' + + '' + + _("Hide Search Matches") + + "
" + ) + ); + }, + + /** + * helper function to hide the search marks again + */ + hideSearchWords: () => { + document + .querySelectorAll("#searchbox .highlight-link") + .forEach((el) => el.remove()); + document + .querySelectorAll("span.highlighted") + .forEach((el) => el.classList.remove("highlighted")); + localStorage.removeItem("sphinx_highlight_terms") + }, + + initEscapeListener: () => { + // only install a listener if it is really needed + if (!DOCUMENTATION_OPTIONS.ENABLE_SEARCH_SHORTCUTS) return; + + document.addEventListener("keydown", (event) => { + // bail for input elements + if (BLACKLISTED_KEY_CONTROL_ELEMENTS.has(document.activeElement.tagName)) return; + // bail with special keys + if (event.shiftKey || event.altKey || event.ctrlKey || event.metaKey) return; + if (DOCUMENTATION_OPTIONS.ENABLE_SEARCH_SHORTCUTS && (event.key === "Escape")) { + SphinxHighlight.hideSearchWords(); + event.preventDefault(); + } + }); + }, +}; + +_ready(() => { + /* Do not call highlightSearchWords() when we are on the search page. + * It will highlight words from the *previous* search query. + */ + if (typeof Search === "undefined") SphinxHighlight.highlightSearchWords(); + SphinxHighlight.initEscapeListener(); +}); diff --git a/tag/2.18.0/acme_account_facts_module.html b/tag/2.18.0/acme_account_facts_module.html new file mode 100644 index 000000000..3a6582f5a --- /dev/null +++ b/tag/2.18.0/acme_account_facts_module.html @@ -0,0 +1,194 @@ + + + + + + + +
+ Note
+This plugin was part of the community.crypto collection (version 2.18.0).
+This module has been removed +in version 2.0.0 of community.crypto. +The ‘community.crypto.acme_account_facts’ module has been renamed to ‘community.crypto.acme_account_info’.
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.acme_account_info.
Allows to retrieve information on accounts a CA supporting the ACME protocol, such as Let’s Encrypt.
This module only works with the ACME v2 protocol.
The below requirements are needed on the host that executes this module.
+either openssl or cryptography >= 1.5
ipaddress
Parameter |
+Comments |
+
|---|---|
| + | Content of the ACME account RSA or Elliptic Curve key. +Mutually exclusive with Required if Warning: the content will be written into a temporary file, which will be deleted by Ansible when the module completes. Since this is an important private key — it can be used to change the account key, or to revoke your certificates without knowing their private keys —, this might not be acceptable. +In case |
+
| + | Phassphrase to use to decode the account key. +Note: this is not supported by the |
+
| + | Path to a file containing the ACME account RSA or Elliptic Curve key. +Private keys can be created with the community.crypto.openssl_privatekey or community.crypto.openssl_privatekey_pipe modules. If the requisite (cryptography) is not available, keys can also be created directly with the Mutually exclusive with Required if |
+
| + | If specified, assumes that the account URI is as given. If the account key does not match this account, or an account with this URI does not exist, the module fails. + |
+
| + | The ACME directory to use. This is the entry point URL to access the ACME CA server API. +For safety reasons the default is set to the Let’s Encrypt staging server (for the ACME v1 protocol). This will create technically correct, but untrusted certificates. +For Let’s Encrypt, all staging endpoints can be found here: https://letsencrypt.org/docs/staging-environment/. For Buypass, all endpoints can be found here: https://community.buypass.com/t/63d4ay/buypass-go-ssl-endpoints +For Let’s Encrypt, the production directory URL for ACME v2 is https://acme-v02.api.letsencrypt.org/directory. +For Buypass, the production directory URL for ACME v2 and v1 is https://api.buypass.com/acme/directory. +For ZeroSSL, the production directory URL for ACME v2 is https://acme.zerossl.com/v2/DV90. +For Sectigo, the production directory URL for ACME v2 is https://acme-qa.secure.trust-provider.com/v2/DV. +The notes for this module contain a list of ACME services this module has been tested against. + |
+
| + | The ACME version of the endpoint. +Must be The value Choices: +
|
+
| + | The time Ansible should wait for a response from the ACME API. +This timeout is applied to all HTTP(S) requests (HEAD, GET, POST). +Default: |
+
| + | Whether to retrieve the list of order URLs or order objects, if provided by the ACME server. +A value of If the value is not Currently, Let’s Encrypt does not return orders, so the Choices: +
|
+
| + | Determines which crypto backend to use. +The default choice is If set to If set to Choices: +
|
+
| + | Whether calls to the ACME directory will validate TLS certificates. +Warning: Should only ever be set to Choices: +
|
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Action groups: community.crypto.acme, acme + |
+Use |
+
| + | Support: full +This action does not modify state. + |
+Can run in |
+
| + | Support: N/A +This action does not modify state. + |
+Will return details on what has changed (or possibly needs changing in |
+
Note
+The community.crypto.acme_account module allows to modify, create and delete ACME accounts.
This module was called acme_account_facts before Ansible 2.8. The usage did not change.
If a new enough version of the cryptography library is available (see Requirements for details), it will be used instead of the openssl binary. This can be explicitly disabled or enabled with the select_crypto_backend option. Note that using the openssl binary will be slower and less secure, as private key contents always have to be stored on disk (see account_key_content).
Although the defaults are chosen so that the module can be used with the Let’s Encrypt CA, the module can in principle be used with any CA providing an ACME endpoint, such as Buypass Go SSL.
So far, the ACME modules have only been tested by the developers against Let’s Encrypt (staging and production), Buypass (staging and production), ZeroSSL (production), and Pebble testing server. We have got community feedback that they also work with Sectigo ACME Service for InCommon. If you experience problems with another ACME server, please create an issue to help us supporting it. Feedback that an ACME server not mentioned does work is also appreciated.
See also
+Allows to create, modify or delete an ACME account.
+- name: Check whether an account with the given account key exists
+ community.crypto.acme_account_info:
+ account_key_src: /etc/pki/cert/private/account.key
+ register: account_data
+- name: Verify that account exists
+ ansible.builtin.assert:
+ that:
+ - account_data.exists
+- name: Print account URI
+ ansible.builtin.debug:
+ var: account_data.account_uri
+- name: Print account contacts
+ ansible.builtin.debug:
+ var: account_data.account.contact
+
+- name: Check whether the account exists and is accessible with the given account key
+ acme_account_info:
+ account_key_content: "{{ acme_account_key }}"
+ account_uri: "{{ acme_account_uri }}"
+ register: account_data
+- name: Verify that account exists
+ ansible.builtin.assert:
+ that:
+ - account_data.exists
+- name: Print account contacts
+ ansible.builtin.debug:
+ var: account_data.account.contact
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | The account information, as retrieved from the ACME server. +Returned: if account exists + |
+
| + | the challenge resource that must be created for validation +Returned: always +Sample: |
+
| + | A URL where a list of orders can be retrieved for this account. +Use the Returned: always +Sample: |
+
| + | the public account key as a JSON Web Key. +Returned: always +Sample: |
+
| + | the account’s status +Returned: always +Can only return: +
Sample: |
+
| + | ACME account URI, or None if account does not exist. +Returned: always + |
+
| + | Whether the account exists. +Returned: always + |
+
| + | The list of orders. +If If Returned: if account exists, |
+
| + | The list of orders. +Returned: if account exists, |
+
| + | A list of URLs for authorizations for this order. +Returned: success + |
+
| + | The URL for retrieving the certificate. +Returned: when certificate was issued + |
+
| + | In case an error occurred during processing, this contains information about the error. +The field is structured as a problem document (RFC7807). +Returned: when an error occurred + |
+
| + | When the order expires. +Timestamp should be formatted as described in RFC3339. +Only required to be included in result when Returned: when server gives expiry date + |
+
| + | A URL used for finalizing an ACME order. +Returned: success + |
+
| + | List of identifiers this order is for. +Returned: success + |
+
| + | Type of identifier. +Returned: success +Can only return: +
|
+
| + | Name of identifier. Hostname or IP address. +Returned: success + |
+
| + | Whether Returned: required to be included if the identifier is wildcarded + |
+
| + | The requested value of the Date should be formatted as described in RFC3339. +Server is not required to return this. +Returned: when server returns this + |
+
| + | The requested value of the Date should be formatted as described in RFC3339. +Server is not required to return this. +Returned: when server returns this + |
+
| + | The order’s status. +Returned: success +Can only return: +
|
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.acme_account.
Allows to create, modify or delete accounts with a CA supporting the ACME protocol, such as Let’s Encrypt.
This module only works with the ACME v2 protocol.
The below requirements are needed on the host that executes this module.
+either openssl or cryptography >= 1.5
ipaddress
Parameter |
+Comments |
+
|---|---|
| + | Content of the ACME account RSA or Elliptic Curve key. +Mutually exclusive with Required if Warning: the content will be written into a temporary file, which will be deleted by Ansible when the module completes. Since this is an important private key — it can be used to change the account key, or to revoke your certificates without knowing their private keys —, this might not be acceptable. +In case |
+
| + | Phassphrase to use to decode the account key. +Note: this is not supported by the |
+
| + | Path to a file containing the ACME account RSA or Elliptic Curve key. +Private keys can be created with the community.crypto.openssl_privatekey or community.crypto.openssl_privatekey_pipe modules. If the requisite (cryptography) is not available, keys can also be created directly with the Mutually exclusive with Required if |
+
| + | If specified, assumes that the account URI is as given. If the account key does not match this account, or an account with this URI does not exist, the module fails. + |
+
| + | The ACME directory to use. This is the entry point URL to access the ACME CA server API. +For safety reasons the default is set to the Let’s Encrypt staging server (for the ACME v1 protocol). This will create technically correct, but untrusted certificates. +For Let’s Encrypt, all staging endpoints can be found here: https://letsencrypt.org/docs/staging-environment/. For Buypass, all endpoints can be found here: https://community.buypass.com/t/63d4ay/buypass-go-ssl-endpoints +For Let’s Encrypt, the production directory URL for ACME v2 is https://acme-v02.api.letsencrypt.org/directory. +For Buypass, the production directory URL for ACME v2 and v1 is https://api.buypass.com/acme/directory. +For ZeroSSL, the production directory URL for ACME v2 is https://acme.zerossl.com/v2/DV90. +For Sectigo, the production directory URL for ACME v2 is https://acme-qa.secure.trust-provider.com/v2/DV. +The notes for this module contain a list of ACME services this module has been tested against. + |
+
| + | The ACME version of the endpoint. +Must be The value Choices: +
|
+
| + | Whether account creation is allowed (when state is Choices: +
|
+
| + | A list of contact URLs. +Email addresses must be prefixed with See https://tools.ietf.org/html/rfc8555#section-7.3 for what is allowed. +Must be specified when state is Default: |
+
| + | Allows to provide external account binding data during account creation. +This is used by CAs like Sectigo to bind a new ACME account to an existing CA-specific account, to be able to properly identify a customer. +Only used when creating a new account. Can not be specified for ACME v1. + |
+
| + | The MAC algorithm provided by the CA. +If not specified by the CA, this is probably Choices: +
|
+
| + | Base64 URL encoded value of the MAC key provided by the CA. +Padding ( |
+
| + | The key identifier provided by the CA. + |
+
| + | Content of the ACME account RSA or Elliptic Curve key to change to. +Same restrictions apply as to Mutually exclusive with Required if |
+
| + | Phassphrase to use to decode the new account key. +Note: this is not supported by the |
+
| + | Path to a file containing the ACME account RSA or Elliptic Curve key to change to. +Same restrictions apply as to Mutually exclusive with Required if |
+
| + | The time Ansible should wait for a response from the ACME API. +This timeout is applied to all HTTP(S) requests (HEAD, GET, POST). +Default: |
+
| + | Determines which crypto backend to use. +The default choice is If set to If set to Choices: +
|
+
| + | The state of the account, to be identified by its account key. +If the state is If the state is Choices: +
|
+
| + | Boolean indicating whether you agree to the terms of service document. +ACME servers can require this to be Choices: +
|
+
| + | Whether calls to the ACME directory will validate TLS certificates. +Warning: Should only ever be set to Choices: +
|
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Action groups: community.crypto.acme, acme + |
+Use |
+
| + | Support: full + |
+Can run in |
+
| + | Support: full + |
+Will return details on what has changed (or possibly needs changing in |
+
Note
+The community.crypto.acme_certificate module also allows to do basic account management. When using both modules, it is recommended to disable account management for community.crypto.acme_certificate. For that, use the modify_account option of community.crypto.acme_certificate.
If a new enough version of the cryptography library is available (see Requirements for details), it will be used instead of the openssl binary. This can be explicitly disabled or enabled with the select_crypto_backend option. Note that using the openssl binary will be slower and less secure, as private key contents always have to be stored on disk (see account_key_content).
Although the defaults are chosen so that the module can be used with the Let’s Encrypt CA, the module can in principle be used with any CA providing an ACME endpoint, such as Buypass Go SSL.
So far, the ACME modules have only been tested by the developers against Let’s Encrypt (staging and production), Buypass (staging and production), ZeroSSL (production), and Pebble testing server. We have got community feedback that they also work with Sectigo ACME Service for InCommon. If you experience problems with another ACME server, please create an issue to help us supporting it. Feedback that an ACME server not mentioned does work is also appreciated.
See also
+The specification of the ACME protocol (RFC 8555).
+Retrieves facts about an ACME account.
+Can be used to create a private account key.
+Can be used to create a private account key without writing it to disk.
+Allows to debug problems.
+- name: Make sure account exists and has given contacts. We agree to TOS.
+ community.crypto.acme_account:
+ account_key_src: /etc/pki/cert/private/account.key
+ state: present
+ terms_agreed: true
+ contact:
+ - mailto:me@example.com
+ - mailto:myself@example.org
+
+- name: Make sure account has given email address. Do not create account if it does not exist
+ community.crypto.acme_account:
+ account_key_src: /etc/pki/cert/private/account.key
+ state: present
+ allow_creation: false
+ contact:
+ - mailto:me@example.com
+
+- name: Change account's key to the one stored in the variable new_account_key
+ community.crypto.acme_account:
+ account_key_src: /etc/pki/cert/private/account.key
+ new_account_key_content: '{{ new_account_key }}'
+ state: changed_key
+
+- name: Delete account (we have to use the new key)
+ community.crypto.acme_account:
+ account_key_content: '{{ new_account_key }}'
+ state: absent
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | ACME account URI, or None if account does not exist. +Returned: always + |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.acme_certificate.
Create and renew SSL/TLS certificates with a CA supporting the ACME protocol, such as Let’s Encrypt or Buypass. The current implementation supports the http-01, dns-01 and tls-alpn-01 challenges.
To use this module, it has to be executed twice. Either as two different tasks in the same run or during two runs. Note that the output of the first run needs to be recorded and passed to the second run as the module argument data.
Between these two tasks you have to fulfill the required steps for the chosen challenge by whatever means necessary. For http-01 that means creating the necessary challenge file on the destination webserver. For dns-01 the necessary dns record has to be created. For tls-alpn-01 the necessary certificate has to be created and served. It is not the responsibility of this module to perform these steps.
For details on how to fulfill these challenges, you might have to read through the main ACME specification and the TLS-ALPN-01 specification. Also, consider the examples provided for this module.
The module includes experimental support for IP identifiers according to the RFC 8738.
The below requirements are needed on the host that executes this module.
+either openssl or cryptography >= 1.5
ipaddress
Parameter |
+Comments |
+
|---|---|
| + | The email address associated with this account. +It will be used for certificate expiration warnings. +Note that when |
+
| + | Content of the ACME account RSA or Elliptic Curve key. +Mutually exclusive with Required if Warning: the content will be written into a temporary file, which will be deleted by Ansible when the module completes. Since this is an important private key — it can be used to change the account key, or to revoke your certificates without knowing their private keys —, this might not be acceptable. +In case |
+
| + | Phassphrase to use to decode the account key. +Note: this is not supported by the |
+
| + | Path to a file containing the ACME account RSA or Elliptic Curve key. +Private keys can be created with the community.crypto.openssl_privatekey or community.crypto.openssl_privatekey_pipe modules. If the requisite (cryptography) is not available, keys can also be created directly with the Mutually exclusive with Required if |
+
| + | If specified, assumes that the account URI is as given. If the account key does not match this account, or an account with this URI does not exist, the module fails. + |
+
| + | The ACME directory to use. This is the entry point URL to access the ACME CA server API. +For safety reasons the default is set to the Let’s Encrypt staging server (for the ACME v1 protocol). This will create technically correct, but untrusted certificates. +For Let’s Encrypt, all staging endpoints can be found here: https://letsencrypt.org/docs/staging-environment/. For Buypass, all endpoints can be found here: https://community.buypass.com/t/63d4ay/buypass-go-ssl-endpoints +For Let’s Encrypt, the production directory URL for ACME v2 is https://acme-v02.api.letsencrypt.org/directory. +For Buypass, the production directory URL for ACME v2 and v1 is https://api.buypass.com/acme/directory. +For ZeroSSL, the production directory URL for ACME v2 is https://acme.zerossl.com/v2/DV90. +For Sectigo, the production directory URL for ACME v2 is https://acme-qa.secure.trust-provider.com/v2/DV. +The notes for this module contain a list of ACME services this module has been tested against. + |
+
| + | The ACME version of the endpoint. +Must be The value Choices: +
|
+
| + | URI to a terms of service document you agree to when using the ACME v1 service at Default is latest gathered from This option will only be used when |
+
| + | If specified, the intermediate certificate will be written to this file. + |
+
| + | The challenge to be performed. +If set to Choices: +
|
+
| + | File containing the CSR for the new certificate. +Can be created with community.crypto.openssl_csr or The CSR may contain multiple Subject Alternate Names, but each one will lead to an individual challenge that must be fulfilled for the CSR to be signed. +Note: the private key used to create the CSR must not be the account key. This is a bad idea from a security point of view, and the CA should not accept the CSR. The ACME server should return an error in this case. +Precisely one of |
+
| + | Content of the CSR for the new certificate. +Can be created with community.crypto.openssl_csr_pipe or The CSR may contain multiple Subject Alternate Names, but each one will lead to an individual challenge that must be fulfilled for the CSR to be signed. +Note: the private key used to create the CSR must not be the account key. This is a bad idea from a security point of view, and the CA should not accept the CSR. The ACME server should return an error in this case. +Precisely one of |
+
| + | The data to validate ongoing challenges. This must be specified for the second run of the module only. +The value that must be used here will be provided by a previous use of this module. See the examples for more details. +Note that for ACME v2, only the Note: the |
+
| + | Deactivate authentication objects (authz) after issuing a certificate, or when issuing the certificate failed. +Authentication objects are bound to an account key and remain valid for a certain amount of time, and can be used to issue certificates without having to re-authenticate the domain. This can be a security concern. +Choices: +
|
+
| + | The destination file for the certificate. +Required if |
+
| + | Enforces the execution of the challenge and validation, even if an existing certificate is still valid for more than This is especially helpful when having an updated CSR, for example with additional domains for which a new certificate is desired. +Choices: +
|
+
| + | The destination file for the full chain (that is, a certificate followed by chain of intermediate certificates). +Required if |
+
| + | Boolean indicating whether the module should create the account if necessary, and update its contact data. +Set to If set to Choices: +
|
+
| + | The number of days the certificate must have left being valid. If To make sure that the certificate is renewed in any case, you can use the Default: |
+
| + | The time Ansible should wait for a response from the ACME API. +This timeout is applied to all HTTP(S) requests (HEAD, GET, POST). +Default: |
+
| + | When set to Choices: +
|
+
| + | Allows to specify criteria by which an (alternate) trust chain can be selected. +The list of criteria will be processed one by one until a chain is found matching a criterium. If such a chain is found, it will be used by the module instead of the default chain. +If a criterium matches multiple chains, the first one matching will be returned. The order is determined by the ordering of the Every criterium can consist of multiple different conditions, like This option can only be used with the |
+
| + | Checks for the AuthorityKeyIdentifier extension. This is an identifier based on the private key of the issuer of the intermediate certificate. +The identifier must be of the form |
+
| + | Allows to specify parts of the issuer of a certificate in the chain must have to be selected. +If An example value would be |
+
| + | Allows to specify parts of the subject of a certificate in the chain must have to be selected. +If An example value would be |
+
| + | Checks for the SubjectKeyIdentifier extension. This is an identifier based on the private key of the intermediate certificate. +The identifier must be of the form |
+
| + | Determines which certificates in the chain will be tested. +
Choices: +
|
+
| + | Determines which crypto backend to use. +The default choice is If set to If set to Choices: +
|
+
| + | Boolean indicating whether you agree to the terms of service document. +ACME servers can require this to be true. +This option will only be used when Choices: +
|
+
| + | Whether calls to the ACME directory will validate TLS certificates. +Warning: Should only ever be set to Choices: +
|
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Action groups: community.crypto.acme, acme + |
+Use |
+
| + | Support: full + |
+Can run in |
+
| + | Support: none + |
+Will return details on what has changed (or possibly needs changing in |
+
| + | Support: full + |
+Uses Ansible’s strict file operation functions to ensure proper permissions and avoid data corruption. + |
+
Note
+At least one of dest and fullchain_dest must be specified.
This module includes basic account management functionality. If you want to have more control over your ACME account, use the community.crypto.acme_account module and disable account management for this module using the modify_account option.
This module was called letsencrypt before Ansible 2.6. The usage did not change.
If a new enough version of the cryptography library is available (see Requirements for details), it will be used instead of the openssl binary. This can be explicitly disabled or enabled with the select_crypto_backend option. Note that using the openssl binary will be slower and less secure, as private key contents always have to be stored on disk (see account_key_content).
Although the defaults are chosen so that the module can be used with the Let’s Encrypt CA, the module can in principle be used with any CA providing an ACME endpoint, such as Buypass Go SSL.
So far, the ACME modules have only been tested by the developers against Let’s Encrypt (staging and production), Buypass (staging and production), ZeroSSL (production), and Pebble testing server. We have got community feedback that they also work with Sectigo ACME Service for InCommon. If you experience problems with another ACME server, please create an issue to help us supporting it. Feedback that an ACME server not mentioned does work is also appreciated.
See also
+Documentation for the Let’s Encrypt Certification Authority. Provides useful information for example on rate limits.
+Documentation for the Buypass Certification Authority. Provides useful information for example on rate limits.
+The specification of the ACME protocol (RFC 8555).
+The specification of the tls-alpn-01 challenge (RFC 8737).
Helps preparing tls-alpn-01 challenges.
Can be used to create private keys (both for certificates and accounts).
+Can be used to create private keys without writing it to disk (both for certificates and accounts).
+Can be used to create a Certificate Signing Request (CSR).
+Can be used to create a Certificate Signing Request (CSR) without writing it to disk.
+Allows to find the root certificate for the returned fullchain.
+Allows to revoke certificates.
+Allows to create, modify or delete an ACME account.
+Allows to debug problems.
+### Example with HTTP challenge ###
+
+- name: Create a challenge for sample.com using a account key from a variable.
+ community.crypto.acme_certificate:
+ account_key_content: "{{ account_private_key }}"
+ csr: /etc/pki/cert/csr/sample.com.csr
+ dest: /etc/httpd/ssl/sample.com.crt
+ register: sample_com_challenge
+
+# Alternative first step:
+- name: Create a challenge for sample.com using a account key from Hashi Vault.
+ community.crypto.acme_certificate:
+ account_key_content: >-
+ {{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/account_private_key:value') }}
+ csr: /etc/pki/cert/csr/sample.com.csr
+ fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt
+ register: sample_com_challenge
+
+# Alternative first step:
+- name: Create a challenge for sample.com using a account key file.
+ community.crypto.acme_certificate:
+ account_key_src: /etc/pki/cert/private/account.key
+ csr_content: "{{ lookup('file', '/etc/pki/cert/csr/sample.com.csr') }}"
+ dest: /etc/httpd/ssl/sample.com.crt
+ fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt
+ register: sample_com_challenge
+
+# perform the necessary steps to fulfill the challenge
+# for example:
+#
+# - name: Copy http-01 challenge for sample.com
+# ansible.builtin.copy:
+# dest: /var/www/html/{{ sample_com_challenge['challenge_data']['sample.com']['http-01']['resource'] }}
+# content: "{{ sample_com_challenge['challenge_data']['sample.com']['http-01']['resource_value'] }}"
+# when: sample_com_challenge is changed and 'sample.com' in sample_com_challenge['challenge_data']
+#
+# Alternative way:
+#
+# - name: Copy http-01 challenges
+# ansible.builtin.copy:
+# dest: /var/www/{{ item.key }}/{{ item.value['http-01']['resource'] }}
+# content: "{{ item.value['http-01']['resource_value'] }}"
+# loop: "{{ sample_com_challenge.challenge_data | dict2items }}"
+# when: sample_com_challenge is changed
+
+- name: Let the challenge be validated and retrieve the cert and intermediate certificate
+ community.crypto.acme_certificate:
+ account_key_src: /etc/pki/cert/private/account.key
+ csr: /etc/pki/cert/csr/sample.com.csr
+ dest: /etc/httpd/ssl/sample.com.crt
+ fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt
+ chain_dest: /etc/httpd/ssl/sample.com-intermediate.crt
+ data: "{{ sample_com_challenge }}"
+
+### Example with DNS challenge against production ACME server ###
+
+- name: Create a challenge for sample.com using a account key file.
+ community.crypto.acme_certificate:
+ account_key_src: /etc/pki/cert/private/account.key
+ account_email: myself@sample.com
+ src: /etc/pki/cert/csr/sample.com.csr
+ cert: /etc/httpd/ssl/sample.com.crt
+ challenge: dns-01
+ acme_directory: https://acme-v01.api.letsencrypt.org/directory
+ # Renew if the certificate is at least 30 days old
+ remaining_days: 60
+ register: sample_com_challenge
+
+# perform the necessary steps to fulfill the challenge
+# for example:
+#
+# - name: Create DNS record for sample.com dns-01 challenge
+# community.aws.route53:
+# zone: sample.com
+# record: "{{ sample_com_challenge.challenge_data['sample.com']['dns-01'].record }}"
+# type: TXT
+# ttl: 60
+# state: present
+# wait: true
+# # Note: route53 requires TXT entries to be enclosed in quotes
+# value: "{{ sample_com_challenge.challenge_data['sample.com']['dns-01'].resource_value | regex_replace('^(.*)$', '\"\\1\"') }}"
+# when: sample_com_challenge is changed and 'sample.com' in sample_com_challenge.challenge_data
+#
+# Alternative way:
+#
+# - name: Create DNS records for dns-01 challenges
+# community.aws.route53:
+# zone: sample.com
+# record: "{{ item.key }}"
+# type: TXT
+# ttl: 60
+# state: present
+# wait: true
+# # Note: item.value is a list of TXT entries, and route53
+# # requires every entry to be enclosed in quotes
+# value: "{{ item.value | map('regex_replace', '^(.*)$', '\"\\1\"' ) | list }}"
+# loop: "{{ sample_com_challenge.challenge_data_dns | dict2items }}"
+# when: sample_com_challenge is changed
+
+- name: Let the challenge be validated and retrieve the cert and intermediate certificate
+ community.crypto.acme_certificate:
+ account_key_src: /etc/pki/cert/private/account.key
+ account_email: myself@sample.com
+ src: /etc/pki/cert/csr/sample.com.csr
+ cert: /etc/httpd/ssl/sample.com.crt
+ fullchain: /etc/httpd/ssl/sample.com-fullchain.crt
+ chain: /etc/httpd/ssl/sample.com-intermediate.crt
+ challenge: dns-01
+ acme_directory: https://acme-v01.api.letsencrypt.org/directory
+ remaining_days: 60
+ data: "{{ sample_com_challenge }}"
+ when: sample_com_challenge is changed
+
+# Alternative second step:
+- name: Let the challenge be validated and retrieve the cert and intermediate certificate
+ community.crypto.acme_certificate:
+ account_key_src: /etc/pki/cert/private/account.key
+ account_email: myself@sample.com
+ src: /etc/pki/cert/csr/sample.com.csr
+ cert: /etc/httpd/ssl/sample.com.crt
+ fullchain: /etc/httpd/ssl/sample.com-fullchain.crt
+ chain: /etc/httpd/ssl/sample.com-intermediate.crt
+ challenge: tls-alpn-01
+ remaining_days: 60
+ data: "{{ sample_com_challenge }}"
+ # We use Let's Encrypt's ACME v2 endpoint
+ acme_directory: https://acme-v02.api.letsencrypt.org/directory
+ acme_version: 2
+ # The following makes sure that if a chain with /CN=DST Root CA X3 in its issuer is provided
+ # as an alternative, it will be selected. These are the roots cross-signed by IdenTrust.
+ # As long as Let's Encrypt provides alternate chains with the cross-signed root(s) when
+ # switching to their own ISRG Root X1 root, this will use the chain ending with a cross-signed
+ # root. This chain is more compatible with older TLS clients.
+ select_chain:
+ - test_certificates: last
+ issuer:
+ CN: DST Root CA X3
+ O: Digital Signature Trust Co.
+ when: sample_com_challenge is changed
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | ACME account URI. +Returned: changed + |
+
| + | When See Section 7.4.2 of RFC8555 for details. +Returned: when certificate was retrieved and |
+
| + | The leaf certificate itself, in PEM format. +Returned: always + |
+
| + | The certificate chain, excluding the root, as concatenated PEM certificates. +Returned: always + |
+
| + | The certificate chain, excluding the root, but including the leaf certificate, as concatenated PEM certificates. +Returned: always + |
+
| + | ACME authorization data. +Maps an identifier to ACME authorization objects. See https://tools.ietf.org/html/rfc8555#section-7.1.4. +Returned: changed +Sample: |
+
| + | The number of days the certificate remains valid. +Returned: success + |
+
| + | Per identifier / challenge type challenge data. +Since Ansible 2.8.5, only challenges which are not yet valid are returned. +Returned: changed + |
+
| + | The full DNS record’s name for the challenge. +Returned: changed and challenge is Sample: |
+
| + | The challenge resource that must be created for validation. +Returned: changed +Sample: |
+
| + | The original challenge resource including type identifier for Returned: changed and Sample: |
+
| + | The value the resource has to produce for the validation. +For For Returned: changed +Sample: |
+
| + | List of TXT values per DNS record, in case challenge is Since Ansible 2.8.5, only challenges which are not yet valid are returned. +Returned: changed + |
+
| + | ACME finalization URI. +Returned: changed + |
+
| + | ACME order URI. +Returned: changed + |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.acme_certificate_revoke.
Allows to revoke certificates issued by a CA supporting the ACME protocol, such as Let’s Encrypt.
The below requirements are needed on the host that executes this module.
+either openssl or cryptography >= 1.5
ipaddress
Parameter |
+Comments |
+
|---|---|
| + | Content of the ACME account RSA or Elliptic Curve key. +Note that exactly one of Warning: the content will be written into a temporary file, which will be deleted by Ansible when the module completes. Since this is an important private key — it can be used to change the account key, or to revoke your certificates without knowing their private keys —, this might not be acceptable. +In case |
+
| + | Phassphrase to use to decode the account key. +Note: this is not supported by the |
+
| + | Path to a file containing the ACME account RSA or Elliptic Curve key. +RSA keys can be created with Mutually exclusive with Required if |
+
| + | If specified, assumes that the account URI is as given. If the account key does not match this account, or an account with this URI does not exist, the module fails. + |
+
| + | The ACME directory to use. This is the entry point URL to access the ACME CA server API. +For safety reasons the default is set to the Let’s Encrypt staging server (for the ACME v1 protocol). This will create technically correct, but untrusted certificates. +For Let’s Encrypt, all staging endpoints can be found here: https://letsencrypt.org/docs/staging-environment/. For Buypass, all endpoints can be found here: https://community.buypass.com/t/63d4ay/buypass-go-ssl-endpoints +For Let’s Encrypt, the production directory URL for ACME v2 is https://acme-v02.api.letsencrypt.org/directory. +For Buypass, the production directory URL for ACME v2 and v1 is https://api.buypass.com/acme/directory. +For ZeroSSL, the production directory URL for ACME v2 is https://acme.zerossl.com/v2/DV90. +For Sectigo, the production directory URL for ACME v2 is https://acme-qa.secure.trust-provider.com/v2/DV. +The notes for this module contain a list of ACME services this module has been tested against. + |
+
| + | The ACME version of the endpoint. +Must be The value Choices: +
|
+
| + | Path to the certificate to revoke. + |
+
| + | Content of the certificate’s private key. +Note that exactly one of Warning: the content will be written into a temporary file, which will be deleted by Ansible when the module completes. Since this is an important private key — it can be used to change the account key, or to revoke your certificates without knowing their private keys —, this might not be acceptable. +In case |
+
| + | Phassphrase to use to decode the certificate’s private key. +Note: this is not supported by the |
+
| + | Path to the certificate’s private key. +Note that exactly one of |
+
| + | The time Ansible should wait for a response from the ACME API. +This timeout is applied to all HTTP(S) requests (HEAD, GET, POST). +Default: |
+
| + | One of the revocation reasonCodes defined in Section 5.3.1 of RFC5280. +Possible values are |
+
| + | Determines which crypto backend to use. +The default choice is If set to If set to Choices: +
|
+
| + | Whether calls to the ACME directory will validate TLS certificates. +Warning: Should only ever be set to Choices: +
|
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Action groups: community.crypto.acme, acme + |
+Use |
+
| + | Support: none + |
+Can run in |
+
| + | Support: none + |
+Will return details on what has changed (or possibly needs changing in |
+
Note
+Exactly one of account_key_src, account_key_content, private_key_src, or private_key_content must be specified.
Trying to revoke an already revoked certificate should result in an unchanged status, even if the revocation reason was different than the one specified here. Also, depending on the server, it can happen that some other error is returned if the certificate has already been revoked.
If a new enough version of the cryptography library is available (see Requirements for details), it will be used instead of the openssl binary. This can be explicitly disabled or enabled with the select_crypto_backend option. Note that using the openssl binary will be slower and less secure, as private key contents always have to be stored on disk (see account_key_content).
Although the defaults are chosen so that the module can be used with the Let’s Encrypt CA, the module can in principle be used with any CA providing an ACME endpoint, such as Buypass Go SSL.
So far, the ACME modules have only been tested by the developers against Let’s Encrypt (staging and production), Buypass (staging and production), ZeroSSL (production), and Pebble testing server. We have got community feedback that they also work with Sectigo ACME Service for InCommon. If you experience problems with another ACME server, please create an issue to help us supporting it. Feedback that an ACME server not mentioned does work is also appreciated.
See also
+Documentation for the Let’s Encrypt Certification Authority. Provides useful information for example on rate limits.
+The specification of the ACME protocol (RFC 8555).
+Allows to debug problems.
+- name: Revoke certificate with account key
+ community.crypto.acme_certificate_revoke:
+ account_key_src: /etc/pki/cert/private/account.key
+ certificate: /etc/httpd/ssl/sample.com.crt
+
+- name: Revoke certificate with certificate's private key
+ community.crypto.acme_certificate_revoke:
+ private_key_src: /etc/httpd/ssl/sample.com.key
+ certificate: /etc/httpd/ssl/sample.com.crt
+
+ tls-alpn-01Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.acme_challenge_cert_helper.
Prepares certificates for ACME challenges such as tls-alpn-01.
The raw data is provided by the community.crypto.acme_certificate module, and needs to be converted to a certificate to be used for challenge validation. This module provides a simple way to generate the required certificates.
The below requirements are needed on the host that executes this module.
+cryptography >= 1.3
Parameter |
+Comments |
+
|---|---|
| + | The challenge type. +Choices: +
|
+
| + | The |
+
| + | Content of the private key to use for this challenge certificate. +Mutually exclusive with |
+
| + | Phassphrase to use to decode the private key. + |
+
| + | Path to a file containing the private key file to use for this challenge certificate. +Mutually exclusive with |
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: none +This action does not modify state. + |
+Can run in |
+
| + | Support: N/A +This action does not modify state. + |
+Will return details on what has changed (or possibly needs changing in |
+
See also
+The specification of the ACME protocol (RFC 8555).
+The specification of the tls-alpn-01 challenge (RFC 8737).
- name: Create challenges for a given CRT for sample.com
+ community.crypto.acme_certificate:
+ account_key_src: /etc/pki/cert/private/account.key
+ challenge: tls-alpn-01
+ csr: /etc/pki/cert/csr/sample.com.csr
+ dest: /etc/httpd/ssl/sample.com.crt
+ register: sample_com_challenge
+
+- name: Create certificates for challenges
+ community.crypto.acme_challenge_cert_helper:
+ challenge: tls-alpn-01
+ challenge_data: "{{ item.value['tls-alpn-01'] }}"
+ private_key_src: /etc/pki/cert/key/sample.com.key
+ loop: "{{ sample_com_challenge.challenge_data | dictsort }}"
+ register: sample_com_challenge_certs
+
+- name: Install challenge certificates
+ # We need to set up HTTPS such that for the domain,
+ # regular_certificate is delivered for regular connections,
+ # except if ALPN selects the "acme-tls/1"; then, the
+ # challenge_certificate must be delivered.
+ # This can for example be achieved with very new versions
+ # of NGINX; search for ssl_preread and
+ # ssl_preread_alpn_protocols for information on how to
+ # route by ALPN protocol.
+ ...:
+ domain: "{{ item.domain }}"
+ challenge_certificate: "{{ item.challenge_certificate }}"
+ regular_certificate: "{{ item.regular_certificate }}"
+ private_key: /etc/pki/cert/key/sample.com.key
+ loop: "{{ sample_com_challenge_certs.results }}"
+
+- name: Create certificate for a given CSR for sample.com
+ community.crypto.acme_certificate:
+ account_key_src: /etc/pki/cert/private/account.key
+ challenge: tls-alpn-01
+ csr: /etc/pki/cert/csr/sample.com.csr
+ dest: /etc/httpd/ssl/sample.com.crt
+ data: "{{ sample_com_challenge }}"
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | The challenge certificate in PEM format. +Returned: always + |
+
| + | The domain the challenge is for. The certificate should be provided if this is specified in the request’s the Returned: always + |
+
| + | The identifier for the actual resource. Will be a domain name if Returned: always + |
+
| + | The identifier type for the actual resource identifier. +Returned: always +Can only return: +
|
+
| + | A self-signed certificate for the challenge domain. +If no existing certificate exists, can be used to set-up https in the first place if that is needed for providing the challenge. +Returned: always + |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.acme_inspect.
Allows to send direct requests to an ACME server with the ACME protocol, which is supported by CAs such as Let’s Encrypt.
This module can be used to debug failed certificate request attempts, for example when community.crypto.acme_certificate fails or encounters a problem which you wish to investigate.
The module can also be used to directly access features of an ACME servers which are not yet supported by the Ansible ACME modules.
The below requirements are needed on the host that executes this module.
+either openssl or cryptography >= 1.5
ipaddress
Parameter |
+Comments |
+
|---|---|
| + | Content of the ACME account RSA or Elliptic Curve key. +Mutually exclusive with Required if Warning: the content will be written into a temporary file, which will be deleted by Ansible when the module completes. Since this is an important private key — it can be used to change the account key, or to revoke your certificates without knowing their private keys —, this might not be acceptable. +In case |
+
| + | Phassphrase to use to decode the account key. +Note: this is not supported by the |
+
| + | Path to a file containing the ACME account RSA or Elliptic Curve key. +Private keys can be created with the community.crypto.openssl_privatekey or community.crypto.openssl_privatekey_pipe modules. If the requisite (cryptography) is not available, keys can also be created directly with the Mutually exclusive with Required if |
+
| + | If specified, assumes that the account URI is as given. If the account key does not match this account, or an account with this URI does not exist, the module fails. + |
+
| + | The ACME directory to use. This is the entry point URL to access the ACME CA server API. +For safety reasons the default is set to the Let’s Encrypt staging server (for the ACME v1 protocol). This will create technically correct, but untrusted certificates. +For Let’s Encrypt, all staging endpoints can be found here: https://letsencrypt.org/docs/staging-environment/. For Buypass, all endpoints can be found here: https://community.buypass.com/t/63d4ay/buypass-go-ssl-endpoints +For Let’s Encrypt, the production directory URL for ACME v2 is https://acme-v02.api.letsencrypt.org/directory. +For Buypass, the production directory URL for ACME v2 and v1 is https://api.buypass.com/acme/directory. +For ZeroSSL, the production directory URL for ACME v2 is https://acme.zerossl.com/v2/DV90. +For Sectigo, the production directory URL for ACME v2 is https://acme-qa.secure.trust-provider.com/v2/DV. +The notes for this module contain a list of ACME services this module has been tested against. + |
+
| + | The ACME version of the endpoint. +Must be The value Choices: +
|
+
| + | + |
| + | If Choices: +
|
+
| + | The method to use to access the given URL on the ACME server. +The value The value The value Choices: +
|
+
| + | The time Ansible should wait for a response from the ACME API. +This timeout is applied to all HTTP(S) requests (HEAD, GET, POST). +Default: |
+
| + | Determines which crypto backend to use. +The default choice is If set to If set to Choices: +
|
+
| + | The URL to send the request to. +Must be specified if |
+
| + | Whether calls to the ACME directory will validate TLS certificates. +Warning: Should only ever be set to Choices: +
|
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Action groups: community.crypto.acme, acme + |
+Use |
+
| + | Support: none + |
+Can run in |
+
| + | Support: none + |
+Will return details on what has changed (or possibly needs changing in |
+
Note
+The account_uri option must be specified for properly authenticated ACME v2 requests (except a new-account request).
Using the ansible tool, community.crypto.acme_inspect can be used to directly execute ACME requests without the need of writing a playbook. For example, the following command retrieves the ACME account with ID 1 from Let’s Encrypt (assuming /path/to/key is the correct private account key): ansible localhost -m acme_inspect -a "account_key_src=/path/to/key acme_directory=https://acme-v02.api.letsencrypt.org/directory acme_version=2 account_uri=https://acme-v02.api.letsencrypt.org/acme/acct/1 method=get url=https://acme-v02.api.letsencrypt.org/acme/acct/1"
If a new enough version of the cryptography library is available (see Requirements for details), it will be used instead of the openssl binary. This can be explicitly disabled or enabled with the select_crypto_backend option. Note that using the openssl binary will be slower and less secure, as private key contents always have to be stored on disk (see account_key_content).
Although the defaults are chosen so that the module can be used with the Let’s Encrypt CA, the module can in principle be used with any CA providing an ACME endpoint, such as Buypass Go SSL.
So far, the ACME modules have only been tested by the developers against Let’s Encrypt (staging and production), Buypass (staging and production), ZeroSSL (production), and Pebble testing server. We have got community feedback that they also work with Sectigo ACME Service for InCommon. If you experience problems with another ACME server, please create an issue to help us supporting it. Feedback that an ACME server not mentioned does work is also appreciated.
See also
+The specification of the ACME protocol (RFC 8555).
+The specification of the tls-alpn-01 challenge (RFC 8737).
- name: Get directory
+ community.crypto.acme_inspect:
+ acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+ acme_version: 2
+ method: directory-only
+ register: directory
+
+- name: Create an account
+ community.crypto.acme_inspect:
+ acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+ acme_version: 2
+ account_key_src: /etc/pki/cert/private/account.key
+ url: "{{ directory.newAccount}}"
+ method: post
+ content: '{"termsOfServiceAgreed":true}'
+ register: account_creation
+ # account_creation.headers.location contains the account URI
+ # if creation was successful
+
+- name: Get account information
+ community.crypto.acme_inspect:
+ acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+ acme_version: 2
+ account_key_src: /etc/pki/cert/private/account.key
+ account_uri: "{{ account_creation.headers.location }}"
+ url: "{{ account_creation.headers.location }}"
+ method: get
+
+- name: Update account contacts
+ community.crypto.acme_inspect:
+ acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+ acme_version: 2
+ account_key_src: /etc/pki/cert/private/account.key
+ account_uri: "{{ account_creation.headers.location }}"
+ url: "{{ account_creation.headers.location }}"
+ method: post
+ content: '{{ account_info | to_json }}'
+ vars:
+ account_info:
+ # For valid values, see
+ # https://tools.ietf.org/html/rfc8555#section-7.3
+ contact:
+ - mailto:me@example.com
+
+- name: Create certificate order
+ community.crypto.acme_certificate:
+ acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+ acme_version: 2
+ account_key_src: /etc/pki/cert/private/account.key
+ account_uri: "{{ account_creation.headers.location }}"
+ csr: /etc/pki/cert/csr/sample.com.csr
+ fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt
+ challenge: http-01
+ register: certificate_request
+
+# Assume something went wrong. certificate_request.order_uri contains
+# the order URI.
