openssl_certificate, fixed has_expired to check the cert expiration date #53168
When set to true will ensure the certificate is expired; when set to false ensures the certificate is not expired. Also fixes an issue with older versions of pyOpenSSL which prevented the certificate expiry date from being validated correctly.
Just some nits :)
self.message.append( | ||
'Certificate expiration check failed (certificate expiration is %s, expected %s)' % (self.cert.has_expired(), self.has_expired) | ||
) | ||
time_string = to_native(self.cert.get_notAfter()) |
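Review bot: the failure message on the second line still formats self.cert.has_expired(), the pyOpenSSL call the description says verifies the expiry date incorrectly on older versions; once expiry is derived from get_notAfter(), put that computed value in the message so the reported state and the comparison cannot disagree. On the time_string line, get_notAfter() returns None when the certificate has no such field, so check for that before to_native() and fail the validation with a clear message instead of passing the value on to date parsing.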
Maybe add a comment here that this is similar to the PyOpenSSL code for cert.has_expired(), but that older versions have a buggy implementation and we thus do it manually here.
Added comments, hopefully makes sense :)
Co-Authored-By: Shaps <andrea@braingap.uk>
shipit
shipit
bot_status
Components:
changelogs/fragments/openssl_certificate_fix_has_expired.yml
lib/ansible/modules/crypto/openssl_certificate.py
test/integration/targets/openssl_certificate/tasks/expired.yml
test/integration/targets/openssl_certificate/tasks/main.yml
Metadata:
waiting_on: maintainer
…ate (ansible#53168) (cherry picked from commit d5d92e4)
…tion date (#53203)
* Type error in openssl_certificate (#47508)
* Fixed #47505: Type error in openssl_certificate
* Use to_bytes instead of str.encode in SelfSignedCertificate. Updates #47508
* Use to_bytes instead of str.encode in OwnCACertificate
* Added integration tests for openssl_certificate: selfsigned_not_before/after and ownca_not_before/after (cherry picked from commit 5b1c685)
* openssl_certificate, fixed has_expired to check the cert expiration date (#53168) (cherry picked from commit d5d92e4)
* Use fixed timestamp in past instead of relative time (relative times are a feature of devel).
* Add changelog for #47508.
SUMMARY
has_expired was not actually checking the certificate expiration, and had an issue with older versions of the pyOpenSSL package which was incorrectly verifying the expiry date. Also adds tests for this case.
Fixes #51267
ISSUE TYPE
COMPONENT NAME
openssl_certificate
ADDITIONAL INFORMATION
N/A
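The has_expired semantics described in this PR, as an added standard-library example that is not the Ansible module's code. The names parse_not_after and check_has_expired are hypothetical, the input is assumed to be in the YYYYMMDDhhmmssZ form that pyOpenSSL's get_notAfter() returns, and treating an unreadable date as a failed check is a choice made for this example.

```python
from datetime import datetime, timezone

# Assumed input form, e.g. b"20190301120000Z" (what get_notAfter() returns)
ASN1_TIME_FORMAT = "%Y%m%d%H%M%SZ"


def parse_not_after(raw):
    """Turn a notAfter value (bytes or str) into an aware UTC datetime."""
    if raw is None:
        raise ValueError("certificate has no notAfter field")
    text = raw.decode("ascii") if isinstance(raw, bytes) else raw
    # strptime raises ValueError on anything that is not YYYYMMDDhhmmssZ
    return datetime.strptime(text, ASN1_TIME_FORMAT).replace(tzinfo=timezone.utc)


def check_has_expired(raw_not_after, expected_expired, now=None):
    """Return a list of failure messages; an empty list means the check holds.

    expected_expired=True asserts the certificate is expired,
    expected_expired=False asserts it is still valid.
    """
    now = now or datetime.now(timezone.utc)
    try:
        not_after = parse_not_after(raw_not_after)
    except ValueError as exc:
        # Fail closed: an unreadable expiry date never satisfies the check.
        return ["Certificate expiration check failed (%s)" % exc]
    cert_expired = not_after < now
    if cert_expired != expected_expired:
        # Report the value computed here, not a library's own has_expired().
        return [
            "Certificate expiration check failed "
            "(certificate expiration is %s, expected %s)" % (cert_expired, expected_expired)
        ]
    return []


if __name__ == "__main__":
    # Constructed sample values, not taken from a real certificate.
    fixed_now = datetime(2019, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    samples = [(b"20180101000000Z", True), (b"20180101000000Z", False),
               (b"20300101000000Z", False), (None, False)]
    for raw, expected in samples:
        print(raw, expected, check_has_expired(raw, expected, now=fixed_now))
```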