a-c-m
/
community.crypto
mirror of https://github.com/ansible-collections/community.crypto.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
community.crypto/changelogs/changelog.yaml

810 lines
46 KiB
YAML
Raw Normal View History

Release 1.0.0 (#82) * Add release notes. * Create changelog for 1.0.0.
2020-07-03 11:35:31 +00:00
ancestor: null
releases:
1.0.0:
changes:
bugfixes:
- 'ACME modules: fix bug in ACME v1 account update code'
- 'ACME modules: make sure some connection errors are handled properly'
- 'ACME modules: support Buypass'' ACME v1 endpoint'
- acme_certificate - fix crash when module is used with Python 2.x.
- acme_certificate - fix misbehavior when ACME v1 is used with ``modify_account``
set to ``false``.
- 'ecs_certificate - Always specify header ``connection: keep-alive`` for ECS
API connections.'
- ecs_certificate - Fix formatting of contents of ``full_chain_path``.
- get_certificate - Fix cryptography backend when pyopenssl is unavailable (https://github.com/ansible/ansible/issues/67900)
- openssh_keypair - add logic to avoid breaking password protected keys.
- openssh_keypair - fixes idempotence issue with public key (https://github.com/ansible/ansible/issues/64969).
- openssh_keypair - public key's file attributes (permissions, owner, group,
etc.) are now set to the same values as the private key.
- openssl_* modules - prevent crash on fingerprint determination in FIPS mode
(https://github.com/ansible/ansible/issues/67213).
- 'openssl_certificate - When provider is ``entrust``, use a ``connection: keep-alive``
header for ECS API connections.'
- openssl_certificate - ``provider`` option was documented as required, but
it was not checked whether it was provided. It is now only required when ``state``
is ``present``.
- openssl_certificate - fix ``assertonly`` provider certificate verification,
causing 'private key mismatch' and 'subject mismatch' errors.
- openssl_certificate and openssl_csr - fix Ed25519 and Ed448 private key support
for ``cryptography`` backend. This probably needs at least cryptography 2.8,
since older versions have problems with signing certificates or CSRs with
such keys. (https://github.com/ansible/ansible/issues/59039, PR https://github.com/ansible/ansible/pull/63984)
- openssl_csr - a warning is issued if an unsupported value for ``version``
is used for the ``cryptography`` backend.
- openssl_csr - the module will now enforce that ``privatekey_path`` is specified
when ``state=present``.
- openssl_publickey - fix a module crash caused when pyOpenSSL is not installed
(https://github.com/ansible/ansible/issues/67035).
deprecated_features:
- openssl_csr - all values for the ``version`` option except ``1`` are deprecated.
The value 1 denotes the current only standardized CSR version.
minor_changes:
- luks_device - accept ``passphrase``, ``new_passphrase`` and ``remove_passphrase``.
- luks_device - add ``keysize`` parameter to set key size at LUKS container
creation
- luks_device - added support to use UUIDs, and labels with LUKS2 containers
- luks_device - added the ``type`` option that allows user explicit define the
LUKS container format version
- openssh_keypair - instead of regenerating some broken or password protected
keys, fail the module. Keys can still be regenerated by calling the module
with ``force=yes``.
- openssh_keypair - the ``regenerate`` option allows to configure the module's
behavior when it should or needs to regenerate private keys.
- openssl_* modules - the cryptography backend now properly supports ``dirName``,
``otherName`` and ``RID`` (Registered ID) names.
- openssl_certificate - Add option for changing which ACME directory to use
with acme-tiny. Set the default ACME directory to Let's Encrypt instead of
using acme-tiny's default. (acme-tiny also uses Let's Encrypt at the time
being, so no action should be neccessary.)
- openssl_certificate - Change the required version of acme-tiny to >= 4.0.0
- openssl_certificate - allow to provide content of some input files via the
``csr_content``, ``privatekey_content``, ``ownca_privatekey_content`` and
``ownca_content`` options.
- openssl_certificate - allow to return the existing/generated certificate directly
as ``certificate`` by setting ``return_content`` to ``yes``.
- openssl_certificate_info - allow to provide certificate content via ``content``
option (https://github.com/ansible/ansible/issues/64776).
- openssl_csr - Add support for specifying the SAN ``otherName`` value in the
OpenSSL ASN.1 UTF8 string format, ``otherName:<OID>;UTF8:string value``.
- openssl_csr - allow to provide private key content via ``private_key_content``
option.
- openssl_csr - allow to return the existing/generated CSR directly as ``csr``
by setting ``return_content`` to ``yes``.
- openssl_csr_info - allow to provide CSR content via ``content`` option.
- openssl_dhparam - allow to return the existing/generated DH params directly
as ``dhparams`` by setting ``return_content`` to ``yes``.
- openssl_dhparam - now supports a ``cryptography``-based backend. Auto-detection
can be overwritten with the ``select_crypto_backend`` option.
- openssl_pkcs12 - allow to return the existing/generated PKCS#12 directly as
``pkcs12`` by setting ``return_content`` to ``yes``.
- openssl_privatekey - add ``format`` and ``format_mismatch`` options.
- openssl_privatekey - allow to return the existing/generated private key directly
as ``privatekey`` by setting ``return_content`` to ``yes``.
- openssl_privatekey - the ``regenerate`` option allows to configure the module's
behavior when it should or needs to regenerate private keys.
- openssl_privatekey_info - allow to provide private key content via ``content``
option.
- openssl_publickey - allow to provide private key content via ``private_key_content``
option.
- openssl_publickey - allow to return the existing/generated public key directly
as ``publickey`` by setting ``return_content`` to ``yes``.
release_summary: 'This is the first proper release of the ``community.crypto``
collection. This changelog contains all changes to the modules in this collection
that were added after the release of Ansible 2.9.0.
'
removed_features:
- The ``letsencrypt`` module has been removed. Use ``acme_certificate`` instead.
fragments:
- 1.0.0.yml
- 52408-luks-device.yaml
- 58973-luks_device_add-type-option.yml
- 58973_luks_device-add-label-and-uuid-support.yml
- 60388-openssl_privatekey-format.yml
- 61522-luks-device-add-option-to-define-keysize.yml
- 61658-openssh_keypair-public-key-permissions.yml
- 61693-acme-buypass-acme-v1.yml
- 61738-ecs-certificate-invalid-chain.yaml
- 62218-fix-to-entrust-api.yml
- 62790-openssl_certificate_fix_assert.yml
- 62991-openssl_dhparam-cryptography-backend.yml
- 63140-acme-fix-fetch-url-status-codes.yaml
- 63432-openssl_csr-version.yml
- 63984-openssl-ed25519-ed448.yml
- 64436-openssh_keypair-add-password-protected-key-check.yml
- 64501-fix-python2.x-backward-compatibility.yaml
- 64648-acme_certificate-acmev1.yml
- 65017-openssh_keypair-idempotence.yml
- 65400-openssl-output.yml
- 65435-openssl_csr-privatekey_path-required.yml
- 65633-crypto-argspec-fixup.yml
- 66384-openssl-content.yml
- 67036-openssl_publickey-backend.yml
- 67038-openssl-openssh-key-regenerate.yml
- 67109-openssl_certificate-acme-directory.yaml
- 67515-openssl-fingerprint-fips.yml
- 67669-cryptography-names.yml
- 67901-get_certificate-fix-cryptography.yml
- letsencrypt.yml
- openssl_csr-otherName.yml
modules:
- description: Request validation of a domain with the Entrust Certificate Services
(ECS) API
name: ecs_domain
namespace: ''
- description: Generate Certificate Revocation Lists (CRLs)
name: x509_crl
namespace: ''
- description: Retrieve information on Certificate Revocation Lists (CRLs)
name: x509_crl_info
namespace: ''
release_date: '2020-07-03'
Release 1.1.0.
2020-08-18 14:45:57 +00:00
1.1.0:
changes:
bugfixes:
- acme_inspect - fix problem with Python 3.5 that JSON was not decoded (https://github.com/ansible-collections/community.crypto/issues/86).
- get_certificate - fix ``ca_cert`` option handling when ``proxy_host`` is used
(https://github.com/ansible-collections/community.crypto/pull/84).
- openssl_*, x509_* modules - fix handling of general names which refer to IP
networks and not IP addresses (https://github.com/ansible-collections/community.crypto/pull/92).
minor_changes:
- acme_account - add ``external_account_binding`` option to allow creation of
ACME accounts with External Account Binding (https://github.com/ansible-collections/community.crypto/issues/89).
- 'acme_certificate - allow new selector ``test_certificates: first`` for ``select_chain``
parameter (https://github.com/ansible-collections/community.crypto/pull/102).'
- cryptography backends - support arbitrary dotted OIDs (https://github.com/ansible-collections/community.crypto/issues/39).
- get_certificate - add support for SNI (https://github.com/ansible-collections/community.crypto/issues/69).
- luks_device - add support for encryption options on container creation (https://github.com/ansible-collections/community.crypto/pull/97).
- openssh_cert - add support for PKCS#11 tokens (https://github.com/ansible-collections/community.crypto/pull/95).
- openssl_certificate - the PyOpenSSL backend now uses 160 bits of randomness
for serial numbers, instead of a random number between 1000 and 99999. Please
note that this is not a high quality random number (https://github.com/ansible-collections/community.crypto/issues/76).
- openssl_csr - add support for name constraints extension (https://github.com/ansible-collections/community.crypto/issues/46).
- openssl_csr_info - add support for name constraints extension (https://github.com/ansible-collections/community.crypto/issues/46).
release_summary: 'Release for Ansible 2.10.0.
'
fragments:
- 1.1.0.yml
- 100-acme-account-external-account-binding.yml
- 102-acme-certificate-select-chain-first.yml
- 87-acme_inspect-python-3.5.yml
- 90-cryptography-oids.yml
- 90-openssl_certificate-pyopenssl-serial.yml
- 92-ip-networks.yml
- 92-openssl_csr-name-constraints.yml
- get_certificate-add_support_for_SNI.yml
- luks_device-add_encryption_option_on_create.yml
- openssh_cert-pkcs11.yml
modules:
- description: Sign data with openssl
name: openssl_signature
namespace: ''
- description: Verify signatures with openssl
name: openssl_signature_info
namespace: ''
release_date: '2020-08-18'
Release 1.1.1.
2020-09-14 20:21:54 +00:00
1.1.1:
changes:
bugfixes:
- meta/runtime.yml - convert Ansible version numbers for old names of modules
to collection version numbers (https://github.com/ansible-collections/community.crypto/pull/108).
- openssl_csr - improve handling of IDNA errors (https://github.com/ansible-collections/community.crypto/issues/105).
release_summary: Bugfixes for Ansible 2.10.0.
fragments:
- 1.1.1.yml
- 106-openssl_csr-idna-errors.yml
- 108-meta-runtime-versions.yml
release_date: '2020-09-14'
Release 1.2.0.
