cp-ansible

Add support for non-RSA TLS certificates

Open cruscio opened this issue 2 years ago • 0 comments

Describe the issue

When upgrading from 7.0 to 7.1, with ecdsa ssl_custom_certs, the play fails at "Assert SSL key hash matches SSL cert hash":

ansible-playbook -i hosts.yml confluent.platform.all --tags zookeeper
[...]
TASK [confluent.platform.common : Assert SSL key hash matches SSL cert hash] ********
Thursday 07 April 2022  10:20:51 -0400 (0:00:00.084)       0:00:25.547 ****************
fatal: [SERVER01]: FAILED! => {
    "assertion": "key_hash.stdout == cert_hash.stdout",
    "changed": false,
    "evaluated_to": false,
    "msg": "\"The MD5 value of the custom ssl key does not match the MD5 value of the custom certificate, indicating that the keys do no match and are incompatible.  Please review your keys and certs and confirm they are from the same source.\""
}

To Reproduce

Deploy a 7.0.0 cluster:

  • git+https://github.com/confluentinc/cp-ansible.git,7.0.0-post
  • ssl_custom_certs: true
  • zookeeper_ssl_enabled: false
  • Use ecdsa TLS certificates, not rsa

Attempt to upgrade the cluster to 7.1:

  • ansible-galaxy collection install --upgrade git+https://github.com/confluentinc/cp-ansible.git,7.1.0-post
  • ansible-playbook -i hosts.yml confluent.platform.all --tags zookeeper

Expected behaviour

Algorithm agnostic key-pair validation. For example, using pkey and pubout/pubkey instead of rsa and modulus

Proposed Change (I've tested successfully with an ecdsa key pair; I have not tested an rsa one):

- name: Retrieve SSL key hash
  shell: openssl pkey -pubout -in {{ ssl_key_filepath }} | openssl md5
  register: key_hash
  delegate_to: localhost
  when: ssl_custom_certs|bool
  tags:
    - validate
    - validate_ssl_keys_certs

- name: Retrieve SSL cert hash
  shell: openssl x509 -noout -pubkey -in {{ ssl_signed_cert_filepath }} | openssl md5
  register: cert_hash
  delegate_to: localhost
  when: ssl_custom_certs|bool
  tags:
    - validate
    - validate_ssl_keys_certs

Diff:

92c94
<   shell: openssl rsa -noout -modulus -in {{ ssl_key_filepath }} | openssl md5
---
>   shell: openssl pkey -pubout -in {{ ssl_key_filepath }} | openssl md5
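Review bot: the replacement at 92c94 is what makes the check algorithm-agnostic, since `openssl pkey -pubout` accepts RSA, EC and other key types and writes the public key as a SubjectPublicKeyInfo PEM block, the same form the certificate side emits, so the two MD5 values agree exactly when the public keys are byte-identical; because the author states the RSA case is untested, run the task once with an RSA pair and once with a deliberately mismatched key and certificate before merging, to confirm both the positive and the negative outcome. Keep in mind that the pipeline's exit status is that of `openssl md5`, so a key file that openssl cannot read does not fail this task; it yields the MD5 of empty output and the problem only surfaces later in the assert, with the same "keys do no match" message shown in the reported trace.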
101c103
<   shell: openssl x509 -noout -modulus -in {{ ssl_signed_cert_filepath }} | openssl md5
---
>   shell: openssl x509 -noout -pubkey -in {{ ssl_signed_cert_filepath }} | openssl md5
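Review bot: `-noout -pubkey` at 101c103 is the correct counterpart to the key-side change: `-noout` suppresses the certificate body and `-pubkey` still prints the certificate's public key in PEM, so the digest matches the key side only for an identical public key, which is strictly stronger than the old modulus comparison (that one ignored the RSA public exponent and could not be computed for EC keys at all). One style point: since the digest is only an equality shortcut, comparing the two PEM outputs directly in the assert would drop the `openssl md5` step and make the assertion message, which currently talks about MD5 values, easier to read; if MD5 is kept, the message stays accurate as written.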

Inventory File

This would require steps to obfuscate and, with the above detail, should not be necessary. Please let me know if more information is required.

Logs

This would require steps to obfuscate and, with the above detail, should not be necessary. Please let me know if more information is required.

Environment (please complete the following information):

  • OS: [RHEL 8]
  • CP-Ansible Branch: [7.1.0-post]
  • Ansible Version: ansible-playbook [core 2.11.6]
  • Python version: 3.6.9

Additional context

Reference:

cruscio Apr 07 '22 15:04
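The key-pair check described in the issue, written out as a stand-alone shell script. This is an added example, not code from the issue or from cp-ansible: it reproduces the proposed `pkey -pubout` / `x509 -pubkey` comparison next to the pre-7.1 `-modulus` variant, generates a throwaway ECDSA pair and a throwaway RSA pair, and shows that the new check passes for both while the old one only passes for RSA. It assumes the `openssl` CLI is installed; the function names, temporary paths and the `example.test` subject are this example's own.

```shell
#!/bin/sh
# Added example (not cp-ansible code): algorithm-agnostic key/cert matching.
# Both sides are reduced to the SubjectPublicKeyInfo PEM block and compared,
# which is what the issue's proposed tasks do; the legacy RSA-modulus variant
# is kept beside it to show why an ECDSA pair fails the old check.
# Requires the openssl CLI. Paths and function names are this example's own.
set -eu

# Public-key hash derived from a private key (RSA, EC, Ed25519, ...).
key_pub_hash() {
  openssl pkey -pubout -in "$1" | openssl md5 | awk '{print $NF}'
}

# Public-key hash taken from an X.509 certificate.
cert_pub_hash() {
  openssl x509 -noout -pubkey -in "$1" | openssl md5 | awk '{print $NF}'
}

# Succeeds when the certificate was issued for the given private key.
keypair_matches() {
  [ "$(key_pub_hash "$1")" = "$(cert_pub_hash "$2")" ]
}

# Pre-7.1 style check, reproduced for comparison. The pipeline status is that
# of openssl md5, so a non-RSA key does not make this step fail: it yields the
# MD5 of empty output and the mismatch only surfaces when the two are compared.
legacy_modulus_matches() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl md5)
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null | openssl md5)
  [ "$k" = "$c" ]
}

# Generate a throwaway self-signed key/cert pair into directory $1.
# Remaining arguments are the -newkey spec, e.g. "rsa:2048" or
# "ec -pkeyopt ec_paramgen_curve:P-256".
make_pair() {
  dir=$1; shift
  openssl req -x509 -newkey "$@" -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

main() {
  tmp=$(mktemp -d)
  mkdir "$tmp/ec" "$tmp/rsa"
  make_pair "$tmp/ec" ec -pkeyopt ec_paramgen_curve:P-256
  make_pair "$tmp/rsa" rsa:2048
  for alg in ec rsa; do
    key="$tmp/$alg/key.pem"; cert="$tmp/$alg/cert.pem"
    if keypair_matches "$key" "$cert"; then new=match; else new=MISMATCH; fi
    if legacy_modulus_matches "$key" "$cert"; then old=match; else old=MISMATCH; fi
    echo "$alg: pubkey check=$new, legacy modulus check=$old"
  done
  # A key checked against someone else's certificate must still be rejected.
  if keypair_matches "$tmp/ec/key.pem" "$tmp/rsa/cert.pem"; then
    echo "cross check wrongly passed"; rm -rf "$tmp"; exit 1
  fi
  echo "cross check (ec key vs rsa cert): MISMATCH as expected"
  rm -rf "$tmp"
}

main
```

Run it as `sh keycheck.sh`; the EC line reports the legacy modulus check as MISMATCH, which is the failure mode from the issue, while the public-key comparison reports match for both algorithms and still rejects a key paired with the wrong certificate.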