F5Networks / f5-ansible

Imperative Ansible modules for F5 BIG-IP products
GNU General Public License v3.0

bigip_ssl_certificate doesn't delete certificates if 'is_bundle': 'yes' #2184

Open jalbai opened 2 years ago

jalbai commented 2 years ago
COMPONENT NAME

bigip_ssl_certificate

ANSIBLE VERSION

ansible-playbook [core 2.12.1]
  python version = 3.8.12 (default, Sep 21 2021, 00:10:52) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)]
  jinja version = 3.0.3
  libyaml = True

BIGIP VERSION

Sys::Version
Main Package
  Product     BIG-IP
  Version     13.1.1.5
  Build       0.0.4
  Edition     Point Release 5
  Date        Wed Apr 24 21:26:13 PDT 2019

CONFIGURATION

    - name: Delete expired SSL certificates
      bigip_ssl_certificate:
        name: <cert name>
        state: absent
        provider: "{{credentials}}"
      delegate_to: localhost

OS / ENVIRONMENT

CentOS Stream release 8

SUMMARY

The module deletes SSL certificates only if they have the option is_bundle : no.

If option is 'is_bundle': 'yes', the certificate is not deleted.

STEPS TO REPRODUCE

PLAY [Start Playbook ] ****

TASK [Delete expired SSL certificates] ****
ok: [1.1.1.1 -> localhost]

PLAY RECAP ****
1.1.1.1 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

trinaths commented 2 years ago

@jalbai - Please provide the playbook that is failing to retry this issue.

jalbai commented 2 years ago

Hi

The playbook is in the main message

trinaths commented 2 years ago

@jalbai - I don't see the is_bundle option.

jalbai commented 2 years ago

This is the option in the certificate


oniGino commented 2 years ago

I am also having this issue in collection 1.17 with bigip_ssl_certificate and bigip_ssl_key

KrithikaChidambaram commented 1 year ago

Hi, internal ID to track this item is: INFRAANO-983, thanks!

wojtek0806 commented 8 months ago

I have tested with the latest devel and I see no issue:

{
    "kind": "tm:sys:file:ssl-cert:ssl-certstate",
    "name": "test_bundle",
    "partition": "Common",
    "fullPath": "/Common/test_bundle",
    "generation": 2462,
    "selfLink": "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~test_bundle?ver=16.1.3.3",
    "certificateKeyCurveName": "none",
    "certificateKeySize": 2048,
    "checksum": "SHA1:8134:9fbb071e91ed77960d197fc5714c4adbfd085e96",
    "createTime": "2024-02-08T08:58:26Z",
    "createdBy": "admin",
    "expirationDate": 1738918407,
    "expirationString": "Feb  7 08:53:27 2025 GMT",
    "fingerprint": "SHA256/90:F0:D6:21:16:1E:47:C5:E7:15:84:EB:93:FB:CD:F0:A1:93:C0:3F:2C:27:82:2F:4B:7C:CE:68:F2:59:1A:34",
    "isBundle": "true",
    "issuer": "C=US",
    "keyType": "rsa-public",
    "lastUpdateTime": "2024-02-08T08:58:26Z",
    "mode": 33188,
    "revision": 1,
    "serialNumber": "ed:8b:48:57:c2:68:d2:fc",
    "size": 8134,
    "subject": "C=US",
    "updatedBy": "admin",
    "version": 1,
    "bundleCertificatesReference": {
        "link": "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~test_bundle/bundle-certificates?ver=16.1.3.3",
        "isSubcollection": true
    },
    "certValidatorsReference": {
        "link": "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~test_bundle/cert-validators?ver=16.1.3.3",
        "isSubcollection": true
    }
}

Playbook task:

    - name: Delete bundled cert
      bigip_ssl_certificate:
        state: absent
        name: test_bundle
        true_names: yes
        provider: "{{ provider }}"

Playbook run:

changed: [bigip_16_1] => {
    "changed": true,
    "invocation": {
        "module_args": {
            "content": null,
            "issuer_cert": null,
            "name": "test_bundle",
            "partition": "Common",
            "provider": {
                "auth_provider": null,
                "no_f5_teem": true,
                "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "server": "<redacted>",
                "server_port": <redacted>,
                "timeout": null,
                "transport": "rest",
                "user": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "validate_certs": false
            },
            "state": "absent",
            "true_names": true
        }
    }
}

PLAY RECAP ********************************************************************************************************************************************************************************************************************************************************************************************************
bigip_16_1                 : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

Verified in API after playbook run:

{
    "code": 404,
    "message": "01020036:3: The requested Certificate File (/Common/test_bundle) was not found.",
    "errorStack": [],
    "apiError": 3
}
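
An added example (not part of the thread and not the project's own code) that automates the manual check from the last comment: delete the certificate, then query the `ssl-cert` iControl REST path shown in the JSON above and fail unless it returns 404, so an `ok` / `changed=0` result cannot hide an expired certificate that is still installed. The variables `bigip_host`, `bigip_user`, `bigip_password`, `cert_name` and `cert_partition` are assumptions, and basic authentication against the REST API is assumed to be permitted.

```yaml
# Added example: verify that state=absent really removed the certificate.
# bigip_host, bigip_user and bigip_password are hypothetical variables
# supplied from inventory or a vault.
- name: Delete a certificate and confirm it is gone
  hosts: localhost
  gather_facts: false
  vars:
    cert_name: test_bundle        # constructed sample value
    cert_partition: Common
    cert_url: "https://{{ bigip_host }}/mgmt/tm/sys/file/ssl-cert/~{{ cert_partition }}~{{ cert_name }}"
    provider:
      server: "{{ bigip_host }}"
      user: "{{ bigip_user }}"
      password: "{{ bigip_password }}"
      validate_certs: true
  tasks:
    - name: Delete the certificate
      bigip_ssl_certificate:
        name: "{{ cert_name }}"
        partition: "{{ cert_partition }}"
        true_names: true          # same setting as the task in the last comment
        state: absent
        provider: "{{ provider }}"
      register: delete_result

    - name: Ask iControl REST whether the object still exists
      ansible.builtin.uri:
        url: "{{ cert_url }}"
        method: GET
        url_username: "{{ bigip_user }}"
        url_password: "{{ bigip_password }}"
        force_basic_auth: true
        validate_certs: true
        status_code: [200, 404]   # both are valid answers; anything else fails here
      register: lookup

    - name: Fail if the object is still present, whatever the module reported
      ansible.builtin.assert:
        that:
          - lookup.status == 404
        fail_msg: >-
          {{ cert_name }} still exists
          (isBundle={{ (lookup.json | default({})).isBundle | default('unknown') }},
          module changed={{ delete_result.changed }})
        success_msg: "{{ cert_name }} is absent from {{ cert_partition }}"
```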