Add extra task to guarantee immutability on CentOS7

StackStorm · Oct 13, 2023 · 6b055b8 · 6b055b8
1 parent 6e5ecc7
commit 6b055b8
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/roles/StackStorm.st2web/tasks/certificate.yml b/roles/StackStorm.st2web/tasks/certificate.yml
@@ -49,21 +49,26 @@
   # RedHat 7 comes with openssl 1.0.2k-fips which requires an extra openssl.conf to specify the SAN
   become: yes
   block:
+    - name: Check if there is already an existing key file
+      stat:
+        path: /etc/ssl/st2/st2.key
+      register: keyfile
     - name: Render openssl.cnf
       ansible.builtin.template:
         src: openssl.cnf.j2
         dest: /tmp/openssl.cnf
         mode: '0644'
+      when: not keyfile.stat.exists
     - name: Generate self-signed SSL certificate on RedHat 7
       shell: openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/st2/st2.key -out /etc/ssl/st2/st2.crt -days 365 -nodes -subj "/C=US/ST=California/L=Palo Alto/O=StackStorm/OU=Information Technology/CN=$(hostname)" -config /tmp/openssl.cnf
-      args:
-        creates: /etc/ssl/st2/st2.key
       notify:
         - restart nginx
+      when: not keyfile.stat.exists
     - name: Delete the openssl.cnf
       ansible.builtin.file:
         path: /tmp/openssl.cnf
         state: absent
+      when: not keyfile.stat.exists
   when:
     - not st2web_ssl_certificate
     - not st2web_ssl_certificate_key