+
+- name: Get order information
+ community.crypto.acme_inspect:
+ acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+ acme_version: 2
+ account_key_src: /etc/pki/cert/private/account.key
+ account_uri: "{{ account_creation.headers.location }}"
+ url: "{{ certificate_request.order_uri }}"
+ method: get
+ register: order
+
+- name: Get first authz for order
+ community.crypto.acme_inspect:
+ acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+ acme_version: 2
+ account_key_src: /etc/pki/cert/private/account.key
+ account_uri: "{{ account_creation.headers.location }}"
+ url: "{{ order.output_json.authorizations[0] }}"
+ method: get
+ register: authz
+
+- name: Get HTTP-01 challenge for authz
+ community.crypto.acme_inspect:
+ acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+ acme_version: 2
+ account_key_src: /etc/pki/cert/private/account.key
+ account_uri: "{{ account_creation.headers.location }}"
+ url: "{{ authz.output_json.challenges | selectattr('type', 'equalto', 'http-01') }}"
+ method: get
+ register: http01challenge
+
+- name: Activate HTTP-01 challenge manually
+ community.crypto.acme_inspect:
+ acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+ acme_version: 2
+ account_key_src: /etc/pki/cert/private/account.key
+ account_uri: "{{ account_creation.headers.location }}"
+ url: "{{ http01challenge.url }}"
+ method: post
+ content: '{}'
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | The ACME directory’s content +Returned: always +Sample: |
+
| + | The request’s HTTP headers (with lowercase keys) +Returned: always +Sample: |
+
| + | The output parsed as JSON +Returned: if output can be parsed as JSON +Sample: |
+
| + | The raw text output +Returned: always +Sample: |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.certificate_complete_chain.
This module completes a given chain of certificates in PEM format by finding intermediate certificates from a given set of certificates, until it finds a root certificate in another given set of certificates.
This can for example be used to find the root certificate for a certificate chain returned by community.crypto.acme_certificate.
Note that this module does not check for validity of the chains. It only checks that issuer and subject match, and that the signature is correct. It ignores validity dates and key usage completely. If you need to verify that a generated chain is valid, please use openssl verify ....
The below requirements are needed on the host that executes this module.
+cryptography >= 1.5
Parameter |
+Comments |
+
|---|---|
| + | A concatenated set of certificates in PEM format forming a chain. +The module will try to complete this chain. + |
+
| + | A list of filenames or directories. +A filename is assumed to point to a file containing one or more certificates in PEM format. All certificates in this file will be added to the set of root certificates. +If a directory name is given, all files in the directory and its subdirectories will be scanned and tried to be parsed as concatenated certificates in PEM format. +Symbolic links will be followed. +Default: |
+
| + | A list of filenames or directories. +A filename is assumed to point to a file containing one or more certificates in PEM format. All certificates in this file will be added to the set of root certificates. +If a directory name is given, all files in the directory and its subdirectories will be scanned and tried to be parsed as concatenated certificates in PEM format. +Symbolic links will be followed. + |
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full +This action does not modify state. + |
+Can run in |
+
| + | Support: N/A +This action does not modify state. + |
+Will return details on what has changed (or possibly needs changing in |
+
# Given a leaf certificate for www.ansible.com and one or more intermediate
+# certificates, finds the associated root certificate.
+- name: Find root certificate
+ community.crypto.certificate_complete_chain:
+ input_chain: "{{ lookup('ansible.builtin.file', '/etc/ssl/csr/www.ansible.com-fullchain.pem') }}"
+ root_certificates:
+ - /etc/ca-certificates/
+ register: www_ansible_com
+- name: Write root certificate to disk
+ ansible.builtin.copy:
+ dest: /etc/ssl/csr/www.ansible.com-root.pem
+ content: "{{ www_ansible_com.root }}"
+
+# Given a leaf certificate for www.ansible.com, and a list of intermediate
+# certificates, finds the associated root certificate.
+- name: Find root certificate
+ community.crypto.certificate_complete_chain:
+ input_chain: "{{ lookup('ansible.builtin.file', '/etc/ssl/csr/www.ansible.com.pem') }}"
+ intermediate_certificates:
+ - /etc/ssl/csr/www.ansible.com-chain.pem
+ root_certificates:
+ - /etc/ca-certificates/
+ register: www_ansible_com
+- name: Write complete chain to disk
+ ansible.builtin.copy:
+ dest: /etc/ssl/csr/www.ansible.com-completechain.pem
+ content: "{{ ''.join(www_ansible_com.complete_chain) }}"
+- name: Write root chain (intermediates and root) to disk
+ ansible.builtin.copy:
+ dest: /etc/ssl/csr/www.ansible.com-rootchain.pem
+ content: "{{ ''.join(www_ansible_com.chain) }}"
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | The chain added to the given input chain. Includes the root certificate. +Returned as a list of PEM certificates. +Returned: success + |
+
| + | The completed chain, including leaf, all intermediates, and root. +Returned as a list of PEM certificates. +Returned: success + |
+
| + | The root certificate in PEM format. +Returned: success + |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
To use it in a playbook, specify: community.crypto.crypto_info.
New in community.crypto 2.1.0
+ +Retrieve information on cryptographic capabilities.
The current version retrieves information on the Python cryptography library available to Ansible modules, and on the OpenSSL binary openssl found in the path.
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full +This action does not modify state. + |
+Can run in |
+
| + | Support: N/A +This action does not modify state. + |
+Will return details on what has changed (or possibly needs changing in |
+
- name: Retrieve information
+ community.crypto.crypto_info:
+ account_key_src: /etc/pki/cert/private/account.key
+ register: crypto_information
+
+- name: Show retrieved information
+ ansible.builtin.debug:
+ var: crypto_information
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | Information on the installed OpenSSL binary. +Returned: when |
+
| + | Path of the OpenSSL binary. +Returned: success +Sample: |
+
| + | The OpenSSL version. +Returned: success +Sample: |
+
| + | The complete output of Returned: success +Sample: |
+
| + | Whether the OpenSSL binary Returned: always +Sample: |
+
| + | Information on the installed Python cryptography library. +Returned: when |
+
| + | List of all supported elliptic curves. +Theoretically this should be non-empty for version 0.5 and higher, depending on the libssl version used. +Returned: success + |
+
| + | Whether DSA keys are supported. +Theoretically this should be the case for version 0.5 and higher. +Returned: success + |
+
| + | Whether signing with DSA keys is supported. +Theoretically this should be the case for version 1.5 and higher. +Returned: success + |
+
| + | Whether elliptic curves are supported. +Theoretically this should be the case for version 0.5 and higher, depending on the libssl version used. +Returned: success + |
+
| + | Whether signing with elliptic curves is supported. +Theoretically this should be the case for version 1.5 and higher, depending on the libssl version used. +Returned: success + |
+
| + | Whether Ed25519 keys are supported. +Theoretically this should be the case for version 2.6 and higher, depending on the libssl version used. +Returned: success + |
+
| + | Whether signing with Ed25519 keys is supported. +Theoretically this should be the case for version 2.6 and higher, depending on the libssl version used. +Returned: success + |
+
| + | Whether Ed448 keys are supported. +Theoretically this should be the case for version 2.6 and higher, depending on the libssl version used. +Returned: success + |
+
| + | Whether signing with Ed448 keys is supported. +Theoretically this should be the case for version 2.6 and higher, depending on the libssl version used. +Returned: success + |
+
| + | Whether RSA keys are supported. +Theoretically this should be the case for version 0.5 and higher. +Returned: success + |
+
| + | Whether signing with RSA keys is supported. +Theoretically this should be the case for version 1.4 and higher. +Returned: success + |
+
| + | Whether X25519 keys are supported. +Theoretically this should be the case for version 2.0 and higher, depending on the libssl version used. +Returned: success + |
+
| + | Whether serialization of X25519 keys is supported. +Theoretically this should be the case for version 2.5 and higher, depending on the libssl version used. +Returned: success + |
+
| + | Whether X448 keys are supported. +Theoretically this should be the case for version 2.5 and higher, depending on the libssl version used. +Returned: success + |
+
| + | The library version. +Returned: success + |
+
| + | Import error when trying to import the Python cryptography library. +Returned: when |
+
| + | + |
+ The community.crypto collection offers multiple modules that create private keys, certificate signing requests, and certificates. This guide shows how to create your own small CA and how to use it to sign certificates.
+In all examples, we assume that the CA’s private key is password protected, where the password is provided in the secret_ca_passphrase variable.
Any certificate can be used as a CA certificate. You can create a self-signed certificate (see How to create self-signed certificates), use another CA certificate to sign a new certificate (using the instructions below for signing a certificate), ask (and pay) a commercial CA to sign your CA certificate, etc.
+The following instructions show how to set up a simple self-signed CA certificate.
+- name: Create private key with password protection
+ community.crypto.openssl_privatekey:
+ path: /path/to/ca-certificate.key
+ passphrase: "{{ secret_ca_passphrase }}"
+
+- name: Create certificate signing request (CSR) for CA certificate
+ community.crypto.openssl_csr_pipe:
+ privatekey_path: /path/to/ca-certificate.key
+ privatekey_passphrase: "{{ secret_ca_passphrase }}"
+ common_name: Ansible CA
+ use_common_name_for_san: false # since we do not specify SANs, don't use CN as a SAN
+ basic_constraints:
+ - 'CA:TRUE'
+ basic_constraints_critical: true
+ key_usage:
+ - keyCertSign
+ key_usage_critical: true
+ register: ca_csr
+
+- name: Create self-signed CA certificate from CSR
+ community.crypto.x509_certificate:
+ path: /path/to/ca-certificate.pem
+ csr_content: "{{ ca_csr.csr }}"
+ privatekey_path: /path/to/ca-certificate.key
+ privatekey_passphrase: "{{ secret_ca_passphrase }}"
+ provider: selfsigned
+To sign a certificate, you must pass a CSR to the community.crypto.x509_certificate module or community.crypto.x509_certificate_pipe module.
+In the following example, we assume that the certificate to sign (including its private key) are on server_1, while our CA certificate is on server_2. We do not want any key material to leave each respective server.
- name: Create private key for new certificate on server_1
+ community.crypto.openssl_privatekey:
+ path: /path/to/certificate.key
+ delegate_to: server_1
+ run_once: true
+
+- name: Create certificate signing request (CSR) for new certificate
+ community.crypto.openssl_csr_pipe:
+ privatekey_path: /path/to/certificate.key
+ subject_alt_name:
+ - "DNS:ansible.com"
+ - "DNS:www.ansible.com"
+ - "DNS:docs.ansible.com"
+ delegate_to: server_1
+ run_once: true
+ register: csr
+
+- name: Sign certificate with our CA
+ community.crypto.x509_certificate_pipe:
+ csr_content: "{{ csr.csr }}"
+ provider: ownca
+ ownca_path: /path/to/ca-certificate.pem
+ ownca_privatekey_path: /path/to/ca-certificate.key
+ ownca_privatekey_passphrase: "{{ secret_ca_passphrase }}"
+ ownca_not_after: +365d # valid for one year
+ ownca_not_before: "-1d" # valid since yesterday
+ delegate_to: server_2
+ run_once: true
+ register: certificate
+
+- name: Write certificate file on server_1
+ copy:
+ dest: /path/to/certificate.pem
+ content: "{{ certificate.certificate }}"
+ delegate_to: server_1
+ run_once: true
+Please note that the above procedure is not idempotent. The following extended example reads the existing certificate from server_1 (if exists) and provides it to the community.crypto.x509_certificate_pipe module, and only writes the result back if it was changed:
- name: Create private key for new certificate on server_1
+ community.crypto.openssl_privatekey:
+ path: /path/to/certificate.key
+ delegate_to: server_1
+ run_once: true
+
+- name: Create certificate signing request (CSR) for new certificate
+ community.crypto.openssl_csr_pipe:
+ privatekey_path: /path/to/certificate.key
+ subject_alt_name:
+ - "DNS:ansible.com"
+ - "DNS:www.ansible.com"
+ - "DNS:docs.ansible.com"
+ delegate_to: server_1
+ run_once: true
+ register: csr
+
+- name: Check whether certificate exists
+ stat:
+ path: /path/to/certificate.pem
+ delegate_to: server_1
+ run_once: true
+ register: certificate_exists
+
+- name: Read existing certificate if exists
+ slurp:
+ src: /path/to/certificate.pem
+ when: certificate_exists.stat.exists
+ delegate_to: server_1
+ run_once: true
+ register: certificate
+
+- name: Sign certificate with our CA
+ community.crypto.x509_certificate_pipe:
+ content: "{{ (certificate.content | b64decode) if certificate_exists.stat.exists else omit }}"
+ csr_content: "{{ csr.csr }}"
+ provider: ownca
+ ownca_path: /path/to/ca-certificate.pem
+ ownca_privatekey_path: /path/to/ca-certificate.key
+ ownca_privatekey_passphrase: "{{ secret_ca_passphrase }}"
+ ownca_not_after: +365d # valid for one year
+ ownca_not_before: "-1d" # valid since yesterday
+ delegate_to: server_2
+ run_once: true
+ register: certificate
+
+- name: Write certificate file on server_1
+ copy:
+ dest: /path/to/certificate.pem
+ content: "{{ certificate.certificate }}"
+ delegate_to: server_1
+ run_once: true
+ when: certificate is changed
+
+ The community.crypto collection offers multiple modules that create private keys, certificate signing requests, and certificates. This guide shows how to create self-signed certificates.
+For creating any kind of certificate, you always have to start with a private key. You can use the community.crypto.openssl_privatekey module to create a private key. If you only specify path, the default parameters will be used. This will result in a 4096 bit RSA private key:
- name: Create private key (RSA, 4096 bits)
+ community.crypto.openssl_privatekey:
+ path: /path/to/certificate.key
+You can specify type to select another key type, size to select a different key size (only available for RSA and DSA keys), or passphrase if you want to store the key password-protected:
- name: Create private key (X25519) with password protection
+ community.crypto.openssl_privatekey:
+ path: /path/to/certificate.key
+ type: X25519
+ passphrase: changeme
+To create a very simple self-signed certificate with no specific information, you can proceed directly with the community.crypto.x509_certificate module:
+- name: Create simple self-signed certificate
+ community.crypto.x509_certificate:
+ path: /path/to/certificate.pem
+ privatekey_path: /path/to/certificate.key
+ provider: selfsigned
+(If you used passphrase for the private key, you have to provide privatekey_passphrase.)
You can use selfsigned_not_after to define when the certificate expires (default: in roughly 10 years), and selfsigned_not_before to define from when the certificate is valid (default: now).
To define further properties of the certificate, like the subject, Subject Alternative Names (SANs), key usages, name constraints, etc., you need to first create a Certificate Signing Request (CSR) and provide it to the community.crypto.x509_certificate module. If you do not need the CSR file, you can use the community.crypto.openssl_csr_pipe module as in the example below. (To store it to disk, use the community.crypto.openssl_csr module instead.)
+- name: Create certificate signing request (CSR) for self-signed certificate
+ community.crypto.openssl_csr_pipe:
+ privatekey_path: /path/to/certificate.key
+ common_name: ansible.com
+ organization_name: Ansible, Inc.
+ subject_alt_name:
+ - "DNS:ansible.com"
+ - "DNS:www.ansible.com"
+ - "DNS:docs.ansible.com"
+ register: csr
+
+- name: Create self-signed certificate from CSR
+ community.crypto.x509_certificate:
+ path: /path/to/certificate.pem
+ csr_content: "{{ csr.csr }}"
+ privatekey_path: /path/to/certificate.key
+ provider: selfsigned
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.ecs_certificate.
Create, reissue, and renew certificates with the Entrust Certificate Services (ECS) API.
Requires credentials for the Entrust Certificate Services (ECS) API.
In order to request a certificate, the domain and organization used in the certificate signing request must be already validated in the ECS system. It is not the responsibility of this module to perform those steps.
The below requirements are needed on the host that executes this module.
+PyYAML >= 3.11
cryptography >= 1.6
Parameter |
+Comments |
+
|---|---|
| + | A list of additional email addresses to receive the delivery notice and expiry notification for the certificate. + |
+
| + | Whether a backup should be made for the certificate in Choices: +
|
+
| + | The date the certificate should be set to expire, in RFC3339 compliant date or date-time format. For example,
A reissued certificate will always have the same expiry as the original certificate. +Note that only the date (day, month, year) is supported for specifying the expiry date. If you choose to specify an expiry time with the expiry date, the time will be adjusted to Eastern Standard Time (EST). This could have the unintended effect of moving your expiry date to the previous day. +Applies only to accounts with a pooling inventory model. +Only one of |
+
| + | The lifetime of the certificate. +Applies to all certificates for accounts with a non-pooling inventory model. +
Applies to certificates of
Only one of Choices: +
|
+
| + | Specify the type of certificate requested. +If a certificate is being reissued or renewed, this parameter is ignored, and the Choices: +
|
+
| + | The client ID to submit the Certificate Signing Request under. +If no client ID is specified, the certificate will be submitted under the primary client with ID of 1. +When using a client other than the primary client, the The issued certificate will have an organization value in the subject distinguished name represented by the client. +Default: |
+
| + | Base-64 encoded Certificate Signing Request (CSR). If no If If If The organization “O=” field from the CSR will not be used. It will be replaced in the issued certificate by |
+
| + | In compliance with browser requirements, this certificate may be posted to the Certificate Transparency (CT) logs. This is a best practice technique that helps domain owners monitor certificates issued to their domains. Note that not all certificates are eligible for CT logging. +If If If Choices: +
|
+
| + | Mapping of custom fields to associate with the certificate request and certificate. +Only supported if custom fields are enabled for your account. +Each custom field specified must be a custom field you have defined for your account. + |
+
| + | Custom date field. + |
+
| + | Custom date field. + |
+
| + | Custom date field. + |
+
| + | Custom date field. + |
+
| + | Custom date field. + |
+
| + | Custom dropdown field. + |
+
| + | Custom dropdown field. + |
+
| + | Custom dropdown field. + |
+
| + | Custom dropdown field. + |
+
| + | Custom dropdown field. + |
+
| + | Custom email field. + |
+
| + | Custom email field. + |
+
| + | Custom email field. + |
+
| + | Custom email field. + |
+
| + | Custom email field. + |
+
| + | Custom number field. + |
+
| + | Custom number field. + |
+
| + | Custom number field. + |
+
| + | Custom number field. + |
+
| + | Custom number field. + |
+
| + | Custom text field (maximum 500 characters) + |
+
| + | Custom text field (maximum 500 characters) + |
+
| + | Custom text field (maximum 500 characters) + |
+
| + | Custom text field (maximum 500 characters) + |
+
| + | Custom text field (maximum 500 characters) + |
+
| + | Custom text field (maximum 500 characters) + |
+
| + | Custom text field (maximum 500 characters) + |
+
| + | Custom text field (maximum 500 characters) + |
+
| + | Custom text field (maximum 500 characters) + |
+
| + | Custom text field (maximum 500 characters) + |
+
| + | Custom text field (maximum 500 characters) + |
+
| + | Custom text field (maximum 500 characters) + |
+
| + | Custom text field (maximum 500 characters) + |
+
| + | Custom text field (maximum 500 characters) + |
+
| + | Custom text field (maximum 500 characters) + |
+
| + | If specified, overrides the key usage in the Choices: +
|
+
| + | The end user of the Code Signing certificate must generate and store the private key for this request on cryptographically secure hardware to be compliant with the Entrust CSP and Subscription agreement. If requesting a certificate of type Applicable only to Choices: +
|
+
| + | The path to the key for the client certificate used to authenticate to the Entrust Certificate Services (ECS) API. + |
+
| + | The path to the client certificate used to authenticate to the Entrust Certificate Services (ECS) API. + |
+
| + | The key (password) for authentication to the Entrust Certificate Services (ECS) API. + |
+
| + | The path to the specification file defining the Entrust Certificate Services (ECS) API configuration. +You can use this to keep a local copy of the specification to avoid downloading it every time the module is used. +Default: |
+
| + | The username for authentication to the Entrust Certificate Services (ECS) API. + |
+
| + | If force is used, a certificate is requested regardless of whether If Choices: +
|
+
| + | The destination path for the full certificate chain of the certificate, intermediates, and roots. + |
+
| + | Organization “O=” to include in the certificate. +If Unless the |
+
| + | Organizational unit “OU=” to include in the certificate. +
If both If neither An invalid OU from A maximum of one OU may be specified for current products. Multiple OUs are reserved for future products. + |
+
| + | The destination path for the generated certificate as a PEM encoded cert. +If the certificate at this location is not an Entrust issued certificate, a new certificate will always be requested even if the current certificate is technically valid. +If there is already an Entrust certificate at this location, whether it is replaced is depends on the If an existing certificate is being replaced (see |
+
| + | The number of days the certificate must have left being valid. If If For example, if you are requesting Certificates with a 90 day lifetime, do not set The Default: |
+
| + | The operation performed if Specifying Specifying Specifying Specifying If a certificate was issued within the past 30 days, the Note that check_mode is only supported if For example, setting Choices: +
|
+
| + | The requester email to associate with certificate tracking information and receive delivery and expiry notices for the certificate. + |
+
| + | The requester name to associate with certificate tracking information. + |
+
| + | The requester phone number to associate with certificate tracking information. + |
+
| + | The subject alternative name identifiers, as an array of values (applies to If you are requesting a new SSL certificate, and you pass a See In the case of certificates of type |
+
| + | The tracking ID of the certificate to reissue or renew. +
If there is a certificate present in If there is no certificate present in If there is no certificate present in This can be used when a known certificate is not currently present on a server, but you want to renew or reissue it to be managed by an ansible playbook. For example, if you specify |
+
| + | Free form tracking information to attach to the record for the certificate. + |
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: partial +Check mode is only supported if |
+Can run in |
+
| + | Support: none + |
+Will return details on what has changed (or possibly needs changing in |
+
| + | Support: full + |
+Uses Ansible’s strict file operation functions to ensure proper permissions and avoid data corruption. + |
+
Note
+path must be specified as the output location of the certificate.
See also
+Can be used to create private keys (both for certificates and accounts).
+Can be used to create a Certificate Signing Request (CSR).
+Convert an integer to a colon-separated list of hex numbers.
+- name: Request a new certificate from Entrust with bare minimum parameters.
+ Will request a new certificate if current one is valid but within 30
+ days of expiry. If replacing an existing file in path, will back it up.
+ community.crypto.ecs_certificate:
+ backup: true
+ path: /etc/ssl/crt/ansible.com.crt
+ full_chain_path: /etc/ssl/crt/ansible.com.chain.crt
+ csr: /etc/ssl/csr/ansible.com.csr
+ cert_type: EV_SSL
+ requester_name: Jo Doe
+ requester_email: jdoe@ansible.com
+ requester_phone: 555-555-5555
+ entrust_api_user: apiusername
+ entrust_api_key: a^lv*32!cd9LnT
+ entrust_api_client_cert_path: /etc/ssl/entrust/ecs-client.crt
+ entrust_api_client_cert_key_path: /etc/ssl/entrust/ecs-client.key
+
+- name: If there is no certificate present in path, request a new certificate
+ of type EV_SSL. Otherwise, if there is an Entrust managed certificate
+ in path and it is within 63 days of expiration, request a renew of that
+ certificate.
+ community.crypto.ecs_certificate:
+ path: /etc/ssl/crt/ansible.com.crt
+ csr: /etc/ssl/csr/ansible.com.csr
+ cert_type: EV_SSL
+ cert_expiry: '2020-08-20'
+ request_type: renew
+ remaining_days: 63
+ requester_name: Jo Doe
+ requester_email: jdoe@ansible.com
+ requester_phone: 555-555-5555
+ entrust_api_user: apiusername
+ entrust_api_key: a^lv*32!cd9LnT
+ entrust_api_client_cert_path: /etc/ssl/entrust/ecs-client.crt
+ entrust_api_client_cert_key_path: /etc/ssl/entrust/ecs-client.key
+
+- name: If there is no certificate present in path, download certificate
+ specified by tracking_id if it is still valid. Otherwise, if the
+ certificate is within 79 days of expiration, request a renew of that
+ certificate and save it in path. This can be used to "migrate" a
+ certificate to be Ansible managed.
+ community.crypto.ecs_certificate:
+ path: /etc/ssl/crt/ansible.com.crt
+ csr: /etc/ssl/csr/ansible.com.csr
+ tracking_id: 2378915
+ request_type: renew
+ remaining_days: 79
+ entrust_api_user: apiusername
+ entrust_api_key: a^lv*32!cd9LnT
+ entrust_api_client_cert_path: /etc/ssl/entrust/ecs-client.crt
+ entrust_api_client_cert_key_path: /etc/ssl/entrust/ecs-client.key
+
+- name: Force a reissue of the certificate specified by tracking_id.
+ community.crypto.ecs_certificate:
+ path: /etc/ssl/crt/ansible.com.crt
+ force: true
+ tracking_id: 2378915
+ request_type: reissue
+ entrust_api_user: apiusername
+ entrust_api_key: a^lv*32!cd9LnT
+ entrust_api_client_cert_path: /etc/ssl/entrust/ecs-client.crt
+ entrust_api_client_cert_key_path: /etc/ssl/entrust/ecs-client.key
+
+- name: Request a new certificate with an alternative client. Note that the
+ issued certificate will have it's Subject Distinguished Name use the
+ organization details associated with that client, rather than what is
+ in the CSR.
+ community.crypto.ecs_certificate:
+ path: /etc/ssl/crt/ansible.com.crt
+ csr: /etc/ssl/csr/ansible.com.csr
+ client_id: 2
+ requester_name: Jo Doe
+ requester_email: jdoe@ansible.com
+ requester_phone: 555-555-5555
+ entrust_api_user: apiusername
+ entrust_api_key: a^lv*32!cd9LnT
+ entrust_api_client_cert_path: /etc/ssl/entrust/ecs-client.crt
+ entrust_api_client_cert_key_path: /etc/ssl/entrust/ecs-client.key
+
+- name: Request a new certificate with a number of CSR parameters overridden
+ and tracking information
+ community.crypto.ecs_certificate:
+ path: /etc/ssl/crt/ansible.com.crt
+ full_chain_path: /etc/ssl/crt/ansible.com.chain.crt
+ csr: /etc/ssl/csr/ansible.com.csr
+ subject_alt_name:
+ - ansible.testcertificates.com
+ - www.testcertificates.com
+ eku: SERVER_AND_CLIENT_AUTH
+ ct_log: true
+ org: Test Organization Inc.
+ ou:
+ - Administration
+ tracking_info: "Submitted via Ansible"
+ additional_emails:
+ - itsupport@testcertificates.com
+ - jsmith@ansible.com
+ custom_fields:
+ text1: Admin
+ text2: Invoice 25
+ number1: 342
+ date1: '2018-01-01'
+ email1: sales@ansible.testcertificates.com
+ dropdown1: red
+ cert_expiry: '2020-08-15'
+ requester_name: Jo Doe
+ requester_email: jdoe@ansible.com
+ requester_phone: 555-555-5555
+ entrust_api_user: apiusername
+ entrust_api_key: a^lv*32!cd9LnT
+ entrust_api_client_cert_path: /etc/ssl/entrust/ecs-client.crt
+ entrust_api_client_cert_key_path: /etc/ssl/entrust/ecs-client.key
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | Name of backup file created for the certificate. +Returned: changed and if Sample: |
+
| + | Name of the backup file created for the certificate chain. +Returned: changed and if Sample: |
+
| + | The number of days the certificate remains valid. +Returned: success +Sample: |
+
| + | The full response JSON from the Get Certificate call of the ECS API. +While the response contents are guaranteed to be forwards compatible with new ECS API releases, Entrust recommends that you do not make any playbooks take actions based on the content of this field. However it may be useful for debugging, logging, or auditing purposes. +Returned: success + |
+
| + | The certificate status in ECS. +Current possible values (which may be expanded in the future) are: Returned: success +Sample: |
+
| + | The destination path for the generated certificate. +Returned: changed or success +Sample: |
+
| + | The serial number of the issued certificate. +This return value is an integer. If you need the serial numbers as a colon-separated hex string, such as Returned: success +Sample: |
+
| + | The tracking ID to reference and track the certificate in ECS. +Returned: success +Sample: |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.ecs_domain.
New in community.crypto 1.0.0
+ +Request validation or re-validation of a domain with the Entrust Certificate Services (ECS) API.
Requires credentials for the Entrust Certificate Services (ECS) API.
If the domain is already in the validation process, no new validation will be requested, but the validation data (if applicable) will be returned.
If the domain is already in the validation process but the verification_method specified is different than the current verification_method, the verification_method will be updated and validation data (if applicable) will be returned.
If the domain is an active, validated domain, the return value of changed will be false, unless domain_status=EXPIRED, in which case a re-validation will be performed.
If verification_method=dns, details about the required DNS entry will be specified in the return parameters dns_contents, dns_location, and dns_resource_type.
If verification_method=web_server, details about the required file details will be specified in the return parameters file_contents and file_location.
If verification_method=email, the email address(es) that the validation email(s) were sent to will be in the return parameter emails. This is purely informational. For domains requested using this module, this will always be a list of size 1.
The below requirements are needed on the host that executes this module.
+PyYAML >= 3.11
Parameter |
+Comments |
+
|---|---|
| + | The client ID to request the domain be associated with. +If no client ID is specified, the domain will be added under the primary client with ID of 1. +Default: |
+
| + | The domain name to be verified or reverified. + |
+
| + | The path to the key for the client certificate used to authenticate to the Entrust Certificate Services (ECS) API. + |
+
| + | The path to the client certificate used to authenticate to the Entrust Certificate Services (ECS) API. + |
+
| + | The key (password) for authentication to the Entrust Certificate Services (ECS) API. + |
+
| + | The path to the specification file defining the Entrust Certificate Services (ECS) API configuration. +You can use this to keep a local copy of the specification to avoid downloading it every time the module is used. +Default: |
+
| + | The username for authentication to the Entrust Certificate Services (ECS) API. + |
+
| + | Email address to be used to verify domain ownership. +Email address must be either an email address present in the WHOIS data for Note that if If using the email values from the WHOIS data for the domain or its top level namespace, they must be exact matches. +If To verify domain ownership, domain owner must follow the instructions in the email they receive. +Only allowed if |
+
| + | The verification method to be used to prove control of the domain. +If If If If Choices: +
|
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: none + |
+Can run in |
+
| + | Support: none + |
+Will return details on what has changed (or possibly needs changing in |
+
Note
+There is a small delay (typically about 5 seconds, but can be as long as 60 seconds) before obtaining the random values when requesting a validation while verification_method=dns or verification_method=web_server. Be aware of that if doing many domain validation requests.
See also
+Can be used to request certificates from ECS, with provider=entrust.
Can be used to request a Certificate from ECS using a verified domain.
+- name: Request domain validation using email validation for client ID of 2.
+ community.crypto.ecs_domain:
+ domain_name: ansible.com
+ client_id: 2
+ verification_method: email
+ verification_email: admin@ansible.com
+ entrust_api_user: apiusername
+ entrust_api_key: a^lv*32!cd9LnT
+ entrust_api_client_cert_path: /etc/ssl/entrust/ecs-client.crt
+ entrust_api_client_cert_key_path: /etc/ssl/entrust/ecs-client.key
+
+- name: Request domain validation using DNS. If domain is already valid,
+ request revalidation if expires within 90 days
+ community.crypto.ecs_domain:
+ domain_name: ansible.com
+ verification_method: dns
+ entrust_api_user: apiusername
+ entrust_api_key: a^lv*32!cd9LnT
+ entrust_api_client_cert_path: /etc/ssl/entrust/ecs-client.crt
+ entrust_api_client_cert_key_path: /etc/ssl/entrust/ecs-client.key
+
+- name: Request domain validation using web server validation, and revalidate
+ if fewer than 60 days remaining of EV eligibility.
+ community.crypto.ecs_domain:
+ domain_name: ansible.com
+ verification_method: web_server
+ entrust_api_user: apiusername
+ entrust_api_key: a^lv*32!cd9LnT
+ entrust_api_client_cert_path: /etc/ssl/entrust/ecs-client.crt
+ entrust_api_client_cert_key_path: /etc/ssl/entrust/ecs-client.key
+
+- name: Request domain validation using manual validation.
+ community.crypto.ecs_domain:
+ domain_name: ansible.com
+ verification_method: manual
+ entrust_api_user: apiusername
+ entrust_api_key: a^lv*32!cd9LnT
+ entrust_api_client_cert_path: /etc/ssl/entrust/ecs-client.crt
+ entrust_api_client_cert_key_path: /etc/ssl/entrust/ecs-client.key
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | + |
| + | The value that ECS will be expecting to find in the DNS record located at Returned: changed and if Sample: |
+
| + | The location that ECS will be expecting to be able to find the DNS entry for domain verification, containing the contents of Returned: changed and if Sample: |
+
| + | The type of resource record that ECS will be expecting for the DNS record located at Returned: changed and if Sample: |
+
| + | Status of the current domain. Will be one of Returned: changed or success +Sample: |
+
| + | The list of emails used to request validation of this domain. +Domains requested using this module will only have a list of size 1. +Returned: Sample: |
+
| + | The number of days the domain remains eligible for submission of “EV” certificates. Will never be greater than the value of Returned: success and Sample: |
+
| + | Whether the domain is eligible for submission of “EV” certificates. Will never be Returned: success and Sample: |
+
| + | The contents of the file that ECS will be expecting to find at Returned: Sample: |
+
| + | The location that ECS will be expecting to be able to find the file for domain verification, containing the contents of Returned: Sample: |
+
| + | The number of days the domain remains eligible for submission of “OV” certificates. Will never be less than the value of Returned: success and Sample: |
+
| + | Whether the domain is eligible for submission of “OV” certificates. Will never be Returned: success and Sample: |
+
| + | Verification method used to request the domain validation. If Returned: changed or success +Sample: |
+
+ The following index documents all environment variables declared by plugins in collections. +Environment variables used by the ansible-core configuration are documented in Ansible Configuration Settings.
+No environment variables have been defined.
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.get_certificate.
Makes a secure connection and returns information about the presented certificate
The module uses the cryptography Python library.
Support SNI (Server Name Indication) only with python >= 2.7.
The below requirements are needed on the host that executes this module.
+python >= 2.7 when using proxy_host
cryptography >= 1.6
Parameter |
+Comments |
+
|---|---|
| + | Whether to encode the ASN.1 values in the The documentation claimed for a long time that the values are Base64 encoded, but they never were. For compatibility this option is set to The default value Choices: +
|
+
| + | A PEM file containing one or more root certificates; if present, the cert will be validated against these root certs. +Note that this only validates the certificate is signed by the chain; not that the cert is valid for the host presenting it. + |
+
| + | SSL/TLS Ciphers to use for the request. +When a list is provided, all ciphers are joined in order with See the OpenSSL Cipher List Format for more details. +The available ciphers is dependent on the Python and OpenSSL/LibreSSL versions. + |
+
| + | The host to get the cert for (IP is fine) + |
+
| + | The port to connect to + |
+
| + | Proxy host used when get a certificate. + |
+
| + | Proxy port used when get a certificate. +Default: |
+
| + | Determines which crypto backend to use. +The default choice is If set to Choices: +
|
+
| + | Server name used for SNI (Server Name Indication) when hostname is an IP or is different from server name. + |
+
| + | Requests a secure connection for protocols which require clients to initiate encryption. +Only available for Choices: +
|
+
| + | The timeout in seconds +Default: |
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: none +This action does not modify state. + |
+Can run in |
+
| + | Support: N/A +This action does not modify state. + |
+Will return details on what has changed (or possibly needs changing in |
+
Note
+When using ca_cert on OS X it has been reported that in some conditions the validate will always succeed.
See also
+Convert an integer to a colon-separated list of hex numbers.
+- name: Get the cert from an RDP port
+ community.crypto.get_certificate:
+ host: "1.2.3.4"
+ port: 3389
+ delegate_to: localhost
+ run_once: true
+ register: cert
+
+- name: Get a cert from an https port
+ community.crypto.get_certificate:
+ host: "www.google.com"
+ port: 443
+ delegate_to: localhost
+ run_once: true
+ register: cert
+
+- name: How many days until cert expires
+ ansible.builtin.debug:
+ msg: "cert expires in: {{ expire_days }} days."
+ vars:
+ expire_days: "{{ (( cert.not_after | to_datetime('%Y%m%d%H%M%SZ')) - (ansible_date_time.iso8601 | to_datetime('%Y-%m-%dT%H:%M:%SZ')) ).days }}"
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | The certificate retrieved from the port +Returned: success + |
+
| + | Boolean indicating if the cert is expired +Returned: success + |
+
| + | Extensions applied to the cert +Returned: success + |
+
| + | The ASN.1 content of the extension. +If Please note that the raw binary value might not survive JSON serialization to the Ansible controller, and also might cause failures when displaying it. See https://github.com/ansible/ansible/issues/80258 for more information. +Note that depending on the Returned: success + |
+
| + | Whether the extension is critical. +Returned: success + |
+
| + | The extension’s name. +Returned: success + |
+
| + | Information about the issuer of the cert. +Returned: success + |
+
| + | Expiration date of the cert. +Returned: success + |
+
| + | Issue date of the cert. +Returned: success + |
+
| + | The serial number of the cert. +This return value is an integer. If you need the serial numbers as a colon-separated hex string, such as Returned: success + |
+
| + | The algorithm used to sign the cert. +Returned: success + |
+
| + | Information about the subject of the cert ( Returned: success + |
+
| + | The version number of the certificate. +Returned: success + |
+
+ Note
+This filter plugin is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this filter plugin,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.gpg_fingerprint.
New in community.crypto 2.15.0
+ +Takes the content of a private or public GPG key as input and returns its fingerprint.
The below requirements are needed on the local controller node that executes this filter.
+GnuPG (gpg executable)
This describes the input of the filter, the value before | community.crypto.gpg_fingerprint.
Parameter |
+Comments |
+
|---|---|
| + | The content of a GPG public or private key. + |
+
See also
+Retrieve a GPG fingerprint from a GPG public or private key file.
+- name: Show fingerprint of GPG public key
+ ansible.builtin.debug:
+ msg: "{{ lookup('file', '/path/to/public_key.gpg') | community.crypto.gpg_fingerprint }}"
+Key |
+Description |
+
|---|---|
| + | The fingerprint of the provided public or private GPG key. +Returned: success + |
+
+ Note
+This lookup plugin is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this lookup plugin,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.gpg_fingerprint.
New in community.crypto 2.15.0
+ +Takes a list of filenames pointing to GPG public or private key files. Returns the fingerprints for each of these keys.
The below requirements are needed on the local controller node that executes this lookup.
+GnuPG (gpg executable)
Parameter |
+Comments |
+
|---|---|
| + | A path to a GPG public or private key. + |
+
See also
+Retrieve a GPG fingerprint from a GPG public or private key.
+- name: Show fingerprint of GPG public key
+ ansible.builtin.debug:
+ msg: "{{ lookup('community.crypto.gpg_fingerprint', '/path/to/public_key.gpg') }}"
+Key |
+Description |
+
|---|---|
| + | The fingerprints of the provided public or private GPG keys. +The list has one entry for every path provided. +Returned: success + |
+
+ Collection version 2.18.0
+ +Author:
+Ansible (github.com/ansible)
Supported ansible-core versions:
+2.9.10 or newer
Matrix room #users:ansible.im: General usage and support questions.
IRC channel #ansible (Libera network):
+General usage and support questions.
Mailing list: Ansible Project List. +(Subscribe)
These are the plugins in the community.crypto collection:
+acme_account module – Create, modify or delete ACME accounts
acme_account_info module – Retrieves information on ACME accounts
acme_certificate module – Create SSL/TLS certificates with the ACME protocol
acme_certificate_revoke module – Revoke certificates with the ACME protocol
acme_challenge_cert_helper module – Prepare certificates required for ACME challenges such as tls-alpn-01
acme_inspect module – Send direct requests to an ACME server
certificate_complete_chain module – Complete certificate chain given a set of untrusted and root certificates
crypto_info module – Retrieve cryptographic capabilities
ecs_certificate module – Request SSL/TLS certificates with the Entrust Certificate Services (ECS) API
ecs_domain module – Request validation of a domain with the Entrust Certificate Services (ECS) API
get_certificate module – Get a certificate from a host:port
luks_device module – Manage encrypted (LUKS) devices
openssh_cert module – Generate OpenSSH host or user certificates.
openssh_keypair module – Generate OpenSSH private and public keys
openssl_csr module – Generate OpenSSL Certificate Signing Request (CSR)
openssl_csr_info module – Provide information of OpenSSL Certificate Signing Requests (CSR)
openssl_csr_pipe module – Generate OpenSSL Certificate Signing Request (CSR)
openssl_dhparam module – Generate OpenSSL Diffie-Hellman Parameters
openssl_pkcs12 module – Generate OpenSSL PKCS#12 archive
openssl_privatekey module – Generate OpenSSL private keys
openssl_privatekey_convert module – Convert OpenSSL private keys
openssl_privatekey_info module – Provide information for OpenSSL private keys
openssl_privatekey_pipe module – Generate OpenSSL private keys without disk access
openssl_publickey module – Generate an OpenSSL public key from its private key.
openssl_publickey_info module – Provide information for OpenSSL public keys
openssl_signature module – Sign data with openssl
openssl_signature_info module – Verify signatures with openssl
x509_certificate module – Generate and/or check OpenSSL certificates
x509_certificate_info module – Provide information of OpenSSL X.509 certificates
x509_certificate_pipe module – Generate and/or check OpenSSL certificates
x509_crl module – Generate Certificate Revocation Lists (CRLs)
x509_crl_info module – Retrieve information on Certificate Revocation Lists (CRLs)
gpg_fingerprint filter – Retrieve a GPG fingerprint from a GPG public or private key
openssl_csr_info filter – Retrieve information from OpenSSL Certificate Signing Requests (CSR)
openssl_privatekey_info filter – Retrieve information from OpenSSL private keys
openssl_publickey_info filter – Retrieve information from OpenSSL public keys in PEM format
parse_serial filter – Convert a serial number as a colon-separated list of hex numbers to an integer
split_pem filter – Split PEM file contents into multiple objects
to_serial filter – Convert an integer to a colon-separated list of hex numbers
x509_certificate_info filter – Retrieve information from X.509 certificates in PEM format
x509_crl_info filter – Retrieve information from X.509 CRLs in PEM format
gpg_fingerprint lookup – Retrieve a GPG fingerprint from a GPG public or private key file
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.luks_device.
Module manages LUKS on given device. Supports creating, destroying, opening and closing of LUKS container and adding or removing new keys and passphrases.
The below requirements are needed on the host that executes this module.
