
Enhance Certificate-Renewal functionality #2

Open
kepi opened this issue Jul 17, 2024 · 5 comments
Labels
enhancement New feature or request

Comments

@kepi

kepi commented Jul 17, 2024

What is the best way to reissue a certificate with different settings? If I'm not mistaken, the only way for now is to revoke the original with state: absent and then add it again?

It's quite common to forget e.g. a DNS name, and I'm wondering if there is a better way.

Feel free to close this if that is the only correct way. Thanks.

@ansibleguy
Owner

Greetings.

I've thought of having a renew action.
It basically revokes and re-creates the certificate, but keeps its private key.

See: https://github.com/ansibleguy/infra_pki/blob/latest/playbook_single_cert.yml#L23C13-L23C28

Is that what you thought of? Or do you have some better way in mind?

Have a nice day

@kepi
Author

kepi commented Jul 24, 2024

Greetings.

Renew action would be definitely better than revoking and recreating.

But as you are asking what I thought of, I would prefer Ansible's idempotent way. A renew action seems better for one-time playbooks, not for those you run on a schedule.

The certificate would simply be issued exactly as specified in the arguments. If it doesn't match the arguments, it gets reissued automatically. So a normal state: present would give me assurance that the certificate is exactly as wanted.

To be clearer about my thinking, let's take the use case of managing OpnSense routers with your role.

Use case 1 - current status

There is no easy way to replace a certificate on the router when it changes, and you'll probably upload it manually. A one-time playbook would be great for this, simply something like renew-routers-certs.yml, after which you upload the certs manually to the routers. The renew action makes absolute sense here.

Use case 2 - certificates installed from Ansible

When there is some easy way to change the certificate on the router, I don't want to think about renewing certificates. I'll simply run my routers.yml playbook, which will issue certs that aren't issued yet or whose attributes have changed. And when a certificate changes, it will be uploaded to the router by Ansible. In that case I want state: present and nothing more. I would simply put this play into cron and be done.

Btw. in that ideal (for me) case there would still be a need for one new attribute, something like renew_days_before, which would handle renewing the certificate if it is expiring soon.

Feel free to ditch this idea if it isn't in line with your thinking.

Have a nice day

@ansibleguy
Owner

I like that idea.
That way it would provide some of the features we see in ACME providers nowadays.

So we would have to implement:

  • If state = present - check certificate attributes to trigger renewal if needed
    • Check lifetime/valid-days and renew if needed
    • Check if SAN, cert-type, or something like that changed

Am I missing something?
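The following is an added illustration of the idempotent check sketched in the two comments above (the state: present comparison with a renew_days_before threshold, and the three bullet points listing what to compare). It is not code from the infra_pki role and does not show how that role stores or inspects certificates. It assumes the certificate's attributes are read from what `openssl x509 -in cert.pem -noout -enddate -ext subjectAltName,extendedKeyUsage` prints, that the desired state is given as a list of SANs plus a cert_type of "server" or "client", and that "cert-type changed" maps onto the Extended Key Usage extension; the openssl output embedded below is constructed, not captured from a real certificate.

```python
"""Decide whether a managed certificate must be re-issued (added example, not role code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of:
#   openssl x509 -in cert.pem -noout -enddate -ext subjectAltName,extendedKeyUsage
# Note the mixed case and ordering of SANs: neither should trigger a renewal.
SAMPLE_OPENSSL_OUTPUT = """\
notAfter=Aug 20 09:15:00 2024 GMT
X509v3 Subject Alternative Name: 
    DNS:Router1.example.com, IP Address:192.0.2.1, DNS:router1
X509v3 Extended Key Usage: 
    TLS Web Server Authentication
"""

# Assumed mapping from a role-style cert_type to the EKU text openssl prints.
EKU_BY_TYPE = {
    "server": "TLS Web Server Authentication",
    "client": "TLS Web Client Authentication",
}


@dataclass(frozen=True)
class CertFacts:
    not_after: datetime      # timezone-aware (UTC)
    sans: frozenset[str]     # normalised, e.g. {"DNS:router1", "IP:192.0.2.1"}
    ekus: frozenset[str]     # EKU names exactly as openssl prints them


def normalise_san(entry: str) -> str:
    """Map 'DNS:Foo.', 'IP Address:192.0.2.1' or a bare 'foo' / '2001:db8::1' to one canonical form."""
    entry = entry.strip()
    kind, sep, value = entry.partition(":")
    if not sep or kind not in ("DNS", "IP", "IP Address", "email", "URI"):
        # Bare value as a role variable might give it: decide IP vs DNS by parsing.
        value = entry
        try:
            ipaddress.ip_address(value)
            kind = "IP"
        except ValueError:
            kind = "DNS"
    if kind in ("IP", "IP Address"):
        return f"IP:{ipaddress.ip_address(value).compressed}"
    if kind == "DNS":
        return f"DNS:{value.lower().rstrip('.')}"
    return f"{kind}:{value}"


def parse_openssl_text(text: str) -> CertFacts:
    """Extract notAfter, SANs and EKUs from the openssl text output above."""
    not_after = None
    sans: set[str] = set()
    ekus: set[str] = set()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("notAfter="):
            # openssl pads single-digit days with two spaces ("Aug  5 ..."); split/join collapses them.
            stamp = " ".join(line[len("notAfter="):].split())
            not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
            section = None
        elif line.startswith("X509v3 Subject Alternative Name"):
            section = "san"
        elif line.startswith("X509v3 Extended Key Usage"):
            section = "eku"
        elif section == "san":
            sans.update(normalise_san(e) for e in line.split(",") if e.strip())
        elif section == "eku":
            ekus.update(e.strip() for e in line.split(",") if e.strip())
    if not_after is None:
        raise ValueError("notAfter missing from openssl output")
    return CertFacts(not_after, frozenset(sans), frozenset(ekus))


def renewal_reasons(current: CertFacts, wanted_sans, cert_type: str,
                    renew_days_before: int, now: datetime | None = None) -> list[str]:
    """Return why the cert must be re-issued; an empty list means state: present is satisfied."""
    now = now or datetime.now(timezone.utc)
    reasons: list[str] = []
    remaining = current.not_after - now
    if remaining <= timedelta(days=renew_days_before):
        reasons.append(f"expires in {remaining.days} days (threshold {renew_days_before})")
    wanted = frozenset(normalise_san(s) for s in wanted_sans)
    if wanted != current.sans:  # set comparison: order and case differences do not count
        reasons.append(f"SAN mismatch: missing={sorted(wanted - current.sans)} extra={sorted(current.sans - wanted)}")
    eku = EKU_BY_TYPE[cert_type]
    if eku not in current.ekus:
        reasons.append(f"cert_type {cert_type!r} needs EKU {eku!r}, certificate has {sorted(current.ekus)}")
    return reasons


if __name__ == "__main__":
    facts = parse_openssl_text(SAMPLE_OPENSSL_OUTPUT)
    wanted = ["router1", "router1.example.com", "192.0.2.1"]
    print(renewal_reasons(facts, wanted, "server", renew_days_before=30))
```

Returning a list of reasons rather than a bare boolean is deliberate: in a scheduled run the reasons can be written to the task's `changed` message, so a renewal triggered by an approaching expiry looks different in the log from one triggered by a SAN someone edited.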

@ansibleguy ansibleguy changed the title Best way for handling changes in certificate? Enhance Certificate-Renewal functionality Jul 29, 2024
@ansibleguy ansibleguy added the enhancement New feature or request label Jul 29, 2024
@kepi
Author

kepi commented Jul 31, 2024

Sounds great, I think that might be everything. But we will probably discover something missing once we start using this :D

@ansibleguy
Owner

Sorry for the delay. I have been busy starting a business. I'll add it to my internal ticket system and hopefully will find time for it in the next few weeks.
