Fixes to ecs_certificate cert chain for #61738 (#61858)

* Fixes to ecs_certificate cert chain for #61738 * Added changelog fragment * Fixes to ecs_certificate for cleaner join, and better integration test * Fix integration test formatting * End cert chain with a \n * Update changelogs/fragments/61738-ecs-certificate-invalid-chain.yaml Co-Authored-By: Felix Fontein <felix@fontein.de> * Update main.yml
2019-09-07 01:58:25 -04:00 · 2019-09-07 01:58:25 -04:00 · 943888b955
commit 943888b955
parent cac93cbd1f
4 changed files with 19 additions and 4 deletions
--- a/changelogs/fragments/61738-ecs-certificate-invalid-chain.yaml
+++ b/changelogs/fragments/61738-ecs-certificate-invalid-chain.yaml
@ -0,0 +1,2 @@
+bugfixes:
+  - ecs_certificate - Fix formatting of contents of ``full_chain_path``.
--- a/lib/ansible/modules/crypto/entrust/ecs_certificate.py
+++ b/lib/ansible/modules/crypto/entrust/ecs_certificate.py
@ -768,17 +768,19 @@ class EcsCertificate(object):
                    if self.backup:
                        self.backup_file = module.backup_local(self.path)
                    crypto_utils.write_file(module, to_bytes(self.cert_details.get('endEntityCert')))
-                    if self.full_chain_path:
+                    if self.full_chain_path and self.cert_details.get('chainCerts'):
                        if self.backup:
                            self.backup_full_chain_file = module.backup_local(self.full_chain_path)
-                        crypto_utils.write_file(module, to_bytes(self.cert_details.get('chainCerts')), path=self.full_chain_path)
+                        chain_string = '\n'.join(self.cert_details.get('chainCerts')) + '\n'
+                        crypto_utils.write_file(module, to_bytes(chain_string), path=self.full_chain_path)
                    self.changed = True
        # If there is no certificate present in path but a tracking ID was specified, save it to disk
        elif not os.path.exists(self.path) and self.tracking_id:
            if not module.check_mode:
                crypto_utils.write_file(module, to_bytes(self.cert_details.get('endEntityCert')))
-                if self.full_chain_path:
-                    crypto_utils.write_file(module, to_bytes(self.cert_details.get('chainCerts')), path=self.full_chain_path)
+                if self.full_chain_path and self.cert_details.get('chainCerts'):
+                    chain_string = '\n'.join(self.cert_details.get('chainCerts')) + '\n'
+                    crypto_utils.write_file(module, to_bytes(chain_string), path=self.full_chain_path)
            self.changed = True

    def dump(self):
--- a/test/integration/targets/ecs_certificate/tasks/main.yml
+++ b/test/integration/targets/ecs_certificate/tasks/main.yml
@ -169,6 +169,7 @@
  - name: Test a request with all of the various optional possible fields populated
    ecs_certificate:
      path: '{{ example4_cert_path }}'
+      full_chain_path: '{{ example4_full_chain_path }}'
      csr: '{{ csr_path }}'
      subject_alt_name: '{{ example4_subject_alt_name }}'
      eku: '{{ example4_eku }}'
@ -198,6 +199,15 @@
        - example4_result.tracking_id > 0
        - example4_result.serial_number is string

+  # For bug 61738, verify that the full chain is valid
+  - name: Verify that the full chain path can be successfully imported
+    command: openssl verify "{{ example4_full_chain_path }}"
+    register: openssl_result
+
+  - assert:
+      that:
+         - "' OK' in openssl_result.stdout_lines[0]"
+
  always:
    - name: clean-up temporary folder
      file:
--- a/test/integration/targets/ecs_certificate/vars/main.yml
+++ b/test/integration/targets/ecs_certificate/vars/main.yml
@ -49,3 +49,4 @@ example4_custom_fields:
  email2: sales@ansible.testcertificates.com
  dropdown2: Dropdown 2 Value 1
 example4_cert_expiry: 2020-08-15
+example4_full_chain_path: '{{ tmpdir_path }}/issuedcert_2_chain.pem'