+ +Parameter |
+Comments |
+
|---|---|
| + | Allow discards (also known as TRIM) requests for device. +Will only be used when opening containers. +Choices: +
|
+
| + | This option allows the user to define the cipher specification string for the LUKS container. +Will only be used on container creation. +For pre-2.6.10 kernels, use |
+
| + | Device to work with (for example |
+
| + | If set to BEWARE that when the last key has been removed from a container, the container can no longer be opened! +Choices: +
|
+
| + | This option allows the user to specify the hash function used in LUKS key setup scheme and volume key digest. +Will only be used on container creation. + |
+
| + | Used to unlock the container. Either a BEWARE that working with keyfiles in plaintext is dangerous. Make sure that they are protected. + |
+
| + | Sets the key size only if LUKS container does not exist. + |
+
| + | Adds the Note that a device of |
+
| + | + |
| + | Sets container name when |
+
| + | Adds additional key to given container on NOTE that adding additional keys is idempotent only since community.crypto 1.4.0. For older versions, a new keyslot will be used even if another keyslot already exists for this keyfile. +BEWARE that working with keyfiles in plaintext is dangerous. Make sure that they are protected. + |
+
| + | Adds the additional Note that a device of |
+
| + | Adds additional passphrase to given container on NOTE that adding additional passphrase is idempotent only since community.crypto 1.4.0. For older versions, a new keyslot will be used even if another keyslot already exists for this passphrase. + |
+
| + | Used to unlock the container. Either a |
+
| + | This option allows the user to configure the Password-Based Key Derivation Function (PBKDF) used. +Will only be used on container creation, and when adding keys to an existing container. + |
+
| + | The algorithm to use. +Only available for the LUKS 2 format. +Choices: +
|
+
| + | Specify the iteration count used for the PBKDF. +Mutually exclusive with |
+
| + | Specify the iteration time used for the PBKDF. +Note that this is in seconds, not in milliseconds as on the command line. +Mutually exclusive with |
+
| + | The memory cost limit in kilobytes for the PBKDF. +This is not used for PBKDF2, but only for the Argon PBKDFs. + |
+
| + | The parallel cost for the PBKDF. This is the number of threads that run in parallel. +This is not used for PBKDF2, but only for the Argon PBKDFs. + |
+
| + | Allows the user to bypass dm-crypt internal workqueue and process read requests synchronously. +Will only be used when opening containers. +Choices: +
|
+
| + | Allows the user to bypass dm-crypt internal workqueue and process write requests synchronously. +Will only be used when opening containers. +Choices: +
|
+
| + | Allows the user to perform encryption using the same CPU that IO was submitted on. +The default is to use an unbound workqueue so that encryption work is automatically balanced between available CPUs. +Will only be used when opening containers. +Choices: +
|
+
| + | Allows the user to disable offloading writes to a separate thread after encryption. +There are some situations where offloading block write IO operations from the encryption threads to a single thread degrades performance significantly. +The default is to offload block write IO operations to the same thread. +Will only be used when opening containers. +Choices: +
|
+
| + | Allows the user to store options into container’s metadata persistently and automatically use them next time. Only Will only work with LUKS2 containers. +Will only be used when opening containers. +Choices: +
|
+
| + | Removes given key from the container on NOTE that removing keys is idempotent only since community.crypto 1.4.0. For older versions, trying to remove a key which no longer exists results in an error. +NOTE that to remove the last key from a LUKS container, the BEWARE that working with keyfiles in plaintext is dangerous. Make sure that they are protected. + |
+
| + | Removes the key in the given slot on Note that a device of Note that the given |
+
| + | Removes given passphrase from the container on NOTE that removing passphrases is idempotent only since community.crypto 1.4.0. For older versions, trying to remove a passphrase which no longer exists results in an error. +NOTE that to remove the last keyslot from a LUKS container, the |
+
| + | This option allows the user to specify the sector size (in bytes) used for LUKS2 containers. +Will only be used on container creation. + |
+
| + | Desired state of the LUKS container. Based on its value creates, destroys, opens or closes the LUKS container on a given device. +
Choices: +
|
+
| + | This option allow the user explicit define the format of LUKS container that wants to work with. Options are Choices: +
|
+
| + | + |
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full + |
+Can run in |
+
| + | Support: none + |
+Will return details on what has changed (or possibly needs changing in |
+
- name: Create LUKS container (remains unchanged if it already exists)
+ community.crypto.luks_device:
+ device: "/dev/loop0"
+ state: "present"
+ keyfile: "/vault/keyfile"
+
+- name: Create LUKS container with a passphrase
+ community.crypto.luks_device:
+ device: "/dev/loop0"
+ state: "present"
+ passphrase: "foo"
+
+- name: Create LUKS container with specific encryption
+ community.crypto.luks_device:
+ device: "/dev/loop0"
+ state: "present"
+ cipher: "aes"
+ hash: "sha256"
+
+- name: (Create and) open the LUKS container; name it "mycrypt"
+ community.crypto.luks_device:
+ device: "/dev/loop0"
+ state: "opened"
+ name: "mycrypt"
+ keyfile: "/vault/keyfile"
+
+- name: Close the existing LUKS container "mycrypt"
+ community.crypto.luks_device:
+ state: "closed"
+ name: "mycrypt"
+
+- name: Make sure LUKS container exists and is closed
+ community.crypto.luks_device:
+ device: "/dev/loop0"
+ state: "closed"
+ keyfile: "/vault/keyfile"
+
+- name: Create container if it does not exist and add new key to it
+ community.crypto.luks_device:
+ device: "/dev/loop0"
+ state: "present"
+ keyfile: "/vault/keyfile"
+ new_keyfile: "/vault/keyfile2"
+
+- name: Add new key to the LUKS container (container has to exist)
+ community.crypto.luks_device:
+ device: "/dev/loop0"
+ keyfile: "/vault/keyfile"
+ new_keyfile: "/vault/keyfile2"
+
+- name: Add new passphrase to the LUKS container
+ community.crypto.luks_device:
+ device: "/dev/loop0"
+ keyfile: "/vault/keyfile"
+ new_passphrase: "foo"
+
+- name: Remove existing keyfile from the LUKS container
+ community.crypto.luks_device:
+ device: "/dev/loop0"
+ remove_keyfile: "/vault/keyfile2"
+
+- name: Remove existing passphrase from the LUKS container
+ community.crypto.luks_device:
+ device: "/dev/loop0"
+ remove_passphrase: "foo"
+
+- name: Completely remove the LUKS container and its contents
+ community.crypto.luks_device:
+ device: "/dev/loop0"
+ state: "absent"
+
+- name: Create a container with label
+ community.crypto.luks_device:
+ device: "/dev/loop0"
+ state: "present"
+ keyfile: "/vault/keyfile"
+ label: personalLabelName
+
+- name: Open the LUKS container based on label without device; name it "mycrypt"
+ community.crypto.luks_device:
+ label: "personalLabelName"
+ state: "opened"
+ name: "mycrypt"
+ keyfile: "/vault/keyfile"
+
+- name: Close container based on UUID
+ community.crypto.luks_device:
+ uuid: 03ecd578-fad4-4e6c-9348-842e3e8fa340
+ state: "closed"
+ name: "mycrypt"
+
+- name: Create a container using luks2 format
+ community.crypto.luks_device:
+ device: "/dev/loop0"
+ state: "present"
+ keyfile: "/vault/keyfile"
+ type: luks2
+
+- name: Create a container with key in slot 4
+ community.crypto.luks_device:
+ device: "/dev/loop0"
+ state: "present"
+ keyfile: "/vault/keyfile"
+ keyslot: 4
+
+- name: Add a new key in slot 5
+ community.crypto.luks_device:
+ device: "/dev/loop0"
+ keyfile: "/vault/keyfile"
+ new_keyfile: "/vault/keyfile"
+ new_keyslot: 5
+
+- name: Remove the key from slot 4 (given keyfile must not be slot 4)
+ community.crypto.luks_device:
+ device: "/dev/loop0"
+ keyfile: "/vault/keyfile"
+ remove_keyslot: 4
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | When Returned: success +Sample: |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.openssh_cert.
Generate and regenerate OpenSSH host or user certificates.
The below requirements are needed on the host that executes this module.
+ssh-keygen
Parameter |
+Comments |
+
|---|---|
| + | The attributes the resulting filesystem object should have. +To get supported flags look at the man page for chattr on the target system. +This string should contain the attributes in the same order as the one displayed by lsattr. +The |
+
| + | Should the certificate be regenerated even if it already exists and is valid. +Equivalent to Choices: +
|
+
| + | Name of the group that should own the filesystem object, as would be fed to chown. +When left unspecified, it uses the current group of the current user unless you are root, in which case it can preserve the previous ownership. + |
+
| + | Specify the key identity when signing a public key. The identifier that is logged by the server when the certificate is used for authentication. + |
+
| + | Whether the However, the values will still be applied to a new certificate if it meets any other necessary conditions for generation/regeneration. +Choices: +
|
+
| + | The permissions the resulting filesystem object should have. +For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must give Ansible enough information to parse them correctly. For consistent results, quote octal numbers (for example, Giving Ansible a number without following either of these rules will end up with a decimal number which will have unexpected results. +As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, If If Specifying |
+
| + | Specify certificate options when signing a key. The option that are valid for user certificates are: +
At present, no options are valid for host keys. + |
+
| + | Name of the user that should own the filesystem object, as would be fed to chown. +When left unspecified, it uses the current user unless you are root, in which case it can preserve the previous ownership. +Specifying a numeric username will be assumed to be a user ID and not a username. Avoid numeric usernames to avoid this confusion. + |
+
| + | Path of the file containing the certificate. + |
+
| + | To use a signing key that resides on a PKCS#11 token, set this to the name (or full path) of the shared library to use with the token. Usually If this is set, |
+
| + | Certificates may be limited to be valid for a set of principal (user/host) names. By default, generated certificates are valid for all users or hosts. + |
+
| + | The path to the public key that will be signed with the signing key in order to generate the certificate. +Required if |
+
| + | When When When When
Choices: +
|
+
| + | The level part of the SELinux filesystem object context. +This is the MLS/MCS attribute, sometimes known as the When set to |
+
| + | Specify the certificate serial number. The serial number is logged by the server when the certificate is used for authentication. The certificate serial number may be used in a KeyRevocationList. The serial number may be omitted for checks, but must be specified again for a new certificate. Note: The default value set by ssh-keygen is 0. +This option accepts an integer. If you want to provide serial numbers as colon-separated hex strings, such as |
+
| + | The role part of the SELinux filesystem object context. +When set to |
+
| + | The type part of the SELinux filesystem object context. +When set to |
+
| + | The user part of the SELinux filesystem object context. +By default it uses the When set to |
+
| + | As of OpenSSH 8.2 the SHA-1 signature algorithm for RSA keys has been disabled and Using any value for this option with a non-RSA Note: OpenSSH versions prior to 7.2 do not support SHA-2 signature algorithms for RSA keys and OpenSSH versions prior to 7.3 do not support SHA-2 signature algorithms for certificates. +See https://www.openssh.com/txt/release-8.2 for more information. +Choices: +
|
+
| + | The path to the private openssh key that is used for signing the public key in order to generate the certificate. +If the private key is on a PKCS#11 token ( Required if |
+
| + | Whether the host or user certificate should exist or not, taking action if the state is different from what is stated. +Choices: +
|
+
| + | Whether the module should generate a host or a user certificate. +Required if Choices: +
|
+
| + | Influence when to use atomic operation to prevent data corruption or inconsistent reads from the target filesystem object. +By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target filesystem objects, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted filesystem objects, which cannot be updated atomically from inside the container and can only be written in an unsafe manner. +This option allows Ansible to fall back to unsafe methods of updating filesystem objects when atomic operations fail (however, it doesn’t force Ansible to perform unsafe writes). +IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption. +Choices: +
|
+
| + | Should the ssh-keygen use a CA key residing in a ssh-agent. +Choices: +
|
+
| + | Check if the certificate is valid at a certain point in time. If it is not the certificate will be regenerated. Time will always be interpreted as UTC. Mainly to be used with relative timespec for |
+
| + | The point in time the certificate is valid from. Time can be specified either as relative time or as absolute timestamp. Time will always be interpreted as UTC. Valid formats are: The value To ignore this value during comparison with an existing certificate set Required if |
+
| + | The point in time the certificate is valid to. Time can be specified either as relative time or as absolute timestamp. Time will always be interpreted as UTC. Valid formats are: To ignore this value during comparison with an existing certificate set Required if |
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full + |
+Can run in |
+
| + | Support: full + |
+Will return details on what has changed (or possibly needs changing in |
+
| + | Support: full + |
+Uses Ansible’s strict file operation functions to ensure proper permissions and avoid data corruption. + |
+
See also
+Convert a serial number as a colon-separated list of hex numbers to an integer.
+- name: Generate an OpenSSH user certificate that is valid forever and for all users
+ community.crypto.openssh_cert:
+ type: user
+ signing_key: /path/to/private_key
+ public_key: /path/to/public_key.pub
+ path: /path/to/certificate
+ valid_from: always
+ valid_to: forever
+
+# Generate an OpenSSH host certificate that is valid for 32 weeks from now and will be regenerated
+# if it is valid for less than 2 weeks from the time the module is being run
+- name: Generate an OpenSSH host certificate with valid_from, valid_to and valid_at parameters
+ community.crypto.openssh_cert:
+ type: host
+ signing_key: /path/to/private_key
+ public_key: /path/to/public_key.pub
+ path: /path/to/certificate
+ valid_from: +0s
+ valid_to: +32w
+ valid_at: +2w
+ ignore_timestamps: true
+
+- name: Generate an OpenSSH host certificate that is valid forever and only for example.com and examplehost
+ community.crypto.openssh_cert:
+ type: host
+ signing_key: /path/to/private_key
+ public_key: /path/to/public_key.pub
+ path: /path/to/certificate
+ valid_from: always
+ valid_to: forever
+ principals:
+ - example.com
+ - examplehost
+
+- name: Generate an OpenSSH host Certificate that is valid from 21.1.2001 to 21.1.2019
+ community.crypto.openssh_cert:
+ type: host
+ signing_key: /path/to/private_key
+ public_key: /path/to/public_key.pub
+ path: /path/to/certificate
+ valid_from: "2001-01-21"
+ valid_to: "2019-01-21"
+
+- name: Generate an OpenSSH user Certificate with clear and force-command option
+ community.crypto.openssh_cert:
+ type: user
+ signing_key: /path/to/private_key
+ public_key: /path/to/public_key.pub
+ path: /path/to/certificate
+ valid_from: always
+ valid_to: forever
+ options:
+ - "clear"
+ - "force-command=/tmp/bla/foo"
+
+- name: Generate an OpenSSH user certificate using a PKCS#11 token
+ community.crypto.openssh_cert:
+ type: user
+ signing_key: /path/to/ca_public_key.pub
+ pkcs11_provider: libpkcs11.so
+ public_key: /path/to/public_key.pub
+ path: /path/to/certificate
+ valid_from: always
+ valid_to: forever
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | path to the certificate +Returned: changed or success +Sample: |
+
| + | Information about the certificate. Output of Returned: change or success + |
+
| + | type of the certificate (host or user) +Returned: changed or success +Sample: |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.openssh_keypair.
This module allows one to (re)generate OpenSSH private and public keys. It uses ssh-keygen to generate keys. One can generate rsa, dsa, rsa1, ed25519 or ecdsa private keys.
The below requirements are needed on the host that executes this module.
+ssh-keygen (if backend=openssh)
cryptography >= 2.6 (if backend=cryptography and OpenSSH < 7.8 is installed)
cryptography >= 3.0 (if backend=cryptography and OpenSSH >= 7.8 is installed)
Parameter |
+Comments |
+
|---|---|
| + | The attributes the resulting filesystem object should have. +To get supported flags look at the man page for chattr on the target system. +This string should contain the attributes in the same order as the one displayed by lsattr. +The |
+
| + | Selects between the
Choices: +
|
+
| + | Provides a new comment to the public key. + |
+
| + | Should the key be regenerated even if it already exists +Choices: +
|
+
| + | Name of the group that should own the filesystem object, as would be fed to chown. +When left unspecified, it uses the current group of the current user unless you are root, in which case it can preserve the previous ownership. + |
+
| + | The permissions the resulting filesystem object should have. +For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must give Ansible enough information to parse them correctly. For consistent results, quote octal numbers (for example, Giving Ansible a number without following either of these rules will end up with a decimal number which will have unexpected results. +As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, If If Specifying |
+
| + | Name of the user that should own the filesystem object, as would be fed to chown. +When left unspecified, it uses the current user unless you are root, in which case it can preserve the previous ownership. +Specifying a numeric username will be assumed to be a user ID and not a username. Avoid numeric usernames to avoid this confusion. + |
+
| + | Passphrase used to decrypt an existing private key or encrypt a newly generated private key. +Passphrases are not supported for Can only be used when |
+
| + | Name of the files containing the public and private key. The file containing the public key will have the extension |
+
| + | Used when When set to For OpenSSH < 7.8 private keys will be in PKCS1 format except ed25519 keys which will be in OpenSSH format. +For OpenSSH >= 7.8 all private key types will be in the OpenSSH format. +Using this option when Choices: +
|
+
| + | Allows to configure in which situations the module is allowed to regenerate private keys. The module will always generate a new key if the destination file does not exist. +By default, the key will be regenerated when it does not match the module’s options, except when the key cannot be read or the passphrase does not match. Please note that this changed for Ansible 2.10. For Ansible 2.9, the behavior was as if If set to If set to If set to If set to If set to Note that adjusting the comment and the permissions can be changed without regeneration. Therefore, even for Choices: +
|
+
| + | The level part of the SELinux filesystem object context. +This is the MLS/MCS attribute, sometimes known as the When set to |
+
| + | The role part of the SELinux filesystem object context. +When set to |
+
| + | The type part of the SELinux filesystem object context. +When set to |
+
| + | The user part of the SELinux filesystem object context. +By default it uses the When set to |
+
| + | Specifies the number of bits in the private key to create. For RSA keys, the minimum size is 1024 bits and the default is 4096 bits. Generally, 2048 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, size determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will cause this module to fail. Ed25519 keys have a fixed length and the size will be ignored. + |
+
| + | Whether the private and public keys should exist or not, taking action if the state is different from what is stated. +Choices: +
|
+
| + | The algorithm used to generate the SSH private key. Choices: +
|
+
| + | Influence when to use atomic operation to prevent data corruption or inconsistent reads from the target filesystem object. +By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target filesystem objects, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted filesystem objects, which cannot be updated atomically from inside the container and can only be written in an unsafe manner. +This option allows Ansible to fall back to unsafe methods of updating filesystem objects when atomic operations fail (however, it doesn’t force Ansible to perform unsafe writes). +IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption. +Choices: +
|
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full + |
+Can run in |
+
| + | Support: full + |
+Will return details on what has changed (or possibly needs changing in |
+
| + | Support: full + |
+Uses Ansible’s strict file operation functions to ensure proper permissions and avoid data corruption. + |
+
- name: Generate an OpenSSH keypair with the default values (4096 bits, rsa)
+ community.crypto.openssh_keypair:
+ path: /tmp/id_ssh_rsa
+
+- name: Generate an OpenSSH keypair with the default values (4096 bits, rsa) and encrypted private key
+ community.crypto.openssh_keypair:
+ path: /tmp/id_ssh_rsa
+ passphrase: super_secret_password
+
+- name: Generate an OpenSSH rsa keypair with a different size (2048 bits)
+ community.crypto.openssh_keypair:
+ path: /tmp/id_ssh_rsa
+ size: 2048
+
+- name: Force regenerate an OpenSSH keypair if it already exists
+ community.crypto.openssh_keypair:
+ path: /tmp/id_ssh_rsa
+ force: true
+
+- name: Generate an OpenSSH keypair with a different algorithm (dsa)
+ community.crypto.openssh_keypair:
+ path: /tmp/id_ssh_dsa
+ type: dsa
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | The comment of the generated key. +Returned: changed or success +Sample: |
+
| + | Path to the generated SSH private key file. +Returned: changed or success +Sample: |
+
| + | The fingerprint of the key. +Returned: changed or success +Sample: |
+
| + | The public key of the generated SSH private key. +Returned: changed or success +Sample: |
+
| + | Size (in bits) of the SSH private key. +Returned: changed or success +Sample: |
+
| + | Algorithm used to generate the SSH private key. +Returned: changed or success +Sample: |
+
+ Note
+This plugin was part of the community.crypto collection (version 2.18.0).
+This module has been removed +in version 2.0.0 of community.crypto. +The ‘community.crypto.openssl_certificate_info’ module has been renamed to ‘community.crypto.x509_certificate_info’
+
+ Note
+This plugin was part of the community.crypto collection (version 2.18.0).
+This module has been removed +in version 2.0.0 of community.crypto. +The ‘community.crypto.openssl_certificate’ module has been renamed to ‘community.crypto.x509_certificate’
+
+ Note
+This filter plugin is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this filter plugin,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.openssl_csr_info.
New in community.crypto 2.10.0
+ +Provided an OpenSSL Certificate Signing Requests (CSR), retrieve information.
This is a filter version of the community.crypto.openssl_csr_info module.
The below requirements are needed on the local controller node that executes this filter.
+If name_encoding is set to another value than ignore, the idna Python library needs to be installed.
This describes the input of the filter, the value before | community.crypto.openssl_csr_info.
Parameter |
+Comments |
+
|---|---|
| + | The content of the OpenSSL CSR. + |
+
This describes keyword parameters of the filter. These are the values key1=value1, key2=value2 and so on in the following
+example: input | community.crypto.openssl_csr_info(key1=value1, key2=value2, ...)
Parameter |
+Comments |
+
|---|---|
| + | How to encode names (DNS names, URIs, email addresses) in return values. +
Note that Choices: +
|
+
See also
+Provide information of OpenSSL Certificate Signing Requests (CSR).
+Convert an integer to a colon-separated list of hex numbers.
+- name: Show the Subject Alt Names of the CSR
+ ansible.builtin.debug:
+ msg: >-
+ {{
+ (
+ lookup('ansible.builtin.file', '/path/to/cert.csr')
+ | community.crypto.openssl_csr_info
+ ).subject_alt_name | join(', ')
+ }}
+Key |
+Description |
+
|---|---|
| + | Information on the certificate. +Returned: success + |
+
| + | The CSR’s authority cert issuer as a list of general names. +Is See Returned: success +Sample: |
+
| + | The CSR’s authority cert serial number. +Is This return value is an integer. If you need the serial numbers as a colon-separated hex string, such as Returned: success +Sample: |
+
| + | The CSR’s authority key identifier. +The identifier is returned in hexadecimal, with Is Returned: success +Sample: |
+
| + | Entries in the Returned: success +Sample: |
+
| + | Whether the Returned: success + |
+
| + | Entries in the Returned: success +Sample: |
+
| + | Whether the Returned: success + |
+
| + | Returns a dictionary for every extension OID +Returned: success +Sample: |
+
| + | Whether the extension is critical. +Returned: success + |
+
| + | The Base64 encoded value (in DER format) of the extension. +Note that depending on the Returned: success +Sample: |
+
| + | Entries in the Returned: success +Sample: |
+
| + | Whether the Returned: success + |
+
| + | Whether the Is Returned: success + |
+
| + | List of excluded subtrees the CA cannot sign certificates for. +Is See Returned: success +Sample: |
+
| + | List of permitted subtrees to sign certificates for. +Returned: success +Sample: |
+
| + |
Returned: success + |
+
| + | Whether the Returned: success + |
+
| + | CSR’s public key in PEM format +Returned: success +Sample: |
+
| + | Public key data. Depends on the public key’s type. +Returned: success + |
+
| + | The curve’s name for ECC. +Returned: When |
+
| + | The RSA key’s public exponent. +Returned: When |
+
| + | The maximum number of bits of a private key. This is basically the bit size of the subgroup used. +Returned: When |
+
| + | The This is the element spanning the subgroup of the multiplicative group of the prime field used. +Returned: When |
+
| + | The RSA key’s modulus. +Returned: When |
+
| + | The This is the prime modulus upon which arithmetic takes place. +Returned: When |
+
| + | The This is a prime that divides Returned: When |
+
| + | Bit size of modulus (RSA) or prime number (DSA). +Returned: When |
+
| + | The Returned: When |
+
| + | For For Returned: When |
+
| + | Fingerprints of CSR’s public key. +For every hash algorithm available, the fingerprint is computed. +Returned: success +Sample: |
+
| + | The CSR’s public key’s type. +One of Will start with Returned: success +Sample: |
+
| + | Whether the CSR’s signature is valid. +In case the check returns Returned: success + |
+
| + | The CSR’s subject as a dictionary. +Note that for repeated values, only the last one will be returned. +Returned: success +Sample: |
+
| + | Entries in the See Returned: success +Sample: |
+
| + | Whether the Returned: success + |
+
| + | The CSR’s subject key identifier. +The identifier is returned in hexadecimal, with Is Returned: success +Sample: |
+
| + | The CSR’s subject as an ordered list of tuples. +Returned: success +Sample: |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.openssl_csr_info.
This module allows one to query information on OpenSSL Certificate Signing Requests (CSR).
In case the CSR signature cannot be validated, the module will fail. In this case, all return variables are still returned.
It uses the cryptography python library to interact with OpenSSL.
The below requirements are needed on the host that executes this module.
+If name_encoding is set to another value than ignore, the idna Python library needs to be installed.
cryptography >= 1.3
Parameter |
+Comments |
+
|---|---|
| + | + |
| + | How to encode names (DNS names, URIs, email addresses) in return values. +
Note that Choices: +
|
+
| + | + |
| + | Determines which crypto backend to use. +The default choice is If set to Choices: +
|
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full +This action does not modify state. + |
+Can run in |
+
| + | Support: N/A +This action does not modify state. + |
+Will return details on what has changed (or possibly needs changing in |
+
See also
+Generate OpenSSL Certificate Signing Request (CSR).
+Generate OpenSSL Certificate Signing Request (CSR).
+A filter variant of this module.
+Convert an integer to a colon-separated list of hex numbers.
+- name: Generate an OpenSSL Certificate Signing Request
+ community.crypto.openssl_csr:
+ path: /etc/ssl/csr/www.ansible.com.csr
+ privatekey_path: /etc/ssl/private/ansible.com.pem
+ common_name: www.ansible.com
+
+- name: Get information on the CSR
+ community.crypto.openssl_csr_info:
+ path: /etc/ssl/csr/www.ansible.com.csr
+ register: result
+
+- name: Dump information
+ ansible.builtin.debug:
+ var: result
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | The CSR’s authority cert issuer as a list of general names. +Is See Returned: success +Sample: |
+
| + | The CSR’s authority cert serial number. +Is This return value is an integer. If you need the serial numbers as a colon-separated hex string, such as Returned: success +Sample: |
+
| + | The CSR’s authority key identifier. +The identifier is returned in hexadecimal, with Is Returned: success +Sample: |
+
| + | Entries in the Returned: success +Sample: |
+
| + | Whether the Returned: success + |
+
| + | Entries in the Returned: success +Sample: |
+
| + | Whether the Returned: success + |
+
| + | Returns a dictionary for every extension OID +Returned: success +Sample: |
+
| + | Whether the extension is critical. +Returned: success + |
+
| + | The Base64 encoded value (in DER format) of the extension. +Note that depending on the Returned: success +Sample: |
+
| + | Entries in the Returned: success +Sample: |
+
| + | Whether the Returned: success + |
+
| + | Whether the Is Returned: success + |
+
| + | List of excluded subtrees the CA cannot sign certificates for. +Is See Returned: success +Sample: |
+
| + | List of permitted subtrees to sign certificates for. +Returned: success +Sample: |
+
| + |
Returned: success + |
+
| + | Whether the Returned: success + |
+
| + | CSR’s public key in PEM format +Returned: success +Sample: |
+
| + | Public key data. Depends on the public key’s type. +Returned: success + |
+
| + | The curve’s name for ECC. +Returned: When |
+
| + | The RSA key’s public exponent. +Returned: When |
+
| + | The maximum number of bits of a private key. This is basically the bit size of the subgroup used. +Returned: When |
+
| + | The This is the element spanning the subgroup of the multiplicative group of the prime field used. +Returned: When |
+
| + | The RSA key’s modulus. +Returned: When |
+
| + | The This is the prime modulus upon which arithmetic takes place. +Returned: When |
+
| + | The This is a prime that divides Returned: When |
+
| + | Bit size of modulus (RSA) or prime number (DSA). +Returned: When |
+
| + | The Returned: When |
+
| + | For For Returned: When |
+
| + | Fingerprints of CSR’s public key. +For every hash algorithm available, the fingerprint is computed. +Returned: success +Sample: |
+
| + | The CSR’s public key’s type. +One of Will start with Returned: success +Sample: |
+
| + | Whether the CSR’s signature is valid. +In case the check returns Returned: success + |
+
| + | The CSR’s subject as a dictionary. +Note that for repeated values, only the last one will be returned. +Returned: success +Sample: |
+
| + | Entries in the See Returned: success +Sample: |
+
| + | Whether the Returned: success + |
+
| + | The CSR’s subject key identifier. +The identifier is returned in hexadecimal, with Is Returned: success +Sample: |
+
| + | The CSR’s subject as an ordered list of tuples. +Returned: success +Sample: |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.openssl_csr.
Please note that the module regenerates an existing CSR if it does not match the module’s options, or if it seems to be corrupt. If you are concerned that this could overwrite your existing CSR, consider using the backup option.
This module allows one to (re)generate OpenSSL certificate signing requests.
This module supports the subjectAltName, keyUsage, extendedKeyUsage, basicConstraints and OCSP Must Staple extensions.
The below requirements are needed on the host that executes this module.
+cryptography >= 1.3
Parameter |
+Comments |
+
|---|---|
| + | The attributes the resulting filesystem object should have. +To get supported flags look at the man page for chattr on the target system. +This string should contain the attributes in the same order as the one displayed by lsattr. +The |
+
| + | Names that will be present in the authority cert issuer field of the certificate signing request. +Values must be prefixed by their options. (That is, Example: If specified, Please note that commercial CAs ignore this value, respectively use a value of their own choice. Specifying this option is mostly useful for self-signed certificates or for own CAs. +Note that this is only supported if the The |
+
| + | The authority cert serial number. +If specified, Note that this is only supported if the Please note that commercial CAs ignore this value, respectively use a value of their own choice. Specifying this option is mostly useful for self-signed certificates or for own CAs. +The This option accepts an integer. If you want to provide serial numbers as colon-separated hex strings, such as |
+
| + | The authority key identifier as a hex string, where two bytes are separated by colons. +Example: Please note that commercial CAs ignore this value, respectively use a value of their own choice. Specifying this option is mostly useful for self-signed certificates or for own CAs. +Note that this is only supported if the The |
+
| + | Create a backup file including a timestamp so you can get the original CSR back if you overwrote it with a new one by accident. +Choices: +
|
+
| + | Indicates basic constraints, such as if the certificate is a CA. + |
+
| + | Should the basicConstraints extension be considered as critical. +Choices: +
|
+
| + | The commonName field of the certificate signing request subject. + |
+
| + | The countryName field of the certificate signing request subject. + |
+
| + | Create the Subject Key Identifier from the public key. +Please note that commercial CAs can ignore the value, respectively use a value of their own choice instead. Specifying this option is mostly useful for self-signed certificates or for own CAs. +Note that this is only supported if the Choices: +
|
+
| + | Allows to specify one or multiple CRL distribution points. +Only supported by the |
+
| + | Information about the issuer of the CRL. + |
+
| + | Describes how the CRL can be retrieved. +Mutually exclusive with Example: |
+
| + | List of reasons that this distribution point can be used for when performing revocation checks. +Choices: +
|
+
| + | Describes how the CRL can be retrieved relative to the CRL issuer. +Mutually exclusive with Example: Can only be used when cryptography >= 1.6 is installed. + |
+
| + | The digest used when signing the certificate signing request with the private key. +Default: |
+
| + | The emailAddress field of the certificate signing request subject. + |
+
| + | Additional restrictions (for example client authentication, server authentication) on the allowed purposes for which the public key may be used. + |
+
| + | Should the extkeyUsage extension be considered as critical. +Choices: +
|
+
| + | Should the certificate signing request be forced regenerated by this ansible module. +Choices: +
|
+
| + | Name of the group that should own the filesystem object, as would be fed to chown. +When left unspecified, it uses the current group of the current user unless you are root, in which case it can preserve the previous ownership. + |
+
| + | This defines the purpose (for example encipherment, signature, certificate signing) of the key contained in the certificate. + |
+
| + | Should the keyUsage extension be considered as critical. +Choices: +
|
+
| + | The localityName field of the certificate signing request subject. + |
+
| + | The permissions the resulting filesystem object should have. +For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must give Ansible enough information to parse them correctly. For consistent results, quote octal numbers (for example, Giving Ansible a number without following either of these rules will end up with a decimal number which will have unexpected results. +As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, If If Specifying |
+
| + | Should the Name Constraints extension be considered as critical. +Choices: +
|
+
| + | For CA certificates, this specifies a list of identifiers which describe subtrees of names that this CA is not allowed to issue certificates for. +Values must be prefixed by their options. (That is, |
+
| + | For CA certificates, this specifies a list of identifiers which describe subtrees of names that this CA is allowed to issue certificates for. +Values must be prefixed by their options. (That is, |
+
| + | Indicates that the certificate should contain the OCSP Must Staple extension (https://tools.ietf.org/html/rfc7633). +Choices: +
|
+
| + | Should the OCSP Must Staple extension be considered as critical. +Note that according to the RFC, this extension should not be marked as critical, as old clients not knowing about OCSP Must Staple are required to reject such certificates (see https://tools.ietf.org/html/rfc7633#section-4). +Choices: +
|
+
| + | The organizationName field of the certificate signing request subject. + |
+
| + | The organizationalUnitName field of the certificate signing request subject. + |
+
| + | Name of the user that should own the filesystem object, as would be fed to chown. +When left unspecified, it uses the current user unless you are root, in which case it can preserve the previous ownership. +Specifying a numeric username will be assumed to be a user ID and not a username. Avoid numeric usernames to avoid this confusion. + |
+
| + | The name of the file into which the generated OpenSSL certificate signing request will be written. + |
+
| + | The content of the private key to use when signing the certificate signing request. +Either |
+
| + | The passphrase for the private key. +This is required if the private key is password protected. + |
+
| + | The path to the private key to use when signing the certificate signing request. +Either |
+
| + | If set to Choices: +
|
+
| + | Determines which crypto backend to use. +The default choice is If set to Choices: +
|
+
| + | The level part of the SELinux filesystem object context. +This is the MLS/MCS attribute, sometimes known as the When set to |
+
| + | The role part of the SELinux filesystem object context. +When set to |
+
| + | The type part of the SELinux filesystem object context. +When set to |
+
| + | The user part of the SELinux filesystem object context. +By default it uses the When set to |
+
| + | Whether the certificate signing request should exist or not, taking action if the state is different from what is stated. +Choices: +
|
+
| + | The stateOrProvinceName field of the certificate signing request subject. + |
+
| + | Key/value pairs that will be present in the subject name field of the certificate signing request. +If you need to specify more than one value with the same key, use a list as value. +If the order of the components is important, use Mutually exclusive with |
+
| + | Subject Alternative Name (SAN) extension to attach to the certificate signing request. +Values must be prefixed by their options. (These are Note that if no SAN is specified, but a common name, the common name will be added as a SAN except if More at https://tools.ietf.org/html/rfc5280#section-4.2.1.6. + |
+
| + | Should the subjectAltName extension be considered as critical. +Choices: +
|
+
| + | The subject key identifier as a hex string, where two bytes are separated by colons. +Example: Please note that commercial CAs ignore this value, respectively use a value of their own choice. Specifying this option is mostly useful for self-signed certificates or for own CAs. +Note that this option can only be used if Note that this is only supported if the |
+
| + | A list of dictionaries, where every dictionary must contain one key/value pair. This key/value pair will be present in the subject name field of the certificate signing request. +If you want to specify more than one value with the same key in a row, you can use a list as value. +Mutually exclusive with |
+
| + | Influence when to use atomic operation to prevent data corruption or inconsistent reads from the target filesystem object. +By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target filesystem objects, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted filesystem objects, which cannot be updated atomically from inside the container and can only be written in an unsafe manner. +This option allows Ansible to fall back to unsafe methods of updating filesystem objects when atomic operations fail (however, it doesn’t force Ansible to perform unsafe writes). +IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption. +Choices: +
|
+
| + | If set to Choices: +
|
+
| + | The version of the certificate signing request. +The only allowed value according to RFC 2986 is 1. +This option no longer accepts unsupported values since community.crypto 2.0.0. +Choices: +
|
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full + |
+Can run in |
+
| + | Support: full + |
+Will return details on what has changed (or possibly needs changing in |
+
| + | Support: full + |
+Uses Ansible’s strict file operation functions to ensure proper permissions and avoid data corruption. + |
+
Note
+If the certificate signing request already exists it will be checked whether subjectAltName, keyUsage, extendedKeyUsage and basicConstraints only contain the requested values, whether OCSP Must Staple is as requested, and if the request was signed by the given private key.
See also
+Generate OpenSSL Certificate Signing Request (CSR).
+Generate and/or check OpenSSL certificates.
+Generate and/or check OpenSSL certificates.
+Generate OpenSSL Diffie-Hellman Parameters.
+Generate OpenSSL PKCS#12 archive.
+Generate OpenSSL private keys.
+Generate OpenSSL private keys without disk access.
+Generate an OpenSSL public key from its private key.
+Provide information of OpenSSL Certificate Signing Requests (CSR).
+Convert a serial number as a colon-separated list of hex numbers to an integer.
+- name: Generate an OpenSSL Certificate Signing Request
+ community.crypto.openssl_csr:
+ path: /etc/ssl/csr/www.ansible.com.csr
+ privatekey_path: /etc/ssl/private/ansible.com.pem
+ common_name: www.ansible.com
+
+- name: Generate an OpenSSL Certificate Signing Request with an inline key
+ community.crypto.openssl_csr:
+ path: /etc/ssl/csr/www.ansible.com.csr
+ privatekey_content: "{{ private_key_content }}"
+ common_name: www.ansible.com
+
+- name: Generate an OpenSSL Certificate Signing Request with a passphrase protected private key
+ community.crypto.openssl_csr:
+ path: /etc/ssl/csr/www.ansible.com.csr
+ privatekey_path: /etc/ssl/private/ansible.com.pem
+ privatekey_passphrase: ansible
+ common_name: www.ansible.com
+
+- name: Generate an OpenSSL Certificate Signing Request with Subject information
+ community.crypto.openssl_csr:
+ path: /etc/ssl/csr/www.ansible.com.csr
+ privatekey_path: /etc/ssl/private/ansible.com.pem
+ country_name: FR
+ organization_name: Ansible
+ email_address: jdoe@ansible.com
+ common_name: www.ansible.com
+
+- name: Generate an OpenSSL Certificate Signing Request with subjectAltName extension
+ community.crypto.openssl_csr:
+ path: /etc/ssl/csr/www.ansible.com.csr
+ privatekey_path: /etc/ssl/private/ansible.com.pem
+ subject_alt_name: 'DNS:www.ansible.com,DNS:m.ansible.com'
+
+- name: Generate an OpenSSL CSR with subjectAltName extension with dynamic list
+ community.crypto.openssl_csr:
+ path: /etc/ssl/csr/www.ansible.com.csr
+ privatekey_path: /etc/ssl/private/ansible.com.pem
+ subject_alt_name: "{{ item.value | map('regex_replace', '^', 'DNS:') | list }}"
+ with_dict:
+ dns_server:
+ - www.ansible.com
+ - m.ansible.com
+
+- name: Force regenerate an OpenSSL Certificate Signing Request
+ community.crypto.openssl_csr:
+ path: /etc/ssl/csr/www.ansible.com.csr
+ privatekey_path: /etc/ssl/private/ansible.com.pem
+ force: true
+ common_name: www.ansible.com
+
+- name: Generate an OpenSSL Certificate Signing Request with special key usages
+ community.crypto.openssl_csr:
+ path: /etc/ssl/csr/www.ansible.com.csr
+ privatekey_path: /etc/ssl/private/ansible.com.pem
+ common_name: www.ansible.com
+ key_usage:
+ - digitalSignature
+ - keyAgreement
+ extended_key_usage:
+ - clientAuth
+
+- name: Generate an OpenSSL Certificate Signing Request with OCSP Must Staple
+ community.crypto.openssl_csr:
+ path: /etc/ssl/csr/www.ansible.com.csr
+ privatekey_path: /etc/ssl/private/ansible.com.pem
+ common_name: www.ansible.com
+ ocsp_must_staple: true
+
+- name: Generate an OpenSSL Certificate Signing Request for WinRM Certificate authentication
+ community.crypto.openssl_csr:
+ path: /etc/ssl/csr/winrm.auth.csr
+ privatekey_path: /etc/ssl/private/winrm.auth.pem
+ common_name: username
+ extended_key_usage:
+ - clientAuth
+ subject_alt_name: otherName:1.3.6.1.4.1.311.20.2.3;UTF8:username@localhost
+
+- name: Generate an OpenSSL Certificate Signing Request with a CRL distribution point
+ community.crypto.openssl_csr:
+ path: /etc/ssl/csr/www.ansible.com.csr
+ privatekey_path: /etc/ssl/private/ansible.com.pem
+ common_name: www.ansible.com
+ crl_distribution_points:
+ - full_name:
+ - "URI:https://ca.example.com/revocations.crl"
+ crl_issuer:
+ - "URI:https://ca.example.com/"
+ reasons:
+ - key_compromise
+ - ca_compromise
+ - cessation_of_operation
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | Name of backup file created. +Returned: changed and if Sample: |
+
| + | Indicates if the certificate belongs to a CA +Returned: changed or success +Sample: |
+
| + | The (current or generated) CSR’s content. +Returned: if |
+
| + | Additional restriction on the public key purposes +Returned: changed or success +Sample: |
+
| + | Path to the generated Certificate Signing Request +Returned: changed or success +Sample: |
+
| + | Purpose for which the public key may be used +Returned: changed or success +Sample: |
+
| + | List of excluded subtrees the CA cannot sign certificates for. +Returned: changed or success +Sample: |
+
| + | List of permitted subtrees to sign certificates for. +Returned: changed or success +Sample: |
+
| + | Indicates whether the certificate has the OCSP Must Staple feature enabled +Returned: changed or success +Sample: |
+
| + | Path to the TLS/SSL private key the CSR was generated for +Will be Returned: changed or success +Sample: |
+
| + | A list of the subject tuples attached to the CSR +Returned: changed or success +Sample: |
+
| + | The alternative names this CSR is valid for +Returned: changed or success +Sample: |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.openssl_csr_pipe.
New in community.crypto 1.3.0
+ +Please note that the module regenerates an existing CSR if it does not match the module’s options, or if it seems to be corrupt.
This module allows one to (re)generate OpenSSL certificate signing requests.
This module supports the subjectAltName, keyUsage, extendedKeyUsage, basicConstraints and OCSP Must Staple extensions.
The below requirements are needed on the host that executes this module.
+cryptography >= 1.3
Parameter |
+Comments |
+
|---|---|
| + | Names that will be present in the authority cert issuer field of the certificate signing request. +Values must be prefixed by their options. (That is, Example: If specified, Please note that commercial CAs ignore this value, respectively use a value of their own choice. Specifying this option is mostly useful for self-signed certificates or for own CAs. +Note that this is only supported if the The |
+
| + | The authority cert serial number. +If specified, Note that this is only supported if the Please note that commercial CAs ignore this value, respectively use a value of their own choice. Specifying this option is mostly useful for self-signed certificates or for own CAs. +The This option accepts an integer. If you want to provide serial numbers as colon-separated hex strings, such as |
+
| + | The authority key identifier as a hex string, where two bytes are separated by colons. +Example: Please note that commercial CAs ignore this value, respectively use a value of their own choice. Specifying this option is mostly useful for self-signed certificates or for own CAs. +Note that this is only supported if the The |
+
| + | Indicates basic constraints, such as if the certificate is a CA. + |
+
| + | Should the basicConstraints extension be considered as critical. +Choices: +
|
+
| + | The commonName field of the certificate signing request subject. + |
+
| + | The existing CSR. + |
+
| + | The countryName field of the certificate signing request subject. + |
+
| + | Create the Subject Key Identifier from the public key. +Please note that commercial CAs can ignore the value, respectively use a value of their own choice instead. Specifying this option is mostly useful for self-signed certificates or for own CAs. +Note that this is only supported if the Choices: +
|
+
| + | Allows to specify one or multiple CRL distribution points. +Only supported by the |
+
| + | Information about the issuer of the CRL. + |
+
| + | Describes how the CRL can be retrieved. +Mutually exclusive with Example: |
+
| + | List of reasons that this distribution point can be used for when performing revocation checks. +Choices: +
|
+
| + | Describes how the CRL can be retrieved relative to the CRL issuer. +Mutually exclusive with Example: Can only be used when cryptography >= 1.6 is installed. + |
+
| + | The digest used when signing the certificate signing request with the private key. +Default: |
+
| + | The emailAddress field of the certificate signing request subject. + |
+
| + | Additional restrictions (for example client authentication, server authentication) on the allowed purposes for which the public key may be used. + |
+
| + | Should the extkeyUsage extension be considered as critical. +Choices: +
|
+
| + | This defines the purpose (for example encipherment, signature, certificate signing) of the key contained in the certificate. + |
+
| + | Should the keyUsage extension be considered as critical. +Choices: +
|
+
| + | The localityName field of the certificate signing request subject. + |
+
| + | Should the Name Constraints extension be considered as critical. +Choices: +
|
+
| + | For CA certificates, this specifies a list of identifiers which describe subtrees of names that this CA is not allowed to issue certificates for. +Values must be prefixed by their options. (That is, |
+
| + | For CA certificates, this specifies a list of identifiers which describe subtrees of names that this CA is allowed to issue certificates for. +Values must be prefixed by their options. (That is, |
+
| + | Indicates that the certificate should contain the OCSP Must Staple extension (https://tools.ietf.org/html/rfc7633). +Choices: +
|
+
| + | Should the OCSP Must Staple extension be considered as critical. +Note that according to the RFC, this extension should not be marked as critical, as old clients not knowing about OCSP Must Staple are required to reject such certificates (see https://tools.ietf.org/html/rfc7633#section-4). +Choices: +
|
+
| + | The organizationName field of the certificate signing request subject. + |
+
| + | The organizationalUnitName field of the certificate signing request subject. + |
+
| + | The content of the private key to use when signing the certificate signing request. +Either |
+
| + | The passphrase for the private key. +This is required if the private key is password protected. + |
+
| + | The path to the private key to use when signing the certificate signing request. +Either |
+
| + | Determines which crypto backend to use. +The default choice is If set to Choices: +
|
+
| + | The stateOrProvinceName field of the certificate signing request subject. + |
+
| + | Key/value pairs that will be present in the subject name field of the certificate signing request. +If you need to specify more than one value with the same key, use a list as value. +If the order of the components is important, use Mutually exclusive with |
+
| + | Subject Alternative Name (SAN) extension to attach to the certificate signing request. +Values must be prefixed by their options. (These are Note that if no SAN is specified, but a common name, the common name will be added as a SAN except if More at https://tools.ietf.org/html/rfc5280#section-4.2.1.6. + |
+
| + | Should the subjectAltName extension be considered as critical. +Choices: +
|
+
| + | The subject key identifier as a hex string, where two bytes are separated by colons. +Example: Please note that commercial CAs ignore this value, respectively use a value of their own choice. Specifying this option is mostly useful for self-signed certificates or for own CAs. +Note that this option can only be used if Note that this is only supported if the |
+
| + | A list of dictionaries, where every dictionary must contain one key/value pair. This key/value pair will be present in the subject name field of the certificate signing request. +If you want to specify more than one value with the same key in a row, you can use a list as value. +Mutually exclusive with |
+
| + | If set to Choices: +
|
+
| + | The version of the certificate signing request. +The only allowed value according to RFC 2986 is 1. +This option no longer accepts unsupported values since community.crypto 2.0.0. +Choices: +
|
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full +Currently in check mode, private keys will not be (re-)generated, only the changed status is set. This will change in community.crypto 3.0.0. +From community.crypto 3.0.0 on, the module will ignore check mode and always behave as if check mode is not active. If you think this breaks your use-case of this module, please create an issue in the community.crypto repository. + |
+Can run in |
+
| + | Support: full + |
+Will return details on what has changed (or possibly needs changing in |
+
Note
+If the certificate signing request already exists it will be checked whether subjectAltName, keyUsage, extendedKeyUsage and basicConstraints only contain the requested values, whether OCSP Must Staple is as requested, and if the request was signed by the given private key.
See also
+Generate OpenSSL Certificate Signing Request (CSR).
+Generate and/or check OpenSSL certificates.
+Generate and/or check OpenSSL certificates.
+Generate OpenSSL Diffie-Hellman Parameters.
+Generate OpenSSL PKCS#12 archive.
+Generate OpenSSL private keys.
+Generate OpenSSL private keys without disk access.
+Generate an OpenSSL public key from its private key.
