Use openssl to generate better quality p12_export_password

We're already doing it this way for CA_password, and ansible's to_uuid is problematic as it uses uuid v5 under the hood (#654)
2025-09-03 10:33:13 +02:00 · 2017-08-27 17:12:12 +10:00 · 2017-08-27 17:12:12 +10:00 · 3fffe281e3
commit 3fffe281e3
parent 8da53f859b
1 changed files with 9 additions and 1 deletions
--- a/playbooks/facts/main.yml
+++ b/playbooks/facts/main.yml
@ -27,9 +27,17 @@
  become: no
  register: CA_password

+- name: Generate p12 export password
+  local_action:
+    module: shell
+      openssl rand -hex 4
+  become: no
+  register: p12_export_password_generated
+  when: p12_export_password is not defined
+
 - name: Define password facts
  set_fact:
-    easyrsa_p12_export_password: "{{ p12_export_password|default((ansible_date_time.iso8601_basic|sha1|to_uuid).split('-')[0]) }}"
+    easyrsa_p12_export_password: "{{ p12_export_password|default(p12_export_password_generated.stdout) }}"
    easyrsa_CA_password: "{{ CA_password.stdout }}"

 - name: Define the commonName