2020-10-13 12:17:30 +00:00
1.2.0:
changes:
bugfixes:
- openssl_pkcs12 - do not crash when reading PKCS#12 file which has no private
key and/or no main certificate (https://github.com/ansible-collections/community.crypto/issues/103).
minor_changes:
- acme_certificate - allow to pass CSR file as content with new option ``csr_content``
(https://github.com/ansible-collections/community.crypto/pull/115).
- x509_certificate_info - add ``fingerprints`` return value which returns certificate
fingerprints (https://github.com/ansible-collections/community.crypto/pull/121).
release_summary: Please note that this release fixes a security issue (CVE-2020-25646).
security_fixes:
- openssl_csr - the option ``privatekey_content`` was not marked as ``no_log``,
resulting in it being dumped into the system log by default, and returned
in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125).
- openssl_privatekey_info - the option ``content`` was not marked as ``no_log``,
resulting in it being dumped into the system log by default, and returned
in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125).
- openssl_publickey - the option ``privatekey_content`` was not marked as ``no_log``,
resulting in it being dumped into the system log by default, and returned
in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125).
- openssl_signature - the option ``privatekey_content`` was not marked as ``no_log``,
resulting in it being dumped into the system log by default, and returned
in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125).
- x509_certificate - the options ``privatekey_content`` and ``ownca_privatekey_content``
were not marked as ``no_log``, resulting in it being dumped into the system
log by default, and returned in the registered results in the ``invocation``
field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125).
- x509_crl - the option ``privatekey_content`` was not marked as ``no_log``,
resulting in it being dumped into the system log by default, and returned
in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125).
fragments:
- 1.2.0.yml
- 109-openssl_pkcs12-crash-no-cert-key.yml
- 115-acme_certificate-csr_content.yml
- 121-x509_certificate_info-fingerprints.yml
- cve-2020-25646.yml
release_date: '2020-10-13'
Release 1.3.0.
2020-11-24 18:40:52 +00:00
1.3.0:
changes:
bugfixes:
- openssl_pkcs12 - report the correct state when ``action`` is ``parse`` (https://github.com/ansible-collections/community.crypto/issues/143).
- support code - improve handling of certificate and certificate signing request
(CSR) loading with the ``cryptography`` backend when errors occur (https://github.com/ansible-collections/community.crypto/issues/138,
https://github.com/ansible-collections/community.crypto/pull/139).
- x509_certificate - fix ``entrust`` provider, which was broken since community.crypto
0.1.0 due to a feature added before the collection move (https://github.com/ansible-collections/community.crypto/pull/135).
minor_changes:
- openssh_cert - add module parameter ``use_agent`` to enable using signing
keys stored in ssh-agent (https://github.com/ansible-collections/community.crypto/issues/116).
- openssl_csr - refactor module to allow code re-use by openssl_csr_pipe (https://github.com/ansible-collections/community.crypto/pull/123).
- openssl_privatekey - refactor module to allow code re-use by openssl_privatekey_pipe
(https://github.com/ansible-collections/community.crypto/pull/119).
- openssl_privatekey - the elliptic curve ``secp192r1`` now triggers a security
warning. Elliptic curves of at least 224 bits should be used for new keys;
see `here <https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec.html#elliptic-curves>`_
(https://github.com/ansible-collections/community.crypto/pull/132).
- x509_certificate - for the ``selfsigned`` provider, a CSR is not required
anymore. If no CSR is provided, the module behaves as if a minimal CSR which
only contains the public key has been provided (https://github.com/ansible-collections/community.crypto/issues/32,
https://github.com/ansible-collections/community.crypto/pull/129).
- x509_certificate - refactor module to allow code re-use by x509_certificate_pipe
(https://github.com/ansible-collections/community.crypto/pull/135).
release_summary: 'Contains new modules ``openssl_privatekey_pipe``, ``openssl_csr_pipe``
and ``x509_certificate_pipe`` which allow to create or update private keys,
CSRs and X.509 certificates without having to write them to disk.
'
fragments:
- 1.3.0.yml
- 117-openssh_cert-use-ssh-agent.yml
- 129-x509_certificate-no-csr-selfsigned.yml
- 132-openssl_privatekey-ecc-order.yml
- 135-x509_certificate-entrust.yml
- 139-improve-error-handling.yml
- 145-add-check-for-parsed-pkcs12-files.yml
- privatekey-csr-certificate-refactoring.yml
modules:
- description: Generate OpenSSL Certificate Signing Request (CSR)
name: openssl_csr_pipe
namespace: ''
- description: Generate OpenSSL private keys without disk access
name: openssl_privatekey_pipe
namespace: ''
- description: Generate and/or check OpenSSL certificates
name: x509_certificate_pipe
namespace: ''
release_date: '2020-11-24'
Release 1.4.0.
2021-01-26 11:38:36 +00:00
1.4.0:
changes:
bugfixes:
- acme_certificate - error when requested challenge type is not found for non-valid
challenges, instead of hanging on step 2 (https://github.com/ansible-collections/community.crypto/issues/171,
https://github.com/ansible-collections/community.crypto/pull/173).
minor_changes:
- The ACME module_utils has been relicensed back from the Simplified BSD License
(https://opensource.org/licenses/BSD-2-Clause) to the GPLv3+ (same license
used by most other code in this collection). This undoes a licensing change
when the original GPLv3+ licensed code was moved to module_utils in https://github.com/ansible/ansible/pull/40697
(https://github.com/ansible-collections/community.crypto/pull/165).
