<linkrel="next"title="community.crypto.acme_certificate_revoke module – Revoke certificates with the ACME protocol"href="acme_certificate_revoke_module.html"/>
<linkrel="prev"title="community.crypto.acme_account_info module – Retrieves information on ACME accounts"href="acme_account_info_module.html"/><!-- extra head elements for Ansible beyond RTD Sphinx Theme -->
</head>
<bodyclass="wy-body-for-nav"><!-- extra body elements for Ansible beyond RTD Sphinx Theme -->
<liclass="toctree-l1"><aclass="reference internal"href="docsite/guide_selfsigned.html">How to create self-signed certificates</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="docsite/guide_ownca.html">How to create a small CA</a></li>
</ul>
<ulclass="current">
<liclass="toctree-l1"><aclass="reference internal"href="acme_account_module.html">community.crypto.acme_account module – Create, modify or delete ACME accounts</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_account_info_module.html">community.crypto.acme_account_info module – Retrieves information on ACME accounts</a></li>
<liclass="toctree-l1 current"><aclass="current reference internal"href="#">community.crypto.acme_certificate module – Create SSL/TLS certificates with the ACME protocol</a><ul>
<liclass="toctree-l1"><aclass="reference internal"href="acme_certificate_revoke_module.html">community.crypto.acme_certificate_revoke module – Revoke certificates with the ACME protocol</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_challenge_cert_helper_module.html">community.crypto.acme_challenge_cert_helper module – Prepare certificates required for ACME challenges such as <codeclass="docutils literal notranslate"><spanclass="pre">tls-alpn-01</span></code></a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_inspect_module.html">community.crypto.acme_inspect module – Send direct requests to an ACME server</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="certificate_complete_chain_module.html">community.crypto.certificate_complete_chain module – Complete certificate chain given a set of untrusted and root certificates</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="ecs_certificate_module.html">community.crypto.ecs_certificate module – Request SSL/TLS certificates with the Entrust Certificate Services (ECS) API</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="ecs_domain_module.html">community.crypto.ecs_domain module – Request validation of a domain with the Entrust Certificate Services (ECS) API</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="get_certificate_module.html">community.crypto.get_certificate module – Get a certificate from a host:port</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssh_cert_module.html">community.crypto.openssh_cert module – Generate OpenSSH host or user certificates.</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssh_keypair_module.html">community.crypto.openssh_keypair module – Generate OpenSSH private and public keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_csr_info_module.html">community.crypto.openssl_csr_info module – Provide information of OpenSSL Certificate Signing Requests (CSR)</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_privatekey_info_module.html">community.crypto.openssl_privatekey_info module – Provide information for OpenSSL private keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_privatekey_pipe_module.html">community.crypto.openssl_privatekey_pipe module – Generate OpenSSL private keys without disk access</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_publickey_module.html">community.crypto.openssl_publickey module – Generate an OpenSSL public key from its private key.</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_publickey_info_module.html">community.crypto.openssl_publickey_info module – Provide information for OpenSSL public keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_signature_module.html">community.crypto.openssl_signature module – Sign data with openssl</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_signature_info_module.html">community.crypto.openssl_signature_info module – Verify signatures with openssl</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="x509_certificate_info_module.html">community.crypto.x509_certificate_info module – Provide information of OpenSSL X.509 certificates</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_privatekey_info_filter.html">community.crypto.openssl_privatekey_info filter – Retrieve information from OpenSSL private keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_publickey_info_filter.html">community.crypto.openssl_publickey_info filter – Retrieve information from OpenSSL public keys in PEM format</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="x509_certificate_info_filter.html">community.crypto.x509_certificate_info filter – Retrieve information from X.509 certificates in PEM format</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="x509_crl_info_filter.html">community.crypto.x509_crl_info filter – Retrieve information from X.509 CRLs in PEM format</a></li>
<liclass="breadcrumb-item active">community.crypto.acme_certificate module – Create SSL/TLS certificates with the ACME protocol</li>
<liclass="wy-breadcrumbs-aside">
<!-- User defined GitHub URL -->
<ahref="https://github.com/ansible-collections/community.crypto/edit/main/plugins/modules/acme_certificate.py?description=%23%23%23%23%23%20SUMMARY%0A%3C!—%20Your%20description%20here%20–%3E%0A%0A%0A%23%23%23%23%23%20ISSUE%20TYPE%0A-%20Docs%20Pull%20Request%0A%0A%2Blabel:%20docsite_pr"class="fa fa-github"> Edit on GitHub</a>
