mirror of
https://github.com/ansible-collections/community.general.git
synced 2025-07-24 05:40:23 -07:00
Letsencrypt: add account management module (#37275)
* Removed superfluous space. * Separating account init code from ACMEAccount constructor. * Extracted module utils and docs fragment. * Added new letsencrypt_account module. * Ignore pre-1.0.0 versions of OpenSSL. * Added account key rollover. * Renaming letsencrypt_account -> acme_account * Simplifying check for updating contact information. * Rewriting docstring for ACMEDirectory. * Changing license according to permissions given by individual authors in https://github.com/ansible/ansible/pull/37275. * Updating BOTMETA. * Preparing for change of ACME protocol currently discussed in ietf-wg-acme/acme. * Updating documentation.
This commit is contained in:
parent
2fc23fdc18
commit
dec392793b
9 changed files with 1042 additions and 523 deletions
|
@ -42,58 +42,13 @@ description:
|
|||
- "At least one of C(dest) and C(fullchain_dest) must be specified."
|
||||
- "Note: this module was called C(letsencrypt) before Ansible 2.6. The usage
|
||||
did not change."
|
||||
requirements:
|
||||
- "python >= 2.6"
|
||||
- openssl
|
||||
extends_documentation_fragment:
|
||||
- letsencrypt
|
||||
options:
|
||||
account_key_src:
|
||||
description:
|
||||
- "Path to a file containing the ACME account RSA or Elliptic Curve
|
||||
key."
|
||||
- "RSA keys can be created with C(openssl rsa ...). Elliptic curve keys can
|
||||
be created with C(openssl ecparam -genkey ...)."
|
||||
- "Mutually exclusive with C(account_key_content)."
|
||||
- "Required if C(account_key_content) is not used."
|
||||
aliases: [ account_key ]
|
||||
account_key_content:
|
||||
description:
|
||||
- "Content of the ACME account RSA or Elliptic Curve key."
|
||||
- "Mutually exclusive with C(account_key_src)."
|
||||
- "Required if C(account_key_src) is not used."
|
||||
- "Warning: the content will be written into a temporary file, which will
|
||||
be deleted by Ansible when the module completes. Since this is an
|
||||
important private key — it can be used to change the account key,
|
||||
or to revoke your certificates without knowing their private keys
|
||||
—, this might not be acceptable."
|
||||
version_added: "2.5"
|
||||
account_email:
|
||||
description:
|
||||
- "The email address associated with this account."
|
||||
- "It will be used for certificate expiration warnings."
|
||||
acme_directory:
|
||||
description:
|
||||
- "The ACME directory to use. This is the entry point URL to access
|
||||
CA server API."
|
||||
- "For safety reasons the default is set to the Let's Encrypt staging
|
||||
server (for the ACME v1 protocol). This will create technically correct,
|
||||
but untrusted certificates."
|
||||
- "For Let's Encrypt, all staging endpoints can be found here:
|
||||
U(https://letsencrypt.org/docs/staging-environment/)"
|
||||
- "For Let's Encrypt, the production directory URL for ACME v1 is
|
||||
U(https://acme-v01.api.letsencrypt.org/directory), and the production
|
||||
directory URL for ACME v2 is U(https://acme-v02.api.letsencrypt.org/directory)."
|
||||
- "I(Warning): So far, the module has only been tested against Let's Encrypt
|
||||
(staging and production) and against the Pebble testing server
|
||||
(U(https://github.com/letsencrypt/Pebble))."
|
||||
default: https://acme-staging.api.letsencrypt.org/directory
|
||||
acme_version:
|
||||
description:
|
||||
- "The ACME version of the endpoint."
|
||||
- "Must be 1 for the classic Let's Encrypt ACME endpoint, or 2 for the
|
||||
new standardized ACME v2 endpoint."
|
||||
default: 1
|
||||
choices: [1, 2]
|
||||
version_added: "2.5"
|
||||
agreement:
|
||||
description:
|
||||
- "URI to a terms of service document you agree to when using the
|
||||
|
@ -160,14 +115,6 @@ options:
|
|||
If the certificate is not renewed, module return values will not
|
||||
include C(challenge_data)."
