crypto modules: add missing option types (#52421)
* Add missing crypto option types. * Reorder argument_spec. * Reorder option docs.
This commit is contained in:
parent
9f82f3fd14
commit
1d8e9db4a9
18 changed files with 192 additions and 169 deletions
|
@ -49,6 +49,7 @@ options:
|
||||||
deactivated."
|
deactivated."
|
||||||
- "If the state is C(changed_key), the account must exist. The account
|
- "If the state is C(changed_key), the account must exist. The account
|
||||||
key will be changed; no other information will be touched."
|
key will be changed; no other information will be touched."
|
||||||
|
type: str
|
||||||
required: true
|
required: true
|
||||||
choices:
|
choices:
|
||||||
- present
|
- present
|
||||||
|
@ -57,8 +58,8 @@ options:
|
||||||
allow_creation:
|
allow_creation:
|
||||||
description:
|
description:
|
||||||
- "Whether account creation is allowed (when state is C(present))."
|
- "Whether account creation is allowed (when state is C(present))."
|
||||||
default: yes
|
|
||||||
type: bool
|
type: bool
|
||||||
|
default: yes
|
||||||
contact:
|
contact:
|
||||||
description:
|
description:
|
||||||
- "A list of contact URLs."
|
- "A list of contact URLs."
|
||||||
|
@ -67,25 +68,28 @@ options:
|
||||||
for what is allowed."
|
for what is allowed."
|
||||||
- "Must be specified when state is C(present). Will be ignored
|
- "Must be specified when state is C(present). Will be ignored
|
||||||
if state is C(absent) or C(changed_key)."
|
if state is C(absent) or C(changed_key)."
|
||||||
|
type: list
|
||||||
default: []
|
default: []
|
||||||
terms_agreed:
|
terms_agreed:
|
||||||
description:
|
description:
|
||||||
- "Boolean indicating whether you agree to the terms of service document."
|
- "Boolean indicating whether you agree to the terms of service document."
|
||||||
- "ACME servers can require this to be true."
|
- "ACME servers can require this to be true."
|
||||||
default: no
|
|
||||||
type: bool
|
type: bool
|
||||||
|
default: no
|
||||||
new_account_key_src:
|
new_account_key_src:
|
||||||
description:
|
description:
|
||||||
- "Path to a file containing the ACME account RSA or Elliptic Curve key to change to."
|
- "Path to a file containing the ACME account RSA or Elliptic Curve key to change to."
|
||||||
- "Same restrictions apply as to C(account_key_src)."
|
- "Same restrictions apply as to C(account_key_src)."
|
||||||
- "Mutually exclusive with C(new_account_key_content)."
|
- "Mutually exclusive with C(new_account_key_content)."
|
||||||
- "Required if C(new_account_key_content) is not used and state is C(changed_key)."
|
- "Required if C(new_account_key_content) is not used and state is C(changed_key)."
|
||||||
|
type: path
|
||||||
new_account_key_content:
|
new_account_key_content:
|
||||||
description:
|
description:
|
||||||
- "Content of the ACME account RSA or Elliptic Curve key to change to."
|
- "Content of the ACME account RSA or Elliptic Curve key to change to."
|
||||||
- "Same restrictions apply as to C(account_key_content)."
|
- "Same restrictions apply as to C(account_key_content)."
|
||||||
- "Mutually exclusive with C(new_account_key_src)."
|
- "Mutually exclusive with C(new_account_key_src)."
|
||||||
- "Required if C(new_account_key_src) is not used and state is C(changed_key)."
|
- "Required if C(new_account_key_src) is not used and state is C(changed_key)."
|
||||||
|
type: str
|
||||||
'''
|
'''
|
||||||
|
|
||||||
EXAMPLES = '''
|
EXAMPLES = '''
|
||||||
|
@ -137,17 +141,17 @@ def main():
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
account_key_src=dict(type='path', aliases=['account_key']),
|
account_key_src=dict(type='path', aliases=['account_key']),
|
||||||
account_key_content=dict(type='str', no_log=True),
|
account_key_content=dict(type='str', no_log=True),
|
||||||
account_uri=dict(required=False, type='str'),
|
account_uri=dict(type='str'),
|
||||||
acme_directory=dict(required=False, default='https://acme-staging.api.letsencrypt.org/directory', type='str'),
|
acme_directory=dict(type='str', default='https://acme-staging.api.letsencrypt.org/directory'),
|
||||||
acme_version=dict(required=False, default=1, choices=[1, 2], type='int'),
|
acme_version=dict(type='int', default=1, choices=[1, 2]),
|
||||||
validate_certs=dict(required=False, default=True, type='bool'),
|
validate_certs=dict(type='bool', default=True),
|
||||||
terms_agreed=dict(required=False, default=False, type='bool'),
|
terms_agreed=dict(type='bool', default=False),
|
||||||
state=dict(required=True, choices=['absent', 'present', 'changed_key'], type='str'),
|
state=dict(type='str', required=True, choices=['absent', 'present', 'changed_key']),
|
||||||
allow_creation=dict(required=False, default=True, type='bool'),
|
allow_creation=dict(type='bool', default=True),
|
||||||
contact=dict(required=False, type='list', elements='str', default=[]),
|
contact=dict(type='list', elements='str', default=[]),
|
||||||
new_account_key_src=dict(type='path'),
|
new_account_key_src=dict(type='path'),
|
||||||
new_account_key_content=dict(type='str', no_log=True),
|
new_account_key_content=dict(type='str', no_log=True),
|
||||||
select_crypto_backend=dict(required=False, choices=['auto', 'openssl', 'cryptography'], default='auto', type='str'),
|
select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'openssl', 'cryptography']),
|
||||||
),
|
),
|
||||||
required_one_of=(
|
required_one_of=(
|
||||||
['account_key_src', 'account_key_content'],
|
['account_key_src', 'account_key_content'],
|
||||||
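Review bot: The `contact` option documentation gains `type: list` (hunk `@ -67,25 +68,28`) but no element type, while the `main()` argument_spec in the `@ -137,17` hunk declares `contact=dict(type='list', elements='str', default=[])`. Add `elements: str` directly under `type: list` so the documented schema matches the spec the module actually enforces. Both the DOCUMENTATION string and the `argument_spec` extend beyond the hunks shown here.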
|
|
|
@ -111,11 +111,11 @@ def main():
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
account_key_src=dict(type='path', aliases=['account_key']),
|
account_key_src=dict(type='path', aliases=['account_key']),
|
||||||
account_key_content=dict(type='str', no_log=True),
|
account_key_content=dict(type='str', no_log=True),
|
||||||
account_uri=dict(required=False, type='str'),
|
account_uri=dict(type='str'),
|
||||||
acme_directory=dict(required=False, default='https://acme-staging.api.letsencrypt.org/directory', type='str'),
|
acme_directory=dict(type='str', default='https://acme-staging.api.letsencrypt.org/directory'),
|
||||||
acme_version=dict(required=False, default=1, choices=[1, 2], type='int'),
|
acme_version=dict(type='int', default=1, choices=[1, 2]),
|
||||||
validate_certs=dict(required=False, default=True, type='bool'),
|
validate_certs=dict(type='bool', default=True),
|
||||||
select_crypto_backend=dict(required=False, choices=['auto', 'openssl', 'cryptography'], default='auto', type='str'),
|
select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'openssl', 'cryptography']),
|
||||||
),
|
),
|
||||||
required_one_of=(
|
required_one_of=(
|
||||||
['account_key_src', 'account_key_content'],
|
['account_key_src', 'account_key_content'],
|
||||||
|
|
|
@ -83,19 +83,21 @@ options:
|
||||||
used the M(acme_account) module to specify more than one contact
|
used the M(acme_account) module to specify more than one contact
|
||||||
for your account, this module will update your account and restrict
|
for your account, this module will update your account and restrict
|
||||||
it to the (at most one) contact email address specified here."
|
it to the (at most one) contact email address specified here."
|
||||||
|
type: str
|
||||||
agreement:
|
agreement:
|
||||||
description:
|
description:
|
||||||
- "URI to a terms of service document you agree to when using the
|
- "URI to a terms of service document you agree to when using the
|
||||||
ACME v1 service at C(acme_directory)."
|
ACME v1 service at C(acme_directory)."
|
||||||
- Default is latest gathered from C(acme_directory) URL.
|
- Default is latest gathered from C(acme_directory) URL.
|
||||||
- This option will only be used when C(acme_version) is 1.
|
- This option will only be used when C(acme_version) is 1.
|
||||||
|
type: str
|
||||||
terms_agreed:
|
terms_agreed:
|
||||||
description:
|
description:
|
||||||
- "Boolean indicating whether you agree to the terms of service document."
|
- "Boolean indicating whether you agree to the terms of service document."
|
||||||
- "ACME servers can require this to be true."
|
- "ACME servers can require this to be true."
|
||||||
- This option will only be used when C(acme_version) is not 1.
|
- This option will only be used when C(acme_version) is not 1.
|
||||||
type: bool
|
type: bool
|
||||||
default: 'no'
|
default: no
|
||||||
version_added: "2.5"
|
version_added: "2.5"
|
||||||
modify_account:
|
modify_account:
|
||||||
description:
|
description:
|
||||||
|
@ -106,12 +108,13 @@ options:
|
||||||
using an old key if you changed the account key with M(acme_account)."
|
using an old key if you changed the account key with M(acme_account)."
|
||||||
- "If set to C(no), C(terms_agreed) and C(account_email) are ignored."
|
- "If set to C(no), C(terms_agreed) and C(account_email) are ignored."
|
||||||
type: bool
|
type: bool
|
||||||
default: 'yes'
|
default: yes
|
||||||
version_added: "2.6"
|
version_added: "2.6"
|
||||||
challenge:
|
challenge:
|
||||||
description: The challenge to be performed.
|
description: The challenge to be performed.
|
||||||
choices: [ 'http-01', 'dns-01', 'tls-alpn-01' ]
|
type: str
|
||||||
default: 'http-01'
|
default: 'http-01'
|
||||||
|
choices: [ 'http-01', 'dns-01', 'tls-alpn-01' ]
|
||||||
csr:
|
csr:
|
||||||
description:
|
description:
|
||||||
- "File containing the CSR for the new certificate."
|
- "File containing the CSR for the new certificate."
|
||||||
|
@ -123,6 +126,7 @@ options:
|
||||||
account key. This is a bad idea from a security point of view, and
|
account key. This is a bad idea from a security point of view, and
|
||||||
the CA should not accept the CSR. The ACME server should return an
|
the CA should not accept the CSR. The ACME server should return an
|
||||||
error in this case."
|
error in this case."
|
||||||
|
type: path
|
||||||
required: true
|
required: true
|
||||||
aliases: ['src']
|
aliases: ['src']
|
||||||
data:
|
data:
|
||||||
|
@ -140,23 +144,27 @@ options:
|
||||||
as it causes error messages to be come unusable, and C(data) does
|
as it causes error messages to be come unusable, and C(data) does
|
||||||
not contain any information which can be used without having
|
not contain any information which can be used without having
|
||||||
access to the account key or which are not public anyway."
|
access to the account key or which are not public anyway."
|
||||||
|
type: dict
|
||||||
dest:
|
dest:
|
||||||
description:
|
description:
|
||||||
- "The destination file for the certificate."
|
- "The destination file for the certificate."
|
||||||
- "Required if C(fullchain_dest) is not specified."
|
- "Required if C(fullchain_dest) is not specified."
|
||||||
|
type: path
|
||||||
aliases: ['cert']
|
aliases: ['cert']
|
||||||
fullchain_dest:
|
fullchain_dest:
|
||||||
description:
|
description:
|
||||||
- "The destination file for the full chain (i.e. certificate followed
|
- "The destination file for the full chain (i.e. certificate followed
|
||||||
by chain of intermediate certificates)."
|
by chain of intermediate certificates)."
|
||||||
- "Required if C(dest) is not specified."
|
- "Required if C(dest) is not specified."
|
||||||
|
type: path
|
||||||
version_added: 2.5
|
version_added: 2.5
|
||||||
aliases: ['fullchain']
|
aliases: ['fullchain']
|
||||||
chain_dest:
|
chain_dest:
|
||||||
description:
|
description:
|
||||||
- If specified, the intermediate certificate will be written to this file.
|
- If specified, the intermediate certificate will be written to this file.
|
||||||
aliases: ['chain']
|
type: path
|
||||||
version_added: 2.5
|
version_added: 2.5
|
||||||
|
aliases: ['chain']
|
||||||
remaining_days:
|
remaining_days:
|
||||||
description:
|
description:
|
||||||
- "The number of days the certificate must have left being valid.
|
- "The number of days the certificate must have left being valid.
|
||||||
|
@ -165,6 +173,7 @@ options:
|
||||||
include C(challenge_data)."
|
include C(challenge_data)."
|
||||||
- "To make sure that the certificate is renewed in any case, you can
|
- "To make sure that the certificate is renewed in any case, you can
|
||||||
use the C(force) option."
|
use the C(force) option."
|
||||||
|
type: int
|
||||||
default: 10
|
default: 10
|
||||||
deactivate_authzs:
|
deactivate_authzs:
|
||||||
description:
|
description:
|
||||||
|
@ -175,7 +184,7 @@ options:
|
||||||
without having to re-authenticate the domain. This can be a security
|
without having to re-authenticate the domain. This can be a security
|
||||||
concern."
|
concern."
|
||||||
type: bool
|
type: bool
|
||||||
default: 'no'
|
default: no
|
||||||
version_added: 2.6
|
version_added: 2.6
|
||||||
force:
|
force:
|
||||||
description:
|
description:
|
||||||
|
@ -184,7 +193,7 @@ options:
|
||||||
- This is especially helpful when having an updated CSR e.g. with
|
- This is especially helpful when having an updated CSR e.g. with
|
||||||
additional domains for which a new certificate is desired.
|
additional domains for which a new certificate is desired.
|
||||||
type: bool
|
type: bool
|
||||||
default: 'no'
|
default: no
|
||||||
version_added: 2.6
|
version_added: 2.6
|
||||||
'''
|
'''
|
||||||
|
|
||||||
|
@ -890,24 +899,24 @@ def main():
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
account_key_src=dict(type='path', aliases=['account_key']),
|
account_key_src=dict(type='path', aliases=['account_key']),
|
||||||
account_key_content=dict(type='str', no_log=True),
|
account_key_content=dict(type='str', no_log=True),
|
||||||
account_uri=dict(required=False, type='str'),
|
account_uri=dict(type='str'),
|
||||||
modify_account=dict(required=False, type='bool', default=True),
|
modify_account=dict(type='bool', default=True),
|
||||||
acme_directory=dict(required=False, default='https://acme-staging.api.letsencrypt.org/directory', type='str'),
|
acme_directory=dict(type='str', default='https://acme-staging.api.letsencrypt.org/directory'),
|
||||||
acme_version=dict(required=False, default=1, choices=[1, 2], type='int'),
|
acme_version=dict(type='int', default=1, choices=[1, 2]),
|
||||||
validate_certs=dict(required=False, default=True, type='bool'),
|
validate_certs=dict(default=True, type='bool'),
|
||||||
account_email=dict(required=False, default=None, type='str'),
|
account_email=dict(type='str'),
|
||||||
agreement=dict(required=False, type='str'),
|
agreement=dict(type='str'),
|
||||||
terms_agreed=dict(required=False, default=False, type='bool'),
|
terms_agreed=dict(type='bool', default=False),
|
||||||
challenge=dict(required=False, default='http-01', choices=['http-01', 'dns-01', 'tls-alpn-01'], type='str'),
|
challenge=dict(type='str', default='http-01', choices=['http-01', 'dns-01', 'tls-alpn-01']),
|
||||||
csr=dict(required=True, aliases=['src'], type='path'),
|
csr=dict(type='path', required=True, aliases=['src']),
|
||||||
data=dict(required=False, default=None, type='dict'),
|
data=dict(type='dict'),
|
||||||
dest=dict(aliases=['cert'], type='path'),
|
dest=dict(type='path', aliases=['cert']),
|
||||||
fullchain_dest=dict(aliases=['fullchain'], type='path'),
|
fullchain_dest=dict(type='path', aliases=['fullchain']),
|
||||||
chain_dest=dict(required=False, default=None, aliases=['chain'], type='path'),
|
chain_dest=dict(type='path', aliases=['chain']),
|
||||||
remaining_days=dict(required=False, default=10, type='int'),
|
remaining_days=dict(type='int', default=10),
|
||||||
deactivate_authzs=dict(required=False, default=False, type='bool'),
|
deactivate_authzs=dict(type='bool', default=False),
|
||||||
force=dict(required=False, default=False, type='bool'),
|
force=dict(type='bool', default=False),
|
||||||
select_crypto_backend=dict(required=False, choices=['auto', 'openssl', 'cryptography'], default='auto', type='str'),
|
select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'openssl', 'cryptography']),
|
||||||
),
|
),
|
||||||
required_one_of=(
|
required_one_of=(
|
||||||
['account_key_src', 'account_key_content'],
|
['account_key_src', 'account_key_content'],
|
||||||
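Review bot: `validate_certs=dict(default=True, type='bool')` in the `@ -890,24` hunk keeps `type` last, whereas every other entry in this argument_spec, and the same option in the other acme modules touched by this commit, was reordered to put `type` first. Change it to `validate_certs=dict(type='bool', default=True)` so the reorder the commit message announces is applied consistently. The `AnsibleModule(...)` call continues past the hunk (only the start of `required_one_of` is visible).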
|
|
|
@ -47,6 +47,7 @@ options:
|
||||||
certificate:
|
certificate:
|
||||||
description:
|
description:
|
||||||
- "Path to the certificate to revoke."
|
- "Path to the certificate to revoke."
|
||||||
|
type: path
|
||||||
required: yes
|
required: yes
|
||||||
account_key_src:
|
account_key_src:
|
||||||
description:
|
description:
|
||||||
|
@ -57,6 +58,7 @@ options:
|
||||||
private keys in PEM format can be used as well."
|
private keys in PEM format can be used as well."
|
||||||
- "Mutually exclusive with C(account_key_content)."
|
- "Mutually exclusive with C(account_key_content)."
|
||||||
- "Required if C(account_key_content) is not used."
|
- "Required if C(account_key_content) is not used."
|
||||||
|
type: path
|
||||||
account_key_content:
|
account_key_content:
|
||||||
description:
|
description:
|
||||||
- "Content of the ACME account RSA or Elliptic Curve key."
|
- "Content of the ACME account RSA or Elliptic Curve key."
|
||||||
|
@ -71,11 +73,13 @@ options:
|
||||||
temporary file. It can still happen that it is written to disk by
|
temporary file. It can still happen that it is written to disk by
|
||||||
Ansible in the process of moving the module with its argument to
|
Ansible in the process of moving the module with its argument to
|
||||||
the node where it is executed."
|
the node where it is executed."
|
||||||
|
type: str
|
||||||
private_key_src:
|
private_key_src:
|
||||||
description:
|
description:
|
||||||
- "Path to the certificate's private key."
|
- "Path to the certificate's private key."
|
||||||
- "Note that exactly one of C(account_key_src), C(account_key_content),
|
- "Note that exactly one of C(account_key_src), C(account_key_content),
|
||||||
C(private_key_src) or C(private_key_content) must be specified."
|
C(private_key_src) or C(private_key_content) must be specified."
|
||||||
|
type: path
|
||||||
private_key_content:
|
private_key_content:
|
||||||
description:
|
description:
|
||||||
- "Content of the certificate's private key."
|
- "Content of the certificate's private key."
|
||||||
|
@ -90,6 +94,7 @@ options:
|
||||||
temporary file. It can still happen that it is written to disk by
|
temporary file. It can still happen that it is written to disk by
|
||||||
Ansible in the process of moving the module with its argument to
|
Ansible in the process of moving the module with its argument to
|
||||||
the node where it is executed."
|
the node where it is executed."
|
||||||
|
type: str
|
||||||
revoke_reason:
|
revoke_reason:
|
||||||
description:
|
description:
|
||||||
- "One of the revocation reasonCodes defined in
|
- "One of the revocation reasonCodes defined in
|
||||||
|
@ -99,6 +104,7 @@ options:
|
||||||
C(5) (cessationOfOperation), C(6) (certificateHold),
|
C(5) (cessationOfOperation), C(6) (certificateHold),
|
||||||
C(8) (removeFromCRL), C(9) (privilegeWithdrawn),
|
C(8) (removeFromCRL), C(9) (privilegeWithdrawn),
|
||||||
C(10) (aACompromise)"
|
C(10) (aACompromise)"
|
||||||
|
type: int
|
||||||
'''
|
'''
|
||||||
|
|
||||||
EXAMPLES = '''
|
EXAMPLES = '''
|
||||||
|
@ -128,15 +134,15 @@ def main():
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
account_key_src=dict(type='path', aliases=['account_key']),
|
account_key_src=dict(type='path', aliases=['account_key']),
|
||||||
account_key_content=dict(type='str', no_log=True),
|
account_key_content=dict(type='str', no_log=True),
|
||||||
account_uri=dict(required=False, type='str'),
|
account_uri=dict(type='str'),
|
||||||
acme_directory=dict(required=False, default='https://acme-staging.api.letsencrypt.org/directory', type='str'),
|
acme_directory=dict(type='str', default='https://acme-staging.api.letsencrypt.org/directory'),
|
||||||
acme_version=dict(required=False, default=1, choices=[1, 2], type='int'),
|
acme_version=dict(type='int', default=1, choices=[1, 2]),
|
||||||
validate_certs=dict(required=False, default=True, type='bool'),
|
validate_certs=dict(type='bool', default=True),
|
||||||
private_key_src=dict(type='path'),
|
private_key_src=dict(type='path'),
|
||||||
private_key_content=dict(type='str', no_log=True),
|
private_key_content=dict(type='str', no_log=True),
|
||||||
certificate=dict(required=True, type='path'),
|
certificate=dict(type='path', required=True),
|
||||||
revoke_reason=dict(required=False, type='int'),
|
revoke_reason=dict(type='int'),
|
||||||
select_crypto_backend=dict(required=False, choices=['auto', 'openssl', 'cryptography'], default='auto', type='str'),
|
select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'openssl', 'cryptography']),
|
||||||
),
|
),
|
||||||
required_one_of=(
|
required_one_of=(
|
||||||
['account_key_src', 'account_key_content', 'private_key_src', 'private_key_content'],
|
['account_key_src', 'account_key_content', 'private_key_src', 'private_key_content'],
|
||||||
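Review bot: `revoke_reason=dict(type='int')` in the `@ -128,15` hunk accepts any integer, although the option description enumerates a fixed set of reasonCodes (the visible part lists 5, 6, 8, 9 and 10; the start of the list is above the `@ -99,6` hunk). Declaring `choices=[...]` with exactly the codes the description lists would reject an unknown code at argument-parsing time rather than passing it on, and keeps the docs and the spec in step. The `main()` call continues past the hunk, so I cannot see whether the value is validated later.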
|
|
|
@ -39,22 +39,26 @@ options:
|
||||||
challenge:
|
challenge:
|
||||||
description:
|
description:
|
||||||
- "The challenge type."
|
- "The challenge type."
|
||||||
|
type: str
|
||||||
required: yes
|
required: yes
|
||||||
choices:
|
choices:
|
||||||
- tls-alpn-01
|
- tls-alpn-01
|
||||||
challenge_data:
|
challenge_data:
|
||||||
description:
|
description:
|
||||||
- "The C(challenge_data) entry provided by M(acme_certificate) for the challenge."
|
- "The C(challenge_data) entry provided by M(acme_certificate) for the challenge."
|
||||||
|
type: dict
|
||||||
required: yes
|
required: yes
|
||||||
private_key_src:
|
private_key_src:
|
||||||
description:
|
description:
|
||||||
- "Path to a file containing the private key file to use for this challenge
|
- "Path to a file containing the private key file to use for this challenge
|
||||||
certificate."
|
certificate."
|
||||||
- "Mutually exclusive with C(private_key_content)."
|
- "Mutually exclusive with C(private_key_content)."
|
||||||
|
type: path
|
||||||
private_key_content:
|
private_key_content:
|
||||||
description:
|
description:
|
||||||
- "Content of the private key to use for this challenge certificate."
|
- "Content of the private key to use for this challenge certificate."
|
||||||
- "Mutually exclusive with C(private_key_src)."
|
- "Mutually exclusive with C(private_key_src)."
|
||||||
|
type: str
|
||||||
'''
|
'''
|
||||||
|
|
||||||
EXAMPLES = '''
|
EXAMPLES = '''
|
||||||
|
@ -169,8 +173,8 @@ else:
|
||||||
def main():
|
def main():
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
challenge=dict(required=True, choices=['tls-alpn-01'], type='str'),
|
challenge=dict(type='str', required=True, choices=['tls-alpn-01']),
|
||||||
challenge_data=dict(required=True, type='dict'),
|
challenge_data=dict(type='dict', required=True),
|
||||||
private_key_src=dict(type='path'),
|
private_key_src=dict(type='path'),
|
||||||
private_key_content=dict(type='str', no_log=True),
|
private_key_content=dict(type='str', no_log=True),
|
||||||
),
|
),
|
||||||
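Review bot: The new `type: path` and `type: str` entries for `private_key_src` and `private_key_content` in the `@ -39,22` hunk only say the two options are mutually exclusive; neither states that one of them must be supplied. The `AnsibleModule(...)` call in the `@ -169,8` hunk ends outside the view, so I cannot see whether a `required_one_of` constraint exists — if it does, mirror it in the docs the way acme_certificate_revoke does with `- "Required if C(private_key_content) is not used."` under `private_key_src` and the converse under `private_key_content`. If no such constraint exists, adding one alongside the docs would turn a missing key into a clear argument error.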
|
|
|
@ -63,11 +63,12 @@ options:
|
||||||
and a regular GET request for ACME v1."
|
and a regular GET request for ACME v1."
|
||||||
- "The value C(directory-only) only retrieves the directory, without doing
|
- "The value C(directory-only) only retrieves the directory, without doing
|
||||||
a request."
|
a request."
|
||||||
|
type: str
|
||||||
|
default: get
|
||||||
choices:
|
choices:
|
||||||
- get
|
- get
|
||||||
- post
|
- post
|
||||||
- directory-only
|
- directory-only
|
||||||
default: get
|
|
||||||
content:
|
content:
|
||||||
description:
|
description:
|
||||||
- "An encoded JSON object which will be sent as the content if I(method)
|
- "An encoded JSON object which will be sent as the content if I(method)
|
||||||
|
@ -259,15 +260,15 @@ def main():
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
account_key_src=dict(type='path', aliases=['account_key']),
|
account_key_src=dict(type='path', aliases=['account_key']),
|
||||||
account_key_content=dict(type='str', no_log=True),
|
account_key_content=dict(type='str', no_log=True),
|
||||||
account_uri=dict(required=False, type='str'),
|
account_uri=dict(type='str'),
|
||||||
acme_directory=dict(required=False, default='https://acme-staging.api.letsencrypt.org/directory', type='str'),
|
acme_directory=dict(type='str', default='https://acme-staging.api.letsencrypt.org/directory'),
|
||||||
acme_version=dict(required=False, default=1, choices=[1, 2], type='int'),
|
acme_version=dict(type='int', default=1, choices=[1, 2]),
|
||||||
validate_certs=dict(required=False, default=True, type='bool'),
|
validate_certs=dict(type='bool', default=True),
|
||||||
url=dict(required=False, type='str'),
|
url=dict(type='str'),
|
||||||
method=dict(required=False, type='str', choices=['get', 'post', 'directory-only'], default='get'),
|
method=dict(type='str', choices=['get', 'post', 'directory-only'], default='get'),
|
||||||
content=dict(required=False, type='str'),
|
content=dict(type='str'),
|
||||||
fail_on_acme_error=dict(required=False, type='bool', default=True),
|
fail_on_acme_error=dict(type='bool', default=True),
|
||||||
select_crypto_backend=dict(required=False, choices=['auto', 'openssl', 'cryptography'], default='auto', type='str'),
|
select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'openssl', 'cryptography']),
|
||||||
),
|
),
|
||||||
mutually_exclusive=(
|
mutually_exclusive=(
|
||||||
['account_key_src', 'account_key_content'],
|
['account_key_src', 'account_key_content'],
|
||||||
|
|
|
@ -33,13 +33,12 @@ requirements:
|
||||||
- "cryptography >= 1.5"
|
- "cryptography >= 1.5"
|
||||||
options:
|
options:
|
||||||
input_chain:
|
input_chain:
|
||||||
required: yes
|
|
||||||
description:
|
description:
|
||||||
- A concatenated set of certificates in PEM format forming a chain.
|
- A concatenated set of certificates in PEM format forming a chain.
|
||||||
- The module will try to complete this chain.
|
- The module will try to complete this chain.
|
||||||
root_certificates:
|
type: str
|
||||||
required: yes
|
required: yes
|
||||||
type: list
|
root_certificates:
|
||||||
description:
|
description:
|
||||||
- "A list of filenames or directories."
|
- "A list of filenames or directories."
|
||||||
- "A filename is assumed to point to a file containing one or more certificates
|
- "A filename is assumed to point to a file containing one or more certificates
|
||||||
|
@ -49,19 +48,20 @@ options:
|
||||||
subdirectories will be scanned and tried to be parsed as concatenated
|
subdirectories will be scanned and tried to be parsed as concatenated
|
||||||
certificates in PEM format."
|
certificates in PEM format."
|
||||||
- "Symbolic links will be followed."
|
- "Symbolic links will be followed."
|
||||||
|
type: list
|
||||||
|
required: yes
|
||||||
intermediate_certificates:
|
intermediate_certificates:
|
||||||
required: no
|
description:
|
||||||
|
- "A list of filenames or directories."
|
||||||
|
- "A filename is assumed to point to a file containing one or more certificates
|
||||||
|
in PEM format. All certificates in this file will be added to the set of
|
||||||
|
root certificates."
|
||||||
|
- "If a directory name is given, all files in the directory and its
|
||||||
|
subdirectories will be scanned and tried to be parsed as concatenated
|
||||||
|
certificates in PEM format."
|
||||||
|
- "Symbolic links will be followed."
|
||||||
type: list
|
type: list
|
||||||
default: []
|
default: []
|
||||||
description:
|
|
||||||
- "A list of filenames or directories."
|
|
||||||
- "A filename is assumed to point to a file containing one or more certificates
|
|
||||||
in PEM format. All certificates in this file will be added to the set of
|
|
||||||
root certificates."
|
|
||||||
- "If a directory name is given, all files in the directory and its
|
|
||||||
subdirectories will be scanned and tried to be parsed as concatenated
|
|
||||||
certificates in PEM format."
|
|
||||||
- "Symbolic links will be followed."
|
|
||||||
'''
|
'''
|
||||||
|
|
||||||
|
|
||||||
|
@ -284,9 +284,9 @@ def format_cert(cert):
|
||||||
def main():
|
def main():
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
input_chain=dict(required=True, type='str'),
|
input_chain=dict(type='str', required=True),
|
||||||
root_certificates=dict(required=True, type='list', elements='path'),
|
root_certificates=dict(type='list', required=True, elements='path'),
|
||||||
intermediate_certificates=dict(required=False, type='list', elements='path', default=[]),
|
intermediate_certificates=dict(type='list', default=[], elements='path'),
|
||||||
),
|
),
|
||||||
supports_check_mode=True,
|
supports_check_mode=True,
|
||||||
)
|
)
|
||||||
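Review bot: The `intermediate_certificates` description in the `@ -49,19` hunk says certificates from the file "will be added to the set of root certificates", which appears copied from `root_certificates` and is misleading for this option; change that line to `intermediate certificates."`. In the same two doc hunks both list options get `type: list` but not the `elements: path` that `main()` declares for `root_certificates` and `intermediate_certificates`; add `elements: path` under each `type: list`. The DOCUMENTATION string begins before the first hunk.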
|
|
|
@ -22,20 +22,22 @@ options:
|
||||||
host:
|
host:
|
||||||
description:
|
description:
|
||||||
- The host to get the cert for (IP is fine)
|
- The host to get the cert for (IP is fine)
|
||||||
required: True
|
type: str
|
||||||
|
required: true
|
||||||
ca_certs:
|
ca_certs:
|
||||||
description:
|
description:
|
||||||
- A PEM file containing a list of root certificates; if present, the cert will be validated against these root certs.
|
- A PEM file containing a list of root certificates; if present, the cert will be validated against these root certs.
|
||||||
- Note that this only validates the certificate is signed by the chain; not that the cert is valid for the host presenting it.
|
- Note that this only validates the certificate is signed by the chain; not that the cert is valid for the host presenting it.
|
||||||
required: False
|
type: path
|
||||||
port:
|
port:
|
||||||
description:
|
description:
|
||||||
- The port to connect to
|
- The port to connect to
|
||||||
required: True
|
type: int
|
||||||
|
required: true
|
||||||
timeout:
|
timeout:
|
||||||
description:
|
description:
|
||||||
- The timeout in seconds
|
- The timeout in seconds
|
||||||
required: False
|
type: int
|
||||||
default: 10
|
default: 10
|
||||||
|
|
||||||
notes:
|
notes:
|
||||||
|
@ -128,10 +130,10 @@ else:
|
||||||
def main():
|
def main():
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
ca_certs=dict(required=False, type='path', default=None),
|
ca_certs=dict(type='path'),
|
||||||
host=dict(required=True),
|
host=dict(type='str', required=True),
|
||||||
port=dict(required=True, type='int'),
|
port=dict(type='int', required=True),
|
||||||
timeout=dict(required=False, type='int', default=10),
|
timeout=dict(type='int', default=10),
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
|
|
||||||
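Review bot: The `ca_certs` description (given `type: path` in the `@ -22,20` hunk) says validation happens "if present", which reads as: with `ca_certs` omitted the module performs no chain validation at all and returns whatever the peer presented. That is worth stating explicitly, e.g. `- If omitted, no validation is performed and the certificate is returned as presented by the peer.` The `main()` hunk ends before any connection code, so I cannot confirm this from the implementation here.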
|
|
|
@ -47,9 +47,9 @@ options:
|
||||||
does not exist it will be created.
|
does not exist it will be created.
|
||||||
Requires I(device) and I(keyfile) options to be provided. If
|
Requires I(device) and I(keyfile) options to be provided. If
|
||||||
container does already exist I(device) or I(name) will suffice."
|
container does already exist I(device) or I(name) will suffice."
|
||||||
|
type: str
|
||||||
default: present
|
default: present
|
||||||
choices: [present, absent, opened, closed]
|
choices: [present, absent, opened, closed]
|
||||||
type: str
|
|
||||||
name:
|
name:
|
||||||
description:
|
description:
|
||||||
- "Sets container name when I(state=opened). Can be used
|
- "Sets container name when I(state=opened). Can be used
|
||||||
|
@ -407,15 +407,12 @@ class ConditionsHandler(Handler):
|
||||||
def run_module():
|
def run_module():
|
||||||
# available arguments/parameters that a user can pass
|
# available arguments/parameters that a user can pass
|
||||||
module_args = dict(
|
module_args = dict(
|
||||||
state=dict(type='str',
|
state=dict(type='str', default='present', choices=['present', 'absent', 'opened', 'closed']),
|
||||||
choices=['present', 'absent', 'opened', 'closed'],
|
device=dict(type='str'),
|
||||||
required=False,
|
name=dict(type='str'),
|
||||||
default='present'),
|
keyfile=dict(type='path'),
|
||||||
device=dict(type='str', required=False),
|
new_keyfile=dict(type='path'),
|
||||||
name=dict(type='str', required=False),
|
remove_keyfile=dict(type='path')
|
||||||
keyfile=dict(type='path', required=False),
|
|
||||||
new_keyfile=dict(type='path', required=False),
|
|
||||||
remove_keyfile=dict(type='path', required=False)
|
|
||||||
)
|
)
|
||||||
|
|
||||||
# seed the result dict in the object
|
# seed the result dict in the object
|
||||||
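Review bot: The last entry of the rewritten module_args, `remove_keyfile=dict(type='path')`, drops the trailing comma that the other argument_spec dicts touched by this commit keep (for example `comment=dict(type='str'),` in the openssh_keypair spec); writing it as `remove_keyfile=dict(type='path'),` keeps the spec consistent and makes future additions one-line diffs. The DOCUMENTATION hunk above states that a new container needs both I(device) and I(keyfile) while an existing one accepts I(device) or I(name); that rule depends on runtime state, so it cannot be expressed with `required_if` and presumably stays enforced in the body of run_module, which continues outside the hunk.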
|
|
|
@ -26,69 +26,65 @@ requirements:
|
||||||
- "ssh-keygen"
|
- "ssh-keygen"
|
||||||
options:
|
options:
|
||||||
state:
|
state:
|
||||||
required: false
|
|
||||||
default: "present"
|
|
||||||
choices: [ 'present', 'absent' ]
|
|
||||||
description:
|
description:
|
||||||
- Whether the host or user certificate should exist or not, taking action if the state is different from what is stated.
|
- Whether the host or user certificate should exist or not, taking action if the state is different from what is stated.
|
||||||
|
type: str
|
||||||
|
default: "present"
|
||||||
|
choices: [ 'present', 'absent' ]
|
||||||
type:
|
type:
|
||||||
required: true
|
|
||||||
choices: ['host', 'user']
|
|
||||||
description:
|
description:
|
||||||
- Whether the module should generate a host or a user certificate.
|
- Whether the module should generate a host or a user certificate.
|
||||||
|
type: str
|
||||||
|
required: true
|
||||||
|
choices: ['host', 'user']
|
||||||
force:
|
force:
|
||||||
required: false
|
|
||||||
default: false
|
|
||||||
type: bool
|
|
||||||
description:
|
description:
|
||||||
- Should the certificate be regenerated even if it already exists and is valid.
|
- Should the certificate be regenerated even if it already exists and is valid.
|
||||||
|
type: bool
|
||||||
|
default: false
|
||||||
path:
|
path:
|
||||||
required: true
|
|
||||||
type: path
|
|
||||||
description:
|
description:
|
||||||
- Path of the file containing the certificate.
|
- Path of the file containing the certificate.
|
||||||
signing_key:
|
|
||||||
required: true
|
|
||||||
type: path
|
type: path
|
||||||
|
required: true
|
||||||
|
signing_key:
|
||||||
description:
|
description:
|
||||||
- The path to the private openssh key that is used for signing the public key in order to generate the certificate.
|
- The path to the private openssh key that is used for signing the public key in order to generate the certificate.
|
||||||
public_key:
|
|
||||||
required: true
|
|
||||||
type: path
|
type: path
|
||||||
|
required: true
|
||||||
|
public_key:
|
||||||
description:
|
description:
|
||||||
- The path to the public key that will be signed with the signing key in order to generate the certificate.
|
- The path to the public key that will be signed with the signing key in order to generate the certificate.
|
||||||
valid_from:
|
type: path
|
||||||
required: true
|
required: true
|
||||||
type: str
|
valid_from:
|
||||||
description:
|
description:
|
||||||
- "The point in time the certificate is valid from. Time can be specified either as relative time or as absolute timestamp.
|
- "The point in time the certificate is valid from. Time can be specified either as relative time or as absolute timestamp.
|
||||||
Time will always be interpreted as UTC. Valid formats are: C([+-]timespec | YYYY-MM-DD | YYYY-MM-DDTHH:MM:SS | YYYY-MM-DD HH:MM:SS | always)
|
Time will always be interpreted as UTC. Valid formats are: C([+-]timespec | YYYY-MM-DD | YYYY-MM-DDTHH:MM:SS | YYYY-MM-DD HH:MM:SS | always)
|
||||||
where timespec can be an integer + C([w | d | h | m | s]) (e.g. C(+32w1d2h).
|
where timespec can be an integer + C([w | d | h | m | s]) (e.g. C(+32w1d2h).
|
||||||
Note that if using relative time this module is NOT idempotent."
|
Note that if using relative time this module is NOT idempotent."
|
||||||
valid_to:
|
|
||||||
required: true
|
|
||||||
type: str
|
type: str
|
||||||
|
required: true
|
||||||
|
valid_to:
|
||||||
description:
|
description:
|
||||||
- "The point in time the certificate is valid to. Time can be specified either as relative time or as absolute timestamp.
|
- "The point in time the certificate is valid to. Time can be specified either as relative time or as absolute timestamp.
|
||||||
Time will always be interpreted as UTC. Valid formats are: C([+-]timespec | YYYY-MM-DD | YYYY-MM-DDTHH:MM:SS | YYYY-MM-DD HH:MM:SS | forever)
|
Time will always be interpreted as UTC. Valid formats are: C([+-]timespec | YYYY-MM-DD | YYYY-MM-DDTHH:MM:SS | YYYY-MM-DD HH:MM:SS | forever)
|
||||||
where timespec can be an integer + C([w | d | h | m | s]) (e.g. C(+32w1d2h).
|
where timespec can be an integer + C([w | d | h | m | s]) (e.g. C(+32w1d2h).
|
||||||
Note that if using relative time this module is NOT idempotent."
|
Note that if using relative time this module is NOT idempotent."
|
||||||
valid_at:
|
|
||||||
required: false
|
|
||||||
type: str
|
type: str
|
||||||
|
required: true
|
||||||
|
valid_at:
|
||||||
description:
|
description:
|
||||||
- "Check if the certificate is valid at a certain point in time. If it is not the certificate will be regenerated.
|
- "Check if the certificate is valid at a certain point in time. If it is not the certificate will be regenerated.
|
||||||
Time will always be interpreted as UTC. Mainly to be used with relative timespec for I(valid_from) and / or I(valid_to).
|
Time will always be interpreted as UTC. Mainly to be used with relative timespec for I(valid_from) and / or I(valid_to).
|
||||||
Note that if using relative time this module is NOT idempotent."
|
Note that if using relative time this module is NOT idempotent."
|
||||||
|
type: str
|
||||||
principals:
|
principals:
|
||||||
required: false
|
|
||||||
type: list
|
|
||||||
description:
|
description:
|
||||||
- "Certificates may be limited to be valid for a set of principal (user/host) names.
|
- "Certificates may be limited to be valid for a set of principal (user/host) names.
|
||||||
By default, generated certificates are valid for all users or hosts."
|
By default, generated certificates are valid for all users or hosts."
|
||||||
options:
|
|
||||||
required: false
|
|
||||||
type: list
|
type: list
|
||||||
|
options:
|
||||||
description:
|
description:
|
||||||
- "Specify certificate options when signing a key. The option that are valid for user certificates are:"
|
- "Specify certificate options when signing a key. The option that are valid for user certificates are:"
|
||||||
- "C(clear): Clear all enabled permissions. This is useful for clearing the default set of permissions so permissions may be added individually."
|
- "C(clear): Clear all enabled permissions. This is useful for clearing the default set of permissions so permissions may be added individually."
|
||||||
|
@ -107,12 +103,11 @@ options:
|
||||||
- "C(source-address=address_list): Restrict the source addresses from which the certificate is considered valid.
|
- "C(source-address=address_list): Restrict the source addresses from which the certificate is considered valid.
|
||||||
The C(address_list) is a comma-separated list of one or more address/netmask pairs in CIDR format."
|
The C(address_list) is a comma-separated list of one or more address/netmask pairs in CIDR format."
|
||||||
- "At present, no options are valid for host keys."
|
- "At present, no options are valid for host keys."
|
||||||
|
type: list
|
||||||
identifier:
|
identifier:
|
||||||
required: false
|
|
||||||
type: str
|
|
||||||
description:
|
description:
|
||||||
- Specify the key identity when signing a public key. The identifier that is logged by the server when the certificate is used for authentication.
|
- Specify the key identity when signing a public key. The identifier that is logged by the server when the certificate is used for authentication.
|
||||||
|
type: str
|
||||||
|
|
||||||
extends_documentation_fragment: files
|
extends_documentation_fragment: files
|
||||||
'''
|
'''
|
||||||
|
|
|
@ -28,40 +28,40 @@ requirements:
|
||||||
- "ssh-keygen"
|
- "ssh-keygen"
|
||||||
options:
|
options:
|
||||||
state:
|
state:
|
||||||
required: false
|
|
||||||
default: present
|
|
||||||
choices: [ present, absent ]
|
|
||||||
description:
|
description:
|
||||||
- Whether the private and public keys should exist or not, taking action if the state is different from what is stated.
|
- Whether the private and public keys should exist or not, taking action if the state is different from what is stated.
|
||||||
|
type: str
|
||||||
|
default: present
|
||||||
|
choices: [ present, absent ]
|
||||||
size:
|
size:
|
||||||
required: false
|
|
||||||
description:
|
description:
|
||||||
- "Specifies the number of bits in the private key to create. For RSA keys, the minimum size is 1024 bits and the default is 4096 bits.
|
- "Specifies the number of bits in the private key to create. For RSA keys, the minimum size is 1024 bits and the default is 4096 bits.
|
||||||
Generally, 2048 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
|
Generally, 2048 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
|
||||||
For ECDSA keys, size determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits.
|
For ECDSA keys, size determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits.
|
||||||
Attempting to use bit lengths other than these three values for ECDSA keys will cause this module to fail.
|
Attempting to use bit lengths other than these three values for ECDSA keys will cause this module to fail.
|
||||||
Ed25519 keys have a fixed length and the size will be ignored."
|
Ed25519 keys have a fixed length and the size will be ignored."
|
||||||
|
type: int
|
||||||
type:
|
type:
|
||||||
required: false
|
|
||||||
default: rsa
|
|
||||||
choices: ['rsa', 'dsa', 'rsa1', 'ecdsa', 'ed25519']
|
|
||||||
description:
|
description:
|
||||||
- "The algorithm used to generate the SSH private key. C(rsa1) is for protocol version 1.
|
- "The algorithm used to generate the SSH private key. C(rsa1) is for protocol version 1.
|
||||||
C(rsa1) is deprecated and may not be supported by every version of ssh-keygen."
|
C(rsa1) is deprecated and may not be supported by every version of ssh-keygen."
|
||||||
|
type: str
|
||||||
|
default: rsa
|
||||||
|
choices: ['rsa', 'dsa', 'rsa1', 'ecdsa', 'ed25519']
|
||||||
force:
|
force:
|
||||||
required: false
|
|
||||||
default: false
|
|
||||||
type: bool
|
|
||||||
description:
|
description:
|
||||||
- Should the key be regenerated even if it already exists
|
- Should the key be regenerated even if it already exists
|
||||||
|
type: bool
|
||||||
|
default: false
|
||||||
path:
|
path:
|
||||||
required: true
|
|
||||||
description:
|
description:
|
||||||
- Name of the files containing the public and private key. The file containing the public key will have the extension C(.pub).
|
- Name of the files containing the public and private key. The file containing the public key will have the extension C(.pub).
|
||||||
|
type: path
|
||||||
|
required: true
|
||||||
comment:
|
comment:
|
||||||
required: false
|
|
||||||
description:
|
description:
|
||||||
- Provides a new comment to the public key. When checking if the key is in the correct state this will be ignored.
|
- Provides a new comment to the public key. When checking if the key is in the correct state this will be ignored.
|
||||||
|
type: str
|
||||||
|
|
||||||
extends_documentation_fragment: files
|
extends_documentation_fragment: files
|
||||||
'''
|
'''
|
||||||
|
@ -260,11 +260,11 @@ def main():
|
||||||
# Define Ansible Module
|
# Define Ansible Module
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
state=dict(default='present', choices=['present', 'absent'], type='str'),
|
state=dict(type='str', default='present', choices=['present', 'absent']),
|
||||||
size=dict(type='int'),
|
size=dict(type='int'),
|
||||||
type=dict(default='rsa', choices=['rsa', 'dsa', 'rsa1', 'ecdsa', 'ed25519'], type='str'),
|
type=dict(type='str', default='rsa', choices=['rsa', 'dsa', 'rsa1', 'ecdsa', 'ed25519']),
|
||||||
force=dict(default=False, type='bool'),
|
force=dict(type='bool', default=False),
|
||||||
path=dict(required=True, type='path'),
|
path=dict(type='path', required=True),
|
||||||
comment=dict(type='str'),
|
comment=dict(type='str'),
|
||||||
),
|
),
|
||||||
supports_check_mode=True,
|
supports_check_mode=True,
|
||||||
|
|
|
@ -40,8 +40,8 @@ options:
|
||||||
description:
|
description:
|
||||||
- Whether the certificate should exist or not, taking action if the state is different from what is stated.
|
- Whether the certificate should exist or not, taking action if the state is different from what is stated.
|
||||||
type: str
|
type: str
|
||||||
choices: [ absent, present ]
|
|
||||||
default: present
|
default: present
|
||||||
|
choices: [ absent, present ]
|
||||||
|
|
||||||
path:
|
path:
|
||||||
description:
|
description:
|
||||||
|
@ -53,8 +53,8 @@ options:
|
||||||
description:
|
description:
|
||||||
- Name of the provider to use to generate/retrieve the OpenSSL certificate.
|
- Name of the provider to use to generate/retrieve the OpenSSL certificate.
|
||||||
- The C(assertonly) provider will not generate files and fail if the certificate file is missing.
|
- The C(assertonly) provider will not generate files and fail if the certificate file is missing.
|
||||||
required: true
|
|
||||||
type: str
|
type: str
|
||||||
|
required: true
|
||||||
choices: [ acme, assertonly, ownca, selfsigned ]
|
choices: [ acme, assertonly, ownca, selfsigned ]
|
||||||
|
|
||||||
force:
|
force:
|
||||||
|
@ -312,6 +312,7 @@ options:
|
||||||
type: bool
|
type: bool
|
||||||
default: no
|
default: no
|
||||||
aliases: [ subjectAltName_strict ]
|
aliases: [ subjectAltName_strict ]
|
||||||
|
|
||||||
extends_documentation_fragment: files
|
extends_documentation_fragment: files
|
||||||
notes:
|
notes:
|
||||||
- All ASN.1 TIME values should be specified following the YYYYMMDDHHMMSSZ pattern.
|
- All ASN.1 TIME values should be specified following the YYYYMMDDHHMMSSZ pattern.
|
||||||
|
@ -1051,7 +1052,7 @@ class AcmeCertificate(Certificate):
|
||||||
def main():
|
def main():
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
state=dict(type='str', choices=['present', 'absent'], default='present'),
|
state=dict(type='str', default='present', choices=['present', 'absent']),
|
||||||
path=dict(type='path', required=True),
|
path=dict(type='path', required=True),
|
||||||
provider=dict(type='str', choices=['acme', 'assertonly', 'ownca', 'selfsigned']),
|
provider=dict(type='str', choices=['acme', 'assertonly', 'ownca', 'selfsigned']),
|
||||||
force=dict(type='bool', default=False,),
|
force=dict(type='bool', default=False,),
|
||||||
|
@ -1082,10 +1083,8 @@ def main():
|
||||||
# provider: selfsigned
|
# provider: selfsigned
|
||||||
selfsigned_version=dict(type='int', default=3),
|
selfsigned_version=dict(type='int', default=3),
|
||||||
selfsigned_digest=dict(type='str', default='sha256'),
|
selfsigned_digest=dict(type='str', default='sha256'),
|
||||||
selfsigned_not_before=dict(
|
selfsigned_not_before=dict(type='str', default='+0s', aliases=['selfsigned_notBefore']),
|
||||||
type='str', default='+0s', aliases=['selfsigned_notBefore']),
|
selfsigned_not_after=dict(type='str', default='+3650d', aliases=['selfsigned_notAfter']),
|
||||||
selfsigned_not_after=dict(
|
|
||||||
type='str', default='+3650d', aliases=['selfsigned_notAfter']),
|
|
||||||
|
|
||||||
# provider: ownca
|
# provider: ownca
|
||||||
ownca_path=dict(type='path'),
|
ownca_path=dict(type='path'),
|
||||||
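Review bot: The DOCUMENTATION block still declares `provider` as `required: true` (the `@ -53,8` hunk only reorders that line), but the unchanged argument_spec entry in the `@ -1051` hunk, `provider=dict(type='str', choices=['acme', 'assertonly', 'ownca', 'selfsigned']),`, carries no `required=True`, so AnsibleModule itself will not reject a task that omits the provider. Unless main() enforces this further down (its body continues outside the hunk, e.g. via `required_if` on state), the two should be reconciled: either `provider=dict(type='str', required=True, choices=['acme', 'assertonly', 'ownca', 'selfsigned']),` or dropping `required: true` from the docs. Docs and spec disagreeing on requiredness is exactly what the validate-modules sanity test flags, so it is worth settling in this commit.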
|
|
|
@ -31,9 +31,8 @@ options:
|
||||||
description:
|
description:
|
||||||
- Whether the certificate signing request should exist or not, taking action if the state is different from what is stated.
|
- Whether the certificate signing request should exist or not, taking action if the state is different from what is stated.
|
||||||
type: str
|
type: str
|
||||||
required: false
|
|
||||||
choices: [ absent, present ]
|
|
||||||
default: present
|
default: present
|
||||||
|
choices: [ absent, present ]
|
||||||
digest:
|
digest:
|
||||||
description:
|
description:
|
||||||
- The digest used when signing the certificate signing request with the private key.
|
- The digest used when signing the certificate signing request with the private key.
|
||||||
|
@ -127,8 +126,8 @@ options:
|
||||||
C(subject_alt_name) with C(DNS:) prefix if no SAN is specified.
|
C(subject_alt_name) with C(DNS:) prefix if no SAN is specified.
|
||||||
type: bool
|
type: bool
|
||||||
default: yes
|
default: yes
|
||||||
aliases: [ useCommonNameForSAN ]
|
|
||||||
version_added: '2.8'
|
version_added: '2.8'
|
||||||
|
aliases: [ useCommonNameForSAN ]
|
||||||
key_usage:
|
key_usage:
|
||||||
description:
|
description:
|
||||||
- This defines the purpose (e.g. encipherment, signature, certificate signing)
|
- This defines the purpose (e.g. encipherment, signature, certificate signing)
|
||||||
|
@ -155,21 +154,21 @@ options:
|
||||||
description:
|
description:
|
||||||
- Indicates basic constraints, such as if the certificate is a CA.
|
- Indicates basic constraints, such as if the certificate is a CA.
|
||||||
type: list
|
type: list
|
||||||
aliases: [ basicConstraints ]
|
|
||||||
version_added: '2.5'
|
version_added: '2.5'
|
||||||
|
aliases: [ basicConstraints ]
|
||||||
basic_constraints_critical:
|
basic_constraints_critical:
|
||||||
description:
|
description:
|
||||||
- Should the basicConstraints extension be considered as critical.
|
- Should the basicConstraints extension be considered as critical.
|
||||||
type: bool
|
type: bool
|
||||||
aliases: [ basicConstraints_critical ]
|
|
||||||
version_added: '2.5'
|
version_added: '2.5'
|
||||||
|
aliases: [ basicConstraints_critical ]
|
||||||
ocsp_must_staple:
|
ocsp_must_staple:
|
||||||
description:
|
description:
|
||||||
- Indicates that the certificate should contain the OCSP Must Staple
|
- Indicates that the certificate should contain the OCSP Must Staple
|
||||||
extension (U(https://tools.ietf.org/html/rfc7633)).
|
extension (U(https://tools.ietf.org/html/rfc7633)).
|
||||||
type: bool
|
type: bool
|
||||||
aliases: [ ocspMustStaple ]
|
|
||||||
version_added: '2.5'
|
version_added: '2.5'
|
||||||
|
aliases: [ ocspMustStaple ]
|
||||||
ocsp_must_staple_critical:
|
ocsp_must_staple_critical:
|
||||||
description:
|
description:
|
||||||
- Should the OCSP Must Staple extension be considered as critical
|
- Should the OCSP Must Staple extension be considered as critical
|
||||||
|
@ -178,8 +177,8 @@ options:
|
||||||
are required to reject such certificates
|
are required to reject such certificates
|
||||||
(see U(https://tools.ietf.org/html/rfc7633#section-4)).
|
(see U(https://tools.ietf.org/html/rfc7633#section-4)).
|
||||||
type: bool
|
type: bool
|
||||||
aliases: [ ocspMustStaple_critical ]
|
|
||||||
version_added: '2.5'
|
version_added: '2.5'
|
||||||
|
aliases: [ ocspMustStaple_critical ]
|
||||||
select_crypto_backend:
|
select_crypto_backend:
|
||||||
description:
|
description:
|
||||||
- Determines which crypto backend to use.
|
- Determines which crypto backend to use.
|
||||||
|
@ -187,8 +186,8 @@ options:
|
||||||
- If set to C(pyopenssl), will try to use the L(pyOpenSSL,https://pypi.org/project/pyOpenSSL/) library.
|
- If set to C(pyopenssl), will try to use the L(pyOpenSSL,https://pypi.org/project/pyOpenSSL/) library.
|
||||||
- If set to C(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
|
- If set to C(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
|
||||||
type: str
|
type: str
|
||||||
choices: [ auto, cryptography, pyopenssl ]
|
|
||||||
default: auto
|
default: auto
|
||||||
|
choices: [ auto, cryptography, pyopenssl ]
|
||||||
version_added: '2.8'
|
version_added: '2.8'
|
||||||
extends_documentation_fragment:
|
extends_documentation_fragment:
|
||||||
- files
|
- files
|
||||||
|
|
|
@ -29,8 +29,8 @@ options:
|
||||||
- Whether the parameters should exist or not,
|
- Whether the parameters should exist or not,
|
||||||
taking action if the state is different from what is stated.
|
taking action if the state is different from what is stated.
|
||||||
type: str
|
type: str
|
||||||
choices: [ absent, present ]
|
|
||||||
default: present
|
default: present
|
||||||
|
choices: [ absent, present ]
|
||||||
size:
|
size:
|
||||||
description:
|
description:
|
||||||
- Size (in bits) of the generated DH-params.
|
- Size (in bits) of the generated DH-params.
|
||||||
|
|
|
@ -26,8 +26,9 @@ options:
|
||||||
action:
|
action:
|
||||||
description:
|
description:
|
||||||
- C(export) or C(parse) a PKCS#12.
|
- C(export) or C(parse) a PKCS#12.
|
||||||
choices: [ export, parse ]
|
type: str
|
||||||
default: export
|
default: export
|
||||||
|
choices: [ export, parse ]
|
||||||
ca_certificates:
|
ca_certificates:
|
||||||
description:
|
description:
|
||||||
- List of CA certificate to include.
|
- List of CA certificate to include.
|
||||||
|
@ -65,7 +66,7 @@ options:
|
||||||
description:
|
description:
|
||||||
- Filename to write the PKCS#12 file to.
|
- Filename to write the PKCS#12 file to.
|
||||||
type: path
|
type: path
|
||||||
required: True
|
required: true
|
||||||
privatekey_passphrase:
|
privatekey_passphrase:
|
||||||
description:
|
description:
|
||||||
- Passphrase source to decrypt any input private keys with.
|
- Passphrase source to decrypt any input private keys with.
|
||||||
|
@ -80,6 +81,7 @@ options:
|
||||||
All parameters except C(path) are ignored when state is C(absent).
|
All parameters except C(path) are ignored when state is C(absent).
|
||||||
choices: [ absent, present ]
|
choices: [ absent, present ]
|
||||||
default: present
|
default: present
|
||||||
|
type: str
|
||||||
src:
|
src:
|
||||||
description:
|
description:
|
||||||
- PKCS#12 file path to parse.
|
- PKCS#12 file path to parse.
|
||||||
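Review bot: In the `@ -80,6` hunk the new `type: str` line for the `state` option is inserted after `choices: [ absent, present ]` and `default: present`, while the `action` option in the first hunk of this file (and every other option reordered by this commit) places the type line before `default` and `choices`. For consistency with the stated "reorder option docs" intent, the block should read `type: str`, then `default: present`, then `choices: [ absent, present ]`.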
|
|
|
@ -37,8 +37,8 @@ options:
|
||||||
description:
|
description:
|
||||||
- Whether the private key should exist or not, taking action if the state is different from what is stated.
|
- Whether the private key should exist or not, taking action if the state is different from what is stated.
|
||||||
type: str
|
type: str
|
||||||
choices: [ absent, present ]
|
|
||||||
default: present
|
default: present
|
||||||
|
choices: [ absent, present ]
|
||||||
size:
|
size:
|
||||||
description:
|
description:
|
||||||
- Size (in bits) of the TLS/SSL key to generate.
|
- Size (in bits) of the TLS/SSL key to generate.
|
||||||
|
@ -50,9 +50,9 @@ options:
|
||||||
- Note that C(ECC) requires the C(cryptography) backend.
|
- Note that C(ECC) requires the C(cryptography) backend.
|
||||||
- Depending on the curve, you need a newer version of the cryptography backend.
|
- Depending on the curve, you need a newer version of the cryptography backend.
|
||||||
type: str
|
type: str
|
||||||
|
default: RSA
|
||||||
#choices: [ DSA, ECC, RSA, X448, X25519 ]
|
#choices: [ DSA, ECC, RSA, X448, X25519 ]
|
||||||
choices: [ DSA, ECC, RSA ]
|
choices: [ DSA, ECC, RSA ]
|
||||||
default: RSA
|
|
||||||
curve:
|
curve:
|
||||||
description:
|
description:
|
||||||
- Note that not all curves are supported by all versions of C(cryptography).
|
- Note that not all curves are supported by all versions of C(cryptography).
|
||||||
|
@ -108,8 +108,8 @@ options:
|
||||||
- If set to C(pyopenssl), will try to use the L(pyOpenSSL,https://pypi.org/project/pyOpenSSL/) library.
|
- If set to C(pyopenssl), will try to use the L(pyOpenSSL,https://pypi.org/project/pyOpenSSL/) library.
|
||||||
- If set to C(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
|
- If set to C(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
|
||||||
type: str
|
type: str
|
||||||
choices: [ auto, cryptography, pyopenssl ]
|
|
||||||
default: auto
|
default: auto
|
||||||
|
choices: [ auto, cryptography, pyopenssl ]
|
||||||
version_added: "2.8"
|
version_added: "2.8"
|
||||||
extends_documentation_fragment:
|
extends_documentation_fragment:
|
||||||
- files
|
- files
|
||||||
|
@ -551,25 +551,25 @@ def main():
|
||||||
|
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
state=dict(default='present', choices=['present', 'absent'], type='str'),
|
state=dict(type='str', default='present', choices=['present', 'absent']),
|
||||||
size=dict(default=4096, type='int'),
|
size=dict(type='int', default=4096),
|
||||||
type=dict(default='RSA', choices=[
|
type=dict(type='str', default='RSA', choices=[
|
||||||
'RSA', 'DSA', 'ECC',
|
'RSA', 'DSA', 'ECC',
|
||||||
# x25519 is missing serialization functions: https://github.com/pyca/cryptography/issues/4386
|
# x25519 is missing serialization functions: https://github.com/pyca/cryptography/issues/4386
|
||||||
# x448 is also missing it: https://github.com/pyca/cryptography/pull/4580#issuecomment-437913340
|
# x448 is also missing it: https://github.com/pyca/cryptography/pull/4580#issuecomment-437913340
|
||||||
# 'X448', 'X25519',
|
# 'X448', 'X25519',
|
||||||
], type='str'),
|
]),
|
||||||
curve=dict(choices=[
|
curve=dict(type='str', choices=[
|
||||||
'secp384r1', 'secp521r1', 'secp224r1', 'secp192r1', 'secp256k1',
|
'secp384r1', 'secp521r1', 'secp224r1', 'secp192r1', 'secp256k1',
|
||||||
'brainpoolP256r1', 'brainpoolP384r1', 'brainpoolP512r1',
|
'brainpoolP256r1', 'brainpoolP384r1', 'brainpoolP512r1',
|
||||||
'sect571k1', 'sect409k1', 'sect283k1', 'sect233k1', 'sect163k1',
|
'sect571k1', 'sect409k1', 'sect283k1', 'sect233k1', 'sect163k1',
|
||||||
'sect571r1', 'sect409r1', 'sect283r1', 'sect233r1', 'sect163r2',
|
'sect571r1', 'sect409r1', 'sect283r1', 'sect233r1', 'sect163r2',
|
||||||
], type='str'),
|
]),
|
||||||
force=dict(default=False, type='bool'),
|
force=dict(type='bool', default=False),
|
||||||
path=dict(required=True, type='path'),
|
path=dict(type='path', required=True),
|
||||||
passphrase=dict(type='str', no_log=True),
|
passphrase=dict(type='str', no_log=True),
|
||||||
cipher=dict(type='str'),
|
cipher=dict(type='str'),
|
||||||
select_crypto_backend=dict(required=False, choices=['auto', 'pyopenssl', 'cryptography'], default='auto', type='str'),
|
select_crypto_backend=dict(type='str', choices=['auto', 'pyopenssl', 'cryptography'], default='auto'),
|
||||||
),
|
),
|
||||||
supports_check_mode=True,
|
supports_check_mode=True,
|
||||||
add_file_common_args=True,
|
add_file_common_args=True,
|
||||||
|
|
|
@ -30,8 +30,8 @@ options:
|
||||||
description:
|
description:
|
||||||
- Whether the public key should exist or not, taking action if the state is different from what is stated.
|
- Whether the public key should exist or not, taking action if the state is different from what is stated.
|
||||||
type: str
|
type: str
|
||||||
choices: [ absent, present ]
|
|
||||||
default: present
|
default: present
|
||||||
|
choices: [ absent, present ]
|
||||||
force:
|
force:
|
||||||
description:
|
description:
|
||||||
- Should the key be regenerated even it it already exists.
|
- Should the key be regenerated even it it already exists.
|
||||||
|
@ -41,8 +41,8 @@ options:
|
||||||
description:
|
description:
|
||||||
- The format of the public key.
|
- The format of the public key.
|
||||||
type: str
|
type: str
|
||||||
choices: [ OpenSSH, PEM ]
|
|
||||||
default: PEM
|
default: PEM
|
||||||
|
choices: [ OpenSSH, PEM ]
|
||||||
version_added: "2.4"
|
version_added: "2.4"
|
||||||
path:
|
path:
|
||||||
description:
|
description:
|
||||||
|
|
|
@ -33,6 +33,7 @@ options:
|
||||||
private keys in PEM format can be used as well."
|
private keys in PEM format can be used as well."
|
||||||
- "Mutually exclusive with C(account_key_content)."
|
- "Mutually exclusive with C(account_key_content)."
|
||||||
- "Required if C(account_key_content) is not used."
|
- "Required if C(account_key_content) is not used."
|
||||||
|
type: path
|
||||||
aliases: [ account_key ]
|
aliases: [ account_key ]
|
||||||
account_key_content:
|
account_key_content:
|
||||||
description:
|
description:
|
||||||
|
@ -48,18 +49,21 @@ options:
|
||||||
temporary file. It can still happen that it is written to disk by
|
temporary file. It can still happen that it is written to disk by
|
||||||
Ansible in the process of moving the module with its argument to
|
Ansible in the process of moving the module with its argument to
|
||||||
the node where it is executed."
|
the node where it is executed."
|
||||||
|
type: str
|
||||||
version_added: "2.5"
|
version_added: "2.5"
|
||||||
account_uri:
|
account_uri:
|
||||||
description:
|
description:
|
||||||
- "If specified, assumes that the account URI is as given. If the
|
- "If specified, assumes that the account URI is as given. If the
|
||||||
account key does not match this account, or an account with this
|
account key does not match this account, or an account with this
|
||||||
URI does not exist, the module fails."
|
URI does not exist, the module fails."
|
||||||
|
type: str
|
||||||
version_added: "2.7"
|
version_added: "2.7"
|
||||||
acme_version:
|
acme_version:
|
||||||
description:
|
description:
|
||||||
- "The ACME version of the endpoint."
|
- "The ACME version of the endpoint."
|
||||||
- "Must be 1 for the classic Let's Encrypt ACME endpoint, or 2 for the
|
- "Must be 1 for the classic Let's Encrypt ACME endpoint, or 2 for the
|
||||||
new standardized ACME v2 endpoint."
|
new standardized ACME v2 endpoint."
|
||||||
|
type: int
|
||||||
default: 1
|
default: 1
|
||||||
choices: [1, 2]
|
choices: [1, 2]
|
||||||
version_added: "2.5"
|
version_added: "2.5"
|
||||||
|
@ -78,6 +82,7 @@ options:
|
||||||
- "I(Warning): So far, the module has only been tested against Let's Encrypt
|
- "I(Warning): So far, the module has only been tested against Let's Encrypt
|
||||||
(staging and production) and against the
|
(staging and production) and against the
|
||||||
L(Pebble testing server,https://github.com/letsencrypt/Pebble)."
|
L(Pebble testing server,https://github.com/letsencrypt/Pebble)."
|
||||||
|
type: str
|
||||||
default: https://acme-staging.api.letsencrypt.org/directory
|
default: https://acme-staging.api.letsencrypt.org/directory
|
||||||
validate_certs:
|
validate_certs:
|
||||||
description:
|
description:
|
||||||
|
@ -85,7 +90,7 @@ options:
|
||||||
- "I(Warning): Should I(only ever) be set to C(no) for testing purposes,
|
- "I(Warning): Should I(only ever) be set to C(no) for testing purposes,
|
||||||
for example when testing against a local Pebble server."
|
for example when testing against a local Pebble server."
|
||||||
type: bool
|
type: bool
|
||||||
default: 'yes'
|
default: yes
|
||||||
version_added: "2.5"
|
version_added: "2.5"
|
||||||
select_crypto_backend:
|
select_crypto_backend:
|
||||||
description:
|
description:
|
||||||
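Review bot: `account_key_content` now gets `type: str` in the `@ -48,18` hunk, and its own description notes that the key material can still end up on disk when Ansible ships the module arguments to the target; since this fragment carries no `no_log` marker (docs cannot), the argument_spec entries that consume it are where that protection must live, and they are not part of this diff. Please confirm the corresponding `account_key_content=dict(type='str', no_log=True)` entry exists in each module using this fragment, so the private key does not surface in logs or verbose output. The `validate_certs` default change from the quoted `'yes'` to the bare boolean `yes` in the last hunk is correct for a `type: bool` option.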
|
|