<h1>community.crypto.acme_certificate module – Create SSL/TLS certificates with the ACME protocol<aclass="headerlink"href="#community-crypto-acme-certificate-module-create-ssl-tls-certificates-with-the-acme-protocol"title="Permalink to this heading"></a></h1>
<p>This module is part of the <aclass="reference external"href="https://galaxy.ansible.com/community/crypto">community.crypto collection</a> (version 2.11.0).</p>
You need further requirements to be able to use this module,
see <aclass="reference internal"href="#ansible-collections-community-crypto-acme-certificate-module-requirements"><spanclass="std std-ref">Requirements</span></a> for details.</p>
<p>To use it in a playbook, specify: <codeclass="code docutils literal notranslate"><spanclass="pre">community.crypto.acme_certificate</span></code>.</p>
<h2><aclass="toc-backref"href="#id1">Synopsis</a><aclass="headerlink"href="#synopsis"title="Permalink to this heading"></a></h2>
<ulclass="simple">
<li><p>Create and renew SSL/TLS certificates with a CA supporting the <aclass="reference external"href="https://tools.ietf.org/html/rfc8555">ACME protocol</a>, such as <aclass="reference external"href="https://letsencrypt.org/">Let’s Encrypt</a> or <aclass="reference external"href="https://www.buypass.com/">Buypass</a>. The current implementation supports the <codeclass="docutils literal notranslate"><spanclass="pre">http-01</span></code>, <codeclass="docutils literal notranslate"><spanclass="pre">dns-01</span></code> and <codeclass="docutils literal notranslate"><spanclass="pre">tls-alpn-01</span></code> challenges.</p></li>
<li><p>To use this module, it has to be executed twice. Either as two different tasks in the same run or during two runs. Note that the output of the first run needs to be recorded and passed to the second run as the module argument <codeclass="docutils literal notranslate"><spanclass="pre">data</span></code>.</p></li>
<li><p>Between these two tasks you have to fulfill the required steps for the chosen challenge by whatever means necessary. For <codeclass="docutils literal notranslate"><spanclass="pre">http-01</span></code> that means creating the necessary challenge file on the destination webserver. For <codeclass="docutils literal notranslate"><spanclass="pre">dns-01</span></code> the necessary dns record has to be created. For <codeclass="docutils literal notranslate"><spanclass="pre">tls-alpn-01</span></code> the necessary certificate has to be created and served. It is <em>not</em> the responsibility of this module to perform these steps.</p></li>
<li><p>For details on how to fulfill these challenges, you might have to read through <aclass="reference external"href="https://tools.ietf.org/html/rfc8555#section-8">the main ACME specification</a> and the <aclass="reference external"href="https://www.rfc-editor.org/rfc/rfc8737.html#section-3">TLS-ALPN-01 specification</a>. Also, consider the examples provided for this module.</p></li>
<li><p>The module includes experimental support for IP identifiers according to the <aclass="reference external"href="https://www.rfc-editor.org/rfc/rfc8738.html">RFC 8738</a>.</p></li>
</ul>
</section>
<sectionid="requirements">
<spanid="ansible-collections-community-crypto-acme-certificate-module-requirements"></span><h2><aclass="toc-backref"href="#id2">Requirements</a><aclass="headerlink"href="#requirements"title="Permalink to this heading"></a></h2>
<p>The below requirements are needed on the host that executes this module.</p>
<ulclass="simple">
<li><p>either openssl or <aclass="reference external"href="https://cryptography.io/">cryptography</a>>= 1.5</p></li>
<li><p>ipaddress</p></li>
</ul>
</section>
<sectionid="parameters">
<h2><aclass="toc-backref"href="#id3">Parameters</a><aclass="headerlink"href="#parameters"title="Permalink to this heading"></a></h2>
<aclass="ansibleOptionLink"href="#parameter-account_email"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The email address associated with this account.</p>
<p>It will be used for certificate expiration warnings.</p>
<p>Note that when <codeclass="docutils literal notranslate"><spanclass="pre">modify_account</span></code> is not set to <codeclass="docutils literal notranslate"><spanclass="pre">false</span></code> and you also used the <aclass="reference internal"href="acme_account_module.html#ansible-collections-community-crypto-acme-account-module"><spanclass="std std-ref">community.crypto.acme_account</span></a> module to specify more than one contact for your account, this module will update your account and restrict it to the (at most one) contact email address specified here.</p>
<aclass="ansibleOptionLink"href="#parameter-account_key_content"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Content of the ACME account RSA or Elliptic Curve key.</p>
<p>Mutually exclusive with <codeclass="docutils literal notranslate"><spanclass="pre">account_key_src</span></code>.</p>
<p>Required if <codeclass="docutils literal notranslate"><spanclass="pre">account_key_src</span></code> is not used.</p>
<p><strong>Warning:</strong> the content will be written into a temporary file, which will be deleted by Ansible when the module completes. Since this is an important private key — it can be used to change the account key, or to revoke your certificates without knowing their private keys —, this might not be acceptable.</p>
<p>In case <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> is used, the content is not written into a temporary file. It can still happen that it is written to disk by Ansible in the process of moving the module with its argument to the node where it is executed.</p>
<aclass="ansibleOptionLink"href="#parameter-account_key_passphrase"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<p><spanclass="ansible-option-versionadded">added in community.crypto 1.6.0</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Phassphrase to use to decode the account key.</p>
