From 27929fa58b5b83c845df759fb71ea72460cfd830 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Thu, 5 Sep 2019 23:18:49 +0000
Subject: [PATCH] basessh: Always run the keygen shell command if needed, even in check mode. Without this check mode will fail if there's not an old signed copy of the key around.
Signed-off-by: Kevin Fenzi
---
 roles/basessh/tasks/main.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/basessh/tasks/main.yml b/roles/basessh/tasks/main.yml
index 49a5aff743..7183607e9e 100644
--- a/roles/basessh/tasks/main.yml
+++ b/roles/basessh/tasks/main.yml
@@ -202,6 +202,7 @@
 shell: "ssh-keygen -s {{private}}/files/ssh/{{env}}_ca_host_key -I {{inventory_hostname}} -h -n {{ sign_hostnames|join(',') }} -V {{sign_validity}} -z `date +%s` {{pubkeydir}}/{{inventory_hostname}}{{item}}.pub"
 delegate_to: localhost
 with_items: "{{certs_to_sign}}"
+ check_mode: no
 tags:
 - basessh
 - sshd_cert
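Review bot: With `check_mode: no` on the signing task, an `ansible-playbook --check` run is no longer free of side effects: it invokes `ssh-keygen -s` with the `{{env}}_ca_host_key` CA key on localhost and issues a real host certificate with a fresh `-z` serial. The task's name and whatever limits it to the "if needed" case (a `when:` or `creates:`, presumably) lie outside the hunk, so confirm that guard is still evaluated in check mode; otherwise every dry run re-signs each item in `certs_to_sign`. I would record the intent above the line, e.g. `# runs in check mode on purpose: later tasks expect the signed cert; this still signs with the CA key`, and spell the value `check_mode: false`. Separately, the templated values in the `shell:` string are interpolated unquoted, and passing them through `| quote` would keep an unusual hostname from being parsed by the shell on the control host.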