- The ``crypto/identify.py`` module_utils has been renamed to ``crypto/pem.py``
(https://github.com/ansible-collections/community.crypto/pull/166).
- luks_device - ``new_keyfile``, ``new_passphrase``, ``remove_keyfile`` and
``remove_passphrase`` are now idempotent (https://github.com/ansible-collections/community.crypto/issues/19,
https://github.com/ansible-collections/community.crypto/pull/168).
- luks_device - allow to configure PBKDF (https://github.com/ansible-collections/community.crypto/pull/163).
- openssl_csr, openssl_csr_pipe - allow to specify CRL distribution endpoints
with ``crl_distribution_points`` (https://github.com/ansible-collections/community.crypto/issues/147,
https://github.com/ansible-collections/community.crypto/pull/167).
- openssl_pkcs12 - allow to specify certificate bundles in ``other_certificates``
by using new option ``other_certificates_parse_all`` (https://github.com/ansible-collections/community.crypto/issues/149,
https://github.com/ansible-collections/community.crypto/pull/166).
release_summary: Release with several new features and bugfixes.
fragments:
- 1.4.0.yml
- 163-luks-pbkdf.yml
- 166-openssl_pkcs12-certificate-bundles.yml
- 167-openssl_csr-crl-distribution-points.yml
- 168-luks_device-add-remove-idempotence.yml
- 173-acme_certificate-wrong-challenge.yml
- acme-module-utils-relicense.yml
release_date: '2021-01-26'
Release 1.5.0.
2021-03-08 05:54:42 +00:00
1.5.0:
changes:
bugfixes:
- openssl_csr - no longer fails when comparing CSR without basic constraint
when ``basic_constraints`` is specified (https://github.com/ansible-collections/community.crypto/issues/179,
https://github.com/ansible-collections/community.crypto/pull/180).
deprecated_features:
- acme_account_info - when ``retrieve_orders=url_list``, ``orders`` will no
longer be returned in community.crypto 2.0.0. Use ``order_uris`` instead (https://github.com/ansible-collections/community.crypto/pull/178).
minor_changes:
- acme_account_info - when ``retrieve_orders`` is not ``ignore`` and the ACME
server allows to query orders, the new return value ``order_uris`` is always
populated with a list of URIs (https://github.com/ansible-collections/community.crypto/pull/178).
- luks_device - allow to specify sector size for LUKS2 containers with new ``sector_size``
parameter (https://github.com/ansible-collections/community.crypto/pull/193).
release_summary: Regular feature and bugfix release. Deprecates a return value.
fragments:
- 1.5.0.yml
- 178-acme_account_info-orders-urls.yml
- 179-openssl-csr-basic-constraint.yml
- 193-luks_device-sector_size.yml
release_date: '2021-03-08'
Release 1.6.0.
2021-03-22 11:55:25 +00:00
1.6.0:
changes:
bugfixes:
- action_module plugin helper - make compatible with latest changes in ansible-core
2.11.0b3 (https://github.com/ansible-collections/community.crypto/pull/202).
- openssl_privatekey_pipe - make compatible with latest changes in ansible-core
2.11.0b3 (https://github.com/ansible-collections/community.crypto/pull/202).
deprecated_features:
- acme module_utils - the ``acme`` module_utils (``ansible_collections.community.crypto.plugins.module_utils.acme``)
is deprecated and will be removed in community.crypto 2.0.0. Use the new Python
modules in the ``acme`` package instead (``ansible_collections.community.crypto.plugins.module_utils.acme.xxx``)
(https://github.com/ansible-collections/community.crypto/pull/184).
minor_changes:
- acme module_utils - the ``acme`` module_utils has been split up into several
Python modules (https://github.com/ansible-collections/community.crypto/pull/184).
- acme_* modules - codebase refactor which should not be visible to end-users
(https://github.com/ansible-collections/community.crypto/pull/184).
- acme_* modules - support account key passphrases for ``cryptography`` backend
(https://github.com/ansible-collections/community.crypto/issues/197, https://github.com/ansible-collections/community.crypto/pull/207).
- acme_certificate_revoke - support revoking by private keys that are passphrase
protected for ``cryptography`` backend (https://github.com/ansible-collections/community.crypto/pull/207).
- acme_challenge_cert_helper - add ``private_key_passphrase`` parameter (https://github.com/ansible-collections/community.crypto/pull/207).
release_summary: Fixes compatibility issues with the latest ansible-core 2.11
beta, and contains a lot of internal refactoring for the ACME modules and
support for private key passphrases for them.
fragments:
- 1.6.0.yml
- 184-acme-refactor.yml
- 202-actionmodule-plugin-utils-ansible-core-2.11.yml
- 207-acme-account-key-passphrase.yml
release_date: '2021-03-22'
Release 1.6.1.
2021-04-11 13:47:23 +00:00
1.6.1:
changes:
bugfixes:
- acme_* modules - fix wrong usages of ``ACMEProtocolException`` (https://github.com/ansible-collections/community.crypto/pull/216,
https://github.com/ansible-collections/community.crypto/pull/217).
release_summary: Bugfix release.
fragments:
- 1.6.1.yml
- 217-acme-exceptions.yml
release_date: '2021-04-11'
Release 1.6.2.
2021-04-28 05:53:36 +00:00
1.6.2:
changes:
bugfixes:
- acme_* modules - avoid crashing for ACME servers where the ``meta`` directory
key is not present (https://github.com/ansible-collections/community.crypto/issues/220,
https://github.com/ansible-collections/community.crypto/pull/221).
release_summary: Bugfix release. Fixes compatibility issue of ACME modules with
step-ca.
fragments:
- 1.6.2.yml
- 221-acme-meta.yml
release_date: '2021-04-28'
Release 1.7.0.