<p><strong>Note:</strong> this is not supported by the <codeclass="docutils literal notranslate"><spanclass="pre">openssl</span></code> backend, only by the <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> backend.</p>
<aclass="ansibleOptionLink"href="#parameter-account_key_src"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-aliases">aliases: account_key</span></p>
<td><divclass="ansible-option-cell"><p>Path to a file containing the ACME account RSA or Elliptic Curve key.</p>
<p>Private keys can be created with the <aclass="reference internal"href="openssl_privatekey_module.html#ansible-collections-community-crypto-openssl-privatekey-module"><spanclass="std std-ref">community.crypto.openssl_privatekey</span></a> or <aclass="reference internal"href="openssl_privatekey_pipe_module.html#ansible-collections-community-crypto-openssl-privatekey-pipe-module"><spanclass="std std-ref">community.crypto.openssl_privatekey_pipe</span></a> modules. If the requisite (cryptography) is not available, keys can also be created directly with the <codeclass="docutils literal notranslate"><spanclass="pre">openssl</span></code> command line tool: RSA keys can be created with <codeclass="docutils literal notranslate"><spanclass="pre">openssl</span><spanclass="pre">genrsa</span><spanclass="pre">...</span></code>. Elliptic curve keys can be created with <codeclass="docutils literal notranslate"><spanclass="pre">openssl</span><spanclass="pre">ecparam</span><spanclass="pre">-genkey</span><spanclass="pre">...</span></code>. Any other tool creating private keys in PEM format can be used as well.</p>
<p>Mutually exclusive with <codeclass="docutils literal notranslate"><spanclass="pre">account_key_content</span></code>.</p>
<p>Required if <codeclass="docutils literal notranslate"><spanclass="pre">account_key_content</span></code> is not used.</p>
<aclass="ansibleOptionLink"href="#parameter-account_uri"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>If specified, assumes that the account URI is as given. If the account key does not match this account, or an account with this URI does not exist, the module fails.</p>
<aclass="ansibleOptionLink"href="#parameter-acme_directory"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span> / <spanclass="ansible-option-required">required</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The ACME directory to use. This is the entry point URL to access the ACME CA server API.</p>
<p>For safety reasons the default is set to the Let’s Encrypt staging server (for the ACME v1 protocol). This will create technically correct, but untrusted certificates.</p>
<p>For Let’s Encrypt, all staging endpoints can be found here: <aclass="reference external"href="https://letsencrypt.org/docs/staging-environment/">https://letsencrypt.org/docs/staging-environment/</a>. For Buypass, all endpoints can be found here: <aclass="reference external"href="https://community.buypass.com/t/63d4ay/buypass-go-ssl-endpoints">https://community.buypass.com/t/63d4ay/buypass-go-ssl-endpoints</a></p>
<p>For <strong>Let’s Encrypt</strong>, the production directory URL for ACME v2 is <aclass="reference external"href="https://acme-v02.api.letsencrypt.org/directory">https://acme-v02.api.letsencrypt.org/directory</a>.</p>
<p>For <strong>Buypass</strong>, the production directory URL for ACME v2 and v1 is <aclass="reference external"href="https://api.buypass.com/acme/directory">https://api.buypass.com/acme/directory</a>.</p>
<p>For <strong>ZeroSSL</strong>, the production directory URL for ACME v2 is <aclass="reference external"href="https://acme.zerossl.com/v2/DV90">https://acme.zerossl.com/v2/DV90</a>.</p>
<p>For <strong>Sectigo</strong>, the production directory URL for ACME v2 is <aclass="reference external"href="https://acme-qa.secure.trust-provider.com/v2/DV">https://acme-qa.secure.trust-provider.com/v2/DV</a>.</p>
<p>The notes for this module contain a list of ACME services this module has been tested against.</p>
<aclass="ansibleOptionLink"href="#parameter-acme_version"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">integer</span> / <spanclass="ansible-option-required">required</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The ACME version of the endpoint.</p>
<p>Must be <codeclass="docutils literal notranslate"><spanclass="pre">1</span></code> for the classic Let’s Encrypt and Buypass ACME endpoints, or <codeclass="docutils literal notranslate"><spanclass="pre">2</span></code> for standardized ACME v2 endpoints.</p>
<p>The value <codeclass="docutils literal notranslate"><spanclass="pre">1</span></code> is deprecated since community.crypto 2.0.0 and will be removed from community.crypto 3.0.0.</p>
<aclass="ansibleOptionLink"href="#parameter-agreement"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>URI to a terms of service document you agree to when using the ACME v1 service at <codeclass="docutils literal notranslate"><spanclass="pre">acme_directory</span></code>.</p>
<p>Default is latest gathered from <codeclass="docutils literal notranslate"><spanclass="pre">acme_directory</span></code> URL.</p>
<p>This option will only be used when <codeclass="docutils literal notranslate"><spanclass="pre">acme_version</span></code> is 1.</p>
<aclass="ansibleOptionLink"href="#parameter-chain_dest"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-aliases">aliases: chain</span></p>
<aclass="ansibleOptionLink"href="#parameter-challenge"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The challenge to be performed.</p>
<aclass="ansibleOptionLink"href="#parameter-csr"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-aliases">aliases: src</span></p>
