[FEATURE REQUEST]: Cert update #396

Open
KManW opened this issue Mar 22, 2024 · 3 comments

KManW commented Mar 22, 2024

Summary

I'm trying to update an existing and assigned sslcertkey using the netscaler.adc.sslcertkey module, but it appears that such a feature is unavailable. I tried to use syntax like below:

- name: Create server ssl certkey
  delegate_to: localhost
  netscaler.adc.sslcertkey:
    state: present
    certkey: test-certkey
    cert: test-cert.cert
    key: test-cert.key
    passplain: "1234"

However, I can only install a new certificate. Have I missed something or is it simply not possible in the current version?
It would be nice to have such a feature because it is used quite often.

Equivalent CLI command:
update ssl certkey test-certkey -cert test-cert.certNEW.cer -key test-certNEW.key -password 1234

Issue Type

Feature Idea

Component Name

sslcertkey

Describe alternatives you've considered

No response

Additional Information


krausi24 commented Mar 25, 2024

This may be a potential bug as in module documentation it states: "When present, the resource will be added/updated configured according to the module’s parameters."
Existing Certkey Installation with name: mycert should be updatable with new cert and key file.

Reproduce:

- name: Setup ssl certkey without password
  tags: CERTKEY
  delegate_to: localhost
  netscaler.adc.sslcertkey:
    nsip: "{{ ansible_host }}"
    nitro_user: "{{ nitro_user }}"
    nitro_pass: "{{ nitro_pass }}"
    validate_certs: "{{ validate_certs }}"
    state: "{{ state }}"
    certkey: "{{ CERTKEY_name }}"
    cert: "{{ CERTKEY_servercert_name }}"
    key: "{{ CERTKEY_serverkey_name }}"
    expirymonitor: "{{ CERTKEY_expirymonitor }}"
    notificationperiod: "{{ CERTKEY_notificationperiod }}"
    inform: "{{ CERTKEY_inform }}"
    nodomaincheck: "{{ CERTKEY_nodomaincheck }}"

Vars:
state: present
CERTKEY_name: mycert
CERTKEY_servercert_name: mycert.crt
CERTKEY_serverkey_name: mycert.key
CERTKEY_expirymonitor: ENABLED
CERTKEY_notificationperiod: 30
CERTKEY_inform: PEM
CERTKEY_nodomaincheck: True

Error:
"Cannot change value for the following non-updateable attributes ['cert', 'key', 'inform']"), {}"], "msg": "Cannot change value for the following non-updateable attributes ['cert', 'key', 'inform']"}

@fa-elepape

This looks like it will require yet another special case because the NITRO API is weird about it.

The sslcertkey resource supports both UPDATE (HTTP PUT) and CHANGE (HTTP POST with action=change parameter) operations where:

  • UPDATE: can edit expirymonitor and notificationperiod
  • CHANGE: can edit cert, key, password, fipskey, inform, passplain and nodomaincheck

However, the get_valid_desired_states does not appear to recognize change operations, leading to most attributes being considered immutable and yet readwrite at the same time (from nitro_resource_map):

        "immutable_keys": [
            "bundle",
            "cert",
            "fipskey",
            "hsmkey",
            "inform",
            "key",
            "passplain",
            "password",
        ],
        "readwrite_arguments": {
            "bundle": {"choices": ["NO", "YES"], "no_log": False, "type": "str"},
            "cert": {"no_log": False, "type": "str"},
            "fipskey": {"no_log": False, "type": "str"},
            "hsmkey": {"no_log": False, "type": "str"},
            "inform": {
                "choices": ["DER", "PEM", "PFX"],
                "no_log": False,
                "type": "str",
            },
            "key": {"no_log": False, "type": "str"},
            "passplain": {"no_log": True, "type": "str"},
            "password": {"no_log": False, "type": "bool"},


KManW commented Apr 5, 2024

I was able to update the certificate using the built-in uri module to call something like this:

- name: Update the server certificate
  delegate_to: localhost
  uri:
    url: "https://{{nsip}}/nitro/v1/config/sslcertkey?action=update"
    validate_certs: no  # TLS verification of the NITRO endpoint is disabled here
    method: POST
    status_code: 200
    headers:
      Cookie: "NITRO_AUTH_TOKEN={{sessionid}}"
    body_format: json
    body:
      sslcertkey:
        certkey: "test-certkey"
        cert: "test-cert.cer"
        key: "test-cert.key"
        passplain: "1234"
        nodomaincheck: True

It seems that the only difference between adding and updating is setting the "action" to update.
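
The split between the UPDATE and CHANGE operations described in the thread, as an added example (not code from the netscaler.adc collection or from any commenter): it plans which NITRO requests a desired sslcertkey state needs and masks the no_log value before the plan is logged. Assumptions: the PUT goes to the same path as the POST without the query string, the change action value is "update" as in the working uri call above, and passplain and nodomaincheck are request-only inputs that the appliance does not report back.

```python
UPDATE_ATTRS = ("expirymonitor", "notificationperiod")            # HTTP PUT
CHANGE_ATTRS = ("cert", "key", "password", "fipskey", "inform",
                "passplain", "nodomaincheck")                      # HTTP POST ?action=...
# Assumption: sent along with a change, but never trigger one by themselves.
RIDE_ALONG = ("passplain", "nodomaincheck")
NO_LOG = ("passplain",)      # no_log: True in nitro_resource_map
PATH = "/nitro/v1/config/sslcertkey"


def plan_requests(current, desired, change_action="update"):
    """Return [(method, path, body), ...] that moves `current` to `desired`."""
    name = desired["certkey"]
    unknown = set(desired) - {"certkey"} - set(UPDATE_ATTRS) - set(CHANGE_ATTRS)
    if unknown:
        raise ValueError(f"no operation edits {sorted(unknown)}")

    def differs(attr):
        return attr in desired and current.get(attr) != desired[attr]

    plan = []
    # Any changed cert/key attribute means one CHANGE call carrying all of them.
    if any(differs(a) for a in CHANGE_ATTRS if a not in RIDE_ALONG):
        body = {a: desired[a] for a in CHANGE_ATTRS if a in desired}
        plan.append(("POST", f"{PATH}?action={change_action}",
                     {"sslcertkey": {"certkey": name, **body}}))
    changed = {a: desired[a] for a in UPDATE_ATTRS if differs(a)}
    if changed:
        plan.append(("PUT", PATH, {"sslcertkey": {"certkey": name, **changed}}))
    return plan


def redact(plan):
    """Copy of the plan that is safe to log: no_log values are masked."""
    return [(m, p, {"sslcertkey": {k: "***" if k in NO_LOG else v
                                   for k, v in b["sslcertkey"].items()}})
            for m, p, b in plan]


# Constructed sample state, reusing the names from the issue.
CURRENT = {"certkey": "test-certkey", "cert": "test-cert.cert",
           "key": "test-cert.key", "inform": "PEM",
           "expirymonitor": "ENABLED", "notificationperiod": 30}
DESIRED = {"certkey": "test-certkey", "cert": "test-cert.certNEW.cer",
           "key": "test-certNEW.key", "passplain": "1234",
           "notificationperiod": 15}

if __name__ == "__main__":
    for step in redact(plan_requests(CURRENT, DESIRED)):
        print(step)
```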
