mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
36a790dcde
* New cryptography backend for openssl_certificate load_* functions in module_utils/crypto.py now have a backend paramter which when set to 'cryptography' will return cryptography objects so they can be used for both pyopenssl and cryptography backends. Added a select_message_digest function too returning a cryptography digest hash from `cryptography.hazmat.primitives.hashes` Added new classes for Cryptography backend * Run test with various backends. * Prefixing tests. * Make sure we have the correct backend available. * Linting (flake8). * Moved cryptography import to separate try/except * Make sure certificate is actually valid at some time in the past. * Improve error handling. * Trying to fix validation for cryptography backend. * Fixed issue with keyUsage test in assertonly * Fixed CI/Lint issues * Fix private key problem for OwnCA. * Cryptography backend doesn't support v2 certs. * issue an expired cert with command when using cryptography backend * Added warning when backend is auto and v2 cert is requested * Bumped min cryptography version to 1.6 * Correctly check for failure when backend is cryptography and cert is v2 * Use self.backend where possible * Use secp521r1 EC when testing on CentOS6 * Fixed pylint issue * AcmeCertificate support for both backends * Review fixes * Fixed missing '(' when raising error * Fixed date_fmt loop * Updated docs and requirements with cryptography * Add openssl_certificate to changelog.
48 lines
2 KiB
YAML
48 lines
2 KiB
YAML
---
|
|
- name: (Expired, {{select_crypto_backend}}) Generate privatekey
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/has_expired_privatekey.pem'
|
|
|
|
- name: (Expired, {{select_crypto_backend}}) Generate CSR
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/has_expired_csr.csr'
|
|
privatekey_path: '{{ output_dir }}/has_expired_privatekey.pem'
|
|
subject:
|
|
commonName: www.example.com
|
|
|
|
- name: (Expired, {{select_crypto_backend}}) Generate expired selfsigned certificate
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/has_expired_cert.pem'
|
|
csr_path: '{{ output_dir }}/has_expired_csr.csr'
|
|
privatekey_path: '{{ output_dir }}/has_expired_privatekey.pem'
|
|
provider: selfsigned
|
|
selfsigned_digest: sha256
|
|
selfsigned_not_after: "-1s"
|
|
selfsigned_not_before: "-100s"
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
when: select_crypto_backend == 'pyopenssl' # cryptography won't allow creating expired certificates
|
|
|
|
- name: (Expired, {{select_crypto_backend}}) Generate expired selfsigned certificate
|
|
command: "openssl x509 -req -days -1 -in {{ output_dir }}/has_expired_csr.csr -signkey {{ output_dir }}/has_expired_privatekey.pem -out {{ output_dir }}/has_expired_cert.pem"
|
|
when: select_crypto_backend == 'cryptography' # So we create it with 'command'
|
|
|
|
- name: "(Expired) Check task fails because cert is expired (has_expired: false)"
|
|
openssl_certificate:
|
|
provider: assertonly
|
|
path: "{{ output_dir }}/has_expired_cert.pem"
|
|
has_expired: false
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
ignore_errors: true
|
|
register: expired_cert_check
|
|
|
|
- name: (Expired, {{select_crypto_backend}}) Ensure previous task failed
|
|
assert:
|
|
that: expired_cert_check is failed
|
|
|
|
- name: "(Expired) Check expired cert check is ignored (has_expired: true)"
|
|
openssl_certificate:
|
|
provider: assertonly
|
|
path: "{{ output_dir }}/has_expired_cert.pem"
|
|
has_expired: true
|
|
select_crypto_backend: '{{ select_crypto_backend }}'
|
|
register: expired_cert_skip
|