2021-06-02 16:18:45 +00:00
1.7.0:
changes:
bugfixes:
- openssh_keypair - fix ``check_mode`` to populate return values for existing
keypairs (https://github.com/ansible-collections/community.crypto/issues/113,
https://github.com/ansible-collections/community.crypto/pull/230).
- various modules - prevent crashes when modules try to set attributes on not
yet existing files in check mode. This will be fixed in ansible-core 2.12,
but it is not backported to every Ansible version we support (https://github.com/ansible-collections/community.crypto/issue/242,
https://github.com/ansible-collections/community.crypto/pull/243).
- x509_certificate - fix crash when ``assertonly`` provider is used and some
error conditions should be reported (https://github.com/ansible-collections/community.crypto/issues/240,
https://github.com/ansible-collections/community.crypto/pull/241).
minor_changes:
- cryptography_openssh module utils - new module_utils for managing asymmetric
keypairs and OpenSSH formatted/encoded asymmetric keypairs (https://github.com/ansible-collections/community.crypto/pull/213).
- openssh_keypair - added ``backend`` parameter for selecting between the cryptography
library or the OpenSSH binary for the execution of actions performed by ``openssh_keypair``
(https://github.com/ansible-collections/community.crypto/pull/236).
- openssh_keypair - added ``passphrase`` parameter for encrypting/decrypting
OpenSSH private keys (https://github.com/ansible-collections/community.crypto/pull/225).
- openssl_csr - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38,
https://github.com/ansible-collections/community.crypto/pull/150).
- openssl_csr_info - now returns ``public_key_type`` and ``public_key_data``
(https://github.com/ansible-collections/community.crypto/pull/233).
- openssl_csr_info - refactor module to allow code re-use for diff mode (https://github.com/ansible-collections/community.crypto/pull/204).
- openssl_csr_pipe - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38,
https://github.com/ansible-collections/community.crypto/pull/150).
- openssl_pkcs12 - added option ``select_crypto_backend`` and a ``cryptography``
backend. This requires cryptography 3.0 or newer, and does not support the
``iter_size`` and ``maciter_size`` options (https://github.com/ansible-collections/community.crypto/pull/234).
- openssl_privatekey - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38,
https://github.com/ansible-collections/community.crypto/pull/150).
- openssl_privatekey_info - refactor module to allow code re-use for diff mode
(https://github.com/ansible-collections/community.crypto/pull/205).
- openssl_privatekey_pipe - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38,
https://github.com/ansible-collections/community.crypto/pull/150).
- openssl_publickey - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38,
https://github.com/ansible-collections/community.crypto/pull/150).
- x509_certificate - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38,
https://github.com/ansible-collections/community.crypto/pull/150).
- x509_certificate_info - now returns ``public_key_type`` and ``public_key_data``
(https://github.com/ansible-collections/community.crypto/pull/233).
- x509_certificate_info - refactor module to allow code re-use for diff mode
(https://github.com/ansible-collections/community.crypto/pull/206).
- x509_certificate_pipe - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38,
https://github.com/ansible-collections/community.crypto/pull/150).
- x509_crl - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38,
https://github.com/ansible-collections/community.crypto/pull/150).
- x509_crl_info - add ``list_revoked_certificates`` option to avoid enumerating
all revoked certificates (https://github.com/ansible-collections/community.crypto/pull/232).
- x509_crl_info - refactor module to allow code re-use for diff mode (https://github.com/ansible-collections/community.crypto/pull/203).
release_summary: Regular feature and bugfix release.
fragments:
- 1.7.0.yml
- 150-diff.yml
- 203-x509_crl_info.yml
- 204-openssl_csr_info.yml
- 205-openssl_privatekey_info.yml
- 206-x509_certificate_info.yml
- 213-cryptography-openssh-module-utils.yml
- 225-openssh-keypair-passphrase.yml
- 230-openssh_keypair-check_mode-return-values.yml
- 232-x509_crl_info-list_revoked_certificates.yml
- 233-public-key-info.yml
- 234-openssl_pkcs12-cryptography.yml
- 236-openssh_keypair-backends.yml
- 241-x509_certificate-assertonly.yml
- 243-permission-check-crash.yml
modules:
- description: Provide information for OpenSSL public keys
name: openssl_publickey_info
namespace: ''
release_date: '2021-06-02'
Release 1.7.1.
2021-06-11 21:05:56 +00:00
1.7.1:
changes:
bugfixes:
- openssl_pkcs12 - fix crash when loading passphrase-protected PKCS#12 files
with ``cryptography`` backend (https://github.com/ansible-collections/community.crypto/issues/247,
https://github.com/ansible-collections/community.crypto/pull/248).
release_summary: Bugfix release.
fragments:
- 1.7.1.yml
- 248-openssl_pkcs12-passphrase-fix.yml
release_date: '2021-06-11'
Release 1.8.0.
2021-08-10 15:06:23 +00:00
1.8.0:
changes:
bugfixes:
- openssh_cert - fixed certificate generation to restore original certificate
if an error is encountered (https://github.com/ansible-collections/community.crypto/pull/255).
- openssh_keypair - fixed a bug that prevented custom file attributes being
applied to public keys (https://github.com/ansible-collections/community.crypto/pull/257).
minor_changes:
- Avoid internal ansible-core module_utils in favor of equivalent public API
available since at least Ansible 2.9 (https://github.com/ansible-collections/community.crypto/pull/253).
