Conversation

winem
Contributor

@winem winem commented Jul 18, 2021

Now we create self-signed certificates with a SubjectAlternativeName as requested in #293

The openssl version shipped on RedHat/CentOS7 is too old and does not support the SAN attributes to be passed on the command line so it needs an extra configuration file.

close #293

@winem winem marked this pull request as draft July 19, 2021 09:26
@winem
Contributor Author

winem commented Jul 19, 2021

Converted the PR to a draft until I have time to look into the CentOS7 issues Travis has.

@amanda11
Contributor

Looks to be an idempotency problem on centos 7, so on second run it complains about 2 changed tasks:

TASK [StackStorm.st2web : Render openssl.cnf] **********************************
task path: /tmp/kitchen/roles/StackStorm.st2web/tasks/certificate.yml:52
changed: [localhost] => {"changed": true, "checksum": "7b77c4f29a6c66a722d2c53573a08901b3a7ad69", "dest": "/tmp/openssl.cnf", "gid": 0, "group": "root", "md5sum": "bb1d9954d249261171b878a51804d03a", "mode": "0644", "owner": "root", "size": 233, "src": "/root/.ansible/tmp/ansible-tmp-1626572239.45-7002-193383408367893/source", "state": "file", "uid": 0}

TASK [StackStorm.st2web : Generate self-signed SSL certificate on RedHat 7] ****
task path: /tmp/kitchen/roles/StackStorm.st2web/tasks/certificate.yml:57
ok: [localhost] => {"changed": false, "cmd": "openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/st2/st2.key -out /etc/ssl/st2/st2.crt -days 365 -nodes -subj \"/C=US/ST=California/L=Palo Alto/O=StackStorm/OU=Information Technology/CN=$(hostname)\" -config /tmp/openssl.cnf", "rc": 0, "stdout": "skipped, since /etc/ssl/st2/st2.key exists", "stdout_lines": ["skipped, since /etc/ssl/st2/st2.key exists"]}

TASK [StackStorm.st2web : Delete the openssl.cnf] ******************************
task path: /tmp/kitchen/roles/StackStorm.st2web/tasks/certificate.yml:63
changed: [localhost] => {"changed": true, "path": "/tmp/openssl.cnf", "state": "absent"}

The new tasks for Redhat7 as they stand will always create the temp file /tmp/openssl.cnf and delete it - so will fail the idempotency test. Perhaps add a when on the first one so that it only does it if /etc/ssl/st2/st2.key doesn't exist?
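The two points raised in this thread (the PR description's config-file route for adding a subjectAltName on OpenSSL 1.0.2, and the idempotency problem with the temporary openssl.cnf) in one runnable shell example. This is an added illustration, not code from the StackStorm.st2web role; it assumes the `openssl` CLI is on PATH and uses a hypothetical output directory argument in place of /etc/ssl/st2. The SAN goes in the section named by `x509_extensions` in `[req]`, which is what `openssl req -x509` reads (on 1.0.2 a SAN placed only under `req_extensions` does not end up in a self-signed certificate), so the example also verifies that the SAN actually landed. Generation is guarded on the key's existence, and the temporary config is created and removed only inside that guarded branch, so a second run changes nothing:

```shell
# Added example, not the StackStorm.st2web role's own code.
# Requires the openssl CLI; works with OpenSSL 1.0.2 (RHEL/CentOS 7), which
# lacks the newer `-addext` option, as well as with 1.1.1 and 3.x.

# gen_selfsigned_san DIR HOST [EXTRA_SAN]
#   Writes DIR/st2.key and DIR/st2.crt (DIR is a hypothetical stand-in for
#   /etc/ssl/st2). EXTRA_SAN is an optional comma-separated list of further
#   SAN entries, e.g. "DNS:localhost,IP:127.0.0.1".
gen_selfsigned_san() {
    dir=$1
    host=$2
    extra=${3:-}
    key="$dir/st2.key"
    crt="$dir/st2.crt"

    # Idempotency guard: nothing below runs if the key already exists, so the
    # temporary config is neither rendered nor deleted on a second run.
    if [ -e "$key" ]; then
        echo "skipped, since $key exists"
        return 0
    fi

    san="DNS:$host"
    if [ -n "$extra" ]; then
        san="$san,$extra"
    fi

    # Temporary config only exists inside this branch; removed before return.
    cnf=$(mktemp "$dir/openssl.cnf.XXXXXX") || return 1
    cat > "$cnf" <<EOF
[req]
distinguished_name = req_dn
x509_extensions    = v3_req
prompt             = no

[req_dn]
CN = $host

[v3_req]
subjectAltName = $san
EOF

    rc=0
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$key" -out "$crt" \
        -subj "/C=US/ST=California/L=Palo Alto/O=StackStorm/OU=Information Technology/CN=$host" \
        -config "$cnf" || rc=$?
    rm -f "$cnf"
    return "$rc"
}

# cert_has_san CRT NAME
#   Returns 0 if the certificate's subjectAltName lists DNS:NAME. Uses -text
#   rather than `x509 -ext`, which OpenSSL 1.0.2 does not have.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -Eq "DNS:$2(,|$)"
}
```

Mapped onto the Ansible tasks discussed above, the same shape is a `stat` on the key, `when: not <stat result>.stat.exists` on both the template task and the delete task, and `creates:` on the `openssl req` command, so the three tasks report `ok` together on a rerun.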

@winem
Contributor Author

winem commented Jul 19, 2021

Yes, that'll probably be it. I'll provide an update.

@pull-request-size pull-request-size bot added the size/M PR that changes 30-99 lines. Good size to review. label Jul 23, 2021
@winem winem marked this pull request as ready for review July 26, 2021 09:34
@winem
Contributor Author

winem commented Jul 31, 2021

I'm happy about (re-)reviews of this PR!

Contributor

@amanda11 amanda11 left a comment

LGTM

Contributor

@amanda11 amanda11 left a comment

LGTM

@CLAassistant

CLAassistant commented May 11, 2022

CLA assistant check
All committers have signed the CLA.

@winem winem force-pushed the add-san-for-self-signed-certs branch from 5a6bf68 to 6b055b8 Compare October 13, 2023 20:46
Labels
size/M PR that changes 30-99 lines. Good size to review.
Successfully merging this pull request may close these issues.

Self signed cert does not contain subject alternative name
3 participants