Add a check and README note for not supporting creating a self-signed

certificate on RHEL/CentOS-7.

README.md

@@ -199,7 +199,7 @@ which is not currently supported by the system roles. To use `ca: self-sign` or
 `ca: local`, depending on your certmonger usage, see the
 [linux-system-roles.certificate documentation](https://github.com/linux-system-roles/certificate/#cas-and-providers) for details.
 
-NOTE: This does *not* work on RHEL/CentOS 7.
+NOTE: This creating a self-signed certificate is not supported on RHEL/CentOS-7.
 
 ## Example Playbooks
 The most simple example.

tasks/main.yml

@@ -84,6 +84,15 @@
     - cockpit_certificates | length > 0
     - ansible_facts['os_family'] == 'RedHat'
   block:
+    - name: Check the OS version for self-sign
+      when:
+        - (ansible_facts['distribution_version'] | int == 7 and
+           cockpit_certificates.0.ca == 'self-sign')
+      fail:
+        msg: >-
+          Creating a self-signed certificate is not supported on
+          {{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_version'] }}
+
     - name: Create certificates using the certificate role
       include_role:
         name: fedora.linux_system_roles.certificate

tests/tests_certificate_internal.yml

@@ -1,32 +1,44 @@
 ---
-- name: Install cockpit
+- name: Test the cockpit role calling the certificate role internally
   hosts: all
-  vars:
-    cockpit_packages: minimal
-    cockpit_certificates:
-      - name: cockpit_cert
-        dns: ['localhost', 'www.example.com']
-        ca: self-sign
-        group: cockpit-ws
-  roles:
-    - linux-system-roles.cockpit
-
-- name: Verify self-signed certmonger certificate created by the certificate role
-  hosts: all
-  vars:
-    cert_name: cockpit_cert
   tasks:
     - name: tests
+      vars:
+        cert_name: cockpit_cert
       block:
-        - name: Collect installed package versions
-          package_facts:
+        - name: Install cockpit using the certificate role to create a certificate
+          block:
+            - name: Install cockpit with cockpit_certificates request
+              vars:
+                cockpit_packages: minimal
+                cockpit_certificates:
+                  - name: "{{ cert_name }}"
+                    dns: ['localhost', 'www.example.com']
+                    ca: self-sign
+                    group: cockpit-ws
+              include_role:
+                name: linux-system-roles.cockpit
+          rescue:
+            - name: Check the error message
+              vars:
+                expected: >-
+                  Creating a self-signed certificate is not supported on
+                  {{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_version'] }}
+              assert:
+                that: ansible_failed_result.msg == expected
+              when:
+                - ansible_facts['os_family'] == 'RedHat'
+                - ansible_facts['distribution_version'] | int == 7
 
-        - name: Check if cockpit is new enough (at least 211) to support certmonger
-          when: ansible_facts.packages['cockpit-ws'][0].version | int >= 211
+        - name: Verify self-signed certmonger certificate created by the certificate role
+          when:
+            - ansible_facts['os_family'] == 'RedHat'
+            - ansible_facts['distribution_version'] | int > 7
           block:
-            #
+            - name: Collect installed package versions
+              package_facts:
+
             # Validate installation
-            #
             - name: test - cockpit works with TLS and expected certificate
               command:
                 cmd: curl --cacert "/etc/pki/tls/certs/{{ cert_name }}.crt" https://localhost:9090