- openssh certificate module utils - new module_utils for parsing OpenSSH certificates
(https://github.com/ansible-collections/community.crypto/pull/246).
- openssh_cert - added ``regenerate`` option to validate additional certificate
parameters which trigger regeneration of an existing certificate (https://github.com/ansible-collections/community.crypto/pull/256).
- openssh_cert - adding ``diff`` support (https://github.com/ansible-collections/community.crypto/pull/255).
release_summary: Regular bugfix and feature release.
fragments:
- 1.8.0.yml
- 246-openssh-certificate-module-utils.yml
- 255-openssh_cert-adding-diff-support.yml
- 256-openssh_cert-adding-idempotency-option.yml
- 257-openssh-keypair-fix-pubkey-permissions.yml
- ansible-core-_text.yml
release_date: '2021-08-10'
Release 1.9.0.
2021-08-30 18:12:47 +00:00
1.9.0:
changes:
bugfixes:
- keypair_backend module utils - simplify code to pass sanity tests (https://github.com/ansible-collections/community.crypto/pull/263).
- openssh_keypair - fixed ``cryptography`` backend to preserve original file
permissions when regenerating a keypair requires existing files to be overwritten
(https://github.com/ansible-collections/community.crypto/pull/260).
- openssh_keypair - fixed error handling to restore original keypair if regeneration
fails (https://github.com/ansible-collections/community.crypto/pull/260).
- x509_crl - restore inherited function signature to pass sanity tests (https://github.com/ansible-collections/community.crypto/pull/263).
minor_changes:
- get_certificate - added ``starttls`` option to retrieve certificates from
servers which require clients to request an encrypted connection (https://github.com/ansible-collections/community.crypto/pull/264).
- openssh_keypair - added ``diff`` support (https://github.com/ansible-collections/community.crypto/pull/260).
release_summary: Regular feature release.
fragments:
- 1.9.0.yml
- 260-openssh_keypair-diff-support.yml
- 263-sanity.yml
- 264-get_certificate-add-starttls-option.yml
release_date: '2021-08-30'
Add non-existing 1.9.1 release.
2021-08-30 20:00:39 +00:00
1.9.1:
changes:
release_summary: Accidental 1.9.1 release. Identical to 1.9.0.
release_date: '2021-08-30'
Release 1.9.10.
2022-02-01 04:49:00 +00:00
1.9.10:
changes:
bugfixes:
- luks_devices - set ``LANG`` and similar environment variables to avoid translated
output, which can break some of the module's functionality like key management
(https://github.com/ansible-collections/community.crypto/pull/388, https://github.com/ansible-collections/community.crypto/issues/385).
release_summary: Regular bugfix release.
fragments:
- 1.9.10.yml
- 388-luks_device-i18n.yml
release_date: '2022-02-01'
Release 1.9.11.
2022-02-05 20:28:22 +00:00
1.9.11:
changes:
bugfixes:
- openssh_cert - fixed false ``changed`` status for ``host`` certificates when
using ``full_idempotence`` (https://github.com/ansible-collections/community.crypto/issues/395,
https://github.com/ansible-collections/community.crypto/pull/396).
release_summary: Bugfix release.
fragments:
- 1.9.11.yml
- 396-openssh_cert-host-cert-idempotence-fix.yml
release_date: '2022-02-05'
Release 1.9.12.
2022-02-21 20:48:14 +00:00
1.9.12:
changes:
bugfixes:
- certificate_complete_chain - allow multiple potential intermediate certificates
to have the same subject (https://github.com/ansible-collections/community.crypto/issues/399,
https://github.com/ansible-collections/community.crypto/pull/403).
- x509_certificate - for the ``ownca`` provider, check whether the CA private
key actually belongs to the CA certificate. This fix only covers the ``cryptography``
backend, not the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/407).
- x509_certificate - regenerate certificate when the CA's public key changes
for ``provider=ownca``. This fix only covers the ``cryptography`` backend,
not the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/407).
- x509_certificate - regenerate certificate when the CA's subject changes for
``provider=ownca`` (https://github.com/ansible-collections/community.crypto/issues/400,
https://github.com/ansible-collections/community.crypto/pull/402).
- x509_certificate - regenerate certificate when the private key changes for
``provider=selfsigned``. This fix only covers the ``cryptography`` backend,
not the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/407).
known_issues:
- x509_certificate - when using the ``ownca`` provider with the ``pyopenssl``
backend, changing the CA's public key does not cause regeneration of the certificate
(https://github.com/ansible-collections/community.crypto/pull/407).
- x509_certificate - when using the ``ownca`` provider with the ``pyopenssl``
backend, it is possible to specify a CA private key which is not related to
the CA certificate (https://github.com/ansible-collections/community.crypto/pull/407).
- x509_certificate - when using the ``selfsigned`` provider with the ``pyopenssl``
backend, changing the private key does not cause regeneration of the certificate
(https://github.com/ansible-collections/community.crypto/pull/407).
release_summary: Regular bugfix release.
fragments:
- 1.9.12.yml
- 402-x509_certificate-ownca-subject.yml
- 403-certificate_complete_chain-same-subject.yml
- 407-x509_certificate-signature.yml
release_date: '2022-02-21'
Release 1.9.13.
2022-03-04 06:38:05 +00:00
1.9.13:
changes:
bugfixes:
- luks_device - fix parsing of ``lsblk`` output when device name ends with ``crypt``
(https://github.com/ansible-collections/community.crypto/issues/409, https://github.com/ansible-collections/community.crypto/pull/410).
release_summary: Regular bugfix release.
fragments:
- 1.9.13.yml
- 410-luks_device-lsblk-parsing.yml
release_date: '2022-03-04'
Release 1.9.14.
