<linkrel="prev"title="community.crypto.ecs_domain module – Request validation of a domain with the Entrust Certificate Services (ECS) API"href="ecs_domain_module.html"/><!-- extra head elements for Ansible beyond RTD Sphinx Theme -->
</head>
<bodyclass="wy-body-for-nav"><!-- extra body elements for Ansible beyond RTD Sphinx Theme -->
<liclass="toctree-l1"><aclass="reference internal"href="docsite/guide_selfsigned.html">How to create self-signed certificates</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="docsite/guide_ownca.html">How to create a small CA</a></li>
</ul>
<ulclass="current">
<liclass="toctree-l1"><aclass="reference internal"href="acme_account_module.html">community.crypto.acme_account module – Create, modify or delete ACME accounts</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_account_info_module.html">community.crypto.acme_account_info module – Retrieves information on ACME accounts</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_certificate_module.html">community.crypto.acme_certificate module – Create SSL/TLS certificates with the ACME protocol</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_certificate_revoke_module.html">community.crypto.acme_certificate_revoke module – Revoke certificates with the ACME protocol</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_challenge_cert_helper_module.html">community.crypto.acme_challenge_cert_helper module – Prepare certificates required for ACME challenges such as <codeclass="docutils literal notranslate"><spanclass="pre">tls-alpn-01</span></code></a></li>
<liclass="toctree-l1"><aclass="reference internal"href="acme_inspect_module.html">community.crypto.acme_inspect module – Send direct requests to an ACME server</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="certificate_complete_chain_module.html">community.crypto.certificate_complete_chain module – Complete certificate chain given a set of untrusted and root certificates</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="ecs_certificate_module.html">community.crypto.ecs_certificate module – Request SSL/TLS certificates with the Entrust Certificate Services (ECS) API</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="ecs_domain_module.html">community.crypto.ecs_domain module – Request validation of a domain with the Entrust Certificate Services (ECS) API</a></li>
<liclass="toctree-l1 current"><aclass="current reference internal"href="#">community.crypto.get_certificate module – Get a certificate from a host:port</a><ul>
<liclass="toctree-l1"><aclass="reference internal"href="openssh_cert_module.html">community.crypto.openssh_cert module – Generate OpenSSH host or user certificates.</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssh_keypair_module.html">community.crypto.openssh_keypair module – Generate OpenSSH private and public keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_csr_info_module.html">community.crypto.openssl_csr_info module – Provide information of OpenSSL Certificate Signing Requests (CSR)</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_privatekey_info_module.html">community.crypto.openssl_privatekey_info module – Provide information for OpenSSL private keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_privatekey_pipe_module.html">community.crypto.openssl_privatekey_pipe module – Generate OpenSSL private keys without disk access</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_publickey_module.html">community.crypto.openssl_publickey module – Generate an OpenSSL public key from its private key.</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_publickey_info_module.html">community.crypto.openssl_publickey_info module – Provide information for OpenSSL public keys</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_signature_module.html">community.crypto.openssl_signature module – Sign data with openssl</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="openssl_signature_info_module.html">community.crypto.openssl_signature_info module – Verify signatures with openssl</a></li>
<liclass="toctree-l1"><aclass="reference internal"href="x509_certificate_info_module.html">community.crypto.x509_certificate_info module – Provide information of OpenSSL X.509 certificates</a></li>
<liclass="breadcrumb-item active">community.crypto.get_certificate module – Get a certificate from a host:port</li>
<liclass="wy-breadcrumbs-aside">
<!-- User defined GitHub URL -->
<ahref="https://github.com/ansible-collections/community.crypto/edit/main/plugins/modules/get_certificate.py?description=%23%23%23%23%23%20SUMMARY%0A%3C!—%20Your%20description%20here%20–%3E%0A%0A%0A%23%23%23%23%23%20ISSUE%20TYPE%0A-%20Docs%20Pull%20Request%0A%0A%2Blabel:%20docsite_pr"class="fa fa-github"> Edit on GitHub</a>
<h1>community.crypto.get_certificate module – Get a certificate from a host:port<aclass="headerlink"href="#community-crypto-get-certificate-module-get-a-certificate-from-a-host-port"title="Permalink to this heading"></a></h1>
