
x509_certificate (ownca) to be regenerated on parent cert change #400

Closed
shk3bq4d opened this issue Feb 11, 2022 · 2 comments · Fixed by #402
Labels
bug Something isn't working

Comments

@shk3bq4d

shk3bq4d commented Feb 11, 2022

SUMMARY

Hello,

Maybe my understanding of certificates is incomplete, but I have a playbook where I'm updating a Root CA's CN and I was expecting a subsequent change to a child certificate, which did not happen.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

x509_certificate

ansible [core 2.12.2]
  python version = 3.8.10 (default, Nov 26 2021, 20:14:08) [GCC 9.3.0]
COLLECTION VERSION
Collection         Version
------------------ -------
community.crypto   2.2.1

cryptography==36.0.1
STEPS TO REPRODUCE
- hosts: localhost
  connection: local
  gather_facts: no

  vars:

    root_csr: &root_csr
      path:            /tmp/a_root.csr
      privatekey_path: /tmp/a_root.key

    root_crt: &root_crt
      path:            /tmp/a_root.crt
      csr_path:        /tmp/a_root.csr
      privatekey_path: /tmp/a_root.key
      provider:        selfsigned

    cert_crt: &cert_crt
      path:                  /tmp/b_cert.crt
      csr_path:              /tmp/b_cert.csr
      ownca_path:            /tmp/a_root.crt
      ownca_privatekey_path: /tmp/a_root.key
      provider:               ownca

  tasks:

    - name: Setup - generate all private keys
      community.crypto.openssl_privatekey:
        path: /tmp/{{ item }}
      with_items:
        - a_root.key
        - b_cert.key

    - name: generate root csr first time
      community.crypto.openssl_csr:
        <<: *root_csr
        common_name: initial root CN

    - name: generate root CA cert first time
      community.crypto.x509_certificate: *root_crt

    - name: generate leaf cert CSR
      community.crypto.openssl_csr:
        path:            /tmp/b_cert.csr
        privatekey_path: /tmp/b_cert.key
        common_name:     leaf certificate

    - name: Generate leaf cert first time
      community.crypto.x509_certificate: *cert_crt

    - name: updates root csr
      community.crypto.openssl_csr:
        <<: *root_csr
        common_name:     this is a new root CN

    - name: updates root crt
      community.crypto.x509_certificate: *root_crt

    - name: reapply cert args
      register: reapply_cert_args
      community.crypto.x509_certificate: *cert_crt

    - name: One would expect that having updated the root certificate CN would result to a refresh of the leaf certificate
      assert:
        that: reapply_cert_args.changed
EXPECTED RESULTS

The assertion passes (i.e. the child certificate gets regenerated because the root CA's CN has been updated).

ACTUAL RESULTS

The assertion fails.
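The check the `ownca` provider has to perform to notice the scenario above, written as an added example in plain Python with the `cryptography` library (this is not code from the issue or from community.crypto): a leaf is stale if its issuer name no longer matches the CA's subject, or if its signature no longer verifies under the CA's current key. Key type (EC P-256) and the 365-day validity are assumptions of the example.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _build_cert(subject_cn, issuer_cn, subject_key, signing_key):
    """Minimal certificate with only a CN, signed by signing_key (assumed EC key)."""
    now = datetime.datetime.utcnow()
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .sign(signing_key, hashes.SHA256())
    )


def leaf_needs_regeneration(leaf, ca):
    """True when `leaf` was not issued by the CA certificate `ca` as it exists now."""
    # Check 1: the issuer name baked into the leaf must equal the CA's current subject.
    if leaf.issuer != ca.subject:
        return True
    # Check 2: the leaf's signature must verify under the CA's current public key.
    try:
        ca.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                               ec.ECDSA(leaf.signature_hash_algorithm))
    except InvalidSignature:
        return True
    return False


def reproduce():
    """Replays the issue's playbook: CA re-issued with a new CN but the same key."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    ca_v1 = _build_cert("initial root CN", "initial root CN", ca_key, ca_key)
    leaf = _build_cert("leaf certificate", "initial root CN", leaf_key, ca_key)
    ca_v2 = _build_cert("this is a new root CN", "this is a new root CN", ca_key, ca_key)
    # Same CN as v1 but a fresh key: only the signature check catches this one.
    ca_v3 = _build_cert("initial root CN", "initial root CN",
                        ec.generate_private_key(ec.SECP256R1()),
                        ec.generate_private_key(ec.SECP256R1()))
    return (leaf_needs_regeneration(leaf, ca_v1),   # False: still valid
            leaf_needs_regeneration(leaf, ca_v2),   # True: issuer CN changed
            leaf_needs_regeneration(leaf, ca_v3))   # True: CA key changed
```

Comparing only the CN (check 1) is what catches the issue's playbook; the signature check is what catches a CA that was re-keyed without changing its subject.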

@felixfontein
Contributor

Thanks for your report! #402 should fix this.

@shk3bq4d
Author

Thank you for your work and reactivity!

I'm glad to hear it, as I was scratching my head when tweaking my test scenario for #399 and replaying the playbook multiple times before adding a bunch of conditional "force" options that looked ugly to me.
