
openssh_cert: valid_at has no effect (will always be regenerated) #379

Closed
JochenKorge opened this issue Jan 17, 2022 · 3 comments · Fixed by #381

Comments

@JochenKorge
Contributor

SUMMARY

valid_at does not behave as expected

ISSUE TYPE
  • Bug Report
COMPONENT NAME

openssh_cert

ANSIBLE VERSION
ansible [core 2.12.1]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/jochen/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/dist-packages/ansible
  ansible collection location = /usr/share/ansible/collections:/home/jochen/.ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110]
  jinja version = 3.0.3
  libyaml = True
COLLECTION VERSION
# /usr/local/lib/python3.9/dist-packages/ansible_collections
Collection       Version
---------------- -------
community.crypto 2.0.2  

# /usr/share/ansible/collections/ansible_collections
Collection       Version
---------------- -------
community.crypto 2.0.2  
STEPS TO REPRODUCE
# Generate an OpenSSH host certificate that is valid for 32 weeks from now and will be regenerated
# if it is valid for less than 2 weeks from the time the module is being run
- name: Generate an OpenSSH host certificate with valid_from, valid_to and valid_at parameters
  community.crypto.openssh_cert:
    type: host
    signing_key: /path/to/private_key
    public_key: /path/to/public_key.pub
    path: /path/to/certificate
    valid_from: +0s
    valid_to: +32w
    valid_at: +2w
EXPECTED RESULTS

Only run when cert is invalid in "now + 2w" or some non "valid_*" Parameters changed

ACTUAL RESULTS

This will always regenerate the cert. Probably due to changes in relative valid_from and valid_to.

TASK [ssh_server : Generate an OpenSSH host certificate with valid_from, valid_to and valid_at parameters] ********************************************************************************************************************************************************
changed: [srvans01 -> localhost]

When run with absolute times (e.g. 2022-01-01) on valid_from and valid_to it works like a charm...
Not sure if it's a bug, a feature request or a documentation error. The second example is exactly my intended use case.

@felixfontein
Contributor

CC @Ajpantuso

@Ajpantuso
Collaborator

This is as intended and the module documentation mentions that use of relative timestamps is not idempotent. I guess we could implement a toggle similar to #317 and when ignore_timestamps is true the module would just check valid_at falls between the values from an existing certificate. Then you would be able to enforce a rotation policy.
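
The check Ajpantuso sketches, written out as an added example (this is not code from community.crypto or the openssh_cert module, and the function names, the relative-offset grammar `+<n>[smhdw]` and the sample dates are assumptions made for the illustration). It contrasts the current behaviour, where a relative `valid_from`/`valid_to` is re-resolved against "now" on every run and so never equals the window stored in the existing certificate, with the proposed `ignore_timestamps` toggle, under which only "is the existing certificate still valid at `valid_at`?" decides whether to regenerate:

```python
# Added example, not code from community.crypto or the openssh_cert module.
# Models the idempotency check discussed in this issue.  Function names, the
# relative-offset grammar (+<n>[smhdw]) and the sample dates are assumptions.
import re
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}
_RELATIVE = re.compile(r"^([+-])(\d+)([smhdw])$")


def _absolute(value: str) -> datetime:
    """Parse an ISO-8601 date/time ('2022-01-01' or '2022-01-01T12:00:00') as UTC."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def is_relative(value: str) -> bool:
    """True for offsets such as '+0s', '+32w' or '-1h'."""
    return _RELATIVE.match(value.strip()) is not None


def resolve(value: str, now: datetime) -> datetime:
    """Resolve a relative offset against 'now', or parse an absolute timestamp."""
    m = _RELATIVE.match(value.strip())
    if m is None:
        return _absolute(value)
    sign, count, unit = m.groups()
    delta = timedelta(**{_UNITS[unit]: int(count)})
    return now + delta if sign == "+" else now - delta


def valid_at(existing: Tuple[str, str], when: str, now_iso: str) -> bool:
    """Is the existing certificate (valid_after, valid_before) valid at 'when'?

    OpenSSH treats the window as half-open: valid_after <= t < valid_before.
    """
    now = _absolute(now_iso)
    valid_after, valid_before = _absolute(existing[0]), _absolute(existing[1])
    t = resolve(when, now)
    return valid_after <= t < valid_before


def task_changes(existing: Optional[Tuple[str, str]], valid_from: str, valid_to: str,
                 when: str, now_iso: str, ignore_timestamps: bool = False) -> bool:
    """Return True when the task would (re)generate the certificate."""
    if existing is None:
        return True                      # nothing on disk yet
    if not ignore_timestamps:
        # Current behaviour: the requested window must match the stored one
        # exactly.  A relative valid_from/valid_to is re-resolved against "now"
        # on every run, so it never matches and the task always reports changed.
        if is_relative(valid_from) or is_relative(valid_to):
            return True
        return (_absolute(valid_from), _absolute(valid_to)) != (
            _absolute(existing[0]), _absolute(existing[1]))
    # Proposed toggle: ignore the stored window and rotate only once the
    # certificate would no longer be valid at valid_at (e.g. now + 2 weeks).
    return not valid_at(existing, when, now_iso)


if __name__ == "__main__":
    # Constructed sample: a host certificate issued 2022-01-01 for 32 weeks.
    window = ("2022-01-01", "2022-08-13")
    print(task_changes(window, "+0s", "+32w", "+2w", "2022-01-17"))          # True
    print(task_changes(window, "+0s", "+32w", "+2w", "2022-01-17", True))    # False
    print(task_changes(window, "+0s", "+32w", "+2w", "2022-08-05", True))    # True
```

With the toggle on, a run on 2022-01-17 leaves the sample certificate alone (it is still valid two weeks out), while a run on 2022-08-05 rotates it because now + 2w falls past its `valid_before`; with the toggle off, the relative `+0s`/`+32w` window forces a rewrite on every run, which is exactly the behaviour reported in this issue.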

@JochenKorge
Contributor Author

Ok, I'll try and add it. Seems pretty straightforward.