<td><divclass="ansible-option-cell"><p>File containing the CSR for the new certificate.</p>
<p>Can be created with <aclass="reference internal"href="openssl_csr_module.html#ansible-collections-community-crypto-openssl-csr-module"><spanclass="std std-ref">community.crypto.openssl_csr</span></a> or <codeclass="docutils literal notranslate"><spanclass="pre">openssl</span><spanclass="pre">req</span><spanclass="pre">...</span></code>.</p>
<p>The CSR may contain multiple Subject Alternate Names, but each one will lead to an individual challenge that must be fulfilled for the CSR to be signed.</p>
<p><em>Note</em>: the private key used to create the CSR <em>must not</em> be the account key. This is a bad idea from a security point of view, and the CA should not accept the CSR. The ACME server should return an error in this case.</p>
<p>Precisely one of <em>csr</em> or <em>csr_content</em> must be specified.</p>
<aclass="ansibleOptionLink"href="#parameter-csr_content"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<p><spanclass="ansible-option-versionadded">added in community.crypto 1.2.0</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Content of the CSR for the new certificate.</p>
<p>Can be created with <aclass="reference internal"href="openssl_csr_pipe_module.html#ansible-collections-community-crypto-openssl-csr-pipe-module"><spanclass="std std-ref">community.crypto.openssl_csr_pipe</span></a> or <codeclass="docutils literal notranslate"><spanclass="pre">openssl</span><spanclass="pre">req</span><spanclass="pre">...</span></code>.</p>
<p>The CSR may contain multiple Subject Alternate Names, but each one will lead to an individual challenge that must be fulfilled for the CSR to be signed.</p>
<p><em>Note</em>: the private key used to create the CSR <em>must not</em> be the account key. This is a bad idea from a security point of view, and the CA should not accept the CSR. The ACME server should return an error in this case.</p>
<p>Precisely one of <em>csr</em> or <em>csr_content</em> must be specified.</p>
<aclass="ansibleOptionLink"href="#parameter-data"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">dictionary</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The data to validate ongoing challenges. This must be specified for the second run of the module only.</p>
<p>The value that must be used here will be provided by a previous use of this module. See the examples for more details.</p>
<p>Note that for ACME v2, only the <codeclass="docutils literal notranslate"><spanclass="pre">order_uri</span></code> entry of <codeclass="docutils literal notranslate"><spanclass="pre">data</span></code> will be used. For ACME v1, <codeclass="docutils literal notranslate"><spanclass="pre">data</span></code> must be non-empty to indicate the second stage is active; all needed data will be taken from the CSR.</p>
<p><em>Note</em>: the <codeclass="docutils literal notranslate"><spanclass="pre">data</span></code> option was marked as <codeclass="docutils literal notranslate"><spanclass="pre">no_log</span></code> up to Ansible 2.5. From Ansible 2.6 on, it is no longer marked this way as it causes error messages to be come unusable, and <codeclass="docutils literal notranslate"><spanclass="pre">data</span></code> does not contain any information which can be used without having access to the account key or which are not public anyway.</p>
<aclass="ansibleOptionLink"href="#parameter-deactivate_authzs"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Deactivate authentication objects (authz) after issuing a certificate, or when issuing the certificate failed.</p>
<p>Authentication objects are bound to an account key and remain valid for a certain amount of time, and can be used to issue certificates without having to re-authenticate the domain. This can be a security concern.</p>
<aclass="ansibleOptionLink"href="#parameter-dest"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-aliases">aliases: cert</span></p>
<aclass="ansibleOptionLink"href="#parameter-force"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Enforces the execution of the challenge and validation, even if an existing certificate is still valid for more than <codeclass="docutils literal notranslate"><spanclass="pre">remaining_days</span></code>.</p>
<p>This is especially helpful when having an updated CSR, for example with additional domains for which a new certificate is desired.</p>
<aclass="ansibleOptionLink"href="#parameter-fullchain_dest"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-aliases">aliases: fullchain</span></p>
<td><divclass="ansible-option-cell"><p>The destination file for the full chain (that is, a certificate followed by chain of intermediate certificates).</p>
<p>Required if <codeclass="docutils literal notranslate"><spanclass="pre">dest</span></code> is not specified.</p>
<aclass="ansibleOptionLink"href="#parameter-modify_account"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Boolean indicating whether the module should create the account if necessary, and update its contact data.</p>
<p>Set to <codeclass="docutils literal notranslate"><spanclass="pre">false</span></code> if you want to use the <aclass="reference internal"href="acme_account_module.html#ansible-collections-community-crypto-acme-account-module"><spanclass="std std-ref">community.crypto.acme_account</span></a> module to manage your account instead, and to avoid accidental creation of a new account using an old key if you changed the account key with <aclass="reference internal"href="acme_account_module.html#ansible-collections-community-crypto-acme-account-module"><spanclass="std std-ref">community.crypto.acme_account</span></a>.</p>
