ansible-collections/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2025-06-28 03:00:23 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

ACME certificate revocation: add support for new draft-14 error message (#43980)

Browse source 
* Adding support for new certificate-already-revoked error message in draft-14.

* Updating documentation.

* Fixing typo.
This commit is contained in:
Felix Fontein 2018-08-12 10:29:48 +02:00 committed by ansibot
parent 231961564a
commit 7f41f0168a
1 changed files with 20 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

32
lib/ansible/modules/web_infrastructure/acme_certificate_revoke.py
View file

@ -26,13 +26,11 @@ description:
L(Let's Encrypt,https://letsencrypt.org/)." L(Let's Encrypt,https://letsencrypt.org/)."
- "Note that exactly one of C(account_key_src), C(account_key_content), - "Note that exactly one of C(account_key_src), C(account_key_content),
C(private_key_src) or C(private_key_content) must be specified." C(private_key_src) or C(private_key_content) must be specified."
- "Also note that in general, trying to revoke an already revoked - "Also note that trying to revoke an already revoked certificate
certificate will lead to an error. The module tries to detect some should result in an unchanged status, even if the revocation reason
common error messages (for example, the ones issued by was different than the one specified here. Also, depending on the
L(Let's Encrypt,https://letsencrypt.org/)'s server, it can happen that some other error is returned if the
L(Boulder,https://github.com/letsencrypt/boulder/) software), but certificate has already been revoked."
this might stop working and probably will not work for other server
softwares."
extends_documentation_fragment: extends_documentation_fragment:
- acme - acme
options: options:
@ -193,12 +191,22 @@ def main():
# Step 2: sign revokation request with account key # Step 2: sign revokation request with account key
result, info = account.send_signed_request(endpoint, payload) result, info = account.send_signed_request(endpoint, payload)
if info['status'] != 200: if info['status'] != 200:
if module.params.get('acme_version') == 1: already_revoked = False
error_type = 'urn:acme:error:malformed' # Standarized error in draft 14 (https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-7.6)
if result.get('type') == 'urn:ietf:params:acme:error:alreadyRevoked':
already_revoked = True
else: else:
error_type = 'urn:ietf:params:acme:error:malformed' # Hack for Boulder errors
if result.get('type') == error_type and result.get('detail') == 'Certificate already revoked': if module.params.get('acme_version') == 1:
# Fallback: boulder returns this in case the certificate was already revoked. error_type = 'urn:acme:error:malformed'
else:
error_type = 'urn:ietf:params:acme:error:malformed'
if result.get('type') == error_type and result.get('detail') == 'Certificate already revoked':
# Fallback: boulder returns this in case the certificate was already revoked.
already_revoked = True
# If we know the certificate was already revoked, we don't fail,
# but successfully terminate while indicating no change
if already_revoked:
module.exit_json(changed=False) module.exit_json(changed=False)
raise ModuleFailException('Error revoking certificate: {0} {1}'.format(info['status'], result)) raise ModuleFailException('Error revoking certificate: {0} {1}'.format(info['status'], result))
module.exit_json(changed=True) module.exit_json(changed=True)