|
||||
default: 10
|
||||
validate_certs:
|
||||
description:
|
||||
- Whether calls to the ACME directory will validate TLS certificates.
|
||||
- I(Warning:) Should I(only ever) be set to C(no) for testing purposes,
|
||||
for example when testing against a local Pebble server.
|
||||
type: bool
|
||||
default: 'yes'
|
||||
version_added: 2.5
|
||||
deactivate_authzs:
|
||||
description:
|
||||
- "Deactivate authentication objects (authz) after issuing a certificate,
|
||||
|
@ -175,7 +122,7 @@ options:
|
|||
- "Authentication objects are bound to an account key and remain valid
|
||||
for a certain amount of time, and can be used to issue certificates
|
||||
without having to re-authenticate the domain. This can be a security
|
||||
concern. "
|
||||
concern."
|
||||
type: bool
|
||||
default: 'no'
|
||||
version_added: 2.6
|
||||
|
@ -344,78 +291,21 @@ account_uri:
|
|||
version_added: "2.5"
|
||||
'''
|
||||
|
||||
from ansible.module_utils.letsencrypt import (
|
||||
ModuleFailException, fetch_url, write_file, nopad_b64, simple_get, ACMEAccount
|
||||
)
|
||||
|
||||
import base64
|
||||
import binascii
|
||||
import copy
|
||||
import hashlib
|
||||
import json
|
||||
import locale
|
||||
import os
|
||||
import re
|
||||
import shutil
|
||||
import tempfile
|
||||
import textwrap
|
||||
import time
|
||||
import traceback
|
||||
from datetime import datetime
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
from ansible.module_utils._text import to_native, to_text, to_bytes
|
||||
from ansible.module_utils.urls import fetch_url as _fetch_url
|
||||
|
||||
|
||||
class ModuleFailException(Exception):
|
||||
'''
|
||||
If raised, module.fail_json() will be called with the given parameters after cleanup.
|
||||
'''
|
||||
def __init__(self, msg, **args):
|
||||
super(ModuleFailException, self).__init__(self, msg)
|
||||
self.msg = msg
|
||||
self.module_fail_args = args
|
||||
|
||||
def do_fail(self, module):
|
||||
module.fail_json(msg=self.msg, other=self.module_fail_args)
|
||||
|
||||
|
||||
def _lowercase_fetch_url(*args, **kwargs):
|
||||
'''
|
||||
Add lowercase representations of the header names as dict keys
|
||||
|
||||
'''
|
||||
response, info = _fetch_url(*args, **kwargs)
|
||||
|
||||
info.update(dict((header.lower(), value) for (header, value) in info.items()))
|
||||
return response, info
|
||||
|
||||
|
||||
fetch_url = _lowercase_fetch_url
|
||||
|
||||
|
||||
def nopad_b64(data):
|
||||
return base64.urlsafe_b64encode(data).decode('utf8').replace("=", "")
|
||||
|
||||
|
||||
def simple_get(module, url):
|
||||
resp, info = fetch_url(module, url, method='GET')
|
||||
|
||||
result = {}
|
||||
try:
|
||||
content = resp.read()
|
||||
except AttributeError:
|
||||
content = info.get('body')
|
||||
|
||||
if content:
|
||||
if info['content-type'].startswith('application/json'):
|
||||
try:
|
||||
result = module.from_json(content.decode('utf8'))
|
||||
except ValueError:
|
||||
raise ModuleFailException("Failed to parse the ACME response: {0} {1}".format(url, content))
|
||||
else:
|
||||
result = content
|
||||
|
||||
if info['status'] >= 400:
|
||||
raise ModuleFailException("ACME request failed: CODE: {0} RESULT: {1}".format(info['status'], result))
|
||||
return result
|
||||
from ansible.module_utils._text import to_text, to_bytes
|
||||
|
||||
|
||||
def get_cert_days(module, cert_file):
|
||||
|
@ -441,408 +331,6 @@ def get_cert_days(module, cert_file):
|
|||
return (not_after - now).days
|
||||
|
||||
|
||||
# function source: network/basics/uri.py
|
||||
def write_file(module, dest, content):
|
||||
'''
|
||||
Write content to destination file dest, only if the content
|
||||
has changed.
|
||||
'''
|
||||
changed = False
|
||||
# create a tempfile
|
||||
fd, tmpsrc = tempfile.mkstemp(text=False)
|
||||
f = os.fdopen(fd, 'wb')
|
||||
try:
|
||||
f.write(content)
|
||||
except Exception as err:
|
||||
try:
|
||||
f.close()
|
||||
except Exception as e:
|
||||
pass
|
||||
os.remove(tmpsrc)
|
||||
raise ModuleFailException("failed to create temporary content file: %s" % to_native(err), exception=traceback.format_exc())
|
||||
f.close()
|
||||
checksum_src = None
|
||||
checksum_dest = None
|
||||
# raise an error if there is no tmpsrc file
|
||||
if not os.path.exists(tmpsrc):
|
||||
try:
|
||||
os.remove(tmpsrc)
|
||||
except Exception as e:
|
||||
pass
|
||||
raise ModuleFailException("Source %s does not exist" % (tmpsrc))
|
||||
if not os.access(tmpsrc, os.R_OK):
|
||||
os.remove(tmpsrc)
|
||||
raise ModuleFailException("Source %s not readable" % (tmpsrc))
|
||||
checksum_src = module.sha1(tmpsrc)
|
||||
# check if there is no dest file
|
||||
if os.path.exists(dest):
|
||||
# raise an error if copy has no permission on dest
|
||||
if not os.access(dest, os.W_OK):
|
||||
os.remove(tmpsrc)
|
||||
raise ModuleFailException("Destination %s not writable" % (dest))
|
||||
if not os.access(dest, os.R_OK):
|
||||
os.remove(tmpsrc)
|
||||
raise ModuleFailException("Destination %s not readable" % (dest))
|
||||
checksum_dest = module.sha1(dest)
|
||||
else:
|
||||
if not os.access(os.path.dirname(dest), os.W_OK):
|
||||
os.remove(tmpsrc)
|
||||
raise ModuleFailException("Destination dir %s not writable" % (os.path.dirname(dest)))
|
||||
if checksum_src != checksum_dest:
|
||||
try:
|
||||
shutil.copyfile(tmpsrc, dest)
|
||||
changed = True
|
||||
except Exception as err:
|
||||
os.remove(tmpsrc)
|
||||
raise ModuleFailException("failed to copy %s to %s: %s" % (tmpsrc, dest, to_native(err)), exception=traceback.format_exc())
|
||||
os.remove(tmpsrc)
|
||||
return changed
|
||||
|
||||
|
||||
class ACMEDirectory(object):
|
||||
'''
|
||||
The ACME server directory. Gives access to the available resources
|
||||
and the Replay-Nonce for a given URI. This only works for
|
||||
URIs that permit GET requests (so normally not the ones that
|
||||
require authentication).
|
||||
https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-7.1.1
|
||||
'''
|
||||
|
||||
def __init__(self, module):
|
||||
self.module = module
|
||||
self.directory_root = module.params['acme_directory']
|
||||
self.version = module.params['acme_version']
|
||||
|
||||
self.directory = simple_get(self.module, self.directory_root)
|
||||
|
||||
# Check whether self.version matches what we expect
|
||||
if self.version == 1:
|
||||
for key in ('new-reg', 'new-authz', 'new-cert'):
|
||||
if key not in self.directory:
|
||||
raise ModuleFailException("ACME directory does not seem to follow protocol ACME v1")
|
||||
if self.version == 2:
|
||||
for key in ('newNonce', 'newAccount', 'newOrder'):
|
||||
if key not in self.directory:
|
||||
raise ModuleFailException("ACME directory does not seem to follow protocol ACME v2")
|
||||
|
||||
def __getitem__(self, key):
|
||||
return self.directory[key]
|
||||
|
||||
def get_nonce(self, resource=None):
