Venafi / ansible-collection-venafi

Ansible collection for managing machine identities (certificates and keys) using Venafi
Apache License 2.0

Default values not being assigned if they are not specified in the playbook file #23

Open ricrodriguezg opened 2 years ago

ricrodriguezg commented 2 years ago

PROBLEM SUMMARY

When not specified, the options certificate_privatekey_type and certificate_privatekey_size are not being set by default by the certificate role when requesting a new certificate.

STEPS TO REPRODUCE

Request a certificate using the certificate role without certificate_privatekey_type and certificate_privatekey_size:

```yaml
---
- name: Generate and Install cert
  hosts: all
  collections: venafi.machine_identity

  vars_files:
    - variables.yml
  tasks:
    - name: Calling Venafi role
      include_role:
        name: certificate
        apply:
          delegate_to: localhost
      vars:
        certificate_common_name: "{{ cert_name }}"
        certificate_copy_private_key_to_remote: false
        certificate_chain_option: "last"
        certificate_cert_dir: "{{ cert_path }}/{{ certificate_common_name }}"
        certificate_remote_execution: false
```

EXPECTED RESULTS

The task fails with the following error:

```text
"msg": "Certificate file does not exist | Private key file does not contain a valid private key | Private key file does not contain a valid private key"
```

ACTUAL RESULTS

The task fails with the following error:

```text
fatal: [hostname -> localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "access_token": "",
            "alt_name": [],
            "attributes": null,
            "before_expired_hours": 72,
            "cert_path": "/tmp/my.cert.example.pem",
            "chain_option": "last",
            "chain_path": "/tmp//tmp/my.cert.example.pem",
            "common_name": "my.cert.example",
            "csr_origin": "local",
            "csr_path": "/tmp/my.cert.example.csr",
            "custom_fields": null,
            "force": false,
            "group": null,
            "issuer_hint": "DEFAULT",
            "mode": null,
            "owner": null,
            "password": "",
            "path": "/tmp/my.cert.example.pem",
            "privatekey_curve": null,
            "privatekey_passphrase": null,
            "privatekey_path": "/tmp/my.cert.example.key",
            "privatekey_reuse": true,
            "privatekey_size": null,
            "privatekey_type": null,
            "renew": true,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "state": "present",
            "test_mode": false,
            "token": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "trust_bundle": null,
            "unsafe_writes": false,
            "url": "",
            "use_pkcs12_format": false,
            "user": "",
            "validity_hours": null,
            "zone": "App\\mycit"
        }
    },
    "msg": "Certificate file does not exist | Private key file does not contain a valid private key | Private key file does not contain a valid private key"
}
```

ENVIRONMENT DETAILS

```text
ansible [core 2.12.3]
  config file = None
  configured module search path = ['/home/ricrodriguez/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ricrodriguez/venvs/ansible-venafi/lib/python3.9/site-packages/ansible
  ansible collection location = /home/ricrodriguez/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ricrodriguez/venvs/ansible-venafi/bin/ansible
  python version = 3.9.10 (main, Feb 22 2022, 13:54:07) [GCC 11.2.0]
  jinja version = 3.0.1
  libyaml = True
```

Machine Identity collection: 0.8.0

COMMENTS/WORKAROUNDS

Add the options to the playbook:

```yaml
---
- name: Generate and Install cert
  hosts: all
  collections: venafi.machine_identity

  vars_files:
    - variables.yml
  tasks:
    - name: Calling Venafi role
      include_role:
        name: certificate
        apply:
          delegate_to: localhost
      vars:
        certificate_common_name: "{{ cert_name }}"
        certificate_copy_private_key_to_remote: false
        certificate_privatekey_type: "RSA"
        certificate_privatekey_size: "2048"
        certificate_chain_option: "last"
        certificate_cert_dir: "{{ cert_path }}/{{ certificate_common_name }}"
        certificate_remote_execution: false
```

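
An added example, not code from the original issue or from the Venafi collection: the same workaround, with an `ansible.builtin.assert` task placed before the role so the play fails with a clear message when the private key parameters are missing or weak, instead of surfacing later as the "Private key file does not contain a valid private key" error above. It assumes `cert_name` and `cert_path` are defined in `variables.yml`, as in the report; the accepted key type list `['RSA', 'ECDSA']` is an assumption and should be adjusted to the choices documented for the collection's certificate module.

```yaml
---
# Added example, not code from the Venafi collection or the original issue:
# the workaround from the report, plus an assert task that fails the play
# before the role runs if the private key parameters are missing or weak.
# 'cert_name' and 'cert_path' are assumed to be defined in variables.yml, as
# in the report. The accepted key types below are an assumption; adjust them
# to the choices documented for the collection's certificate module.
- name: Generate and Install cert with explicit, validated key parameters
  hosts: all
  collections:
    - venafi.machine_identity

  vars_files:
    - variables.yml

  vars:
    # Set explicitly: the issue shows these reach the module as null when
    # they are left out of the playbook.
    certificate_privatekey_type: "RSA"
    certificate_privatekey_size: 2048

  tasks:
    - name: Refuse to request a certificate with missing or weak key parameters
      ansible.builtin.assert:
        that:
          - certificate_privatekey_type is defined
          - certificate_privatekey_type in ['RSA', 'ECDSA']
          # RSA below 2048 bits is rejected; '| int' also accepts the quoted
          # "2048" used in the workaround above.
          - certificate_privatekey_type != 'RSA' or (certificate_privatekey_size | int) >= 2048
        fail_msg: >-
          certificate_privatekey_type and certificate_privatekey_size must be set
          explicitly, and RSA keys must be at least 2048 bits
      delegate_to: localhost
      run_once: true

    - name: Calling Venafi role
      include_role:
        name: certificate
        apply:
          delegate_to: localhost
      vars:
        certificate_common_name: "{{ cert_name }}"
        certificate_copy_private_key_to_remote: false
        certificate_chain_option: "last"
        certificate_cert_dir: "{{ cert_path }}/{{ certificate_common_name }}"
        certificate_remote_execution: false
```

The assert runs once on the controller because the role itself is delegated to localhost; if the key parameters come from inventory or group vars instead of play `vars`, the same checks still apply, and the play stops before any CSR is generated with an undefined or undersized key.
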
cdmadrigal commented 2 years ago

Seems like this bug doesn't apply to deployments done on a Mac. Environment Details:

```text
ansible [core 2.12.3]
  config file = None
  configured module search path = ['/Users/cris.madrigal/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.8/site-packages/ansible
  ansible collection location = /Users/cris.madrigal/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.8.12 (default, Oct 13 2021, 06:42:42) [Clang 13.0.0 (clang-1300.0.29.3)]
  jinja version = 2.11.2
  libyaml = True
```

AaronJaegerVA commented 2 years ago

We got the error

```text
"msg": "Certificate file does not exist | Private key file does not contain a valid private key | Private key file does not contain a valid private key"
```

when the Private Key was not "Stored in Software" in Venafi like this:

(screenshot attached in the original comment)

Shmooty commented 1 year ago

Same issue experienced here, and resolved with the workaround of explicitly providing the privatekey fields.