Fixes to ecs_certificate cert chain for #61738 (#61858)

* Fixes to ecs_certificate cert chain for #61738

* Added changelog fragment

* Fixes to ecs_certificate for cleaner join, and better integration test

* Fix integration test formatting

* End cert chain with a \n

* Update changelogs/fragments/61738-ecs-certificate-invalid-chain.yaml

Co-Authored-By: Felix Fontein <felix@fontein.de>

* Update main.yml

(cherry picked from commit 943888b955)
This commit is contained in:
Chris Trufan 2019-09-07 01:58:25 -04:00 committed by Toshio Kuratomi
parent 94f8f320ed
commit 1cb40e1aed
4 changed files with 19 additions and 4 deletions

View file

@ -0,0 +1,2 @@
bugfixes:
- ecs_certificate - Fix formatting of contents of ``full_chain_path``.

View file

@ -768,17 +768,19 @@ class EcsCertificate(object):
if self.backup:
self.backup_file = module.backup_local(self.path)
crypto_utils.write_file(module, to_bytes(self.cert_details.get('endEntityCert')))
if self.full_chain_path:
if self.full_chain_path and self.cert_details.get('chainCerts'):
if self.backup:
self.backup_full_chain_file = module.backup_local(self.full_chain_path)
crypto_utils.write_file(module, to_bytes(self.cert_details.get('chainCerts')), path=self.full_chain_path)
chain_string = '\n'.join(self.cert_details.get('chainCerts')) + '\n'
crypto_utils.write_file(module, to_bytes(chain_string), path=self.full_chain_path)
self.changed = True
# If there is no certificate present in path but a tracking ID was specified, save it to disk
elif not os.path.exists(self.path) and self.tracking_id:
if not module.check_mode:
crypto_utils.write_file(module, to_bytes(self.cert_details.get('endEntityCert')))
if self.full_chain_path:
crypto_utils.write_file(module, to_bytes(self.cert_details.get('chainCerts')), path=self.full_chain_path)
if self.full_chain_path and self.cert_details.get('chainCerts'):
chain_string = '\n'.join(self.cert_details.get('chainCerts')) + '\n'
crypto_utils.write_file(module, to_bytes(chain_string), path=self.full_chain_path)
self.changed = True
def dump(self):

View file

@ -169,6 +169,7 @@
- name: Test a request with all of the various optional possible fields populated
ecs_certificate:
path: '{{ example4_cert_path }}'
full_chain_path: '{{ example4_full_chain_path }}'
csr: '{{ csr_path }}'
subject_alt_name: '{{ example4_subject_alt_name }}'
eku: '{{ example4_eku }}'
@ -198,6 +199,15 @@
- example4_result.tracking_id > 0
- example4_result.serial_number is string
# For bug 61738, verify that the full chain is valid
- name: Verify that the full chain path can be successfully imported
command: openssl verify "{{ example4_full_chain_path }}"
register: openssl_result
- assert:
that:
- "' OK' in openssl_result.stdout_lines[0]"
always:
- name: clean-up temporary folder
file:

View file

@ -49,3 +49,4 @@ example4_custom_fields:
email2: sales@ansible.testcertificates.com
dropdown2: Dropdown 2 Value 1
example4_cert_expiry: 2020-08-15
example4_full_chain_path: '{{ tmpdir_path }}/issuedcert_2_chain.pem'