From fa8b58fb33624518894339505c1214d599d00e7a Mon Sep 17 00:00:00 2001 From: Dimitri Savineau Date: Mon, 9 Aug 2021 10:33:40 -0400 Subject: [PATCH] ceph-dashboard: fix TLS cert openssl generation With OpenSSL version prior 1.1.1 (like CentOS 7 with 1.0.2k), the -addext doesn't exist. As a solution, this uses the default openssl.cnf configuration file as a template and add the subjectAltName in the v3_ca section. This temp openssl configuration file is removed after the TLS certificate creation. This patch also move the run_once statement at the block level. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1978869 Signed-off-by: Dimitri Savineau (cherry picked from commit 5e0ace7e5493f7d8299155e915435691a0f1a007) --- .../tasks/configure_dashboard.yml | 29 ++++++++++++++++--- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/roles/ceph-dashboard/tasks/configure_dashboard.yml b/roles/ceph-dashboard/tasks/configure_dashboard.yml index 5b197e09c3..b75710fb4a 100644 --- a/roles/ceph-dashboard/tasks/configure_dashboard.yml +++ b/roles/ceph-dashboard/tasks/configure_dashboard.yml @@ -64,6 +64,7 @@ - name: generate and copy self-signed certificate when: dashboard_key | length == 0 or dashboard_crt | length == 0 + run_once: true block: - name: set_fact subj_alt_names set_fact: @@ -71,13 +72,34 @@ {% for host in groups[mgr_group_name] | default(groups[mon_group_name]) -%} DNS:{{ hostvars[host]['ansible_facts']['hostname'] }},DNS:{{ hostvars[host]['ansible_facts']['fqdn'] }},IP:{{ hostvars[host]['dashboard_server_addr'] }}{% if not loop.last %},{% endif %} {%- endfor -%} - run_once: true + + - name: create tempfile for openssl certificate and key generation + tempfile: + state: file + register: openssl_config_file + + - name: copy the openssl configuration file + copy: + src: "{{ '/etc/pki/tls/openssl.cnf' if ansible_facts['os_family'] == 'RedHat' else '/etc/ssl/openssl.cnf' }}" + dest: '{{ openssl_config_file.path }}' + remote_src: true + + - name: add subjectAltName to the openssl configuration + ini_file: + path: '{{ openssl_config_file.path }}' + section: v3_ca + option: subjectAltName + value: '{{ subj_alt_names | trim }}' - name: generate a Self Signed OpenSSL certificate for dashboard shell: | test -f /etc/ceph/ceph-dashboard.key -a -f /etc/ceph/ceph-dashboard.crt || \ - openssl req -new -nodes -x509 -subj '/O=IT/CN={{ dashboard_certificate_cn }}/' -addext 'subjectAltName={{ subj_alt_names | trim }}' -days 3650 -keyout /etc/ceph/ceph-dashboard.key -out /etc/ceph/ceph-dashboard.crt -extensions v3_ca - run_once: True + openssl req -new -nodes -x509 -subj '/O=IT/CN={{ dashboard_certificate_cn }}/' -config {{ openssl_config_file.path }} -days 3650 -keyout /etc/ceph/ceph-dashboard.key -out /etc/ceph/ceph-dashboard.crt -extensions v3_ca + + - name: remove the openssl tempfile + file: + path: '{{ openssl_config_file.path }}' + state: absent - name: slurp self-signed generated certificate for dashboard slurp: @@ -96,7 +118,6 @@ group: "{{ ceph_uid }}" mode: "{{ '0600' if item.0.source.split('.')[-1] == 'key' else '0664' }}" delegate_to: "{{ item.1 }}" - run_once: True with_nested: - "{{ slurp_self_signed_crt.results }}" - "{{ groups[mon_group_name] }}"