|
||||
url = self.directory_root if self.version == 1 else self.directory['newNonce']
|
||||
if resource is not None:
|
||||
url = resource
|
||||
dummy, info = fetch_url(self.module, url, method='HEAD')
|
||||
if info['status'] not in (200, 204):
|
||||
raise ModuleFailException("Failed to get replay-nonce, got status {0}".format(info['status']))
|
||||
return info['replay-nonce']
|
||||
|
||||
|
||||
class ACMEAccount(object):
|
||||
'''
|
||||
ACME account object. Handles the authorized communication with the
|
||||
ACME server. Provides access to account bound information like
|
||||
the currently active authorizations and valid certificates
|
||||
'''
|
||||
|
||||
def __init__(self, module):
|
||||
self.module = module
|
||||
self.version = module.params['acme_version']
|
||||
# account_key path and content are mutually exclusive
|
||||
self.key = module.params['account_key_src']
|
||||
self.key_content = module.params['account_key_content']
|
||||
self.email = module.params['account_email']
|
||||
self.directory = ACMEDirectory(module)
|
||||
self.agreement = module.params.get('agreement')
|
||||
self.terms_agreed = module.params.get('terms_agreed')
|
||||
|
||||
self.uri = None
|
||||
self.changed = False
|
||||
|
||||
self._openssl_bin = module.get_bin_path('openssl', True)
|
||||
|
||||
# Create a key file from content, key (path) and key content are mutually exclusive
|
||||
if self.key_content is not None:
|
||||
fd, tmpsrc = tempfile.mkstemp()
|
||||
module.add_cleanup_file(tmpsrc) # Ansible will delete the file on exit
|
||||
f = os.fdopen(fd, 'wb')
|
||||
try:
|
||||
f.write(self.key_content.encode('utf-8'))
|
||||
self.key = tmpsrc
|
||||
except Exception as err:
|
||||
try:
|
||||
f.close()
|
||||
except Exception as e:
|
||||
pass
|
||||
raise ModuleFailException("failed to create temporary content file: %s" % to_native(err), exception=traceback.format_exc())
|
||||
f.close()
|
||||
|
||||
error, self.key_data = self._parse_account_key(self.key)
|
||||
if error:
|
||||
raise ModuleFailException("error while parsing account key: %s" % error)
|
||||
self.jwk = self.key_data['jwk']
|
||||
self.jws_header = {
|
||||
"alg": self.key_data['alg'],
|
||||
"jwk": self.jwk,
|
||||
}
|
||||
self.init_account()
|
||||
|
||||
def get_keyauthorization(self, token):
|
||||
'''
|
||||
Returns the key authorization for the given token
|
||||
https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-8.1
|
||||
'''
|
||||
accountkey_json = json.dumps(self.jwk, sort_keys=True, separators=(',', ':'))
|
||||
thumbprint = nopad_b64(hashlib.sha256(accountkey_json.encode('utf8')).digest())
|
||||
return "{0}.{1}".format(token, thumbprint)
|
||||
|
||||
def _parse_account_key(self, key):
|
||||
'''
|
||||
Parses an RSA or Elliptic Curve key file in PEM format and returns a pair
|
||||
(error, key_data).
|
||||
'''
|
||||
account_key_type = None
|
||||
with open(key, "rt") as f:
|
||||
for line in f:
|
||||
m = re.match(r"^\s*-{5,}BEGIN\s+(EC|RSA)\s+PRIVATE\s+KEY-{5,}\s*$", line)
|
||||
if m is not None:
|
||||
account_key_type = m.group(1).lower()
|
||||
break
|
||||
if account_key_type is None:
