
openssl_pkcs12 always changed when only importing a certificate #538

Open
ruckc opened this issue Dec 8, 2022 · 3 comments
Labels: bug (Something isn't working)


ruckc commented Dec 8, 2022

SUMMARY

openssl_pkcs12 always changed when only importing a certificate

ISSUE TYPE

  • Bug Report

COMPONENT NAME

openssl_pkcs12

ANSIBLE VERSION

ansible [core 2.14.1]
  config file = /home/ruckc/Projects/tc/ansible-deployment/ansible.cfg
  configured module search path = ['/home/ruckc/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ruckc/.pyenv/versions/3.11.0/lib/python3.11/site-packages/ansible
  ansible collection location = /home/ruckc/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ruckc/.pyenv/versions/3.11.0/bin/ansible
  python version = 3.11.0 (main, Oct 26 2022, 13:57:22) [GCC 11.3.0] (/home/ruckc/.pyenv/versions/3.11.0/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True

COLLECTION VERSION

# /home/ruckc/.pyenv/versions/3.11.0/lib/python3.11/site-packages/ansible_collections
Collection       Version
---------------- -------
community.crypto 2.9.0

CONFIGURATION

CONFIG_FILE() = /home/ruckc/Projects/tc/ansible-deployment/ansible.cfg
DEFAULT_FORKS(/home/ruckc/Projects/tc/ansible-deployment/ansible.cfg) = 10
DEFAULT_HOST_LIST(/home/ruckc/Projects/tc/ansible-deployment/ansible.cfg) = ['/home/ruckc/Projects/tc/ansible-deployment/hosts']

OS / ENVIRONMENT

Ubuntu 22.04, local apply

STEPS TO REPRODUCE

- hosts: localhost
  connection: local
  gather_facts: false

  vars:
    base: '/tmp/test'

  tasks:
    - name: 'Generate Private Key'
      community.crypto.openssl_privatekey:
        path: '{{ base }}/ca.key'

    - name: 'Generate CSR'
      community.crypto.openssl_csr:
        path: '{{ base }}/ca.csr'
        privatekey_path: '{{ base }}/ca.key'

    - name: 'Generate Certificate'
      community.crypto.x509_certificate:
        provider: selfsigned
        path: '{{ base }}/ca.crt'
        csr_path: '{{ base }}/ca.csr'
        privatekey_path: '{{ base }}/ca.key'
        return_content: true
      
    - name: truststore.p12  # CHANGES
      community.crypto.openssl_pkcs12:
        action: export
        state: present
        certificate_path: '{{ base }}/ca.crt'
        path: '{{ base }}/truststore.p12'
        passphrase: 'changeit'
        friendly_name: 'ca'

    
    - name: keypair.p12  # DOESN'T CHANGE
      community.crypto.openssl_pkcs12:
        action: export
        state: present
        certificate_path: '{{ base }}/ca.crt'
        privatekey_path: '{{ base }}/ca.key'
        path: '{{ base }}/keypair.p12'
        passphrase: 'changeit'
        friendly_name: 'ca'

EXPECTED RESULTS

On the 2nd run, I expect changed=0.

ACTUAL RESULTS

changed=1, the truststore.p12 is changed every time.

ansible-playbook [core 2.14.1]
  config file = /home/ruckc/Projects/tc/ansible-deployment/ansible.cfg
  configured module search path = ['/home/ruckc/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ruckc/.pyenv/versions/3.11.0/lib/python3.11/site-packages/ansible
  ansible collection location = /home/ruckc/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ruckc/.pyenv/versions/3.11.0/bin/ansible-playbook
  python version = 3.11.0 (main, Oct 26 2022, 13:57:22) [GCC 11.3.0] (/home/ruckc/.pyenv/versions/3.11.0/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True
Using /home/ruckc/Projects/tc/ansible-deployment/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /home/ruckc/Projects/tc/ansible-deployment/hosts as it did not pass its verify_file() method
script declined parsing /home/ruckc/Projects/tc/ansible-deployment/hosts as it did not pass its verify_file() method
auto declined parsing /home/ruckc/Projects/tc/ansible-deployment/hosts as it did not pass its verify_file() method
Set default localhost to localhost
Parsed /home/ruckc/Projects/tc/ansible-deployment/hosts inventory source with ini plugin
Loading collection community.crypto from /home/ruckc/.pyenv/versions/3.11.0/lib/python3.11/site-packages/ansible_collections/community/crypto
Loading callback plugin default of type stdout, v2.0 from /home/ruckc/.pyenv/versions/3.11.0/lib/python3.11/site-packages/ansible/plugins/callback/default.py
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: test.yml *************************************************************
Positional arguments: test.yml
verbosity: 4
connection: smart
timeout: 10
become_method: sudo
tags: ('all',)
diff: True
inventory: ('/home/ruckc/Projects/tc/ansible-deployment/hosts',)
forks: 10
1 plays in test.yml

