From fbe871951119396826d96c5bf4b0455fbd844501 Mon Sep 17 00:00:00 2001
From: Sam Crauwels
Date: Thu, 12 Mar 2026 17:41:53 +0100
Subject: [PATCH] Fix cert validation become for remote_src certificates

When elasticsearch_tls_remote_src is true, certificate files live on the remote host and may require elevated privileges to read (e.g. FreeIPA-managed certs in /etc/pki). The validation tasks previously hardcoded become: false, which caused permission denied errors when validating remote certificates.

Set become dynamically based on _validate_remote_src so that local certs are validated without privilege escalation while remote certs use become as expected.

Co-Authored-By: Claude Opus 4.6
---
 .../tasks/certs/cert_validate.yml | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/roles/elasticstack/tasks/certs/cert_validate.yml b/roles/elasticstack/tasks/certs/cert_validate.yml
index 43be0ea9..f82f7350 100644
--- a/roles/elasticstack/tasks/certs/cert_validate.yml
+++ b/roles/elasticstack/tasks/certs/cert_validate.yml
@@ -18,7 +18,7 @@
     path: "{{ _validate_cert_path }}"
   register: _validate_cert_stat
   delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
-  become: false
+  become: "{{ _validate_remote_src | bool }}"
 
 - name: "Fail if certificate file missing — {{ _validate_service }}"
   ansible.builtin.fail:
@@ -36,7 +36,7 @@
   failed_when: false
   changed_when: false
   delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
-  become: false
+  become: "{{ _validate_remote_src | bool }}"
 
 - name: "Probe for P12 format — {{ _validate_service }}"
   ansible.builtin.command:
@@ -47,7 +47,7 @@
   failed_when: false
   changed_when: false
   delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
-  become: false
+  become: "{{ _validate_remote_src | bool }}"
   no_log: true
   when: _validate_pem_probe.rc != 0
 
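Review bot: The shell-based modulus and fingerprint tasks whose hunks follow at @@ -162, @@ -176 and @@ -192 (and the later ones at @@ -203 and @@ -240) now execute as the become user on the remote host — root unless the play sets `become_user` — so any path interpolated into their command strings becomes input to a privileged shell; the command text itself lies outside every hunk, so this is inferred from the `ansible.builtin.shell:` context lines. Each interpolated path, such as `_validate_cert_path` or `_validate_derived_key`, should be passed through `| quote` (e.g. `{{ _validate_cert_path | quote }}`) or the task switched to `ansible.builtin.command` with `argv`, unless that is already the case in the surrounding lines. The `delegate_to: localhost` branch still evaluates to `become: false`, which matches the commit message. The dynamic expression is repeated eleven times with no explanation in the file; a comment on the first occurrence, `# Remote certs may be root-only (e.g. /etc/pki); escalate only in that case`, would spare the next reader from re-deriving the rule at each task.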
@@ -80,7 +80,7 @@
     path: "{{ _validate_derived_key }}"
   register: _validate_derived_key_stat
   delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
-  become: false
+  become: "{{ _validate_remote_src | bool }}"
 
 - name: "Fail if derived key not found — {{ _validate_service }}"
   ansible.builtin.fail:
@@ -116,7 +116,7 @@
   register: _validate_pem_count
   changed_when: false
   delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
-  become: false
+  become: "{{ _validate_remote_src | bool }}"
 
 - name: "Set CA extracted fact — {{ _validate_service }}"
   ansible.builtin.set_fact:
@@ -136,7 +136,7 @@
   failed_when: false
   changed_when: false
   delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
-  become: false
+  become: "{{ _validate_remote_src | bool }}"
   when: _validate_pem_probe.rc == 0
 
 - name: "Fail if certificate already expired — {{ _validate_service }}"
@@ -162,7 +162,7 @@
   register: _validate_cert_modulus
   changed_when: false
   delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
-  become: false
+  become: "{{ _validate_remote_src | bool }}"
 
 - name: "Get key modulus — {{ _validate_service }}"
   ansible.builtin.shell:
@@ -176,7 +176,7 @@
   changed_when: false
   failed_when: false
   delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
-  become: false
+  become: "{{ _validate_remote_src | bool }}"
   no_log: true
 
 # If RSA modulus failed, try EC key
@@ -192,7 +192,7 @@
   changed_when: false
   failed_when: false
   delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
-  become: false
+  become: "{{ _validate_remote_src | bool }}"
   no_log: true
   when: _validate_key_modulus.rc != 0
 
@@ -203,7 +203,7 @@
   register: _validate_ec_cert_fp
   changed_when: false
   delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
-  become: false
+  become: "{{ _validate_remote_src | bool }}"
   when: _validate_key_modulus.rc != 0
 
 - name: "Fail if RSA key does not match certificate — {{ _validate_service }}"
@@ -240,7 +240,7 @@
   register: _validate_san_output
   changed_when: false
   delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
-  become: false
+  become: "{{ _validate_remote_src | bool }}"
 
 - name: "Warn if SAN does not include this node — {{ _validate_service }}"
   ansible.builtin.debug: