StackStorm / ansible-st2

Ansible Roles and Playbooks to deploy StackStorm
https://galaxy.ansible.com/StackStorm/stackstorm/
Apache License 2.0

Generate self-signed certificates with subject alternative name #300

Open winem opened 3 years ago

winem commented 3 years ago

Now we create self-signed certificates with a SubjectAlternativeName as requested in #293

The openssl version shipped on RedHat/CentOS7 is too old and does not support passing the SAN attributes on the command line, so it needs an extra configuration file.

close #293

winem commented 3 years ago

Converted the PR to a draft until I had time to look into the CentOS7 issues Travis has.

amanda11 commented 3 years ago

Looks to be an idempotency problem on centos 7, so on second run it complains about 2 changed tasks:

       TASK [StackStorm.st2web : Render openssl.cnf] **********************************
       task path: /tmp/kitchen/roles/StackStorm.st2web/tasks/certificate.yml:52
       changed: [localhost] => {"changed": true, "checksum": "7b77c4f29a6c66a722d2c53573a08901b3a7ad69", "dest": "/tmp/openssl.cnf", "gid": 0, "group": "root", "md5sum": "bb1d9954d249261171b878a51804d03a", "mode": "0644", "owner": "root", "size": 233, "src": "/root/.ansible/tmp/ansible-tmp-1626572239.45-7002-193383408367893/source", "state": "file", "uid": 0}

       TASK [StackStorm.st2web : Generate self-signed SSL certificate on RedHat 7] ****
       task path: /tmp/kitchen/roles/StackStorm.st2web/tasks/certificate.yml:57
       ok: [localhost] => {"changed": false, "cmd": "openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/st2/st2.key -out /etc/ssl/st2/st2.crt -days 365 -nodes -subj \"/C=US/ST=California/L=Palo Alto/O=StackStorm/OU=Information Technology/CN=$(hostname)\" -config /tmp/openssl.cnf", "rc": 0, "stdout": "skipped, since /etc/ssl/st2/st2.key exists", "stdout_lines": ["skipped, since /etc/ssl/st2/st2.key exists"]}

       TASK [StackStorm.st2web : Delete the openssl.cnf] ******************************
       task path: /tmp/kitchen/roles/StackStorm.st2web/tasks/certificate.yml:63
       changed: [localhost] => {"changed": true, "path": "/tmp/openssl.cnf", "state": "absent"}

The new tasks for Redhat7 as they stand will always create the temp file /tmp/openssl.cnf and delete it - so will fail the idempotency test. Perhaps add a when on the first one so that it only does it if /etc/ssl/st2/st2.key doesn't exist?
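As an added illustration of the pattern being discussed (example tasks written for this page, not the role's own certificate.yml): the render and delete tasks are guarded by a `stat` of the key, so on a second run none of the three tasks report a change, and the SAN is carried in a temporary openssl.cnf because the RedHat 7 openssl cannot take it on the command line. Variable names (`ansible_fqdn`, `ansible_hostname`) are standard Ansible facts; the paths and subject match the log above but are assumptions here.

```yaml
# Example tasks (not part of the StackStorm.st2web role): idempotent self-signed
# certificate with a SubjectAlternativeName on RedHat/CentOS 7.
- name: Check whether the st2 key already exists
  stat:
    path: /etc/ssl/st2/st2.key
  register: st2_key

# Only rendered when the key is absent, so a second run does not report a change.
- name: Render a temporary openssl.cnf carrying the SubjectAlternativeName
  copy:
    dest: /tmp/openssl.cnf
    mode: "0600"          # config is short-lived; keep it unreadable to other users
    content: |
      [req]
      distinguished_name = req_distinguished_name
      x509_extensions    = v3_req
      [req_distinguished_name]
      # subject is supplied with -subj on the command line
      [v3_req]
      subjectAltName = DNS:{{ ansible_fqdn }},DNS:{{ ansible_hostname }}
  when: not st2_key.stat.exists

# 'creates' makes openssl a no-op when the key exists; 'when' keeps the task
# consistent with the render/delete tasks around it.
- name: Generate self-signed SSL certificate with SAN on RedHat 7
  command: >
    openssl req -x509 -newkey rsa:2048 -nodes -days 365
    -keyout /etc/ssl/st2/st2.key -out /etc/ssl/st2/st2.crt
    -subj "/C=US/ST=California/L=Palo Alto/O=StackStorm/OU=Information Technology/CN={{ ansible_fqdn }}"
    -config /tmp/openssl.cnf
  args:
    creates: /etc/ssl/st2/st2.key
  when: not st2_key.stat.exists

- name: Delete the temporary openssl.cnf
  file:
    path: /tmp/openssl.cnf
    state: absent
  when: not st2_key.stat.exists
```

On the first run all three tasks change and the certificate carries the SAN; on the second run `st2_key.stat.exists` is true, so the render and delete tasks are skipped rather than reported as changed.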

winem commented 3 years ago

Yes, that'll probably be it. I'll provide an update.

winem commented 2 years ago

I'm happy about (re-)reviews of this PR!

CLAassistant commented 2 years ago

CLA assistant check
All committers have signed the CLA.