ansible-collections / community.crypto


The community.crypto collection for Ansible.

Home Page: https://galaxy.ansible.com/ui/repo/published/community/crypto/

License: Other


community.crypto's Introduction

Ansible Community Crypto Collection

Provides modules for Ansible for various cryptographic operations.

You can find documentation for this collection on the Ansible docs site.

Please note that this collection does not support Windows targets.

Tested with Ansible

Tested with the current Ansible 2.9, ansible-base 2.10, ansible-core 2.11, ansible-core 2.12, ansible-core 2.13, ansible-core 2.14, ansible-core 2.15, ansible-core 2.16, and ansible-core 2.17 releases and the current development version of ansible-core. Ansible versions before 2.9.10 are not supported.

External requirements

The exact requirements for every module are listed in the module documentation.

Most modules require a recent enough version of the Python cryptography library. See the module documentation for the minimal version supported by each module.

Collection Documentation

Browsing the latest collection documentation will show docs for the latest version released in the Ansible package, not the latest version of the collection released on Galaxy.

Browsing the devel collection documentation shows docs for the latest version released on Galaxy.

We also separately publish latest commit collection documentation which shows docs for the latest commit in the main branch.

If you use the Ansible package and do not update collections independently, use latest. If you install or update this collection directly from Galaxy, use devel. If you are looking to contribute, use latest commit.

Included content

  • OpenSSL / PKI modules and plugins:
    • certificate_complete_chain module
    • openssl_csr_info module and filter
    • openssl_csr_pipe module
    • openssl_csr module
    • openssl_dhparam module
    • openssl_pkcs12 module
    • openssl_privatekey_convert module
    • openssl_privatekey_info module and filter
    • openssl_privatekey_pipe module
    • openssl_privatekey module
    • openssl_publickey_info module and filter
    • openssl_publickey module
    • openssl_signature_info module
    • openssl_signature module
    • split_pem filter
    • x509_certificate_convert module
    • x509_certificate_info module and filter
    • x509_certificate_pipe module
    • x509_certificate module
    • x509_crl_info module and filter
    • x509_crl module
  • OpenSSH modules and plugins:
    • openssh_cert module
    • openssh_keypair module
  • ACME modules and plugins:
    • acme_account_info module
    • acme_account module
    • acme_ari_info module
    • acme_certificate module
    • acme_certificate_deactivate_authz module
    • acme_certificate_revoke module
    • acme_challenge_cert_helper module
    • acme_inspect module
  • ECS modules and plugins:
    • ecs_certificate module
    • ecs_domain module
  • GnuPG modules and plugins:
    • gpg_fingerprint lookup and filter
  • Miscellaneous modules and plugins:
    • crypto_info module
    • get_certificate module
    • luks_device module
    • parse_serial and to_serial filters

You can also find a list of all modules and plugins with documentation on the Ansible docs site, or the latest commit collection documentation.

Using this collection

Before using the community.crypto collection, you need to install it with the ansible-galaxy CLI:

ansible-galaxy collection install community.crypto

You can also include it in a requirements.yml file and install it via ansible-galaxy collection install -r requirements.yml using the format:

collections:
- name: community.crypto

See Ansible Using collections for more details.

Contributing to this collection

We're following the general Ansible contributor guidelines; see Ansible Community Guide.

If you want to clone this repository (or a fork of it) to improve it, you can proceed as follows:

  1. Create a directory ansible_collections/community;
  2. In there, check out this repository (or a fork) as crypto;
  3. Add the directory containing ansible_collections to your ANSIBLE_COLLECTIONS_PATH.

See Ansible's dev guide for more information.

Release notes

See the changelog.

Roadmap

We plan to regularly release minor and patch versions, whenever new features are added or bugs fixed. Our collection follows semantic versioning, so breaking changes will only happen in major releases.

Most modules will drop PyOpenSSL support in version 2.0.0 of the collection, i.e. in the next major version. We currently plan to release 2.0.0 sometime during 2021. Around then, the supported versions of the most common distributions will contain a new enough version of cryptography.

Once 2.0.0 has been released, bugfixes will still be backported to 1.0.0 for some time, and some features might also be backported. If we do not want to backport something ourselves because we think it is not worth the effort, backport PRs by non-maintainers are usually accepted.

In 2.0.0, the following notable features will be removed:

  • PyOpenSSL backends of all modules, except openssl_pkcs12, which does not have a cryptography backend because cryptography lacks PKCS#12 support.
  • The assertonly provider of x509_certificate will be removed.

More information

Licensing

This collection is primarily licensed and distributed as a whole under the GNU General Public License v3.0 or later.

See LICENSES/GPL-3.0-or-later.txt for the full text.

Parts of the collection are licensed under the Apache 2.0 license (plugins/module_utils/crypto/_obj2txt.py and plugins/module_utils/crypto/_objects_data.py), the BSD 2-Clause license (plugins/module_utils/ecs/api.py), the BSD 3-Clause license (plugins/module_utils/crypto/_obj2txt.py, tests/integration/targets/prepare_jinja2_compat/filter_plugins/jinja_compatibility.py), and the PSF 2.0 license (plugins/module_utils/_version.py). This only applies to vendored files in plugins/module_utils/ and to the ECS module utils.

Almost all files have a machine-readable SPDX-License-Identifier: comment denoting their respective license(s), or an equivalent entry in an accompanying .license file. Only changelog fragments (which will not be part of a release) are covered by a blanket statement in .reuse/dep5. Right now a few vendored PEM files also lack licensing information. This conforms to the REUSE specification except for the aforementioned PEM files.

community.crypto's Issues

x509_certificate_info error in ansible 2.9.11 <ObjectIdentifier(oid=2.5.29.32, name=certificatePolicies)> extension is invalid and can't be parsed

SUMMARY

When verifying all the files in /etc/ssl/certs I got this error:

  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_gna4u96f/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 881, in <module>
  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_gna4u96f/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 874, in main
  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_gna4u96f/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 488, in get_info
  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_gna4u96f/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 560, in _get_key_usage
  File "/usr/local/lib64/python3.6/site-packages/cryptography/utils.py", line 170, in inner
    result = func(instance)
  File "/usr/local/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/x509.py", line 127, in extensions
    self._backend, self._x509
  File "/usr/local/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/decode_asn1.py", line 249, in parse
    "parsed".format(oid)
ValueError: The <ObjectIdentifier(oid=2.5.29.32, name=certificatePolicies)> extension is invalid and can't be parsed
ISSUE TYPE
  • Bug Report
COMPONENT NAME

x509_certificate_info

ANSIBLE VERSION
+ ansible --version
ansible 2.9.11
  config file = /X/ansible-sik/ansible.cfg
  configured module search path = [u'/home/X/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /X/lib/python2.7/site-packages/ansible
  executable location = /X/bin/ansible
  python version = 2.7.5 (default, Dec  3 2013, 08:35:16) [GCC 4.4.6 20120305 (Red Hat 4.4.6-4)]
CONFIGURATION

+ ansible-config dump --only-changed
ANSIBLE_FORCE_COLOR(env: ANSIBLE_FORCE_COLOR) = True
ANSIBLE_SSH_ARGS(/X/ansible.cfg) = -o ControlMaster=no -o UserKnownHostsFile=/dev/null
ANSIBLE_SSH_CONTROL_PATH(/X/ansible.cfg) = %(directory)s/%%h-%%r
CACHE_PLUGIN(/X/ansible.cfg) = jsonfile
CACHE_PLUGIN_CONNECTION(/X/ansible.cfg) = ./tmp/.ansible_fact_cache
CACHE_PLUGIN_TIMEOUT(/X/ansible.cfg) = 7200
DEFAULT_CALLBACK_WHITELIST(/X/ansible.cfg) = [u'profile_tasks']
DEFAULT_FILTER_PLUGIN_PATH(/X/ansible.cfg) = [u'/X/library/filters']
DEFAULT_FORKS(/X/ansible.cfg) = 25
DEFAULT_GATHERING(/X/ansible.cfg) = smart
DEFAULT_GATHER_TIMEOUT(/X/ansible.cfg) = 30
DEFAULT_LOCAL_TMP(env: ANSIBLE_LOCAL_TEMP) = /X/tmp/ansible/ansible-local-24783uQEOb_
DEFAULT_LOOKUP_PLUGIN_PATH(/X/ansible.cfg) = [u'/X/library/lookup']
DEFAULT_POLL_INTERVAL(/X/ansible.cfg) = 5
DEFAULT_ROLES_PATH(/X/ansible.cfg) = [u'/X/roles', u'/X/galaxy_roles']
DEFAULT_STDOUT_CALLBACK(/X/ansible.cfg) = debug
DEFAULT_STRATEGY(/X/ansible.cfg) = linear
DEFAULT_STRATEGY_PLUGIN_PATH(/X/ansible.cfg) = [u'/X/library/mitogen-0.2.9/ansible_mitogen/plugins/strategy']
DEFAULT_TIMEOUT(/X/ansible.cfg) = 15
HOST_KEY_CHECKING(env: ANSIBLE_HOST_KEY_CHECKING) = False
OS / ENVIRONMENT

Red Hat 7.3 python2

STEPS TO REPRODUCE
- name: Find cert files under /etc/ssl/certs
  find:
    paths: /etc/ssl/certs
    file_type: file
    patterns: "*.crt,*.pem,*.cer"
    recurse: yes
    exclude: "*crl*"
  register: find_result

- name: Check validity
  community.crypto.x509_certificate_info:
    path: "{{ item.path }}"
    valid_at:
      point_1: "+1w"
      point_2: "+10w"
  register: cert_info
  loop: "{{ find_result.files }}"

- name: Filter out valid certs
  set_fact:
    outdated_certs: "{{ cert_info | json_query('results[? !(valid_at.point_1) || !(valid_at.point_2)]') }}"

- block:
    - name: Check that all certificates are valid
      assert:
        that:
          - outdated_certs | count == 0

  rescue:
    - name: Show info about outdated certs
      debug:
        msg: >-
          {{ { "Outdated Certs": outdated_certs | json_query("[].item.path") } }}

    - fail:
        msg: "Outdated certs found. See list above"
EXPECTED RESULTS

Verify certificate

ACTUAL RESULTS

It happens on 2 files:
/etc/ssl/certs/multisite_XXX.cer and ca_multisite_chain_complete.pem

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: The <ObjectIdentifier(oid=2.5.29.32, name=certificatePolicies)> extension is invalid and can't be parsed
failed: [XXXXXX] (item={u'rusr': True, u'uid': 0, u'rgrp': True, u'xoth': False, u'islnk': False, u'woth': False, u'nlink': 1, u'issock': False, u'mtime': 1558689976.840408, u'gr_name': u'root', u'path': u'/etc/ssl/certs/ca_multisite_chaine_complete.pem', u'xusr': False, u'atime': 1595420107.449019, u'inode': 7210673, u'isgid': False, u'size': 13966, u'isdir': False, u'ctime': 1558690057.8965392, u'roth': True, u'wgrp': False, u'xgrp': False, u'isuid': False, u'dev': 64768, u'isblk': False, u'isreg': True, u'isfifo': False, u'mode': u'0644', u'pw_name': u'root', u'gid': 0, u'ischr': False, u'wusr': True}) => {
    "ansible_loop_var": "item", 
    "changed": false, 
    "item": {
        "atime": 1595420107.449019, 
        "ctime": 1558690057.8965392, 
        "dev": 64768, 
        "gid": 0, 
        "gr_name": "root", 
        "inode": 7210673, 
        "isblk": false, 
        "ischr": false, 
        "isdir": false, 
        "isfifo": false, 
        "isgid": false, 
        "islnk": false, 
        "isreg": true, 
        "issock": false, 
        "isuid": false, 
        "mode": "0644", 
        "mtime": 1558689976.840408, 
        "nlink": 1, 
        "path": "/etc/ssl/certs/ca_multisite_chain_complete.pem", 
        "pw_name": "root", 
        "rgrp": true, 
        "roth": true, 
        "rusr": true, 
        "size": 13966, 
        "uid": 0, 
        "wgrp": false, 
        "woth": false, 
        "wusr": true, 
        "xgrp": false, 
        "xoth": false, 
        "xusr": false
    }, 
    "rc": 1
}

MSG:

MODULE FAILURE
See stdout/stderr for the exact error


MODULE_STDOUT:

Traceback (most recent call last):
  File "/tmp/ansible-tmp-1595432655.5-24980-6466534372655/AnsiballZ_x509_certificate_info.py", line 102, in <module>
    _ansiballz_main()
  File "/tmp/ansible-tmp-1595432655.5-24980-6466534372655/AnsiballZ_x509_certificate_info.py", line 94, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/tmp/ansible-tmp-1595432655.5-24980-6466534372655/AnsiballZ_x509_certificate_info.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible_collections.community.crypto.plugins.modules.x509_certificate_info', init_globals=None, run_name='__main__', alter_sys=True)
  File "/usr/lib64/python3.6/runpy.py", line 205, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib64/python3.6/runpy.py", line 96, in _run_module_code
    mod_name, mod_spec, pkg_name, script_name)
  File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_6sv72yl8/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 881, in <module>
  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_6sv72yl8/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 874, in main
  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_6sv72yl8/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 488, in get_info
  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_6sv72yl8/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 560, in _get_key_usage
  File "/usr/local/lib64/python3.6/site-packages/cryptography/utils.py", line 170, in inner
    result = func(instance)
  File "/usr/local/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/x509.py", line 127, in extensions
    self._backend, self._x509
  File "/usr/local/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/decode_asn1.py", line 249, in parse
    "parsed".format(oid)
ValueError: The <ObjectIdentifier(oid=2.5.29.32, name=certificatePolicies)> extension is invalid and can't be parsed

MODULE_STDERR:

Warning: Permanently added 'XXXXXX,XXXXXX' (RSA) to the list of known hosts.

Connection to XXXXXX closed.

Directory structure / module naming

SUMMARY

In ansible/ansible, the crypto modules were organized in a directory structure. Most modules were in the root, but the ACME and ECS modules were in subdirectories.

In collections, this is no longer the case (except for community.general, which uses a technique called flatmapping which isn't fully supported yet, hence "some" symlinks). Right now, our modules are all in one directory, plugins/modules/.

Having subdirectories means that the fully qualified collection names (FQCNs) get longer. For example, if we would have the same subdirectories as in ansible/ansible, the acme_certificate module would have to be accessed via community.crypto.acme.acme_certificate, instead of the current community.crypto.acme_certificate. But at the same time, we could also adjust the module names, like rename acme_certificate to certificate. Then the FQCN would be community.crypto.acme.certificate. (We'd have to adjust Ansible's routing.yml afterwards so that playbooks which worked with Ansible 2.9 continue to work with Ansible 2.10 ACD.)

Also we could use this chance to move x509_* into a subdirectory x509/, and also move openssl_certificate into there (so we'd have community.crypto.x509.certificate instead of community.crypto.openssl_certificate).

Doing these renames opens up some potential pitfalls though (what mostly comes to my mind is docs generation):

  1. Multiple modules will be called certificate (acme.certificate, ecs.certificate, and maybe also x509.certificate). That shouldn't be a problem in itself, but might confuse docs generation.
  2. More on docs generation: when linking to other module docs with M(...), this might not work well when subdirectories are involved.

Any opinions on directory structure, renames, and potential problems (the potential docs problems as well as other potential problems)?

I'd say it's best to decide on this soon, so we can rename everything (and adjust Ansible's routing.yml) before the first proper release of this collection, and before Ansible 2.10 is released.

CC @ctrufan @MarkusTeufelberger @puiterwijk @Shaps @Spredzy @Xyon, and also @gundalow @abadger

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

x509_certificate without csr_path

SUMMARY

An explicit csr_path shouldn't be required when generating an openssl certificate. A valid command to generate a certificate is openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365, which doesn't require a csr file.

ansible/ansible#68736 was closed saying to post here.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

openssl_certificate

Lack of documentation in new recommended way of generating openssl certificates

From @alexcernat on Jun 20, 2020 10:23

SUMMARY

I am using this code to generate self signed certificates:

- name: Verify SSL certificate
  openssl_certificate:
    provider: assertonly
    path: "{{ path_to_crt }}"
    state: present
    issuer:
      CN: "common name"
      O: "organization"
    subject:
      CN: "{{ ansible_fqdn }}"
    valid_in: "2592000" # 30 days
  delegate_to: localhost
  ignore_errors: True
  register: verify_cert

- name: Generate SSL certificate
  my_ownca_generate:
    common_name: "{{ ansible_fqdn }}"
    key_path: "{{ path_to_key }}"
    cert_path: "{{ path_to_crt }}"
  delegate_to: localhost
  when: verify_cert.failed

First step is checking the actual certificate, and if it doesn't exist or is not valid (CA checks, CN checks, validity etc.), then the certificate is generated in step 2. The fact that I am using my own module to generate the certificate is irrelevant, the fact is that I need to run step 2 (generation) only if step 1 (checking) fails (or maybe if you have a better approach ...?)

From ansible 2.9 using openssl_certificate to check the validity of a certificate is deprecated (and set to be removed in 2.13 IIRC), the documentation suggests that I should use openssl_certificate_info to check different certificate parameters, but only an "assert" method is presented in the docs.

How can I translate that "when: verify_cert.failed" from step 2 in order to work with the new openssl_certificate_info module? I think that such an example should be provided in the docs.

Also, as a feature request, I believe that a "serial" parameter should be included in the ownca module, or at least increase somehow the "randomness" of that serial number. Last time I checked the code, IIRC the serial was between 1 and 65535, which is not quite so "random".

ISSUE TYPE
  • Documentation Report
COMPONENT NAME
ANSIBLE VERSION
ansible 2.9.9
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.16 (default, Oct 10 2019, 22:02:15) [GCC 8.3.0]
CONFIGURATION

OS / ENVIRONMENT
ADDITIONAL INFORMATION

Copied from original issue: ansible/ansible#70193

get_certificate module is not using SNI resulting in certs coming back as invalid

SUMMARY

When using get_certificate, the client does not provide an SNI, causing some certs to come back as invalid. One example of this is from AppSpot (testsafebrowsing.appspot.com).

ISSUE TYPE
  • Bug Report
COMPONENT NAME

get_certificate

ANSIBLE VERSION
ansible-playbook 2.9.7
  config file = None
  configured module search path = ['/Users/calcheu/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.7/site-packages/ansible
  executable location = /usr/local/bin/ansible-playbook
  python version = 3.7.5 (default, Nov  1 2019, 02:16:32) [Clang 11.0.0 (clang-1100.0.33.8)]
CONFIGURATION

OS / ENVIRONMENT

MacOS X Mojave

STEPS TO REPRODUCE
  - name: "Fetch Cert from URL"
    get_certificate:
      host: "testsafebrowsing.appspot.com"
      port: 443
EXPECTED RESULTS

Certificate string returned by get_certificate is valid

ACTUAL RESULTS
Connection is rejected by AppSpot. Certificate has CN of "invalid".

Release Planning Announcements

This continues #74. For policy discussion, see that issue. This issue is announce only, without discussions.

The next release will be 1.3.0 (tracked in #126).

other_certificates is not pulling all certs in file

Here is my ansible cfg

- name: Generate PFX file
  become: yes
  become_user: "{{ app_user }}"
  community.crypto.openssl_pkcs12:
    action: export
    path: "{{ sslpath }}/{{ fqdn_v }}/{{ fqdn_v }}.pfx"
    friendly_name: "{{ fqdn_v }}"
    privatekey_path: "{{ sslpath }}/{{ fqdn_v }}/{{ fqdn_v }}.key"
    certificate_path: "{{ sslpath }}/{{ fqdn_v }}/{{ fqdn_v }}.crt"
    other_certificates: "{{ sslpath }}/{{ fqdn_v }}/{{ InCommon_crt }}"
    passphrase: "{{ pfx_pass }}"
    state: present
    mode: "0644"

the "InCommon_crt" contains the whole chain, but when it goes and reads the .crt it only pulls the first certificate entry it finds:

There are 3 sets of certs in the InCommon.crt file.

All begin and end with:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
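
Pulling every certificate out of a bundle like the InCommon chain, rather than only the first, comes down to iterating over all BEGIN/END CERTIFICATE blocks and refusing to silently drop a damaged one. The following is an added Python example, not the collection's code (the collection ships its own split_pem filter for this); the bundle it parses is constructed from placeholder payloads, not real certificates.

```python
import base64
import binascii
import re

# One PEM block: header, body, and a footer whose label matches the header.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def pem_block(label, der):
    """Encode DER bytes as a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def split_pem(bundle, label="CERTIFICATE"):
    """Return every PEM block with the given label, in file order, as a list of
    (pem_text, der_bytes) tuples.

    Text outside the markers (e.g. the 'Subject:' dumps openssl prints before
    each block) is ignored, blocks with another label are skipped, and a block
    whose body is not valid base64 raises ValueError naming its position rather
    than being dropped, so a truncated chain is noticed instead of shipped.
    """
    found = []
    for position, match in enumerate(_PEM_BLOCK.finditer(bundle), start=1):
        if match.group(1) != label:
            continue
        body = "".join(match.group(2).split())  # drop line breaks and stray spaces
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError("PEM block %d (%s) has an invalid base64 body: %s"
                             % (position, match.group(1), exc))
        found.append((match.group(0) + "\n", der))
    return found


def count_certificates(bundle):
    """Number of CERTIFICATE blocks in a bundle; the behaviour reported above
    corresponds to this always being treated as 1."""
    return len(split_pem(bundle))


# Constructed sample: a three-entry chain (leaf, intermediate, root) with the
# kind of textual dumps that often sit between blocks in a bundle file. The
# payloads are placeholders, not real DER certificates.
CHAIN_PAYLOADS = [b"leaf placeholder", b"intermediate placeholder", b"root placeholder"]
SAMPLE_BUNDLE = (
    "Subject: CN=leaf.example\n"
    + pem_block("CERTIFICATE", CHAIN_PAYLOADS[0])
    + "Subject: CN=intermediate CA\n"
    + pem_block("CERTIFICATE", CHAIN_PAYLOADS[1])
    + pem_block("CERTIFICATE", CHAIN_PAYLOADS[2])
)

if __name__ == "__main__":
    for index, (text, der) in enumerate(split_pem(SAMPLE_BUNDLE), start=1):
        print("certificate %d: %d DER bytes" % (index, len(der)))
        print(text, end="")
```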

openssl_csr extendedKeyUsage should support custom oid

SUMMARY

The openssl_csr module should support custom OIDs for extendedKeyUsage, example:

      openssl_csr:
        ...
        # 1.3.6.1.5.5.8.2.2 = iKEIntermediate, see http://oid-info.com/get/1.3.6.1.5.5.8.2.2
        extended_key_usage:
          - serverAuth
          - "1.3.6.1.5.5.8.2.2"
        ...

Applying this file currently returns:

  File "/tmp/ansible_openssl_csr_payload_5sf35e3e/ansible_openssl_csr_payload.zip/ansible/modules/crypto/openssl_csr.py", line 1088, in main
  File "/tmp/ansible_openssl_csr_payload_5sf35e3e/ansible_openssl_csr_payload.zip/ansible/modules/crypto/openssl_csr.py", line 541, in generate
  File "/tmp/ansible_openssl_csr_payload_5sf35e3e/ansible_openssl_csr_payload.zip/ansible/modules/crypto/openssl_csr.py", line 783, in _generate_csr
  File "/tmp/ansible_openssl_csr_payload_5sf35e3e/ansible_openssl_csr_payload.zip/ansible/modules/crypto/openssl_csr.py", line 783, in <listcomp>
  File "/tmp/ansible_openssl_csr_payload_5sf35e3e/ansible_openssl_csr_payload.zip/ansible/module_utils/crypto.py", line 1753, in cryptography_name_to_oid
    raise OpenSSLObjectError('Cannot find OID for "{0}"'.format(name))
ISSUE TYPE
  • Feature Idea
COMPONENT NAME

openssl_csr

ADDITIONAL INFORMATION

The cryptography_name_to_oid should probably determine if the name passed in is already an oid, and return the input if it was not found in the lookup table. There is also the inverse function which should simply return the oid if no name is found.

(this issue is migrated from ansible/ansible#69232)
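
The behaviour suggested here, resolving a name when it is known and passing a syntactically valid dotted OID through unchanged, looks like the following. This is an added Python example with its own small EKU table and its own function names, not the collection's cryptography_name_to_oid.

```python
import re

# Well-known Extended Key Usage purposes (RFC 5280, section 4.2.1.12) and their
# dotted OIDs. A small constructed table for this example; the collection's
# cryptography_name_to_oid keeps its own, larger mapping.
EKU_NAME_TO_OID = {
    "serverAuth": "1.3.6.1.5.5.7.3.1",
    "clientAuth": "1.3.6.1.5.5.7.3.2",
    "codeSigning": "1.3.6.1.5.5.7.3.3",
    "emailProtection": "1.3.6.1.5.5.7.3.4",
    "timeStamping": "1.3.6.1.5.5.7.3.8",
    "OCSPSigning": "1.3.6.1.5.5.7.3.9",
}
EKU_OID_TO_NAME = {oid: name for name, oid in EKU_NAME_TO_OID.items()}

# Two or more decimal arcs separated by dots, no leading zeros.
_DOTTED = re.compile(r"^(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+$")


def is_dotted_oid(value):
    """True if value is a well-formed dotted-decimal OID: at least two arcs,
    no leading zeros, first arc 0, 1 or 2, and second arc below 40 when the
    first arc is 0 or 1 (the X.660 encoding constraint)."""
    if not _DOTTED.match(value):
        return False
    first, second = (int(arc) for arc in value.split(".")[:2])
    if first > 2:
        return False
    return first == 2 or second < 40


def name_to_oid(name):
    """Resolve an EKU name to its OID, pass a dotted OID such as the
    iKEIntermediate OID 1.3.6.1.5.5.8.2.2 through unchanged, and reject
    anything else with the same message text the traceback above shows."""
    if name in EKU_NAME_TO_OID:
        return EKU_NAME_TO_OID[name]
    if is_dotted_oid(name):
        return name
    raise ValueError('Cannot find OID for "%s"' % name)


def oid_to_name(oid):
    """Inverse mapping: the well-known name if there is one, else the OID."""
    return EKU_OID_TO_NAME.get(oid, oid)


def normalize_extended_key_usage(values):
    """Turn a playbook list mixing names and OIDs into unique dotted OIDs,
    preserving order, so a name and its OID are not emitted twice."""
    result = []
    for value in values:
        oid = name_to_oid(value)
        if oid not in result:
            result.append(oid)
    return result


if __name__ == "__main__":
    # The extended_key_usage list from the issue above.
    print(normalize_extended_key_usage(["serverAuth", "1.3.6.1.5.5.8.2.2"]))
```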

Problem with acme_certificate and pending authorizations

SUMMARY

acme_certificate returns wrong challenge_data when there are pending authorizations.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

acme_certificate

ANSIBLE VERSION
ansible 2.9.7
  config file = /usr/local/etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/local/share/py37-ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.7/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.7.7 (default, Mar 21 2020, 01:20:51) [Clang 8.0.1 (tags/RELEASE_801/final 366581)]
CONFIGURATION
CACHE_PLUGIN(/usr/local/etc/ansible/ansible.cfg) = jsonfile
CACHE_PLUGIN_CONNECTION(/usr/local/etc/ansible/ansible.cfg) = /usr/local/etc/ansible/cache
DEFAULT_GATHERING(/usr/local/etc/ansible/ansible.cfg) = smart
DEFAULT_MANAGED_STR(/usr/local/etc/ansible/ansible.cfg) = Ansible managed: {file}
RETRY_FILES_ENABLED(/usr/local/etc/ansible/ansible.cfg) = False
OS / ENVIRONMENT

FreeBSD 12.1-RELEASE-p3

STEPS TO REPRODUCE

If you have pending authorizations, acme_certificate will populate challenge_data and challenge_data_dns with the wrong authorization tokens.

EXPECTED RESULTS

When I use the acme_certificate module I would expect that it picks up the pending authorizations and puts that into the challenge data.

ACTUAL RESULTS

But what actually happens is that, for example in challenge_data_dns, there is some other challenge/token that is not the one needed to satisfy the pending challenge.

  "authorizations": {
        "domain.tld": {
            "challenges": [
                {
                    "status": "pending",
                    "token": "Y0wM-Yk9p7h7-fhcX_JW7w-8OcZfSWjetMBVqNrBP3E",
                    "type": "http-01",
                    "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/XXX/YYY"
                },
                {
                    "status": "pending",
                    "token": "Y0wM-Yk9p7h7-fhcX_JW7w-8OcZfSWjetMBVqNrBP3E",
                    "type": "dns-01",
                    "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/XXX/YYY"
                },
                {
                    "status": "pending",
                    "token": "Y0wM-Yk9p7h7-fhcX_JW7w-8OcZfSWjetMBVqNrBP3E",
                    "type": "tls-alpn-01",
                    "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/XXX/YYY"
                }
            ],
            "expires": "2020-06-14T08:13:32Z",
            "identifier": {
                "type": "dns",
                "value": "domain.tld"
            },
            "status": "pending",
            "uri": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/ZZZ"
        }


    "challenge_data": {
        "domain.tld": {
            "dns-01": {
                "record": "_acme-challenge.domain.tld",
                "resource": "_acme-challenge",
                "resource_value": "v-KF4L82VV62Qgl9wu_o_BOhxGNofDTFOQ14arL2oSA"
            },
            "http-01": {
                "resource": ".well-known/acme-challenge/Y0wM-Yk9p7h7-fhcX_JW7w-8OcZfSWjetMBVqNrBP3E",
                "resource_value": "Y0wM-Yk9p7h7-fhcX_JW7w-8OcZfSWjetMBVqNrBP3E.XLHcLBBIo8tXZnWtqHvUSiZue2EWMmONdiJTTUWBIME"
            },
            "tls-alpn-01": {
                "resource": "domain.tld",
                "resource_original": "dns:domain.tld",
                "resource_value": "v+KF4L82VV62Qgl9wu/o/BOhxGNofDTFOQ14arL2oSA="
            }
        },
    "challenge_data_dns": {
        "_acme-challenge.domain.tld": [
            "v-KF4L82VV62Qgl9wu_o_BOhxGNofDTFOQ14arL2oSA"
        ],
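
When challenge_data looks wrong, the values it should contain can be recomputed from the pending authorization's token and the account key's thumbprint (RFC 8555 section 8.1, RFC 8737 for tls-alpn-01) and compared field by field with what the module returned. This is an added Python example, not the collection's code; TOKEN and THUMBPRINT are taken from the output above, and SAMPLE_JWK is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import json

# Values quoted from the module output in the issue above: the token of the
# pending challenges and the account key thumbprint that follows the '.' in
# the http-01 resource_value.
TOKEN = "Y0wM-Yk9p7h7-fhcX_JW7w-8OcZfSWjetMBVqNrBP3E"
THUMBPRINT = "XLHcLBBIo8tXZnWtqHvUSiZue2EWMmONdiJTTUWBIME"


def b64url(data):
    """Base64url without padding, as RFC 8555 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of an account key: SHA-256 over the JSON of the
    required public members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def expected_challenge_data(domain, token, thumbprint):
    """Recompute what challenge_data should contain for one authorization.

    key authorization = token '.' thumbprint; http-01 serves it verbatim,
    dns-01 publishes base64url(SHA-256(key authorization)), and tls-alpn-01
    embeds the raw SHA-256 digest, which the module reports in standard
    base64, hence the '+', '/' and '=' in its resource_value above.
    """
    key_authorization = "%s.%s" % (token, thumbprint)
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return {
        "http-01": {
            "resource": ".well-known/acme-challenge/" + token,
            "resource_value": key_authorization,
        },
        "dns-01": {
            "record": "_acme-challenge." + domain,
            "resource": "_acme-challenge",
            "resource_value": b64url(digest),
        },
        "tls-alpn-01": {
            "resource": domain,
            "resource_original": "dns:" + domain,
            "resource_value": base64.b64encode(digest).decode("ascii"),
        },
    }


def encodings_agree(data):
    """dns-01 and tls-alpn-01 must carry the same digest in two encodings."""
    raw = base64.b64decode(data["tls-alpn-01"]["resource_value"])
    return b64url(raw) == data["dns-01"]["resource_value"]


def mismatches(expected, returned):
    """(challenge type, field) pairs where the module's output differs from the
    recomputed values; data from a stale pending authorization shows up here."""
    bad = []
    for ctype, fields in expected.items():
        for field, value in fields.items():
            if returned.get(ctype, {}).get(field) != value:
                bad.append((ctype, field))
    return bad


# Constructed EC P-256 account key JWK (placeholder coordinates, not a real
# key) to show where a thumbprint like THUMBPRINT comes from.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "placeholder-x-coordinate", "y": "placeholder-y-coordinate"}

if __name__ == "__main__":
    expected = expected_challenge_data("domain.tld", TOKEN, THUMBPRINT)
    print(json.dumps(expected, indent=4, sort_keys=True))
    print("thumbprint of sample key:", jwk_thumbprint(SAMPLE_JWK))
```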

acme_certificate not working with ZeroSSL

SUMMARY

acme_account does by now, but acme_certificate is not. I've tried to contact their support last weekend, let's see if they answer.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

acme_certificate

[all] Support diff mode

SUMMARY

Most/all modules in here should support returning meaningful diffs on changes.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME
ADDITIONAL INFORMATION

It generally feels a bit "empty" if a certificate or similar gets replaced with a simple [changed] notice, having a diff of the actual changes would be really helpful.

See https://blog.networktocode.com/post/generating-diff-with-ansible/ for the general return values expected by Ansible.

Some complications would probably include the fact that there could be private key material leaked and just diffing a DER-encoded file isn't going to help people either... so there should be some way to do the diffs on the parsed + decoded versions of the files we're creating/changing here rather than a straightforward text only diff.

openssh_keypair: check_mode should return public key

SUMMARY

When running in check mode, the openssh_keypair module returns "public_key": {}.
Can the module please return the current key, at least if no changes would be required?

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

openssh_keypair

ADDITIONAL INFORMATION

Copied from ansible/ansible#67185

See suggested workarounds:

FYI @joernheissler @clarsen @MarkusTeufelberger

STEPS TO REPRODUCE

Run that once without and then with check mode enabled:

- name: create key
  openssh_keypair:
    path: /root/.ssh/somekey
  register: somevar

EXPECTED RESULTS

I expect somevar.public_key to contain the public key.

ACTUAL RESULTS

ok: [somehost] => changed=false
  comment: ''
  filename: /root/.ssh/somekey
  fingerprint: ''
  public_key: {}
  size: 256
  type: ed25519

Next release: 1.4.0

  • #150 Move _info module code to module_utils, add diff support
  • #163 luks_device: allow to configure PBKDF
  • #166 openssl_pkcs12: allow to specify certificate bundles in other_certificates
  • #167 openssl_csr: allow to specify CRL distribution endpoints
  • #172 improve SNI support of get_certificate
  • #173 improve validation in acme_certificate, prevent hanging for wrong choice of challenge type

openssh_cert: Idempotency and random serials

SUMMARY

When creating new certificates, I want my serial numbers to be unique and that's about all. Uniqueness is required for the use with KRLs.
Uniqueness can be achieved by managing state or by assigning random serials with sufficient entropy (OpenSSH supports 64 bit integers). Since the former is cumbersome, I'd like to go with random serials. However, that does not currently seem to be possible without regenerating certificates.

For example, consider the following (incomplete) task:

- openssh_cert:
    valid_from: always
    valid_to: +7d
    valid_at: +1d

Running this task generates a certificate. Running it twice still only generates one certificate. Running it again in a week regenerates the certificate. This seems to me what most people would want, except that the serial is always 0.
I can set the serial to a random value:

- openssh_cert:
    valid_from: always
    valid_to: +7d
    valid_at: +1d
    serial: "{{ 2**64 | random }}"

This task would (almost) always regenerate the certificate, since the serial number changes on each invocation. A seed for random does not help, since it cannot ensure that the serial is constant until the expiry date is less than valid_at.

According to ansible/ansible#54653 (review) there is some sense behind the choice of comparing serial numbers on the idempotency check. Unfortunately, I cannot figure it out by myself and the comment does not elaborate on this.

Am I simply doing it wrong? Are users supposed to track and manage serial numbers manually?
If not, I suggest that the serial number check should be made optional in is_valid or removed completely, if there is no valid use case for it.
Removing the check would be easiest but may break some use case I am not currently aware of. Making it optional would require a new parameter, which feels like cluttering the interface to me.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

plugins/modules/openssh_cert.py

ADDITIONAL INFORMATION

If someone gives me a hint on what would be acceptable behaviour, I can make a pull request.

Out of memory error when attempting to create luks2 device

SUMMARY

An error occurs when using luks2 type when creating a crypt device

Actual code snippet (minimal example later):
task:

- name: Create keyfile for luks
  shell: "openssl rand -base64 {{ item.keyfile_len }} | tr -d '\n' | tee {{ item.keyfile }}"
  with_items: "{{ crypt }}"

- name: Setup luks partitions
  community.crypto.luks_device:
    device: "{{ item.device }}"
    state: "opened"
    name: "{{ item.name }}"
    # label: "{{ item.name }}"
    type: "{{ item.type }}"
    cipher: "{{ item.cipher }}"
    keysize: "{{ item.keysize }}"
    hash: "{{ item.hash }}"
    keyfile: "{{ item.keyfile }}"
    #passphrase: "{{ item.passphrase }}"
  with_items: "{{ crypt }}"

- name: Add luks passprase
  community.crypto.luks_device:
    device: "{{ item.device }}"
    keyfile: "{{ item.keyfile }}"
    new_passphrase: "{{ item.passphrase }}"
  with_items: "{{ crypt }}"

vars:

crypt:
  - device: /dev/vda2
    name: "{{ crypt_name }}"
    type: luks2
    cipher: aes-xts-plain64
    keysize: 512
    hash: sha512
    passphrase: "{{ luks_password }}"
    keyfile: "/tmp/{{ crypt_name }}_{{ ansible_date_time.date }}"
    keyfile_len: 512

Error: [screenshot]

Note that the key never gets added. [screenshot]

Replacing luks2 with luks1 makes it work again (note that I ctrl+c after the playbook got past the adding of passcode). [screenshot]

ISSUE TYPE
  • Bug Report
COMPONENT NAME

community.crypto.luks_device

ANSIBLE VERSION
ansible 2.10.2
  config file = /root/a/0/ansible-linux/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.8/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.8.5 (default, Sep  5 2020, 10:50:12) [GCC 10.2.0]
CONFIGURATION
DEFAULT_HOST_LIST(/root/a/0/ansible-linux/ansible.cfg) = ['/root/a/0/ansible-linux/localhost']
OS / ENVIRONMENT

OS: Arch Linux install iso: archlinux-2020.10.01-x86_64.iso
Machine: libvirt/kvm/qemu VM

STEPS TO REPRODUCE

When attempting to run this ansible-playbook code (minimal code)

---
- hosts: localhost
  connection: local
  tasks:
    - name: Setup luks partitions
      community.crypto.luks_device:
        device: "/dev/vda"
        state: "present"
        name: "test"
        type: luks2
        passphrase: "123"

I get an out of memory error. Attempted multiple times and the same error occurs. [screenshot]

If type: is replaced with luks1, the error disappears.

---
- hosts: localhost
  connection: local
  tasks:
    - name: Setup luks partitions
      community.crypto.luks_device:
        device: "/dev/vda"
        state: "present"
        name: "test"
        type: luks1
        passphrase: "123"

[screenshot]

EXPECTED RESULTS

crypt device should be created with luks2 header format

ACTUAL RESULTS

cryptsetup starts but gets killed because of an out of memory error. Running cryptsetup manually works without any issues.

[screenshots]

output of -vvv

ansible-playbook 2.10.2
  config file = /root/a/0/ansible-linux/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.8/site-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 3.8.5 (default, Sep  5 2020, 10:50:12) [GCC 10.2.0]
Using /root/a/0/ansible-linux/ansible.cfg as config file
host_list declined parsing /root/a/0/ansible-linux/localhost as it did not pass its verify_file() method
script declined parsing /root/a/0/ansible-linux/localhost as it did not pass its verify_file() method
auto declined parsing /root/a/0/ansible-linux/localhost as it did not pass its verify_file() method
Parsed /root/a/0/ansible-linux/localhost inventory source with ini plugin

PLAYBOOK: test.yml *************************************************************
1 plays in test.yml

PLAY [localhost] ***************************************************************

TASK [Gathering Facts] *********************************************************
task path: /root/a/0/ansible-linux/test.yml:2
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: root
<localhost> EXEC /bin/sh -c 'echo ~root && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1604373915.8610246-7734-152505809239539 `" && echo ansible-tmp-1604373915.8610246-7734-152505809239539="` echo /root/.ansible/tmp/ansible-tmp-1604373915.8610246-7734-152505809239539 `" ) && sleep 0'
<localhost> Attempting python interpreter discovery
<localhost> EXEC /bin/sh -c 'echo PLATFORM; uname; echo FOUND; command -v '"'"'/usr/bin/python'"'"'; command -v '"'"'python3.7'"'"'; command -v '"'"'python3.6'"'"'; command -v '"'"'python3.5'"'"'; command -v '"'"'python2.7'"'"'; command -v '"'"'python2.6'"'"'; command -v '"'"'/usr/libexec/platform-python'"'"'; command -v '"'"'/usr/bin/python3'"'"'; command -v '"'"'python'"'"'; echo ENDFOUND && sleep 0'
<localhost> EXEC /bin/sh -c '/usr/bin/python && sleep 0'
<localhost> Python interpreter discovery fallback (unable to get Linux distribution/version info)
Using module file /usr/lib/python3.8/site-packages/ansible/modules/setup.py
<localhost> PUT /root/.ansible/tmp/ansible-local-77303wte3qvg/tmp1j33jo_s TO /root/.ansible/tmp/ansible-tmp-1604373915.8610246-7734-152505809239539/AnsiballZ_setup.py
<localhost> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1604373915.8610246-7734-152505809239539/ /root/.ansible/tmp/ansible-tmp-1604373915.8610246-7734-152505809239539/AnsiballZ_setup.py && sleep 0'
<localhost> EXEC /bin/sh -c '/usr/bin/python /root/.ansible/tmp/ansible-tmp-1604373915.8610246-7734-152505809239539/AnsiballZ_setup.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1604373915.8610246-7734-152505809239539/ > /dev/null 2>&1 && sleep 0'
ok: [localhost]
META: ran handlers

TASK [Setup luks partitions] ***************************************************
task path: /root/a/0/ansible-linux/test.yml:5
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: root
<localhost> EXEC /bin/sh -c 'echo ~root && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1604373917.1401203-7799-221460709672824 `" && echo ansible-tmp-1604373917.1401203-7799-221460709672824="` echo /root/.ansible/tmp/ansible-tmp-1604373917.1401203-7799-221460709672824 `" ) && sleep 0'
Using module file /usr/lib/python3.8/site-packages/ansible_collections/community/crypto/plugins/modules/luks_device.py
<localhost> PUT /root/.ansible/tmp/ansible-local-77303wte3qvg/tmpztewcmh_ TO /root/.ansible/tmp/ansible-tmp-1604373917.1401203-7799-221460709672824/AnsiballZ_luks_device.py
<localhost> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1604373917.1401203-7799-221460709672824/ /root/.ansible/tmp/ansible-tmp-1604373917.1401203-7799-221460709672824/AnsiballZ_luks_device.py && sleep 0'
<localhost> EXEC /bin/sh -c '/usr/bin/python /root/.ansible/tmp/ansible-tmp-1604373917.1401203-7799-221460709672824/AnsiballZ_luks_device.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1604373917.1401203-7799-221460709672824/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
  File "/tmp/ansible_community.crypto.luks_device_payload_kewvgto3/ansible_community.crypto.luks_device_payload.zip/ansible_collections/community/crypto/plugins/modules/luks_device.py", line 711, in run_module
  File "/tmp/ansible_community.crypto.luks_device_payload_kewvgto3/ansible_community.crypto.luks_device_payload.zip/ansible_collections/community/crypto/plugins/modules/luks_device.py", line 426, in run_luks_create
fatal: [localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "cipher": null,
            "device": "/dev/vda",
            "force_remove_last_key": false,
            "hash": null,
            "keyfile": null,
            "keysize": null,
            "label": null,
            "name": "test",
            "new_keyfile": null,
            "new_passphrase": null,
            "passphrase": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "remove_keyfile": null,
            "remove_passphrase": null,
            "state": "present",
            "type": "luks2",
            "uuid": null
        }
    },
    "msg": "luks_device error: Error while creating LUKS on /dev/vda: "
}

PLAY RECAP *********************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

Non-logged output: [screenshot]

Add support for adding a custom serial to certificates and csr ( cmdline: set_serial )

SUMMARY

Let serial be set in various modules

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

openssl_csr
openssl_certificate

ADDITIONAL INFORMATION

Some tools require setting special information in certificates. It seems that a 01 serial is required, at least for MariaDB.
See documentation and automated tests:

https://github.com/mariadb-corporation/mariadb-connector-j/blob/master/.travis/gen-ssl.sh#L69
https://github.com/mariadb-corporation/mariadb-connector-j/blob/master/.travis/gen-ssl.sh#L78
https://github.com/mariadb-corporation/mariadb-connector-j/blob/master/.travis/gen-ssl.sh#L102

openssl_pkcs12: cannot re-create pkcs12 with no private key

Original issue from Ansible github: https://github.com/ansible/ansible/issues/59945

SUMMARY

When generating a PKCS12 keystore without a private key, if the file exists, parsing it fails

ISSUE TYPE
  • Bug Report
COMPONENT NAME

openssl_pkcs12 (likely caused by https://github.com/ansible-collections/community.crypto/blob/main/plugins/modules/openssl_pkcs12.py#L363)

ANSIBLE VERSION
ansible 2.9.6
  config file = /home/redacted/dev/redacted/ansible.cfg
  configured module search path = ['/home/redacted/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/redacted/.local/lib/python3.6/site-packages/ansible
  executable location = /home/redacted/.local/bin/ansible
  python version = 3.6.9 (default, Nov  7 2019, 10:44:02) [GCC 8.3.0]
CONFIGURATION
ANSIBLE_NOCOWS(env: ANSIBLE_NOCOWS) = True
DEFAULT_CALLBACK_WHITELIST(/home/redacted/dev/redacted/ansible.cfg) = ['timer']
DEFAULT_FILTER_PLUGIN_PATH(/home/redacted/dev/redacted/ansible.cfg) = ['/home/redacted/dev/redacted/filter_plugins']
DEFAULT_LOG_PATH(/home/redacted/dev/redacted/ansible.cfg) = /var/log/ansible.log
DEFAULT_ROLES_PATH(/home/redacted/dev/redacted/ansible.cfg) = ['/home/redacted/dev/redacted/roles']
DEFAULT_STDOUT_CALLBACK(/home/redacted/dev/redacted/ansible.cfg) = yaml
OS / ENVIRONMENT

Ubuntu 18.04 inside WSL1 on Windows 10, but issue has been reproduced across various platforms (mainly CentOS 7.7)

STEPS TO REPRODUCE
EXPECTED RESULTS
  • Create a PFX/P12 file with only certificates ("other_certificates")
  • Try to parse the file or run the export again over the same file
openssl_pkcs12:
    path: "{{ truststore_path }}"
    name: truststore
    other_certificates: "{{ cacert_path }}"
ACTUAL RESULTS

PyOpenSSL fails to dump the private key (which is None when parsed from p12)

      File "/tmp/ansible_openssl_pkcs12_payload_tfn6ujgx/ansible_openssl_pkcs12_payload.zip/ansible/modules/crypto/openssl_pkcs12.py", line 449, in <module>
      File "/tmp/ansible_openssl_pkcs12_payload_tfn6ujgx/ansible_openssl_pkcs12_payload.zip/ansible/modules/crypto/openssl_pkcs12.py", line 412, in main
      File "/tmp/ansible_openssl_pkcs12_payload_tfn6ujgx/ansible_openssl_pkcs12_payload.zip/ansible/modules/crypto/openssl_pkcs12.py", line 246, in check
      File "/tmp/ansible_openssl_pkcs12_payload_tfn6ujgx/ansible_openssl_pkcs12_payload.zip/ansible/modules/crypto/openssl_pkcs12.py", line 341, in parse
      File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1899, in dump_privatekey
        raise TypeError("pkey must be a PKey")
    TypeError: pkey must be a PKey

TODO: Refactor module_utils/crypto.py

Make it a subdirectory and split that file up into several smaller files.

This allows modules to include only the parts they actually need.

Requires #7 and #9 to be merged first.

Release plan

We should decide eventually on how to release this collection (w.r.t. versioning). Small collections like this one don't need a complex plan like the one for community.general and community.network (https://gist.github.com/felixfontein/2bad8517b70008ab9be90387ee4090c8). So how about the following?

  1. Release 1.0.0 soon (I think #53 and #9 should get in in some form first, because they slightly change behavior of existing things).
  2. Release minor and patch releases whenever we want (like after adding new features or fixing bugs). Since this collection is small, there's no need to fix things in advance. Just add features, and after a feature either wait a bit longer for more features/bugs, or make a release.
  3. The 2.0.0 release will be without PyOpenSSL (except probably in openssl_pkcs12, since right now cryptography cannot handle PKCS12 files), and sometime in mid 2021 (Markus pointed out that by then we can assume cryptography 2.1.4 or even newer).
  4. We can obviously backport bugfixes or even features from 2.x.y to 1.X.Y if we want, i.e. we can supply the 1.X.Y series with fixes or even features for a longer time.
  5. We can start planning a 3.0.0 release once we have a reason to break backwards compatibility again.

What do you think @MarkusTeufelberger @Shaps @gundalow?

We can also start with some pre-1.0.0 releases, but honestly I don't see why. New features can easily end up in post-1.0.0 releases; it's only backwards compatibility breaking (no matter how hard) changes that should go in at least for 1.0.0. And right now, the only candidates I see for that are #9 and #53 since they change the output of cryptography_decode_name.

openssl_csr: Please add ability to specify the crl location (crlDistributionPoints URI http://$url/org.crl)

SUMMARY

Please add the ability to specify the crlDistributionPoints URI within the CSR.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

openssl_csr

ADDITIONAL INFORMATION

This is needed for smart card logon as a windows domain user (Samba DC). For this to work, the system looks for the crlDistribution point within the certificate to specify the URL to check for the CRL.

- name: Generate Certificate Authority Certificate Signing Request (CSR)
  openssl_csr:
    path: "/etc/ssl/csr/www.ansible.com.csr"
    privatekey_path: "/etc/ssl/private/ansible.com.pem"
    privatekey_passphrase: "{{ privatekey_passphrase }}"
    common_name: "{{ common_name }}"
    country_name: "{{ country_name }}"
    email_address: "{{ email_address }}"
    organization_name: "{{ organization_name }}"
    key_usage: "{{ item.keyusage }}"
    basic_constraints: "{{ item.basic_constraints }}"
    create_subject_key_identifier: yes
    crl_distribution_point: "http://example.com/pki/ca.crl"   # proposed new option
    owner: "{{ ansible_user }}"
    group: "{{ ansible_user }}"

openssl_csr missing nameConstraints extension

SUMMARY

I was trying to limit domains an intermediate CA certificate can sign by adding a nameConstraints. However I couldn't find an option for that in openssl_csr. Is that implemented?

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

openssl_csr

ADDITIONAL INFORMATION

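Both CSR requests above (a crlDistributionPoints URI and a nameConstraints extension) correspond to extensions that the cryptography library, on which the openssl_csr module is built, can already place in a CSR. The following is an added example, not code from the collection, that builds a CSR for an intermediate CA carrying both extensions and reads them back. The CRL URL is the one from the task above; the subject name, the permitted DNS subtree and the P-384 key are assumptions chosen for illustration.

```python
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec


def build_constrained_ca_csr(key, common_name, crl_url, permitted_dns):
    """Build a CSR for an intermediate CA that carries a CRL distribution
    point and a critical nameConstraints extension restricting the DNS
    names the CA may certify. All values are caller-supplied assumptions."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    builder = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(subject)
        # CA certificate that may not issue further CAs
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        # cryptography requires every KeyUsage bit to be stated explicitly
        .add_extension(
            x509.KeyUsage(
                digital_signature=True, content_commitment=False,
                key_encipherment=False, data_encipherment=False,
                key_agreement=False, key_cert_sign=True, crl_sign=True,
                encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
        # crlDistributionPoints: where relying parties fetch this CA's CRL
        .add_extension(
            x509.CRLDistributionPoints([
                x509.DistributionPoint(
                    full_name=[x509.UniformResourceIdentifier(crl_url)],
                    relative_name=None, reasons=None, crl_issuer=None,
                )
            ]),
            critical=False,
        )
        # nameConstraints: limit what this intermediate may sign
        .add_extension(
            x509.NameConstraints(
                permitted_subtrees=[x509.DNSName(d) for d in permitted_dns],
                excluded_subtrees=None,
            ),
            critical=True,
        )
    )
    return builder.sign(key, hashes.SHA256())


def csr_extension_summary(csr):
    """Read the extensions back out of a CSR, as a verifier or CA would."""
    exts = csr.extensions
    cdp = exts.get_extension_for_class(x509.CRLDistributionPoints).value
    nc_ext = exts.get_extension_for_class(x509.NameConstraints)
    return {
        "crl_urls": [gn.value for dp in cdp for gn in (dp.full_name or [])],
        "permitted_dns": [gn.value for gn in (nc_ext.value.permitted_subtrees or [])],
        "name_constraints_critical": nc_ext.critical,
        "signature_valid": csr.is_signature_valid,
        "pem": csr.public_bytes(serialization.Encoding.PEM).decode("ascii"),
    }


def demo():
    """Generate a throwaway key (assumed P-384) and build the example CSR."""
    key = ec.generate_private_key(ec.SECP384R1())
    csr = build_constrained_ca_csr(
        key,
        "Example Issuing CA",           # assumed subject name
        "http://example.com/pki/ca.crl",  # CRL URL from the task above
        ["example.com"],                # assumed permitted DNS subtree
    )
    return csr, csr_extension_summary(csr)


if __name__ == "__main__":
    _, summary = demo()
    print(summary["pem"])
    print({k: v for k, v in summary.items() if k != "pem"})
```

Whether a CA honours extensions requested in a CSR is up to the CA; the point of the example is that the CSR side of both feature requests is a matter of adding the extension objects, and that nameConstraints should be marked critical so that validators which do not understand it reject the chain rather than ignore the restriction.
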
Add OpenSSL fingerprint(s) to x509_certificate_info

SUMMARY

The x509_certificate_info module does not return the OpenSSL fingerprint for any algorithm.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

x509_certificate_info module

ADDITIONAL INFORMATION

I was porting an old certificate verification shell script to ansible and discovered the x509_certificate_info module does not return the OpenSSL fingerprint, i.e.:

$ openssl x509 -noout -fingerprint -sha1 -in /home/user/test.pem
SHA1 Fingerprint=XX:XX:XX...
$ openssl x509 -noout -fingerprint -sha256 -in /home/user/test.pem
SHA256 Fingerprint=XX:XX:XX...

The hex values returned differ from the public_key_fingerprints currently returned with x509_certificate_info.

The cryptography python package does support generating the fingerprint:

$ python3
Python 3.8.3 (default, May 19 2020, 18:47:26)
[GCC 7.3.0] :: Anaconda, Inc. on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from cryptography import x509
>>> from cryptography.hazmat.primitives import hashes
>>> f = open("/home/user/test.pem", "r")
>>> data = f.read().encode('ascii')
>>> cert = x509.load_pem_x509_certificate(data)
>>> cert.fingerprint(hashes.SHA1()).hex()
'xxxxxx...'
>>> cert.fingerprint(hashes.SHA256()).hex()
'xxxxxx...'

The SHA1 fingerprint matches that which is found in Windows browsers and used by less tech savvy admins as additional verification that the certificate matches those reported by the shell script. Could this be easily implemented in the module?

Thank you

Can't detect any of the required Python libraries cryptography (>= 1.6) or PyOpenSSL (>= 0.15)

SUMMARY

Module community.crypto.get_certificate can only run on localhost, but can't be run on a target node.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

community.crypto.get_certificate

ANSIBLE VERSION
ansible 2.10.2
  config file = None
  configured module search path = ['/home/ansapp/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ansapp/.local/lib/python3.6/site-packages/ansible
  executable location = /home/ansapp/.local/bin/ansible
  python version = 3.6.8 (default, Sep 26 2019, 11:57:09) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
CONFIGURATION

OS / ENVIRONMENT

RHEL 7.6

STEPS TO REPRODUCE
    - name: Get a cert from an https port
      community.crypto.get_certificate:
        host: "XX.XX.XX.XX"
        port: 443
      register: cert
EXPECTED RESULTS

Like other modules, it can be run on remote nodes.

ACTUAL RESULTS
TASK [Get a cert from an https port] *********************************************************************************************************************************************************
fatal: [xxx]: FAILED! => {"changed": false, "msg": "Can't detect any of the required Python libraries cryptography (>= 1.6) or PyOpenSSL (>= 0.15)"}

Inclusion of community.crypto in Ansible 2.10

This collection will be included in Ansible 2.10 because it contains modules and/or plugins that were included in Ansible 2.9. Please review:

DEADLINE: 2020-08-18

The latest version of the collection available on August 18 will be included in Ansible 2.10.0, except possibly newer versions which differ only in the patch level. (For details, see the roadmap). Please release version 1.0.0 of your collection by this date! If 1.0.0 does not exist, the same 0.x.y version will be used in all of Ansible 2.10 without updates, and your 1.x.y release will not be included until Ansible 2.11 (unless you request an exception at a community working group meeting and go through a demanding manual process to vouch for backwards compatibility . . . you want to avoid this!).

Follow semantic versioning rules

Your collection versioning must follow all semver rules. This means:

  • Patch level releases can only contain bugfixes;
  • Minor releases can contain new features, new modules and plugins, and bugfixes, but must not break backwards compatibility;
  • Major releases can break backwards compatibility.

Changelogs and Porting Guide

Your collection should provide data for the Ansible 2.10 changelog and porting guide. The changelog and porting guide are automatically generated from ansible-base, and from the changelogs of the included collections. All changes from the breaking_changes, major_changes, removed_features and deprecated_features sections will appear in both the changelog and the porting guide. You have two options for providing changelog fragments to include:

  1. If possible, use the antsibull-changelog tool, which uses the same changelog fragment as the ansible/ansible repository (see the documentation).
  2. If you cannot use antsibull-changelog, you can provide the changelog in a machine-readable format as changelogs/changelog.yaml inside your collection (see the documentation of changelogs/changelog.yaml format).

If you cannot contribute to the integrated Ansible changelog using one of these methods, please provide a link to your collection's changelog by creating an issue in https://github.com/ansible-community/ansible-build-data/. If you do not provide changelogs/changelog.yml or a link, users will not be able to find out what changed in your collection from the Ansible changelog and porting guide.

Make sure your collection passes the sanity tests

Run ansible-test sanity --docker -v in the collection with the latest ansible-base or stable-2.10 ansible/ansible checkout.

Keep informed

Be sure you're subscribed to:

Questions and Feedback

If you have questions or want to provide feedback, please see the Feedback section in the collection requirements.

(Internal link to keep track of issues: ansible-collections/overview#102)

openssl_privatekey does not recreate keys

SUMMARY

A key generated with openssl_privatekey is not regenerated if I change the type.

My idea was that Ansible should make sure that a key is in the given state. But this is not happening.
As you can see, I create an RSA 4096-bit key, as those are the defaults. After a change to an ECC key, Ansible changes nothing.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

openssl_privatekey

ADDITIONAL INFORMATION
    - name: generate key
      community.crypto.openssl_privatekey:
        path: /my/privatekey.key

    - name: change key
      community.crypto.openssl_privatekey:
        path: /my/privatekey.key
        type: ECC
        curve: secp384r1

openssh_keypair error if key already exists

SUMMARY

openssh_keypair throws an error if ssh key pair already exists.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

openssh_keypair module

ANSIBLE VERSION
ansible 2.9.13
  configured module search path = ['/home/devnewton/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/devnewton/.local/lib/python3.8/site-packages/ansible
  executable location = /home/devnewton/.local/bin/ansible
  python version = 3.8.3 (default, May 23 2020, 15:50:53) [GCC 9.3.0]
CONFIGURATION

OS / ENVIRONMENT

Windows 10 + cygwin

STEPS TO REPRODUCE

Run a playbook with openssh_keypair twice.

- name: test ssh key gen
  hosts: localhost
  gather_facts: false
  tasks:
    - name: create target directory
      file:
        path: "target"
        state: directory
    - name: create ssh key
      openssh_keypair:
        path: "target/ssh_key" 
EXPECTED RESULTS

No error expected.

ACTUAL RESULTS

Playbook fails on python exception.

An exception occurred during task execution. To see the full traceback, use -vvv. The error was:   File "/tmp/ansible_openssh_keypair_payload_rzdh605t/ansible_openssh_keypair_payload.zip/ansible/modules/crypto/openssh_keypair.py", line 292, in _pubkey_valid
fatal: [localhost]: FAILED! => {
    "changed": false
}

MSG:

'bool' object is not subscriptable

openssh_cert: Make it possible to use a signing key stored in ssh-agent

SUMMARY

If the ssh signing key is password protected, and the user has it unlocked in an ssh-agent, an additional flag needs to be passed to ssh-keygen in order for it to use the key from the agent when signing. I propose an additional optional module boolean argument to add the flag needed.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

openssh_cert.py

ADDITIONAL INFORMATION

See summary.

- openssh_cert:
    type: user
    signing_key: /path/to/private_key
    use_agent: yes
    public_key: /path/to/public_key.pub
    path: /path/to/certificate
    valid_from: always
    valid_to: forever

openssh_keypair does not ignore comment as documented

SUMMARY

The docs of the openssh_keypair module say about comment that

    When checking if the key is in the correct state this will be ignored.

but the module checks and updates the comment even if all other parameters are equal.

ISSUE TYPE
  • Bug Report

(I am reporting this as a bug instead of a documentation bug because I would prefer the documented behaviour over the actual)

COMPONENT NAME

openssh_keypair

ANSIBLE VERSION
ansible 2.9.9
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/luc/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.8/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.8.3 (default, May 17 2020, 18:15:42) [GCC 10.1.0]
CONFIGURATION

(no change)

OS / ENVIRONMENT

Arch Linux

STEPS TO REPRODUCE
# bug.yml
- hosts: localhost
  tasks:
    - name: create key
      openssh_keypair:
        path: x
        comment: foo
    - name: change comment
      openssh_keypair:
        path: x
        comment: bar
EXPECTED RESULTS
  • on the first run the first task ("create key") should change and the second ("change comment") should be unchanged.
  • on subsequent runs (with or without check mode) all tasks should be unchanged.
  • in more abstract terms: the module should not change the file on disk if only the comment parameter differs
ACTUAL RESULTS

The module changes the file on disk if the comment parameter differs.

[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'

PLAY [localhost] ****************************************************************

TASK [Gathering Facts] **********************************************************
ok: [localhost]

TASK [create key] ***************************************************************
changed: [localhost]

TASK [change comment] ***********************************************************
changed: [localhost]

PLAY RECAP **********************************************************************
localhost                  : ok=3    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

openssl_certificate_info cannot open "TRUSTED CERTIFICATE"

I generated a self-signed trusted (meaning with -trustout) certificate and openssl_certificate_info is unable to load it:

      File "/cygdrive/c/Users/user/AppData/Local/Temp/ansible_openssl_certificate_info_payload_44fbrdw1/ansible_openssl_certificate_info_payload.zip/ansible/module_utils/crypto.py", line 229, in load_certificate
      File "/usr/lib/python3.6/site-packages/cryptography/x509/base.py", line 70, in load_pem_x509_certificate
        return backend.load_pem_x509_certificate(data)
      File "/usr/lib/python3.6/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1310, in load_pem_x509_certificate
        "Unable to load certificate. See https://cryptography.io/en/la"
    ValueError: Unable to load certificate. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details.

The certificate contains prelude / epilogue:

-----BEGIN TRUSTED CERTIFICATE-----
-----END TRUSTED CERTIFICATE-----

After I altered those lines by stripping TRUSTED, it is able to work with the certificate.

Self contained reproduction script:

- hosts: localhost
  connection: local
  gather_facts: no
  vars:
    stdout_callback: yaml
    client_name: client
    client_pass: 123456
    client_domain: localhost
    client_email: [email protected]

  tasks:
  - shell:
      cmd: >-
        openssl genrsa -out {{ client_name }}.key -passout pass:{{ client_pass }} 2048
      creates: "{{ client_name }}.key"
  - shell:
      cmd: >-
        openssl req -new
        -key {{ client_name }}.key -passin pass:{{ client_pass }}
        -out {{ client_name }}.csr
        -subj /CN="{{ client_domain }}"/O=home/C=UA/emailAddress="{{ client_email }}"
      creates: "{{ client_name }}.csr"
  # -trustout writes the certificate with a "TRUSTED CERTIFICATE" PEM label
  - shell:
      cmd: >-
        openssl x509 -trustout -days 3650
        -signkey {{ client_name }}.key -passin pass:{{ client_pass }}
        -req -in {{ client_name }}.csr -out {{ client_name }}.crt
      creates: "{{ client_name }}.crt"
  - shell:
      cmd: >-
        openssl x509 -text -noout -in "{{ client_name }}.crt"
    register: crt_info

  # Now you can start server with the client certificate & the private key:
  # openssl s_server -no_dhe -accept 8000 -www -key client.key -cert client.crt
  # and connect to server with:
  # curl --cacert client.crt https://localhost:8000

  - debug: var=crt_info

  # Loading the trusted certificate is the step that fails
  - openssl_certificate_info:
      path: "{{ client_name }}.crt"
    register: crt_info

  - debug: var=crt_info

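The missing OpenSSL fingerprint reported for x509_certificate_info above and the TRUSTED CERTIFICATE load failure in this issue both come down to handling the certificate's raw DER. The following is an added example using only the Python standard library, not code from the collection or from cryptography. It extracts the certificate DER from either PEM label by keeping only the first complete DER object, because `openssl x509 -trustout` writes the certificate followed by OpenSSL's X509_AUX trust metadata and a loader that expects exactly one certificate rejects the trailing bytes; the resulting bytes can be handed to cryptography's load_der_x509_certificate. It then hashes that DER the way `openssl x509 -fingerprint` does (hash over the whole DER certificate, which is why it differs from a public-key fingerprint) and skips any algorithm the host's hashlib refuses, as happens for MD5 under FIPS-restricted OpenSSL. The sample DER bytes are constructed stand-ins, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed sample data (assumption, for illustration only): a tiny DER
# SEQUENCE holding one INTEGER stands in for a certificate, and a trailing
# empty SEQUENCE stands in for OpenSSL's X509_AUX trust metadata.
SAMPLE_CERT_DER = bytes.fromhex("3003020105")
SAMPLE_AUX_DER = bytes.fromhex("3000")

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


def pem_blocks(pem_text):
    """Yield (label, der_bytes) for every PEM block in the text."""
    for m in PEM_RE.finditer(pem_text):
        body = "".join(m.group("body").split())  # drop line breaks
        yield m.group("label"), base64.b64decode(body)


def der_first_object(data):
    """Return the first complete DER TLV in data, dropping anything after it.
    Handles short-form and long-form (up to 4 byte) length encodings."""
    if len(data) < 2:
        raise ValueError("too short for DER")
    first_len = data[1]
    if first_len < 0x80:
        header, length = 2, first_len
    else:
        n = first_len & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            raise ValueError("unsupported DER length encoding")
        header = 2 + n
        length = int.from_bytes(data[2:header], "big")
    end = header + length
    if end > len(data):
        raise ValueError("truncated DER object")
    return data[:end]


def certificate_der(pem_text):
    """Extract the certificate DER from a CERTIFICATE or TRUSTED CERTIFICATE
    PEM block. A TRUSTED CERTIFICATE body is the certificate's DER followed
    by OpenSSL's X509_AUX data, so only the first DER object is kept."""
    for label, der in pem_blocks(pem_text):
        if label == "CERTIFICATE":
            return der
        if label == "TRUSTED CERTIFICATE":
            return der_first_object(der)
    raise ValueError("no certificate block found")


def openssl_fingerprint(der, algorithm):
    """Hash the whole certificate DER and format it like
    'openssl x509 -fingerprint': upper-case hex, colon separated."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def available_fingerprints(der, algorithms=("sha1", "sha256", "md5")):
    """Fingerprints for each requested algorithm, skipping any that hashlib
    refuses (hashlib.new raises ValueError for unknown or disabled hashes)."""
    result = {}
    for alg in algorithms:
        try:
            result[alg] = openssl_fingerprint(der, alg)
        except ValueError:
            continue
    return result


def make_pem(label, der):
    """Wrap DER bytes in a PEM block with the given label (used to build the
    constructed sample input)."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


if __name__ == "__main__":
    trusted = make_pem("TRUSTED CERTIFICATE", SAMPLE_CERT_DER + SAMPLE_AUX_DER)
    der = certificate_der(trusted)
    print("certificate DER:", der.hex())
    for alg, fp in available_fingerprints(der).items():
        print("%s Fingerprint=%s" % (alg.upper(), fp))
```

Comparing a fingerprint produced this way with the value shown by a browser or by `openssl x509 -fingerprint` only works when both hash the same DER; stripping the X509_AUX trailer first is what makes a -trustout certificate comparable.
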
FIPS - Allow for selecting Openssl private key module hashing algorithm for fingerprint

SUMMARY

The Openssl private key module gathers fingerprints of the key as return data using all available hashing methods. If one of the methods is not permitted on the system due to enabling FIPS, the module fails. There is no apparent way to modify this behavior.

Previous iterations of the kubernetes metering operator (as an example) have made this work by limiting the number of available hashing algorithms (link), but this requires blacklisting algorithms as they fall out of favor with FIPS. I'd like to propose instead allowing users to specify the fingerprint algorithm and have it run only a single default (strong) hash for the fingerprint return. If changing the default behavior to whitelist is a breaking change, just adding an option to select the hash would simplify the FIPS usability.

ISSUE TYPE
  • Feature request
COMPONENT NAME

community.crypto.openssl_privatekey

ANSIBLE VERSION
ansible --version
ansible 2.9.15
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/usr/share/ansible/openshift']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.6.8 (default, Dec  5 2019, 15:45:45) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
CONFIGURATION
ansible-config dump --only-changed
DEFAULT_CALLBACK_WHITELIST(/etc/ansible/ansible.cfg) = ['timer', 'profile_roles']
DEFAULT_MODULE_PATH(/etc/ansible/ansible.cfg) = ['/usr/share/ansible/openshift']
DEFAULT_ROLES_PATH(/etc/ansible/ansible.cfg) = ['/opt/ansible/roles']

OS / ENVIRONMENT

OpenShift Operator Deployment
https://github.com/kube-reporting/metering-operator

STEPS TO REPRODUCE

Deploy the 4.6 Metering Operator on OpenShift 4.6 cluster

EXPECTED RESULTS

Metering operator creates openssl certificates

ACTUAL RESULTS
TASK [Generate a RSA private key for the CA] ********************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/.ansible-/tmp/ansible-tmp-1605639519.1729925-24168-234385709602156/AnsiballZ_openssl_privatekey.py\", line 102, in <module>\n    _ansiballz_main()\n  File \"/tmp/.ansible-/tmp/ansible-tmp-1605639519.1729925-24168-234385709602156/AnsiballZ_openssl_privatekey.py\", line 94, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/tmp/.ansible-/tmp/ansible-tmp-1605639519.1729925-24168-234385709602156/AnsiballZ_openssl_privatekey.py\", line 40, in invoke_module\n    runpy.run_module(mod_name='ansible.modules.crypto.openssl_privatekey', init_globals=None, run_name='__main__', alter_sys=True)\n  File \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\n    mod_name, mod_spec, pkg_name, script_name)\n  File \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_openssl_privatekey_payload_rg2zb9st/ansible_openssl_privatekey_payload.zip/ansible/modules/crypto/openssl_privatekey.py\", line 692, in <module>\n  File \"/tmp/ansible_openssl_privatekey_payload_rg2zb9st/ansible_openssl_privatekey_payload.zip/ansible/modules/crypto/openssl_privatekey.py\", line 676, in main\n  File \"/tmp/ansible_openssl_privatekey_payload_rg2zb9st/ansible_openssl_privatekey_payload.zip/ansible/modules/crypto/openssl_privatekey.py\", line 303, in generate\n  File \"/tmp/ansible_openssl_privatekey_payload_rg2zb9st/ansible_openssl_privatekey_payload.zip/ansible/modules/crypto/openssl_privatekey.py\", line 545, in _get_fingerprint\n  File \"/tmp/ansible_openssl_privatekey_payload_rg2zb9st/ansible_openssl_privatekey_payload.zip/ansible/module_utils/crypto.py\", line 164, in get_fingerprint_of_bytes\nValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
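An added example, not the collection's own code, that computes key fingerprints the way the report describes but skips hashes the runtime refuses and offers the single-algorithm option the reporter proposes. The function names and the sample key bytes are constructed for this illustration.

```python
import hashlib

# Constructed sample input: stands in for the encoded public key that the
# module hashes. Any byte string works for demonstrating the mechanism.
SAMPLE_KEY_BYTES = b"constructed-public-key-bytes-for-demo"


def _colon_hex(hexdigest):
    """Format 'abcd...' as 'ab:cd:...' like the module's fingerprint output."""
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_all(data, algorithms=None):
    """Return {algorithm: fingerprint} for each hash the runtime lets us use.

    Mirrors the 'try every available method' behaviour from the report, but a
    hash the backend refuses (under FIPS, hashlib.new('md5') raises ValueError
    from OpenSSL's EVP_DigestInit_ex) is skipped instead of aborting the task.
    Pass an explicit list to allowlist algorithms instead of blocklisting.
    """
    names = sorted(algorithms) if algorithms else sorted(hashlib.algorithms_available)
    fingerprints = {}
    for name in names:
        try:
            digest = hashlib.new(name, data).hexdigest()
        except (ValueError, TypeError):
            # ValueError: unknown or FIPS-disabled hash; TypeError: shake_*
            # digests need a length argument and are not fingerprint hashes.
            continue
        fingerprints[name] = _colon_hex(digest)
    return fingerprints


def is_hash_permitted(name):
    """True if this Python/OpenSSL build can initialise and use the hash."""
    return name in fingerprint_all(b"", [name])


def fingerprint_one(data, algorithm="sha256"):
    """Fingerprint with one explicitly chosen hash (the proposed option).

    Raises ValueError naming the algorithm when the runtime refuses it, so a
    FIPS failure points at the configuration rather than a bare backend error.
    """
    fingerprints = fingerprint_all(data, [algorithm])
    if algorithm not in fingerprints:
        raise ValueError("hash {0} is not permitted by this OpenSSL build".format(algorithm))
    return fingerprints[algorithm]


if __name__ == "__main__":
    # Default: everything the runtime allows; FIPS-disabled hashes are absent.
    for name, fp in sorted(fingerprint_all(SAMPLE_KEY_BYTES).items()):
        print("{0:<12} {1}".format(name, fp))
    # Proposed option: a single strong default, chosen by the caller.
    print("sha256 only:", fingerprint_one(SAMPLE_KEY_BYTES, "sha256"))
```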

openssl_pkcs12 parse action: always changed in check mode

SUMMARY

When dumping / parsing a PKCS#12 file in check mode the corresponding task always results in 'changed' state.

ISSUE TYPE
  • Bug Report
COMPONENT NAME
  • community.crypto.openssl_pkcs12
ANSIBLE VERSION
ansible 2.10.3
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.6/dist-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.6.9 (default, Oct  8 2020, 12:12:24) [GCC 8.4.0]

CONFIGURATION

OS / ENVIRONMENT
  • Ubuntu 20.04
STEPS TO REPRODUCE
- name: Generate an OpenSSL private key with the default values (4096 bits, RSA)
  community.crypto.openssl_privatekey:
    path: /etc/ssl/private/ansible.com.pem

- name: Generate an OpenSSL Certificate Signing Request
  community.crypto.openssl_csr:
    path: /etc/ssl/private/www.ansible.com.csr
    privatekey_path: /etc/ssl/private/ansible.com.pem
    common_name: www.ansible.com

- name: Generate a Self Signed OpenSSL certificate
  community.crypto.x509_certificate:
    path: /etc/ssl/private/ansible.com.crt
    privatekey_path: /etc/ssl/private/ansible.com.pem
    csr_path: /etc/ssl/private/www.ansible.com.csr
    provider: selfsigned

- name: Generate PKCS#12 file
  community.crypto.openssl_pkcs12:
    action: export
    path: /etc/ssl/private/ansible.p12
    friendly_name: raclette
    privatekey_path: /etc/ssl/private/ansible.com.pem
    certificate_path: /etc/ssl/private/ansible.com.crt
    state: present

- name: Dump/Parse PKCS#12 file
  community.crypto.openssl_pkcs12:
    action: parse
    src: /etc/ssl/private/ansible.p12
    path: /etc/ssl/private/ansible.pem
    state: present
EXPECTED RESULTS
    TASK [my_test : Dump/Parse PKCS#12 file] ***************************************
    ok: [instance]
ACTUAL RESULTS
    TASK [my_test : Dump/Parse PKCS#12 file] ***************************************
    changed: [instance]

Renaming master branch to main on Thursday, July 2nd

The Ansible team decided to rename the master branch in all Ansible-controlled collections to main (see ansible-collections/overview#83 and ansible-collections/overview#87 for history and more information). This also applies to community.crypto. My suggestion would be to do this now as well, before the 1.0.0 release, especially since the master branch is mentioned in the README (link to the changelog). We will change the branch for this repository tomorrow (Thursday, July 2nd) afternoon (Europe).

At https://github.com/ansible/community/wiki/Changing-the-git-default-branch-to-main#updating-local-clones you can find instructions on how to update your forks and local checkouts. If you have created a pull request, there is nothing you need to do - we will retarget the pull requests so they will get merged to master and not to main.

If you have questions, please reach out to us on #ansible-community (Freenode).

CC @abadger @Akasurde @Andersson007 @ctrufan @eric-belhomme @gundalow @jborean93 @lucc @MarkusTeufelberger @moreati @mulatinho @nkakouros-forks @puiterwijk @relrod @s-hertel @samccann @Shaps @Spredzy (you all forked this repository or are otherwise related to it)

Next release: 1.3.0

Planned changes (tentatively):

  • #117 openssh_cert: Implement use_agent option to get signing key from ssh-agent
  • #119 Refactor openssl_privatekey module, add openssl_privatekey_pipe module
  • #123 Refactor openssl_csr module, add openssl_csr_pipe module
  • #129 Allow to run x509_certificate selfsigned provider without providing a CSR
  • #131 acme modules: fix deprecation in documentation
  • #132 ECC curve list order
  • #134 Move action_module from module_utils to plugin_utils
  • #112 Run tests with macOS 10.15
  • #135 Refactor x509_certificate module, add x509_certificate_pipe module
  • #139 Improve error handling in support code for cryptography backend

luks_device: make key add/removal idempotent

SUMMARY
  • The new_keyfile currently adds a new key, no matter whether the key is already present or not.
  • The remove_keyfile currently dies when the key is not present.

To implement this properly (especially with #52371, allow_to_remove_last_key, in mind), we need a mechanism which can detect if a key is already there. If the device is closed, one could try to open it (and on success close it again); that would probably be an acceptable hack. That doesn't work when the device is already open, though.

(Migration of ansible/ansible#52409; existing PR ansible/ansible#65937, CC @mulatinho)

COMPONENT NAME

luks_device

ISSUE TYPE
  • Feature Idea

openssl_csr does not support non-hostname CN values

SUMMARY

PKI certs can be used for a variety of things beyond HTTPS servers. I need to be able to generate a certificate with system:kube-controller-manager as the common name. This is permitted by openssl, but blocked by this module. Since this is an inconsistency between openssl and this module, I'm calling it a bug.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

openssl_csr

ANSIBLE VERSION
ansible 2.9.11
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/myusername/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.8/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.8.5 (default, Jul 27 2020, 08:42:51) [GCC 10.1.0
CONFIGURATION
(blank output)
OS / ENVIRONMENT

Amazon Linux 2
OpenSSL 1.0.2k-fips 26 Jan 2017

STEPS TO REPRODUCE

Try to generate a certificate that contains a non-hostname value as the common name.

- name: Generate CSRs
  become: true
  register: gen_csr
  openssl_csr:
    path: /etc/kubernetes/pki/kube-controller-manager.csr
    privatekey_path: /etc/kubernetes/pki/kube-controller-manager-key.pem
    CN: "system:kube-controller-manager"
    O: "system:kube-controller-manager"
    C: CA
    ST: My Province
    L: My City
    OU: My Business Unit
EXPECTED RESULTS

A new cert is generated with system:kube-controller-manager as the common name.

ACTUAL RESULTS

The task fails

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: idna.core.IDNAError: The label system:kube-controller-manager is not a valid A-label
fatal: [myhost.example.com]: FAILED! => {"changed": false, "module_stderr": "Shared connection to myhost.example.com closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n  File \"/home/ec2-user/.ansible/tmp/ansible-tmp-1599257775.4836168-3939543-279353330847410/AnsiballZ_openssl_csr.py\", line 102, in <module>\r\n    _ansiballz_main()\r\n  File \"/home/ec2-user/.ansible/tmp/ansible-tmp-1599257775.4836168-3939543-279353330847410/AnsiballZ_openssl_csr.py\", line 94, in _ansiballz_main\r\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n  File \"/home/ec2-user/.ansible/tmp/ansible-tmp-1599257775.4836168-3939543-279353330847410/AnsiballZ_openssl_csr.py\", line 40, in invoke_module\r\n    runpy.run_module(mod_name='ansible.modules.crypto.openssl_csr', init_globals=None, run_name='__main__', alter_sys=True)\r\n  File \"/usr/lib64/python2.7/runpy.py\", line 188, in run_module\r\n    fname, loader, pkg_name)\r\n  File \"/usr/lib64/python2.7/runpy.py\", line 82, in _run_module_code\r\n    mod_name, mod_fname, mod_loader, pkg_name)\r\n  File \"/usr/lib64/python2.7/runpy.py\", line 72, in _run_code\r\n    exec code in run_globals\r\n  File \"/tmp/ansible_openssl_csr_payload_C13PE_/ansible_openssl_csr_payload.zip/ansible/modules/crypto/openssl_csr.py\", line 1105, in <module>\r\n  File \"/tmp/ansible_openssl_csr_payload_C13PE_/ansible_openssl_csr_payload.zip/ansible/modules/crypto/openssl_csr.py\", line 1088, in main\r\n  File \"/tmp/ansible_openssl_csr_payload_C13PE_/ansible_openssl_csr_payload.zip/ansible/modules/crypto/openssl_csr.py\", line 541, in generate\r\n  File \"/tmp/ansible_openssl_csr_payload_C13PE_/ansible_openssl_csr_payload.zip/ansible/modules/crypto/openssl_csr.py\", line 834, in _generate_csr\r\n  File \"/usr/lib64/python2.7/site-packages/cryptography/x509/base.py\", line 393, in sign\r\n    return backend.create_x509_csr(self, private_key, algorithm)\r\n  File \"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py\", line 395, in create_x509_csr\r\n    return b.create_x509_csr(builder, private_key, algorithm)\r\n  File \"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py\", line 793, in create_x509_csr\r\n    gc=False\r\n  File \"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py\", line 1009, in _create_x509_extensions\r\n    handlers, extension\r\n  File \"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py\", line 1040, in _create_x509_extension\r\n    ext_struct = encode(self, extension.value)\r\n  File \"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/encode_asn1.py\", line 359, in _encode_alt_name\r\n    general_names = _encode_general_names(backend, san)\r\n  File \"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/encode_asn1.py\", line 351, in _encode_general_names\r\n    gn = _encode_general_name(backend, name)\r\n  File \"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/encode_asn1.py\", line 387, in _encode_general_name\r\n    value = _idna_encode(name.value)\r\n  File \"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/encode_asn1.py\", line 376, in _idna_encode\r\n    return idna.encode(value)\r\n  File \"/usr/lib/python2.7/site-packages/idna/core.py\", line 355, in encode\r\n    result.append(alabel(label))\r\n  File \"/usr/lib/python2.7/site-packages/idna/core.py\", line 265, in alabel\r\n    raise IDNAError('The label {0} is not a valid A-label'.format(label))\r\nidna.core.IDNAError: The label system:kube-controller-manager is not a valid A-label\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

Can't use acme_certificate/account_key_content in ansible-vault

SUMMARY

First of all I like the approach to use ansible as acme client.
Unfortunately I can't store my private account key in an ansible-vault var.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

I used the stuff around acme_*.

ANSIBLE VERSION
ansible 2.10.2
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/x70b1/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.8/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.8.6 (default, Sep 30 2020, 04:00:38) [GCC 10.2.0]
STEPS TO REPRODUCE

I will use acme_account here to create a new account. I have seen the problem on all other acme parts too.
The following task works. I created a RSA key, replaced all line breaks with \n and included it as one line at account_key_content. The example has a shortened line.

    - name: "Create my account"
      community.crypto.acme_account:
        acme_version: 2
        acme_directory: https://acme-v02.api.letsencrypt.org/directory
        account_key_content: "-----BEGIN RSA PRIVATE KEY-----\nMIIJKQ .......... DQkKX\n-----END RSA PRIVATE KEY-----\n"
        state: present
        terms_agreed: yes
        contact:
          - mailto:[email protected]

After that was working I wanted to move it to my vault. The new task is:

    - name: "Create my account"
      community.crypto.acme_account:
        acme_version: 2
        acme_directory: https://acme-v02.api.letsencrypt.org/directory
        account_key_content: "{{ vault_letsencrypt_key }}"
        state: present
        terms_agreed: yes
        contact:
          - mailto:[email protected]

My specific vault file:

vault_letsencrypt_key: -----BEGIN RSA PRIVATE KEY-----\nMIIJKQ ......
EXPECTED RESULTS

It should work. I know that I could also encrypt the RSA key as file (I have not tested this yet).

ACTUAL RESULTS

I got msg: error while parsing account key: error while loading key: Could not deserialize key data..
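A check worth running for the symptom above, as an added example that is neither the collection's nor the reporter's code: in YAML, a double-quoted scalar turns `\n` into a newline, while an unquoted scalar like the vault line shown keeps the backslash and the n literally, so the key reaches the module as one line with `\n` in it. The function names and the filler PEM body below are constructed for this illustration.

```python
import base64
import binascii
import re

# Constructed sample: what a loader receives when the vault scalar is not
# double-quoted, so the two characters '\' and 'n' survive instead of newlines.
# The base64 body is filler, not key material.
LITERAL_BACKSLASH_N = (
    "-----BEGIN RSA PRIVATE KEY-----\\nQUJDREVGR0hJSktMTU5PUA==\\n"
    "-----END RSA PRIVATE KEY-----\\n"
)

# One PEM block: BEGIN line, base64 body lines, END line with the same label.
_PEM_RE = re.compile(
    r"^-----BEGIN (?P<label>[A-Z ]+)-----\n(?P<body>[A-Za-z0-9+/=\n]+)\n"
    r"-----END (?P=label)-----\n?$"
)


def normalize_pem(text):
    """Turn literal backslash-n sequences and CRLF line ends into real LF."""
    return text.replace("\\n", "\n").replace("\r\n", "\n")


def pem_problem(text):
    """Return None when text is a well-framed PEM block, else a diagnosis.

    Only the envelope and base64 framing are checked: this says nothing about
    whether the key material inside is valid or usable.
    """
    if "\\n" in text:
        return "contains literal backslash-n: double-quote the YAML scalar or use a | block scalar"
    match = _PEM_RE.match(text)
    if not match:
        return "missing or mismatched BEGIN/END lines"
    try:
        base64.b64decode(match.group("body").replace("\n", ""), validate=True)
    except binascii.Error:
        return "body is not valid base64"
    return None


if __name__ == "__main__":
    print("as stored:  ", pem_problem(LITERAL_BACKSLASH_N))
    print("normalized: ", pem_problem(normalize_pem(LITERAL_BACKSLASH_N)))
```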

The 2.0.0 Release

The 2.0.0 release will happen in the future. The main target(s):

  • #273 Remove PyOpenSSL backends wherever possible
  • #287 Remove vendored ipaddress in module_utils.
  • #274 Make dirName parsing / outputting more conformant to RFC4514
  • #289 Remove assertonly certificate backend
  • #290 Remove other deprecated features scheduled for removal in 2.0.0

Timeframe: September/October 2021, 2.0.0 needs to be released by 2021-11-08 (https://github.com/ansible/ansible/blob/devel/docs/docsite/rst/roadmap/COLLECTIONS_5.rst).

Make it possible to generate a certificate, with ACME, without exporting the account’s private key to the target machine.

SUMMARY

Make it possible to generate a certificate, with ACME, without exporting the account’s private key to the target machine.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

acme_certificate

ADDITIONAL INFORMATION

I’m willing to use ansible to create certificates on server installation, and then to renew them.

I have an ACME account with a CA that uses external account binding. That account is pre-authorized for the domain I manage and its subdomains.

I am concerned that acme_certificate, as I understand it, would export the account’s private key to any target that needs a certificate. Some targets have low trust, or might have been compromised. I’d rather not take the risk to have my account’s private key compromised, as the attacker might then be able to get certificates for any name of my domain.

I think it would be great if it were possible for the acme_certificate module to perform the required signatures on the ansible server rather than on the target. As I understand it, this would require rewriting that module as an Action plug-in.

Any opinion on this?

openssl_pkcs12: add cryptography backend

SUMMARY

The openssl_pkcs12 module should support a cryptography backend, so PyOpenSSL can be deprecated / removed eventually. Currently cryptography does not support PKCS12, though, so some preliminary work on adding PKCS12 support to cryptography is needed. Also, this means that deprecating the PyOpenSSL backend would need to be done much later than for other modules, since a new enough cryptography supporting the new features (which aren't there yet) will take some years to trickle through.

(Migration of ansible/ansible#59905)

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

openssl_pkcs12

Require Ansible 2.9.10+ and add deprecation notices to modules

SUMMARY

We should somehow (ideally in some standard way - galaxy.yml?) require at least Ansible >=2.9.10 so we can add the correct information to module deprecation notices.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

All modules in here

ADDITIONAL INFORMATION

Currently the sanity tests have to include ignores for pylint:ansible-deprecated-no-collection-name - this can be dropped and the necessary info added when we add a requirement for 2.9.10+.
