From aa39d0a808ab1e135e28d26cccc5cdbe8ad56596 Mon Sep 17 00:00:00 2001
From: Marcel Weinberg
Date: Sun, 18 Jul 2021 02:05:02 +0200
Subject: [PATCH 1/4] Generate self-signed certificates with subject alternative name
---
 roles/StackStorm.st2web/tasks/certificate.yml | 29 +++++++++++++++++--
 .../templates/openssl.cnf.j2 | 16 ++++++++++
 2 files changed, 43 insertions(+), 2 deletions(-)
 create mode 100644 roles/StackStorm.st2web/templates/openssl.cnf.j2
diff --git a/roles/StackStorm.st2web/tasks/certificate.yml b/roles/StackStorm.st2web/tasks/certificate.yml
index 3d1a9f56..6254a7a5 100644
--- a/roles/StackStorm.st2web/tasks/certificate.yml
+++ b/roles/StackStorm.st2web/tasks/certificate.yml
@@ -33,10 +33,35 @@
 when: st2web_ssl_certificate and st2web_ssl_certificate_key
 - name: Generate self-signed SSL certificate
+ # openssl >= 1.1.1 is required to specify the SubjectAltName (SAN) via arguments
 become: yes
- shell: openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/st2/st2.key -out /etc/ssl/st2/st2.crt -days 365 -nodes -subj "/C=US/ST=California/L=Palo Alto/O=StackStorm/OU=Information Technology/CN=$(hostname)"
+ shell: openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/st2/st2.key -out /etc/ssl/st2/st2.crt -days 365 -nodes -subj "/C=US/ST=California/L=Palo Alto/O=StackStorm/OU=Information Technology/CN=$(hostname)" -addext "subjectAltName=DNS:$(hostname)"
 args:
 creates: /etc/ssl/st2/st2.key
 notify:
 - restart nginx
- when: not st2web_ssl_certificate and not st2web_ssl_certificate_key
+ when:
+ - not st2web_ssl_certificate
+ - not st2web_ssl_certificate_key
+ - not (ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7')
+
+- name: Generate self-signed SSL certificate on RedHat 7
+ # RedHat 7 comes with openssl 1.0.2k-fips which requires an extra openssl.conf to specify the SAN
+ become: yes
+ block:
+ - name: Render openssl.cnf
+ ansible.builtin.template:
+ src: openssl.cnf.j2
+ dest: /opt/stackstorm/openssl.cnf
+ mode: '0644'
+ - name: Generate self-signed SSL certificate on RedHat 7
+ shell: openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/st2/st2.key -out /etc/ssl/st2/st2.crt -days 365 -nodes -subj "/C=US/ST=California/L=Palo Alto/O=StackStorm/OU=Information Technology/CN=$(hostname)" -config /opt/stackstorm/openssl.cnf
+ args:
+ creates: /etc/ssl/st2/st2.key
+ notify:
+ - restart nginx
+ when:
+ - not st2web_ssl_certificate
+ - not st2web_ssl_certificate_key
+ - ansible_os_family == 'RedHat'
+ - ansible_distribution_major_version == '7'
\ No newline at end of file
diff --git a/roles/StackStorm.st2web/templates/openssl.cnf.j2 b/roles/StackStorm.st2web/templates/openssl.cnf.j2
new file mode 100644
index 00000000..00a9cf6e
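Review bot: The comment added above `become: yes` says `-addext` needs openssl >= 1.1.1, but the new `when` list only carves out RedHat 7, so any other platform that still ships an older openssl (Ubuntu 16.04 with 1.0.2, for instance) takes this path and `openssl req` fails on the unknown option. Gate on the installed version instead of the distribution: register the output of `openssl version` in a preceding task (say as `openssl_version`, a constructed name) and use `- openssl_version.stdout.split()[1] is version('1.1.1', '>=')` here, with its negation on the RedHat 7 task below. Both `CN=$(hostname)` and `DNS:$(hostname)` take whatever the kernel nodename is, typically the short name, so clients that connect by FQDN will not match the SAN; exposing the SAN entries as a role variable would let operators set that. Style-wise the new block mixes `ansible.builtin.template` with bare `shell:` and `become: yes`; `ansible.builtin.shell` and `become: true` would keep it consistent, here and in the later patches of the series.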
--- /dev/null
+++ b/roles/StackStorm.st2web/templates/openssl.cnf.j2
@@ -0,0 +1,16 @@
+[ req ]
+x509_extensions = v3_req
+distinguished_name = dn
+
+[ dn ]
+C = US
+ST = California
+L = Palo Alto
+O = StackStorm
+OU = Information Technology
+
+[ alternate_names ]
+DNS.1 = {{ ansible_hostname }}
+
+[ v3_req ]
+subjectAltName = @alternate_names
From b6f9bc4f6a5e361ba0fbc61d55520f1b67fa7ddf Mon Sep 17 00:00:00 2001
From: Marcel Weinberg
Date: Sun, 18 Jul 2021 02:11:47 +0200
Subject: [PATCH 2/4] Move the openssl.cnf to /tmp and delete it once the cert has been created
---
 roles/StackStorm.st2web/tasks/certificate.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/roles/StackStorm.st2web/tasks/certificate.yml b/roles/StackStorm.st2web/tasks/certificate.yml
index 6254a7a5..e5606622 100644
--- a/roles/StackStorm.st2web/tasks/certificate.yml
+++ b/roles/StackStorm.st2web/tasks/certificate.yml
@@ -52,14 +52,18 @@
 - name: Render openssl.cnf
 ansible.builtin.template:
 src: openssl.cnf.j2
- dest: /opt/stackstorm/openssl.cnf
+ dest: /tmp/openssl.cnf
 mode: '0644'
 - name: Generate self-signed SSL certificate on RedHat 7
- shell: openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/st2/st2.key -out /etc/ssl/st2/st2.crt -days 365 -nodes -subj "/C=US/ST=California/L=Palo Alto/O=StackStorm/OU=Information Technology/CN=$(hostname)" -config /opt/stackstorm/openssl.cnf
+ shell: openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/st2/st2.key -out /etc/ssl/st2/st2.crt -days 365 -nodes -subj "/C=US/ST=California/L=Palo Alto/O=StackStorm/OU=Information Technology/CN=$(hostname)" -config /tmp/openssl.cnf
 args:
 creates: /etc/ssl/st2/st2.key
 notify:
 - restart nginx
+ - name: Delete the openssl.cnf
+ ansible.builtin.file:
+ path: /tmp/openssl.cnf
+ state: absent
 when:
 - not st2web_ssl_certificate
 - not st2web_ssl_certificate_key
From 6e5ecc7d96707a536755b7310274a33314b0f88c Mon Sep 17 00:00:00 2001
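Review bot: The `[ dn ]` section appears to be dead configuration: the task that consumes this file passes `-subj` on the command line, so openssl takes the subject from there and these `C`/`ST`/`L`/`O`/`OU` values are not used, while `distinguished_name = dn` still has to name a section for `req` to run at all. Either add `prompt = no` plus a `CN = {{ ansible_hostname }}` entry to `[ dn ]` and drop `-subj` from the task, or reduce the section to a comment saying why it is empty, so the next reader does not edit values that have no effect. Note also that `DNS.1` is rendered from the `ansible_hostname` fact while the task's `-subj` uses `$(hostname)`; if the machine's hostname is configured as an FQDN those can differ and the SAN would not match the CN. A one-line header such as `# Rendered by the st2web role for openssl req -config on hosts whose openssl lacks -addext` would document the file's purpose.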
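Review bot: Rendering the config to the fixed, world-readable path in `dest: /tmp/openssl.cnf` with `mode: '0644'` makes a predictable file in a shared temp directory the input that decides the certificate's contents; that is the pattern to avoid on multi-user hosts, even if the template module replaces whatever is already there. Prefer `ansible.builtin.tempfile` to obtain a unique, owner-only path and pass its `.path` to `-config`, or render into a root-owned location such as the `/etc/ssl/st2` directory the key already lives in. Separately, the new `Delete the openssl.cnf` task only runs when the preceding tasks succeed, so a failing openssl invocation leaves the file behind; moving the deletion into an `always:` section of the block would clean up regardless. The enclosing block and its `become: yes` start before this hunk.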
From: Marcel Weinberg
Date: Sun, 18 Jul 2021 02:12:47 +0200
Subject: [PATCH 3/4] Add missing new line add the end of certificate.yml
---
 roles/StackStorm.st2web/tasks/certificate.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/StackStorm.st2web/tasks/certificate.yml b/roles/StackStorm.st2web/tasks/certificate.yml
index e5606622..8ace9b8f 100644
--- a/roles/StackStorm.st2web/tasks/certificate.yml
+++ b/roles/StackStorm.st2web/tasks/certificate.yml
@@ -68,4 +68,4 @@
 - not st2web_ssl_certificate
 - not st2web_ssl_certificate_key
 - ansible_os_family == 'RedHat'
- - ansible_distribution_major_version == '7'
\ No newline at end of file
+ - ansible_distribution_major_version == '7'
From 6b055b845695b8b112feceb95f663140e8aafdbe Mon Sep 17 00:00:00 2001
From: Marcel Weinberg
Date: Sat, 24 Jul 2021 00:31:33 +0200
Subject: [PATCH 4/4] Add extra task to guarantee immutability on CentOS7
---
 roles/StackStorm.st2web/tasks/certificate.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/roles/StackStorm.st2web/tasks/certificate.yml b/roles/StackStorm.st2web/tasks/certificate.yml
index 8ace9b8f..e39eda92 100644
--- a/roles/StackStorm.st2web/tasks/certificate.yml
+++ b/roles/StackStorm.st2web/tasks/certificate.yml
@@ -49,21 +49,26 @@
 # RedHat 7 comes with openssl 1.0.2k-fips which requires an extra openssl.conf to specify the SAN
 become: yes
 block:
+ - name: Check if there is already an existing key file
+ stat:
+ path: /etc/ssl/st2/st2.key
+ register: keyfile
 - name: Render openssl.cnf
 ansible.builtin.template:
 src: openssl.cnf.j2
 dest: /tmp/openssl.cnf
 mode: '0644'
+ when: not keyfile.stat.exists
 - name: Generate self-signed SSL certificate on RedHat 7
 shell: openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/st2/st2.key -out /etc/ssl/st2/st2.crt -days 365 -nodes -subj "/C=US/ST=California/L=Palo Alto/O=StackStorm/OU=Information Technology/CN=$(hostname)" -config /tmp/openssl.cnf
- args:
- creates: /etc/ssl/st2/st2.key
 notify:
 - restart nginx
+ when: not keyfile.stat.exists
 - name: Delete the openssl.cnf
 ansible.builtin.file:
 path: /tmp/openssl.cnf
 state: absent
+ when: not keyfile.stat.exists
 when:
 - not st2web_ssl_certificate
 - not st2web_ssl_certificate_key
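Review bot: The new guard only asks whether `/etc/ssl/st2/st2.key` exists, so a run that was interrupted after openssl wrote the key but before it wrote `/etc/ssl/st2/st2.crt` is never repaired on the next play; this mirrors the `creates:` behaviour the hunk removes, but the explicit `stat` is the opportunity to close that gap. Add a second `stat` on the certificate path registered as `certfile` (constructed name) and gate the three tasks on `when: not (keyfile.stat.exists and certfile.stat.exists)`, or at minimum stat the certificate rather than the key, since the certificate is what nginx serves. The added `stat:` task is also the only one in the block without the `ansible.builtin.` prefix its `template` and `file` siblings carry. The block's outer `when:` list continues past the end of the hunk.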