<p>If set to <codeclass="docutils literal notranslate"><spanclass="pre">false</span></code>, <codeclass="docutils literal notranslate"><spanclass="pre">terms_agreed</span></code> and <codeclass="docutils literal notranslate"><spanclass="pre">account_email</span></code> are ignored.</p>
<aclass="ansibleOptionLink"href="#parameter-remaining_days"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">integer</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The number of days the certificate must have left being valid. If <codeclass="docutils literal notranslate"><spanclass="pre">cert_days</span><spanclass="pre"><</span><spanclass="pre">remaining_days</span></code>, then it will be renewed. If the certificate is not renewed, module return values will not include <codeclass="docutils literal notranslate"><spanclass="pre">challenge_data</span></code>.</p>
<p>To make sure that the certificate is renewed in any case, you can use the <codeclass="docutils literal notranslate"><spanclass="pre">force</span></code> option.</p>
<aclass="ansibleOptionLink"href="#parameter-request_timeout"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">integer</span></p>
<p><spanclass="ansible-option-versionadded">added in community.crypto 2.3.0</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The time Ansible should wait for a response from the ACME API.</p>
<p>This timeout is applied to all HTTP(S) requests (HEAD, GET, POST).</p>
<aclass="ansibleOptionLink"href="#parameter-retrieve_all_alternates"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>When set to <codeclass="docutils literal notranslate"><spanclass="pre">true</span></code>, will retrieve all alternate trust chains offered by the ACME CA. These will not be written to disk, but will be returned together with the main chain as <codeclass="docutils literal notranslate"><spanclass="pre">all_chains</span></code>. See the documentation for the <codeclass="docutils literal notranslate"><spanclass="pre">all_chains</span></code> return value for details.</p>
<aclass="ansibleOptionLink"href="#parameter-select_chain"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">list</span> / <spanclass="ansible-option-elements">elements=dictionary</span></p>
<p><spanclass="ansible-option-versionadded">added in community.crypto 1.0.0</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Allows to specify criteria by which an (alternate) trust chain can be selected.</p>
<p>The list of criteria will be processed one by one until a chain is found matching a criterium. If such a chain is found, it will be used by the module instead of the default chain.</p>
<p>If a criterium matches multiple chains, the first one matching will be returned. The order is determined by the ordering of the <codeclass="docutils literal notranslate"><spanclass="pre">Link</span></code> headers returned by the ACME server and might not be deterministic.</p>
<p>Every criterium can consist of multiple different conditions, like <em>issuer</em> and <em>subject</em>. For the criterium to match a chain, all conditions must apply to the same certificate in the chain.</p>
<p>This option can only be used with the <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> backend.</p>
<aclass="ansibleOptionLink"href="#parameter-select_chain/authority_key_identifier"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-indent-desc"></div><divclass="ansible-option-cell"><p>Checks for the AuthorityKeyIdentifier extension. This is an identifier based on the private key of the issuer of the intermediate certificate.</p>
<p>The identifier must be of the form <codeclass="docutils literal notranslate"><spanclass="pre">C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-select_chain/issuer"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">dictionary</span></p>
</div></td>
<td><divclass="ansible-option-indent-desc"></div><divclass="ansible-option-cell"><p>Allows to specify parts of the issuer of a certificate in the chain must have to be selected.</p>
<p>If <em>issuer</em> is empty, any certificate will match.</p>
<p>An example value would be <codeclass="docutils literal notranslate"><spanclass="pre">{"commonName":</span><spanclass="pre">"My</span><spanclass="pre">Preferred</span><spanclass="pre">CA</span><spanclass="pre">Root"}</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-select_chain/subject"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">dictionary</span></p>
</div></td>
<td><divclass="ansible-option-indent-desc"></div><divclass="ansible-option-cell"><p>Allows to specify parts of the subject of a certificate in the chain must have to be selected.</p>
<p>If <em>subject</em> is empty, any certificate will match.</p>
<p>An example value would be <codeclass="docutils literal notranslate"><spanclass="pre">{"CN":</span><spanclass="pre">"My</span><spanclass="pre">Preferred</span><spanclass="pre">CA</span><spanclass="pre">Intermediate"}</span></code></p>
<aclass="ansibleOptionLink"href="#parameter-select_chain/subject_key_identifier"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-indent-desc"></div><divclass="ansible-option-cell"><p>Checks for the SubjectKeyIdentifier extension. This is an identifier based on the private key of the intermediate certificate.</p>
<p>The identifier must be of the form <codeclass="docutils literal notranslate"><spanclass="pre">A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1</span></code>.</p>
<aclass="ansibleOptionLink"href="#parameter-select_chain/test_certificates"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-indent-desc"></div><divclass="ansible-option-cell"><p>Determines which certificates in the chain will be tested.</p>
