openssl_certificate, fixed has_expired to check the cert expiration date (#53168)

2025-04-25 11:51:26 -07:00 · 2019-03-01 23:37:28 +00:00 · 2019-03-01 23:37:28 +00:00 · d5d92e4a70
commit d5d92e4a70
parent 1ba1f712fd
4 changed files with 57 additions and 6 deletions
--- a/lib/ansible/modules/crypto/openssl_certificate.py
+++ b/lib/ansible/modules/crypto/openssl_certificate.py
@ -229,7 +229,8 @@ options:

    has_expired:
        description:
-            - Checks if the certificate is expired/not expired at the time the module is executed.
+            - Checks if the certificate is expired/not expired at the time the module is executed. This only applies to
+              the C(assertonly) provider.
        type: bool
        default: no

@ -830,11 +831,18 @@ class AssertOnlyCertificate(Certificate):
                    )

        def _validate_has_expired():
-            if self.has_expired:
-                if self.has_expired != self.cert.has_expired():
-                    self.message.append(
-                        'Certificate expiration check failed (certificate expiration is %s, expected %s)' % (self.cert.has_expired(), self.has_expired)
-                    )
+            # The following 3 lines are the same as the current PyOpenSSL code for cert.has_expired().
+            # Older version of PyOpenSSL have a buggy implementation,
+            # to avoid issues with those we added the code from a more recent release here.
+
+            time_string = to_native(self.cert.get_notAfter())
+            not_after = datetime.datetime.strptime(time_string, "%Y%m%d%H%M%SZ")
+            cert_expired = not_after < datetime.datetime.utcnow()
+
+            if self.has_expired != cert_expired:
+                self.message.append(
+                    'Certificate expiration check failed (certificate expiration is %s, expected %s)' % (cert_expired, self.has_expired)
+                )

        def _validate_version():
            if self.version: