certificates

certificates copied to clipboard

Hello!

• Vote on this issue by adding a 👍 reaction
• If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Allow head requests for the roots.pem path. Currently this returns a 405.

$ curl --head https://step-cert-authority.anonymous-org.com/roots.pem     
HTTP/2 405 

Resulting output from journalctl -x --unit=step-ca:

Aug 01 15:24:03 ip-x-x-x-x.x.internal step-ca[2461]: time="2022-08-01T15:24:03-05:00" level=warning duration="25.229µs" duration-ns=25229 fields.time="2022-08-01T15:24:03-05:00" method=HEAD name=ca path=/roots.pem protocol=HTTP/2.0 referer= remote-address=x.x.x.x request-id=cbk3copes5pck49fpnn0 size=0 status=405 user-agent=curl/7.68.0 user-id=

step version:

$ step --version
Smallstep CLI/0.20.0 (linux/amd64)
Release Date: 2022-05-26T18:40:14Z

Why is this needed?

When running an ansible playbook in check mode, the ansible.builtin.get_url module uses head requests instead of get in order to validate that the url is accessible.

From Ansible 2.4 when run with --check, it will do a HEAD request to validate the URL but will not download the entire file or verify it against hashes and will report incorrect changed status.

Without this, ansible errors on this step in check mode since the server returns 405, which the module treats as a terminating error, stopping the playbook execution.