
openssl_certificate cannot decrypt ownca privatekey #679

Open
sonnenteich opened this issue Nov 29, 2023 · 3 comments
Labels
enhancement New feature or request wontfix This will not be worked on

Comments

@sonnenteich

SUMMARY

When I try to run the task openssl_certificate in my Ansible playbook with a vault-encrypted ownca_privatekey_path file, I always get the message "Wrong passphrase provided for private key".

When I run the same command with a decrypted ownca_privatekey_path file, it works as it should.

I would expect Ansible to decrypt my ownca_privatekey_path file, but something seems to go wrong.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

crypto.x509_certificate

ANSIBLE VERSION
ansible [core 2.11.6] 
  config file = /home/xxx/.ansible.cfg
  configured module search path = ['/home/xxx/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/dist-packages/ansible
  ansible collection location = /home/xxx/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110]
  jinja version = 3.0.3
  libyaml = True
COLLECTION VERSION

CONFIGURATION
CALLBACKS_ENABLED(/home/xxx/.ansible.cfg) = ['timer']
DEFAULT_FORKS(/home/xxx/.ansible.cfg) = 80
DEFAULT_GATHERING(/home/xxx/.ansible.cfg) = smart
DEFAULT_GATHER_SUBSET(/home/xxx/.ansible.cfg) = ['!facter', '!ohai', '!hardware']
DEFAULT_HOST_LIST(/home/xxx/.ansible.cfg) = ['/home/xxx/ansible/hosts']
DEFAULT_LOG_PATH(/home/xxx/.ansible.cfg) = /home/xxx/ansible.log
DEFAULT_MANAGED_STR(/home/xxx/.ansible.cfg) = Ansible managed file: {file}
DEFAULT_POLL_INTERVAL(/home/xxx/.ansible.cfg) = 1
DEFAULT_ROLES_PATH(/home/xxx/.ansible.cfg) = ['/home/xxx/ansible/machines/roles', '/home/xxx/ansible/users/roles']
DEFAULT_STDOUT_CALLBACK(/home/xxx/.ansible.cfg) = debug
HOST_KEY_CHECKING(/home/xxx/.ansible.cfg) = False
RETRY_FILES_ENABLED(/home/xxx/.ansible.cfg) = False
SHOW_CUSTOM_STATS(/home/xxx/.ansible.cfg) = True
OS / ENVIRONMENT

Debian bullseye

STEPS TO REPRODUCE
- name: Generate an OpenSSL certificate signed with your own CA certificate
  openssl_certificate:
    path: /tmp/certs/internal.crt
    csr_path: /tmp/certs/internal.csr
    ownca_path: roles/ssl/files/ownca/MyCA.crt
    ownca_privatekey_path: roles/ssl/files/ownca/MyCA.key
    ownca_privatekey_passphrase: "{{ SECRET_CA_PASSWORD }}"
    provider: ownca
EXPECTED RESULTS

I expect the passphrase for the private key to be accepted.

ACTUAL RESULTS
fatal: [localhost]: FAILED! => {
    "changed": false
}

MSG:

Wrong passphrase provided for private key
@sonnenteich (Author)

My current workaround is to save the private key content in a variable and use the parameter ownca_privatekey_content.
But I hope there is a better way ;-)

@felixfontein (Contributor)

That's not a workaround, that's the only correct and viable solution to this :)

@felixfontein (Contributor)

Longer answer: modules cannot un-vault. This is only possible for plugins. Some modules like copy do this by not being a real module, but an action plugin combined with a module. Most modules, including all in this collection, do not support vaulted files.
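Concretely, as an added example that is not part of the issue or of the community.crypto collection: the task from the report, rewritten so that the vault-encrypted CA key is read through the controller-side `file` lookup plugin (a plugin, so it can un-vault) and the resulting PEM is handed to ownca_privatekey_content, instead of pointing the module at the vaulted file on the target, where it only sees the vault ciphertext and the key load fails. The paths, the variable SECRET_CA_PASSWORD and the module come from the report; the play header (hosts, connection) and the ansible-vault setup commands in the comments are assumptions.

```yaml
# Added example, not code from the issue or the community.crypto project.
# One-time setup on the controller (assumed shell commands):
#   ansible-vault encrypt roles/ssl/files/ownca/MyCA.key
#   ansible-vault encrypt_string --name SECRET_CA_PASSWORD 'the-PEM-passphrase'
# Two independent layers protect the key: Ansible Vault at rest in the repo,
# and the OpenSSL PEM passphrase on the key material itself.
- name: Issue an internal certificate from the vaulted CA key
  hosts: localhost            # assumption: the report runs against localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Generate an OpenSSL certificate signed with your own CA certificate
      community.crypto.x509_certificate:
        path: /tmp/certs/internal.crt
        csr_path: /tmp/certs/internal.csr
        ownca_path: roles/ssl/files/ownca/MyCA.crt
        # The lookup is evaluated in the controller process, which holds the
        # vault secret, so the module receives plain PEM (still protected by
        # the PEM passphrase) and the CA key is never written to the target.
        ownca_privatekey_content: "{{ lookup('ansible.builtin.file', 'roles/ssl/files/ownca/MyCA.key') }}"
        ownca_privatekey_passphrase: "{{ SECRET_CA_PASSWORD }}"
        provider: ownca
      # Keep the decrypted key and the passphrase out of -v output and out of
      # the log file (this configuration sets DEFAULT_LOG_PATH).
      no_log: true
```

The other un-vaulting route the comment mentions, copying the file with the copy action plugin and then using ownca_privatekey_path, would leave a plaintext copy of the CA key on the target's disk; feeding the content keeps it in the module's memory for the duration of the task only. Verify the result with `openssl verify -CAfile roles/ssl/files/ownca/MyCA.crt /tmp/certs/internal.crt`.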

@felixfontein felixfontein added enhancement New feature or request wontfix This will not be worked on labels Nov 29, 2023