<p><em>all</em> tests all certificates in the chain (excluding the leaf, which is identical in all chains).</p>
<p><em>first</em> only tests the first certificate in the chain, that is the one which signed the leaf.</p>
<p><em>last</em> only tests the last certificate in the chain, that is the one furthest away from the leaf. Its issuer is the root certificate of this chain.</p>
<aclass="ansibleOptionLink"href="#parameter-select_crypto_backend"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Determines which crypto backend to use.</p>
<p>The default choice is <codeclass="docutils literal notranslate"><spanclass="pre">auto</span></code>, which tries to use <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> if available, and falls back to <codeclass="docutils literal notranslate"><spanclass="pre">openssl</span></code>.</p>
<p>If set to <codeclass="docutils literal notranslate"><spanclass="pre">openssl</span></code>, will try to use the <codeclass="docutils literal notranslate"><spanclass="pre">openssl</span></code> binary.</p>
<p>If set to <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code>, will try to use the <aclass="reference external"href="https://cryptography.io/">cryptography</a> library.</p>
<aclass="ansibleOptionLink"href="#parameter-terms_agreed"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Boolean indicating whether you agree to the terms of service document.</p>
<p>ACME servers can require this to be true.</p>
<p>This option will only be used when <codeclass="docutils literal notranslate"><spanclass="pre">acme_version</span></code> is not 1.</p>
<aclass="ansibleOptionLink"href="#parameter-validate_certs"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Whether calls to the ACME directory will validate TLS certificates.</p>
<p><strong>Warning:</strong> Should <strong>only ever</strong> be set to <codeclass="docutils literal notranslate"><spanclass="pre">false</span></code> for testing purposes, for example when testing against a local Pebble server.</p>
<td><divclass="ansible-option-cell"><p>Use <codeclass="docutils literal notranslate"><spanclass="pre">group/acme</span></code> or <codeclass="docutils literal notranslate"><spanclass="pre">group/community.crypto.acme</span></code> in <codeclass="docutils literal notranslate"><spanclass="pre">module_defaults</span></code> to set defaults for this module.</p>
<td><divclass="ansible-option-cell"><p>Can run in <codeclass="docutils literal notranslate"><spanclass="pre">check_mode</span></code> and return changed status prediction without modifying target.</p>
<td><divclass="ansible-option-cell"><p>Will return details on what has changed (or possibly needs changing in <codeclass="docutils literal notranslate"><spanclass="pre">check_mode</span></code>), when in diff mode.</p>
<td><divclass="ansible-option-cell"><p>Uses Ansible’s strict file operation functions to ensure proper permissions and avoid data corruption.</p>
</div></td>
</tr>
</tbody>
</table>
</section>
<sectionid="notes">
<h2><aclass="toc-backref"href="#id5">Notes</a><aclass="headerlink"href="#notes"title="Permalink to this heading"></a></h2>
<divclass="admonition note">
<pclass="admonition-title">Note</p>
<ulclass="simple">
<li><p>At least one of <codeclass="docutils literal notranslate"><spanclass="pre">dest</span></code> and <codeclass="docutils literal notranslate"><spanclass="pre">fullchain_dest</span></code> must be specified.</p></li>
<li><p>This module includes basic account management functionality. If you want to have more control over your ACME account, use the <aclass="reference internal"href="acme_account_module.html#ansible-collections-community-crypto-acme-account-module"><spanclass="std std-ref">community.crypto.acme_account</span></a> module and disable account management for this module using the <codeclass="docutils literal notranslate"><spanclass="pre">modify_account</span></code> option.</p></li>
<li><p>This module was called <codeclass="docutils literal notranslate"><spanclass="pre">letsencrypt</span></code> before Ansible 2.6. The usage did not change.</p></li>
<li><p>If a new enough version of the <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> library is available (see Requirements for details), it will be used instead of the <codeclass="docutils literal notranslate"><spanclass="pre">openssl</span></code> binary. This can be explicitly disabled or enabled with the <codeclass="docutils literal notranslate"><spanclass="pre">select_crypto_backend</span></code> option. Note that using the <codeclass="docutils literal notranslate"><spanclass="pre">openssl</span></code> binary will be slower and less secure, as private key contents always have to be stored on disk (see <codeclass="docutils literal notranslate"><spanclass="pre">account_key_content</span></code>).</p></li>
<li><p>Although the defaults are chosen so that the module can be used with the <aclass="reference external"href="https://letsencrypt.org/">Let’s Encrypt</a> CA, the module can in principle be used with any CA providing an ACME endpoint, such as <aclass="reference external"href="https://www.buypass.com/ssl/products/acme">Buypass Go SSL</a>.</p></li>
<li><p>So far, the ACME modules have only been tested by the developers against Let’s Encrypt (staging and production), Buypass (staging and production), ZeroSSL (production), and <aclass="reference external"href="https://github.com/letsencrypt/Pebble">Pebble testing server</a>. We have got community feedback that they also work with Sectigo ACME Service for InCommon. If you experience problems with another ACME server, please <aclass="reference external"href="https://github.com/ansible-collections/community.crypto/issues/new/choose">create an issue</a> to help us supporting it. Feedback that an ACME server not mentioned does work is also appreciated.</p></li>
