From fd3b264933bfcaf074c37ca7ec11cc833b950536 Mon Sep 17 00:00:00 2001
From: Jared Ledvina
Date: Mon, 19 Mar 2018 23:25:19 -0400
Subject: [PATCH 1/8] Tests - Install urllib3 for SAN verification - #150

---
 tasks/ssl_generate.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tasks/ssl_generate.yml b/tasks/ssl_generate.yml
index 821ab2a1..77bc03a4 100644
--- a/tasks/ssl_generate.yml
+++ b/tasks/ssl_generate.yml
@@ -12,6 +12,10 @@
 group: "{{ sensu_group_name }}"
 when: sensu_master
+ - name: Install urllib3 to ensure we can validate the SAN cert
+ package:
+ name: python-urllib3
+
 - block:
 - name: Untar the ssl_certs tarball from sensuapp.org
From c78e53e5994f16191ea709920a05cb7a5b251e6d Mon Sep 17 00:00:00 2001
From: Jared Ledvina
Date: Mon, 26 Mar 2018 07:43:51 -0400
Subject: [PATCH 2/8] Tests - Install python deps for SNI only on Ubuntu 14.04

---
 tasks/ssl_generate.yml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/tasks/ssl_generate.yml b/tasks/ssl_generate.yml
index 77bc03a4..66d96860 100644
--- a/tasks/ssl_generate.yml
+++ b/tasks/ssl_generate.yml
@@ -12,16 +12,12 @@
 group: "{{ sensu_group_name }}"
 when: sensu_master
- - name: Install urllib3 to ensure we can validate the SAN cert
- package:
- name: python-urllib3
-
 - block:
 - name: Untar the ssl_certs tarball from sensuapp.org
 unarchive:
 args:
- src: http://sensuapp.org/docs/{{ sensu_ssl_tool_version }}/files/sensu_ssl_tool.tar
+ src: https://docs.sensu.io/sensu-core/{{ sensu_ssl_tool_version }}/files/sensu_ssl_tool.tar
 dest: "{{ sensu_config_path }}/ssl_generation/"
 creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool"
 copy: no
From c6d767c58c6e33db84b2ad8f0e082f4033766753 Mon Sep 17 00:00:00 2001
From: Jared Ledvina Date: Fri, 4 May 2018 09:34:08 -0400 Subject: [PATCH 3/8] Lets try this out --- tasks/.ssl_generate.yml.swp | Bin 0 -> 12288 bytes tasks/ssl_generate.yml | 4 ++-- 2 files changed, 2 insertions(+), 2 deletions(-) create mode 100644 tasks/.ssl_generate.yml.swp diff --git a/tasks/.ssl_generate.yml.swp b/tasks/.ssl_generate.yml.swp new file mode 100644 index 0000000000000000000000000000000000000000..0344050f64dc9f347c7c2ac2d98cb60a36a0915e GIT binary patch literal 12288 zcmeI2zmF6*6vut(AmN7+h1x8%GYdz9ra?kNC{a#Ibb^9r@Or#E!_ACWwr4M^x=g#jxy<+iO#wNL#6{Y{;!{d8lRA!?sA+Kw_6a8p(v>BILinVut=^PGW za8F5RhgQ|Li9~ISQK^Pb*d5H-GM%Ve8R1ksuhv|AI1u`l2oQmz2{djTT|LFFY+i0l z{lefp|K{skN88dY5g-CYfCvx)B0vO)01+Sp|4RaHy1{D1&_b|6(6BhyW2F0z`la5CI}U1l9=fc0^p3g{s|f zN6q7@s@U4JRK~5$TV-a-95N5n!FmTCCuHztXK*1 zINo|U!c4-^!J)1yQD8;QJ2aZt4C|Zic?&gVR_drl<3S z*Sh8V2@v+1=KLTX|I4lp-fQzScW#;thnbc(ZeNcJ9r~&z(%C0s=e1AG6lH9Yu|9{# zMX5p;_9As-C;B>BK98mrM&`v#b+y$KyH&%yP2&Y#j+v1tOFlNb>J~>#9%RHv=nCIS zI;e+pG@zXr-AtD=vz=JYc+T}Mdc>El4wnVz)*;Iij@(4Qxi<5#!m)^Vz&)zv`n`do z#ckosHsq3Lx>$&-p9|~SI*xcz%d*K-Iuj;TTxfYuGZ>j-)VS_Ie82mEu?yVaM+n~E rM`LY}A=6UNE8N%I>2Pyfm>u0QpYWADZhfJYJPd#3=>FDYQ53QF?iEPr literal 0 HcmV?d00001 diff --git a/tasks/ssl_generate.yml b/tasks/ssl_generate.yml index 66d96860..d03e8204 100644 --- a/tasks/ssl_generate.yml +++ b/tasks/ssl_generate.yml @@ -14,10 +14,10 @@ - block: - - name: Untar the ssl_certs tarball from sensuapp.org + - name: Untar the ssl_certs tarball from sensu.io unarchive: args: - src: https://docs.sensu.io/sensu-core/{{ sensu_ssl_tool_version }}/files/sensu_ssl_tool.tar + src: http://docs.sensu.io/sensu-core/{{ sensu_ssl_tool_version }}/files/sensu_ssl_tool.tar dest: "{{ sensu_config_path }}/ssl_generation/" creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool" copy: no From 3cf874b131ebfe877a23f83edf544d41aa1ba346 Mon Sep 17 00:00:00 2001 
From: Jared Ledvina Date: Fri, 4 May 2018 09:37:10 -0400 Subject: [PATCH 4/8] Switch directly to HTTPS --- tasks/.ssl_generate.yml.swp | Bin 12288 -> 12288 bytes tasks/ssl_generate.yml | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/.ssl_generate.yml.swp b/tasks/.ssl_generate.yml.swp index 0344050f64dc9f347c7c2ac2d98cb60a36a0915e..b8cc71f751aa698f4fe26c0ffaf7ee5b4055ff5a 100644 GIT binary patch delta 173 zcmZojXh;xCG6?hZRj|-AU;qLE28NS~Z=$?{Hj2HIXRYC6VDOpDsSusDiI;()3WyDX zSOJLTftUe^C-N{bv;wgm5WnMQV0a6}7lHTy5Kjlp2*7#OYr@i8D? r1;mqpxEhF)f!GI#KXPtnWKrgv{82L+h+{Ud)RJaqEZ%%X*M$#H3=G$S_&5-+ u2I9#;Tm!@@K|A2~NOvM6&-{-_zvm Date: Fri, 4 May 2018 09:37:21 -0400 Subject: [PATCH 5/8] Switch to 1.3 for the version of the SSL tar --- defaults/main.yml | 2 +- tasks/.ssl_generate.yml.swp | Bin 12288 -> 0 bytes 2 files changed, 1 insertion(+), 1 deletion(-) delete mode 100644 tasks/.ssl_generate.yml.swp diff --git a/defaults/main.yml b/defaults/main.yml index ebed2975..6f1879a7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -100,7 +100,7 @@ sensu_ssl_client_key: "{{ sensu_ssl_tool_base_path }}/client/key.pem" sensu_ssl_server_cacert: "{{ sensu_ssl_tool_base_path }}/sensu_ca/cacert.pem" sensu_ssl_server_cert: "{{ sensu_ssl_tool_base_path }}/server/cert.pem" sensu_ssl_server_key: "{{ sensu_ssl_tool_base_path }}/server/key.pem" -sensu_ssl_tool_version: "1.2" +sensu_ssl_tool_version: "1.3" dynamic_data_store: "{{ playbook_dir }}/data/store" static_data_store: "{{ playbook_dir}}/data/static" 
diff --git a/tasks/.ssl_generate.yml.swp b/tasks/.ssl_generate.yml.swp deleted file mode 100644 index b8cc71f751aa698f4fe26c0ffaf7ee5b4055ff5a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12288 zcmeI2zmMER6vroY0WKgwX&E-O_U1EbowGfwneiUW<)ETW zkp#j2KnW!c6%r*4qNgPwItmKDV~_W|d#8v)X+UqJudJPYe)Hxt?~V3!FT4Eyd$;-Z z_%g$Im9ZbhuOHmH`wNTzWNcoDWm)+zo;_{}qjDSF7V@Un`_UbvqpNYHrPzA+liuMJ z2KSY8c4}2)+ekFF%qlf?!tP_vR_RX#;O@z-Cwce*Xj5&@(;F^xI2}J%xUR zzJtDmzJO{dgWiCiBF3Mf@1d`t$Iu}pAs_!A*ar>Y5g-CYfCvzQEdsn75tmh| z8aLfnt9YSmwlyu4aU1hinWZu(%)@kVzUAY2x*kQ?HI1fHOr_X}@}P7@S~^wRq}$Cw zp_+vE*0r!snXt)RS(ot1;UUjgji^hR=E8~8I&Bm`I+_GCYh-T~7SzqGoTm%n3K)&s zR7>6Tovf+vU3FSlQ~36gti8>YlZ6i};#g57d=Jg81$Twwd%g#j@9ph!zZ>fbTl`GM z$duHzN?R}<2jV}c-pks1Zh@+|x7k9{Boe??wy z1bG&3gBxMy;ppH{*R^Q!KEO21Kx;tH0ry`Vi9ef;a18K6gK@v~a47GFw&UZ|7!lKp zRl*zH@qG>mhfQ;SoR0rwSI6&l`B^x(u*r0qYiZ-|{kYVjuUaCXeJ1v9huln2#uh2- zlXzBEDs*A5b2oNkD3tMmw2d&bD3_`)t^wJ-2IgHJulaJ!WTLA0%;>sb95H#45zo*S zzMu3|PbO(#J2$#rj8n6l*i3oO^#OXs$5tonf^+MT<_Sk~qTgJbRaoIn$a~@*)wqD) zLDk~A@O2xK$unIq#MMWobzLDxyliCE<|#VK4I(<_ZJd^ t_ZQMk8>Gmh(yJQxHFrAP+!ki1cg!bzBau5_s3i}>-#L1?_E;1}>~AqiNhJUP From 9f95406fdba7d4c0bb0a636ff5a936b9ddd56cb5 Mon Sep 17 00:00:00 2001 From: Jared Ledvina Date: Fri, 4 May 2018 09:56:51 -0400 Subject: [PATCH 6/8] Lets try to package the tar with the role --- files/sensu_ssl_tool.tar | Bin 0 -> 10241 bytes tasks/ssl_generate.yml | 6 ++---- 2 files changed, 2 insertions(+), 4 deletions(-) create mode 100644 files/sensu_ssl_tool.tar 
diff --git a/files/sensu_ssl_tool.tar b/files/sensu_ssl_tool.tar new file mode 100644 index 0000000000000000000000000000000000000000..42af74f4a179f6e45c77535e1fb5c258c90ff1f0 GIT binary patch literal 10241 zcmeHL>u=jO5cg;P6|C0}EilQFYuR1a3<$EU7}h00y?zP`gO+HUjb0_GG}*BKeRtHu zvMoQ7Cf$HZ2_Wi7-u>>$qZN-;Hc={^=p+eyou_ylct)PrftNe-ocbH5@aeey{$Mn6 z2e7c?xL$wQ?@;e4z^wDklxC9BPMS!~;oo1ZugJgm%{TA*&r{W^|MO3uJ!&AJgZKO2 zbDg2%d9DloA2|cB_5ZgBo^Ae5QV0wc+I~FyY8dGM;b2hD`?3z;)L=LomigazhLHb# z7m7iLI$tgM00#f_{J)|;qaW!*9un{w%R)T?4#%{t9EWluL7u|W|GJ`i^ZP|G2T=7%3c2^?4j-29{i19+;7qr zXs9rpc{f~Qbp1;TgYIXsFVY2<5tx1p)Ft^4g6W;_&Oibd zxFYQ-USvP1BsNNj8NH%bK)YoN*`*(U1c*GJM%;c-^_OM~(hA1UUes>JFU{;sAdC`x zg(SMhCf`ceu^@IRMCBP>N$Q!rGaPl2`HSU5b;U4~@C#K!9hd&JT#$G4W_BHVf!6dU z7WTi?@{@Qb=HNI$lHc&D1ve9@P*f^*WSS4lbnMu#Q!B|dcplN2I|hD(6C!$f_B+H% zHvL3G-BRZR!jZZoCVzH1b@1$%#{nn3G_$hR1vS(DP>Bb-|>B+r2D Date: Sun, 6 May 2018 10:17:24 -0400 Subject: [PATCH 7/8] Drop tarball, switch to native command modules for SSL generation --- defaults/main.yml | 1 - files/sensu_ssl_tool.tar | Bin 10241 -> 0 bytes tasks/ssl_generate.yml | 104 +++++++++++++++++++++++++++++++++++---- templates/openssl.cnf.j2 | 56 +++++++++++++++++++++ 4 files changed, 150 insertions(+), 11 deletions(-) delete mode 100644 files/sensu_ssl_tool.tar create mode 100644 templates/openssl.cnf.j2 diff --git a/defaults/main.yml b/defaults/main.yml index 6f1879a7..525a14c8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -100,7 +100,6 @@ sensu_ssl_client_key: "{{ sensu_ssl_tool_base_path }}/client/key.pem" sensu_ssl_server_cacert: "{{ sensu_ssl_tool_base_path }}/sensu_ca/cacert.pem" sensu_ssl_server_cert: "{{ sensu_ssl_tool_base_path }}/server/cert.pem" sensu_ssl_server_key: "{{ sensu_ssl_tool_base_path }}/server/key.pem" -sensu_ssl_tool_version: "1.3" dynamic_data_store: "{{ playbook_dir }}/data/store" static_data_store: "{{ playbook_dir}}/data/static" 
diff --git a/files/sensu_ssl_tool.tar b/files/sensu_ssl_tool.tar deleted file mode 100644 index 42af74f4a179f6e45c77535e1fb5c258c90ff1f0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 10241 zcmeHL>u=jO5cg;P6|C0}EilQFYuR1a3<$EU7}h00y?zP`gO+HUjb0_GG}*BKeRtHu zvMoQ7Cf$HZ2_Wi7-u>>$qZN-;Hc={^=p+eyou_ylct)PrftNe-ocbH5@aeey{$Mn6 z2e7c?xL$wQ?@;e4z^wDklxC9BPMS!~;oo1ZugJgm%{TA*&r{W^|MO3uJ!&AJgZKO2 zbDg2%d9DloA2|cB_5ZgBo^Ae5QV0wc+I~FyY8dGM;b2hD`?3z;)L=LomigazhLHb# z7m7iLI$tgM00#f_{J)|;qaW!*9un{w%R)T?4#%{t9EWluL7u|W|GJ`i^ZP|G2T=7%3c2^?4j-29{i19+;7qr zXs9rpc{f~Qbp1;TgYIXsFVY2<5tx1p)Ft^4g6W;_&Oibd zxFYQ-USvP1BsNNj8NH%bK)YoN*`*(U1c*GJM%;c-^_OM~(hA1UUes>JFU{;sAdC`x zg(SMhCf`ceu^@IRMCBP>N$Q!rGaPl2`HSU5b;U4~@C#K!9hd&JT#$G4W_BHVf!6dU z7WTi?@{@Qb=HNI$lHc&D1ve9@P*f^*WSS4lbnMu#Q!B|dcplN2I|hD(6C!$f_B+H% zHvL3G-BRZR!jZZoCVzH1b@1$%#{nn3G_$hR1vS(DP>Bb-|>B+r2D sensu_ca/serial' + args: + chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/" + creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/serial" + register: sensu_ca_new_serial - - name: Untar the sensu_ssl_tool tarball - unarchive: - src: files/sensu_ssl_tool.tar - dest: "{{ sensu_config_path }}/ssl_generation/" - creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool" + - name: Ensure sensu_ca/index.txt exists + file: + dest: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/index.txt" + state: touch + when: sensu_ca_new_serial is changed + + #TODO: The following mirrors the commands used in sensu_ssl_tool/ssl_certs.sh + # from the 1.3 version of the script. Ideally, this moves into the native openssl_* modules. 
+ # See https://docs.sensu.io/sensu-core/1.3/reference/ssl/#reference-documentation for limitations and further instructions
+ - name: Generate Sensu CA certificate
+ command: openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 1825 -out cacert.pem -outform PEM -subj /CN=SensuCA/ -nodes
+ args:
+ chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca"
+ creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/cacert.pem"
+
+ - name: Generate CA cert
+ command: openssl x509 -in cacert.pem -out cacert.cer -outform DER
+ args:
+ chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca"
+ creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/cacert.cer"
+
+ - name: Generate server keys
+ command: openssl genrsa -out key.pem 2048
+ args:
+ chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server"
+ creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server/key.pem"
+
+ - name: Generate server certificate signing request
+ command: openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=sensu/O=server/ -nodes
+ args:
+ chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server"
+ creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server/req.pem"
+
+ - name: Sign the server certificate
+ command: openssl ca -config openssl.cnf -in ../server/req.pem -out ../server/cert.pem -notext -batch -extensions server_ca_extensions
+ args:
+ chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca"
+ creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server/cert.pem"
+
+ - name: Convert server certificate and key to PKCS12 formart
+ command: openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:secret
+ args:
+ chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server"
+ creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server/keycert.p12"
+
+ - name: Generate client key
+ command: openssl genrsa -out key.pem 2048
+ args:
+ chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client"
+ creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client/key.pem"
+
+ - name: Generate client certificate signing request
+ command: openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=sensu/O=client/ -nodes
+ args:
+ chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client"
+ creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client/req.pem"
+
+ - name: Sign the client certificate
+ command: openssl ca -config openssl.cnf -in ../client/req.pem -out ../client/cert.pem -notext -batch -extensions client_ca_extensions
+ args:
+ chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca"
+ creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client/cert.pem"
- - name: Generate SSL certs
- command: "{{ __bash_path }} {{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/ssl_certs.sh generate"
+ - name: Convert client key/certificate to PKCS12 format
+ command: openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:secret
 args:
- chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool"
- creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server"
+ chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client"
+ creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client/keycert.p12"
 when: sensu_master|bool
 become: true
diff --git a/templates/openssl.cnf.j2 b/templates/openssl.cnf.j2
new file mode 100644
index 00000000..fc877d3f
--- /dev/null
+++ b/templates/openssl.cnf.j2
@@ -0,0 +1,56 @@
+{{ ansible_managed | comment }}
+# Source: http://docs.sensu.io/sensu-core/1.3/files/sensu_ssl_tool.tar
+
+[ ca ]
+default_ca = sensu_ca
+
+[ sensu_ca ]
+dir = .
+certificate = $dir/cacert.pem
+database = $dir/index.txt
+new_certs_dir = $dir/certs
+private_key = $dir/private/cakey.pem
+serial = $dir/serial
+
+default_crl_days = 7
+default_days = 1825
+default_md = sha1
+
+policy = sensu_ca_policy
+x509_extensions = certificate_extensions
+
+[ sensu_ca_policy ]
+commonName = supplied
+stateOrProvinceName = optional
+countryName = optional
+emailAddress = optional
+organizationName = optional
+organizationalUnitName = optional
+
+[ certificate_extensions ]
+basicConstraints = CA:false
+
+[ req ]
+default_bits = 2048
+default_keyfile = ./private/cakey.pem
+default_md = sha1
+prompt = yes
+distinguished_name = root_ca_distinguished_name
+x509_extensions = root_ca_extensions
+
+[ root_ca_distinguished_name ]
+commonName = sensu
+
+[ root_ca_extensions ]
+basicConstraints = CA:true
+keyUsage = keyCertSign, cRLSign
+
+[ client_ca_extensions ]
+basicConstraints = CA:false
+keyUsage = digitalSignature
+extendedKeyUsage = 1.3.6.1.5.5.7.3.2
+
+[ server_ca_extensions ]
+basicConstraints = CA:false
+keyUsage = keyEncipherment
+extendedKeyUsage = 1.3.6.1.5.5.7.3.1
From a365413164041a4eb2d128d26b07f11bbea89150 Mon Sep 17 00:00:00 2001
From: Jared Ledvina
Date: Sun, 6 May 2018 11:11:06 -0400
Subject: [PATCH 8/8] Update CHANGELOG for #151

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c65e615a..dfc69d26 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
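Review bot: `default_md = sha1` is set in both `[ sensu_ca ]` and `[ req ]`, so the CA certificate and every server and client certificate signed through this template carry SHA-1 signatures, which current OpenSSL security levels and most TLS clients reject or flag as weak; both lines should read `default_md = sha256`. In `[ server_ca_extensions ]`, `keyUsage = keyEncipherment` on its own restricts the server certificate to static RSA key transport and rules out the ECDHE suites (and TLS 1.3) that require `digitalSignature`; the customary server value is `keyUsage = digitalSignature, keyEncipherment`. Neither `[ server_ca_extensions ]` nor `[ client_ca_extensions ]` defines a `subjectAltName`, so a client that verifies hostnames via SAN has nothing to match against, which looks at odds with the SAN verification that PATCH 1/8 set out to support — a `subjectAltName` entry driven by a role variable would close that gap, though how the consuming clients verify is not visible here.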
@@ -5,7 +5,11 @@ This project adheres to [Semantic Versioning](http://semver.org/)
 The format is based on [Keep a Changelog](http://keepachangelog.com/).
 ## [Unreleased]
+### Fixed:
+- Automated SSL key & cert generation fails on systems with Python 2.6 or older (@jaredledvina)
+### Changed
+- Port over the latest ssl_tools code to more native Ansible `command` instructions for greater flexibility (@jaredledvina)
 ## [2.3.0] - 2018-05-04
 ### Fixed