first, this condition is violated. So there, having both `account_key_content` and `account_key_src` is a Very Good Thing(tm).

But that doesn't apply to this module, since certificates are usually public enough. Also, the input size isn't huge (another potential reason for having both parameters).
@Spredzy Did you have a chance to look at this module?

@felixfontein I haven't yet. I'll try to go through it between this afternoon and tomorrow. Sorry for that.

@Spredzy No problem! Thanks a lot! :)
shipit
shipit, and thanks for merging, @resmo :)
SUMMARY
This module allows completing certificate chains. Given an incomplete chain (leaf certificate, maybe also some intermediates), pointers to potential intermediate certificates, and pointers to root certificates, the module tries to form a complete chain from the leaf up to a root certificate.
This can for example be used to find the root certificate for certificates issued with the `acme_certificate` module (which allows retrieving the intermediate certificate(s), but not the root certificate, since the ACME protocol doesn't allow for that); this is sometimes needed for configuration (f.ex. for Amazon AWS ELB load balancers), or to simply verify the chain of trust with `openssl verify ...`.

CC @resmo
ISSUE TYPE
COMPONENT NAME
certificate_complete_chain
ANSIBLE VERSION
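As an added example for the algorithm the summary describes (this is not the module's code and not part of the PR): a Python implementation, using the third-party `cryptography` library, that walks from the leaf upward, matching each certificate to a candidate issuer by name and confirming the match with a signature check, until a configured root signs the top of the chain. The root, intermediate, decoy intermediate and leaf it runs against are generated inline as sample data; the made-up names, the `(chain, root)` return shape and the helper functions are choices of this example, not the module's documented interface.

```python
"""Complete an X.509 chain (leaf -> intermediates -> root) by issuer matching.
Added example for this PR thread, not the module's code. Needs the third-party
`cryptography` package; the PKI it runs on is constructed below with made-up names."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

PEM_BEGIN, PEM_END = b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"


def load_pem_chain(pem):
    """Parse a concatenated PEM bundle into certificates, keeping file order."""
    certs = []
    for block in pem.split(PEM_END):
        start = block.find(PEM_BEGIN)
        if start >= 0:
            certs.append(x509.load_pem_x509_certificate(block[start:] + PEM_END + b"\n"))
    return certs


def is_signed_by(cert, issuer):
    """True if `issuer` is cert's named issuer AND its key verifies cert's signature.
    Names alone are unsafe: re-keyed or cross-signed CAs (or an impostor) can share a
    subject, so the signature decides. ECDSA only, which is all the test PKI uses."""
    if cert.issuer != issuer.subject:
        return False
    pub = issuer.public_key()
    if not isinstance(pub, ec.EllipticCurvePublicKey):
        return False
    try:
        pub.verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return True


def fingerprint(cert):
    return cert.fingerprint(hashes.SHA256())


def complete_chain(input_chain, intermediates, roots):
    """Return (chain, root): `chain` runs leaf..last intermediate, `root` is the trust
    anchor that signed chain[-1]. ValueError if the input is not itself a valid chain
    or no path to any root exists."""
    if not input_chain:
        raise ValueError("input chain is empty")
    chain = list(input_chain)
    for child, parent in zip(chain, chain[1:]):  # sanity-check the part we were given
        if not is_signed_by(child, parent):
            raise ValueError("input chain is broken at " + child.subject.rfc4514_string())
    root_fps = {fingerprint(r) for r in roots}
    seen = {fingerprint(c) for c in chain}  # never append the same cert twice (loop guard)
    while True:
        top = chain[-1]
        if fingerprint(top) in root_fps:  # caller already appended the root itself
            return chain[:-1], top
        for root in roots:
            if is_signed_by(top, root):
                return chain, root
        nxt = next((c for c in intermediates
                    if fingerprint(c) not in seen and is_signed_by(top, c)), None)
        if nxt is None:
            raise ValueError("no issuer found for " + top.subject.rfc4514_string())
        chain.append(nxt)
        seen.add(fingerprint(nxt))


# --- constructed test PKI (sample data, not real certificates) ---------------
def _issue(cn, key, issuer=None, issuer_key=None, ca=True):
    """Sign a minimal certificate; issuer=None makes it self-signed."""
    now = datetime.datetime.now(datetime.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer.subject if issuer else subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))


def build_test_pki():
    """root -> intermediate -> leaf, plus a decoy intermediate with the SAME subject as
    the real one but a different key (also issued by the root), listed first in the
    bundle so a name-only matcher would pick it and build a chain that fails verify."""
    root_key, int_key, decoy_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    root = _issue("Example Root", root_key)
    inter = _issue("Example Intermediate", int_key, root, root_key)
    decoy = _issue("Example Intermediate", decoy_key, root, root_key)
    leaf = _issue("leaf.example.test", leaf_key, inter, int_key, ca=False)
    pem = lambda *certs: b"".join(c.public_bytes(serialization.Encoding.PEM) for c in certs)
    return {"leaf": pem(leaf), "intermediates": pem(decoy, inter), "roots": pem(root),
            "real_intermediate_fp": fingerprint(inter)}


def demo():
    """Complete the constructed leaf's chain; returns subject names, leaf first, root last."""
    pki = build_test_pki()
    chain, root = complete_chain(load_pem_chain(pki["leaf"]),
                                 load_pem_chain(pki["intermediates"]),
                                 load_pem_chain(pki["roots"]))
    return [c.subject.rfc4514_string() for c in chain] + [root.subject.rfc4514_string()]
```

The decoy is the reason the matcher checks signatures and not just issuer/subject names: both intermediates are legitimately issued by the root and carry the same subject, so name matching would pick whichever comes first in the bundle, and the resulting chain would only be caught later by `openssl verify -CAfile root.pem -untrusted intermediate.pem leaf.pem`. Writing `chain` and `root` to separate files and running exactly that command is the check the summary mentions.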