</ul>
</div>
</section>
<sectionid="see-also">
<h2><aclass="toc-backref"href="#id6">See Also</a><aclass="headerlink"href="#see-also"title="Permalink to this heading"></a></h2>
<divclass="admonition seealso">
<pclass="admonition-title">See also</p>
<dlclass="simple">
<dt><aclass="reference external"href="https://letsencrypt.org/docs/">The Let’s Encrypt documentation</a></dt><dd><p>Documentation for the Let’s Encrypt Certification Authority. Provides useful information for example on rate limits.</p>
</dd>
<dt><aclass="reference external"href="https://www.buypass.com/ssl/products/acme">Buypass Go SSL</a></dt><dd><p>Documentation for the Buypass Certification Authority. Provides useful information for example on rate limits.</p>
</dd>
<dt><aclass="reference external"href="https://tools.ietf.org/html/rfc8555">Automatic Certificate Management Environment (ACME)</a></dt><dd><p>The specification of the ACME protocol (RFC 8555).</p>
</dd>
<dt><aclass="reference external"href="https://www.rfc-editor.org/rfc/rfc8737.html-05">ACME TLS ALPN Challenge Extension</a></dt><dd><p>The specification of the <codeclass="docutils literal notranslate"><spanclass="pre">tls-alpn-01</span></code> challenge (RFC 8737).</p>
<dt><aclass="reference internal"href="openssl_privatekey_module.html#ansible-collections-community-crypto-openssl-privatekey-module"><spanclass="std std-ref">community.crypto.openssl_privatekey</span></a></dt><dd><p>Can be used to create private keys (both for certificates and accounts).</p>
</dd>
<dt><aclass="reference internal"href="openssl_privatekey_pipe_module.html#ansible-collections-community-crypto-openssl-privatekey-pipe-module"><spanclass="std std-ref">community.crypto.openssl_privatekey_pipe</span></a></dt><dd><p>Can be used to create private keys without writing it to disk (both for certificates and accounts).</p>
</dd>
<dt><aclass="reference internal"href="openssl_csr_module.html#ansible-collections-community-crypto-openssl-csr-module"><spanclass="std std-ref">community.crypto.openssl_csr</span></a></dt><dd><p>Can be used to create a Certificate Signing Request (CSR).</p>
</dd>
<dt><aclass="reference internal"href="openssl_csr_pipe_module.html#ansible-collections-community-crypto-openssl-csr-pipe-module"><spanclass="std std-ref">community.crypto.openssl_csr_pipe</span></a></dt><dd><p>Can be used to create a Certificate Signing Request (CSR) without writing it to disk.</p>
</dd>
<dt><aclass="reference internal"href="certificate_complete_chain_module.html#ansible-collections-community-crypto-certificate-complete-chain-module"><spanclass="std std-ref">community.crypto.certificate_complete_chain</span></a></dt><dd><p>Allows to find the root certificate for the returned fullchain.</p>
</dd>
<dt><aclass="reference internal"href="acme_certificate_revoke_module.html#ansible-collections-community-crypto-acme-certificate-revoke-module"><spanclass="std std-ref">community.crypto.acme_certificate_revoke</span></a></dt><dd><p>Allows to revoke certificates.</p>
</dd>
<dt><aclass="reference internal"href="acme_account_module.html#ansible-collections-community-crypto-acme-account-module"><spanclass="std std-ref">community.crypto.acme_account</span></a></dt><dd><p>Allows to create, modify or delete an ACME account.</p>
</dd>
<dt><aclass="reference internal"href="acme_inspect_module.html#ansible-collections-community-crypto-acme-inspect-module"><spanclass="std std-ref">community.crypto.acme_inspect</span></a></dt><dd><p>Allows to debug problems.</p>
</dd>
</dl>
</div>
</section>
<sectionid="examples">
<h2><aclass="toc-backref"href="#id7">Examples</a><aclass="headerlink"href="#examples"title="Permalink to this heading"></a></h2>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">Create a challenge for sample.com using a account key from a variable.</span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">Create a challenge for sample.com using a account key from hashi vault.</span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">Create a challenge for sample.com using a account key file.</span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">Let the challenge be validated and retrieve the cert and intermediate certificate</span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">Create a challenge for sample.com using a account key file.</span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">Let the challenge be validated and retrieve the cert and intermediate certificate</span>
<spanclass="w"></span><spanclass="nt">when</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">sample_com_challenge is changed</span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">Let the challenge be validated and retrieve the cert and intermediate certificate</span>
<spanclass="w"></span><spanclass="nt">when</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">sample_com_challenge is changed</span>
<h2><aclass="toc-backref"href="#id8">Return Values</a><aclass="headerlink"href="#return-values"title="Permalink to this heading"></a></h2>
<p>Common return values are documented <aclass="reference external"href="https://docs.ansible.com/ansible/devel/reference_appendices/common_return_values.html#common-return-values"title="(in Ansible vdevel)"><spanclass="xref std std-ref">here</span></a>, the following are the fields unique to this module:</p>
<aclass="ansibleOptionLink"href="#return-account_uri"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<aclass="ansibleOptionLink"href="#return-all_chains"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">list</span> / <spanclass="ansible-option-elements">elements=dictionary</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>When <em>retrieve_all_alternates</em> is set to <codeclass="docutils literal notranslate"><spanclass="pre">true</span></code>, the module will query the ACME server for alternate chains. This return value will contain a list of all chains returned, the first entry being the main chain returned by the server.</p>
<p>See <aclass="reference external"href="https://tools.ietf.org/html/rfc8555#section-7.4.2">Section 7.4.2 of RFC8555</a> for details.</p>
<pclass="ansible-option-line"><spanclass="ansible-option-returned-bold">Returned:</span> when certificate was retrieved and <em>retrieve_all_alternates</em> is set to <codeclass="docutils literal notranslate"><spanclass="pre">true</span></code></p>
<aclass="ansibleOptionLink"href="#return-all_chains/cert"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-indent-desc"></div><divclass="ansible-option-cell"><p>The leaf certificate itself, in PEM format.</p>
<aclass="ansibleOptionLink"href="#return-all_chains/chain"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-indent-desc"></div><divclass="ansible-option-cell"><p>The certificate chain, excluding the root, as concatenated PEM certificates.</p>
<aclass="ansibleOptionLink"href="#return-all_chains/full_chain"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-indent-desc"></div><divclass="ansible-option-cell"><p>The certificate chain, excluding the root, but including the leaf certificate, as concatenated PEM certificates.</p>
<aclass="ansibleOptionLink"href="#return-authorizations"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">dictionary</span></p>
<p>Maps an identifier to ACME authorization objects. See <aclass="reference external"href="https://tools.ietf.org/html/rfc8555#section-7.1.4">https://tools.ietf.org/html/rfc8555#section-7.1.4</a>.</p>
<aclass="ansibleOptionLink"href="#return-cert_days"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">integer</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The number of days the certificate remains valid.</p>
<aclass="ansibleOptionLink"href="#return-challenge_data"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">list</span> / <spanclass="ansible-option-elements">elements=dictionary</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Per identifier / challenge type challenge data.</p>
<p>Since Ansible 2.8.5, only challenges which are not yet valid are returned.</p>
<aclass="ansibleOptionLink"href="#return-challenge_data/record"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-indent-desc"></div><divclass="ansible-option-cell"><p>The full DNS record’s name for the challenge.</p>
<pclass="ansible-option-line"><spanclass="ansible-option-returned-bold">Returned:</span> changed and challenge is <codeclass="docutils literal notranslate"><spanclass="pre">dns-01</span></code></p>
<aclass="ansibleOptionLink"href="#return-challenge_data/resource"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-indent-desc"></div><divclass="ansible-option-cell"><p>The challenge resource that must be created for validation.</p>
<aclass="ansibleOptionLink"href="#return-challenge_data/resource_original"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-indent-desc"></div><divclass="ansible-option-cell"><p>The original challenge resource including type identifier for <codeclass="docutils literal notranslate"><spanclass="pre">tls-alpn-01</span></code> challenges.</p>
<pclass="ansible-option-line"><spanclass="ansible-option-returned-bold">Returned:</span> changed and challenge is <codeclass="docutils literal notranslate"><spanclass="pre">tls-alpn-01</span></code></p>
<aclass="ansibleOptionLink"href="#return-challenge_data/resource_value"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-indent-desc"></div><divclass="ansible-option-cell"><p>The value the resource has to produce for the validation.</p>
<p>For <codeclass="docutils literal notranslate"><spanclass="pre">http-01</span></code> and <codeclass="docutils literal notranslate"><spanclass="pre">dns-01</span></code> challenges, the value can be used as-is.</p>
<p>For <codeclass="docutils literal notranslate"><spanclass="pre">tls-alpn-01</span></code> challenges, note that this return value contains a Base64 encoded version of the correct binary blob which has to be put into the acmeValidation x509 extension; see <aclass="reference external"href="https://www.rfc-editor.org/rfc/rfc8737.html#section-3">https://www.rfc-editor.org/rfc/rfc8737.html#section-3</a> for details. To do this, you might need the <codeclass="docutils literal notranslate"><spanclass="pre">b64decode</span></code> Jinja filter to extract the binary blob from this return value.</p>
<aclass="ansibleOptionLink"href="#return-challenge_data_dns"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">dictionary</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>List of TXT values per DNS record, in case challenge is <codeclass="docutils literal notranslate"><spanclass="pre">dns-01</span></code>.</p>
<p>Since Ansible 2.8.5, only challenges which are not yet valid are returned.</p>
<aclass="ansibleOptionLink"href="#return-finalization_uri"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<aclass="ansibleOptionLink"href="#return-order_uri"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>ACME order URI.</p>
<ahref="https://github.com/ansible-collections/community.crypto/issues/new?assignees=&labels=&template=bug_report.md"aria-role="button"target="_blank"rel="noopener external">Submit a bug report</a>
<ahref="https://github.com/ansible-collections/community.crypto/issues/new?assignees=&labels=&template=feature_request.md"aria-role="button"target="_blank"rel="noopener external">Request a feature</a>
