
x509_certificate: idempotency failure with validity dates #753

Closed
MichaelRiss opened this issue May 10, 2024 · 4 comments · Fixed by #754
Labels
bug Something isn't working

Comments

@MichaelRiss

SUMMARY

Since 2.18.0 x509_certificate fails to recognize that the existing certificate already fulfills the "...not_before" / "...not_after" conditions and regenerates the certificate. A quick test in my setup has shown that the newly generated CA certificate still can confirm certificates issued with the previous CA certificate - even when the serial number of the CA certificate changed. However, it's a creepy feeling and I would prefer the module to be idempotent again.

ISSUE TYPE

  • Bug Report

COMPONENT NAME

x509_certificate

ANSIBLE VERSION

```
ansible [core 2.16.6]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.12/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.12.3 (main, Apr 17 2024, 00:00:00) [GCC 14.0.1 20240411 (Red Hat 14.0.1-0)] (/usr/bin/python3)
  jinja version = 3.1.4
  libyaml = True
```
COLLECTION VERSION

```
ansible-galaxy collection list community.crypto

# /root/.ansible/collections/ansible_collections
Collection       Version
---------------- -------
community.crypto 2.19.0

# /usr/local/lib/python3.12/site-packages/ansible_collections
Collection       Version
---------------- -------
community.crypto 2.19.0
```

CONFIGURATION

```
ansible-config dump --only-changed
CONFIG_FILE() = None
```

OS / ENVIRONMENT

Fedora 40, I provide a script to reproduce the error behavior below.

STEPS TO REPRODUCE

I created a demo script which shows the difference between 2.17.1 and 2.19.0 in a container:
demo.zip

You can see it already from the color of the output that 2.19.0 regenerates the certificate, but the md5sums show that the resulting new certificate also differs from the original one.

Here is the task which should be idempotent the second time it's executed:

```yaml
community.crypto.x509_certificate:
  path: /root/CACert.pem
  csr_path: /root/CAcert.csr
  ignore_timestamps: False
  selfsigned_not_before: 20230101000000Z
  selfsigned_not_after: 20260101000000Z
  privatekey_path: /root/private.key
  provider: selfsigned
```

EXPECTED RESULTS

I expect the behavior as shown with community.crypto 2.17.1: if the existing certificate already fulfills all requirements it should not get regenerated.

ACTUAL RESULTS

Since community.crypto 2.18.0 the certificate gets regenerated and the module is not idempotent anymore.
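As an added illustration (not community.crypto's own code and not part of the report): the idempotency decision the task above relies on, comparing the validity window of the certificate on disk against selfsigned_not_before / selfsigned_not_after after normalizing both sides to aware UTC datetimes, and honouring ignore_timestamps. The helper validity_from_pem assumes the cryptography package is installed.

```python
"""Added illustration of an idempotency check for certificate validity dates.
Not community.crypto's own code; validity_from_pem assumes `cryptography` is installed."""
import re
from datetime import datetime, timezone

# Timestamp format used in the task above (ASN.1 GeneralizedTime, UTC): YYYYMMDDHHMMSSZ
_ASN1_TIME = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def parse_asn1_time(value):
    """Parse 'YYYYMMDDHHMMSSZ' into a timezone-aware UTC datetime."""
    match = _ASN1_TIME.match(value)
    if not match:
        raise ValueError("unsupported timestamp format: %r" % (value,))
    return datetime(*(int(g) for g in match.groups()), tzinfo=timezone.utc)


def to_utc(value):
    """Normalize a naive (assumed UTC) or aware datetime to aware UTC, so the
    comparison does not depend on how the certificate library reported the dates."""
    if value.tzinfo is None:
        return value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc)


def needs_regeneration(existing_not_before, existing_not_after,
                       selfsigned_not_before, selfsigned_not_after,
                       ignore_timestamps=True):
    """True if the certificate on disk does not satisfy the requested validity window.
    With ignore_timestamps (the module's default) the dates never force a rewrite."""
    if ignore_timestamps:
        return False
    wanted_before = parse_asn1_time(selfsigned_not_before)
    wanted_after = parse_asn1_time(selfsigned_not_after)
    return (to_utc(existing_not_before) != wanted_before
            or to_utc(existing_not_after) != wanted_after)


def validity_from_pem(pem_bytes):
    """Read the validity window of a PEM certificate (requires `cryptography`)."""
    from cryptography import x509
    cert = x509.load_pem_x509_certificate(pem_bytes)
    # cryptography >= 42 exposes aware *_utc properties; older releases only give
    # naive UTC datetimes, which is exactly the mismatch to_utc() smooths over.
    not_before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    return to_utc(not_before), to_utc(not_after)
```

Feeding the output of validity_from_pem into needs_regeneration with the task's two timestamps and ignore_timestamps=False should return False for the certificate 2.17.1 left on disk, which is the behaviour the report expects.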

@felixfontein felixfontein added the bug Something isn't working label May 11, 2024
@felixfontein (Contributor)

Actually with 2.18.0 it's also idempotent. It's only with 2.19.0 that it's no longer idempotent.

@felixfontein (Contributor)

#754 fixes this. Will continue on this later today...

@felixfontein (Contributor)

I just released 2.19.1 with the fix.

@MichaelRiss (Author)

Thanks for the fix and sorry for my mistake with 2.18.0 - I thought I saw 2.18.0 when I first stumbled over the bug, but I should have double checked it.