|
||||
# This happens for example if openssl_privatekey created this key
|
||||
# (as opposed to the OpenSSL binary). For now, we assume this is
|
||||
# an RSA key.
|
||||
# FIXME: add some kind of auto-detection
|
||||
account_key_type = "rsa"
|
||||
if account_key_type not in ("rsa", "ec"):
|
||||
return 'unknown key type "%s"' % account_key_type, {}
|
||||
|
||||
openssl_keydump_cmd = [self._openssl_bin, account_key_type, "-in", key, "-noout", "-text"]
|
||||
dummy, out, dummy = self.module.run_command(openssl_keydump_cmd, check_rc=True)
|
||||
|
||||
if account_key_type == 'rsa':
|
||||
pub_hex, pub_exp = re.search(
|
||||
r"modulus:\n\s+00:([a-f0-9\:\s]+?)\npublicExponent: ([0-9]+)",
|
||||
to_text(out, errors='surrogate_or_strict'), re.MULTILINE | re.DOTALL).groups()
|
||||
pub_exp = "{0:x}".format(int(pub_exp))
|
||||
if len(pub_exp) % 2:
|
||||
pub_exp = "0{0}".format(pub_exp)
|
||||
|
||||
return None, {
|
||||
'type': 'rsa',
|
||||
'alg': 'RS256',
|
||||
'jwk': {
|
||||
"kty": "RSA",
|
||||
"e": nopad_b64(binascii.unhexlify(pub_exp.encode("utf-8"))),
|
||||
"n": nopad_b64(binascii.unhexlify(re.sub(r"(\s|:)", "", pub_hex).encode("utf-8"))),
|
||||
},
|
||||
'hash': 'sha256',
|
||||
}
|
||||
elif account_key_type == 'ec':
|
||||
pub_data = re.search(
|
||||
r"pub:\s*\n\s+04:([a-f0-9\:\s]+?)\nASN1 OID: (\S+)(?:\nNIST CURVE: (\S+))?",
|
||||
to_text(out, errors='surrogate_or_strict'), re.MULTILINE | re.DOTALL)
|
||||
if pub_data is None:
|
||||
return 'cannot parse elliptic curve key', {}
|
||||
pub_hex = binascii.unhexlify(re.sub(r"(\s|:)", "", pub_data.group(1)).encode("utf-8"))
|
||||
asn1_oid_curve = pub_data.group(2).lower()
|
||||
nist_curve = pub_data.group(3).lower() if pub_data.group(3) else None
|
||||
if asn1_oid_curve == 'prime256v1' or nist_curve == 'p-256':
|
||||
bits = 256
|
||||
alg = 'ES256'
|
||||
hash = 'sha256'
|
||||
point_size = 32
|
||||
curve = 'P-256'
|
||||
elif asn1_oid_curve == 'secp384r1' or nist_curve == 'p-384':
|
||||
bits = 384
|
||||
alg = 'ES384'
|
||||
hash = 'sha384'
|
||||
point_size = 48
|
||||
curve = 'P-384'
|
||||
elif asn1_oid_curve == 'secp521r1' or nist_curve == 'p-521':
|
||||
# Not yet supported on Let's Encrypt side, see
|
||||
# https://github.com/letsencrypt/boulder/issues/2217
|
||||
bits = 521
|
||||
alg = 'ES512'
|
||||
hash = 'sha512'
|
||||
point_size = 66
|
||||
curve = 'P-521'
|
||||
else:
|
||||
return 'unknown elliptic curve: %s / %s' % (asn1_oid_curve, nist_curve), {}
|
||||
bytes = (bits + 7) // 8
|
||||
if len(pub_hex) != 2 * bytes:
|
||||
return 'bad elliptic curve point (%s / %s)' % (asn1_oid_curve, nist_curve), {}
|
||||
return None, {
|
||||
'type': 'ec',
|
||||
'alg': alg,
|
||||
'jwk': {
|
||||
"kty": "EC",
|
||||
"crv": curve,
|
||||
"x": nopad_b64(pub_hex[:bytes]),
|
||||
"y": nopad_b64(pub_hex[bytes:]),
|
||||
},
|
||||
'hash': hash,
|
||||
'point_size': point_size,
|
||||
}
|
||||
|
||||
def send_signed_request(self, url, payload):
|
||||
'''
|
||||
Sends a JWS signed HTTP POST request to the ACME server and returns
|
||||
the response as dictionary
|
||||
https://tools.ietf.org/html/draft-ietf-acme-acme-10#section-6.2
|
||||
'''
|
||||
failed_tries = 0
|
||||
while True:
|
||||
protected = copy.deepcopy(self.jws_header)
|
||||
protected["nonce"] = self.directory.get_nonce()
|
||||
if self.version != 1:
|
||||
protected["url"] = url
|
||||
|
||||
try:
|
||||
payload64 = nopad_b64(self.module.jsonify(payload).encode('utf8'))
|
||||
protected64 = nopad_b64(self.module.jsonify(protected).encode('utf8'))
|
||||
except Exception as e:
|
||||
raise ModuleFailException("Failed to encode payload / headers as JSON: {0}".format(e))
|
||||
|
||||
openssl_sign_cmd = [self._openssl_bin, "dgst", "-{0}".format(self.key_data['hash']), "-sign", self.key]
|
||||
sign_payload = "{0}.{1}".format(protected64, payload64).encode('utf8')
|
||||
dummy, out, dummy = self.module.run_command(openssl_sign_cmd, data=sign_payload, check_rc=True, binary_data=True)
