Venafi / ansible-role-venafi

(END-OF-LIFE) Ansible Role that uses Venafi to streamline machine identity (certificate and key) acquisition.
Apache License 2.0

Unable to renew a certificate if the certificate exists in the destination directory #17

Closed jmeldrum76 closed 3 years ago

jmeldrum76 commented 4 years ago

**PROBLEM SUMMARY**
Unable to renew a certificate if the certificate exists in the destination directory

**STEPS TO REPRODUCE**

1. Install Ansible and vcert using the default instructions from the readme.
2. Create Credentials.yml file. Example:

   ```yaml
   user: 'myuser'
   password: 'mypassword'
   url: 'https://venafi_server/vedsdk/'
   zone: "Demo\APIs\Ansible"
   trust_bundle: "/home/venafilab/ansible/venafilab_trust_bundle.pem"
   ```

3. Create Sample.yml
4. Run playbook: `ansible-playbook sample.yml`
5. Certificate will be created since this is the first time you have requested it.
6. Now re-run the playbook again (this should renew the cert) and you will see that there is no renewal that takes place.
7. Now remove the certificates from the /tmp/etc/ssl/[common_name] directory.
8. Re-run the playbook and you will see that renewal has taken place.

**EXPECTED RESULTS**
See steps above

**ACTUAL RESULTS**
I would expect that the renewal takes place regardless of whether the certificate is present on the machine or not.

**ENVIRONMENT DETAILS**
vcert=0.6.8
Ansible=0.2.1
Python=2.7.15+
Ubuntu=18.0.4

**COMMENTS/WORKAROUNDS**

tr1ck3r commented 4 years ago

@jmeldrum76 I think what you've described here is the desired behavior. We only want to renew certificates when they need to be (i.e. they're close to expiring). That said, I'm not sure we have implemented the renewal functionality for this project since we've not had any requests for it until now.

tr1ck3r commented 4 years ago

@jmeldrum76 We have now implemented the renewal functionality I mentioned in my previous comment (https://github.com/Venafi/ansible-role-venafi/pull/19). By default certificates will be renewed if they are within 72 hours of expiration. You can override the default using the before_expired_hours role parameter and also prevent renewal from happening by setting the renew role parameter to false. Please confirm this result when you have a chance to test again.
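The thread above describes three outcomes for the role: request a certificate when none exists in the destination directory, leave an existing certificate alone (no change on re-run), and renew it only once it is within `before_expired_hours` of its notAfter date (72 by default), with `renew: false` switching renewal off entirely. The following is an added example, written for this page and not code from the ansible-role-venafi project, that models that decision so the idempotent behaviour can be checked against concrete dates. It assumes the notAfter value arrives as the DER time string found in an X.509 Validity field (UTCTime or GeneralizedTime); the `decide` function, the `ROLE_VARS_DEFAULT` dict shape and the `DEMO_NOW` timestamp are constructed for the example, only the two parameter names come from the thread.

```python
"""Model of the renewal decision described in the thread (added example, not
the role's own code): an existing certificate is left alone unless it is within
`before_expired_hours` of expiry; `renew: false` disables renewal altogether."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed defaults. The parameter names match the thread; the dict shape
# is an assumption made for this example.
ROLE_VARS_DEFAULT = {"renew": True, "before_expired_hours": 72}

# Constructed "current time" so the example and its checks are deterministic.
DEMO_NOW = datetime(2024, 1, 10, 0, 0, 0, tzinfo=timezone.utc)

_UTC_TIME = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")
_GEN_TIME = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def parse_x509_time(value: str) -> datetime:
    """Parse a Validity time as encoded in DER (RFC 5280 section 4.1.2.5).

    Dates through 2049 are UTCTime (YYMMDDHHMMSSZ); the two-digit year reads
    as 19YY when YY >= 50 and 20YY otherwise. Later dates are GeneralizedTime
    (YYYYMMDDHHMMSSZ). Both are always expressed in UTC ("Z").
    """
    m = _UTC_TIME.match(value)
    if m:
        yy, mo, d, h, mi, s = (int(g) for g in m.groups())
        year = 1900 + yy if yy >= 50 else 2000 + yy
        return datetime(year, mo, d, h, mi, s, tzinfo=timezone.utc)
    m = _GEN_TIME.match(value)
    if m:
        y, mo, d, h, mi, s = (int(g) for g in m.groups())
        return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)
    raise ValueError(f"not an X.509 UTCTime/GeneralizedTime: {value!r}")


def decide(cert_not_after: Optional[str], now: datetime, role_vars=None) -> str:
    """Return 'request', 'renew' or 'skip' for one playbook run.

    cert_not_after is None when no certificate exists in the destination
    directory (the thread's step 7), otherwise the notAfter of the existing
    certificate. An already-expired certificate is treated as due for renewal.
    """
    vars_ = {**ROLE_VARS_DEFAULT, **(role_vars or {})}
    if cert_not_after is None:
        return "request"          # first run, or files removed: request a new one
    if not vars_["renew"]:
        return "skip"             # renew: false never touches an existing cert
    window = timedelta(hours=int(vars_["before_expired_hours"]))
    not_after = parse_x509_time(cert_not_after)
    if not_after - now <= window:
        return "renew"            # within the window (or past expiry)
    return "skip"                 # valid and not close to expiry: no change


if __name__ == "__main__":
    # Constructed scenarios around DEMO_NOW (2024-01-10 00:00 UTC).
    scenarios = [
        ("no certificate on disk", None, {}),
        ("expires in 60h, default window", "240112120000Z", {}),
        ("expires in 60h, window 24h", "240112120000Z", {"before_expired_hours": 24}),
        ("expires in 60h, renew disabled", "240112120000Z", {"renew": False}),
        ("expires in five months", "240601000000Z", {}),
        ("already expired", "240101000000Z", {}),
    ]
    for label, not_after, vars_ in scenarios:
        print(f"{label:38s} -> {decide(not_after, DEMO_NOW, vars_)}")
```

Run as a script it prints one decision per scenario. The "expires in five months" case reproduces what the original report observed: re-running with a healthy certificate present is a no-op, which is the intended idempotent behaviour rather than a failure to renew. The UTCTime pivot is worth keeping in any real check, since a certificate with a 2049 notAfter and one with a 1950 notAfter differ only in how the two-digit year is interpreted.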