2022-05-09 18:29:24 +00:00
1.9.14:
changes:
bugfixes:
- Make collection more robust when PyOpenSSL is used with an incompatible cryptography
version (https://github.com/ansible-collections/community.crypto/pull/446).
- openssh_* modules - fix exception handling to report traceback to users for
enhanced traceability (https://github.com/ansible-collections/community.crypto/pull/417).
- x509_crl - fix crash when ``issuer`` for a revoked certificate is specified
(https://github.com/ansible-collections/community.crypto/pull/441).
release_summary: Regular bugfix release.
fragments:
- 1.9.14.yml
- 417-openssh_modules-fix-exception-reporting.yml
- 441-x509-crl-cert-issuer.yml
- 446-fix.yml
release_date: '2022-05-09'
Release 1.9.15.
2022-05-16 10:26:27 +00:00
1.9.15:
changes:
bugfixes:
- Include ``PSF-license.txt`` file for ``plugins/module_utils/_version.py``.
release_summary: Maintenance release.
fragments:
- 1.9.15.yml
- psf-license.yml
release_date: '2022-05-16'
Release 1.9.16.
2022-06-02 10:27:44 +00:00
1.9.16:
changes:
bugfixes:
- Include ``simplified_bsd.txt`` license file for the ECS module utils.
- certificate_complete_chain - do not stop execution if an unsupported signature
algorithm is encountered; warn instead (https://github.com/ansible-collections/community.crypto/pull/457).
release_summary: Maintenance and bugfix release.
fragments:
- 1.9.16.yml
- 457-certificate_complete_chain-unsupported-algorithm.yml
- simplified-bsd-license.yml
release_date: '2022-06-02'
Release 1.9.17.
2022-06-17 06:23:20 +00:00
1.9.17:
changes:
bugfixes:
- Include ``Apache-2.0.txt`` file for ``plugins/module_utils/crypto/_obj2txt.py``
and ``plugins/module_utils/crypto/_objects_data.py``.
- openssl_csr - the module no longer crashes with 'permitted_subtrees/excluded_subtrees
must be a non-empty list or None' if only one of ``name_constraints_permitted``
and ``name_constraints_excluded`` is provided (https://github.com/ansible-collections/community.crypto/issues/481).
- x509_crl - do not crash when signing CRL with Ed25519 or Ed448 keys (https://github.com/ansible-collections/community.crypto/issues/473,
https://github.com/ansible-collections/community.crypto/pull/474).
release_summary: Bugfix release.
fragments:
- 1.9.17.yml
- 474-x509_crl-ed25519-ed448.yml
- 481-fix-excluded_subtrees-must-be-a-non-empty-list-or-None.yml
- apache-license.yml
release_date: '2022-06-17'
Release 1.9.18.
2022-07-09 11:17:40 +00:00
1.9.18:
changes:
bugfixes:
- openssl_pkcs12 - when using the pyOpenSSL backend, do not crash when trying
to read non-existing other certificates (https://github.com/ansible-collections/community.crypto/issues/486,
https://github.com/ansible-collections/community.crypto/pull/487).
release_summary: Bugfix release.
fragments:
- 1.9.18.yml
- 487-openssl_pkcs12-other-certs-crash.yml
release_date: '2022-07-09'
Release 1.9.19.
2022-11-01 19:53:52 +00:00
1.9.19:
changes:
bugfixes:
- openssl_privatekey_pipe - ensure compatibility with newer versions of ansible-core
(https://github.com/ansible-collections/community.crypto/pull/515).
release_summary: Bugfix release.
fragments:
- 1.9.19.yml
- 515-action-module-compat.yml
release_date: '2022-11-01'
Fix changelog from last time.
2021-09-14 05:13:25 +00:00
1.9.2:
changes:
release_summary: Bugfix release to fix the changelog. No other change compared
to 1.9.0.
fragments:
- 1.9.2.yml
release_date: '2021-08-30'
Release 1.9.20.
2023-01-01 07:14:32 +00:00
1.9.20:
changes:
bugfixes:
- openssl_publickey_info - do not crash with internal error when public key
cannot be parsed (https://github.com/ansible-collections/community.crypto/pull/551).
release_summary: Bugfix release.
fragments:
- 1.9.20.yml
- 551-publickey-info.yml
release_date: '2023-01-01'
Release 1.9.21.
2023-04-16 17:47:19 +00:00
1.9.21:
changes:
bugfixes:
- action plugin helper - fix handling of deprecations for ansible-core 2.14.2
(https://github.com/ansible-collections/community.crypto/pull/572).
- openssl_csr, openssl_csr_pipe - prevent invalid values for ``crl_distribution_points``
that do not have one of ``full_name``, ``relative_name``, and ``crl_issuer``
(https://github.com/ansible-collections/community.crypto/pull/560).
release_summary: Bugfix release.
fragments:
- 1.9.21.yml
- 560-openssl_csr-crl_distribution_points.yml
- 572-action-module.yml
release_date: '2023-04-16'
Release 1.9.3.
2021-09-14 06:15:32 +00:00
1.9.3:
changes:
bugfixes:
- openssl_csr and openssl_csr_pipe - make sure that Unicode strings are used
to compare strings with the cryptography backend. This fixes idempotency problems
with non-ASCII letters on Python 2 (https://github.com/ansible-collections/community.crypto/issues/270,
https://github.com/ansible-collections/community.crypto/pull/271).
release_summary: Regular bugfix release.
fragments:
- 1.9.3.yml
- 271-openssl_csr-utf8.yml
release_date: '2021-09-14'
Release 1.9.4.
