openssl_certificate: fix idempotency (#60745)

* Fix openssl_certificate idempotency.

* Add changelog.

* Add integration test.

4 files changed, 27 insertions, 1 deletions

diff --git a/changelogs/fragments/60745-openssl_certificate-idempotency.yml b/changelogs/fragments/60745-openssl_certificate-idempotency.yml
new file mode 100644
index 0000000000..35766efedd
--- /dev/null
+++ b/changelogs/fragments/60745-openssl_certificate-idempotency.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- "openssl_certificate - if both private key and CSR were specified, the idempotency check for ``selfsigned`` and ``ownca`` providers ignored the CSR."
diff --git a/lib/ansible/modules/crypto/openssl_certificate.py b/lib/ansible/modules/crypto/openssl_certificate.py
index a16ab4db2c..b2499aadd7 100644
--- a/lib/ansible/modules/crypto/openssl_certificate.py
+++ b/lib/ansible/modules/crypto/openssl_certificate.py
@@ -958,7 +958,8 @@ class Certificate(crypto_utils.OpenSSLObject):
                 )
             except crypto_utils.OpenSSLBadPassphraseError as exc:
                 raise CertificateError(exc)
-            return self._validate_privatekey()
+            if not self._validate_privatekey():
+                return False
 
         if self.csr_path:
             self.csr = crypto_utils.load_certificate_request(self.csr_path, backend=self.backend)
diff --git a/test/integration/targets/openssl_certificate/tasks/selfsigned.yml b/test/integration/targets/openssl_certificate/tasks/selfsigned.yml
index 0dbe4c4fb0..8e145197c7 100644
--- a/test/integration/targets/openssl_certificate/tasks/selfsigned.yml
+++ b/test/integration/targets/openssl_certificate/tasks/selfsigned.yml
@@ -17,6 +17,13 @@
     subject:
       commonName: www.example.com
 
+- name: (Selfsigned, {{select_crypto_backend}}) Generate CSR
+  openssl_csr:
+    path: '{{ output_dir }}/csr_minimal_change.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: www.example.org
+
 - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate
   openssl_certificate:
     path: '{{ output_dir }}/cert.pem'
@@ -47,6 +54,17 @@
     select_crypto_backend: '{{ select_crypto_backend }}'
   check_mode: yes
 
+- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (check mode, other CSR)
+  openssl_certificate:
+    path: '{{ output_dir }}/cert.pem'
+    csr_path: '{{ output_dir }}/csr_minimal_change.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    provider: selfsigned
+    selfsigned_digest: sha256
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  check_mode: yes
+  register: selfsigned_certificate_csr_minimal_change
+
 - name: (Selfsigned, {{select_crypto_backend}}) Check selfsigned certificate
   openssl_certificate:
     path: '{{ output_dir }}/cert.pem'
diff --git a/test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml b/test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml
index a357f7f816..1c24effa11 100644
--- a/test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml
+++ b/test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml
@@ -30,6 +30,11 @@
       - selfsigned_certificate.notBefore == selfsigned_certificate_idempotence.notBefore
       - selfsigned_certificate.notAfter == selfsigned_certificate_idempotence.notAfter
 
+- name: Make sure that changes in CSR are detected even if private key is specified
+  assert:
+    that:
+      - selfsigned_certificate_csr_minimal_change is changed
+
 - block:
   - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate v2 (test - certificate version == 2)
     shell: 'openssl x509 -noout  -in {{ output_dir}}/cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'