PLAY [localhost] ***************************************************************

TASK [Generate Private Key] ****************************************************
task path: /home/ruckc/Projects/tc/ansible-deployment/test.yml:10
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: ruckc
<localhost> EXEC /bin/sh -c 'echo ~ruckc && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/ruckc/.ansible/tmp `"&& mkdir "` echo /home/ruckc/.ansible/tmp/ansible-tmp-1670466708.838035-143478-158450767513986 `" && echo ansible-tmp-1670466708.838035-143478-158450767513986="` echo /home/ruckc/.ansible/tmp/ansible-tmp-1670466708.838035-143478-158450767513986 `" ) && sleep 0'
<localhost> Attempting python interpreter discovery
<localhost> EXEC /bin/sh -c 'echo PLATFORM; uname; echo FOUND; command -v '"'"'python3.11'"'"'; command -v '"'"'python3.10'"'"'; command -v '"'"'python3.9'"'"'; command -v '"'"'python3.8'"'"'; command -v '"'"'python3.7'"'"'; command -v '"'"'python3.6'"'"'; command -v '"'"'python3.5'"'"'; command -v '"'"'/usr/bin/python3'"'"'; command -v '"'"'/usr/libexec/platform-python'"'"'; command -v '"'"'python2.7'"'"'; command -v '"'"'/usr/bin/python'"'"'; command -v '"'"'python'"'"'; echo ENDFOUND && sleep 0'
<localhost> EXEC /bin/sh -c '/home/ruckc/.pyenv/versions/3.11.0/bin/python3.11 && sleep 0'
Using module file /home/ruckc/.pyenv/versions/3.11.0/lib/python3.11/site-packages/ansible_collections/community/crypto/plugins/modules/openssl_privatekey.py
<localhost> PUT /home/ruckc/.ansible/tmp/ansible-local-143433x1wm6dy9/tmpzbrow9f_ TO /home/ruckc/.ansible/tmp/ansible-tmp-1670466708.838035-143478-158450767513986/AnsiballZ_openssl_privatekey.py
<localhost> EXEC /bin/sh -c 'chmod u+x /home/ruckc/.ansible/tmp/ansible-tmp-1670466708.838035-143478-158450767513986/ /home/ruckc/.ansible/tmp/ansible-tmp-1670466708.838035-143478-158450767513986/AnsiballZ_openssl_privatekey.py && sleep 0'
<localhost> EXEC /bin/sh -c '/usr/bin/python3 /home/ruckc/.ansible/tmp/ansible-tmp-1670466708.838035-143478-158450767513986/AnsiballZ_openssl_privatekey.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /home/ruckc/.ansible/tmp/ansible-tmp-1670466708.838035-143478-158450767513986/ > /dev/null 2>&1 && sleep 0'
ok: [localhost] => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": false,
    "diff": {
        "after": {
            "can_parse_key": true,
            "key_is_consistent": null,
            "public_data": {
                "exponent": 65537,
                "size": 4096
            },
            "public_key_fingerprints": {
                "sha256": "d6:86:b6:26:79:3d:88:7b:83:1a:1d:0c:8b:ed:9f:f7:c2:b3:c1:08:d6:8e:35:16:1c:87:46:41:0b:fa:65:e8"
            },
            "type": "RSA"
        },
        "before": {
            "can_parse_key": true,
            "key_is_consistent": null,
            "public_data": {
                "exponent": 65537,
                "size": 4096
            },
            "public_key_fingerprints": {
                "sha256": "d6:86:b6:26:79:3d:88:7b:83:1a:1d:0c:8b:ed:9f:f7:c2:b3:c1:08:d6:8e:35:16:1c:87:46:41:0b:fa:65:e8"
            },
            "type": "RSA"
        }
    },
    "filename": "/tmp/test/ca.key",
    "invocation": {
        "module_args": {
            "attributes": null,
            "backup": false,
            "cipher": null,
            "curve": null,
            "force": false,
            "format": "auto_ignore",
            "format_mismatch": "regenerate",
            "group": null,
            "mode": "0600",
            "owner": null,
            "passphrase": null,
            "path": "/tmp/test/ca.key",
            "regenerate": "full_idempotence",
            "return_content": false,
            "select_crypto_backend": "auto",
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "size": 4096,
            "state": "present",
            "type": "RSA",
            "unsafe_writes": false
        }
    },
    "size": 4096,
    "type": "RSA"
}