+Provide information of OpenSSL Certificate Signing Requests (CSR).
+Convert a serial number as a colon-separated list of hex numbers to an integer.
+- name: Generate an OpenSSL Certificate Signing Request
+ community.crypto.openssl_csr_pipe:
+ privatekey_path: /etc/ssl/private/ansible.com.pem
+ common_name: www.ansible.com
+ register: result
+- name: Print CSR
+ ansible.builtin.debug:
+ var: result.csr
+
+- name: Generate an OpenSSL Certificate Signing Request with an inline CSR
+ community.crypto.openssl_csr:
+ content: "{{ lookup('ansible.builtin.file', '/etc/ssl/csr/www.ansible.com.csr') }}"
+ privatekey_content: "{{ private_key_content }}"
+ common_name: www.ansible.com
+ register: result
+- name: Store CSR
+ ansible.builtin.copy:
+ dest: /etc/ssl/csr/www.ansible.com.csr
+ content: "{{ result.csr }}"
+ when: result is changed
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | Indicates if the certificate belongs to a CA +Returned: changed or success +Sample: |
+
| + | The (current or generated) CSR’s content. +Returned: changed or success + |
+
| + | Additional restriction on the public key purposes +Returned: changed or success +Sample: |
+
| + | Purpose for which the public key may be used +Returned: changed or success +Sample: |
+
| + | List of excluded subtrees the CA cannot sign certificates for. +Returned: changed or success +Sample: |
+
| + | List of permitted subtrees to sign certificates for. +Returned: changed or success +Sample: |
+
| + | Indicates whether the certificate has the OCSP Must Staple feature enabled +Returned: changed or success +Sample: |
+
| + | Path to the TLS/SSL private key the CSR was generated for +Will be Returned: changed or success +Sample: |
+
| + | A list of the subject tuples attached to the CSR +Returned: changed or success +Sample: |
+
| + | The alternative names this CSR is valid for +Returned: changed or success +Sample: |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.openssl_dhparam.
This module allows one to (re)generate OpenSSL DH-params.
This module uses file common arguments to specify generated file permissions.
Please note that the module regenerates existing DH params if they do not match the module’s options. If you are concerned that this could overwrite your existing DH params, consider using the backup option.
The module can use the cryptography Python library, or the openssl executable. By default, it tries to detect which one is available. This can be overridden with the select_crypto_backend option.
The below requirements are needed on the host that executes this module.
+Either cryptography >= 2.0
Or OpenSSL binary openssl
Parameter |
+Comments |
+
|---|---|
| + | The attributes the resulting filesystem object should have. +To get supported flags look at the man page for chattr on the target system. +This string should contain the attributes in the same order as the one displayed by lsattr. +The |
+
| + | Create a backup file including a timestamp so you can get the original DH params back if you overwrote them with new ones by accident. +Choices: +
|
+
| + | Should the parameters be regenerated even it it already exists. +Choices: +
|
+
| + | Name of the group that should own the filesystem object, as would be fed to chown. +When left unspecified, it uses the current group of the current user unless you are root, in which case it can preserve the previous ownership. + |
+
| + | The permissions the resulting filesystem object should have. +For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must give Ansible enough information to parse them correctly. For consistent results, quote octal numbers (for example, Giving Ansible a number without following either of these rules will end up with a decimal number which will have unexpected results. +As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, If If Specifying |
+
| + | Name of the user that should own the filesystem object, as would be fed to chown. +When left unspecified, it uses the current user unless you are root, in which case it can preserve the previous ownership. +Specifying a numeric username will be assumed to be a user ID and not a username. Avoid numeric usernames to avoid this confusion. + |
+
| + | Name of the file in which the generated parameters will be saved. + |
+
| + | If set to Choices: +
|
+
| + | Determines which crypto backend to use. +The default choice is If set to If set to Choices: +
|
+
| + | The level part of the SELinux filesystem object context. +This is the MLS/MCS attribute, sometimes known as the When set to |
+
| + | The role part of the SELinux filesystem object context. +When set to |
+
| + | The type part of the SELinux filesystem object context. +When set to |
+
| + | The user part of the SELinux filesystem object context. +By default it uses the When set to |
+
| + | Size (in bits) of the generated DH-params. +Default: |
+
| + | Whether the parameters should exist or not, taking action if the state is different from what is stated. +Choices: +
|
+
| + | Influence when to use atomic operation to prevent data corruption or inconsistent reads from the target filesystem object. +By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target filesystem objects, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted filesystem objects, which cannot be updated atomically from inside the container and can only be written in an unsafe manner. +This option allows Ansible to fall back to unsafe methods of updating filesystem objects when atomic operations fail (however, it doesn’t force Ansible to perform unsafe writes). +IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption. +Choices: +
|
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full + |
+Can run in |
+
| + | Support: none + |
+Will return details on what has changed (or possibly needs changing in |
+
| + | Support: full + |
+Uses Ansible’s strict file operation functions to ensure proper permissions and avoid data corruption. + |
+
See also
+Generate and/or check OpenSSL certificates.
+Generate OpenSSL Certificate Signing Request (CSR).
+Generate OpenSSL PKCS#12 archive.
+Generate OpenSSL private keys.
+Generate an OpenSSL public key from its private key.
+- name: Generate Diffie-Hellman parameters with the default size (4096 bits)
+ community.crypto.openssl_dhparam:
+ path: /etc/ssl/dhparams.pem
+
+- name: Generate DH Parameters with a different size (2048 bits)
+ community.crypto.openssl_dhparam:
+ path: /etc/ssl/dhparams.pem
+ size: 2048
+
+- name: Force regenerate an DH parameters if they already exist
+ community.crypto.openssl_dhparam:
+ path: /etc/ssl/dhparams.pem
+ force: true
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | Name of backup file created. +Returned: changed and if Sample: |
+
| + | The (current or generated) DH params’ content. +Returned: if |
+
| + | Path to the generated Diffie-Hellman parameters. +Returned: changed or success +Sample: |
+
| + | Size (in bits) of the Diffie-Hellman parameters. +Returned: changed or success +Sample: |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.openssl_pkcs12.
This module allows one to (re-)generate PKCS#12.
The module can use the cryptography Python library, or the pyOpenSSL Python library. By default, it tries to detect which one is available, assuming none of the iter_size and maciter_size options are used. This can be overridden with the select_crypto_backend option.
The below requirements are needed on the host that executes this module.
+PyOpenSSL >= 0.15, < 23.3.0 or cryptography >= 3.0
Parameter |
+Comments |
+
|---|---|
| + |
Choices: +
|
+
| + | The attributes the resulting filesystem object should have. +To get supported flags look at the man page for chattr on the target system. +This string should contain the attributes in the same order as the one displayed by lsattr. +The |
+
| + | Create a backup file including a timestamp so you can get the original output file back if you overwrote it with a new one by accident. +Choices: +
|
+
| + | The path to read certificates and private keys from. +Must be in PEM format. + |
+
| + | Determines the encryption level used. +
Note that this option is not used for idempotency. +Choices: +
|
+
| + | Should the file be regenerated even if it already exists. +Choices: +
|
+
| + | Specifies the friendly name for the certificate and private key. + |
+
| + | Name of the group that should own the filesystem object, as would be fed to chown. +When left unspecified, it uses the current group of the current user unless you are root, in which case it can preserve the previous ownership. + |
+
| + | Number of times to repeat the encryption step. +This is not considered during idempotency checks. +This is only used by the When using it, the default is |
+
| + | Number of times to repeat the MAC step. +This is not considered during idempotency checks. +This is only used by the |
+
| + | The permissions the resulting filesystem object should have. +For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must give Ansible enough information to parse them correctly. For consistent results, quote octal numbers (for example, Giving Ansible a number without following either of these rules will end up with a decimal number which will have unexpected results. +As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, If If Specifying |
+
| + | List of other certificates to include. Pre Ansible 2.8 this parameter was called Assumes there is one PEM-encoded certificate per file. If a file contains multiple PEM certificates, set |
+
| + | If set to Choices: +
|
+
| + | Name of the user that should own the filesystem object, as would be fed to chown. +When left unspecified, it uses the current user unless you are root, in which case it can preserve the previous ownership. +Specifying a numeric username will be assumed to be a user ID and not a username. Avoid numeric usernames to avoid this confusion. + |
+
| + | The PKCS#12 password. +Note: PKCS12 encryption is not secure and should not be used as a security mechanism. If you need to store or send a PKCS12 file safely, you should additionally encrypt it with something else. + |
+
| + | Filename to write the PKCS#12 file to. + |
+
| + | Content of the private key file. +Mutually exclusive with |
+
| + | Passphrase source to decrypt any input private keys with. + |
+
| + | File to read private key from. +Mutually exclusive with |
+
| + | If set to Choices: +
|
+
| + | Determines which crypto backend to use. +The default choice is If set to If set to Choices: +
|
+
| + | The level part of the SELinux filesystem object context. +This is the MLS/MCS attribute, sometimes known as the When set to |
+
| + | The role part of the SELinux filesystem object context. +When set to |
+
| + | The type part of the SELinux filesystem object context. +When set to |
+
| + | The user part of the SELinux filesystem object context. +By default it uses the When set to |
+
| + | PKCS#12 file path to parse. + |
+
| + | Whether the file should exist or not. All parameters except Choices: +
|
+
| + | Influence when to use atomic operation to prevent data corruption or inconsistent reads from the target filesystem object. +By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target filesystem objects, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted filesystem objects, which cannot be updated atomically from inside the container and can only be written in an unsafe manner. +This option allows Ansible to fall back to unsafe methods of updating filesystem objects when atomic operations fail (however, it doesn’t force Ansible to perform unsafe writes). +IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption. +Choices: +
|
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full + |
+Can run in |
+
| + | Support: none + |
+Will return details on what has changed (or possibly needs changing in |
+
| + | Support: full + |
+Uses Ansible’s strict file operation functions to ensure proper permissions and avoid data corruption. + |
+
See also
+Generate and/or check OpenSSL certificates.
+Generate OpenSSL Certificate Signing Request (CSR).
+Generate OpenSSL Diffie-Hellman Parameters.
+Generate OpenSSL private keys.
+Generate an OpenSSL public key from its private key.
+- name: Generate PKCS#12 file
+ community.crypto.openssl_pkcs12:
+ action: export
+ path: /opt/certs/ansible.p12
+ friendly_name: raclette
+ privatekey_path: /opt/certs/keys/key.pem
+ certificate_path: /opt/certs/cert.pem
+ other_certificates: /opt/certs/ca.pem
+ # Note that if /opt/certs/ca.pem contains multiple certificates,
+ # only the first one will be used. See the other_certificates_parse_all
+ # option for changing this behavior.
+ state: present
+
+- name: Generate PKCS#12 file
+ community.crypto.openssl_pkcs12:
+ action: export
+ path: /opt/certs/ansible.p12
+ friendly_name: raclette
+ privatekey_content: '{{ private_key_contents }}'
+ certificate_path: /opt/certs/cert.pem
+ other_certificates_parse_all: true
+ other_certificates:
+ - /opt/certs/ca_bundle.pem
+ # Since we set other_certificates_parse_all to true, all
+ # certificates in the CA bundle are included and not just
+ # the first one.
+ - /opt/certs/intermediate.pem
+ # In case this file has multiple certificates in it,
+ # all will be included as well.
+ state: present
+
+- name: Change PKCS#12 file permission
+ community.crypto.openssl_pkcs12:
+ action: export
+ path: /opt/certs/ansible.p12
+ friendly_name: raclette
+ privatekey_path: /opt/certs/keys/key.pem
+ certificate_path: /opt/certs/cert.pem
+ other_certificates: /opt/certs/ca.pem
+ state: present
+ mode: '0600'
+
+- name: Regen PKCS#12 file
+ community.crypto.openssl_pkcs12:
+ action: export
+ src: /opt/certs/ansible.p12
+ path: /opt/certs/ansible.p12
+ friendly_name: raclette
+ privatekey_path: /opt/certs/keys/key.pem
+ certificate_path: /opt/certs/cert.pem
+ other_certificates: /opt/certs/ca.pem
+ state: present
+ mode: '0600'
+ force: true
+
+- name: Dump/Parse PKCS#12 file
+ community.crypto.openssl_pkcs12:
+ action: parse
+ src: /opt/certs/ansible.p12
+ path: /opt/certs/ansible.pem
+ state: present
+
+- name: Remove PKCS#12 file
+ community.crypto.openssl_pkcs12:
+ path: /opt/certs/ansible.p12
+ state: absent
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | Name of backup file created. +Returned: changed and if Sample: |
+
| + | Path to the generate PKCS#12 file. +Returned: changed or success +Sample: |
+
| + | The (current or generated) PKCS#12’s content Base64 encoded. +Returned: if |
+
| + | Path to the TLS/SSL private key the public key was generated from. +Returned: changed or success +Sample: |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.openssl_privatekey_convert.
New in community.crypto 2.1.0
+ +This module allows one to convert OpenSSL private keys.
The default mode for the private key file will be 0600 if mode is not explicitly set.
The below requirements are needed on the host that executes this module.
+cryptography >= 1.2.3 (older versions might work as well)
Parameter |
+Comments |
+
|---|---|
| + | The attributes the resulting filesystem object should have. +To get supported flags look at the man page for chattr on the target system. +This string should contain the attributes in the same order as the one displayed by lsattr. +The |
+
| + | Create a backup file including a timestamp so you can get the original private key back if you overwrote it with a new one by accident. +Choices: +
|
+
| + | The passphrase for the private key to store. + |
+
| + | Name of the file in which the generated TLS/SSL private key will be written. It will have |
+
| + | Determines which format the destination private key should be written in. +Please note that not every key can be exported in any format, and that not every format supports encryption. +Choices: +
|
+
| + | Name of the group that should own the filesystem object, as would be fed to chown. +When left unspecified, it uses the current group of the current user unless you are root, in which case it can preserve the previous ownership. + |
+
| + | The permissions the resulting filesystem object should have. +For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must give Ansible enough information to parse them correctly. For consistent results, quote octal numbers (for example, Giving Ansible a number without following either of these rules will end up with a decimal number which will have unexpected results. +As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, If If Specifying |
+
| + | Name of the user that should own the filesystem object, as would be fed to chown. +When left unspecified, it uses the current user unless you are root, in which case it can preserve the previous ownership. +Specifying a numeric username will be assumed to be a user ID and not a username. Avoid numeric usernames to avoid this confusion. + |
+
| + | The level part of the SELinux filesystem object context. +This is the MLS/MCS attribute, sometimes known as the When set to |
+
| + | The role part of the SELinux filesystem object context. +When set to |
+
| + | The type part of the SELinux filesystem object context. +When set to |
+
| + | The user part of the SELinux filesystem object context. +By default it uses the When set to |
+
| + | The content of the file containing the OpenSSL private key to convert. +Exactly one of |
+
| + | The passphrase for the private key to load. + |
+
| + | Name of the file containing the OpenSSL private key to convert. +Exactly one of |
+
| + | Influence when to use atomic operation to prevent data corruption or inconsistent reads from the target filesystem object. +By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target filesystem objects, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted filesystem objects, which cannot be updated atomically from inside the container and can only be written in an unsafe manner. +This option allows Ansible to fall back to unsafe methods of updating filesystem objects when atomic operations fail (however, it doesn’t force Ansible to perform unsafe writes). +IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption. +Choices: +
|
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full + |
+Can run in |
+
| + | Support: none + |
+Will return details on what has changed (or possibly needs changing in |
+
| + | Support: full + |
+Uses Ansible’s strict file operation functions to ensure proper permissions and avoid data corruption. + |
+
See also
+Generate OpenSSL private keys.
+Generate OpenSSL private keys without disk access.
+Generate an OpenSSL public key from its private key.
+- name: Convert private key to PKCS8 format with passphrase
+ community.crypto.openssl_privatekey_convert:
+ src_path: /etc/ssl/private/ansible.com.pem
+ dest_path: /etc/ssl/private/ansible.com.key
+ dest_passphrase: '{{ private_key_passphrase }}'
+ format: pkcs8
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | Name of backup file created. +Returned: changed and if Sample: |
+
+ Note
+This filter plugin is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this filter plugin,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.openssl_privatekey_info.
New in community.crypto 2.10.0
+ +Provided an OpenSSL private keys, retrieve information.
This is a filter version of the community.crypto.openssl_privatekey_info module.
The below requirements are needed on the local controller node that executes this filter.
+If name_encoding is set to another value than ignore, the idna Python library needs to be installed.
This describes the input of the filter, the value before | community.crypto.openssl_privatekey_info.
Parameter |
+Comments |
+
|---|---|
| + | The content of the OpenSSL private key. + |
+
This describes keyword parameters of the filter. These are the values key1=value1, key2=value2 and so on in the following
+example: input | community.crypto.openssl_privatekey_info(key1=value1, key2=value2, ...)
Parameter |
+Comments |
+
|---|---|
| + | How to encode names (DNS names, URIs, email addresses) in return values. +
Note that Choices: +
|
+
| + | The passphrase for the private key. + |
+
| + | Whether to return private key data. +Only set this to WARNING: you have to make sure that private key data is not accidentally logged! +Choices: +
|
+
See also
+Provide information for OpenSSL private keys.
+- name: Show the Subject Alt Names of the CSR
+ ansible.builtin.debug:
+ msg: >-
+ {{
+ (
+ lookup('ansible.builtin.file', '/path/to/cert.csr')
+ | community.crypto.openssl_privatekey_info
+ ).subject_alt_name | join(', ')
+ }}
+Key |
+Description |
+
|---|---|
| + | Information on the certificate. +Returned: success + |
+
| + | Private key data. Depends on key type. +Returned: success and when |
+
| + | Public key data. Depends on key type. +Returned: success + |
+
| + | The curve’s name for ECC. +Returned: When |
+
| + | The RSA key’s public exponent. +Returned: When |
+
| + | The maximum number of bits of a private key. This is basically the bit size of the subgroup used. +Returned: When |
+
| + | The This is the element spanning the subgroup of the multiplicative group of the prime field used. +Returned: When |
+
| + | The RSA key’s modulus. +Returned: When |
+
| + | The This is the prime modulus upon which arithmetic takes place. +Returned: When |
+
| + | The This is a prime that divides Returned: When |
+
| + | Bit size of modulus (RSA) or prime number (DSA). +Returned: When |
+
| + | The Returned: When |
+
| + | For For Returned: When |
+
| + | Private key’s public key in PEM format. +Returned: success +Sample: |
+
| + | Fingerprints of private key’s public key. +For every hash algorithm available, the fingerprint is computed. +Returned: success +Sample: |
+
| + | The key’s type. +One of Will start with Returned: success +Sample: |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.openssl_privatekey_info.
This module allows one to query information on OpenSSL private keys.
In case the key consistency checks fail, the module will fail as this indicates a faked private key. In this case, all return variables are still returned. Note that key consistency checks are not available all key types; if none is available, none is returned for key_is_consistent.
It uses the cryptography python library to interact with OpenSSL.
The below requirements are needed on the host that executes this module.
+cryptography >= 1.2.3
Parameter |
+Comments |
+
|---|---|
| + | Whether to check consistency of the private key. +In community.crypto < 2.0.0, consistency was always checked. +Since community.crypto 2.0.0, the consistency check has been disabled by default to avoid private key material to be transported around and computed with, and only do so when requested explicitly. This can potentially prevent side-channel attacks. +Note that consistency checks only work for certain key types, and might depend on the version of the cryptography library. For example, with cryptography 42.0.0 and newer consistency of RSA keys can no longer be checked. +Choices: +
|
+
| + | + |
| + | The passphrase for the private key. + |
+
| + | Remote absolute path where the private key file is loaded from. + |
+
| + | Whether to return private key data. +Only set this to WARNING: you have to make sure that private key data is not accidentally logged! +Choices: +
|
+
| + | Determines which crypto backend to use. +The default choice is If set to Choices: +
|
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full +This action does not modify state. + |
+Can run in |
+
| + | Support: N/A +This action does not modify state. + |
+Will return details on what has changed (or possibly needs changing in |
+
See also
+Generate OpenSSL private keys.
+Generate OpenSSL private keys without disk access.
+A filter variant of this module.
+- name: Generate an OpenSSL private key with the default values (4096 bits, RSA)
+ community.crypto.openssl_privatekey:
+ path: /etc/ssl/private/ansible.com.pem
+
+- name: Get information on generated key
+ community.crypto.openssl_privatekey_info:
+ path: /etc/ssl/private/ansible.com.pem
+ register: result
+
+- name: Dump information
+ ansible.builtin.debug:
+ var: result
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | Whether the module was able to load the private key from disk. +Returned: always + |
+
| + | Whether the module was able to parse the private key. +Returned: always + |
+
| + | Whether the key is consistent. Can also return In case the check returns Returned: when |
+
| + | Private key data. Depends on key type. +Returned: success and when |
+
| + | Public key data. Depends on key type. +Returned: success + |
+
| + | The curve’s name for ECC. +Returned: When |
+
| + | The RSA key’s public exponent. +Returned: When |
+
| + | The maximum number of bits of a private key. This is basically the bit size of the subgroup used. +Returned: When |
+
| + | The This is the element spanning the subgroup of the multiplicative group of the prime field used. +Returned: When |
+
| + | The RSA key’s modulus. +Returned: When |
+
| + | The This is the prime modulus upon which arithmetic takes place. +Returned: When |
+
| + | The This is a prime that divides Returned: When |
+
| + | + |
| + | The Returned: When |
+
| + | + |
| + | Private key’s public key in PEM format. +Returned: success +Sample: |
+
| + | Fingerprints of private key’s public key. +For every hash algorithm available, the fingerprint is computed. +Returned: success +Sample: |
+
| + | The key’s type. +One of Will start with Returned: success +Sample: |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.openssl_privatekey.
Keys are generated in PEM format.
Please note that the module regenerates private keys if they do not match the module’s options. In particular, if you provide another passphrase (or specify none), change the keysize, etc., the private key will be regenerated. If you are concerned that this could overwrite your private key, consider using the backup option.
The default mode for the private key file will be 0600 if mode is not explicitly set.
This module allows one to (re)generate OpenSSL private keys.
The below requirements are needed on the host that executes this module.
+cryptography >= 1.2.3 (older versions might work as well)
Parameter |
+Comments |
+
|---|---|
| + | The attributes the resulting filesystem object should have. +To get supported flags look at the man page for chattr on the target system. +This string should contain the attributes in the same order as the one displayed by lsattr. +The |
+
| + | Create a backup file including a timestamp so you can get the original private key back if you overwrote it with a new one by accident. +Choices: +
|
+
| + | The cipher to encrypt the private key. Must be |
+
| + | Note that not all curves are supported by all versions of For maximal interoperability, We use the curve names as defined in the IANA registry for TLS. +Please note that all curves except Choices: +
|
+
| + | Should the key be regenerated even if it already exists. +Choices: +
|
+
| + | Determines which format the private key is written in. By default, PKCS1 (traditional OpenSSL format) is used for all keys which support it. Please note that not every key can be exported in any format. +The value Note that if the format for an existing private key mismatches, the key is regenerated by default. To change this behavior, use the Choices: +
|
+
| + | Determines behavior of the module if the format of a private key does not match the expected format, but all other parameters are as expected. +If set to If set to Only supported by the Choices: +
|
+
| + | Name of the group that should own the filesystem object, as would be fed to chown. +When left unspecified, it uses the current group of the current user unless you are root, in which case it can preserve the previous ownership. + |
+
| + | The permissions the resulting filesystem object should have. +For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must give Ansible enough information to parse them correctly. For consistent results, quote octal numbers (for example, Giving Ansible a number without following either of these rules will end up with a decimal number which will have unexpected results. +As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, If If Specifying |
+
| + | Name of the user that should own the filesystem object, as would be fed to chown. +When left unspecified, it uses the current user unless you are root, in which case it can preserve the previous ownership. +Specifying a numeric username will be assumed to be a user ID and not a username. Avoid numeric usernames to avoid this confusion. + |
+
| + | The passphrase for the private key. + |
+
| + | Name of the file in which the generated TLS/SSL private key will be written. It will have |
+
| + | Allows to configure in which situations the module is allowed to regenerate private keys. The module will always generate a new key if the destination file does not exist. +By default, the key will be regenerated when it does not match the module’s options, except when the key cannot be read or the passphrase does not match. Please note that this changed for Ansible 2.10. For Ansible 2.9, the behavior was as if If set to If set to If set to If set to If set to Note that if Choices: +
|
+
| + | If set to Note that especially if the private key is not encrypted, you have to make sure that the returned value is treated appropriately and not accidentally written to logs etc.! Use with care! +Use Ansible’s Choices: +
|
+
| + | Determines which crypto backend to use. +The default choice is If set to Choices: +
|
+
| + | The level part of the SELinux filesystem object context. +This is the MLS/MCS attribute, sometimes known as the When set to |
+
| + | The role part of the SELinux filesystem object context. +When set to |
+
| + | The type part of the SELinux filesystem object context. +When set to |
+
| + | The user part of the SELinux filesystem object context. +By default it uses the When set to |
+
| + | Size (in bits) of the TLS/SSL key to generate. +Default: |
+
| + | Whether the private key should exist or not, taking action if the state is different from what is stated. +Choices: +
|
+
| + | The algorithm used to generate the TLS/SSL private key. +Note that Choices: +
|
+
| + | Influence when to use atomic operation to prevent data corruption or inconsistent reads from the target filesystem object. +By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target filesystem objects, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted filesystem objects, which cannot be updated atomically from inside the container and can only be written in an unsafe manner. +This option allows Ansible to fall back to unsafe methods of updating filesystem objects when atomic operations fail (however, it doesn’t force Ansible to perform unsafe writes). +IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption. +Choices: +
|
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full + |
+Can run in |
+
| + | Support: full + |
+Will return details on what has changed (or possibly needs changing in |
+
| + | Support: full + |
+Uses Ansible’s strict file operation functions to ensure proper permissions and avoid data corruption. + |
+
See also
+Generate OpenSSL private keys without disk access.
+Provide information for OpenSSL private keys.
+Generate and/or check OpenSSL certificates.
+Generate and/or check OpenSSL certificates.
+Generate OpenSSL Certificate Signing Request (CSR).
+Generate OpenSSL Certificate Signing Request (CSR).
+Generate OpenSSL Diffie-Hellman Parameters.
+Generate OpenSSL PKCS#12 archive.
+Generate an OpenSSL public key from its private key.
+- name: Generate an OpenSSL private key with the default values (4096 bits, RSA)
+ community.crypto.openssl_privatekey:
+ path: /etc/ssl/private/ansible.com.pem
+
+- name: Generate an OpenSSL private key with the default values (4096 bits, RSA) and a passphrase
+ community.crypto.openssl_privatekey:
+ path: /etc/ssl/private/ansible.com.pem
+ passphrase: ansible
+ cipher: auto
+
+- name: Generate an OpenSSL private key with a different size (2048 bits)
+ community.crypto.openssl_privatekey:
+ path: /etc/ssl/private/ansible.com.pem
+ size: 2048
+
+- name: Force regenerate an OpenSSL private key if it already exists
+ community.crypto.openssl_privatekey:
+ path: /etc/ssl/private/ansible.com.pem
+ force: true
+
+- name: Generate an OpenSSL private key with a different algorithm (DSA)
+ community.crypto.openssl_privatekey:
+ path: /etc/ssl/private/ansible.com.pem
+ type: DSA
+
+- name: Generate an OpenSSL private key with elliptic curve cryptography (ECC)
+ community.crypto.openssl_privatekey:
+ path: /etc/ssl/private/ansible.com.pem
+ type: ECC
+ curve: secp256r1
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | Name of backup file created. +Returned: changed and if Sample: |
+
| + | Elliptic curve used to generate the TLS/SSL private key. +Returned: changed or success, and Sample: |
+
| + | Path to the generated TLS/SSL private key file. +Returned: changed or success +Sample: |
+
| + | The fingerprint of the public key. Fingerprint will be generated for each Returned: changed or success +Sample: |
+
| + | The (current or generated) private key’s content. +Will be Base64-encoded if the key is in raw format. +Returned: if |
+
| + | Size (in bits) of the TLS/SSL private key. +Returned: changed or success +Sample: |
+
| + | Algorithm used to generate the TLS/SSL private key. +Returned: changed or success +Sample: |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.openssl_privatekey_pipe.
New in community.crypto 1.3.0
+ +Keys are generated in PEM format.
Make sure to not write the result of this module into logs or to the console, as it contains private key data! Use the no_log task option to be sure.
Note that this module is implemented as an action plugin and will always be executed on the controller.
This allows to read and write keys to vaults without having to write intermediate versions to disk.
This module allows one to (re)generate OpenSSL private keys without disk access.
Note
+This module has a corresponding action plugin.
+The below requirements are needed on the host that executes this module.
+cryptography >= 1.2.3 (older versions might work as well)
Parameter |
+Comments |
+
|---|---|
| + | The cipher to encrypt the private key. Must be |
+
| + | The current private key data. +Needed for idempotency. If not provided, the module will always return a change, and all idempotence-related options are ignored. + |
+
| + | Set to Choices: +
|
+
| + | Note that not all curves are supported by all versions of For maximal interoperability, We use the curve names as defined in the IANA registry for TLS. +Please note that all curves except Choices: +
|
+
| + | Determines which format the private key is written in. By default, PKCS1 (traditional OpenSSL format) is used for all keys which support it. Please note that not every key can be exported in any format. +The value Note that if the format for an existing private key mismatches, the key is regenerated by default. To change this behavior, use the Choices: +
|
+
| + | Determines behavior of the module if the format of a private key does not match the expected format, but all other parameters are as expected. +If set to If set to Only supported by the Choices: +
|
+
| + | The passphrase for the private key. + |
+
| + | Allows to configure in which situations the module is allowed to regenerate private keys. The module will always generate a new key if the destination file does not exist. +By default, the key will be regenerated when it does not match the module’s options, except when the key cannot be read or the passphrase does not match. Please note that this changed for Ansible 2.10. For Ansible 2.9, the behavior was as if If set to If set to If set to If set to If set to Note that if Choices: +
|
+
| + | Set to Note that in case of check mode, when this option is not set to Choices: +
|
+
| + | Determines which crypto backend to use. +The default choice is If set to Choices: +
|
+
| + | Size (in bits) of the TLS/SSL key to generate. +Default: |
+
| + | The algorithm used to generate the TLS/SSL private key. +Note that Choices: +
|
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full + |
+Indicates this has a corresponding action plugin so some parts of the options can be executed on the controller. + |
+
| + | Support: none +This action runs completely on the controller. + |
+Supports being used with the |
+
| + | Support: full +Currently in check mode, private keys will not be (re-)generated, only the changed status is set. This will change in community.crypto 3.0.0. +From community.crypto 3.0.0 on, the module will ignore check mode and always behave as if check mode is not active. If you think this breaks your use-case of this module, please create an issue in the community.crypto repository. + |
+Can run in |
+
| + | Support: full + |
+Will return details on what has changed (or possibly needs changing in |
+
See also
+Generate OpenSSL private keys.
+Provide information for OpenSSL private keys.
+Generate and/or check OpenSSL certificates.
+Generate and/or check OpenSSL certificates.
+Generate OpenSSL Certificate Signing Request (CSR).
+Generate OpenSSL Certificate Signing Request (CSR).
+Generate OpenSSL Diffie-Hellman Parameters.
+Generate OpenSSL PKCS#12 archive.
+Generate an OpenSSL public key from its private key.
+- name: Generate an OpenSSL private key with the default values (4096 bits, RSA)
+ community.crypto.openssl_privatekey_pipe:
+ register: output
+ no_log: true # make sure that private key data is not accidentally revealed in logs!
+- name: Show generated key
+ ansible.builtin.debug:
+ msg: "{{ output.privatekey }}"
+ # DO NOT OUTPUT KEY MATERIAL TO CONSOLE OR LOGS IN PRODUCTION!
+
+
+- name: Generate or update a Mozilla sops encrypted key
+ block:
+ - name: Update sops-encrypted key with the community.sops collection
+ community.crypto.openssl_privatekey_pipe:
+ content: "{{ lookup('community.sops.sops', 'private_key.pem.sops') }}"
+ size: 2048
+ register: output
+ no_log: true # make sure that private key data is not accidentally revealed in logs!
+
+ - name: Update encrypted key when openssl_privatekey_pipe reported a change
+ community.sops.sops_encrypt:
+ path: private_key.pem.sops
+ content_text: "{{ output.privatekey }}"
+ when: output is changed
+ always:
+ - name: Make sure that output (which contains the private key) is overwritten
+ ansible.builtin.set_fact:
+ output: ''
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | Elliptic curve used to generate the TLS/SSL private key. +Returned: changed or success, and Sample: |
+
| + | The fingerprint of the public key. Fingerprint will be generated for each Returned: changed or success +Sample: |
+
| + | The generated private key’s content. +Please note that if the result is not changed, the current private key will only be returned if the Will be Base64-encoded if the key is in raw format. +Returned: changed, or |
+
| + | Size (in bits) of the TLS/SSL private key. +Returned: changed or success +Sample: |
+
| + | Algorithm used to generate the TLS/SSL private key. +Returned: changed or success +Sample: |
+
+ Note
+This filter plugin is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
To use it in a playbook, specify: community.crypto.openssl_publickey_info.
New in community.crypto 2.10.0
+ +Provided a public key in OpenSSL PEM format, retrieve information.
This is a filter version of the community.crypto.openssl_publickey_info module.
This describes the input of the filter, the value before | community.crypto.openssl_publickey_info.
Parameter |
+Comments |
+
|---|---|
| + | The content of the OpenSSL PEM public key. + |
+
See also
+Provide information for OpenSSL public keys.
+- name: Show the type of a public key
+ ansible.builtin.debug:
+ msg: >-
+ {{
+ (
+ lookup('ansible.builtin.file', '/path/to/public-key.pem')
+ | community.crypto.openssl_publickey_info
+ ).type
+ }}
+Key |
+Description |
+
|---|---|
| + | Information on the public key. +Returned: success + |
+
| + | Fingerprints of public key. +For every hash algorithm available, the fingerprint is computed. +Returned: success +Sample: |
+
| + | Public key data. Depends on key type. +Returned: success + |
+
| + | The curve’s name for ECC. +Returned: When |
+
| + | The RSA key’s public exponent. +Returned: When |
+
| + | The maximum number of bits of a private key. This is basically the bit size of the subgroup used. +Returned: When |
+
| + | The This is the element spanning the subgroup of the multiplicative group of the prime field used. +Returned: When |
+
| + | The RSA key’s modulus. +Returned: When |
+
| + | The This is the prime modulus upon which arithmetic takes place. +Returned: When |
+
| + | The This is a prime that divides Returned: When |
+
| + | Bit size of modulus (RSA) or prime number (DSA). +Returned: When |
+
| + | The Returned: When |
+
| + | For For Returned: When |
+
| + | The key’s type. +One of Will start with Returned: success +Sample: |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.openssl_publickey_info.
New in community.crypto 1.7.0
+ +This module allows one to query information on OpenSSL public keys.
It uses the cryptography python library to interact with OpenSSL.
The below requirements are needed on the host that executes this module.
+cryptography >= 1.2.3
Parameter |
+Comments |
+
|---|---|
| + | + |
| + | Remote absolute path where the public key file is loaded from. + |
+
| + | Determines which crypto backend to use. +The default choice is If set to Choices: +
|
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full +This action does not modify state. + |
+Can run in |
+
| + | Support: N/A +This action does not modify state. + |
+Will return details on what has changed (or possibly needs changing in |
+
See also
+Generate an OpenSSL public key from its private key.
+Provide information for OpenSSL private keys.
+A filter variant of this module.
+- name: Generate an OpenSSL private key with the default values (4096 bits, RSA)
+ community.crypto.openssl_privatekey:
+ path: /etc/ssl/private/ansible.com.pem
+
+- name: Create public key from private key
+ community.crypto.openssl_publickey:
+ privatekey_path: /etc/ssl/private/ansible.com.pem
+ path: /etc/ssl/ansible.com.pub
+
+- name: Get information on public key
+ community.crypto.openssl_publickey_info:
+ path: /etc/ssl/ansible.com.pub
+ register: result
+
+- name: Dump information
+ ansible.builtin.debug:
+ var: result
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | Fingerprints of public key. +For every hash algorithm available, the fingerprint is computed. +Returned: success +Sample: |
+
| + | Public key data. Depends on key type. +Returned: success + |
+
| + | The curve’s name for ECC. +Returned: When |
+
| + | The RSA key’s public exponent. +Returned: When |
+
| + | The maximum number of bits of a private key. This is basically the bit size of the subgroup used. +Returned: When |
+
| + | The This is the element spanning the subgroup of the multiplicative group of the prime field used. +Returned: When |
+
| + | The RSA key’s modulus. +Returned: When |
+
| + | The This is the prime modulus upon which arithmetic takes place. +Returned: When |
+
| + | The This is a prime that divides Returned: When |
+
| + | + |
| + | The Returned: When |
+
| + | + |
| + | The key’s type. +One of Will start with Returned: success +Sample: |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.openssl_publickey.
This module allows one to (re)generate public keys from their private keys.
Public keys are generated in PEM or OpenSSH format. Private keys must be OpenSSL PEM keys. OpenSSH private keys are not supported, use the community.crypto.openssh_keypair module to manage these.
The module uses the cryptography Python library.
The below requirements are needed on the host that executes this module.
+cryptography >= 1.2.3 (older versions might work as well)
Needs cryptography >= 1.4 if format is OpenSSH
Parameter |
+Comments |
+
|---|---|
| + | The attributes the resulting filesystem object should have. +To get supported flags look at the man page for chattr on the target system. +This string should contain the attributes in the same order as the one displayed by lsattr. +The |
+
| + | Create a backup file including a timestamp so you can get the original public key back if you overwrote it with a different one by accident. +Choices: +
|
+
| + | Should the key be regenerated even it it already exists. +Choices: +
|
+
| + | The format of the public key. +Choices: +
|
+
| + | Name of the group that should own the filesystem object, as would be fed to chown. +When left unspecified, it uses the current group of the current user unless you are root, in which case it can preserve the previous ownership. + |
+
| + | The permissions the resulting filesystem object should have. +For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must give Ansible enough information to parse them correctly. For consistent results, quote octal numbers (for example, Giving Ansible a number without following either of these rules will end up with a decimal number which will have unexpected results. +As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, If If Specifying |
+
| + | Name of the user that should own the filesystem object, as would be fed to chown. +When left unspecified, it uses the current user unless you are root, in which case it can preserve the previous ownership. +Specifying a numeric username will be assumed to be a user ID and not a username. Avoid numeric usernames to avoid this confusion. + |
+
| + | Name of the file in which the generated TLS/SSL public key will be written. + |
+
| + | The content of the TLS/SSL private key from which to generate the public key. +Either |
+
| + | The passphrase for the private key. + |
+
| + | Path to the TLS/SSL private key from which to generate the public key. +Either |
+
| + | If set to Choices: +
|
+
| + | Determines which crypto backend to use. +The default choice is If set to Choices: +
|
+
| + | The level part of the SELinux filesystem object context. +This is the MLS/MCS attribute, sometimes known as the When set to |
+
| + | The role part of the SELinux filesystem object context. +When set to |
+
| + | The type part of the SELinux filesystem object context. +When set to |
+
| + | The user part of the SELinux filesystem object context. +By default it uses the When set to |
+
| + | Whether the public key should exist or not, taking action if the state is different from what is stated. +Choices: +
|
+
| + | Influence when to use atomic operation to prevent data corruption or inconsistent reads from the target filesystem object. +By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target filesystem objects, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted filesystem objects, which cannot be updated atomically from inside the container and can only be written in an unsafe manner. +This option allows Ansible to fall back to unsafe methods of updating filesystem objects when atomic operations fail (however, it doesn’t force Ansible to perform unsafe writes). +IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption. +Choices: +
|
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full + |
+Can run in |
+
| + | Support: full + |
+Will return details on what has changed (or possibly needs changing in |
+
| + | Support: full + |
+Uses Ansible’s strict file operation functions to ensure proper permissions and avoid data corruption. + |
+
See also
+Generate and/or check OpenSSL certificates.
+Generate and/or check OpenSSL certificates.
+Generate OpenSSL Certificate Signing Request (CSR).
+Generate OpenSSL Certificate Signing Request (CSR).
+Generate OpenSSL Diffie-Hellman Parameters.
+Generate OpenSSL PKCS#12 archive.
+Generate OpenSSL private keys.
+Generate OpenSSL private keys without disk access.
+- name: Generate an OpenSSL public key in PEM format
+ community.crypto.openssl_publickey:
+ path: /etc/ssl/public/ansible.com.pem
+ privatekey_path: /etc/ssl/private/ansible.com.pem
+
+- name: Generate an OpenSSL public key in PEM format from an inline key
+ community.crypto.openssl_publickey:
+ path: /etc/ssl/public/ansible.com.pem
+ privatekey_content: "{{ private_key_content }}"
+
+- name: Generate an OpenSSL public key in OpenSSH v2 format
+ community.crypto.openssl_publickey:
+ path: /etc/ssl/public/ansible.com.pem
+ privatekey_path: /etc/ssl/private/ansible.com.pem
+ format: OpenSSH
+
+- name: Generate an OpenSSL public key with a passphrase protected private key
+ community.crypto.openssl_publickey:
+ path: /etc/ssl/public/ansible.com.pem
+ privatekey_path: /etc/ssl/private/ansible.com.pem
+ privatekey_passphrase: ansible
+
+- name: Force regenerate an OpenSSL public key if it already exists
+ community.crypto.openssl_publickey:
+ path: /etc/ssl/public/ansible.com.pem
+ privatekey_path: /etc/ssl/private/ansible.com.pem
+ force: true
+
+- name: Remove an OpenSSL public key
+ community.crypto.openssl_publickey:
+ path: /etc/ssl/public/ansible.com.pem
+ state: absent
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | Name of backup file created. +Returned: changed and if Sample: |
+
| + | Path to the generated TLS/SSL public key file. +Returned: changed or success +Sample: |
+
| + | The fingerprint of the public key. Fingerprint will be generated for each hashlib.algorithms available. +Returned: changed or success +Sample: |
+
| + | The format of the public key (PEM, OpenSSH, …). +Returned: changed or success +Sample: |
+
| + | Path to the TLS/SSL private key the public key was generated from. +Will be Returned: changed or success +Sample: |
+
| + | The (current or generated) public key’s content. +Returned: if |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.openssl_signature_info.
New in community.crypto 1.1.0
+ +This module allows one to verify a signature for a file by a certificate.
The module uses the cryptography Python library.
The below requirements are needed on the host that executes this module.
+cryptography >= 1.4 (some key types require newer versions)
Parameter |
+Comments |
+
|---|---|
| + | The content of the certificate used to verify the signature. +Either |
+
| + | The path to the certificate used to verify the signature. +Either |
+
| + | The signed file to verify. +This file will only be read and not modified. + |
+
| + | Determines which crypto backend to use. +The default choice is If set to Choices: +
|
+
| + | Base64 encoded signature. + |
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full +This action does not modify state. + |
+Can run in |
+
| + | Support: N/A +This action does not modify state. + |
+Will return details on what has changed (or possibly needs changing in |
+
Note
+When using the cryptography backend, the following key types require at least the following cryptography version:
+RSA keys: cryptography >= 1.4
+DSA and ECDSA keys: cryptography >= 1.5
+ed448 and ed25519 keys: cryptography >= 2.6
See also
+Sign data with openssl.
+Generate and/or check OpenSSL certificates.
+- name: Sign example file
+ community.crypto.openssl_signature:
+ privatekey_path: private.key
+ path: /tmp/example_file
+ register: sig
+
+- name: Verify signature of example file
+ community.crypto.openssl_signature_info:
+ certificate_path: cert.pem
+ path: /tmp/example_file
+ signature: "{{ sig.signature }}"
+ register: verify
+
+- name: Make sure the signature is valid
+ ansible.builtin.assert:
+ that:
+ - verify.valid
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + |
Returned: success + |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.openssl_signature.
New in community.crypto 1.1.0
+ +This module allows one to sign data using a private key.
The module uses the cryptography Python library.
The below requirements are needed on the host that executes this module.
+cryptography >= 1.4 (some key types require newer versions)
Parameter |
+Comments |
+
|---|---|
| + | The file to sign. +This file will only be read and not modified. + |
+
| + | The content of the private key to use when signing the certificate signing request. +Either |
+
| + | The passphrase for the private key. +This is required if the private key is password protected. + |
+
| + | The path to the private key to use when signing. +Either |
+
| + | Determines which crypto backend to use. +The default choice is If set to Choices: +
|
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full +This action does not modify state. + |
+Can run in |
+
| + | Support: none + |
+Will return details on what has changed (or possibly needs changing in |
+
Note
+When using the cryptography backend, the following key types require at least the following cryptography version:
+RSA keys: cryptography >= 1.4
+DSA and ECDSA keys: cryptography >= 1.5
+ed448 and ed25519 keys: cryptography >= 2.6
See also
+Verify signatures with openssl.
+Generate OpenSSL private keys.
+- name: Sign example file
+ community.crypto.openssl_signature:
+ privatekey_path: private.key
+ path: /tmp/example_file
+ register: sig
+
+- name: Verify signature of example file
+ community.crypto.openssl_signature_info:
+ certificate_path: cert.pem
+ path: /tmp/example_file
+ signature: "{{ sig.signature }}"
+ register: verify
+
+- name: Make sure the signature is valid
+ ansible.builtin.assert:
+ that:
+ - verify.valid
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | Base64 encoded signature. +Returned: success + |
+
+ Note
+This filter plugin is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
To use it in a playbook, specify: community.crypto.parse_serial.
New in community.crypto 2.18.0
+ +Parses a colon-separated list of hex numbers of the form 00:11:22:33 and returns the corresponding integer.
This describes the input of the filter, the value before | community.crypto.parse_serial.
Parameter |
+Comments |
+
|---|---|
| + | A serial number represented as a colon-separated list of hex numbers between 0 and 255. +These numbers are interpreted as the byte presentation of an unsigned integer in network byte order. That is, |
+
See also
+Convert an integer to a colon-separated list of hex numbers.
+- name: Parse serial number
+ ansible.builtin.debug:
+ msg: "{{ '11:22:33' | community.crypto.parse_serial }}"
+Key |
+Description |
+
|---|---|
| + | The serial number as an integer. +Returned: success + |
+
+ tls-alpn-01", "community.crypto.acme_inspect module \u2013 Send direct requests to an ACME server", "community.crypto.certificate_complete_chain module \u2013 Complete certificate chain given a set of untrusted and root certificates", "community.crypto.crypto_info module \u2013 Retrieve cryptographic capabilities", "How to create a small CA", "How to create self-signed certificates", "community.crypto.ecs_certificate module \u2013 Request SSL/TLS certificates with the Entrust Certificate Services (ECS) API", "community.crypto.ecs_domain module \u2013 Request validation of a domain with the Entrust Certificate Services (ECS) API", "Index of all Collection Environment Variables", "community.crypto.get_certificate module \u2013 Get a certificate from a host:port", "community.crypto.gpg_fingerprint filter \u2013 Retrieve a GPG fingerprint from a GPG public or private key", "community.crypto.gpg_fingerprint lookup \u2013 Retrieve a GPG fingerprint from a GPG public or private key file", "Community.Crypto", "community.crypto.luks_device module \u2013 Manage encrypted (LUKS) devices", "community.crypto.openssh_cert module \u2013 Generate OpenSSH host or user certificates.", "community.crypto.openssh_keypair module \u2013 Generate OpenSSH private and public keys", "community.crypto.openssl_certificate_info", "community.crypto.openssl_certificate", "community.crypto.openssl_csr_info filter \u2013 Retrieve information from OpenSSL Certificate Signing Requests (CSR)", "community.crypto.openssl_csr_info module \u2013 Provide information of OpenSSL Certificate Signing Requests (CSR)", "community.crypto.openssl_csr module \u2013 Generate OpenSSL Certificate Signing Request (CSR)", "community.crypto.openssl_csr_pipe module \u2013 Generate OpenSSL Certificate Signing Request (CSR)", "community.crypto.openssl_dhparam module \u2013 Generate OpenSSL Diffie-Hellman Parameters", "community.crypto.openssl_pkcs12 module \u2013 Generate OpenSSL PKCS#12 archive", "community.crypto.openssl_privatekey_convert module \u2013 Convert OpenSSL private keys", "community.crypto.openssl_privatekey_info filter \u2013 Retrieve information from OpenSSL private keys", "community.crypto.openssl_privatekey_info module \u2013 Provide information for OpenSSL private keys", "community.crypto.openssl_privatekey module \u2013 Generate OpenSSL private keys", "community.crypto.openssl_privatekey_pipe module \u2013 Generate OpenSSL private keys without disk access", "community.crypto.openssl_publickey_info filter \u2013 Retrieve information from OpenSSL public keys in PEM format", "community.crypto.openssl_publickey_info module \u2013 Provide information for OpenSSL public keys", "community.crypto.openssl_publickey module \u2013 Generate an OpenSSL public key from its private key.", "community.crypto.openssl_signature_info module \u2013 Verify signatures with openssl", "community.crypto.openssl_signature module \u2013 Sign data with openssl", "community.crypto.parse_serial filter \u2013 Convert a serial number as a colon-separated list of hex numbers to an integer", "community.crypto.split_pem filter \u2013 Split PEM file contents into multiple objects", "community.crypto.to_serial filter \u2013 Convert an integer to a colon-separated list of hex numbers", "community.crypto.x509_certificate_info filter \u2013 Retrieve information from X.509 certificates in PEM format", "community.crypto.x509_certificate_info module \u2013 Provide information of OpenSSL X.509 certificates", "community.crypto.x509_certificate module \u2013 Generate and/or check OpenSSL certificates", "community.crypto.x509_certificate_pipe module \u2013 Generate and/or check OpenSSL certificates", "community.crypto.x509_crl_info filter \u2013 Retrieve information from X.509 CRLs in PEM format", "community.crypto.x509_crl_info module \u2013 Retrieve information on Certificate Revocation Lists (CRLs)", "community.crypto.x509_crl module \u2013 Generate Certificate Revocation Lists (CRLs)"], "terms": {"thi": [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 15, 16, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "plugin": [0, 11, 13, 14, 15, 16, 19, 21, 22, 23, 24, 25, 26, 30, 31, 33, 34, 35, 39, 40, 41, 42, 43, 46, 47, 48], "wa": [0, 1, 3, 4, 6, 9, 11, 14, 18, 20, 21, 22, 23, 24, 25, 26, 28, 31, 32, 33, 36, 37, 42, 43, 44, 46, 47, 48], "part": [0, 1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "collect": [0, 9, 10, 17, 21, 22], "version": [0, 1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "2": [0, 1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "18": [0, 1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "0": [0, 1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "modul": [0, 9, 10, 21, 22, 23, 30, 34, 42, 46], "ha": [0, 1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 16, 18, 19, 20, 21, 22, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 46, 47, 48], "been": [0, 1, 2, 3, 4, 6, 11, 13, 14, 18, 19, 21, 22, 25, 26, 31, 36, 45, 48], "remov": [0, 1, 2, 3, 4, 6, 18, 21, 22, 28, 36, 44, 48], "The": [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "renam": [0, 21, 22, 43, 44, 48], "acme_account_info": [0, 2, 17], "i": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "It": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "includ": [1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "ansibl": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "core": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "To": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "check": [1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 14, 15, 16, 17, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 46, 47, 48], "whether": [1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "instal": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "run": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "galaxi": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "list": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 17, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 40, 42, 43, 44, 45, 46], "us": [1, 2, 3, 4, 5, 6, 7, 8, 10, 11, 12, 13, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "you": [1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "need": [1, 2, 3, 4, 5, 6, 7, 8, 10, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "further": [1, 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "abl": [1, 2, 3, 4, 5, 6, 7, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "detail": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "playbook": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "specifi": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "allow": [1, 2, 3, 4, 6, 11, 12, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "ca": [1, 2, 3, 4, 6, 7, 11, 17, 19, 23, 24, 25, 26, 28, 40, 42, 43, 44, 45, 46, 47, 48], "support": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 17, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "protocol": [1, 2, 5, 6, 14, 17, 20, 44], "let": [1, 2, 3, 4, 6, 44], "": [1, 2, 3, 4, 5, 6, 9, 11, 12, 14, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 42, 43, 44, 45, 46, 47, 48], "encrypt": [1, 2, 3, 4, 6, 14, 17, 20, 28, 29, 32, 33, 44], "onli": [1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 14, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "work": [1, 2, 3, 4, 6, 18, 19, 20, 25, 27, 28, 29, 31, 32, 33, 36, 44], "v2": [1, 2, 3, 4, 6, 36], "below": [1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "ar": [1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "host": [1, 2, 3, 4, 5, 6, 7, 11, 12, 17, 18, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "execut": [1, 2, 3, 4, 5, 6, 7, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "either": [1, 2, 3, 4, 6, 11, 12, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 35, 36, 37, 38, 43, 44, 45, 47, 48], "openssl": [1, 2, 3, 4, 6, 7, 8, 14, 17, 42], "cryptographi": [1, 2, 3, 4, 5, 6, 7, 8, 11, 14, 20, 23, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 42, 43, 44, 45, 47, 48], "1": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "5": [1, 2, 3, 4, 6, 7, 8, 12, 18, 23, 24, 32, 33, 37, 38, 42, 43, 44, 45], "ipaddress": [1, 2, 3, 4, 6], "comment": [1, 2, 3, 4, 5, 6, 7, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "account_key_cont": [1, 2, 3, 4, 6], "string": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "content": [1, 2, 3, 4, 5, 6, 7, 9, 11, 12, 14, 15, 17, 18, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "rsa": [1, 2, 3, 4, 6, 8, 10, 19, 20, 23, 24, 30, 31, 32, 33, 34, 35, 37, 38, 42, 43], "ellipt": [1, 2, 3, 4, 6, 8, 20, 23, 24, 30, 31, 32, 33, 34, 35, 42, 43], "curv": [1, 2, 3, 4, 6, 8, 20, 23, 24, 30, 31, 32, 33, 34, 35, 42, 43], "kei": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 17, 18, 19, 23, 24, 25, 26, 27, 28, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "mutual": [1, 2, 3, 4, 5, 6, 18, 25, 26, 28, 44, 45, 48], "exclus": [1, 2, 3, 4, 5, 6, 18, 25, 26, 28, 44, 45, 48], "account_key_src": [1, 2, 3, 4, 5, 6, 8], "warn": [1, 2, 3, 4, 6, 30, 31, 43, 44], "written": [1, 2, 3, 4, 6, 19, 20, 25, 27, 28, 29, 32, 33, 36, 44, 48], "temporari": [1, 2, 3, 4, 6], "file": [1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 14, 15, 17, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "which": [1, 2, 3, 4, 6, 11, 12, 14, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "delet": [1, 3, 4, 6, 17], "when": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "complet": [1, 2, 3, 4, 6, 8, 17, 18, 33], "sinc": [1, 2, 3, 4, 6, 9, 18, 25, 26, 28, 31], "an": [1, 2, 3, 4, 5, 11, 12, 14, 17, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 35, 42, 43, 44, 45, 46, 47, 48], "import": [1, 2, 3, 4, 6, 8, 19, 20, 25, 26, 27, 28, 29, 32, 36, 44, 48], "privat": [1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 17, 19, 23, 24, 25, 26, 27, 28, 34, 35, 37, 38, 42, 43, 44, 45, 46, 47, 48], "can": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 46, 47, 48], "chang": [1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 14, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "revok": [1, 2, 3, 6, 11, 17, 46, 47, 48], "your": [1, 2, 3, 4, 6, 9, 11, 12, 25, 26, 27, 32, 33, 44, 45], "certif": [1, 2, 6, 17, 27, 28, 30, 32, 33, 36, 37, 38, 40, 46], "without": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 17, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 35, 36, 37, 38, 43, 44, 45, 47, 48], "know": [1, 2, 3, 4, 6, 25, 26], "might": [1, 2, 3, 4, 6, 14, 29, 31, 32, 33, 36, 48], "accept": [1, 2, 3, 4, 6, 11, 19, 25, 26, 48], "In": [1, 2, 3, 4, 6, 9, 11, 18, 20, 23, 24, 28, 31, 32, 45], "case": [1, 2, 3, 4, 6, 8, 11, 12, 14, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 31, 32, 33, 36, 41, 42, 43, 44, 45, 48], "still": [1, 2, 3, 4, 6, 11, 19, 24, 31, 43, 44], "happen": [1, 2, 3, 4, 6], "disk": [1, 2, 3, 4, 6, 7, 10, 17, 25, 26, 29, 31, 32, 36, 44, 45], "process": [1, 2, 3, 4, 6, 12, 18, 48], "move": [1, 2, 3, 4, 6, 11, 43, 44, 45], "its": [1, 2, 3, 4, 6, 7, 9, 11, 12, 15, 17, 18, 19, 20, 25, 26, 27, 28, 29, 32, 33, 35, 44, 45], "argument": [1, 2, 3, 4, 6, 27], "node": [1, 2, 3, 4, 6, 15, 16, 23, 30, 42, 46], "where": [1, 2, 3, 4, 6, 9, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 35, 36, 43, 44, 45, 47, 48], "account_key_passphras": [1, 2, 3, 4, 6], "ad": [1, 2, 3, 4, 5, 6, 7, 12, 14, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 36, 43, 44, 45, 46, 47, 48], "6": [1, 2, 3, 4, 5, 6, 8, 11, 14, 18, 20, 23, 24, 25, 26, 32, 33, 37, 38, 42, 43, 44, 45], "phassphras": [1, 2, 3, 4, 5, 6], "decod": [1, 2, 3, 4, 5, 6, 23, 24, 30, 42, 43, 46, 47, 48], "backend": [1, 2, 3, 4, 6, 14, 20, 23, 24, 25, 26, 27, 28, 30, 31, 32, 33, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "alias": [1, 2, 3, 4, 6, 19, 20, 25, 26, 27, 28, 29, 32, 36, 44, 45, 48], "account_kei": [1, 2, 3, 4, 6], "path": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 40, 42, 43, 44, 45, 46, 47, 48], "contain": [1, 2, 3, 4, 5, 6, 7, 12, 14, 18, 19, 20, 25, 26, 27, 28, 29, 32, 33, 36, 44, 48], "creat": [1, 4, 5, 6, 11, 17, 18, 19, 20, 25, 26, 27, 28, 29, 32, 33, 35, 36, 44, 45, 47, 48], "openssl_privatekei": [1, 2, 3, 6, 9, 10, 11, 17, 25, 26, 27, 28, 29, 31, 33, 35, 36, 38, 44, 45], "openssl_privatekey_pip": [1, 2, 3, 6, 17, 25, 26, 29, 31, 32, 36, 44, 45], "If": [1, 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "requisit": [1, 2, 3, 6], "avail": [1, 2, 3, 4, 6, 8, 10, 12, 14, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 42, 43, 44, 45, 48], "directli": [1, 2, 3, 6, 10, 43, 44], "command": [1, 2, 3, 6, 18, 19], "line": [1, 2, 3, 6, 18], "tool": [1, 2, 3, 4, 6, 25, 26], "genrsa": [1, 2, 3, 6], "ecparam": [1, 2, 3, 4, 6], "genkei": [1, 2, 3, 4, 6], "ani": [1, 2, 3, 4, 6, 9, 10, 11, 19, 20, 25, 26, 27, 28, 29, 32, 33, 36, 44, 45, 48], "other": [1, 2, 3, 4, 6, 11, 19, 20, 25, 26, 27, 28, 29, 32, 33, 36, 42, 43, 44, 47, 48], "pem": [1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 14, 17, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "format": [1, 2, 3, 4, 5, 6, 7, 11, 14, 17, 18, 19, 20, 23, 24, 28, 29, 30, 31, 32, 33, 36, 43, 44, 45, 47, 48], "well": [1, 2, 3, 4, 6, 12, 28, 29, 32, 33, 36, 44], "account_uri": [1, 2, 3, 4, 6], "assum": [1, 2, 3, 4, 6, 7, 9, 11, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "uri": [1, 2, 3, 4, 6, 23, 24, 25, 26, 30, 42, 43, 46, 47, 48], "given": [1, 2, 3, 4, 5, 6, 17, 18, 25, 26, 37], "doe": [1, 2, 3, 4, 5, 6, 7, 8, 11, 14, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "match": [1, 2, 3, 4, 6, 7, 12, 19, 20, 25, 26, 27, 32, 33, 44, 48], "exist": [1, 2, 3, 4, 5, 6, 9, 11, 18, 19, 20, 25, 26, 27, 28, 29, 32, 33, 36, 44, 45, 48], "fail": [1, 2, 3, 4, 6, 11, 19, 20, 23, 24, 25, 27, 28, 29, 30, 31, 32, 33, 36, 42, 43, 44, 46, 47, 48], "acme_directori": [1, 2, 3, 4, 6, 44], "directori": [1, 2, 3, 4, 6, 7, 44], "entri": [1, 2, 3, 4, 5, 6, 12, 15, 16, 23, 24, 30, 34, 39, 40, 41, 42, 43, 44, 46, 48], "point": [1, 2, 3, 4, 6, 7, 11, 16, 19, 23, 24, 25, 26, 30, 31, 34, 35, 42, 43, 44, 45, 46, 47, 48], "url": [1, 2, 3, 4, 6], "access": [1, 2, 3, 4, 6, 12, 17, 25, 26, 29, 31, 32, 36, 44, 45, 48], "server": [1, 2, 3, 4, 9, 11, 12, 14, 17, 19, 25, 26, 44, 45], "api": [1, 2, 3, 4, 6, 17, 44, 45], "For": [1, 2, 3, 4, 6, 10, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 39, 40, 41, 42, 43, 44, 45, 46], "safeti": [1, 2, 3, 4, 6], "reason": [1, 2, 3, 4, 6, 25, 26, 44, 45, 46, 47, 48], "default": [1, 2, 3, 4, 6, 7, 10, 11, 12, 14, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "set": [1, 2, 3, 4, 5, 6, 11, 13, 14, 17, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "stage": [1, 2, 3, 4, 6, 44], "v1": [1, 2, 3, 4, 6], "technic": [1, 2, 3, 4, 6, 11], "correct": [1, 2, 3, 4, 6, 7, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "untrust": [1, 2, 3, 4, 6, 17], "all": [1, 2, 3, 4, 6, 7, 8, 9, 11, 14, 19, 20, 23, 24, 28, 30, 31, 32, 33, 40, 41, 42, 43, 44, 45, 46, 47, 48], "endpoint": [1, 2, 3, 4, 6], "found": [1, 2, 3, 4, 6, 8, 12], "here": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "http": [1, 2, 3, 4, 5, 6, 11, 12, 14, 19, 25, 26, 32, 44, 45], "letsencrypt": [1, 2, 3, 4, 6, 44], "org": [1, 2, 3, 4, 6, 11, 25, 26, 44, 46, 47, 48], "doc": [1, 2, 3, 4, 6, 9, 10, 32, 44], "environ": [1, 2, 3, 4, 5, 6, 44], "buypass": [1, 2, 3, 4, 6, 44], "com": [1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 14, 17, 19, 23, 24, 25, 26, 28, 29, 31, 32, 35, 36, 42, 43, 44, 45, 46, 47, 48], "t": [1, 2, 3, 4, 6, 9, 19, 20, 24, 25, 27, 28, 29, 31, 32, 35, 36, 43, 44, 48], "63d4ai": [1, 2, 3, 4, 6], "go": [1, 2, 3, 4, 6], "ssl": [1, 2, 4, 5, 6, 7, 12, 14, 17, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 43, 44, 45, 47, 48], "product": [1, 2, 3, 4, 6, 11, 33], "v02": [1, 2, 3, 4, 6, 44], "zerossl": [1, 2, 3, 4, 6], "dv90": [1, 2, 3, 4, 6], "sectigo": [1, 2, 3, 4, 6], "qa": [1, 2, 3, 4, 6], "secur": [1, 2, 3, 4, 6, 11, 14, 28, 44, 45], "trust": [1, 2, 3, 4, 6, 46, 47, 48], "provid": [1, 2, 3, 4, 5, 6, 9, 10, 11, 12, 14, 15, 16, 17, 18, 19, 20, 23, 25, 26, 30, 32, 33, 34, 36, 42, 44, 45, 46, 47, 48], "dv": [1, 2, 3, 4, 6], "servic": [1, 2, 3, 4, 6, 17, 44, 45], "test": [1, 2, 3, 4, 6, 11, 12, 20, 23, 24, 42, 43], "against": [1, 2, 3, 4, 6, 11, 14, 19], "acme_vers": [1, 2, 3, 4, 6], "integ": [1, 2, 3, 4, 6, 11, 12, 14, 17, 18, 19, 20, 23, 24, 25, 26, 27, 28, 30, 31, 32, 33, 34, 35, 42, 43, 44, 45, 46, 47, 48], "must": [1, 2, 3, 4, 5, 6, 9, 11, 12, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 42, 43, 44, 45, 47, 48], "classic": [1, 2, 3, 4, 6], "standard": [1, 2, 3, 4, 6, 11], "deprec": [1, 2, 3, 4, 6, 14, 20, 43, 44, 48], "from": [1, 2, 3, 4, 6, 7, 9, 10, 11, 12, 17, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 43, 44, 45, 47, 48], "3": [1, 2, 3, 4, 5, 6, 11, 12, 14, 18, 19, 20, 23, 24, 25, 26, 28, 29, 31, 32, 33, 35, 36, 42, 43, 44, 45, 48], "choic": [1, 2, 3, 4, 5, 6, 11, 12, 14, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "request_timeout": [1, 2, 3, 4, 6], "time": [1, 2, 3, 4, 6, 11, 12, 14, 18, 19, 23, 24, 28, 30, 31, 34, 35, 42, 43, 44, 45, 46, 47, 48], "should": [1, 2, 3, 4, 5, 6, 8, 11, 12, 14, 19, 20, 23, 24, 25, 26, 27, 28, 29, 32, 33, 36, 42, 43, 44, 45, 47, 48], "wait": [1, 2, 3, 4, 6], "respons": [1, 2, 3, 4, 6, 11], "timeout": [1, 2, 3, 4, 6, 14], "appli": [1, 2, 3, 4, 6, 11, 14, 19, 20], "request": [1, 2, 3, 4, 5, 7, 8, 9, 10, 14, 15, 16, 17, 18, 19, 20, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "head": [1, 2, 3, 4, 6], "get": [1, 2, 3, 4, 6, 11, 17, 19, 20, 24, 25, 27, 28, 29, 31, 32, 35, 36, 43, 44, 47, 48], "post": [1, 2, 3, 4, 6, 11], "10": [1, 2, 3, 4, 6, 10, 14, 17, 18, 19, 20, 23, 30, 32, 33, 34, 36, 40, 42, 43, 44, 45, 46], "retrieve_ord": 1, "order": [1, 3, 6, 11, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 34, 35, 36, 39, 40, 41, 42, 43, 44, 46, 47, 48], "object": [1, 3, 6, 17, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "A": [1, 2, 5, 7, 8, 11, 14, 16, 24, 25, 26, 31, 35, 37, 39, 40, 41, 43, 44, 45, 47, 48], "ignor": [1, 2, 3, 7, 11, 19, 20, 23, 24, 25, 26, 28, 30, 33, 40, 42, 43, 44, 45, 46, 47, 48], "fetch": 1, "order_uri": [1, 3, 6], "alwai": [1, 2, 3, 4, 5, 6, 8, 10, 11, 12, 14, 19, 20, 26, 28, 31, 32, 33, 43, 44, 45, 48], "popul": 1, "option": [1, 2, 3, 4, 6, 11, 14, 18, 19, 20, 25, 26, 27, 28, 29, 32, 33, 36, 43, 44, 45, 48], "object_list": 1, "current": [1, 3, 8, 11, 12, 14, 19, 20, 25, 26, 27, 28, 29, 32, 33, 36, 44, 45, 48], "so": [1, 2, 3, 4, 6, 11, 12, 18, 19, 20, 23, 25, 27, 28, 29, 30, 31, 32, 33, 36, 42, 44, 46, 48], "result": [1, 4, 5, 9, 10, 11, 14, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 42, 43, 44, 45, 46, 47, 48], "empti": [1, 3, 8, 41], "url_list": 1, "select_crypto_backend": [1, 2, 3, 4, 6, 14, 24, 25, 26, 27, 28, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45], "determin": [1, 2, 3, 4, 6, 14, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 42, 43, 44, 45, 48], "auto": [1, 2, 3, 4, 6, 14, 20, 24, 25, 26, 27, 28, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45], "tri": [1, 2, 3, 4, 6, 7, 14, 24, 25, 26, 27, 28, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45], "fall": [1, 2, 3, 4, 6, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "back": [1, 2, 3, 4, 6, 9, 11, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "try": [1, 2, 3, 4, 6, 7, 8, 14, 18, 24, 25, 26, 27, 28, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45], "binari": [1, 2, 3, 4, 6, 8, 14, 20, 27], "librari": [1, 2, 3, 4, 6, 8, 14, 19, 20, 23, 24, 25, 26, 27, 28, 30, 31, 32, 33, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "validate_cert": [1, 2, 3, 4, 6], "boolean": [1, 2, 3, 4, 6, 8, 11, 12, 14, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 36, 37, 42, 43, 44, 45, 46, 47, 48], "call": [1, 2, 3, 4, 6, 11, 28, 43, 44, 48], "valid": [1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 14, 17, 19, 23, 24, 25, 26, 37, 38, 43, 44, 45, 48], "tl": [1, 2, 4, 6, 14, 17, 25, 26, 28, 29, 32, 33, 36, 44, 45], "ever": [1, 2, 3, 4, 6], "fals": [1, 2, 3, 4, 6, 8, 9, 11, 12, 14, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 36, 37, 42, 43, 44, 45, 46, 47, 48], "purpos": [1, 2, 3, 4, 6, 11, 25, 26, 44, 45], "local": [1, 2, 3, 4, 6, 11, 12, 15, 16, 23, 30, 42, 44, 45, 46], "pebbl": [1, 2, 3, 4, 6], "true": [1, 2, 3, 4, 6, 8, 9, 11, 12, 14, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 36, 37, 42, 43, 44, 45, 46, 47, 48], "descript": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "action_group": [1, 2, 3, 4, 6], "action": [1, 2, 3, 4, 5, 6, 7, 8, 11, 14, 19, 20, 24, 25, 27, 28, 31, 32, 33, 35, 36, 37, 38, 43, 44, 47, 48], "group": [1, 2, 3, 4, 6, 19, 20, 23, 24, 25, 27, 28, 29, 30, 31, 32, 34, 35, 36, 42, 43, 44, 48], "module_default": [1, 2, 3, 4, 6], "check_mod": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "full": [1, 2, 3, 7, 8, 11, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "modifi": [1, 3, 4, 5, 6, 7, 8, 11, 12, 14, 17, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "state": [1, 2, 3, 5, 7, 8, 14, 18, 19, 20, 24, 25, 27, 28, 31, 32, 35, 36, 37, 38, 43, 44, 47, 48], "statu": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "predict": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "target": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "diff_mod": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "n": [1, 5, 6, 7, 8, 14, 24, 31, 35, 37, 43, 47], "Will": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 42, 43, 44, 45, 47, 48], "what": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "possibli": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "diff": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "mode": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "acme_account": [1, 3, 17], "acme_account_fact": 1, "befor": [1, 3, 12, 15, 23, 30, 34, 39, 40, 41, 42, 44, 45, 46, 48], "8": [1, 3, 4, 18, 19, 20, 25, 27, 28, 29, 32, 36, 44], "usag": [1, 3, 7, 10, 11, 17, 18, 25, 44, 45, 48], "did": [1, 3, 33], "new": [1, 2, 3, 4, 5, 6, 8, 9, 11, 12, 15, 16, 18, 19, 20, 23, 25, 26, 27, 28, 29, 30, 32, 33, 34, 35, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "enough": [1, 2, 3, 4, 6, 19, 20, 25, 27, 28, 29, 32, 36, 44], "instead": [1, 2, 3, 4, 6, 10, 18, 19, 25, 26, 32, 33, 48], "explicitli": [1, 2, 3, 4, 6, 29, 31, 32], "disabl": [1, 2, 3, 4, 6, 11, 18, 19, 31], "enabl": [1, 2, 3, 4, 6, 11, 19, 25, 26], "slower": [1, 2, 3, 4, 6], "less": [1, 2, 3, 4, 6, 12, 19], "have": [1, 2, 3, 4, 6, 10, 11, 12, 13, 15, 16, 19, 20, 23, 25, 27, 28, 29, 30, 31, 32, 33, 34, 36, 39, 40, 41, 42, 44, 45, 46, 48], "store": [1, 2, 3, 4, 6, 10, 11, 12, 18, 26, 28, 29, 44, 45], "although": [1, 2, 3, 4, 6], "chosen": [1, 2, 3, 4, 6, 28], "principl": [1, 2, 3, 4, 6], "far": [1, 2, 3, 4, 6], "develop": [1, 2, 3, 4, 6, 44], "we": [1, 2, 3, 4, 5, 6, 9, 28, 32, 33], "got": [1, 2, 3, 4, 6], "feedback": [1, 2, 3, 4, 6], "thei": [1, 2, 3, 4, 6, 12, 14, 18, 20, 27, 32, 33, 43, 47], "incommon": [1, 2, 3, 4, 6], "experi": [1, 2, 3, 4, 6], "problem": [1, 2, 3, 4, 6], "anoth": [1, 2, 3, 4, 6, 7, 9, 10, 11, 18, 23, 24, 30, 32, 42, 43, 45, 46, 47, 48], "pleas": [1, 2, 3, 4, 6, 7, 9, 14, 20, 25, 26, 27, 29, 32, 33, 44, 45], "issu": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 17, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "help": [1, 2, 3, 4, 6, 11], "u": [1, 2, 3, 4, 6, 19, 20, 25, 27, 28, 29, 32, 36, 44, 45], "mention": [1, 2, 3, 4, 6, 28], "appreci": [1, 2, 3, 4, 6], "name": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "etc": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 24, 25, 26, 27, 28, 29, 31, 32, 35, 36, 43, 44, 45, 47, 48], "pki": [1, 2, 3, 4, 5, 6, 8, 12], "cert": [1, 2, 3, 4, 5, 6, 8, 11, 14, 19, 23, 24, 25, 26, 28, 30, 37, 38, 42, 43, 46, 48], "regist": [1, 3, 5, 6, 7, 8, 9, 10, 14, 24, 26, 31, 33, 35, 37, 38, 43, 44, 45, 47], "account_data": 1, "verifi": [1, 7, 12, 17, 38, 44], "builtin": [1, 3, 7, 8, 14, 15, 16, 23, 24, 26, 30, 31, 33, 34, 35, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47], "assert": [1, 37, 38, 43, 44], "print": [1, 26, 40, 45, 47], "debug": [1, 2, 3, 4, 6, 8, 11, 14, 15, 16, 23, 24, 26, 30, 31, 33, 34, 35, 39, 40, 41, 42, 43, 45, 46, 47], "var": [1, 3, 6, 8, 14, 24, 26, 31, 35, 43, 45], "contact": [1, 2, 3, 6], "acme_account_kei": 1, "acme_account_uri": 1, "common": [1, 2, 3, 5, 6, 7, 8, 11, 12, 14, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "document": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 13, 14, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "follow": [1, 2, 3, 5, 6, 7, 8, 9, 11, 12, 13, 14, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "field": [1, 2, 3, 5, 6, 7, 8, 11, 12, 14, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 42, 43, 44, 45, 47, 48], "uniqu": [1, 2, 3, 5, 6, 7, 8, 11, 12, 14, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "dictionari": [1, 2, 3, 5, 6, 8, 11, 14, 18, 23, 24, 25, 26, 30, 31, 32, 33, 34, 35, 36, 42, 43, 46, 47, 48], "element": [1, 2, 3, 7, 8, 11, 12, 14, 16, 19, 23, 24, 25, 26, 28, 30, 31, 34, 35, 40, 42, 43, 46, 47, 48], "challeng": [1, 3, 6, 17, 44], "resourc": [1, 3, 5, 12], "sampl": [1, 3, 4, 5, 6, 8, 11, 12, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 42, 43, 44, 46, 47, 48], "mailto": [1, 2, 6], "me": [1, 2, 6], "tel": 1, "00123456789": 1, "queri": [1, 3, 24, 31, 35, 43], "public_account_kei": 1, "public": [1, 3, 11, 17, 19, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 42, 43, 44, 45], "json": [1, 6, 11, 14, 46, 47], "web": [1, 12], "kty": [1, 6], "ec": [1, 3, 17, 44, 45], "crv": 1, "p": [1, 23, 24, 30, 31, 34, 35, 42, 43], "256": [1, 19, 20, 39], "x": [1, 6, 14, 17, 23, 24, 30, 31, 34, 35, 47], "mkbctnickusdii11yss3526idz8aito7tu6kpaqv7d4": 1, "y": [1, 14, 23, 24, 30, 31, 34, 35, 42, 43], "4etl6srw2yilurn5vfvvhuhp7x8pxltmwwlbbm4ifym": 1, "deactiv": [1, 2, 3, 11], "none": [1, 2, 3, 4, 5, 6, 11, 12, 14, 18, 23, 24, 25, 26, 27, 28, 29, 31, 32, 33, 36, 38, 42, 43], "success": [1, 3, 6, 7, 8, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "error": [1, 3, 4, 6, 8, 11, 18, 44], "occur": [1, 48], "dure": [1, 2, 3, 11, 19, 28], "about": [1, 2, 11, 12, 14, 19, 25, 26, 30, 31], "structur": 1, "rfc7807": 1, "expir": [1, 3, 6, 10, 11, 12, 14, 42, 43, 44, 45, 48], "timestamp": [1, 19, 25, 27, 28, 29, 32, 36, 43, 44, 45, 47, 48], "describ": [1, 15, 23, 25, 26, 30, 34, 39, 40, 41, 42, 46], "rfc3339": [1, 11], "pend": [1, 11], "give": [1, 19, 20, 25, 27, 28, 29, 32, 36, 44], "expiri": [1, 11, 44, 45], "date": [1, 6, 7, 11, 14, 42, 43, 44, 45, 46, 47, 48], "final": [1, 3], "identifi": [1, 2, 3, 5, 11, 18, 19, 23, 24, 25, 26, 42, 43, 44, 45], "type": [1, 3, 5, 6, 10, 11, 12, 15, 16, 18, 19, 20, 23, 24, 25, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 48], "dn": [1, 3, 5, 9, 10, 12, 23, 24, 25, 26, 30, 42, 43, 44, 46, 47, 48], "ip": [1, 3, 5, 14, 23, 24, 25, 26, 42, 43], "hostnam": [1, 14], "address": [1, 2, 3, 5, 11, 12, 19, 23, 24, 30, 42, 43, 46, 47, 48], "wildcard": [1, 3], "actual": [1, 5, 19, 20, 25, 27, 28, 29, 32, 36, 44], "prefix": [1, 2, 25, 26], "notaft": [1, 42, 43], "notbefor": [1, 42, 43], "readi": [1, 11], "invalid": [1, 11, 40, 46, 47, 48], "felix": [1, 2, 4, 5, 6, 7, 8, 15, 16, 23, 24, 25, 26, 29, 30, 31, 32, 33, 34, 35, 36, 39, 40, 41, 42, 43, 45, 46, 47, 48], "fontein": [1, 2, 4, 5, 6, 7, 8, 15, 16, 23, 24, 25, 26, 29, 30, 31, 32, 33, 34, 35, 36, 39, 40, 41, 42, 43, 45, 46, 47, 48], "felixfontein": [1, 2, 4, 5, 6, 7, 8, 15, 16, 23, 24, 25, 26, 29, 30, 31, 32, 33, 34, 35, 36, 39, 40, 41, 42, 43, 45, 46, 47, 48], "tracker": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 17, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "repositori": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 17, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "sourc": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 17, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "submit": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 17, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "bug": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 17, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "report": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 17, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "featur": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 17, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "allow_cr": 2, "creation": [2, 3, 6, 18], "present": [2, 3, 11, 12, 14, 18, 19, 20, 23, 24, 25, 26, 27, 28, 32, 36, 39, 42, 43, 44, 48], "email": [2, 3, 11, 12, 23, 24, 25, 26, 30, 42, 43, 44, 45, 46, 47, 48], "ietf": [2, 3, 6, 25, 26], "html": [2, 3, 6, 25, 26, 32], "rfc8555": [2, 3, 6], "section": [2, 3, 4, 6, 25, 26], "7": [2, 3, 6, 14, 18, 19, 20, 23, 24, 28, 35, 42, 43, 46, 47], "absent": [2, 18, 19, 20, 25, 27, 28, 32, 36, 44, 48], "changed_kei": 2, "external_account_bind": 2, "extern": [2, 3], "bind": [2, 3], "data": [2, 3, 5, 11, 12, 17, 19, 20, 23, 24, 25, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 42, 43, 44, 45, 48], "like": [2, 3, 10, 44, 45], "specif": [2, 3, 4, 5, 6, 10, 11, 12, 18, 25, 26, 28, 43, 44, 45], "properli": [2, 6], "custom": [2, 11, 20], "alg": 2, "mac": [2, 28], "algorithm": [2, 14, 18, 19, 20, 23, 24, 30, 31, 32, 33, 34, 35, 36, 42, 43, 44, 45, 46, 47, 48], "probabl": 2, "hs256": 2, "hs384": 2, "hs512": 2, "base64": [2, 3, 14, 23, 24, 28, 32, 33, 37, 38, 42, 43, 47, 48], "encod": [2, 3, 6, 11, 14, 23, 24, 28, 30, 32, 33, 37, 38, 42, 43, 46, 47, 48], "pad": 2, "symbol": [2, 7, 19, 20, 25, 27, 28, 29, 32, 36, 44], "end": [2, 3, 11, 19, 20, 25, 27, 28, 29, 32, 36, 44], "omit": [2, 9, 18, 19, 20], "kid": 2, "new_account_key_cont": 2, "same": [2, 3, 11, 12, 14, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 42, 43, 44, 48], "restrict": [2, 3, 19, 25, 26], "new_account_key_src": 2, "new_account_key_passphras": 2, "inform": [2, 3, 4, 5, 6, 8, 10, 11, 12, 14, 17, 19, 20, 25, 26, 27, 28, 29, 32, 33, 36, 44, 45], "touch": 2, "terms_agre": [2, 3], "indic": [2, 3, 11, 14, 25, 26, 31, 33], "agre": [2, 3], "term": [2, 3, 6], "acme_certif": [2, 5, 6, 7, 17], "do": [2, 3, 6, 9, 10, 11, 12, 18, 19, 20, 25, 27, 28, 29, 31, 32, 33, 36, 44], "basic": [2, 3, 23, 24, 25, 26, 30, 31, 34, 35, 42, 43], "manag": [2, 3, 4, 5, 6, 11, 17, 36], "both": [2, 3, 11, 20, 24, 25, 26, 31, 35, 36, 37, 38, 43, 45, 47, 48], "recommend": [2, 11, 12, 44, 45], "modify_account": [2, 3], "automat": [2, 3, 4, 5, 6, 18, 32, 33, 44], "rfc": [2, 3, 4, 5, 6, 25, 26], "8555": [2, 3, 4, 5, 6], "retriev": [2, 3, 6, 14, 17, 25, 26, 44, 45], "fact": 2, "write": [2, 3, 6, 7, 9, 18, 19, 20, 25, 27, 28, 29, 32, 33, 36, 44, 45, 48], "acme_inspect": [2, 3, 4, 17], "make": [2, 3, 6, 11, 14, 18, 20, 30, 31, 32, 33, 37, 38, 43, 48], "sure": [2, 3, 18, 20, 30, 31, 32, 33, 37, 38, 48], "TOS": 2, "myself": [2, 3], "one": [2, 3, 4, 7, 9, 11, 12, 14, 16, 19, 20, 23, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "variabl": [2, 3, 9, 15, 16, 23, 24, 30, 31, 34, 39, 40, 41, 42, 46], "new_account_kei": 2, "renew": [3, 11], "implement": [3, 33, 44, 45], "01": [3, 6, 11, 17, 19, 32, 33, 36, 39, 48], "alpn": [3, 6, 17], "twice": 3, "two": [3, 25, 26, 41, 48], "differ": [3, 4, 10, 12, 14, 19, 20, 25, 27, 32, 36, 44, 48], "task": [3, 11, 19, 20, 32, 33, 43], "output": [3, 6, 8, 11, 19, 28, 32, 33], "first": [3, 5, 6, 10, 11, 12, 18, 28, 43], "record": [3, 11, 12], "pass": [3, 9, 11], "second": [3, 12, 14, 18, 43, 44, 45, 48], "between": [3, 18, 20, 39], "fulfil": 3, "step": [3, 11, 28], "whatev": 3, "mean": [3, 11, 37], "necessari": [3, 19], "destin": [3, 11, 19, 20, 25, 27, 28, 29, 32, 33, 36, 44], "webserv": 3, "serv": [3, 44], "perform": [3, 11, 12, 18, 19, 20, 25, 26, 27, 28, 29, 32, 36, 44, 48], "how": [3, 5, 12, 14, 17, 23, 24, 25, 26, 30, 32, 42, 43, 44, 46, 47, 48], "read": [3, 9, 18, 19, 20, 25, 27, 28, 29, 32, 33, 36, 37, 38, 44, 45, 48], "through": 3, "main": 3, "consid": [3, 19, 20, 25, 26, 27, 28, 32, 44], "experiment": 3, "accord": [3, 25, 26], "8738": 3, "account_email": 3, "associ": [3, 7, 11, 12], "account": [3, 4, 5, 6, 8, 11, 17], "more": [3, 7, 11, 14, 19, 25, 26, 28, 44, 45, 48], "than": [3, 4, 11, 12, 19, 20, 23, 24, 25, 26, 28, 30, 42, 43, 44, 45, 46, 47, 48], "updat": [3, 6, 12, 19, 20, 25, 27, 28, 29, 32, 33, 36, 44, 48], "most": [3, 18], "agreement": [3, 11, 23, 24, 42, 43], "latest": [3, 32, 48], "gather": 3, "chain_dest": 3, "chain": [3, 11, 14, 17, 44], "intermedi": [3, 7, 11, 28, 33, 44], "some": [3, 4, 14, 18, 19, 20, 25, 27, 28, 29, 32, 33, 36, 37, 38, 44, 46, 47], "assur": 3, "could": [3, 11, 25, 27, 31, 32, 44, 45], "foo": [3, 18, 19], "certain": [3, 19, 31, 43], "period": [3, 44, 45], "csr": [3, 5, 6, 7, 9, 10, 11, 17, 27, 28, 30, 32, 33, 36, 43, 44, 45], "src": [3, 9, 28, 45], "openssl_csr": [3, 10, 11, 17, 24, 26, 27, 28, 32, 33, 36, 44, 45], "req": 3, "mai": [3, 11, 19, 20, 25, 26, 27, 28, 29, 32, 36, 44, 45], "multipl": [3, 9, 10, 11, 17, 23, 24, 25, 26, 28, 30, 31, 34, 35, 42, 43], "subject": [3, 7, 10, 11, 14, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 32, 36, 42, 43, 44, 45, 46, 48], "altern": [3, 10, 11, 25, 26, 44, 45], "each": [3, 9, 11, 15, 16, 23, 30, 32, 33, 34, 36, 39, 40, 41, 42, 46], "lead": [3, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "individu": [3, 19], "sign": [3, 5, 8, 11, 14, 17, 19, 27, 28, 32, 33, 36, 37, 42, 43, 44, 45, 46, 47, 48], "bad": 3, "idea": 3, "view": 3, "precis": 3, "csr_content": [3, 9, 10, 44, 45], "openssl_csr_pip": [3, 9, 10, 17, 24, 25, 32, 33, 36, 44, 45], "ongo": 3, "previou": [3, 11, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "non": [3, 8, 11, 19, 41], "activ": [3, 6, 11, 12, 26, 33, 45], "taken": 3, "mark": [3, 25, 26], "no_log": [3, 32, 33], "up": [3, 5, 11, 15, 16, 18, 19, 20, 23, 25, 27, 28, 29, 30, 32, 34, 36, 39, 40, 41, 42, 43, 44, 46], "longer": [3, 18, 25, 26, 31], "wai": [3, 5, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "caus": [3, 14, 19, 20], "messag": 3, "come": 3, "unus": 3, "anywai": 3, "deactivate_authz": 3, "authent": [3, 6, 11, 12, 19, 25, 26, 44, 45], "authz": [3, 6], "after": [3, 18, 44, 45], "bound": 3, "remain": [3, 11, 12, 18, 19], "amount": 3, "re": [3, 12, 14, 20, 23, 24, 25, 26, 27, 28, 32, 33, 36, 42, 43, 44, 45, 48], "domain": [3, 5, 11, 17, 23, 24, 30, 42, 43, 46, 47, 48], "concern": [3, 25, 27, 32, 44], "dest": [3, 5, 7, 9, 26, 45], "fullchain_dest": [3, 6], "forc": [3, 11, 19, 20, 25, 27, 28, 29, 32, 33, 36, 44, 45, 48], "enforc": 3, "even": [3, 4, 11, 18, 19, 20, 27, 28, 32, 36, 44, 45], "remaining_dai": [3, 11], "especi": [3, 32], "addit": [3, 11, 18, 25, 26], "desir": [3, 18], "fullchain": [3, 6, 7], "want": [3, 9, 10, 11, 12, 18, 19, 20, 25, 26, 30, 31, 48], "avoid": [3, 11, 12, 19, 20, 25, 27, 28, 29, 31, 32, 36, 43, 44, 45, 48], "accident": [3, 30, 31, 32, 33], "old": [3, 11, 25, 26, 43, 44, 48], "number": [3, 11, 12, 14, 17, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 34, 35, 36, 42, 43, 44, 45, 46, 47, 48], "dai": [3, 11, 12, 14, 43, 44, 45], "left": [3, 11, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "being": [3, 11, 19, 32, 33, 43, 44, 45], "cert_dai": [3, 11], "challenge_data": [3, 5], "retrieve_all_altern": 3, "offer": [3, 9, 10], "These": [3, 17, 23, 25, 26, 30, 39, 42, 46], "togeth": [3, 18, 28], "all_chain": 3, "select_chain": 3, "criteria": 3, "select": [3, 5, 10, 20, 28, 32, 33], "until": [3, 7, 11, 14], "criterium": 3, "header": [3, 5, 6], "determinist": 3, "everi": [3, 11, 12, 16, 20, 23, 24, 25, 26, 29, 30, 31, 32, 33, 34, 35, 42, 43, 44, 45, 48], "consist": [3, 19, 20, 25, 27, 28, 29, 31, 32, 36, 44], "condit": [3, 14, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "issuer": [3, 7, 14, 23, 24, 25, 26, 42, 43, 44, 46, 47, 48], "authority_key_identifi": [3, 23, 24, 25, 26, 42, 43], "authoritykeyidentifi": [3, 23, 24, 25, 26, 42, 43], "extens": [3, 5, 6, 14, 20, 23, 24, 25, 26, 42, 43, 46, 47, 48], "base": [3, 11, 18, 19, 32, 33], "form": [3, 7, 11, 14, 23, 24, 39, 41, 42, 43, 46, 47, 48], "c4": 3, "a7": 3, "b1": [3, 32, 33, 36], "a4": 3, "7b": 3, "2c": [3, 32, 33, 36], "71": [3, 32, 33, 36], "fa": 3, "db": 3, "e1": [3, 32, 33, 36], "4b": 3, "90": [3, 11, 12, 44, 45], "75": [3, 32, 33, 36], "ff": [3, 23, 24, 25, 26, 30, 31, 34, 35, 42, 43], "15": [3, 6, 11, 15, 16, 28, 44, 45], "60": [3, 11, 12, 32, 33, 36], "85": [3, 