From 9e690837bd30d489c4ebed2ebe291126fdc015d5 Mon Sep 17 00:00:00 2001
From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com>
Date: Sun, 14 Jun 2026 08:38:42 +0200
Subject: [PATCH] [PR #12238/f4339d8c backport][stable-13] java_cert: detect silent `keytool` failures by verifying import outcome (#12268)

java_cert: detect silent `keytool` failures by verifying import outcome (#12238)

* fix(java_cert): detect silent keytool failures by verifying import outcome

* test(java_cert): add integration tests for silent keytool failure detection

* changelog: add fragment for PR 12238

* dummy

---------

(cherry picked from commit f4339d8c0d48e69f709ef7ba295dffb23302ad91)
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6
---
 ...38-java-cert-keytool-failure-detection.yml | 4 +++
 plugins/modules/java_cert.py | 14 +++++++-
 .../targets/java_cert/tasks/state_change.yml | 34 +++++++++++++++++++
 3 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/12238-java-cert-keytool-failure-detection.yml

diff --git a/changelogs/fragments/12238-java-cert-keytool-failure-detection.yml b/changelogs/fragments/12238-java-cert-keytool-failure-detection.yml
new file mode 100644
index 0000000000..e989680ae6
--- /dev/null
+++ b/changelogs/fragments/12238-java-cert-keytool-failure-detection.yml
@@ -0,0 +1,4 @@
+bugfixes:
+  - "java_cert - detect silent ``keytool`` failures by verifying the import outcome after the command exits with ``rc=0``
+    (https://github.com/ansible-collections/community.general/issues/6685,
+    https://github.com/ansible-collections/community.general/pull/12238)."
diff --git a/plugins/modules/java_cert.py b/plugins/modules/java_cert.py
index 60343cf8bb..1e9f0ef75f 100644
--- a/plugins/modules/java_cert.py
+++ b/plugins/modules/java_cert.py
@@ -411,6 +411,14 @@ def import_pkcs12_path(
     if import_rc != 0 or not os.path.exists(keystore_path):
         module.fail_json(msg=import_out, rc=import_rc, cmd=import_cmd, error=import_err)
 
+    check_alias = keystore_alias or pkcs12_alias
+    if check_alias:
+        alias_exists, dummy = _check_cert_present(
+            module, executable, keystore_path, keystore_pass, check_alias, keystore_type
+        )
+        if not alias_exists:
+            module.fail_json(msg=import_out, rc=import_rc, cmd=import_cmd, error=import_err)
+
     return dict(
         changed=True, msg=import_out, rc=import_rc, cmd=import_cmd, stdout=import_out, error=import_err, diff=diff
     )
@@ -431,7 +439,11 @@ def import_cert_path(module, executable, path, keystore_path, keystore_pass, ali
     )
     diff = {"before": "\n", "after": f"{alias}\n"}
 
-    if import_rc != 0:
+    if import_rc != 0 or not os.path.exists(keystore_path):
+        module.fail_json(msg=import_out, rc=import_rc, cmd=import_cmd, error=import_err)
+
+    alias_exists, dummy = _check_cert_present(module, executable, keystore_path, keystore_pass, alias, keystore_type)
+    if not alias_exists:
         module.fail_json(msg=import_out, rc=import_rc, cmd=import_cmd, error=import_err)
 
     return dict(
diff --git a/tests/integration/targets/java_cert/tasks/state_change.yml b/tests/integration/targets/java_cert/tasks/state_change.yml
index bc2fa33a0f..1f16ac8751 100644
--- a/tests/integration/targets/java_cert/tasks/state_change.yml
+++ b/tests/integration/targets/java_cert/tasks/state_change.yml
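Review bot: When the new post-import alias check fails, `fail_json` still reports `msg=import_out` and `rc=import_rc`, and since the guard just above already calls `fail_json` for any non-zero rc, the rc reaching the user here is 0 and the message is keytool's success output, so the reported failure looks like a success; the identical block in the import_cert_path hunk below has the same problem. The second value returned by `_check_cert_present` is bound to `dummy` and discarded, and if it carries the `keytool -list` output it is probably the text that explains why the alias is absent (the helper's body is outside the hunk, so this is inferred). Something like `module.fail_json(msg=f"keytool exited with rc=0 but alias '{check_alias}' is not present in {keystore_path}", rc=import_rc, cmd=import_cmd, stdout=import_out, error=import_err)` in both places would make the condition diagnosable from the task result. In import_pkcs12_path the verification is skipped entirely when neither keystore_alias nor pkcs12_alias is set, so that case keeps the previous silent-failure behaviour and deserves a comment such as `# no alias to verify against; a silent keytool failure cannot be detected here`. import_pkcs12_path's body starts outside the hunk.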
@@ -93,6 +93,40 @@
 # Run tests
 #
 
+- name: import cert with too-short keystore password should fail
+  community.general.java_cert:
+    cert_alias: test_cert
+    cert_path: "{{ test_cert_path }}"
+    keystore_path: "{{ remote_tmp_dir }}/keystore_short_pass.jks"
+    keystore_pass: ""
+    keystore_create: true
+    state: present
+  ignore_errors: true
+  register: result_short_pass_cert
+
+- name: verify failure with too-short keystore password for cert import
+  ansible.builtin.assert:
+    that:
+      - result_short_pass_cert is failed
+
+- name: import pkcs12 with too-short keystore password should fail
+  community.general.java_cert:
+    cert_alias: test_pkcs12_cert
+    pkcs12_alias: test_pkcs12_cert
+    pkcs12_path: "{{ test_pkcs_path }}"
+    pkcs12_password: "{{ test_keystore2_password }}"
+    keystore_path: "{{ remote_tmp_dir }}/keystore_short_pass_pkcs12.jks"
+    keystore_pass: ""
+    keystore_create: true
+    state: present
+  ignore_errors: true
+  register: result_short_pass_pkcs12
+
+- name: verify failure with too-short keystore password for pkcs12 import
+  ansible.builtin.assert:
+    that:
+      - result_short_pass_pkcs12 is failed
+
 - name: try to create the test keystore based on the just created pkcs12, keystore_create flag not enabled
   community.general.java_cert:
     cert_alias: test_pkcs12_cert
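Review bot: Both new assert tasks check only `is failed`, so they would also pass if the import failed for an unrelated reason (keytool missing, cert_path unreadable, the keystore path already present) rather than through the alias verification this change introduces. Since the module's new failure path passes `rc=import_rc` to `fail_json`, the distinguishing signal is available in the registered result; adding `- result_short_pass_cert.rc == 0` (and `- result_short_pass_pkcs12.rc == 0`) next to the existing `is failed` lines would pin the silent-failure case specifically — assuming keytool does exit 0 with an empty keystore password, which is not visible here. Neither task cleans up the keystore file keytool may leave behind under remote_tmp_dir, so if later tasks in this target assert on that directory's contents they may need to account for it.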