From bb9a9aab59411dc74628a83c72ac94a03799da4b Mon Sep 17 00:00:00 2001
From: Dan Guido
Date: Wed, 6 Aug 2025 21:28:52 -0700
Subject: [PATCH] Fix StrongSwan CRL handler properly without ignoring errors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Instead of ignoring errors (anti-pattern), this fix properly handles the race condition when StrongSwan restarts:

1. After restarting StrongSwan, wait for port 500 (IKE) to be listening
   - This ensures the daemon is fully ready before proceeding
   - Waits up to 30 seconds with proper timeout handling

2. When reloading CRLs, use Ansible's retry mechanism
   - Retries up to 3 times with 2-second delays
   - Handles transient failures during startup

3. Separated rereadcrls and purgecrls into distinct tasks
   - Better error reporting and debugging
   - Cleaner task organization

This approach ensures the installation works reliably on fresh installs without hiding potential real errors.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude
---
 roles/strongswan/handlers/main.yml | 33 +++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 12 deletions(-)

diff --git a/roles/strongswan/handlers/main.yml b/roles/strongswan/handlers/main.yml
index f60a495a..21756e28 100644
--- a/roles/strongswan/handlers/main.yml
+++ b/roles/strongswan/handlers/main.yml
@@ -1,6 +1,16 @@
 ---
 - name: restart strongswan
-  service: name={{ strongswan_service }} state=restarted
+  block:
+    - name: restart strongswan service
+      service: name={{ strongswan_service }} state=restarted
+
+    - name: wait for strongswan to be ready
+      wait_for:
+        port: 500
+        host: 127.0.0.1
+        delay: 2
+        timeout: 30
+        state: started
 
 - name: daemon-reload
   systemd: daemon_reload=true
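Review bot: The readiness probe at `wait_for: port: 500` is unlikely to ever succeed, because IKE is served over UDP (500/4500) while `wait_for` with `port` polls by attempting a TCP connection; strongswan opens no TCP listener there, so this task would sit for the full 30 s and then fail the handler instead of confirming readiness (worth confirming against the daemon's actual sockets on a real host). The removed shell handler probed `ipsec statusall`, which goes through the daemon's control interface and is the signal that it is actually accepting requests, so a `command` task with `until`/`retries` reproduces that check without masking errors. A longer total window than the old 10 s is reasonable here since a failed wait now fails the play.

```yaml
    - name: wait for strongswan to be ready
      command: ipsec statusall
      register: strongswan_status
      retries: 15
      delay: 2
      until: strongswan_status.rc == 0
      changed_when: false
```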
@@ -9,14 +19,13 @@
   service: name=apparmor state=restarted
 
 - name: rereadcrls
-  shell: |
-    # Wait for ipsec daemon to be ready (up to 10 seconds)
-    for i in $(seq 1 10); do
-      if ipsec statusall >/dev/null 2>&1; then
-        ipsec rereadcrls && ipsec purgecrls
-        exit 0
-      fi
-      sleep 1
-    done
-    # If daemon still not ready, try anyway but don't fail the playbook
-    ipsec rereadcrls; ipsec purgecrls || true
+  block:
+    - name: reload certificate revocation lists
+      command: ipsec rereadcrls
+      register: rereadcrls_result
+      retries: 3
+      delay: 2
+      until: rereadcrls_result.rc == 0
+
+    - name: purge old certificate revocation lists
+      command: ipsec purgecrls
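Review bot: The purge step at `command: ipsec purgecrls` gets none of the retry settings given to the reload step above it, so the same startup race this commit addresses can still fail the handler one task later if the control interface is briefly unavailable between the two calls; mirroring `register`, `retries: 3` and `until: purgecrls_result.rc == 0` on it (or documenting why only the first call is retried) would make the two tasks consistent. Because this handler reloads the CRLs that list revoked client certificates, a comment above `block:` would explain why the old `|| true` was dropped: `# A failed CRL reload leaves revoked client certificates accepted until the next restart; errors here must surface.` The `until: rereadcrls_result.rc == 0` condition is redundant with `command` already failing on a non-zero rc, but it is harmless and makes the intent explicit. The `rereadcrls` handler is complete within this hunk; the preceding apparmor handler starts outside it.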