ansible-collections / netapp.ontap

Ansible collection to support NetApp ONTAP configuration.
https://galaxy.ansible.com/netapp/ontap
GNU General Public License v3.0

na_ontap_security_certificates - can't install new certificate with the same Common Name #39

Closed mamoep closed 2 years ago

mamoep commented 2 years ago

Summary

For HTTPS access to the ONTAP cluster I have installed a certificate from our company PKI. I wanted to automate the process of certificate renewal. For this I need to install a new certificate with the same Common Name as the existing certificate, but the module always returns OK and does nothing.

Component Name

na_ontap_security_certificates

Ansible Version

$ ansible --version
ansible 2.9.25
  config file = /home/user/ansible/ansible.cfg
  configured module search path = [u'/home/user/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Aug 13 2020, 02:51:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]

ONTAP Collection Version

$ ansible-galaxy collection list
21.13.0

ONTAP Version

NetApp Release 9.8P7: Tue Sep 14 18:38:58 UTC 2021

Playbook

- name: Import new certificate to ONTAP
  na_ontap_security_certificates:
    <<: *login
    common_name: "{{ cluster }}"
    public_certificate: "{{ certificate }}"
    private_key: "{{ key }}"
    intermediate_certificates: "{{ issuer }}"
    type: server
    use_rest: always
  connection: local

Steps to Reproduce

Expected Results

Import of the new certificate.

Actual Results

{
    "invocation": {
        "module_args": {
            "username": "admin",
            "private_key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "key_filepath": null,
            "intermediate_certificates": [
                "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"
            ],
            "feature_flags": {},
            "hash_function": null,
            "common_name": "cluster.local",
            "ontapi": null,
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "cert_filepath": null,
            "svm": null,
            "http_port": null,
            "expiry_time": null,
            "name": null,
            "validate_certs": true,
            "hostname": "cluster.local",
            "state": "present",
            "key_size": null,
            "signing_request": null,
            "public_certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
            "https": true,
            "ignore_name_if_not_supported": true,
            "type": "server",
            "use_rest": "always"
        }
    },
    "changed": false,
    "_ansible_no_log": false
}

lonico commented 2 years ago

Can you use a name? I see "name": null. It is a limitation of 9.6 and 9.7 that name is not supported. But with 9.8, you could use a different name for the new certificate. And then remove the old certificate.
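The renewal flow described in this comment, written out as an added playbook example that is not from the issue or the collection's own documentation. It assumes ONTAP 9.8 or later (where the name parameter is accepted), and the cluster, ontap_user, ontap_password, certificate, key, issuer and old_cert_name variables as well as the date-based naming scheme are assumptions.

```yaml
# Added example (not from the issue or the netapp.ontap collection docs).
# Assumes ONTAP 9.8+, since `name` is rejected by the 9.6/9.7 REST API,
# and that the PEM material and login details are supplied as variables.
- name: Renew the cluster HTTPS certificate under a new name
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    login: &login
      hostname: "{{ cluster }}"
      username: "{{ ontap_user }}"
      password: "{{ ontap_password }}"
      https: true
      validate_certs: true
    # A per-import unique name; the date suffix keeps it from colliding
    # with the entry that still carries the same Common Name.
    new_cert_name: "{{ cluster }}-{{ lookup('pipe', 'date +%Y%m%d') }}"
  tasks:
    - name: Import the renewed certificate (same CN, distinct name)
      netapp.ontap.na_ontap_security_certificates:
        <<: *login
        name: "{{ new_cert_name }}"
        common_name: "{{ cluster }}"
        type: server
        public_certificate: "{{ certificate }}"
        private_key: "{{ key }}"
        intermediate_certificates: "{{ issuer }}"
        use_rest: always
        state: present

    # Making the new certificate the active one for the HTTPS listener
    # (security ssl modify on the ONTAP CLI) is a separate step not shown
    # here; remove the old entry only after that switch, so clients never
    # see the management interface without a trusted certificate.
    - name: Remove the previous certificate by its name
      netapp.ontap.na_ontap_security_certificates:
        <<: *login
        name: "{{ old_cert_name }}"
        type: server
        use_rest: always
        state: absent
```

Record the name you chose for each import (for example in inventory variables), because the next renewal run needs it as old_cert_name to find the entry to delete.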

mamoep commented 2 years ago

Using the name option works indeed. Thank you! I also encountered bug #28.