2021-09-28 15:17:41 +00:00
1.9.4:
changes:
bugfixes:
- acme_* modules - fix commands composed for OpenSSL backend to retrieve information
on CSRs and certificates from stdin to use ``/dev/stdin`` instead of ``-``.
This is needed for OpenSSL 1.0.1 and 1.0.2, apparently (https://github.com/ansible-collections/community.crypto/pull/279).
- acme_challenge_cert_helper - only return exception when cryptography is not
installed, not when a too old version of it is installed. This prevents Ansible's
callback to crash (https://github.com/ansible-collections/community.crypto/pull/281).
release_summary: Regular bugfix release.
fragments:
- 1.9.4.yml
- 279-acme-openssl.yml
- 282-acme_challenge_cert_helper-error.yml
release_date: '2021-09-28'
Release 1.9.5.
2021-10-06 11:08:43 +00:00
1.9.5:
changes:
bugfixes:
- get_certificate - fix compatibility with the cryptography 35.0.0 release (https://github.com/ansible-collections/community.crypto/pull/294).
- openssl_csr_info - fix compatibility with the cryptography 35.0.0 release
(https://github.com/ansible-collections/community.crypto/pull/294).
- openssl_csr_info - fix compatibility with the cryptography 35.0.0 release
in PyOpenSSL backend (https://github.com/ansible-collections/community.crypto/pull/300).
- openssl_pkcs12 - fix compatibility with the cryptography 35.0.0 release (https://github.com/ansible-collections/community.crypto/pull/296).
- x509_certificate_info - fix compatibility with the cryptography 35.0.0 release
(https://github.com/ansible-collections/community.crypto/pull/294).
- x509_certificate_info - fix compatibility with the cryptography 35.0.0 release
in PyOpenSSL backend (https://github.com/ansible-collections/community.crypto/pull/300).
release_summary: Bugfix release to fully support cryptography 35.0.0.
fragments:
- 1.9.5.yml
- 294-cryptography-35.0.0.yml
- 296-openssl_pkcs12-cryptography-35.yml
- 300-pyopenssl-cryptography-35.yml
release_date: '2021-10-06'
Release 1.9.6.
2021-10-30 15:48:48 +00:00
1.9.6:
changes:
bugfixes:
- cryptography backend - improve Unicode handling for Python 2 (https://github.com/ansible-collections/community.crypto/pull/313).
release_summary: Regular bugfix release.
fragments:
- 1.9.6.yml
- 313-unicode-names.yml
release_date: '2021-10-30'
Release 1.9.7.
2021-11-22 10:41:02 +00:00
1.9.7:
changes:
bugfixes:
- acme_certificate - avoid passing multiple certificates to ``cryptography``'s
X.509 certificate loader when ``fullchain_dest`` is used (https://github.com/ansible-collections/community.crypto/pull/324).
- get_certificate, openssl_csr_info, x509_certificate_info - add fallback code
for extension parsing that works with cryptography 36.0.0 and newer. This
code re-serializes de-serialized extensions and thus can return slightly different
values if the extension in the original CSR resp. certificate was not canonicalized
correctly. This code is currently used as a fallback if the existing code
stops working, but we will switch it to be the main code in a future release
(https://github.com/ansible-collections/community.crypto/pull/331).
- luks_device - now also runs a built-in LUKS signature cleaner on ``state=absent``
to make sure that also the secondary LUKS2 header is wiped when older versions
of wipefs are used (https://github.com/ansible-collections/community.crypto/issues/326,
https://github.com/ansible-collections/community.crypto/pull/327).
- openssl_pkcs12 - use new PKCS#12 deserialization infrastructure from cryptography
36.0.0 if available (https://github.com/ansible-collections/community.crypto/pull/302).
minor_changes:
- acme_* modules - fix usage of ``fetch_url`` with changes in latest ansible-core
``devel`` branch (https://github.com/ansible-collections/community.crypto/pull/339).
release_summary: Bugfix release with extra forward compatibility for newer versions
of cryptography.
fragments:
- 1.9.7.yml
- 302-openssl_pkcs12-cryptography-36.0.0.yml
- 324-acme_certificate-fullchain.yml
- 327-luks_device-wipe.yml
- 331-cryptography-extensions.yml
- fetch_url-devel.yml
release_date: '2021-11-22'
Release 1.9.8.
2021-12-13 19:20:05 +00:00
1.9.8:
changes:
release_summary: Documentation fix release. No actual code changes.
fragments:
- 1.9.8.yml
release_date: '2021-12-13'
Release 1.9.9.
2022-01-11 06:04:43 +00:00
1.9.9:
changes:
bugfixes:
- Various modules and plugins - use vendored version of ``distutils.version``
instead of the deprecated Python standard library ``distutils`` (https://github.com/ansible-collections/community.crypto/pull/353).
- certificate_complete_chain - do not append root twice if the chain already
ends with a root certificate (https://github.com/ansible-collections/community.crypto/pull/360).
- certificate_complete_chain - do not hang when infinite loop is found (https://github.com/ansible-collections/community.crypto/issues/355,
https://github.com/ansible-collections/community.crypto/pull/360).
fragments:
- 353-distutils.version.yml
- 360-certificate_complete_chain-loop.yml
release_date: '2022-01-11'