|
||||
|
||||
if self.key_data['type'] == 'ec':
|
||||
dummy, der_out, dummy = self.module.run_command(
|
||||
[self._openssl_bin, "asn1parse", "-inform", "DER"],
|
||||
data=out, binary_data=True)
|
||||
expected_len = 2 * self.key_data['point_size']
|
||||
sig = re.findall(
|
||||
r"prim:\s+INTEGER\s+:([0-9A-F]{1,%s})\n" % expected_len,
|
||||
to_text(der_out, errors='surrogate_or_strict'))
|
||||
if len(sig) != 2:
|
||||
raise ModuleFailException(
|
||||
"failed to generate Elliptic Curve signature; cannot parse DER output: {0}".format(
|
||||
to_text(der_out, errors='surrogate_or_strict')))
|
||||
sig[0] = (expected_len - len(sig[0])) * '0' + sig[0]
|
||||
sig[1] = (expected_len - len(sig[1])) * '0' + sig[1]
|
||||
out = binascii.unhexlify(sig[0]) + binascii.unhexlify(sig[1])
|
||||
|
||||
data = {
|
||||
"protected": protected64,
|
||||
"payload": payload64,
|
||||
"signature": nopad_b64(to_bytes(out)),
|
||||
}
|
||||
if self.version == 1:
|
||||
data["header"] = self.jws_header
|
||||
data = self.module.jsonify(data)
|
||||
|
||||
headers = {
|
||||
'Content-Type': 'application/jose+json',
|
||||
}
|
||||
resp, info = fetch_url(self.module, url, data=data, headers=headers, method='POST')
|
||||
result = {}
|
||||
try:
|
||||
content = resp.read()
|
||||
except AttributeError:
|
||||
content = info.get('body')
|
||||
|
||||
if content:
|
||||
if info['content-type'].startswith('application/json') or 400 <= info['status'] < 600:
|
||||
try:
|
||||
result = self.module.from_json(content.decode('utf8'))
|
||||
# In case of badNonce error, try again (up to 5 times)
|
||||
# (https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-6.6)
|
||||
if (400 <= info['status'] < 600 and
|
||||
result.get('type') == 'urn:ietf:params:acme:error:badNonce' and
|
||||
failed_tries <= 5):
|
||||
failed_tries += 1
|
||||
continue
|
||||
except ValueError:
|
||||
raise ModuleFailException("Failed to parse the ACME response: {0} {1}".format(url, content))
|
||||
else:
|
||||
result = content
|
||||
|
||||
return result, info
|
||||
|
||||
def _new_reg(self, contact=None):
|
||||
'''
|
||||
Registers a new ACME account. Returns True if the account was
|
||||
created and False if it already existed (e.g. it was not newly
|
||||
created)
|
||||
https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-7.3
|
||||
'''
|
||||
contact = [] if contact is None else contact
|
||||
|
||||
if self.uri is not None:
|
||||
return True
|
||||
|
||||
if self.version == 1:
|
||||
new_reg = {
|
||||
'resource': 'new-reg',
|
||||
'contact': contact
|
||||
}
|
||||
if self.agreement:
|
||||
new_reg['agreement'] = self.agreement
|
||||
else:
|
||||
new_reg['agreement'] = self.directory['meta']['terms-of-service']
|
||||
url = self.directory['new-reg']
|
||||
else:
|
||||
new_reg = {
|
||||
'contact': contact
|
||||
}
|
||||
if self.terms_agreed:
|
||||
new_reg['termsOfServiceAgreed'] = True
|
||||
url = self.directory['newAccount']
|
||||
|
||||
result, info = self.send_signed_request(url, new_reg)
|
||||
if 'location' in info:
|
||||
self.uri = info['location']
|
||||
if self.version != 1:
|
||||
self.jws_header.pop('jwk')
|
||||
self.jws_header['kid'] = self.uri
|
||||
|
||||
if info['status'] in [200, 201]:
|
||||
# Account did not exist
|
||||
self.changed = True
|
||||
return True
|
||||
elif info['status'] == 409:
|
||||
# Account did exist
|
||||
return False
|
||||
else:
|
||||
raise ModuleFailException("Error registering: {0} {1}".format(info['status'], result))
|
||||
|
||||
def init_account(self):
|
||||
'''
|
||||
Create or update an account on the ACME server. As the only way
|
||||
(without knowing an account URI) to test if an account exists
|
||||
is to try and create one with the provided account key, this
|
||||
method will always result in an account being present (except
|
||||
on error situations). If the account already exists, it will
|
||||
update the contact information.
