Remove the deprecated tls-sni-02 challenge method. (#38137)

lib/ansible/modules/web_infrastructure/letsencrypt.py

@@ -23,14 +23,13 @@ description:
    - "Create and renew SSL certificates with Let's Encrypt. Let's Encrypt is a
       free, automated, and open certificate authority (CA), run for the
       public's benefit. For details see U(https://letsencrypt.org). The current
-      implementation supports the http-01, tls-sni-02 and dns-01 challenges."
+      implementation supports the http-01 and dns-01 challenges."
    - "To use this module, it has to be executed at least twice. Either as two
       different tasks in the same run or during multiple runs."
    - "Between these two tasks you have to fulfill the required steps for the
       chosen challenge by whatever means necessary. For http-01 that means
       creating the necessary challenge file on the destination webserver. For
-      dns-01 the necessary dns record has to be created. tls-sni-02 requires
+      dns-01 the necessary dns record has to be created.
-      you to create a SSL certificate with the appropriate subjectAlternativeNames.
       It is I(not) the responsibility of this module to perform these steps."
    - "For details on how to fulfill these challenges, you might have to read through
       U(https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-8)"
@@ -109,7 +108,7 @@ options:
     version_added: "2.5"
   challenge:
     description: The challenge to be performed.
-    choices: [ 'http-01', 'dns-01', 'tls-sni-02']
+    choices: [ 'http-01', 'dns-01']
     default: 'http-01'
   csr:
     description:
@@ -937,25 +936,10 @@ class ACMEClient(object):
             token = re.sub(r"[^A-Za-z0-9_\-]", "_", challenge['token'])
             keyauthorization = self.account.get_keyauthorization(token)
 
-            # NOTE: tls-sni-01 is not supported by choice
-            # too complex to be useful and tls-sni-02 is an alternative
-            # as soon as it is implemented server side
             if type == 'http-01':
                 # https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-8.3
                 resource = '.well-known/acme-challenge/' + token
                 data[type] = {'resource': resource, 'resource_value': keyauthorization}
-            elif type == 'tls-sni-02':
-                # https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-8.4
-                token_digest = hashlib.sha256(token.encode('utf8')).hexdigest()
-                ka_digest = hashlib.sha256(keyauthorization.encode('utf8')).hexdigest()
-                len_token_digest = len(token_digest)
-                len_ka_digest = len(ka_digest)
-                resource = 'subjectAlternativeNames'
-                value = [
-                    "{0}.{1}.token.acme.invalid".format(token_digest[:len_token_digest // 2], token_digest[len_token_digest // 2:]),
-                    "{0}.{1}.ka.acme.invalid".format(ka_digest[:len_ka_digest // 2], ka_digest[len_ka_digest // 2:]),
-                ]
-                data[type] = {'resource': resource, 'resource_value': value}
             elif type == 'dns-01':
                 # https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-8.5
                 resource = '_acme-challenge'
@@ -1296,7 +1280,7 @@ def main():
             acme_version=dict(required=False, default=1, choices=[1, 2], type='int'),
             agreement=dict(required=False, type='str'),
             terms_agreed=dict(required=False, default=False, type='bool'),
-            challenge=dict(required=False, default='http-01', choices=['http-01', 'dns-01', 'tls-sni-02'], type='str'),
+            challenge=dict(required=False, default='http-01', choices=['http-01', 'dns-01'], type='str'),
             csr=dict(required=True, aliases=['src'], type='path'),
             data=dict(required=False, default=None, type='dict'),
             dest=dict(aliases=['cert'], type='path'),