Importing certificate from site using Ansible java_cert


I am pondering the use of the Ansible java_cert module to import certificate from trusted sites.

Using bash this can be accomplished using the following

echo -n | openssl s_client -connect sh.1.1.1.3.nip.io:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/nipio.pem
/usr/lib/jvm/jdk-8u192/jre/bin/keytool -importcert -noprompt -keystore /usr/lib/jvm/jdk-8u192/jre/lib/security/cacerts -storepass changeit -alias 'nipio' -file /tmp/nipio.pem

Easy enough. When I check, the certificate is in the keystore

/usr/lib/jvm/jdk-8u192/jre/bin/keytool -list -keystore /usr/lib/jvm/jdk-8u192/jre/lib/security/cacerts -storepass changeit | grep nipio

Per my understanding of Ansible java_cert the following Ansible YAML code should be used to achieve the same

- java_cert:
    cert_alias: nipio
    cert_url: sh.1.1.1.3.nip.io
    cert_port: 443
    keystore_path: /usr/lib/jvm/jdk-8u192/jre/lib/security/cacerts
    keystore_pass: changeit
    executable: /usr/lib/jvm/jdk-8u192/jre/bin/keytool
    state: present

Each time I run Ansible my task is "changed", which suggests that Ansible is updating the keystore. But the certificate is not "present"; it is missing.

TASK [cacerts : Import trusted sites] ****************************
changed: [bitbucket] => (item={u'url': u'sh.1.1.1.3.nip.io', u'port': 443, u'name': u'nipio'})

There is a return value with the command which suggests that the command is run without anything to import?

'cmd': u"/usr/lib/jvm/jdk-8u192/jre/bin/keytool -importcert -noprompt -keystore '/usr/lib/jvm/jdk-8u192/jre/lib/security/cacerts' -storepass '********' -alias 'nipio' "

Is this a known issue with java_cert? How is this supposed to work?

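What the question never does is check what actually landed in the keystore. As an added example (not the questioner's commands and not the java_cert module's code), this Python script fetches the site's certificate with SNI, fingerprints it, and compares that against what `keytool -list` reports for the alias; the host, keytool path, keystore path and password are the ones from the question, and the `keytool -list` sample used for the offline check is constructed.

```python
import hashlib
import re
import socket
import ssl
import subprocess

def fetch_server_cert_pem(host, port=443, timeout=10):
    """Leaf cert the server presents, PEM-encoded; verification is off because this only fetches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # server_hostname sends SNI; without it a shared host may answer with a default cert
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)

def sha256_fingerprint(pem):
    """Colon-separated uppercase SHA-256 of the DER bytes, the form keytool prints."""
    digest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

FP_LINE = re.compile(r"Certificate fingerprint \(([^)]+)\):\s*([0-9A-Fa-f:]+)")
def parse_keytool_list(output):
    """alias -> (algorithm, fingerprint): each 'alias, date, type,' line is followed by a fingerprint line."""
    entries, lines = {}, output.splitlines()
    for i, line in enumerate(lines):
        m = FP_LINE.match(line.strip())
        if m and i > 0:
            entries[lines[i - 1].split(",", 1)[0].strip()] = (m.group(1), m.group(2).upper())
    return entries

def alias_status(keytool_output, alias, expected_fp):
    """'missing', 'present-match', 'present-mismatch' or 'present-unverified' (SHA1 listing: use -list -v)."""
    entry = parse_keytool_list(keytool_output).get(alias)
    if entry is None:
        return "missing"
    algo, fp = entry
    if algo.replace("-", "").upper() != "SHA256":
        return "present-unverified"
    return "present-match" if fp == expected_fp.upper() else "present-mismatch"

# Constructed sample of `keytool -list` output (not a real keystore; fingerprint shortened).
SAMPLE_LISTING = ("Keystore type: jks\nKeystore provider: SUN\n\nYour keystore contains 1 entry\n\n"
                  "nipio, Nov 6, 2019, trustedCertEntry, \nCertificate fingerprint (SHA-256): AA:BB:CC:DD\n")

if __name__ == "__main__":  # host, keytool and keystore paths are the ones from the question
    jre = "/usr/lib/jvm/jdk-8u192/jre"
    cmd = [jre + "/bin/keytool", "-list", "-keystore", jre + "/lib/security/cacerts", "-storepass", "changeit"]
    listing = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    print(alias_status(listing, "nipio", sha256_fingerprint(fetch_server_cert_pem("sh.1.1.1.3.nip.io"))))
```

A "changed" task that still reports "missing" here means the import never received a certificate, which matches the `-file`-less keytool command in the return value; "present-mismatch" means the alias exists but holds a different certificate than the site currently serves.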