|
||||
https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-7.3
|
||||
'''
|
||||
|
||||
contact = []
|
||||
if self.email:
|
||||
contact.append('mailto:' + self.email)
|
||||
|
||||
# if this is not a new registration (e.g. existing account)
|
||||
if not self._new_reg(contact):
|
||||
# pre-existing account, get account data...
|
||||
result, dummy = self.send_signed_request(self.uri, {'resource': 'reg'})
|
||||
|
||||
# ...and check if update is necessary
|
||||
do_update = False
|
||||
if 'contact' in result:
|
||||
if contact != result['contact']:
|
||||
do_update = True
|
||||
elif len(contact) > 0:
|
||||
do_update = True
|
||||
|
||||
if do_update:
|
||||
upd_reg = result
|
||||
upd_reg['contact'] = contact
|
||||
result, dummy = self.send_signed_request(self.uri, upd_reg)
|
||||
self.changed = True
|
||||
|
||||
|
||||
class ACMEClient(object):
|
||||
'''
|
||||
ACME client class. Uses an ACME account object and a CSR to
|
||||
|
@ -863,10 +351,20 @@ class ACMEClient(object):
|
|||
self.data = module.params['data']
|
||||
self.authorizations = None
|
||||
self.cert_days = -1
|
||||
self.changed = self.account.changed
|
||||
self.order_uri = self.data.get('order_uri') if self.data else None
|
||||
self.finalize_uri = self.data.get('finalize_uri') if self.data else None
|
||||
|
||||
# Make sure account exists
|
||||
contact = []
|
||||
if module.params['account_email']:
|
||||
contact.append('mailto:' + module.params['account_email'])
|
||||
self.changed = self.account.init_account(
|
||||
contact,
|
||||
agreement=module.params.get('agreement'),
|
||||
terms_agreed=module.params.get('terms_agreed')
|
||||
)
|
||||
|
||||
# Extract list of domains from CSR
|
||||
if not os.path.exists(self.csr):
|
||||
raise ModuleFailException("CSR %s not found" % (self.csr))
|
||||
|
||||
|
@ -1279,9 +777,10 @@ def main():
|
|||
argument_spec=dict(
|
||||
account_key_src=dict(type='path', aliases=['account_key']),
|
||||
account_key_content=dict(type='str', no_log=True),
|
||||
account_email=dict(required=False, default=None, type='str'),
|
||||
acme_directory=dict(required=False, default='https://acme-staging.api.letsencrypt.org/directory', type='str'),
|
||||
acme_version=dict(required=False, default=1, choices=[1, 2], type='int'),
|
||||
validate_certs=dict(required=False, default=True, type='bool'),
|
||||
account_email=dict(required=False, default=None, type='str'),
|
||||
agreement=dict(required=False, type='str'),
|
||||
terms_agreed=dict(required=False, default=False, type='bool'),
|
||||
challenge=dict(required=False, default='http-01', choices=['http-01', 'dns-01'], type='str'),
|
||||
|
@ -1291,7 +790,6 @@ def main():
|
|||
fullchain_dest=dict(aliases=['fullchain'], type='path'),
|
||||
chain_dest=dict(required=False, default=None, aliases=['chain'], type='path'),
|
||||
remaining_days=dict(required=False, default=10, type='int'),
|
||||
validate_certs=dict(required=False, default=True, type='bool'),
|
||||
deactivate_authzs=dict(required=False, default=False, type='bool'),
|
||||
force=dict(required=False, default=False, type='bool'),
|
||||
),
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue