I've been debugging the RHEL 7 failures in linux-system-roles/cockpit#39, and scratching my head over why RHEL 7's curl/OpenSSL don't accept lsr.certificate self-signed certificates. Turns out the reason is that even when the request playbook variable specifies `ca: self-sign`, the certificate that actually gets generated is for the "local" CA:
```
Request ID '20211020094829':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/monger-cockpit.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/monger-cockpit.crt'
        CA: local
```
So if you try to use the certificate as its own CA (as you would with a self-signed one), at least on RHEL/CentOS 7 this fails:
```
# openssl s_client -CAfile /etc/pki/tls/certs/monger-cockpit.crt -verify 1 -verify_return_error -connect localhost:9090 </dev/null
verify depth is 1
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=20:unable to get local issuer certificate
139932372125584:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1264:
[...]
```
For some utterly strange reason it seems to work on Fedora or RHEL 8 -- maybe certmonger creates the "local" CA lazily with the first request, and re-uses the same value for both the CA and the requested certificate? (I did not investigate this deeply).
After some digging it turns out that this is some explicit code, from the original commit f33e8e6 by @seocam:

```python
if ca == "self-sign":
    ca = "local"
```
@seocam, do you still remember why you did this? It seems to me that the intended thing would be to set ca = 'SelfSign'?
FTR: I tried that locally, and it still does not work, but it gets at least one step further; filed as #99.
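The failure above can be reproduced without certmonger or a running cockpit. The following is an added example (not code from the issue, from certmonger, or from the certificate role): it builds one genuinely self-signed certificate and one leaf certificate issued by a separate private CA (standing in for certmonger's "local" CA), then runs the same check as the `s_client` command in the issue, using each certificate as the only entry in `-CAfile` to verify itself. All names, subjects and the temporary directory are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the issue or from the certificate role.
# Reproduces the failure mode above with the openssl CLI: a certificate
# issued by a separate "local" CA cannot serve as its own trust anchor,
# while a genuinely self-signed one can. Names and paths are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# A self-signed certificate: subject == issuer, signed with its own key
# (what ca: self-sign in the role is meant to produce).
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=localhost" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# A private CA plus a leaf certificate signed by it, mirroring what
# certmonger's built-in "local" CA does to a request.
make_ca_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Local Signing Authority" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=localhost" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# Same check as the s_client invocation in the issue, minus the server:
# use the certificate as the only trust anchor and verify it against itself.
# Prints "ok" when openssl accepts the chain, "fail" otherwise.
verify_as_own_ca() {
    if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Quick structural check: a self-signed certificate has subject == issuer.
# Prints "yes" or "no".
subject_equals_issuer() {
    subj="$(openssl x509 -noout -subject -in "$WORK/$1.crt")"
    iss="$(openssl x509 -noout -issuer -in "$WORK/$1.crt")"
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo yes; else echo no; fi
}

make_self_signed selfsigned
make_ca_signed localca
printf 'self-signed:     verify=%s subject==issuer=%s\n' \
    "$(verify_as_own_ca selfsigned)" "$(subject_equals_issuer selfsigned)"
printf 'local-CA-issued: verify=%s subject==issuer=%s\n' \
    "$(verify_as_own_ca localca)" "$(subject_equals_issuer localca)"
```

The `subject_equals_issuer` check is a quick way to tell, on any host, whether the file certmonger wrote is really self-signed or is a leaf from its "local" CA; the latter only verifies when the CA certificate itself is in the trust store, which is why the cockpit tests that trusted the leaf alone failed.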
This can be worked around with `ca: SelfSign` in the role parameters. It only documents (and wrongly translates) `self-sign`, but `getcert -c` expects it as `SelfSign` anyway, and like that it just gets passed through.