TASK [Generate CSR] ************************************************************
task path: /home/ruckc/Projects/tc/ansible-deployment/test.yml:14
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: ruckc
<localhost> EXEC /bin/sh -c 'echo ~ruckc && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/ruckc/.ansible/tmp `"&& mkdir "` echo /home/ruckc/.ansible/tmp/ansible-tmp-1670466710.2212555-143533-51445133026249 `" && echo ansible-tmp-1670466710.2212555-143533-51445133026249="` echo /home/ruckc/.ansible/tmp/ansible-tmp-1670466710.2212555-143533-51445133026249 `" ) && sleep 0'
Using module file /home/ruckc/.pyenv/versions/3.11.0/lib/python3.11/site-packages/ansible_collections/community/crypto/plugins/modules/openssl_csr.py
<localhost> PUT /home/ruckc/.ansible/tmp/ansible-local-143433x1wm6dy9/tmp5s3mdcn5 TO /home/ruckc/.ansible/tmp/ansible-tmp-1670466710.2212555-143533-51445133026249/AnsiballZ_openssl_csr.py
<localhost> EXEC /bin/sh -c 'chmod u+x /home/ruckc/.ansible/tmp/ansible-tmp-1670466710.2212555-143533-51445133026249/ /home/ruckc/.ansible/tmp/ansible-tmp-1670466710.2212555-143533-51445133026249/AnsiballZ_openssl_csr.py && sleep 0'
<localhost> EXEC /bin/sh -c '/usr/bin/python3 /home/ruckc/.ansible/tmp/ansible-tmp-1670466710.2212555-143533-51445133026249/AnsiballZ_openssl_csr.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /home/ruckc/.ansible/tmp/ansible-tmp-1670466710.2212555-143533-51445133026249/ > /dev/null 2>&1 && sleep 0'
ok: [localhost] => {
    "basicConstraints": null,
    "changed": false,
    "diff": {
        "after": {
            "authority_cert_issuer": null,
            "authority_cert_serial_number": null,
            "authority_key_identifier": null,
            "basic_constraints": null,
            "basic_constraints_critical": false,
            "can_parse_csr": true,
            "extended_key_usage": null,
            "extended_key_usage_critical": false,
            "extensions_by_oid": {},
            "key_usage": null,
            "key_usage_critical": false,
            "name_constraints_critical": false,
            "name_constraints_excluded": null,
            "name_constraints_permitted": null,
            "ocsp_must_staple": null,
            "ocsp_must_staple_critical": false,
            "public_key_data": {
                "exponent": 65537,
                "size": 4096
            },
            "public_key_fingerprints": {
                "sha256": "d6:86:b6:26:79:3d:88:7b:83:1a:1d:0c:8b:ed:9f:f7:c2:b3:c1:08:d6:8e:35:16:1c:87:46:41:0b:fa:65:e8"
            },
            "public_key_type": "RSA",
            "signature_valid": true,
            "subject": {},
            "subject_alt_name": null,
            "subject_alt_name_critical": false,
            "subject_key_identifier": null,
            "subject_ordered": []
        },
        "before": {
            "authority_cert_issuer": null,
            "authority_cert_serial_number": null,
            "authority_key_identifier": null,
            "basic_constraints": null,
            "basic_constraints_critical": false,
            "can_parse_csr": true,
            "extended_key_usage": null,
            "extended_key_usage_critical": false,
            "extensions_by_oid": {},
            "key_usage": null,
            "key_usage_critical": false,
            "name_constraints_critical": false,
            "name_constraints_excluded": null,
            "name_constraints_permitted": null,
            "ocsp_must_staple": null,
            "ocsp_must_staple_critical": false,
            "public_key_data": {
                "exponent": 65537,
                "size": 4096
            },
            "public_key_fingerprints": {
                "sha256": "d6:86:b6:26:79:3d:88:7b:83:1a:1d:0c:8b:ed:9f:f7:c2:b3:c1:08:d6:8e:35:16:1c:87:46:41:0b:fa:65:e8"
            },
            "public_key_type": "RSA",
            "signature_valid": true,
            "subject": {},
            "subject_alt_name": null,
            "subject_alt_name_critical": false,
            "subject_key_identifier": null,
            "subject_ordered": []
        }
    },
    "extendedKeyUsage": null,
    "filename": "/tmp/test/ca.csr",
    "invocation": {
        "module_args": {
            "attributes": null,
            "authority_cert_issuer": null,
            "authority_cert_serial_number": null,
            "authority_key_identifier": null,
            "backup": false,
            "basic_constraints": null,
            "basic_constraints_critical": false,
            "common_name": null,
            "country_name": null,
            "create_subject_key_identifier": false,
            "crl_distribution_points": null,
            "digest": "sha256",
            "email_address": null,
            "extended_key_usage": null,
            "extended_key_usage_critical": false,
            "force": false,
            "group": null,
            "key_usage": null,
            "key_usage_critical": false,
            "locality_name": null,
            "mode": null,
            "name_constraints_critical": false,
            "name_constraints_excluded": null,
            "name_constraints_permitted": null,
            "ocsp_must_staple": false,
            "ocsp_must_staple_critical": false,
            "organization_name": null,
            "organizational_unit_name": null,
            "owner": null,
            "path": "/tmp/test/ca.csr",
            "privatekey_content": null,
            "privatekey_passphrase": null,
            "privatekey_path": "/tmp/test/ca.key",
            "return_content": false,
            "select_crypto_backend": "auto",
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "state": "present",
            "state_or_province_name": null,
            "subject": null,
            "subject_alt_name": null,
            "subject_alt_name_critical": false,
            "subject_key_identifier": null,
            "subject_ordered": null,
            "unsafe_writes": false,
            "use_common_name_for_san": true,
            "version": 1
        }
    },
    "keyUsage": null,
    "name_constraints_excluded": [],
    "name_constraints_permitted": [],
    "ocspMustStaple": false,
    "privatekey": "/tmp/test/ca.key",
    "subject": [],
    "subjectAltName": null
}

