Add persistent private key feature #44
Conversation
|
You are totally right, I've played around with openssl_privatekey a bit and realized what could have misled me. Previously I've configured a batch of servers using a small set of different domains and pre-distributed private keys and experienced that the private keys are overwritten. Other tasks later distributed the signed certificates inside the infrastructure, but it's an other question, just mentioning here to explain why the regenerated private keys caused issue for me. You are right, force is not set to true when openssl_privatekey module is called in your module, however this is not the single case when the privatekey is regenerated. It is when any major parameter is different than the passed/defined by your module. Since in my case not all the private keys were identical, e.g the key size is different, each of them not matching the default or explicitly configured value has been regenerated. It would be really nice not to follow the key details in ansible too, but would be able to preliminary define that the private keys should be kept intact. I hope these above make sense. :) |
README.md
Outdated
| @@ -92,6 +92,8 @@ Ansible 2.7+ is required for this role. If you are using an older version of Ans | |||
| * **ler53_acme_directory** - The ACME directory to use. This defaults to | |||
| `https://acme-v02.api.letsencrypt.org/directory`. This can be useful to override if you'd like to | |||
| test this role against the stage Let's Encrypt instance. | |||
| * **ler53_static_private_key** - whether or not reuse the private key. If this is `true` private key | |||
There was a problem hiding this comment.
Could you rename this to ler53_unmanaged_private_key or somethign similar?
There was a problem hiding this comment.
Implemented as you've suggested.
tasks/main.yml
Outdated
| size: "{{ ler53_key_size }}" | ||
| owner: "{{ ler53_cert_files_owner }}" | ||
| group: "{{ ler53_cert_files_group }}" | ||
| mode: "{{ ler53_cert_files_mode }}" | ||
| when: not private_key_path.stat.exists or not ler53_static_private_key |
There was a problem hiding this comment.
I just want either the key to be managed by Ansible or not. This behavior is too complex.
| when: not private_key_path.stat.exists or not ler53_static_private_key | |
| when: not ler53_static_private_key |
There was a problem hiding this comment.
Implemented as you've suggested.
tasks/main.yml
Outdated
| @@ -89,19 +89,27 @@ | |||
| import_tasks: virtualenv.yml | |||
| when: ansible_os_family in ['RedHat', 'Darwin'] | |||
|
|
|||
| - name: define private key path | |||
There was a problem hiding this comment.
This can be removed after my comment on the generate the private key task.
There was a problem hiding this comment.
Implemented as you've suggested.
martonivan
force-pushed
the
master
branch
2 times, most recently
from
28467e9 to
fb5612b
Compare
README.md
Outdated
| @@ -92,6 +92,8 @@ Ansible 2.7+ is required for this role. If you are using an older version of Ans | |||
| * **ler53_acme_directory** - The ACME directory to use. This defaults to | |||
| `https://acme-v02.api.letsencrypt.org/directory`. This can be useful to override if you'd like to | |||
| test this role against the stage Let's Encrypt instance. | |||
| * **ler53_unmanaged_private_key** - whether or not reuse the private key. If this is `true` private key | |||
There was a problem hiding this comment.
I think this documentation needs updating since based on the code, the key will never be managed if this is true. Is that your intention?
There was a problem hiding this comment.
documentation fix has been sent
I - and may others - need a feature to reuse the existing private keys, for example for use-cases where the private keys are also centrally managed and distributed. I made this feature configurable by keeping the original behavior as default.