When a revoked certificate with reason 6 (certificateHold) is revoked
with reason 8 (removeFromCRL), the effect is that the certificate is
valid again, as it is the same procedure as 'state: release'.
This is, at least, the behavior of the IPA CLI commands, and it is what
this patch implements.
A new test is added to verify this behavior:
tests/cert/test_cert_remove_hold_with_removeFromCRL.yml
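---
# A certificate revoked with reason 6 (certificateHold) is revoked again with
# reason 8 (removeFromCRL). Per the commit description this lifts the hold
# (same procedure as 'state: release'), so the first removeFromCRL must
# report a change and a repeated one must not.
#
# NOTE(review): only the hold -> removeFromCRL path is covered. The play does
# not exercise removeFromCRL against a certificate revoked for a non-hold
# reason, and it does not re-read the certificate after the hold is lifted;
# it relies solely on the module's changed/failed flags.
- name: Test remove certificate hold by removing it from CRL.
  hosts: ipaserver
  become: false
  gather_facts: false
  module_defaults:
    # Admin credential for the test deployment, applied to every ipauser and
    # ipacert task below.
    ipauser:
      ipaadmin_password: SomeADMINpassword
    ipacert:
      ipaadmin_password: SomeADMINpassword

  tasks:
  - name: Ensure test users are present
    ipauser:
      name: testuser
      first: test
      last: user

  # The private key goes to /dev/null: only the CSR on stdout is needed.
  # Process substitution requires bash, hence the explicit executable.
  - name: Create user certificate CSR
    ansible.builtin.shell:
      cmd: |-
        openssl req -newkey rsa:2048 -keyout /dev/null -nodes \
        -subj /CN=testuser -reqexts IECUserRoles -config \
        <(cat /etc/pki/tls/openssl.cnf; \
        printf "[IECUserRoles]\n1.2.3.10.9.8=ASN1:UTF8String:Testing Cert")
      args:
        executable: /bin/bash
    register: user_csr

  # Re-registers user_csr: from here on it holds the ipacert result, whose
  # certificate.serial_number the revocation tasks below use.
  - name: Request certificate with ipacert
    ipacert:
      csr: '{{ user_csr.stdout }}'
      principal: testuser
      state: requested
    register: user_csr
    failed_when: not user_csr.changed or user_csr.failed

  - name: Revoke certificate with reason 6 (certificateHold)
    ipacert:
      serial_number: "{{ user_csr.certificate.serial_number }}"
      revocation_reason: certificateHold
      state: revoked
    register: result
    failed_when: not result.changed or result.failed

  # Lifting the hold is expected to be reported as a change.
  - name: Revoke certificate with reason 8 (removeFromCRL)
    ipacert:
      serial_number: "{{ user_csr.certificate.serial_number }}"
      revocation_reason: removeFromCRL
      state: revoked
    register: result
    failed_when: not result.changed or result.failed

  # A second removeFromCRL has no hold left to lift: it must be idempotent.
  - name: Revoke certificate with reason 8 (removeFromCRL), again
    ipacert:
      serial_number: "{{ user_csr.certificate.serial_number }}"
      revocation_reason: removeFromCRL
      state: revoked
    register: result
    failed_when: result.changed or result.failed

  - name: Ensure test users are absent
    ipauser:
      name: testuser
      state: absent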