TASK [Generate Certificate] ****************************************************
task path: /home/ruckc/Projects/tc/ansible-deployment/test.yml:19
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: ruckc
<localhost> EXEC /bin/sh -c 'echo ~ruckc && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/ruckc/.ansible/tmp `"&& mkdir "` echo /home/ruckc/.ansible/tmp/ansible-tmp-1670466710.8659413-143571-271581767959628 `" && echo ansible-tmp-1670466710.8659413-143571-271581767959628="` echo /home/ruckc/.ansible/tmp/ansible-tmp-1670466710.8659413-143571-271581767959628 `" ) && sleep 0'
Using module file /home/ruckc/.pyenv/versions/3.11.0/lib/python3.11/site-packages/ansible_collections/community/crypto/plugins/modules/x509_certificate.py
<localhost> PUT /home/ruckc/.ansible/tmp/ansible-local-143433x1wm6dy9/tmpzi5sid6h TO /home/ruckc/.ansible/tmp/ansible-tmp-1670466710.8659413-143571-271581767959628/AnsiballZ_x509_certificate.py
<localhost> EXEC /bin/sh -c 'chmod u+x /home/ruckc/.ansible/tmp/ansible-tmp-1670466710.8659413-143571-271581767959628/ /home/ruckc/.ansible/tmp/ansible-tmp-1670466710.8659413-143571-271581767959628/AnsiballZ_x509_certificate.py && sleep 0'
<localhost> EXEC /bin/sh -c '/usr/bin/python3 /home/ruckc/.ansible/tmp/ansible-tmp-1670466710.8659413-143571-271581767959628/AnsiballZ_x509_certificate.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /home/ruckc/.ansible/tmp/ansible-tmp-1670466710.8659413-143571-271581767959628/ > /dev/null 2>&1 && sleep 0'
ok: [localhost] => {
    "changed": false,
    "csr": "/tmp/test/ca.csr",
    "diff": {
        "after": {
            "authority_cert_issuer": null,
            "authority_cert_serial_number": null,
            "authority_key_identifier": null,
            "basic_constraints": null,
            "basic_constraints_critical": false,
            "can_parse_certificate": true,
            "expired": false,
            "extended_key_usage": null,
            "extended_key_usage_critical": false,
            "extensions_by_oid": {
                "2.5.29.14": {
                    "critical": false,
                    "value": "BBSJYQWzzFRSQgs21eLvbTj5qAT0uA=="
                }
            },
            "fingerprints": {
                "sha256": "dc:a9:20:fe:43:e4:6f:c2:82:b4:19:ae:c9:70:26:42:f6:c1:1d:2a:94:bb:11:e0:2c:63:f5:76:4e:22:26:68"
            },
            "issuer": {},
            "issuer_ordered": [],
            "issuer_uri": null,
            "key_usage": null,
            "key_usage_critical": false,
            "not_after": "20321205022048Z",
            "not_before": "20221208022048Z",
            "ocsp_must_staple": null,
            "ocsp_must_staple_critical": false,
            "ocsp_uri": null,
            "public_key_data": {
                "exponent": 65537,
                "size": 4096
            },
            "public_key_fingerprints": {
                "sha256": "d6:86:b6:26:79:3d:88:7b:83:1a:1d:0c:8b:ed:9f:f7:c2:b3:c1:08:d6:8e:35:16:1c:87:46:41:0b:fa:65:e8"
            },
            "public_key_type": "RSA",
            "serial_number": 189882654612351676984398707823038400242723974380,
            "signature_algorithm": "sha256WithRSAEncryption",
            "subject": {},
            "subject_alt_name": null,
            "subject_alt_name_critical": false,
            "subject_key_identifier": "89:61:05:b3:cc:54:52:42:0b:36:d5:e2:ef:6d:38:f9:a8:04:f4:b8",
            "subject_ordered": [],
            "version": 3
        },
        "before": {
            "authority_cert_issuer": null,
            "authority_cert_serial_number": null,
            "authority_key_identifier": null,
            "basic_constraints": null,
            "basic_constraints_critical": false,
            "can_parse_certificate": true,
            "expired": false,
            "extended_key_usage": null,
            "extended_key_usage_critical": false,
            "extensions_by_oid": {
                "2.5.29.14": {
                    "critical": false,
                    "value": "BBSJYQWzzFRSQgs21eLvbTj5qAT0uA=="
                }
            },
            "fingerprints": {
                "sha256": "dc:a9:20:fe:43:e4:6f:c2:82:b4:19:ae:c9:70:26:42:f6:c1:1d:2a:94:bb:11:e0:2c:63:f5:76:4e:22:26:68"
            },
            "issuer": {},
            "issuer_ordered": [],
            "issuer_uri": null,
            "key_usage": null,
            "key_usage_critical": false,
            "not_after": "20321205022048Z",
            "not_before": "20221208022048Z",
            "ocsp_must_staple": null,
            "ocsp_must_staple_critical": false,
            "ocsp_uri": null,
            "public_key": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4qI6OZUQMx98WnZG50b9\nQ/mGfaK4HVfl0P52kfRJ80IbWT368vAckVCNAJE+goyJ82rTCy8frd6AASCpdKzq\nubqSRtTYmPSW+OAoyXpQUvA0BeGPkbvrCPwlcwFe7pnSKn+ecrnfbb41Wfa4yZ/J\nvE5MVpJdc6iEf1He7npFgPOgytpCYnjyApgcriZggUJ7pRA9sQIlbAxEilnWupxG\nulqMGGm8tYR7dkbmixPXK+U6Y1h18fCvKESwTH6qCVJd7OBR/ql7aqLk+Zi6LnCQ\nzM3KK5EqmbQOozlLKHYe+1IH61vy3bjTTLPGWUqwfPv+1YI6HzsN9vCTTbyq/+Bj\ntRe8MUWwWnss0ggc8cjcp1c0xPK1fZC3yv0iZsA+GBbNw6UoCT+Wc0hbrtW37Ge4\nvo058pfOVwoNBvSSE3oACgn5sd7g7477fyMxApeywypihQfJrNPCTuuc61/pkN1U\nM7a2GtYsoTA7EMXFjz/9HeHQhw/1zezeeIYaE2eYE33ZfNJEuy0UZ4BqWeYO9jWz\n879mTZ98e7YCvFewgC0rsZLt+IVmGxz+fN7nqVHLmhwog035wS/wGjIGr9RqpO/s\nadVO8abto93Q1ZB+yXwTJJYzeWgqUZuAkdG1Kf3GrzdBfdKpcoiowhcow3M8MXnW\nEdYYlWBzmqdWIfQ4ohvZhrkCAwEAAQ==\n-----END PUBLIC KEY-----\n",
            "public_key_data": {
                "exponent": 65537,
                "modulus": 924584833661220243023619194855799053534193597705926567688841734798836281777223509684959696185636456708767439333742299214256124599127690041588321712784565031124765720899984026441891151782750415020440950579164708489814529052882149593300069500155335810673133029607664058522679101619987162289935267811561564167375854010668701203562179818189767064068662534581994020837855796153568748022631676091220521837032519419218157219491327330151130908061910285149751318847607919373594144973401455031543717914839908964889441398879607430366573303352671729531968695389387293441630764718846459518682491412789779218831070634212851515441922523879609739710935198944760104533717181189751878403777242237263821512609610495516156870971923544286389111209858542086209030062928870676233870651009570094499681176982336541933672215205443643282934601705738725166748367170038101194848914199485716667270944656654769364661929125942368164563324247985063881678906553007431396261015206743044638650774572577173584345061645826921404405795772610806117427518395504260904191506211354504666256544665980604748254133635089544943422355659526316189531752909842728934106320779522123196450909580844151122682344364641151627371053587930952372282557752399127160849846549490144720411264697,
                "size": 4096
            },
            "public_key_fingerprints": {
                "sha256": "d6:86:b6:26:79:3d:88:7b:83:1a:1d:0c:8b:ed:9f:f7:c2:b3:c1:08:d6:8e:35:16:1c:87:46:41:0b:fa:65:e8"
            },
            "public_key_type": "RSA",
            "serial_number": 189882654612351676984398707823038400242723974380,
            "signature_algorithm": "sha256WithRSAEncryption",
            "subject": {},
            "subject_alt_name": null,
            "subject_alt_name_critical": false,
            "subject_key_identifier": "89:61:05:b3:cc:54:52:42:0b:36:d5:e2:ef:6d:38:f9:a8:04:f4:b8",
            "subject_ordered": [],
            "version": 3
        }
    },
    "filename": "/tmp/test/ca.crt",
    "invocation": {
        "module_args": {
            "acme_accountkey_path": null,
            "acme_chain": false,
            "acme_challenge_path": null,
            "acme_directory": "https://acme-v02.api.letsencrypt.org/directory",
            "attributes": null,
            "backup": false,
            "csr_content": null,
            "csr_path": "/tmp/test/ca.csr",
            "entrust_api_client_cert_key_path": null,
            "entrust_api_client_cert_path": null,
            "entrust_api_key": null,
            "entrust_api_specification_path": "https://cloud.entrust.net/EntrustCloud/documentation/cms-api-2.1.0.yaml",
            "entrust_api_user": null,
            "entrust_cert_type": "STANDARD_SSL",
            "entrust_not_after": "+365d",
            "entrust_requester_email": null,
            "entrust_requester_name": null,
            "entrust_requester_phone": null,
            "force": false,
            "group": null,
            "ignore_timestamps": true,
            "mode": null,
            "ownca_content": null,
            "ownca_create_authority_key_identifier": true,
            "ownca_create_subject_key_identifier": "create_if_not_provided",
            "ownca_digest": "sha256",
            "ownca_not_after": "+3650d",
            "ownca_not_before": "+0s",
            "ownca_path": null,
            "ownca_privatekey_content": null,
            "ownca_privatekey_passphrase": null,
            "ownca_privatekey_path": null,
            "ownca_version": 3,
            "owner": null,
            "path": "/tmp/test/ca.crt",
            "privatekey_content": null,
            "privatekey_passphrase": null,
            "privatekey_path": "/tmp/test/ca.key",
            "provider": "selfsigned",
            "return_content": true,
            "select_crypto_backend": "auto",
            "selevel": null,
            "selfsigned_create_subject_key_identifier": "create_if_not_provided",
            "selfsigned_digest": "sha256",
            "selfsigned_not_after": "+3650d",
            "selfsigned_not_before": "+0s",
            "selfsigned_version": 3,
            "serole": null,
            "setype": null,
            "seuser": null,
            "state": "present",
            "unsafe_writes": false
        }
    },
    "notAfter": "20321205022048Z",
    "notBefore": "20221208022048Z",
    "privatekey": "/tmp/test/ca.key",
    "serial_number": 189882654612351676984398707823038400242723974380
}

TASK [truststore.p12] **********************************************************
task path: /home/ruckc/Projects/tc/ansible-deployment/test.yml:27
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: ruckc
<localhost> EXEC /bin/sh -c 'echo ~ruckc && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/ruckc/.ansible/tmp `"&& mkdir "` echo /home/ruckc/.ansible/tmp/ansible-tmp-1670466711.583553-143597-224439992652194 `" && echo ansible-tmp-1670466711.583553-143597-224439992652194="` echo /home/ruckc/.ansible/tmp/ansible-tmp-1670466711.583553-143597-224439992652194 `" ) && sleep 0'
Using module file /home/ruckc/.pyenv/versions/3.11.0/lib/python3.11/site-packages/ansible_collections/community/crypto/plugins/modules/openssl_pkcs12.py
<localhost> PUT /home/ruckc/.ansible/tmp/ansible-local-143433x1wm6dy9/tmpq1exyvv5 TO /home/ruckc/.ansible/tmp/ansible-tmp-1670466711.583553-143597-224439992652194/AnsiballZ_openssl_pkcs12.py
<localhost> EXEC /bin/sh -c 'chmod u+x /home/ruckc/.ansible/tmp/ansible-tmp-1670466711.583553-143597-224439992652194/ /home/ruckc/.ansible/tmp/ansible-tmp-1670466711.583553-143597-224439992652194/AnsiballZ_openssl_pkcs12.py && sleep 0'
<localhost> EXEC /bin/sh -c '/usr/bin/python3 /home/ruckc/.ansible/tmp/ansible-tmp-1670466711.583553-143597-224439992652194/AnsiballZ_openssl_pkcs12.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /home/ruckc/.ansible/tmp/ansible-tmp-1670466711.583553-143597-224439992652194/ > /dev/null 2>&1 && sleep 0'
changed: [localhost] => {
    "changed": true,
    "filename": "/tmp/test/truststore.p12",
    "invocation": {
        "module_args": {
            "action": "export",
            "attributes": null,
            "backup": false,
            "certificate_path": "/tmp/test/ca.crt",
            "encryption_level": "auto",
            "force": false,
            "friendly_name": "ca",
            "group": null,
            "iter_size": null,
            "maciter_size": null,
            "mode": "0400",
            "other_certificates": null,
            "other_certificates_parse_all": false,
            "owner": null,
            "passphrase": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "path": "/tmp/test/truststore.p12",
            "privatekey_content": null,
            "privatekey_passphrase": null,
            "privatekey_path": null,
            "return_content": false,
            "select_crypto_backend": "auto",
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "state": "present",
            "unsafe_writes": false
        }
    },
    "mode": "0400"
}

TASK [keypair.p12] *************************************************************
task path: /home/ruckc/Projects/tc/ansible-deployment/test.yml:37
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: ruckc
<localhost> EXEC /bin/sh -c 'echo ~ruckc && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/ruckc/.ansible/tmp `"&& mkdir "` echo /home/ruckc/.ansible/tmp/ansible-tmp-1670466711.9631379-143623-7371710064746 `" && echo ansible-tmp-1670466711.9631379-143623-7371710064746="` echo /home/ruckc/.ansible/tmp/ansible-tmp-1670466711.9631379-143623-7371710064746 `" ) && sleep 0'
Using module file /home/ruckc/.pyenv/versions/3.11.0/lib/python3.11/site-packages/ansible_collections/community/crypto/plugins/modules/openssl_pkcs12.py
<localhost> PUT /home/ruckc/.ansible/tmp/ansible-local-143433x1wm6dy9/tmplb8k_xlg TO /home/ruckc/.ansible/tmp/ansible-tmp-1670466711.9631379-143623-7371710064746/AnsiballZ_openssl_pkcs12.py
<localhost> EXEC /bin/sh -c 'chmod u+x /home/ruckc/.ansible/tmp/ansible-tmp-1670466711.9631379-143623-7371710064746/ /home/ruckc/.ansible/tmp/ansible-tmp-1670466711.9631379-143623-7371710064746/AnsiballZ_openssl_pkcs12.py && sleep 0'
<localhost> EXEC /bin/sh -c '/usr/bin/python3 /home/ruckc/.ansible/tmp/ansible-tmp-1670466711.9631379-143623-7371710064746/AnsiballZ_openssl_pkcs12.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /home/ruckc/.ansible/tmp/ansible-tmp-1670466711.9631379-143623-7371710064746/ > /dev/null 2>&1 && sleep 0'
ok: [localhost] => {
    "changed": false,
    "filename": "/tmp/test/keypair.p12",
    "invocation": {
        "module_args": {
            "action": "export",
            "attributes": null,
            "backup": false,
            "certificate_path": "/tmp/test/ca.crt",
            "encryption_level": "auto",
            "force": false,
            "friendly_name": "ca",
            "group": null,
            "iter_size": null,
            "maciter_size": null,
            "mode": "0400",
            "other_certificates": null,
            "other_certificates_parse_all": false,
            "owner": null,
            "passphrase": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "path": "/tmp/test/keypair.p12",
            "privatekey_content": null,
            "privatekey_passphrase": null,
            "privatekey_path": "/tmp/test/ca.key",
            "return_content": false,
            "select_crypto_backend": "auto",
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "state": "present",
            "unsafe_writes": false
        }
    },
    "mode": "0400",
    "privatekey_path": "/tmp/test/ca.key"
}

PLAY RECAP *********************************************************************
localhost                  : ok=5    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
@felixfontein
Contributor

The problem is that you specify no private key. The interface with OpenSSL that cryptography and PyOpenSSL use to handle PKCS12 files is very limited and will extract the main certificate (the one with the friendly name) as an 'other' certificate if there is no private key present. Thus the module sees that you provided a main certificate, but the PKCS12 file has no main certificate, and treats this as a mismatch.

So we have basically two choices (when a main certificate is provided, but no private key):

  1. Either do not recreate the PKCS12 file if only the friendly name changes,
  2. Or try to make sure that the friendly name in the PKCS12 file is what was specified to the module (basically by always treating the file as changed).

Right now we do 2., which causes the file to be regenerated in your case.

@felixfontein felixfontein added the bug Something isn't working label Dec 8, 2022
@ruckc
Author

ruckc commented Dec 9, 2022

In my use case, I'm trying to build a PKCS12 truststore for a Java application. While using keytool would work, it's much slower, and it would require us to install and maintain/patch a JRE outside of a container... just to insert a certificate into a PKCS12 store.

@hille721

hille721 commented Jan 22, 2024

This issue also seems to appear if other_certificates is used :/

EDIT:
I can't reproduce my issue with a generic playbook like used in this issue. Thus forget my comment here, I will check what is wrong on my target system.

EDIT2:
OK, it is related to other_certificates, but only with the old cryptography==3.2.1 version.
