1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

ACME certificate revocation: add support for new draft-14 error message (#43980)

* Adding support for new certificate-already-revoked error message in draft-14.

* Updating documentation.

* Fixing typo.
This commit is contained in:
Felix Fontein 2018-08-12 10:29:48 +02:00 committed by ansibot
parent 231961564a
commit 7f41f0168a

View file

@ -26,13 +26,11 @@ description:
L(Let's Encrypt,https://letsencrypt.org/)."
- "Note that exactly one of C(account_key_src), C(account_key_content),
C(private_key_src) or C(private_key_content) must be specified."
- "Also note that in general, trying to revoke an already revoked
certificate will lead to an error. The module tries to detect some
common error messages (for example, the ones issued by
L(Let's Encrypt,https://letsencrypt.org/)'s
L(Boulder,https://github.com/letsencrypt/boulder/) software), but
this might stop working and probably will not work for other server
softwares."
- "Also note that trying to revoke an already revoked certificate
should result in an unchanged status, even if the revocation reason
was different than the one specified here. Also, depending on the
server, it can happen that some other error is returned if the
certificate has already been revoked."
extends_documentation_fragment:
- acme
options:
@ -193,12 +191,22 @@ def main():
# Step 2: sign revokation request with account key
result, info = account.send_signed_request(endpoint, payload)
if info['status'] != 200:
if module.params.get('acme_version') == 1:
error_type = 'urn:acme:error:malformed'
already_revoked = False
# Standarized error in draft 14 (https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-7.6)
if result.get('type') == 'urn:ietf:params:acme:error:alreadyRevoked':
already_revoked = True
else:
error_type = 'urn:ietf:params:acme:error:malformed'
if result.get('type') == error_type and result.get('detail') == 'Certificate already revoked':
# Fallback: boulder returns this in case the certificate was already revoked.
# Hack for Boulder errors
if module.params.get('acme_version') == 1:
error_type = 'urn:acme:error:malformed'
else:
error_type = 'urn:ietf:params:acme:error:malformed'
if result.get('type') == error_type and result.get('detail') == 'Certificate already revoked':
# Fallback: boulder returns this in case the certificate was already revoked.
already_revoked = True
# If we know the certificate was already revoked, we don't fail,
# but successfully terminate while indicating no change
if already_revoked:
module.exit_json(changed=False)
raise ModuleFailException('Error revoking certificate: {0} {1}'.format(info['status'], result))
module.exit_json(changed=True)