32, 33, 36], "89": 3, "would": [3, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "commonnam": [3, 23, 24, 25, 26, 42, 43, 44, 46, 47, 48], "my": [3, 32, 47, 48], "prefer": [3, 23, 24, 30, 42, 43, 46, 47, 48], "root": [3, 11, 14, 17, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "cn": [3, 9, 11, 14, 25, 26, 48], "subject_key_identifi": [3, 23, 24, 25, 26, 42, 43], "subjectkeyidentifi": [3, 23, 24, 42, 43], "a8": 3, "4a": [3, 23, 24, 30, 31, 34, 35, 42, 43], "6a": [3, 32, 33, 36], "63": [3, 11, 23, 24, 30, 31, 34, 35, 42, 43], "04": [3, 23, 24, 30, 31, 32, 33, 34, 35, 36, 42, 43], "7d": [3, 48], "dd": [3, 19, 23, 24, 25, 26, 32, 33, 36, 42, 43], "ba": [3, 23, 24, 30, 31, 34, 35, 42, 43], "e6": [3, 23, 24, 30, 31, 34, 35, 42, 43], "d1": 3, "39": [3, 32, 33, 36], "b7": 3, "a6": [3, 32, 33, 36], "45": 3, "65": 3, "ef": [3, 32, 33, 36], "f3": 3, "a1": [3, 32, 33, 36], "test_certif": 3, "exclud": [3, 19, 23, 24, 25, 26], "leaf": [3, 7], "ident": [3, 19], "last": [3, 18, 23, 24, 42, 43, 46, 47, 48], "furthest": 3, "awai": 3, "Its": 3, "safe_file_oper": [3, 11, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "strict": [3, 6, 11, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "oper": [3, 11, 18, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "function": [3, 11, 18, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "ensur": [3, 11, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "proper": [3, 11, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "permiss": [3, 11, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "corrupt": [3, 11, 19, 20, 25, 26, 27, 28, 29, 32, 36, 44, 48], "At": [3, 19], "least": [3, 11, 25, 26, 37, 38], "control": [3, 6, 12, 14, 15, 16, 23, 30, 33, 42, 46, 47], "over": 3, "rate": [3, 4], "limit": [3, 4, 18, 19], "8737": [3, 5, 6], "acme_challenge_cert_help": [3, 17], "prepar": [3, 17], "certificate_complete_chain": [3, 17], "find": [3, 7, 12], "acme_certificate_revok": [3, 17], "account_private_kei": 3, "httpd": [3, 4, 5, 6], "crt": [3, 4, 5, 6, 11, 12, 43, 44, 45, 48], "sample_com_challeng": [3, 5], "hashi": 3, "vault": [3, 18, 33], "lookup": [3, 7, 15, 23, 26, 30, 33, 34, 40, 42, 45, 46], "hashi_vault": 3, "secret": [3, 32], "copi": [3, 7, 9, 11, 12, 26, 44, 45], "www": [3, 7, 9, 10, 11, 14, 19, 23, 24, 25, 26, 42, 43, 44, 45], "resource_valu": 3, "item": [3, 5, 25, 40], "loop": [3, 5, 19, 20, 25, 27, 28, 29, 32, 36, 40, 44], "dict2item": 3, "v01": 3, "30": [3, 11, 32, 33, 36], "aw": 3, "route53": 3, "zone": 3, "txt": [3, 12, 19], "ttl": 3, "enclos": 3, "quot": [3, 19, 20, 25, 27, 28, 29, 32, 36, 44], "regex_replac": [3, 25], "map": [3, 11, 25, 43], "challenge_data_dn": 3, "dst": 3, "x3": 3, "cross": 3, "identrust": 3, "As": [3, 19, 20, 25, 27, 28, 29, 32, 36, 44], "long": [3, 12, 14], "switch": 3, "own": [3, 9, 19, 20, 25, 26, 27, 28, 29, 32, 36, 44, 45, 48], "isrg": 3, "x1": 3, "compat": [3, 11, 14, 19, 28], "older": [3, 18, 28, 29, 32, 33, 36, 44], "client": [3, 11, 12, 14, 19, 25, 26, 44, 45, 46, 47, 48], "o": [3, 11, 14, 19, 20, 25, 26, 27, 28, 29, 32, 36, 44], "digit": [3, 41], "signatur": [3, 7, 17, 19, 23, 24, 25, 26, 38, 42, 43, 44, 46, 47, 48], "co": 3, "4": [3, 4, 8, 14, 18, 23, 24, 25, 26, 28, 36, 37, 38, 42, 43, 44], "itself": [3, 48], "concaten": [3, 7], "full_chain": 3, "token": [3, 19], "a5b1c3d2e9f8g7h6": 3, "12345": [3, 6, 23, 24, 42, 43], "2022": [3, 28], "08": [3, 11, 32, 33, 36], "01t01": 3, "02": [3, 11, 48], "34z": 3, "04t01": 3, "03": [3, 11, 25, 27, 28, 29, 32, 36, 44, 48], "45z": 3, "per": [3, 28], "yet": [3, 6], "_acm": 3, "known": [3, 11, 12, 18, 19, 20, 23, 24, 25, 27, 28, 29, 30, 31, 32, 34, 35, 36, 42, 43, 44, 46, 47, 48], "evagxfads6psrb2lav9izf17dt3juxgj": 3, "pct92wr": 3, "oa": 3, "resource_origin": 3, "origin": [3, 11, 14, 23, 24, 25, 27, 28, 29, 32, 36, 42, 43, 44, 48], "produc": 3, "blob": 3, "put": 3, "acmevalid": 3, "x509": 3, "editor": 3, "rfc8737": 3, "b64decod": [3, 9, 45], "jinja": 3, "filter": [3, 11, 14, 16, 19, 24, 25, 26, 31, 35, 43, 47, 48], "extract": [3, 14, 23, 24, 30, 42, 43, 48], "ilirfxkkxa": 3, "17dt3juxgj": 3, "finalization_uri": 3, "michael": 3, "gruener": 3, "mgruener": 3, "exactli": [4, 14, 20, 23, 24, 29, 41, 42, 43], "private_key_src": [4, 5], "private_key_cont": [4, 5, 25, 26, 28, 36], "valu": 4, "private_key_passphras": [4, 5, 29], "revoke_reason": 4, "One": [4, 19, 20, 23, 24, 25, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 42, 43, 44, 48], "revoc": [4, 11, 17, 25, 26, 46], "reasoncod": 4, "defin": [4, 10, 11, 12, 13, 18, 25, 26, 32, 33, 44, 45, 48], "rfc5280": [4, 25, 26], "possibl": [4, 11, 14, 23, 24, 42, 43], "unspecifi": [4, 19, 20, 25, 27, 28, 29, 32, 36, 44, 46, 47, 48], "keycompromis": 4, "cacompromis": 4, "affiliationchang": 4, "supersed": [4, 25, 26, 46, 47, 48], "cessationofoper": 4, "certificatehold": 4, "removefromcrl": 4, "9": [4, 14, 17, 20, 32, 33, 43, 44], "privilegewithdrawn": 4, "aacompromis": 4, "return": 4, "alreadi": [4, 11, 12, 18, 19, 20, 25, 26, 27, 28, 32, 36, 44, 45, 47, 48], "unchang": [4, 18], "depend": [4, 8, 11, 14, 23, 24, 30, 31, 32, 33, 34, 35, 42, 43, 48], "raw": [5, 6, 14, 29, 32, 33], "convert": [5, 11, 14, 17, 19, 20, 23, 24, 25, 26, 30, 32, 33, 42, 43, 46, 47, 48], "simpl": [5, 9, 10], "gener": [5, 7, 11, 17, 18, 23, 24, 29, 31, 35, 37, 38, 42, 43, 47], "dictsort": 5, "sample_com_challenge_cert": 5, "regular_certif": 5, "deliv": 5, "regular": [5, 6], "connect": [5, 6, 14], "except": [5, 6, 14, 20, 23, 24, 25, 26, 28, 32, 33, 42, 43, 48], "challenge_certif": 5, "achiev": 5, "veri": [5, 10, 47], "nginx": [5, 6], "search": 5, "ssl_preread": 5, "ssl_preread_alpn_protocol": 5, "rout": 5, "private_kei": [5, 19, 33], "identifier_typ": 5, "self": [5, 9, 17, 25, 26, 43, 44, 45], "place": [5, 23, 24, 30, 31, 34, 35, 42, 43], "attempt": [6, 20], "encount": 6, "wish": 6, "investig": 6, "sent": [6, 12], "method": [6, 12, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "otherwis": [6, 11, 14, 18, 19, 20, 23, 24, 25, 27, 28, 29, 32, 36, 42, 43, 44, 46, 47, 48], "fail_on_acme_error": 6, "id": [6, 11, 12, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "localhost": [6, 14, 25, 45], "m": [6, 14, 19, 25, 26, 43, 44, 45, 48], "acct": 6, "newaccount": 6, "termsofserviceagre": 6, "account_cr": 6, "locat": [6, 11, 12, 44, 47, 48], "account_info": 6, "to_json": 6, "certificate_request": 6, "someth": [6, 28, 43], "went": 6, "wrong": 6, "output_json": 6, "selectattr": 6, "equalto": 6, "http01challeng": 6, "manual": [6, 12], "a85k3x9f91a4": 6, "random": [6, 12], "33417": 6, "keychang": 6, "meta": 6, "caaident": 6, "termsofservic": 6, "le": 6, "sa": 6, "novemb": 6, "2017": 6, "pdf": 6, "websit": 6, "newnonc": 6, "nonc": 6, "neword": 6, "revokecert": 6, "lowercas": 6, "boulder": 6, "cach": 6, "max": 6, "ag": 6, "close": [6, 18], "length": [6, 20, 44], "904": 6, "applic": [6, 11, 12, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "cooki": 6, "cookies_str": 6, "wed": 6, "07": [6, 23, 24, 30, 31, 34, 35, 42, 43], "nov": 6, "2018": [6, 11], "12": [6, 14, 17, 25, 26, 27, 32, 33, 36, 44, 45], "34": [6, 23, 24, 30, 31, 34, 35, 42, 43], "56": [6, 32, 33, 36], "gmt": [6, 44, 45], "44": [6, 23, 24, 25, 26, 42, 43], "rel": [6, 19, 25, 26, 43, 44, 45, 48], "msg": [6, 14, 15, 16, 23, 30, 33, 34, 39, 40, 41, 42, 46, 47], "ok": 6, "byte": [6, 18, 23, 24, 25, 26, 39, 42, 43], "pragma": 6, "replai": 6, "1234567890abcdefghijklmnopqrstuvwxyzabcdefgh": 6, "200": 6, "transport": [6, 31], "604800": 6, "46161": 6, "frame": 6, "deni": 6, "pars": [6, 7, 14, 19, 20, 23, 24, 25, 27, 28, 29, 31, 32, 36, 39, 42, 43, 44], "output_text": 6, "text": [6, 11, 12], "see": [7, 9, 18, 20], "note": [7, 9, 18, 19, 23, 24, 27, 28, 29, 30, 31, 32, 33, 42, 46], "input_chain": 7, "intermediate_certif": 7, "filenam": [7, 11, 16, 19, 20, 25, 27, 28, 32, 36, 44, 48], "subdirectori": 7, "scan": 7, "root_certif": 7, "www_ansible_com": 7, "completechain": 7, "join": [7, 14, 23, 30, 42], "complete_chain": 7, "rootchain": 7, "input": [7, 12, 28], "python": [8, 14, 23, 24, 27, 28, 30, 31, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "crypto_inform": 8, "show": [8, 9, 10, 15, 16, 23, 30, 33, 34, 42, 44, 46], "openssl_pres": 8, "usr": [8, 19, 20, 25, 27, 28, 29, 32, 36, 44], "bin": [8, 19, 20, 25, 27, 28, 29, 32, 36, 44], "1m": 8, "version_output": 8, "14": [8, 32, 33, 36], "dec": 8, "2021": 8, "python_cryptography_cap": 8, "python_cryptography_instal": 8, "theoret": 8, "higher": [8, 11, 15, 16, 23, 30, 34, 39, 40, 41, 42, 46], "libssl": 8, "has_dsa": 8, "dsa": [8, 10, 20, 23, 24, 30, 31, 32, 33, 34, 35, 37, 38, 42, 43], "has_dsa_sign": 8, "has_ec": 8, "has_ec_sign": 8, "has_ed25519": 8, "ed25519": [8, 20, 23, 24, 30, 31, 32, 33, 34, 35, 37, 38, 42, 43], "has_ed25519_sign": 8, "has_ed448": 8, "ed448": [8, 23, 24, 30, 31, 32, 33, 34, 35, 37, 38, 42, 43], "has_ed448_sign": 8, "has_rsa": 8, "has_rsa_sign": 8, "has_x25519": 8, "x25519": [8, 10, 23, 24, 30, 31, 32, 33, 34, 35, 42, 43], "has_x25519_seri": 8, "serial": [8, 11, 14, 17, 19, 23, 24, 25, 26, 41, 42, 43, 46, 47, 48], "has_x448": 8, "x448": [8, 23, 24, 30, 31, 32, 33, 34, 35, 42, 43], "python_cryptography_import_error": 8, "commun": [9, 10], "crypto": [9, 10], "guid": [9, 10], "exampl": [9, 10], "password": [9, 10, 11, 12, 18, 20, 25, 26, 28, 38, 44, 45, 48], "protect": [9, 10, 18, 20, 25, 26, 32, 33, 36, 38, 44, 45, 48], "secret_ca_passphras": 9, "instruct": [9, 12], "ask": 9, "pai": 9, "commerci": [9, 25, 26], "passphras": [9, 10, 18, 20, 25, 26, 28, 29, 30, 31, 32, 33, 36, 38, 44, 45, 48], "privatekey_path": [9, 10, 24, 25, 26, 28, 35, 36, 37, 38, 43, 44, 45, 48], "privatekey_passphras": [9, 10, 25, 26, 28, 36, 38, 44, 45, 48], "common_nam": [9, 10, 24, 25, 26], "use_common_name_for_san": [9, 25, 26], "san": [9, 10, 11, 25, 26], "don": 9, "basic_constraint": [9, 23, 24, 25, 26, 42, 43], "basic_constraints_crit": [9, 23, 24, 25, 26, 42, 43], "key_usag": [9, 23, 24, 25, 26, 42, 43, 44], "keycertsign": 9, "key_usage_crit": [9, 23, 24, 25, 26, 42, 43], "ca_csr": 9, "x509_certif": [9, 10, 12, 17, 22, 25, 26, 27, 28, 32, 33, 36, 37, 43, 45], "selfsign": [9, 10, 43, 44, 45], "x509_certificate_pip": [9, 17, 25, 26, 32, 33, 36, 43, 44], "server_1": 9, "while": [9, 11, 12, 32, 33, 44, 45], "our": [9, 45], "server_2": 9, "materi": [9, 31, 33], "leav": [9, 31], "respect": [9, 18, 23, 25, 26, 30, 34, 42], "delegate_to": [9, 14, 45], "run_onc": [9, 14], "subject_alt_nam": [9, 10, 11, 23, 24, 25, 26, 30, 42, 43, 44], "ownca": [9, 44, 45], "ownca_path": [9, 44, 45], "ownca_privatekey_path": [9, 44, 45], "ownca_privatekey_passphras": [9, 44, 45], "ownca_not_aft": [9, 44, 45], "365d": [9, 44, 45], "year": [9, 10, 11, 44, 45], "ownca_not_befor": [9, 44, 45], "1d": [9, 32, 33, 36, 43], "yesterdai": 9, "abov": 9, "procedur": 9, "idempot": [9, 18, 19, 28, 33, 44, 45, 48], "extend": [9, 11], "stat": 9, "certificate_exist": 9, "slurp": [9, 45], "els": [9, 28], "kind": 10, "start": [10, 23, 24, 30, 31, 34, 35, 42, 43, 44, 45], "paramet": [10, 15, 16, 17, 34, 39, 40, 41], "4096": [10, 20, 27, 31, 32, 33, 35], "bit": [10, 20, 23, 24, 27, 30, 31, 32, 33, 34, 35, 42, 43], "size": [10, 12, 18, 20, 23, 24, 27, 30, 31, 32, 33, 34, 35, 42, 43], "changem": 10, "proce": 10, "selfsigned_not_aft": [10, 44, 45], "roughli": 10, "selfsigned_not_befor": [10, 44, 45], "now": [10, 11, 19, 44, 45, 48], "properti": 10, "constraint": [10, 25, 26], "organization_nam": [10, 25, 26], "inc": [10, 11], "reissu": 11, "credenti": [11, 12, 44, 45], "organ": [11, 46], "system": [11, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "those": [11, 19, 20, 25, 27, 28, 29, 32, 36, 44], "pyyaml": [11, 12], "11": [11, 12, 14, 19, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 34, 35, 36, 39, 41, 42, 43, 44, 46, 47, 48], "additional_email": 11, "receiv": [11, 12, 19, 20, 25, 27, 28, 29, 32, 36, 44], "deliveri": 11, "notic": 11, "notif": 11, "backup": [11, 20, 25, 27, 28, 29, 32, 33, 36, 44, 48], "made": [11, 12, 19], "cert_expiri": 11, "compliant": 11, "2020": [11, 19, 20, 25, 27, 28, 29, 32, 36, 44], "23": [11, 28], "23t15": 11, "00": [11, 19, 23, 24, 25, 26, 32, 33, 36, 39, 41, 42, 43, 44, 45], "05z": 11, "request_typ": 11, "issuanc": [11, 44, 45], "subsequ": 11, "initi": [11, 14], "month": [11, 44, 45], "choos": 11, "adjust": [11, 20, 44, 45], "eastern": 11, "est": [11, 44, 45], "unintend": 11, "effect": 11, "pool": 11, "inventori": 11, "model": 11, "cert_lifetim": 11, "lifetim": [11, 44, 45], "cert_typ": 11, "cds_individu": 11, "cds_group": 11, "cds_ent_lit": [11, 44, 45], "cds_ent_pro": [11, 44, 45], "smime_": [11, 44, 45], "p1y": 11, "p2y": 11, "p3y": 11, "standard_ssl": [11, 44, 45], "advantage_ssl": [11, 44, 45], "uc_ssl": [11, 44, 45], "ev_ssl": [11, 44, 45], "wildcard_ssl": [11, 44, 45], "private_ssl": [11, 44, 45], "pd_ssl": [11, 44, 45], "code_sign": 11, "ev_code_sign": 11, "client_id": [11, 12], "under": [11, 12], "primari": [11, 12], "cannot": [11, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 42, 43, 44, 48], "distinguish": 11, "repres": [11, 39], "64": 11, "around": [11, 31], "overrid": [11, 15, 16, 23, 30, 34, 39, 40, 41, 42, 46], "eku": 11, "ou": [11, 14, 25, 26], "organiz": 11, "unit": 11, "replac": [11, 33, 48], "ti": 11, "ct_log": 11, "complianc": 11, "browser": 11, "transpar": 11, "ct": 11, "log": [11, 19, 30, 31, 32, 33], "best": [11, 19, 20, 25, 27, 28, 29, 32, 36, 44], "practic": 11, "techniqu": 11, "owner": [11, 12, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "monitor": 11, "elig": [11, 12], "custom_field": 11, "date1": 11, "date2": 11, "date3": 11, "date4": 11, "date5": 11, "dropdown1": 11, "dropdown": 11, "dropdown2": 11, "dropdown3": 11, "dropdown4": 11, "dropdown5": 11, "email1": 11, "email2": 11, "email3": 11, "email4": 11, "email5": 11, "number1": 11, "float": [11, 18], "number2": 11, "number3": 11, "number4": 11, "number5": 11, "text1": 11, "maximum": [11, 23, 24, 30, 31, 34, 35, 42, 43, 44, 45], "500": 11, "charact": 11, "text10": 11, "text11": 11, "text12": 11, "text13": 11, "text14": 11, "text15": 11, "text2": 11, "text3": 11, "text4": 11, "text5": 11, "text6": 11, "text7": 11, "text8": 11, "text9": 11, "server_auth": 11, "client_auth": 11, "server_and_client_auth": 11, "end_user_key_storage_agr": 11, "user": [11, 17, 18, 20, 25, 27, 28, 29, 32, 36, 44, 48], "code": 11, "cryptograph": [11, 17], "hardwar": 11, "csp": 11, "subscript": 11, "acknowledg": 11, "entrust_api_client_cert_key_path": [11, 12, 44, 45], "entrust_api_client_cert_path": [11, 12, 44, 45], "entrust_api_kei": [11, 12, 44, 45], "entrust_api_specification_path": [11, 12, 44, 45], "configur": [11, 12, 13, 15, 16, 18, 19, 20, 23, 25, 27, 28, 29, 30, 32, 33, 34, 36, 39, 40, 41, 42, 44, 45, 46, 48], "keep": [11, 12, 32, 44, 45], "download": [11, 12, 44, 45], "cloud": [11, 12, 44, 45], "net": [11, 12, 44, 45], "entrustcloud": [11, 12, 44, 45], "cm": [11, 12, 44, 45], "yaml": [11, 12, 44, 45], "entrust_api_us": [11, 12, 44, 45], "usernam": [11, 12, 19, 20, 25, 27, 28, 29, 32, 36, 44, 45, 48], "regardless": 11, "within": [11, 12], "past": [11, 42, 43], "full_chain_path": 11, "unless": [11, 12, 18, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "behavior": [11, 20, 28, 32, 33, 44], "neither": 11, "nor": 11, "reus": 11, "unapprov": 11, "failur": [11, 14], "reserv": 11, "futur": 11, "calcul": 11, "tracking_id": 11, "obtain": [11, 12], "act": [11, 19], "upon": [11, 23, 24, 30, 31, 34, 35, 42, 43], "refer": 11, "validate_onli": 11, "cautiou": 11, "along": 11, "requester_email": 11, "track": [11, 44, 45], "requester_nam": 11, "requester_phon": 11, "phone": [11, 44, 45], "arrai": 11, "subjectaltnam": [11, 25, 26], "understand": [11, 18], "tld": 11, "save": [11, 27], "referenc": 11, "tracking_info": 11, "free": 11, "attach": [11, 25, 26], "partial": 11, "to_seri": [11, 14, 17, 23, 24, 39, 42, 43, 46, 47, 48], "colon": [11, 14, 17, 19, 23, 24, 25, 26, 42, 43, 46, 47, 48], "separ": [11, 14, 17, 18, 19, 23, 24, 25, 26, 42, 43, 46, 47, 48], "hex": [11, 14, 17, 19, 23, 24, 25, 26, 42, 43, 46, 47, 48], "bare": 11, "minimum": [11, 20, 44, 45], "jo": [11, 44], "jdoe": [11, 25, 44], "555": [11, 44], "5555": [11, 44], "apiusernam": [11, 12, 44], "lv": [11, 12, 44], "32": [11, 12, 19, 23, 24, 30, 31, 32, 33, 34, 35, 36, 42, 43, 44], "cd9lnt": [11, 12, 44], "20": [11, 25], "79": [11, 32, 33, 36], "migrat": 11, "2378915": 11, "rather": 11, "overridden": [11, 27, 28], "testcertif": 11, "administr": [11, 12], "via": [11, 44], "itsupport": 11, "jsmith": 11, "admin": [11, 12], "invoic": 11, "25": [11, 32, 33, 36], "342": 11, "sale": 11, "red": 11, "backup_fil": [11, 25, 27, 28, 29, 32, 36, 44, 48], "2019": [11, 19, 25, 27, 28, 29, 32, 36, 44, 45, 48], "09": [11, 23, 24, 25, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 42, 43, 44, 48], "22": [11, 14, 19, 23, 24, 25, 26, 27, 28, 29, 32, 33, 36, 39, 41, 42, 43, 44, 46, 47, 48], "backup_full_chain_fil": 11, "253": 11, "cert_detail": 11, "guarante": 11, "forward": [11, 19], "releas": [11, 19], "take": [11, 15, 16, 19, 20, 23, 24, 25, 27, 30, 31, 32, 34, 35, 36, 42, 43, 44, 46, 47, 48], "howev": [11, 18, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "audit": 11, "cert_statu": 11, "expand": 11, "approv": [11, 12], "declin": [11, 12], "na": 11, "pending_quorum": 11, "suspend": 11, "serial_numb": [11, 14, 19, 42, 43, 46, 47, 48], "33": [11, 14, 19, 23, 24, 25, 26, 30, 31, 32, 33, 34, 35, 36, 39, 41, 42, 43, 46, 47, 48], "1235262234164342": 11, "380079": 11, "chri": [11, 12], "trufan": [11, 12], "ctrufan": [11, 12], "verification_method": 12, "domain_statu": 12, "dns_content": 12, "dns_locat": 12, "dns_resource_typ": 12, "web_serv": 12, "file_cont": 12, "file_loc": 12, "e": [12, 25, 26], "were": [12, 14], "pure": 12, "domain_nam": 12, "reverifi": 12, "verification_email": 12, "ownership": [12, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "whoi": 12, "construct": 12, "webmast": 12, "hostmast": 12, "postmast": 12, "subdomain": 12, "top": 12, "level": [12, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "example1": 12, "example2": 12, "preconstruct": 12, "namespac": 12, "exact": [12, 48], "verif": 12, "prove": 12, "There": [12, 18], "small": [12, 17], "delai": 12, "typic": 12, "Be": 12, "awar": 12, "mani": [12, 14, 48], "ecs_certif": [12, 17], "revalid": 12, "fewer": [12, 44, 45], "ev": 12, "belong": [12, 25, 26], "expect": [12, 32, 33, 43, 44, 45, 48], "ab23cd41432522ff2526920393982fab": 12, "_pki": 12, "cancel": 12, "initial_verif": 12, "re_verif": 12, "ev_days_remain": 12, "submiss": 12, "never": [12, 14, 19, 20, 32, 33, 41, 44, 45, 48], "greater": [12, 19], "ov_days_remain": 12, "ev_elig": 12, "94": [12, 23, 24, 30, 31, 32, 33, 34, 35, 36, 42, 43], "ov_elig": 12, "abcd": 12, "ov": 12, "129": 12, "declar": 13, "No": 13, "sni": 14, "proxy_host": 14, "asn1_base64": 14, "asn": [14, 23, 24, 42, 43, 44, 45, 46, 47, 48], "claim": 14, "ca_cert": [14, 45], "cipher": [14, 18, 32, 33], "libressl": 14, "fine": 14, "proxi": 14, "proxy_port": 14, "8080": 14, "server_nam": 14, "starttl": 14, "mysql": 14, "succe": 14, "rdp": 14, "3389": 14, "googl": 14, "443": 14, "expire_dai": 14, "not_aft": [14, 42, 43, 44], "to_datetim": 14, "d": [14, 19, 43, 44, 45, 48], "h": [14, 19, 43, 44, 45, 48], "sz": 14, "ansible_date_tim": 14, "iso8601": 14, "dt": 14, "asn1_data": 14, "surviv": 14, "displai": [14, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "github": [14, 17], "80258": 14, "usual": [14, 19, 23, 24, 42, 43], "malform": [14, 23, 24, 42, 43], "critic": [14, 23, 24, 25, 26, 42, 43, 46, 47, 48], "not_befor": [14, 42, 43, 44], "signature_algorithm": [14, 19, 42, 43, 44], "john": 14, "westcott": 14, "iv": 14, "gnupg": [15, 16], "public_kei": [15, 16, 19, 20, 23, 24, 30, 31, 42, 43, 44], "low": [15, 16, 23, 30, 34, 39, 40, 41, 42, 46], "high": [15, 16, 23, 30, 34, 39, 40, 41, 42, 46], "prioriti": [15, 16, 23, 30, 34, 39, 40, 41, 42, 46], "lower": [15, 16, 23, 30, 34, 39, 40, 41, 42, 46], "author": 17, "newer": [17, 19, 31, 32, 33, 37, 38], "matrix": 17, "room": 17, "im": 17, "question": 17, "irc": 17, "channel": [17, 31], "libera": 17, "network": [17, 39], "mail": 17, "project": 17, "subscrib": 17, "acm": [17, 44], "requir": [17, 34, 39, 40, 41], "send": [17, 28, 46, 47], "direct": 17, "crypto_info": 17, "capabl": 17, "entrust": [17, 44, 45], "ecs_domain": 17, "get_certif": 17, "port": [17, 19], "luks_devic": 17, "luk": 17, "devic": 17, "openssh_cert": 17, "openssh": [17, 36], "openssh_keypair": [17, 36], "openssl_csr_info": [17, 25, 26, 44], "openssl_dhparam": [17, 25, 26, 28, 32, 33, 36, 44, 45], "diffi": [17, 25, 26, 28, 32, 33, 36, 44, 45], "hellman": [17, 25, 26, 28, 32, 33, 36, 44, 45], "openssl_pkcs12": [17, 25, 26, 27, 32, 33, 36, 44, 45], "pkc": [17, 19, 25, 26, 27, 32, 33, 36, 44, 45], "archiv": [17, 25, 26, 27, 32, 33, 36, 44, 45], "openssl_privatekey_convert": 17, "openssl_privatekey_info": [17, 32, 33, 35, 44], "openssl_publickei": [17, 25, 26, 27, 28, 29, 32, 33, 35, 44, 45], "openssl_publickey_info": 17, "openssl_signatur": [17, 37], "openssl_signature_info": [17, 38], "x509_certificate_info": [17, 21, 44], "509": [17, 47], "x509_crl": [17, 47], "crl": [17, 25, 26], "x509_crl_info": 17, "gpg_fingerprint": 17, "gpg": 17, "fingerprint": [17, 20, 23, 24, 30, 31, 32, 33, 34, 35, 36, 42, 43], "parse_seri": [17, 19, 25, 26, 48], "split_pem": 17, "split": 17, "destroi": 18, "open": 18, "cryptsetup": 18, "wipef": 18, "lsblk": 18, "blkid": 18, "label": [18, 23, 24, 30, 42, 43, 46, 47, 48], "uuid": 18, "allow_discard": 18, "17": 18, "discard": 18, "also": [18, 20], "trim": 18, "pre": [18, 28], "kernel": 18, "ae": [18, 32, 33, 36], "plain": 18, "spec": 18, "essiv": 18, "cbc": 18, "sha256": [18, 20, 23, 24, 25, 26, 30, 31, 32, 33, 34, 35, 36, 42, 43, 44, 45, 48], "dev": 18, "sda1": 18, "force_remove_last_kei": 18, "bewar": 18, "hash": [18, 23, 24, 30, 31, 34, 35, 42, 43], "setup": 18, "scheme": 18, "volum": 18, "digest": [18, 25, 26, 44, 45, 46, 47, 48], "keyfil": 18, "unlock": 18, "plaintext": 18, "danger": 18, "keysiz": [18, 32], "keyslot": 18, "16": 18, "add": [18, 19], "luks1": 18, "luks2": 18, "31": 18, "later": 18, "new_keyfil": 18, "new_keyslot": 18, "new_passphras": 18, "pbkdf": 18, "deriv": 18, "argon2i": 18, "argon2id": 18, "pbkdf2": 18, "iteration_count": 18, "iter": 18, "count": 18, "iteration_tim": 18, "millisecond": 18, "memori": 18, "cost": 18, "kilobyt": 18, "argon": 18, "parallel": 18, "thread": 18, "perf_no_read_workqueu": 18, "bypass": 18, "dm": 18, "crypt": 18, "intern": 18, "workqueu": 18, "synchron": 18, "perf_no_write_workqueu": 18, "perf_same_cpu_crypt": 18, "cpu": 18, "io": 18, "unbound": 18, "balanc": 18, "perf_submit_from_crypt_cpu": 18, "offload": 18, "situat": [18, 20, 32, 33], "block": [18, 33], "singl": 18, "degrad": 18, "significantli": 18, "persist": 18, "metadata": 18, "them": [18, 19, 20, 25, 26, 27, 28, 29, 32, 36, 44], "next": [18, 31], "remove_keyfil": 18, "filesystem": [18, 19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "remove_keyslot": 18, "slot": 18, "remove_passphras": 18, "sector_s": 18, "sector": 18, "lock": 18, "suffic": 18, "explicit": 18, "With": 18, "loop0": 18, "mycrypt": 18, "keyfile2": 18, "personallabelnam": 18, "03ecd578": 18, "fad4": 18, "4e6c": 18, "9348": 18, "842e3e8fa340": 18, "suppli": 18, "c1da9a58": 18, "2fde": 18, "4256": 18, "9d9f": 18, "6ab008b4dd1b": 18, "jan": 18, "pokorni": 18, "japokorn": 18, "regener": [19, 20, 25, 26, 27, 28, 32, 33, 36, 44, 45, 48], "ssh": [19, 20], "keygen": [19, 20], "attr": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "flag": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "look": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "man": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "page": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "chattr": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "lsattr": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "equival": [19, 20, 32, 48], "fed": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "chown": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "preserv": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "ignore_timestamp": [19, 44, 45, 48], "valid_from": 19, "valid_to": 19, "meet": 19, "chmod": [19, 20, 25, 27, 28, 29, 32, 36, 44], "rememb": [19, 20, 25, 27, 28, 29, 32, 36, 44], "octal": [19, 20, 25, 27, 28, 29, 32, 36, 44], "correctli": [19, 20, 25, 27, 28, 29, 32, 36, 44], "644": [19, 20, 25, 27, 28, 29, 32, 36, 44], "1777": [19, 20, 25, 27, 28, 29, 32, 36, 44], "convers": [19, 20, 25, 27, 28, 29, 32, 36, 44], "zero": [19, 20, 25, 27, 28, 29, 32, 36, 44], "0755": [19, 20, 25, 27, 28, 29, 32, 36, 44], "sometim": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "circumst": [19, 20, 25, 27, 28, 29, 32, 36, 44], "rule": [19, 20, 25, 27, 28, 29, 32, 36, 44], "decim": [19, 20, 25, 27, 28, 29, 32, 36, 44], "unexpect": [19, 20, 25, 27, 28, 29, 32, 36, 44], "rwx": [19, 20, 25, 27, 28, 29, 32, 36, 44], "rw": [19, 20, 25, 27, 28, 29, 32, 36, 44], "g": [19, 20, 23, 24, 25, 27, 28, 29, 30, 31, 32, 34, 35, 36, 42, 43, 44], "r": [19, 20, 24, 25, 27, 28, 29, 31, 32, 35, 36, 43, 44], "umask": [19, 20, 25, 27, 28, 29, 32, 36, 44], "newli": [19, 20, 25, 27, 28, 29, 32, 36, 44], "cve": [19, 20, 25, 27, 28, 29, 32, 36, 44], "1736": [19, 20, 25, 27, 28, 29, 32, 36, 44], "clear": 19, "shell": 19, "agent": 19, "permit": [19, 23, 24, 25, 26], "pty": 19, "alloc": 19, "rc": 19, "sshd": 19, "x11": 19, "address_list": 19, "comma": 19, "netmask": 19, "pair": [19, 25, 26, 48], "cidr": 19, "numer": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "confus": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "pkcs11_provid": 19, "resid": 19, "share": 19, "libpkcs11": 19, "signing_kei": 19, "princip": 19, "By": [19, 20, 25, 27, 28, 29, 32, 33, 36, 44, 48], "unread": 19, "partial_idempot": [19, 20, 32, 33], "valid_at": [19, 43, 44], "full_idempot": [19, 20, 32, 33], "compar": 19, "selevel": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "selinux": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "context": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "ml": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "mc": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "rang": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "_default": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "portion": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "polici": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "keyrevocationlist": 19, "again": [19, 46, 47], "serol": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "role": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "setyp": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "seuser": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "sha": 19, "refus": 19, "sha2": 19, "512": 19, "correspond": [19, 20, 32, 33, 39], "sshd_config": 19, "casignaturealgorithm": 19, "keyword": [19, 33, 43, 44], "prior": 19, "unsafe_writ": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "influenc": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "atom": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "prevent": [19, 20, 25, 27, 28, 29, 31, 32, 36, 44, 48], "inconsist": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "just": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "broken": [19, 20, 25, 27, 28, 29, 32, 33, 36, 44, 48], "docker": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "mount": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "insid": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "unsaf": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "manner": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "doesn": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "race": [19, 20, 25, 27, 28, 29, 32, 36, 44, 48], "use_ag": 19, "interpret": [19, 39, 43, 44, 45, 48], "utc": [19, 43, 44, 45, 47, 48], "mainli": 19, "timespec": [19, 43, 44, 45, 48], "NOT": [19, 33, 44, 45, 48], "absolut": [19, 24, 31, 35, 43, 44, 45, 47, 48], "yyyi": 19, "mm": 19, "ddthh": 19, "ss": 19, "hh": 19, "w": [19, 24, 31, 35, 43, 44, 45, 48], "32w1d2h": [19, 43, 44, 45, 48], "1970": 19, "01t00": 19, "earlier": [19, 44, 45], "express": 19, "comparison": 19, "forev": 19, "pub": [19, 20, 35], "week": [19, 43], "32w": 19, "2w": 19, "examplehost": 19, "21": 19, "2001": 19, "tmp": [19, 20, 37, 38], "bla": 19, "ca_public_kei": 19, "info": [19, 23, 24, 42, 43], "l": [19, 25, 26], "f": 19, "david": [19, 20], "kainz": [19, 20], "lolcub": [19, 20], "rsa1": 20, "ecdsa": [20, 37, 38], "opensshbin": 20, "decrypt": [20, 28], "private_key_format": 20, "pkcs1": [20, 29, 32, 33], "keypair": 20, "pkcs8": [20, 29, 32, 33], "conform": [20, 32, 33], "unknown": [20, 23, 24, 30, 31, 32, 33, 34, 35, 42, 43], "therefor": 20, "1024": 20, "2048": [20, 27, 28, 32, 33], "suffici": 20, "fip": 20, "186": 20, "three": [20, 43, 44, 45, 48], "384": 20, "521": 20, "fix": 20, "id_ssh_rsa": 20, "super_secret_password": 20, "id_ssh_dsa": 20, "r4yczxihvjedh2olfjvgi6y5xaytdcwk8vxkyzvyyfm": 20, "aaaab3nza": 20, "vel4e3xcw": 20, "name_encod": [23, 24, 30, 42, 43, 46, 47, 48], "idna": [23, 24, 30, 42, 43, 46, 47, 48], "key1": [23, 30, 42, 46], "value1": [23, 30, 42, 46], "key2": [23, 30, 42, 46], "value2": [23, 30, 42, 46], "idna2008": [23, 24, 30, 42, 43, 46, 47, 48], "idna2003": [23, 24, 30, 42, 43, 46, 47, 48], "unicod": [23, 24, 30, 42, 43, 46, 47, 48], "alt": [23, 30, 42], "authority_cert_issu": [23, 24, 25, 26, 42, 43], "idn": [23, 24, 42, 43, 46, 47, 48], "handl": [23, 24, 42, 43, 46, 47, 48], "authority_cert_serial_numb": [23, 24, 25, 26, 42, 43], "hexadecim": [23, 24, 41, 42, 43], "55": [23, 24, 25, 26, 42, 43], "66": [23, 24, 25, 26, 32, 33, 36, 42, 43], "77": [23, 24, 25, 26, 32, 33, 36, 42, 43], "88": [23, 24, 25, 26, 32, 33, 36, 42, 43], "99": [23, 24, 25, 26, 32, 33, 36, 42, 43], "aa": [23, 24, 25, 26, 30, 31, 34, 35, 42, 43], "bb": [23, 24, 25, 26, 42, 43], "cc": [23, 24, 25, 26, 32, 33, 36, 42, 43], "ee": [23, 24, 25, 26, 32, 33, 36, 42, 43], "pathlen": [23, 24, 42, 43], "extended_key_usag": [23, 24, 25, 26, 42, 43, 44], "biometr": [23, 24, 42, 43], "dvc": [23, 24, 42, 43, 44], "stamp": [23, 24, 42, 43], "extended_key_usage_crit": [23, 24, 25, 26, 42, 43], "extensions_by_oid": [23, 24, 42, 43, 44], "oid": [23, 24, 42, 43], "24": [23, 24, 32, 33, 36, 42, 43], "mamcaqu": [23, 24, 42, 43], "der": [23, 24, 42, 43, 46, 47, 48], "encipher": [23, 24, 25, 26, 42, 43, 44], "name_constraints_crit": [23, 24, 25, 26], "name_constraint": [23, 24], "name_constraints_exclud": [23, 24, 25, 26], "subtre": [23, 24, 25, 26], "name_constraints_permit": [23, 24, 25, 26], "somedomain": [23, 24, 25, 26], "ocsp_must_stapl": [23, 24, 25, 26, 42, 43], "ocsp": [23, 24, 25, 26, 42, 43], "stapl": [23, 24, 25, 26, 42, 43], "ocsp_must_staple_crit": [23, 24, 25, 26, 42, 43], "begin": [23, 24, 30, 31, 42, 43], "miicijanbgkqhkig9w0baqefaaocag8a": [23, 30, 42], "public_key_data": [23, 24, 42, 43], "ecc": [23, 24, 30, 31, 32, 33, 34, 35, 42, 43], "_valu": [23, 30, 34, 42], "public_key_typ": [23, 24, 42, 43], "expon": [23, 24, 30, 31, 34, 35, 42, 43], "exponent_s": [23, 24, 30, 31, 34, 35, 42, 43], "subgroup": [23, 24, 30, 31, 34, 35, 42, 43], "span": [23, 24, 30, 31, 34, 35, 42, 43], "prime": [23, 24, 30, 31, 34, 35, 42, 43], "modulu": [23, 24, 30, 31, 34, 35, 42, 43], "arithmet": [23, 24, 30, 31, 34, 35, 42, 43], "q": [23, 24, 30, 31, 34, 35, 42, 43], "divid": [23, 24, 30, 31, 34, 35, 42, 43], "coordin": [23, 24, 30, 31, 34, 35, 42, 43], "publicli": [23, 24, 30, 31, 34, 35, 42, 43], "whose": [23, 24, 30, 31, 34, 35, 42, 43, 45], "discret": [23, 24, 30, 31, 34, 35, 42, 43], "logarithm": [23, 24, 30, 31, 34, 35, 42, 43], "public_key_fingerprint": [23, 24, 30, 31, 42, 43], "comput": [23, 24, 30, 31, 34, 35, 42, 43], "d4": [23, 24, 30, 31, 32, 33, 34, 35, 36, 42, 43], "b3": [23, 24, 30, 31, 32, 33, 34, 35, 36, 42, 43], "6d": [23, 24, 30, 31, 32, 33, 34, 35, 36, 42, 43], "c8": [23, 24, 30, 31, 34, 35, 42, 43], "ce": [23, 24, 30, 31, 34, 35, 42, 43], "4e": [23, 24, 30, 31, 32, 33, 34, 35, 36, 42, 43], "f6": [23, 24, 30, 31, 32, 33, 34, 35, 36, 42, 43], "29": [23, 24, 30, 31, 32, 33, 34, 35, 36, 42, 43], "4d": [23, 24, 30, 31, 32, 33, 34, 35, 36, 42, 43], "92": [23, 24, 30, 31, 34, 35, 42, 43], "a3": [23, 24, 30, 31, 34, 35, 42, 43], "b0": [23, 24, 30, 31, 34, 35, 42, 43], "c2": [23, 24, 30, 31, 34, 35, 42, 43], "bd": [23, 24, 30, 31, 34, 35, 42, 43], "bf": [23, 24, 30, 31, 34, 35, 42, 43], "43": [23, 24, 30, 31, 32, 33, 34, 35, 36, 42, 43], "0f": [23, 24, 30, 31, 32, 33, 34, 35, 36, 42, 43], "51": [23, 24, 30, 31, 32, 33, 34, 35, 36, 42, 43], "95": [23, 24, 30, 31, 34, 35, 42, 43], "2f": [23, 24, 30, 31, 32, 33, 34, 35, 36, 42, 43], "sha512": [23, 24, 30, 31, 32, 33, 34, 35, 36, 42, 43], "f7": [23, 24, 30, 31, 34, 35, 42, 43], "f0": [23, 24, 30, 31, 32, 33, 34, 35, 36, 42, 43], "8b": [23, 24, 30, 31, 34, 35, 42, 43], "5f": [23, 24, 30, 31, 32, 33, 34, 35, 36, 42, 43], "f9": [23, 24, 30, 31, 34, 35, 42, 43], "61": [23, 24, 30, 31, 34, 35, 42, 43], "0a": [23, 24, 30, 31, 34, 35, 42, 43], "68": [23, 24, 30, 31, 32, 33, 34, 35, 36, 42, 43], "f1": [23, 24, 30, 31, 32, 33, 34, 35, 36, 42, 43], "signature_valid": [23, 24], "repeat": [23, 24, 28, 42, 43, 46, 47, 48], "emailaddress": [23, 24, 25, 26, 42, 43], "subject_alt_name_crit": [23, 24, 25, 26, 42, 43], "subject_ord": [23, 24, 25, 26, 42, 43, 44], "tupl": [23, 24, 25, 26, 42, 43, 46, 47, 48], "interact": [24, 31, 35, 43, 44, 45], "remot": [24, 31, 35, 43, 44, 45, 47, 48], "load": [24, 29, 31, 35, 43], "variant": [24, 31, 35, 43, 47], "dump": [24, 28, 31, 35, 43], "nmiicijanbgkqhkig9w0baqefaaocag8a": [24, 31, 43], "yani": [24, 25, 26, 31, 32, 33, 36, 43, 44, 45], "guenan": [24, 25, 26, 31, 32, 33, 36, 43, 44, 45], "spredzi": [24, 25, 26, 31, 32, 33, 36, 43, 44, 45], "seem": [25, 26, 44], "overwrit": [25, 27, 32, 44], "keyusag": [25, 26], "extendedkeyusag": [25, 26], "basicconstraint": [25, 26], "That": [25, 26, 39], "rid": [25, 26], "dirnam": [25, 26], "othernam": [25, 26], "ones": [25, 26, 27], "mostli": [25, 26], "overwrot": [25, 27, 28, 29, 32, 36, 44, 48], "accid": [25, 27, 28, 29, 32, 36, 44, 48], "basicconstraints_crit": [25, 26], "country_nam": [25, 26], "c": [25, 26], "countrynam": [25, 26], "create_subject_key_identifi": [25, 26], "crl_distribution_point": [25, 26], "distribut": [25, 26], "crl_issuer": [25, 26], "full_nam": [25, 26], "relative_nam": [25, 26], "key_compromis": [25, 26, 46, 47, 48], "ca_compromis": [25, 26, 46, 47, 48], "affiliation_chang": [25, 26, 46, 47, 48], "cessation_of_oper": [25, 26, 46, 47, 48], "certificate_hold": [25, 26, 46, 47, 48], "privilege_withdrawn": [25, 26, 46, 47, 48], "aa_compromis": [25, 26, 46, 47, 48], "email_address": [25, 26], "extkeyusag": [25, 26], "extkeyusage_crit": [25, 26], "extendedkeyusage_crit": [25, 26], "keyusage_crit": [25, 26], "locality_nam": [25, 26], "localitynam": [25, 26], "ocspmuststapl": [25, 26], "rfc7633": [25, 26], "ocspmuststaple_crit": [25, 26], "reject": [25, 26], "organizationnam": [25, 26, 42, 43, 46, 47, 48], "organizational_unit_nam": [25, 26], "organizationalunitnam": [25, 26], "privatekey_cont": [25, 26, 28, 36, 38, 44, 45, 48], "return_cont": [25, 27, 28, 32, 36, 44, 48], "state_or_province_nam": [25, 26], "st": [25, 26], "stateorprovincenam": [25, 26], "compon": [25, 26, 48], "subjectaltname_crit": [25, 26], "row": [25, 26, 48], "usecommonnameforsan": [25, 26], "fill": [25, 26], "2986": [25, 26], "unsupport": [25, 26], "inlin": [25, 26, 36, 45], "fr": 25, "dynam": 25, "with_dict": 25, "dns_server": 25, "special": 25, "digitalsignatur": [25, 26], "keyagr": [25, 26], "clientauth": [25, 26], "winrm": 25, "auth": 25, "311": 25, "utf8": 25, "pathlenconstraint": [25, 26], "privatekei": [25, 26, 28, 29, 32, 33, 36, 48], "behav": [26, 33, 45], "think": [26, 33, 45], "break": [26, 33, 45], "dh": 27, "param": 27, "detect": [27, 28], "Or": 27, "dhparam": 27, "thom": 27, "wigger": 27, "thomwigg": 27, "pyopenssl": 28, "iter_s": 28, "maciter_s": 28, "export": [28, 29, 32, 33], "certificate_path": [28, 37, 38], "encryption_level": 28, "compatibility2022": 28, "softwar": 28, "38": [28, 32, 33, 36], "friendly_nam": 28, "friendli": 28, "50000": 28, "other_certif": 28, "ca_certif": 28, "other_certificates_parse_al": 28, "pkcs12": 28, "mechan": 28, "safe": 28, "addition": 28, "backward": 28, "opt": 28, "p12": 28, "raclett": 28, "ca_bundl": 28, "bundl": [28, 40], "0600": [28, 29, 32], "regen": 28, "guillaum": 28, "delpierr": 28, "gdelpierr": 28, "dest_passphras": 29, "dest_path": 29, "src_content": 29, "src_path": 29, "src_passphras": 29, "return_private_key_data": [30, 31], "private_data": [30, 31], "public_data": [30, 31, 34, 35], "fake": 31, "key_is_consist": 31, "check_consist": 31, "potenti": 31, "side": 31, "attack": 31, "42": 31, "machin": [31, 44, 45], "can_load_kei": 31, "can_parse_kei": 31, "eddsa": [32, 33], "particular": 32, "maxim": [32, 33], "interoper": [32, 33], "secp384r1": [32, 33], "secp256r1": [32, 33], "iana": [32, 33], "registri": [32, 33], "secp224r1": [32, 33], "secp256k1": [32, 33], "secp521r1": [32, 33], "discourag": [32, 33], "secp192r1": [32, 33], "brainpoolp256r1": [32, 33], "brainpoolp384r1": [32, 33], "brainpoolp512r1": [32, 33], "sect163k1": [32, 33], "sect163r2": [32, 33], "sect233k1": [32, 33], "sect233r1": [32, 33], "sect283k1": [32, 33], "sect283r1": [32, 33], "sect409k1": [32, 33], "sect409r1": [32, 33], "sect571k1": [32, 33], "sect571r1": [32, 33], "tradit": [32, 33], "auto_ignor": [32, 33], "mismatch": [32, 33], "format_mismatch": [32, 33], "everyth": [32, 33, 48], "treat": [32, 43, 48], "appropri": 32, "care": 32, "shown": 32, "reference_appendic": 32, "faq": 32, "minim": [32, 33], "hashlib": [32, 33, 36], "md5": [32, 33, 36], "84": [32, 33, 36], "72": [32, 33, 36], "8d": [32, 33, 36], "b5": [32, 33, 36], "6c": [32, 33, 36], "37": [32, 33, 36], "83": [32, 33, 36], "f5": [32, 33, 36], "4c": [32, 33, 36], "sha1": [32, 33, 36], "7c": [32, 33, 36], "5d": [32, 33, 36], "eb": [32, 33, 36], "41": [32, 33, 36], "7e": [32, 33, 36], "1a": [32, 33, 36], "c7": [32, 33, 36], "f8": [32, 33, 36], "sha224": [32, 33, 36], "19": [32, 33, 36], "ac": [32, 33, 36], "ed": [32, 33, 36], "50": [32, 33, 36], "d3": [32, 33, 36], "06": [32, 33, 36, 44, 45], "5c": [32, 33, 36], "b2": [32, 33, 36], "91": [32, 33, 36], "52": [32, 33, 36], "8c": [32, 33, 36], "cb": [32, 33, 36], "d5": [32, 33, 36], "e9": [32, 33, 36], "9b": [32, 33, 36], "46": [32, 33, 36], "ab": [32, 33, 36], "70": [32, 33, 36], "cf": [32, 33, 36], "76": [32, 33, 36], "4f": [32, 33, 36], "57": [32, 33, 36], "6e": [32, 33, 36], "97": [32, 33, 36], "df": [32, 33, 36], "de": [32, 33, 36], "sha384": [32, 33, 36], "d9": [32, 33, 36], "40": [32, 33, 36], "59": [32, 33, 36], "c3": [32, 33, 36], "a2": [32, 33, 36], "e4": [32, 33, 36], "0b": [32, 33, 36], "1c": [32, 33, 36], "0c": [32, 33, 36], "9e": [32, 33, 36], "af": [32, 33, 36, 48], "da": [32, 33, 36], "2e": [32, 33, 36], "c0": [32, 33, 36], "9a": [32, 33, 36], "3a": [32, 33, 36], "3d": [32, 33, 36], "fd": [32, 33, 36], "5e": [32, 33, 36], "48": [32, 33, 36], "9f": [32, 33, 36], "fe": [32, 33, 36], "7f": [32, 33, 36], "3f": [32, 33, 36], "cd": [32, 33, 36], "a5": [32, 33, 36], "e7": [32, 33, 36], "13": [32, 33, 36, 48], "82": [32, 33, 36], "87": [32, 33, 36], "1f": [32, 33, 36], "28": [32, 33, 36], "53": [32, 33, 36], "86": [32, 33, 36], "69": [32, 33, 36], "35": [32, 33, 36], "1e": [32, 33, 36], "consol": 33, "relat": 33, "content_base64": 33, "return_current_kei": 33, "value_specified_in_no_log_paramet": 33, "async": 33, "reveal": 33, "TO": 33, "OR": 33, "IN": 33, "mozilla": 33, "sop": 33, "sops_encrypt": 33, "content_text": 33, "overwritten": 33, "set_fact": 33, "publickei": 36, "certificate_cont": [37, 45], "example_fil": [37, 38], "sig": [37, 38], "patrick": [37, 38], "pichler": [37, 38], "aveexi": [37, 38], "marku": [37, 38, 43, 44, 45], "teufelberg": [37, 38, 43, 44, 45], "markusteufelberg": [37, 38, 43, 44, 45], "255": 39, "unsign": 39, "neg": 41, "1234567": 41, "letter": 41, "upper": 41, "represent": [41, 48], "word": [42, 43, 47], "whole": [42, 43], "issuer_ord": [42, 43, 46, 47, 48], "issuer_uri": [42, 43], "20190413202428z": [42, 43, 44, 46, 47, 48], "20190331202428z": [42, 43, 44, 48], "ocsp_uri": [42, 43], "respond": [42, 43], "1234": [42, 43, 46, 47, 48], "sha256withrsaencrypt": [42, 43, 44, 46, 47, 48], "openssl_certificate_info": 43, "short": [43, 44], "redirect": [43, 44], "fqcn": [43, 44], "dict": 43, "pattern": [43, 44, 45, 47, 48], "yyyymmddhhmmssz": [43, 44, 45, 47, 48], "csr_path": [43, 44, 45], "tomorrow": 43, "point_1": 43, "point_2": 43, "3w": 43, "notion": [44, 45], "openssl_certif": 44, "intend": [44, 45], "tini": 44, "acme_accountkey_path": 44, "accountkei": 44, "acme_chain": 44, "acme_challenge_path": 44, "3chost": 44, "3e": 44, "80": 44, "job": 44, "entrust_cert_typ": [44, 45], "entrust_not_aft": [44, 45], "stop": [44, 45], "365": [44, 45], "cover": [44, 45], "entrust_requester_email": [44, 45], "entrust_requester_nam": [44, 45], "entrust_requester_phon": [44, 45], "better": [44, 45], "ownca_cont": [44, 45], "ownca_create_authority_key_identifi": [44, 45], "ownca_create_subject_key_identifi": [44, 45], "ski": [44, 45], "create_if_not_provid": [44, 45], "always_cr": [44, 45], "never_cr": [44, 45], "ownca_digest": [44, 45], "On": [44, 45], "maco": [44, 45], "onward": [44, 45], "825": [44, 45], "appl": [44, 45], "en": [44, 45], "ht210176": [44, 45], "3650d": [44, 45], "ownca_privatekey_cont": [44, 45], "resp": [44, 45], "ownca_vers": [44, 45], "nowadai": [44, 45], "almost": [44, 45], "emul": 44, "selfsigned_create_subject_key_identifi": [44, 45], "selfsigned_digest": [44, 45], "selfsigned_notaft": [44, 45], "selfsigned_notbefor": [44, 45], "selfsigned_vers": [44, 45], "minut": [44, 45, 48], "mandatori": [44, 45, 48], "dedic": [44, 45], "onc": [44, 45, 48], "ansible_ca": 44, "assertonli": 44, "invalid_at": 44, "valid_in": 44, "one_day_ten_hour": 44, "1d10h": 44, "fixed_timestamp": 44, "20200331202428z": 44, "ten_second": 44, "result_csr": 44, "result_privatekei": 44, "sha512withrsaencrypt": 44, "subject_strict": 44, "issuer_strict": 44, "has_expir": 44, "key_usage_strict": 44, "extended_key_usage_strict": 44, "subject_alt_name_strict": 44, "ownca_cert": 45, "ownca_privatekei": 45, "hunter2": 45, "the_csr": 45, "list_revoked_certif": [46, 47], "larg": [46, 47], "enumer": [46, 47], "last_upd": [46, 47, 48], "next_upd": [46, 47, 48], "revoked_certif": [46, 47, 48], "invalidity_d": [46, 47, 48], "suspect": [46, 47, 48], "compromis": [46, 47, 48], "becam": [46, 47, 48], "invalidity_date_crit": [46, 47, 48], "issuer_crit": [46, 47, 48], "remove_from_crl": [46, 47, 48], "reason_crit": [46, 47, 48], "revocation_d": [46, 47, 48], "crl_mode": 48, "interest": 48, "collis": 48, "combin": 48, "octet": 48, "66223": 48, "2345": 48, "20191013152910z": 48, "20191001000000z": 48, "20191010010203z": 48}, "objects": {}, "objtypes": {}, "objnames": {}, "titleterms": {"commun": [0, 1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "crypto": [0, 1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "acme_account_fact": 0, "acme_account_info": 1, "modul": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 17, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "retriev": [1, 8, 15, 16, 23, 30, 34, 42, 46, 47], "inform": [1, 23, 24, 30, 31, 34, 35, 42, 43, 46, 47], "acm": [1, 2, 3, 4, 5, 6], "account": [1, 2], "synopsi": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "requir": [1, 2, 3, 4, 5, 6, 7, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "paramet": [1, 2, 3, 4, 5, 6, 7, 11, 12, 14, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 35, 36, 37, 38, 42, 43, 44, 45, 46, 47, 48], "attribut": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 18, 19, 20, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 36, 37, 38, 43, 44, 45, 47, 48], "note": [1, 2, 3, 4, 6, 11, 12, 14, 20, 25, 26, 37, 38, 43, 44, 45, 47, 48], "see": [1, 2, 3, 4, 5, 6, 11, 12, 14, 15, 16, 19, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 41, 42, 43, 44, 45, 46, 47, 48], "also": [1, 2, 3, 4, 5, 6, 11, 12, 14, 15, 16, 19, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 41, 42, 43, 44, 45, 46, 47, 48], "exampl": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "return": [1, 2, 3, 5, 6, 7, 8, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "valu": [1, 2, 3, 5, 6, 7, 8, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "author": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "collect": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 13, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "link": [1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 18, 19, 20, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48], "acme_account": 2, "creat": [2, 3, 9, 10], "modifi": 2, "delet": 2, "acme_certif": 3, "ssl": [3, 11], "tl": [3, 5, 11], "certif": [3, 4, 5, 7, 9, 10, 11, 12, 14, 19, 23, 24, 25, 26, 42, 43, 44, 45, 47, 48], "protocol": [3, 4], "acme_certificate_revok": 4, "revok": 4, "acme_challenge_cert_help": 5, "prepar": 5, "challeng": 5, "alpn": 5, "01": 5, "acme_inspect": 6, "send": 6, "direct": 6, "request": [6, 11, 12, 23, 24, 25, 26], "an": [6, 36, 39, 41], "server": 6, "certificate_complete_chain": 7, "complet": 7, "chain": 7, "given": 7, "set": [7, 9], "untrust": 7, "root": 7, "crypto_info": 8, "cryptograph": 8, "capabl": 8, "how": [9, 10], "small": 9, "ca": 9, "up": 9, "us": 9, "sign": [9, 10, 23, 24, 25, 26, 38], "self": 10, "ecs_certif": 11, "entrust": [11, 12], "servic": [11, 12], "ec": [11, 12], "api": [11, 12], "ecs_domain": 12, "valid": 12, "domain": 12, "index": [13, 17], "all": 13, "environ": 13, "variabl": 13, "get_certif": 14, "get": 14, "from": [14, 15, 16, 23, 30, 34, 36, 42, 46], "host": [14, 19], "port": 14, "gpg_fingerprint": [15, 16], "filter": [15, 17, 23, 30, 34, 39, 40, 41, 42, 46], "gpg": [15, 16], "fingerprint": [15, 16], "public": [15, 16, 20, 34, 35, 36], "privat": [15, 16, 20, 29, 30, 31, 32, 33, 36], "kei": [15, 16, 20, 29, 30, 31, 32, 33, 34, 35, 36], "input": [15, 23, 30, 34, 39, 40, 41, 42, 46], "lookup": [16, 17], "file": [16, 40], "term": 16, "descript": 17, "scenario": 17, "guid": 17, "plugin": 17, "luks_devic": 18, "manag": 18, "encrypt": 18, "luk": 18, "devic": 18, "openssh_cert": 19, "gener": [19, 20, 25, 26, 27, 28, 32, 33, 36, 44, 45, 48], "openssh": [19, 20], "user": 19, "openssh_keypair": 20, "openssl_certificate_info": 21, "openssl_certif": 22, "openssl_csr_info": [23, 24], "openssl": [23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 43, 44, 45], "csr": [23, 24, 25, 26], "keyword": [23, 30, 42, 46], "provid": [24, 31, 35, 43], "openssl_csr": 25, "openssl_csr_pip": 26, "openssl_dhparam": 27, "diffi": 27, "hellman": 27, "openssl_pkcs12": 28, "pkc": 28, "12": 28, "archiv": 28, "openssl_privatekey_convert": 29, "convert": [29, 39, 41], "openssl_privatekey_info": [30, 31], "openssl_privatekei": 32, "openssl_privatekey_pip": 33, "without": 33, "disk": 33, "access": 33, "openssl_publickey_info": [34, 35], "pem": [34, 40, 42, 46], "format": [34, 42, 46], "openssl_publickei": 36, "its": 36, "openssl_signature_info": 37, "verifi": 37, "signatur": 37, "openssl_signatur": 38, "data": 38, "parse_seri": 39, "serial": 39, "number": [39, 41], "colon": [39, 41], "separ": [39, 41], "list": [39, 41, 47, 48], "hex": [39, 41], "integ": [39, 41], "split_pem": 40, "split": 40, "content": 40, "multipl": 40, "object": 40, "to_seri": 41, "x509_certificate_info": [42, 43], "x": [42, 43, 46], "509": [42, 43, 46], "x509_certif": 44, "check": [44, 45], "x509_certificate_pip": 45, "x509_crl_info": [46, 47], "crl": [46, 47, 48], "revoc": [47, 48], "x509_crl": 48}, "envversion": {"sphinx.domains.c": 3, "sphinx.domains.changeset": 1, "sphinx.domains.citation": 1, "sphinx.domains.cpp": 9, "sphinx.domains.index": 1, "sphinx.domains.javascript": 3, "sphinx.domains.math": 2, "sphinx.domains.python": 4, "sphinx.domains.rst": 2, "sphinx.domains.std": 2, "sphinx.ext.intersphinx": 1, "sphinx": 60}, "alltitles": {"community.crypto.acme_account_facts": [[0, "community-crypto-acme-account-facts"]], "community.crypto.acme_account_info module \u2013 Retrieves information on ACME accounts": [[1, "community-crypto-acme-account-info-module-retrieves-information-on-acme-accounts"]], "Synopsis": [[1, "synopsis"], [2, "synopsis"], [3, "synopsis"], [4, "synopsis"], [5, "synopsis"], [6, "synopsis"], [7, "synopsis"], [8, "synopsis"], [11, "synopsis"], [12, "synopsis"], [14, "synopsis"], [15, "synopsis"], [16, "synopsis"], [18, "synopsis"], [19, "synopsis"], [20, "synopsis"], [23, "synopsis"], [24, "synopsis"], [25, "synopsis"], [26, "synopsis"], [27, "synopsis"], [28, "synopsis"], [29, "synopsis"], [30, "synopsis"], [31, "synopsis"], [32, "synopsis"], [33, "synopsis"], [34, "synopsis"], [35, "synopsis"], [36, "synopsis"], [37, "synopsis"], [38, "synopsis"], [39, "synopsis"], [40, "synopsis"], [41, "synopsis"], [42, "synopsis"], [43, "synopsis"], [44, "synopsis"], [45, "synopsis"], [46, "synopsis"], [47, "synopsis"], [48, "synopsis"]], "Requirements": [[1, "requirements"], [2, "requirements"], [3, "requirements"], [4, "requirements"], [5, "requirements"], [6, "requirements"], [7, "requirements"], [11, "requirements"], [12, "requirements"], [14, "requirements"], [15, "requirements"], [16, "requirements"], [18, "requirements"], [19, "requirements"], [20, "requirements"], [23, "requirements"], [24, "requirements"], [25, "requirements"], [26, "requirements"], [27, "requirements"], [28, "requirements"], [29, "requirements"], [30, "requirements"], [31, "requirements"], [32, "requirements"], [33, "requirements"], [35, "requirements"], [36, "requirements"], [37, "requirements"], [38, "requirements"], [42, "requirements"], [43, "requirements"], [44, "requirements"], [45, "requirements"], [46, "requirements"], [47, "requirements"], [48, "requirements"]], "Parameters": [[1, "parameters"], [2, "parameters"], [3, "parameters"], [4, "parameters"], [5, "parameters"], [6, "parameters"], [7, "parameters"], [11, "parameters"], [12, "parameters"], [14, "parameters"], [18, "parameters"], [19, "parameters"], [20, "parameters"], [24, "parameters"], [25, "parameters"], [26, "parameters"], [27, "parameters"], [28, "parameters"], [29, "parameters"], [31, "parameters"], [32, "parameters"], [33, "parameters"], [35, "parameters"], [36, "parameters"], [37, "parameters"], [38, "parameters"], [43, "parameters"], [44, "parameters"], [45, "parameters"], [47, "parameters"], [48, "parameters"]], "Attributes": [[1, "attributes"], [2, "attributes"], [3, "attributes"], [4, "attributes"], [5, "attributes"], [6, "attributes"], [7, "attributes"], [8, "attributes"], [11, "attributes"], [12, "attributes"], [14, "attributes"], [18, "attributes"], [19, "attributes"], [20, "attributes"], [24, "attributes"], [25, "attributes"], [26, "attributes"], [27, "attributes"], [28, "attributes"], [29, "attributes"], [31, "attributes"], [32, "attributes"], [33, "attributes"], [35, "attributes"], [36, "attributes"], [37, "attributes"], [38, "attributes"], [43, "attributes"], [44, "attributes"], [45, "attributes"], [47, "attributes"], [48, "attributes"]], "Notes": [[1, "notes"], [2, "notes"], [3, "notes"], [4, "notes"], [6, "notes"], [11, "notes"], [12, "notes"], [14, "notes"], [20, "notes"], [25, "notes"], [26, "notes"], [37, "notes"], [38, "notes"], [43, "notes"], [44, "notes"], [45, "notes"], [47, "notes"], [48, "notes"]], "See Also": [[1, "see-also"], [2, "see-also"], [3, "see-also"], [4, "see-also"], [5, "see-also"], [6, "see-also"], [11, "see-also"], [12, "see-also"], [14, "see-also"], [15, "see-also"], [16, "see-also"], [19, "see-also"], [23, "see-also"], [24, "see-also"], [25, "see-also"], [26, "see-also"], [27, "see-also"], [28, "see-also"], [29, "see-also"], [30, "see-also"], [31, "see-also"], [32, "see-also"], [33, "see-also"], [34, "see-also"], [35, "see-also"], [36, "see-also"], [37, "see-also"], [38, "see-also"], [39, "see-also"], [41, "see-also"], [42, "see-also"], [43, "see-also"], [44, "see-also"], [45, "see-also"], [46, "see-also"], [47, "see-also"], [48, "see-also"]], "Examples": [[1, "examples"], [2, "examples"], [3, "examples"], [4, "examples"], [5, "examples"], [6, "examples"], [7, "examples"], [8, "examples"], [11, "examples"], [12, "examples"], [14, "examples"], [15, "examples"], [16, "examples"], [18, "examples"], [19, "examples"], [20, "examples"], [23, "examples"], [24, "examples"], [25, "examples"], [26, "examples"], [27, "examples"], [28, "examples"], [29, "examples"], [30, "examples"], [31, "examples"], [32, "examples"], [33, "examples"], [34, "examples"], [35, "examples"], [36, "examples"], [37, "examples"], [38, "examples"], [39, "examples"], [40, "examples"], [41, "examples"], [42, "examples"], [43, "examples"], [44, "examples"], [45, "examples"], [46, "examples"], [47, "examples"], [48, "examples"]], "Return Values": [[1, "return-values"], [2, "return-values"], [3, "return-values"], [5, "return-values"], [6, "return-values"], [7, "return-values"], [8, "return-values"], [11, "return-values"], [12, "return-values"], [14, "return-values"], [18, "return-values"], [19, "return-values"], [20, "return-values"], [24, "return-values"], [25, "return-values"], [26, "return-values"], [27, "return-values"], [28, "return-values"], [29, "return-values"], [31, "return-values"], [32, "return-values"], [33, "return-values"], [35, "return-values"], [36, "return-values"], [37, "return-values"], [38, "return-values"], [43, "return-values"], [44, "return-values"], [45, "return-values"], [47, "return-values"], [48, "return-values"]], "Authors": [[1, "authors"], [2, "authors"], [3, "authors"], [4, "authors"], [5, "authors"], [6, "authors"], [7, "authors"], [8, "authors"], [11, "authors"], [12, "authors"], [14, "authors"], [15, "authors"], [16, "authors"], [18, "authors"], [19, "authors"], [20, "authors"], [23, "authors"], [24, "authors"], [25, "authors"], [26, "authors"], [27, "authors"], [28, "authors"], [29, "authors"], [30, "authors"], [31, "authors"], [32, "authors"], [33, "authors"], [34, "authors"], [35, "authors"], [36, "authors"], [37, "authors"], [38, "authors"], [39, "authors"], [40, "authors"], [41, "authors"], [42, "authors"], [43, "authors"], [44, "authors"], [45, "authors"], [46, "authors"], [47, "authors"], [48, "authors"]], "Collection links": [[1, "collection-links"], [2, "collection-links"], [3, "collection-links"], [4, "collection-links"], [5, "collection-links"], [6, "collection-links"], [7, "collection-links"], [8, "collection-links"], [11, "collection-links"], [12, "collection-links"], [14, "collection-links"], [15, "collection-links"], [16, "collection-links"], [18, "collection-links"], [19, "collection-links"], [20, "collection-links"], [23, "collection-links"], [24, "collection-links"], [25, "collection-links"], [26, "collection-links"], [27, "collection-links"], [28, "collection-links"], [29, "collection-links"], [30, "collection-links"], [31, "collection-links"], [32, "collection-links"], [33, "collection-links"], [34, "collection-links"], [35, "collection-links"], [36, "collection-links"], [37, "collection-links"], [38, "collection-links"], [39, "collection-links"], [40, "collection-links"], [41, "collection-links"], [42, "collection-links"], [43, "collection-links"], [44, "collection-links"], [45, "collection-links"], [46, "collection-links"], [47, "collection-links"], [48, "collection-links"]], "community.crypto.acme_account module \u2013 Create, modify or delete ACME accounts": [[2, "community-crypto-acme-account-module-create-modify-or-delete-acme-accounts"]], "community.crypto.acme_certificate module \u2013 Create SSL/TLS certificates with the ACME protocol": [[3, "community-crypto-acme-certificate-module-create-ssl-tls-certificates-with-the-acme-protocol"]], "community.crypto.acme_certificate_revoke module \u2013 Revoke certificates with the ACME protocol": [[4, "community-crypto-acme-certificate-revoke-module-revoke-certificates-with-the-acme-protocol"]], "community.crypto.acme_challenge_cert_helper module \u2013 Prepare certificates required for ACME challenges such as tls-alpn-01": [[5, "community-crypto-acme-challenge-cert-helper-module-prepare-certificates-required-for-acme-challenges-such-as-tls-alpn-01"]], "community.crypto.acme_inspect module \u2013 Send direct requests to an ACME server": [[6, "community-crypto-acme-inspect-module-send-direct-requests-to-an-acme-server"]], "community.crypto.certificate_complete_chain module \u2013 Complete certificate chain given a set of untrusted and root certificates": [[7, "community-crypto-certificate-complete-chain-module-complete-certificate-chain-given-a-set-of-untrusted-and-root-certificates"]], "community.crypto.crypto_info module \u2013 Retrieve cryptographic capabilities": [[8, "community-crypto-crypto-info-module-retrieve-cryptographic-capabilities"]], "How to create a small CA": [[9, "how-to-create-a-small-ca"]], "Set up the CA": [[9, "set-up-the-ca"]], "Use the CA to sign a certificate": [[9, "use-the-ca-to-sign-a-certificate"]], "How to create self-signed certificates": [[10, "how-to-create-self-signed-certificates"]], "community.crypto.ecs_certificate module \u2013 Request SSL/TLS certificates with the Entrust Certificate Services (ECS) API": [[11, "community-crypto-ecs-certificate-module-request-ssl-tls-certificates-with-the-entrust-certificate-services-ecs-api"]], "community.crypto.ecs_domain module \u2013 Request validation of a domain with the Entrust Certificate Services (ECS) API": [[12, "community-crypto-ecs-domain-module-request-validation-of-a-domain-with-the-entrust-certificate-services-ecs-api"]], "Index of all Collection Environment Variables": [[13, "index-of-all-collection-environment-variables"]], "community.crypto.get_certificate module \u2013 Get a certificate from a host:port": [[14, "community-crypto-get-certificate-module-get-a-certificate-from-a-host-port"]], "community.crypto.gpg_fingerprint filter \u2013 Retrieve a GPG fingerprint from a GPG public or private key": [[15, "community-crypto-gpg-fingerprint-filter-retrieve-a-gpg-fingerprint-from-a-gpg-public-or-private-key"]], "Input": [[15, "input"], [23, "input"], [30, "input"], [34, "input"], [39, "input"], [40, "input"], [41, "input"], [42, "input"], [46, "input"]], "Return Value": [[15, "return-value"], [16, "return-value"], [23, "return-value"], [30, "return-value"], [34, "return-value"], [39, "return-value"], [40, "return-value"], [41, "return-value"], [42, "return-value"], [46, "return-value"]], "community.crypto.gpg_fingerprint lookup \u2013 Retrieve a GPG fingerprint from a GPG public or private key file": [[16, "community-crypto-gpg-fingerprint-lookup-retrieve-a-gpg-fingerprint-from-a-gpg-public-or-private-key-file"]], "Terms": [[16, "terms"]], "Community.Crypto": [[17, "community-crypto"]], "Description": [[17, "description"]], "Communication": [[17, "communication"]], "Scenario Guides": [[17, "scenario-guides"]], "Plugin Index": [[17, "plugin-index"]], "Modules": [[17, "modules"]], "Filter Plugins": [[17, "filter-plugins"]], "Lookup Plugins": [[17, "lookup-plugins"]], "community.crypto.luks_device module \u2013 Manage encrypted (LUKS) devices": [[18, "community-crypto-luks-device-module-manage-encrypted-luks-devices"]], "community.crypto.openssh_cert module \u2013 Generate OpenSSH host or user certificates.": [[19, "community-crypto-openssh-cert-module-generate-openssh-host-or-user-certificates"]], "community.crypto.openssh_keypair module \u2013 Generate OpenSSH private and public keys": [[20, "community-crypto-openssh-keypair-module-generate-openssh-private-and-public-keys"]], "community.crypto.openssl_certificate_info": [[21, "community-crypto-openssl-certificate-info"]], "community.crypto.openssl_certificate": [[22, "community-crypto-openssl-certificate"]], "community.crypto.openssl_csr_info filter \u2013 Retrieve information from OpenSSL Certificate Signing Requests (CSR)": [[23, "community-crypto-openssl-csr-info-filter-retrieve-information-from-openssl-certificate-signing-requests-csr"]], "Keyword parameters": [[23, "keyword-parameters"], [30, "keyword-parameters"], [42, "keyword-parameters"], [46, "keyword-parameters"]], "community.crypto.openssl_csr_info module \u2013 Provide information of OpenSSL Certificate Signing Requests (CSR)": [[24, "community-crypto-openssl-csr-info-module-provide-information-of-openssl-certificate-signing-requests-csr"]], "community.crypto.openssl_csr module \u2013 Generate OpenSSL Certificate Signing Request (CSR)": [[25, "community-crypto-openssl-csr-module-generate-openssl-certificate-signing-request-csr"]], "community.crypto.openssl_csr_pipe module \u2013 Generate OpenSSL Certificate Signing Request (CSR)": [[26, "community-crypto-openssl-csr-pipe-module-generate-openssl-certificate-signing-request-csr"]], "community.crypto.openssl_dhparam module \u2013 Generate OpenSSL Diffie-Hellman Parameters": [[27, "community-crypto-openssl-dhparam-module-generate-openssl-diffie-hellman-parameters"]], "community.crypto.openssl_pkcs12 module \u2013 Generate OpenSSL PKCS#12 archive": [[28, "community-crypto-openssl-pkcs12-module-generate-openssl-pkcs-12-archive"]], "community.crypto.openssl_privatekey_convert module \u2013 Convert OpenSSL private keys": [[29, "community-crypto-openssl-privatekey-convert-module-convert-openssl-private-keys"]], "community.crypto.openssl_privatekey_info filter \u2013 Retrieve information from OpenSSL private keys": [[30, "community-crypto-openssl-privatekey-info-filter-retrieve-information-from-openssl-private-keys"]], "community.crypto.openssl_privatekey_info module \u2013 Provide information for OpenSSL private keys": [[31, "community-crypto-openssl-privatekey-info-module-provide-information-for-openssl-private-keys"]], "community.crypto.openssl_privatekey module \u2013 Generate OpenSSL private keys": [[32, "community-crypto-openssl-privatekey-module-generate-openssl-private-keys"]], "community.crypto.openssl_privatekey_pipe module \u2013 Generate OpenSSL private keys without disk access": [[33, "community-crypto-openssl-privatekey-pipe-module-generate-openssl-private-keys-without-disk-access"]], "community.crypto.openssl_publickey_info filter \u2013 Retrieve information from OpenSSL public keys in PEM format": [[34, "community-crypto-openssl-publickey-info-filter-retrieve-information-from-openssl-public-keys-in-pem-format"]], "community.crypto.openssl_publickey_info module \u2013 Provide information for OpenSSL public keys": [[35, "community-crypto-openssl-publickey-info-module-provide-information-for-openssl-public-keys"]], "community.crypto.openssl_publickey module \u2013 Generate an OpenSSL public key from its private key.": [[36, "community-crypto-openssl-publickey-module-generate-an-openssl-public-key-from-its-private-key"]], "community.crypto.openssl_signature_info module \u2013 Verify signatures with openssl": [[37, "community-crypto-openssl-signature-info-module-verify-signatures-with-openssl"]], "community.crypto.openssl_signature module \u2013 Sign data with openssl": [[38, "community-crypto-openssl-signature-module-sign-data-with-openssl"]], "community.crypto.parse_serial filter \u2013 Convert a serial number as a colon-separated list of hex numbers to an integer": [[39, "community-crypto-parse-serial-filter-convert-a-serial-number-as-a-colon-separated-list-of-hex-numbers-to-an-integer"]], "community.crypto.split_pem filter \u2013 Split PEM file contents into multiple objects": [[40, "community-crypto-split-pem-filter-split-pem-file-contents-into-multiple-objects"]], "community.crypto.to_serial filter \u2013 Convert an integer to a colon-separated list of hex numbers": [[41, "community-crypto-to-serial-filter-convert-an-integer-to-a-colon-separated-list-of-hex-numbers"]], "community.crypto.x509_certificate_info filter \u2013 Retrieve information from X.509 certificates in PEM format": [[42, "community-crypto-x509-certificate-info-filter-retrieve-information-from-x-509-certificates-in-pem-format"]], "community.crypto.x509_certificate_info module \u2013 Provide information of OpenSSL X.509 certificates": [[43, "community-crypto-x509-certificate-info-module-provide-information-of-openssl-x-509-certificates"]], "community.crypto.x509_certificate module \u2013 Generate and/or check OpenSSL certificates": [[44, "community-crypto-x509-certificate-module-generate-and-or-check-openssl-certificates"]], "community.crypto.x509_certificate_pipe module \u2013 Generate and/or check OpenSSL certificates": [[45, "community-crypto-x509-certificate-pipe-module-generate-and-or-check-openssl-certificates"]], "community.crypto.x509_crl_info filter \u2013 Retrieve information from X.509 CRLs in PEM format": [[46, "community-crypto-x509-crl-info-filter-retrieve-information-from-x-509-crls-in-pem-format"]], "community.crypto.x509_crl_info module \u2013 Retrieve information on Certificate Revocation Lists (CRLs)": [[47, "community-crypto-x509-crl-info-module-retrieve-information-on-certificate-revocation-lists-crls"]], "community.crypto.x509_crl module \u2013 Generate Certificate Revocation Lists (CRLs)": [[48, "community-crypto-x509-crl-module-generate-certificate-revocation-lists-crls"]]}, "indexentries": {}})
\ No newline at end of file
diff --git a/tag/2.18.0/split_pem_filter.html b/tag/2.18.0/split_pem_filter.html
new file mode 100644
index 000000000..24e5fc169
--- /dev/null
+++ b/tag/2.18.0/split_pem_filter.html
@@ -0,0 +1,297 @@
+
+
+
+
+
+
+
+
+ Note
+This filter plugin is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
To use it in a playbook, specify: community.crypto.split_pem.
New in community.crypto 2.10.0
+ +Split PEM file contents into multiple PEM objects. Comments or invalid parts are ignored.
This describes the input of the filter, the value before | community.crypto.split_pem.
Parameter |
+Comments |
+
|---|---|
| + | The PEM contents to split. + |
+
- name: Print all CA certificates
+ ansible.builtin.debug:
+ msg: '{{ item }}'
+ loop: >-
+ {{ lookup('ansible.builtin.file', '/path/to/ca-bundle.pem') | community.crypto.split_pem }}
+Key |
+Description |
+
|---|---|
| + | A list of PEM file contents. +Returned: success + |
+
+ Note
+This filter plugin is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
To use it in a playbook, specify: community.crypto.to_serial.
New in community.crypto 2.18.0
+ +Converts an integer to a colon-separated list of hex numbers of the form 00:11:22:33.
This describes the input of the filter, the value before | community.crypto.to_serial.
Parameter |
+Comments |
+
|---|---|
| + | The non-negative integer to convert. + |
+
See also
+Convert an integer to a colon-separated list of hex numbers.
+- name: Convert integer to serial number
+ ansible.builtin.debug:
+ msg: "{{ 1234567 | community.crypto.to_serial }}"
+Key |
+Description |
+
|---|---|
| + | A colon-separated list of hexadecimal numbers. +Letters are upper-case, and all numbers have exactly two digits. +The string is never empty. The representation of Returned: success + |
+
+ Note
+This filter plugin is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this filter plugin,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.x509_certificate_info.
New in community.crypto 2.10.0
+ +Provided a X.509 certificate in PEM format, retrieve information.
This is a filter version of the community.crypto.x509_certificate_info module.
The below requirements are needed on the local controller node that executes this filter.
+If name_encoding is set to another value than ignore, the idna Python library needs to be installed.
This describes the input of the filter, the value before | community.crypto.x509_certificate_info.
Parameter |
+Comments |
+
|---|---|
| + | The content of the X.509 certificate in PEM format. + |
+
This describes keyword parameters of the filter. These are the values key1=value1, key2=value2 and so on in the following
+example: input | community.crypto.x509_certificate_info(key1=value1, key2=value2, ...)
Parameter |
+Comments |
+
|---|---|
| + | How to encode names (DNS names, URIs, email addresses) in return values. +
Note that Choices: +
|
+
See also
+Provide information of OpenSSL X.509 certificates.
+Convert an integer to a colon-separated list of hex numbers.
+- name: Show the Subject Alt Names of the certificate
+ ansible.builtin.debug:
+ msg: >-
+ {{
+ (
+ lookup('ansible.builtin.file', '/path/to/cert.pem')
+ | community.crypto.x509_certificate_info
+ ).subject_alt_name | join(', ')
+ }}
+Key |
+Description |
+
|---|---|
| + | Information on the certificate. +Returned: success + |
+
| + | The certificate’s authority cert issuer as a list of general names. +Is See Returned: success +Sample: |
+
| + | The certificate’s authority cert serial number. +Is This return value is an integer. If you need the serial numbers as a colon-separated hex string, such as Returned: success +Sample: |
+
| + | The certificate’s authority key identifier. +The identifier is returned in hexadecimal, with Is Returned: success +Sample: |
+
| + | Entries in the Returned: success +Sample: |
+
| + | Whether the Returned: success + |
+
| + | Whether the certificate is expired (in other words, Returned: success + |
+
| + | Entries in the Returned: success +Sample: |
+
| + | Whether the Returned: success + |
+
| + | Returns a dictionary for every extension OID. +Returned: success +Sample: |
+
| + | Whether the extension is critical. +Returned: success + |
+
| + | The Base64 encoded value (in DER format) of the extension. +Note that depending on the Returned: success +Sample: |
+
| + | Fingerprints of the DER-encoded form of the whole certificate. +For every hash algorithm available, the fingerprint is computed. +Returned: success +Sample: |
+
| + | The certificate’s issuer. +Note that for repeated values, only the last one will be returned. +Returned: success +Sample: |
+
| + | The certificate’s issuer as an ordered list of tuples. +Returned: success +Sample: |
+
| + | The Issuer URI, if included in the certificate. Will be Returned: success + |
+
| + | Entries in the Returned: success +Sample: |
+
| + | Whether the Returned: success + |
+
| + |
Returned: success +Sample: |
+
| + |
Returned: success +Sample: |
+
| + |
Returned: success + |
+
| + | Whether the Returned: success + |
+
| + | The OCSP responder URI, if included in the certificate. Will be Returned: success + |
+
| + | Certificate’s public key in PEM format. +Returned: success +Sample: |
+
| + | Public key data. Depends on the public key’s type. +Returned: success + |
+
| + | The curve’s name for ECC. +Returned: When |
+
| + | The RSA key’s public exponent. +Returned: When |
+
| + | The maximum number of bits of a private key. This is basically the bit size of the subgroup used. +Returned: When |
+
| + | The This is the element spanning the subgroup of the multiplicative group of the prime field used. +Returned: When |
+
| + | The RSA key’s modulus. +Returned: When |
+
| + | The This is the prime modulus upon which arithmetic takes place. +Returned: When |
+
| + | The This is a prime that divides Returned: When |
+
| + | Bit size of modulus (RSA) or prime number (DSA). +Returned: When |
+
| + | The Returned: When |
+
| + | For For Returned: When |
+
| + | Fingerprints of certificate’s public key. +For every hash algorithm available, the fingerprint is computed. +Returned: success +Sample: |
+
| + | The certificate’s public key’s type. +One of Will start with Returned: success +Sample: |
+
| + | The certificate’s serial number. +This return value is an integer. If you need the serial numbers as a colon-separated hex string, such as Returned: success +Sample: |
+
| + | The signature algorithm used to sign the certificate. +Returned: success +Sample: |
+
| + | The certificate’s subject as a dictionary. +Note that for repeated values, only the last one will be returned. +Returned: success +Sample: |
+
| + | Entries in the See Returned: success +Sample: |
+
| + | Whether the Returned: success + |
+
| + | The certificate’s subject key identifier. +The identifier is returned in hexadecimal, with Is Returned: success +Sample: |
+
| + | The certificate’s subject as an ordered list of tuples. +Returned: success +Sample: |
+
| + | The certificate version. +Returned: success +Sample: |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.x509_certificate_info.
This module allows one to query information on OpenSSL certificates.
It uses the cryptography python library to interact with OpenSSL.
Note that this module was called openssl_certificate_info when included directly in Ansible up to version 2.9. When moved to the collection community.crypto, it was renamed to community.crypto.x509_certificate_info. From Ansible 2.10 on, it can still be used by the old short name (or by ansible.builtin.openssl_certificate_info), which redirects to community.crypto.x509_certificate_info. When using FQCNs or when using the collections keyword, the new name community.crypto.x509_certificate_info should be used to avoid a deprecation warning.
The below requirements are needed on the host that executes this module.
+If name_encoding is set to another value than ignore, the idna Python library needs to be installed.
cryptography >= 1.6
Parameter |
+Comments |
+
|---|---|
| + | + |
| + | How to encode names (DNS names, URIs, email addresses) in return values. +
Note that Choices: +
|
+
| + | + |
| + | Determines which crypto backend to use. +The default choice is If set to Choices: +
|
+
| + | A dict of names mapping to time specifications. Every time specified here will be checked whether the certificate is valid at this point. See the Time can be specified either as relative time or as absolute timestamp. +Time will always be interpreted as UTC. +Valid format is |
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full +This action does not modify state. + |
+Can run in |
+
| + | Support: N/A +This action does not modify state. + |
+Will return details on what has changed (or possibly needs changing in |
+
Note
+All timestamp values are provided in ASN.1 TIME format, in other words, following the YYYYMMDDHHMMSSZ pattern. They are all in UTC.
See also
+Generate and/or check OpenSSL certificates.
+Generate and/or check OpenSSL certificates.
+A filter variant of this module.
+Convert an integer to a colon-separated list of hex numbers.
+- name: Generate a Self Signed OpenSSL certificate
+ community.crypto.x509_certificate:
+ path: /etc/ssl/crt/ansible.com.crt
+ privatekey_path: /etc/ssl/private/ansible.com.pem
+ csr_path: /etc/ssl/csr/ansible.com.csr
+ provider: selfsigned
+
+
+# Get information on the certificate
+
+- name: Get information on generated certificate
+ community.crypto.x509_certificate_info:
+ path: /etc/ssl/crt/ansible.com.crt
+ register: result
+
+- name: Dump information
+ ansible.builtin.debug:
+ var: result
+
+
+# Check whether the certificate is valid or not valid at certain times, fail
+# if this is not the case. The first task (x509_certificate_info) collects
+# the information, and the second task (assert) validates the result and
+# makes the playbook fail in case something is not as expected.
+
+- name: Test whether that certificate is valid tomorrow and/or in three weeks
+ community.crypto.x509_certificate_info:
+ path: /etc/ssl/crt/ansible.com.crt
+ valid_at:
+ point_1: "+1d"
+ point_2: "+3w"
+ register: result
+
+- name: Validate that certificate is valid tomorrow, but not in three weeks
+ ansible.builtin.assert:
+ that:
+ - result.valid_at.point_1 # valid in one day
+ - not result.valid_at.point_2 # not valid in three weeks
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | The certificate’s authority cert issuer as a list of general names. +Is See Returned: success +Sample: |
+
| + | The certificate’s authority cert serial number. +Is This return value is an integer. If you need the serial numbers as a colon-separated hex string, such as Returned: success +Sample: |
+
| + | The certificate’s authority key identifier. +The identifier is returned in hexadecimal, with Is Returned: success +Sample: |
+
| + | Entries in the Returned: success +Sample: |
+
| + | Whether the Returned: success + |
+
| + | Whether the certificate is expired (in other words, Returned: success + |
+
| + | Entries in the Returned: success +Sample: |
+
| + | Whether the Returned: success + |
+
| + | Returns a dictionary for every extension OID. +Returned: success +Sample: |
+
| + | Whether the extension is critical. +Returned: success + |
+
| + | The Base64 encoded value (in DER format) of the extension. +Note that depending on the Returned: success +Sample: |
+
| + | Fingerprints of the DER-encoded form of the whole certificate. +For every hash algorithm available, the fingerprint is computed. +Returned: success +Sample: |
+
| + | The certificate’s issuer. +Note that for repeated values, only the last one will be returned. +Returned: success +Sample: |
+
| + | The certificate’s issuer as an ordered list of tuples. +Returned: success +Sample: |
+
| + | The Issuer URI, if included in the certificate. Will be Returned: success + |
+
| + | Entries in the Returned: success +Sample: |
+
| + | Whether the Returned: success + |
+
| + |
Returned: success +Sample: |
+
| + |
Returned: success +Sample: |
+
| + |
Returned: success + |
+
| + | Whether the Returned: success + |
+
| + | The OCSP responder URI, if included in the certificate. Will be Returned: success + |
+
| + | Certificate’s public key in PEM format. +Returned: success +Sample: |
+
| + | Public key data. Depends on the public key’s type. +Returned: success + |
+
| + | The curve’s name for ECC. +Returned: When |
+
| + | The RSA key’s public exponent. +Returned: When |
+
| + | The maximum number of bits of a private key. This is basically the bit size of the subgroup used. +Returned: When |
+
| + | The This is the element spanning the subgroup of the multiplicative group of the prime field used. +Returned: When |
+
| + | The RSA key’s modulus. +Returned: When |
+
| + | The This is the prime modulus upon which arithmetic takes place. +Returned: When |
+
| + | The This is a prime that divides Returned: When |
+
| + | Bit size of modulus (RSA) or prime number (DSA). +Returned: When |
+
| + | The Returned: When |
+
| + | For For Returned: When |
+
| + | Fingerprints of certificate’s public key. +For every hash algorithm available, the fingerprint is computed. +Returned: success +Sample: |
+
| + | The certificate’s public key’s type. +One of Will start with Returned: success +Sample: |
+
| + | The certificate’s serial number. +This return value is an integer. If you need the serial numbers as a colon-separated hex string, such as Returned: success +Sample: |
+
| + | The signature algorithm used to sign the certificate. +Returned: success +Sample: |
+
| + | The certificate’s subject as a dictionary. +Note that for repeated values, only the last one will be returned. +Returned: success +Sample: |
+
| + | Entries in the See Returned: success +Sample: |
+
| + | Whether the Returned: success + |
+
| + | The certificate’s subject key identifier. +The identifier is returned in hexadecimal, with Is Returned: success +Sample: |
+
| + | The certificate’s subject as an ordered list of tuples. +Returned: success +Sample: |
+
| + | For every time stamp provided in the Returned: success + |
+
| + | The certificate version. +Returned: success +Sample: |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.x509_certificate.
It implements a notion of provider (one of selfsigned, ownca, acme, and entrust) for your certificate.
It uses the cryptography python library to interact with OpenSSL.
Note that this module was called openssl_certificate when included directly in Ansible up to version 2.9. When moved to the collection community.crypto, it was renamed to community.crypto.x509_certificate. From Ansible 2.10 on, it can still be used by the old short name (or by ansible.builtin.openssl_certificate), which redirects to community.crypto.x509_certificate. When using FQCNs or when using the collections keyword, the new name community.crypto.x509_certificate should be used to avoid a deprecation warning.
Please note that the module regenerates existing certificate if it does not match the module’s options, or if it seems to be corrupt. If you are concerned that this could overwrite your existing certificate, consider using the backup option.
The ownca provider is intended for generating an OpenSSL certificate signed with your own CA (Certificate Authority) certificate (self-signed certificate).
This module allows one to (re)generate OpenSSL certificates.
The below requirements are needed on the host that executes this module.
+acme-tiny >= 4.0.0 (if using the acme provider)
cryptography >= 1.6 (if using selfsigned or ownca provider)
Parameter |
+Comments |
+
|---|---|
| + | The path to the accountkey for the This is only used by the |
+
| + | Include the intermediate certificate to the generated certificate +This is only used by the Note that this is only available for older versions of Choices: +
|
+
| + | The path to the ACME challenge directory that is served on http://%3CHOST%3E:80/.well-known/acme-challenge/ +This is only used by the |
+
| + | The ACME directory to use. You can use any directory that supports the ACME protocol, such as Buypass or Let’s Encrypt. +Let’s Encrypt recommends using their staging server while developing jobs. https://letsencrypt.org/docs/staging-environment/. +Default: |
+
| + | The attributes the resulting filesystem object should have. +To get supported flags look at the man page for chattr on the target system. +This string should contain the attributes in the same order as the one displayed by lsattr. +The |
+
| + | Create a backup file including a timestamp so you can get the original certificate back if you overwrote it with a new one by accident. +Choices: +
|
+
| + | Content of the Certificate Signing Request (CSR) used to generate this certificate. +This is mutually exclusive with |
+
| + | Path to the Certificate Signing Request (CSR) used to generate this certificate. +This is mutually exclusive with |
+
| + | The path to the private key of the client certificate used to authenticate to the Entrust Certificate Services (ECS) API. +This is only used by the This is required if the provider is |
+
| + | The path to the client certificate used to authenticate to the Entrust Certificate Services (ECS) API. +This is only used by the This is required if the provider is |
+
| + | The key (password) for authentication to the Entrust Certificate Services (ECS) API. +This is only used by the This is required if the provider is |
+
| + | The path to the specification file defining the Entrust Certificate Services (ECS) API configuration. +You can use this to keep a local copy of the specification to avoid downloading it every time the module is used. +This is only used by the Default: |
+
| + | The username for authentication to the Entrust Certificate Services (ECS) API. +This is only used by the This is required if the provider is |
+
| + | Specify the type of certificate requested. +This is only used by the Choices: +
|
+
| + | The point in time at which the certificate stops being valid. +Time can be specified either as relative time or as an absolute timestamp. +A valid absolute time format is A valid relative time format is Time will always be interpreted as UTC. +Note that only the date (day, month, year) is supported for specifying the expiry date of the issued certificate. +The full date-time is adjusted to EST (GMT -5:00) before issuance, which may result in a certificate with an expiration date one day earlier than expected if a relative time is used. +The minimum certificate lifetime is 90 days, and maximum is three years. +If this value is not specified, the certificate will stop being valid 365 days the date of issue. +This is only used by the Please note that this value is not covered by the Default: |
+
| + | The email of the requester of the certificate (for tracking purposes). +This is only used by the This is required if the provider is |
+
| + | The name of the requester of the certificate (for tracking purposes). +This is only used by the This is required if the provider is |
+
| + | The phone number of the requester of the certificate (for tracking purposes). +This is only used by the This is required if the provider is |
+
| + | Generate the certificate, even if it already exists. +Choices: +
|
+
| + | Name of the group that should own the filesystem object, as would be fed to chown. +When left unspecified, it uses the current group of the current user unless you are root, in which case it can preserve the previous ownership. + |
+
| + | Whether the “not before” and “not after” timestamps should be ignored for idempotency checks. +It is better to keep the default value Choices: +
|
+
| + | The permissions the resulting filesystem object should have. +For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must give Ansible enough information to parse them correctly. For consistent results, quote octal numbers (for example, Giving Ansible a number without following either of these rules will end up with a decimal number which will have unexpected results. +As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, If If Specifying |
+
| + | Content of the CA (Certificate Authority) certificate. +This is only used by the This is mutually exclusive with |
+
| + | Create a Authority Key Identifier from the CA’s certificate. If the CSR provided a authority key identifier, it is ignored. +The Authority Key Identifier is generated from the CA certificate’s Subject Key Identifier, if available. If it is not available, the CA certificate’s public key will be used. +This is only used by the Note that this is only supported if the Choices: +
|
+
| + | Whether to create the Subject Key Identifier (SKI) from the public key. +A value of A value of A value of This is only used by the Note that this is only supported if the Choices: +
|
+
| + | The digest algorithm to be used for the This is only used by the Default: |
+
| + | The point in time at which the certificate stops being valid. +Time can be specified either as relative time or as absolute timestamp. +Time will always be interpreted as UTC. +Valid format is If this value is not specified, the certificate will stop being valid 10 years from now. +Note that this value is not used to determine whether an existing certificate should be regenerated. This can be changed by setting the This is only used by the On macOS 10.15 and onwards, TLS server certificates must have a validity period of 825 days or fewer. Please see https://support.apple.com/en-us/HT210176 for more details. +Default: |
+
| + | The point in time the certificate is valid from. +Time can be specified either as relative time or as absolute timestamp. +Time will always be interpreted as UTC. +Valid format is If this value is not specified, the certificate will start being valid from now. +Note that this value is not used to determine whether an existing certificate should be regenerated. This can be changed by setting the This is only used by the Default: |
+
| + | Remote absolute path of the CA (Certificate Authority) certificate. +This is only used by the This is mutually exclusive with |
+
| + | Content of the CA (Certificate Authority) private key to use when signing the certificate. +This is only used by the This is mutually exclusive with |
+
| + | The passphrase for the This is only used by the |
+
| + | Path to the CA (Certificate Authority) private key to use when signing the certificate. +This is only used by the This is mutually exclusive with |
+
| + | The version of the Nowadays it should almost always be This is only used by the Default: |
+
| + | Name of the user that should own the filesystem object, as would be fed to chown. +When left unspecified, it uses the current user unless you are root, in which case it can preserve the previous ownership. +Specifying a numeric username will be assumed to be a user ID and not a username. Avoid numeric usernames to avoid this confusion. + |
+
| + | Remote absolute path where the generated certificate file should be created or is already located. + |
+
| + | Content of the private key to use when signing the certificate. +This is mutually exclusive with |
+
| + | The passphrase for the This is required if the private key is password protected. + |
+
| + | Path to the private key to use when signing the certificate. +This is mutually exclusive with |
+
| + | Name of the provider to use to generate/retrieve the OpenSSL certificate. Please see the examples on how to emulate it with community.crypto.x509_certificate_info, community.crypto.openssl_csr_info, community.crypto.openssl_privatekey_info and ansible.builtin.assert. +The Required if Choices: +
|
+
| + | If set to Choices: +
|
+
| + | Determines which crypto backend to use. +The default choice is If set to Choices: +
|
+
| + | The level part of the SELinux filesystem object context. +This is the MLS/MCS attribute, sometimes known as the When set to |
+
| + | Whether to create the Subject Key Identifier (SKI) from the public key. +A value of A value of A value of This is only used by the Note that this is only supported if the Choices: +
|
+
| + | Digest algorithm to be used when self-signing the certificate. +This is only used by the Default: |
+
| + | The point in time at which the certificate stops being valid. +Time can be specified either as relative time or as absolute timestamp. +Time will always be interpreted as UTC. +Valid format is If this value is not specified, the certificate will stop being valid 10 years from now. +Note that this value is not used to determine whether an existing certificate should be regenerated. This can be changed by setting the This is only used by the On macOS 10.15 and onwards, TLS server certificates must have a validity period of 825 days or fewer. Please see https://support.apple.com/en-us/HT210176 for more details. +Default: |
+
| + | The point in time the certificate is valid from. +Time can be specified either as relative time or as absolute timestamp. +Time will always be interpreted as UTC. +Valid format is If this value is not specified, the certificate will start being valid from now. +Note that this value is not used to determine whether an existing certificate should be regenerated. This can be changed by setting the This is only used by the Default: |
+
| + | Version of the Nowadays it should almost always be This is only used by the Default: |
+
| + | The role part of the SELinux filesystem object context. +When set to |
+
| + | The type part of the SELinux filesystem object context. +When set to |
+
| + | The user part of the SELinux filesystem object context. +By default it uses the When set to |
+
| + | Whether the certificate should exist or not, taking action if the state is different from what is stated. +Choices: +
|
+
| + | Influence when to use atomic operation to prevent data corruption or inconsistent reads from the target filesystem object. +By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target filesystem objects, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted filesystem objects, which cannot be updated atomically from inside the container and can only be written in an unsafe manner. +This option allows Ansible to fall back to unsafe methods of updating filesystem objects when atomic operations fail (however, it doesn’t force Ansible to perform unsafe writes). +IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption. +Choices: +
|
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full + |
+Can run in |
+
| + | Support: full + |
+Will return details on what has changed (or possibly needs changing in |
+
| + | Support: full + |
+Uses Ansible’s strict file operation functions to ensure proper permissions and avoid data corruption. + |
+
Note
+All ASN.1 TIME values should be specified following the YYYYMMDDHHMMSSZ pattern.
Date specified should be UTC. Minutes and seconds are mandatory.
For security reason, when you use ownca provider, you should NOT run community.crypto.x509_certificate on a target machine, but on a dedicated CA machine. It is recommended not to store the CA private key on the target machine. Once signed, the certificate can be moved to the target machine.
For the selfsigned provider, csr_path and csr_content are optional. If not provided, a certificate without any information (Subject, Subject Alternative Names, Key Usage, etc.) is created.
See also
+Generate and/or check OpenSSL certificates.
+Generate OpenSSL Certificate Signing Request (CSR).
+Generate OpenSSL Certificate Signing Request (CSR).
+Generate OpenSSL Diffie-Hellman Parameters.
+Generate OpenSSL PKCS#12 archive.
+Generate OpenSSL private keys.
+Generate OpenSSL private keys without disk access.
+Generate an OpenSSL public key from its private key.
+- name: Generate a Self Signed OpenSSL certificate
+ community.crypto.x509_certificate:
+ path: /etc/ssl/crt/ansible.com.crt
+ privatekey_path: /etc/ssl/private/ansible.com.pem
+ csr_path: /etc/ssl/csr/ansible.com.csr
+ provider: selfsigned
+
+- name: Generate an OpenSSL certificate signed with your own CA certificate
+ community.crypto.x509_certificate:
+ path: /etc/ssl/crt/ansible.com.crt
+ csr_path: /etc/ssl/csr/ansible.com.csr
+ ownca_path: /etc/ssl/crt/ansible_CA.crt
+ ownca_privatekey_path: /etc/ssl/private/ansible_CA.pem
+ provider: ownca
+
+- name: Generate a Let's Encrypt Certificate
+ community.crypto.x509_certificate:
+ path: /etc/ssl/crt/ansible.com.crt
+ csr_path: /etc/ssl/csr/ansible.com.csr
+ provider: acme
+ acme_accountkey_path: /etc/ssl/private/ansible.com.pem
+ acme_challenge_path: /etc/ssl/challenges/ansible.com/
+
+- name: Force (re-)generate a new Let's Encrypt Certificate
+ community.crypto.x509_certificate:
+ path: /etc/ssl/crt/ansible.com.crt
+ csr_path: /etc/ssl/csr/ansible.com.csr
+ provider: acme
+ acme_accountkey_path: /etc/ssl/private/ansible.com.pem
+ acme_challenge_path: /etc/ssl/challenges/ansible.com/
+ force: true
+
+- name: Generate an Entrust certificate via the Entrust Certificate Services (ECS) API
+ community.crypto.x509_certificate:
+ path: /etc/ssl/crt/ansible.com.crt
+ csr_path: /etc/ssl/csr/ansible.com.csr
+ provider: entrust
+ entrust_requester_name: Jo Doe
+ entrust_requester_email: jdoe@ansible.com
+ entrust_requester_phone: 555-555-5555
+ entrust_cert_type: STANDARD_SSL
+ entrust_api_user: apiusername
+ entrust_api_key: a^lv*32!cd9LnT
+ entrust_api_client_cert_path: /etc/ssl/entrust/ecs-client.crt
+ entrust_api_client_cert_key_path: /etc/ssl/entrust/ecs-key.crt
+ entrust_api_specification_path: /etc/ssl/entrust/api-docs/cms-api-2.1.0.yaml
+
+# The following example shows how to emulate the behavior of the removed
+# "assertonly" provider with the x509_certificate_info, openssl_csr_info,
+# openssl_privatekey_info and assert modules:
+
+- name: Get certificate information
+ community.crypto.x509_certificate_info:
+ path: /etc/ssl/crt/ansible.com.crt
+ # for valid_at, invalid_at and valid_in
+ valid_at:
+ one_day_ten_hours: "+1d10h"
+ fixed_timestamp: 20200331202428Z
+ ten_seconds: "+10"
+ register: result
+
+- name: Get CSR information
+ community.crypto.openssl_csr_info:
+ # Verifies that the CSR signature is valid; module will fail if not
+ path: /etc/ssl/csr/ansible.com.csr
+ register: result_csr
+
+- name: Get private key information
+ community.crypto.openssl_privatekey_info:
+ path: /etc/ssl/csr/ansible.com.key
+ register: result_privatekey
+
+- name: Check conditions on certificate, CSR, and private key
+ ansible.builtin.assert:
+ that:
+ # When private key was specified for assertonly, this was checked:
+ - result.public_key == result_privatekey.public_key
+ # When CSR was specified for assertonly, this was checked:
+ - result.public_key == result_csr.public_key
+ - result.subject_ordered == result_csr.subject_ordered
+ - result.extensions_by_oid == result_csr.extensions_by_oid
+ # signature_algorithms check
+ - "result.signature_algorithm == 'sha256WithRSAEncryption' or result.signature_algorithm == 'sha512WithRSAEncryption'"
+ # subject and subject_strict
+ - "result.subject.commonName == 'ansible.com'"
+ - "result.subject | length == 1" # the number must be the number of entries you check for
+ # issuer and issuer_strict
+ - "result.issuer.commonName == 'ansible.com'"
+ - "result.issuer | length == 1" # the number must be the number of entries you check for
+ # has_expired
+ - not result.expired
+ # version
+ - result.version == 3
+ # key_usage and key_usage_strict
+ - "'Data Encipherment' in result.key_usage"
+ - "result.key_usage | length == 1" # the number must be the number of entries you check for
+ # extended_key_usage and extended_key_usage_strict
+ - "'DVCS' in result.extended_key_usage"
+ - "result.extended_key_usage | length == 1" # the number must be the number of entries you check for
+ # subject_alt_name and subject_alt_name_strict
+ - "'dns:ansible.com' in result.subject_alt_name"
+ - "result.subject_alt_name | length == 1" # the number must be the number of entries you check for
+ # not_before and not_after
+ - "result.not_before == '20190331202428Z'"
+ - "result.not_after == '20190413202428Z'"
+ # valid_at, invalid_at and valid_in
+ - "result.valid_at.one_day_ten_hours" # for valid_at
+ - "not result.valid_at.fixed_timestamp" # for invalid_at
+ - "result.valid_at.ten_seconds" # for valid_in
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | Name of backup file created. +Returned: changed and if Sample: |
+
| + | The (current or generated) certificate’s content. +Returned: if |
+
| + | Path to the generated certificate. +Returned: changed or success +Sample: |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.x509_certificate_pipe.
New in community.crypto 1.3.0
+ +It implements a notion of provider (one of selfsigned, ownca, entrust) for your certificate.
It uses the cryptography python library to interact with OpenSSL.
The ownca provider is intended for generating an OpenSSL certificate signed with your own CA (Certificate Authority) certificate (self-signed certificate).
This module allows one to (re)generate OpenSSL certificates.
The below requirements are needed on the host that executes this module.
+cryptography >= 1.6 (if using selfsigned or ownca provider)
Parameter |
+Comments |
+
|---|---|
| + | The existing certificate. + |
+
| + | Content of the Certificate Signing Request (CSR) used to generate this certificate. +This is mutually exclusive with |
+
| + | Path to the Certificate Signing Request (CSR) used to generate this certificate. +This is mutually exclusive with |
+
| + | The path to the private key of the client certificate used to authenticate to the Entrust Certificate Services (ECS) API. +This is only used by the This is required if the provider is |
+
| + | The path to the client certificate used to authenticate to the Entrust Certificate Services (ECS) API. +This is only used by the This is required if the provider is |
+
| + | The key (password) for authentication to the Entrust Certificate Services (ECS) API. +This is only used by the This is required if the provider is |
+
| + | The path to the specification file defining the Entrust Certificate Services (ECS) API configuration. +You can use this to keep a local copy of the specification to avoid downloading it every time the module is used. +This is only used by the Default: |
+
| + | The username for authentication to the Entrust Certificate Services (ECS) API. +This is only used by the This is required if the provider is |
+
| + | Specify the type of certificate requested. +This is only used by the Choices: +
|
+
| + | The point in time at which the certificate stops being valid. +Time can be specified either as relative time or as an absolute timestamp. +A valid absolute time format is A valid relative time format is Time will always be interpreted as UTC. +Note that only the date (day, month, year) is supported for specifying the expiry date of the issued certificate. +The full date-time is adjusted to EST (GMT -5:00) before issuance, which may result in a certificate with an expiration date one day earlier than expected if a relative time is used. +The minimum certificate lifetime is 90 days, and maximum is three years. +If this value is not specified, the certificate will stop being valid 365 days the date of issue. +This is only used by the Please note that this value is not covered by the Default: |
+
| + | The email of the requester of the certificate (for tracking purposes). +This is only used by the This is required if the provider is |
+
| + | The name of the requester of the certificate (for tracking purposes). +This is only used by the This is required if the provider is |
+
| + | The phone number of the requester of the certificate (for tracking purposes). +This is only used by the This is required if the provider is |
+
| + | Generate the certificate, even if it already exists. +Choices: +
|
+
| + | Whether the “not before” and “not after” timestamps should be ignored for idempotency checks. +It is better to keep the default value Choices: +
|
+
| + | Content of the CA (Certificate Authority) certificate. +This is only used by the This is mutually exclusive with |
+
| + | Create a Authority Key Identifier from the CA’s certificate. If the CSR provided a authority key identifier, it is ignored. +The Authority Key Identifier is generated from the CA certificate’s Subject Key Identifier, if available. If it is not available, the CA certificate’s public key will be used. +This is only used by the Note that this is only supported if the Choices: +
|
+
| + | Whether to create the Subject Key Identifier (SKI) from the public key. +A value of A value of A value of This is only used by the Note that this is only supported if the Choices: +
|
+
| + | The digest algorithm to be used for the This is only used by the Default: |
+
| + | The point in time at which the certificate stops being valid. +Time can be specified either as relative time or as absolute timestamp. +Time will always be interpreted as UTC. +Valid format is If this value is not specified, the certificate will stop being valid 10 years from now. +Note that this value is not used to determine whether an existing certificate should be regenerated. This can be changed by setting the This is only used by the On macOS 10.15 and onwards, TLS server certificates must have a validity period of 825 days or fewer. Please see https://support.apple.com/en-us/HT210176 for more details. +Default: |
+
| + | The point in time the certificate is valid from. +Time can be specified either as relative time or as absolute timestamp. +Time will always be interpreted as UTC. +Valid format is If this value is not specified, the certificate will start being valid from now. +Note that this value is not used to determine whether an existing certificate should be regenerated. This can be changed by setting the This is only used by the Default: |
+
| + | Remote absolute path of the CA (Certificate Authority) certificate. +This is only used by the This is mutually exclusive with |
+
| + | Content of the CA (Certificate Authority) private key to use when signing the certificate. +This is only used by the This is mutually exclusive with |
+
| + | The passphrase for the This is only used by the |
+
| + | Path to the CA (Certificate Authority) private key to use when signing the certificate. +This is only used by the This is mutually exclusive with |
+
| + | The version of the Nowadays it should almost always be This is only used by the Default: |
+
| + | Content of the private key to use when signing the certificate. +This is mutually exclusive with |
+
| + | The passphrase for the This is required if the private key is password protected. + |
+
| + | Path to the private key to use when signing the certificate. +This is mutually exclusive with |
+
| + | Name of the provider to use to generate/retrieve the OpenSSL certificate. +The Choices: +
|
+
| + | Determines which crypto backend to use. +The default choice is If set to Choices: +
|
+
| + | Whether to create the Subject Key Identifier (SKI) from the public key. +A value of A value of A value of This is only used by the Note that this is only supported if the Choices: +
|
+
| + | Digest algorithm to be used when self-signing the certificate. +This is only used by the Default: |
+
| + | The point in time at which the certificate stops being valid. +Time can be specified either as relative time or as absolute timestamp. +Time will always be interpreted as UTC. +Valid format is If this value is not specified, the certificate will stop being valid 10 years from now. +Note that this value is not used to determine whether an existing certificate should be regenerated. This can be changed by setting the This is only used by the On macOS 10.15 and onwards, TLS server certificates must have a validity period of 825 days or fewer. Please see https://support.apple.com/en-us/HT210176 for more details. +Default: |
+
| + | The point in time the certificate is valid from. +Time can be specified either as relative time or as absolute timestamp. +Time will always be interpreted as UTC. +Valid format is If this value is not specified, the certificate will start being valid from now. +Note that this value is not used to determine whether an existing certificate should be regenerated. This can be changed by setting the This is only used by the Default: |
+
| + | Version of the Nowadays it should almost always be This is only used by the Default: |
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full +Currently in check mode, private keys will not be (re-)generated, only the changed status is set. This will change in community.crypto 3.0.0. +From community.crypto 3.0.0 on, the module will ignore check mode and always behave as if check mode is not active. If you think this breaks your use-case of this module, please create an issue in the community.crypto repository. + |
+Can run in |
+
| + | Support: full + |
+Will return details on what has changed (or possibly needs changing in |
+
Note
+All ASN.1 TIME values should be specified following the YYYYMMDDHHMMSSZ pattern.
Date specified should be UTC. Minutes and seconds are mandatory.
For security reason, when you use ownca provider, you should NOT run community.crypto.x509_certificate on a target machine, but on a dedicated CA machine. It is recommended not to store the CA private key on the target machine. Once signed, the certificate can be moved to the target machine.
For the selfsigned provider, csr_path and csr_content are optional. If not provided, a certificate without any information (Subject, Subject Alternative Names, Key Usage, etc.) is created.
See also
+Generate and/or check OpenSSL certificates.
+Generate OpenSSL Certificate Signing Request (CSR).
+Generate OpenSSL Certificate Signing Request (CSR).
+Generate OpenSSL Diffie-Hellman Parameters.
+Generate OpenSSL PKCS#12 archive.
+Generate OpenSSL private keys.
+Generate OpenSSL private keys without disk access.
+Generate an OpenSSL public key from its private key.
+- name: Generate a Self Signed OpenSSL certificate
+ community.crypto.x509_certificate_pipe:
+ provider: selfsigned
+ privatekey_path: /etc/ssl/private/ansible.com.pem
+ csr_path: /etc/ssl/csr/ansible.com.csr
+ register: result
+- name: Print the certificate
+ ansible.builtin.debug:
+ var: result.certificate
+
+# In the following example, both CSR and certificate file are stored on the
+# machine where ansible-playbook is executed, while the OwnCA data (certificate,
+# private key) are stored on the remote machine.
+
+- name: (1/2) Generate an OpenSSL Certificate with the CSR provided inline
+ community.crypto.x509_certificate_pipe:
+ provider: ownca
+ content: "{{ lookup('ansible.builtin.file', '/etc/ssl/csr/www.ansible.com.crt') }}"
+ csr_content: "{{ lookup('ansible.builtin.file', '/etc/ssl/csr/www.ansible.com.csr') }}"
+ ownca_cert: /path/to/ca_cert.crt
+ ownca_privatekey: /path/to/ca_cert.key
+ ownca_privatekey_passphrase: hunter2
+ register: result
+
+- name: (2/2) Store certificate
+ ansible.builtin.copy:
+ dest: /etc/ssl/csr/www.ansible.com.crt
+ content: "{{ result.certificate }}"
+ delegate_to: localhost
+ when: result is changed
+
+# In the following example, the certificate from another machine is signed by
+# our OwnCA whose private key and certificate are only available on this
+# machine (where ansible-playbook is executed), without having to write
+# the certificate file to disk on localhost. The CSR could have been
+# provided by community.crypto.openssl_csr_pipe earlier, or also have been
+# read from the remote machine.
+
+- name: (1/3) Read certificate's contents from remote machine
+ ansible.builtin.slurp:
+ src: /etc/ssl/csr/www.ansible.com.crt
+ register: certificate_content
+
+- name: (2/3) Generate an OpenSSL Certificate with the CSR provided inline
+ community.crypto.x509_certificate_pipe:
+ provider: ownca
+ content: "{{ certificate_content.content | b64decode }}"
+ csr_content: "{{ the_csr }}"
+ ownca_cert: /path/to/ca_cert.crt
+ ownca_privatekey: /path/to/ca_cert.key
+ ownca_privatekey_passphrase: hunter2
+ delegate_to: localhost
+ register: result
+
+- name: (3/3) Store certificate
+ ansible.builtin.copy:
+ dest: /etc/ssl/csr/www.ansible.com.crt
+ content: "{{ result.certificate }}"
+ when: result is changed
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | The (current or generated) certificate’s content. +Returned: changed or success + |
+
+ Note
+This filter plugin is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this filter plugin,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.x509_crl_info.
New in community.crypto 2.10.0
+ +Provided a X.509 crl in PEM format, retrieve information.
This is a filter version of the community.crypto.x509_crl_info module.
The below requirements are needed on the local controller node that executes this filter.
+If name_encoding is set to another value than ignore, the idna Python library needs to be installed.
This describes the input of the filter, the value before | community.crypto.x509_crl_info.
Parameter |
+Comments |
+
|---|---|
| + | The content of the X.509 CRL in PEM format. + |
+
This describes keyword parameters of the filter. These are the values key1=value1, key2=value2 and so on in the following
+example: input | community.crypto.x509_crl_info(key1=value1, key2=value2, ...)
Parameter |
+Comments |
+
|---|---|
| + | If set to This is useful when retrieving information on large CRL files. Enumerating all revoked certificates can take some time, including serializing the result as JSON, sending it to the Ansible controller, and decoding it again. +Choices: +
|
+
| + | How to encode names (DNS names, URIs, email addresses) in return values. +
Note that Choices: +
|
+
See also
+Retrieve information on Certificate Revocation Lists (CRLs).
+Convert an integer to a colon-separated list of hex numbers.
+- name: Show the Organization Name of the CRL's subject
+ ansible.builtin.debug:
+ msg: >-
+ {{
+ (
+ lookup('ansible.builtin.file', '/path/to/cert.pem')
+ | community.crypto.x509_crl_info
+ ).issuer.organizationName
+ }}
+Key |
+Description |
+
|---|---|
| + | Information on the CRL. +Returned: success + |
+
| + | The signature algorithm used to sign the CRL. +Returned: success +Sample: |
+
| + | Whether the CRL is in PEM format ( Returned: success +Can only return: +
Sample: |
+
| + | The CRL’s issuer. +Note that for repeated values, only the last one will be returned. +See Returned: success +Sample: |
+
| + | The CRL’s issuer as an ordered list of tuples. +Returned: success +Sample: |
+
| + | The point in time from which this CRL can be trusted as ASN.1 TIME. +Returned: success +Sample: |
+
| + | The point in time from which a new CRL will be issued and the client has to check for it as ASN.1 TIME. +Returned: success +Sample: |
+
| + | List of certificates to be revoked. +Returned: success if |
+
| + | The point in time it was known/suspected that the private key was compromised +or that the certificate otherwise became invalid as ASN.1 TIME. +Returned: success +Sample: |
+
| + | Whether the invalidity date extension is critical. +Returned: success +Sample: |
+
| + | The certificate’s issuer. +See Returned: success +Sample: |
+
| + | Whether the certificate issuer extension is critical. +Returned: success +Sample: |
+
| + | The value for the revocation reason extension. +Returned: success +Can only return: +
Sample: |
+
| + | Whether the revocation reason extension is critical. +Returned: success +Sample: |
+
| + | The point in time the certificate was revoked as ASN.1 TIME. +Returned: success +Sample: |
+
| + | Serial number of the certificate. +This return value is an integer. If you need the serial numbers as a colon-separated hex string, such as Returned: success +Sample: |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.x509_crl_info.
New in community.crypto 1.0.0
+ +This module allows one to retrieve information on Certificate Revocation Lists (CRLs).
The below requirements are needed on the host that executes this module.
+If name_encoding is set to another value than ignore, the idna Python library needs to be installed.
cryptography >= 1.2
Parameter |
+Comments |
+
|---|---|
| + | + |
| + | If set to This is useful when retrieving information on large CRL files. Enumerating all revoked certificates can take some time, including serializing the result as JSON, sending it to the Ansible controller, and decoding it again. +Choices: +
|
+
| + | How to encode names (DNS names, URIs, email addresses) in return values. +
Note that Choices: +
|
+
| + | + |
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full +This action does not modify state. + |
+Can run in |
+
| + | Support: N/A +This action does not modify state. + |
+Will return details on what has changed (or possibly needs changing in |
+
Note
+All timestamp values are provided in ASN.1 TIME format, in other words, following the YYYYMMDDHHMMSSZ pattern. They are all in UTC.
See also
+Generate Certificate Revocation Lists (CRLs).
+A filter variant of this module.
+Convert an integer to a colon-separated list of hex numbers.
+- name: Get information on CRL
+ community.crypto.x509_crl_info:
+ path: /etc/ssl/my-ca.crl
+ register: result
+
+- name: Print the information
+ ansible.builtin.debug:
+ msg: "{{ result }}"
+
+- name: Get information on CRL without list of revoked certificates
+ community.crypto.x509_crl_info:
+ path: /etc/ssl/very-large.crl
+ list_revoked_certificates: false
+ register: result
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | The signature algorithm used to sign the CRL. +Returned: success +Sample: |
+
| + | Whether the CRL is in PEM format ( Returned: success +Can only return: +
Sample: |
+
| + | The CRL’s issuer. +Note that for repeated values, only the last one will be returned. +See Returned: success +Sample: |
+
| + | The CRL’s issuer as an ordered list of tuples. +Returned: success +Sample: |
+
| + | The point in time from which this CRL can be trusted as ASN.1 TIME. +Returned: success +Sample: |
+
| + | The point in time from which a new CRL will be issued and the client has to check for it as ASN.1 TIME. +Returned: success +Sample: |
+
| + | List of certificates to be revoked. +Returned: success if |
+
| + | The point in time it was known/suspected that the private key was compromised +or that the certificate otherwise became invalid as ASN.1 TIME. +Returned: success +Sample: |
+
| + | Whether the invalidity date extension is critical. +Returned: success +Sample: |
+
| + | The certificate’s issuer. +See Returned: success +Sample: |
+
| + | Whether the certificate issuer extension is critical. +Returned: success +Sample: |
+
| + | The value for the revocation reason extension. +Returned: success +Can only return: +
Sample: |
+
| + | Whether the revocation reason extension is critical. +Returned: success +Sample: |
+
| + | The point in time the certificate was revoked as ASN.1 TIME. +Returned: success +Sample: |
+
| + | Serial number of the certificate. +This return value is an integer. If you need the serial numbers as a colon-separated hex string, such as Returned: success +Sample: |
+
+ Note
+This module is part of the community.crypto collection (version 2.18.0).
+It is not included in ansible-core.
+To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.crypto.
+You need further requirements to be able to use this module,
+see Requirements for details.
To use it in a playbook, specify: community.crypto.x509_crl.
New in community.crypto 1.0.0
+ +This module allows one to (re)generate or update Certificate Revocation Lists (CRLs).
Certificates on the revocation list can be either specified by serial number and (optionally) their issuer, or as a path to a certificate file in PEM format.
The below requirements are needed on the host that executes this module.
+If name_encoding is set to another value than ignore, the idna Python library needs to be installed.
cryptography >= 1.2
Parameter |
+Comments |
+
|---|---|
| + | The attributes the resulting filesystem object should have. +To get supported flags look at the man page for chattr on the target system. +This string should contain the attributes in the same order as the one displayed by lsattr. +The |
+
| + | Create a backup file including a timestamp so you can get the original CRL back if you overwrote it with a new one by accident. +Choices: +
|
+
| + | Defines how to process entries of existing CRLs. +If set to If set to The default value is This parameter was called Choices: +
|
+
| + | Digest algorithm to be used when signing the CRL. +Default: |
+
| + | Should the CRL be forced to be regenerated. +Choices: +
|
+
| + | Whether the CRL file should be in PEM or DER format. +If an existing CRL file does match everything but Choices: +
|
+
| + | Name of the group that should own the filesystem object, as would be fed to chown. +When left unspecified, it uses the current group of the current user unless you are root, in which case it can preserve the previous ownership. + |
+
| + | Whether the timestamps Use this in combination with relative timestamps for these values to get idempotency. +Choices: +
|
+
| + | Key/value pairs that will be present in the issuer name field of the CRL. +If you need to specify more than one value with the same key, use a list as value. +If the order of the components is important, use One of Mutually exclusive with |
+
| + | A list of dictionaries, where every dictionary must contain one key/value pair. This key/value pair will be present in the issuer name field of the CRL. +If you want to specify more than one value with the same key in a row, you can use a list as value. +One of Mutually exclusive with |
+
| + | The point in time from which this CRL can be trusted. +Time can be specified either as relative time or as absolute timestamp. +Time will always be interpreted as UTC. +Valid format is Note that if using relative time this module is NOT idempotent, except when Default: |
+
| + | + |
| + | How to encode names (DNS names, URIs, email addresses) in return values. +
Note that Choices: +
|
+
| + | The absolute latest point in time by which this Time can be specified either as relative time or as absolute timestamp. +Time will always be interpreted as UTC. +Valid format is Note that if using relative time this module is NOT idempotent, except when Required if |
+
| + | Name of the user that should own the filesystem object, as would be fed to chown. +When left unspecified, it uses the current user unless you are root, in which case it can preserve the previous ownership. +Specifying a numeric username will be assumed to be a user ID and not a username. Avoid numeric usernames to avoid this confusion. + |
+
| + | Remote absolute path where the generated CRL file should be created or is already located. + |
+
| + | The content of the CA’s private key to use when signing the CRL. +Either |
+
| + | The passphrase for the This is required if the private key is password protected. + |
+
| + | Path to the CA’s private key to use when signing the CRL. +Either |
+
| + | If set to Choices: +
|
+
| + | List of certificates to be revoked. +Required if |
+
| + | Content of a certificate in PEM format. +The serial number and issuer will be extracted from the certificate. +Mutually exclusive with |
+
| + | The point in time it was known/suspected that the private key was compromised or that the certificate otherwise became invalid. +Time can be specified either as relative time or as absolute timestamp. +Time will always be interpreted as UTC. +Valid format is Note that if using relative time this module is NOT idempotent. This will NOT change when |
+
| + | Whether the invalidity date extension should be critical. +Choices: +
|
+
| + | The certificate’s issuer. +Example: |
+
| + | Whether the certificate issuer extension should be critical. +Choices: +
|
+
| + | Path to a certificate in PEM format. +The serial number and issuer will be extracted from the certificate. +Mutually exclusive with |
+
| + | The value for the revocation reason extension. +Choices: +
|
+
| + | Whether the revocation reason extension should be critical. +Choices: +
|
+
| + | The point in time the certificate was revoked. +Time can be specified either as relative time or as absolute timestamp. +Time will always be interpreted as UTC. +Valid format is Note that if using relative time this module is NOT idempotent, except when Default: |
+
| + | Serial number of the certificate. +Mutually exclusive with This option accepts integers or hex octet strings, depending on the value of If If You can use the filters community.crypto.parse_serial and community.crypto.to_serial to convert these two representations. + |
+
| + | The level part of the SELinux filesystem object context. +This is the MLS/MCS attribute, sometimes known as the When set to |
+
| + | This option determines which values will be accepted for If set to If set to Choices: +
|
+
| + | The role part of the SELinux filesystem object context. +When set to |
+
| + | The type part of the SELinux filesystem object context. +When set to |
+
| + | The user part of the SELinux filesystem object context. +By default it uses the When set to |
+
| + | Whether the CRL file should exist or not, taking action if the state is different from what is stated. +Choices: +
|
+
| + | Influence when to use atomic operation to prevent data corruption or inconsistent reads from the target filesystem object. +By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target filesystem objects, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted filesystem objects, which cannot be updated atomically from inside the container and can only be written in an unsafe manner. +This option allows Ansible to fall back to unsafe methods of updating filesystem objects when atomic operations fail (however, it doesn’t force Ansible to perform unsafe writes). +IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption. +Choices: +
|
+
Attribute |
+Support |
+Description |
+
|---|---|---|
| + | Support: full + |
+Can run in |
+
| + | Support: full + |
+Will return details on what has changed (or possibly needs changing in |
+
| + | Support: full + |
+Uses Ansible’s strict file operation functions to ensure proper permissions and avoid data corruption. + |
+
Note
+All ASN.1 TIME values should be specified following the YYYYMMDDHHMMSSZ pattern.
Date specified should be UTC. Minutes and seconds are mandatory.
See also
+Convert a serial number as a colon-separated list of hex numbers to an integer.
+Convert an integer to a colon-separated list of hex numbers.
+- name: Generate a CRL
+ community.crypto.x509_crl:
+ path: /etc/ssl/my-ca.crl
+ privatekey_path: /etc/ssl/private/my-ca.pem
+ issuer:
+ CN: My CA
+ last_update: "+0s"
+ next_update: "+7d"
+ revoked_certificates:
+ - serial_number: 1234
+ revocation_date: 20190331202428Z
+ issuer:
+ CN: My CA
+ - serial_number: 2345
+ revocation_date: 20191013152910Z
+ reason: affiliation_changed
+ invalidity_date: 20191001000000Z
+ - path: /etc/ssl/crt/revoked-cert.pem
+ revocation_date: 20191010010203Z
+Common return values are documented here, the following are the fields unique to this module:
+Key |
+Description |
+
|---|---|
| + | Name of backup file created. +Returned: changed and if Sample: |
+
| + | The (current or generated) CRL’s content. +Will be the CRL itself if Returned: if |
+
| + | The signature algorithm used to sign the CRL. +Returned: success +Sample: |
+
| + | Path to the generated CRL. +Returned: changed or success +Sample: |
+
| + | Whether the CRL is in PEM format ( Returned: success +Can only return: +
Sample: |
+
| + | The CRL’s issuer. +Note that for repeated values, only the last one will be returned. +See Returned: success +Sample: |
+
| + | The CRL’s issuer as an ordered list of tuples. +Returned: success +Sample: |
+
| + | The point in time from which this CRL can be trusted as ASN.1 TIME. +Returned: success +Sample: |
+
| + | The point in time from which a new CRL will be issued and the client has to check for it as ASN.1 TIME. +Returned: success +Sample: |
+
| + | Path to the private CA key. +Returned: changed or success +Sample: |
+
| + | List of certificates to be revoked. +Returned: success + |
+
| + | The point in time it was known/suspected that the private key was compromised +or that the certificate otherwise became invalid as ASN.1 TIME. +Returned: success +Sample: |
+
| + | Whether the invalidity date extension is critical. +Returned: success +Sample: |
+
| + | The certificate’s issuer. +See Returned: success +Sample: |
+
| + | Whether the certificate issuer extension is critical. +Returned: success +Sample: |
+
| + | The value for the revocation reason extension. +Returned: success +Can only return: +
Sample: |
+
| + | Whether the revocation reason extension is critical. +Returned: success +Sample: |
+
| + | The point in time the certificate was revoked as ASN.1 TIME. +Returned: success +Sample: |
+
| + | Serial number of the certificate. +This return value is an integer. If you need the serial numbers as a colon-separated hex string, such as Returned: success +Sample: |
+