Work around issues with easy-rsa (#1016759 in Debian).

ansible/roles/ssl-init-ca/tasks/main.yml

@@ -31,24 +31,33 @@
 - name: Create skel for {{ssl_ca_name}} CA
   command: make-cadir {{ssl_ca_name}}
   args:
-    creates: "{{ssl_ca_defaults}}"
+    creates: "{{ssl_ca_dir}}/{{ssl_ca_name}}"
     chdir: "{{ssl_ca_dir}}"
 
+# Workaround for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016759
+# After that bug has been closed we should check which one is the right file to
+# use and edit that.
+- name: Remove var file
+  file:
+    path: "{{ssl_ca_defaults}}"
+    state: absent
+
+- name: Initialize directories for {{ssl_ca_name}} CA
+  command: ./easyrsa init-pki
+  args:
+    creates: "{{ssl_ca_path}}/pki"
+    chdir: "{{ssl_ca_path}}"
+
 - name: Setup default values for certificates
   blockinfile:
-    dest: "{{ssl_ca_defaults}}"
+    #dest: "{{ssl_ca_defaults}}"
+    dest: "{{ssl_ca_path}}/pki/vars"
     block: |
       {% for var in easy_rsa_vars %}
       set_var	EASYRSA_{{var}}	"{{easy_rsa_vars[var]}}"
       {% endfor %}
   register: results
 
-- name: Initialize directories for {{ssl_ca_name}} CA
-  command: ./easyrsa init-pki
-  args:
-    creates: "{{ssl_ca_path}}/pki"
-    chdir: "{{ssl_ca_path}}"
-
 - name: Create {{ssl_ca_name}} CA files
   command: ./easyrsa build-ca nopass
   args:

debian/changelog

@@ -13,6 +13,7 @@ fuss-server (12.0.0) UNRELEASED; urgency=medium
   * Temporarily changed the algorithm for dnssec-keygen to RSASHA512.
   * Temporarily disable squid-deb-proxy (not in testing).
   * Updated configuration for ntp to apply to ntpsec.
+  * Work around issues with easy-rsa (#1016759 in Debian).
 
  -- Elena Grandi <elena@truelite.it>  Wed, 26 Oct 2022 10:20:35 +0200