<p>This module is part of the <aclass="reference external"href="https://galaxy.ansible.com/community/crypto">community.crypto collection</a> (version 2.10.0).</p>
You need further requirements to be able to use this module,
see <aclass="reference internal"href="#ansible-collections-community-crypto-get-certificate-module-requirements"><spanclass="std std-ref">Requirements</span></a> for details.</p>
<p>To use it in a playbook, specify: <codeclass="code docutils literal notranslate"><spanclass="pre">community.crypto.get_certificate</span></code>.</p>
<h2><aclass="toc-backref"href="#id1">Synopsis</a><aclass="headerlink"href="#synopsis"title="Permalink to this heading"></a></h2>
<ulclass="simple">
<li><p>Makes a secure connection and returns information about the presented certificate</p></li>
<li><p>The module uses the cryptography Python library.</p></li>
<li><p>Support SNI (<aclass="reference external"href="https://en.wikipedia.org/wiki/Server_Name_Indication">Server Name Indication</a>) only with python >= 2.7.</p></li>
</ul>
</section>
<sectionid="requirements">
<spanid="ansible-collections-community-crypto-get-certificate-module-requirements"></span><h2><aclass="toc-backref"href="#id2">Requirements</a><aclass="headerlink"href="#requirements"title="Permalink to this heading"></a></h2>
<p>The below requirements are needed on the host that executes this module.</p>
<ulclass="simple">
<li><p>python >= 2.7 when using <codeclass="docutils literal notranslate"><spanclass="pre">proxy_host</span></code></p></li>
<li><p>cryptography >= 1.6</p></li>
</ul>
</section>
<sectionid="parameters">
<h2><aclass="toc-backref"href="#id3">Parameters</a><aclass="headerlink"href="#parameters"title="Permalink to this heading"></a></h2>
<aclass="ansibleOptionLink"href="#parameter-ca_cert"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">path</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>A PEM file containing one or more root certificates; if present, the cert will be validated against these root certs.</p>
<p>Note that this only validates the certificate is signed by the chain; not that the cert is valid for the host presenting it.</p>
<aclass="ansibleOptionLink"href="#parameter-host"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span> / <spanclass="ansible-option-required">required</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The host to get the cert for (IP is fine)</p>
<aclass="ansibleOptionLink"href="#parameter-port"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">integer</span> / <spanclass="ansible-option-required">required</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The port to connect to</p>
<aclass="ansibleOptionLink"href="#parameter-proxy_host"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Proxy host used when get a certificate.</p>
<aclass="ansibleOptionLink"href="#parameter-proxy_port"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">integer</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Proxy port used when get a certificate.</p>
<aclass="ansibleOptionLink"href="#parameter-select_crypto_backend"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Determines which crypto backend to use.</p>
<p>The default choice is <codeclass="docutils literal notranslate"><spanclass="pre">auto</span></code>, which tries to use <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> if available.</p>
<p>If set to <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code>, will try to use the <aclass="reference external"href="https://cryptography.io/">cryptography</a> library.</p>
<aclass="ansibleOptionLink"href="#parameter-server_name"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<p><spanclass="ansible-option-versionadded">added in community.crypto 1.4.0</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Server name used for SNI (<aclass="reference external"href="https://en.wikipedia.org/wiki/Server_Name_Indication">Server Name Indication</a>) when hostname is an IP or is different from server name.</p>
<aclass="ansibleOptionLink"href="#parameter-starttls"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<p><spanclass="ansible-option-versionadded">added in community.crypto 1.9.0</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Requests a secure connection for protocols which require clients to initiate encryption.</p>
<p>Only available for <codeclass="docutils literal notranslate"><spanclass="pre">mysql</span></code> currently.</p>
<aclass="ansibleOptionLink"href="#parameter-timeout"title="Permalink to this option"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">integer</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The timeout in seconds</p>
<td><divclass="ansible-option-cell"><p>Can run in <codeclass="docutils literal notranslate"><spanclass="pre">check_mode</span></code> and return changed status prediction without modifying target.</p>
<td><divclass="ansible-option-cell"><p>Will return details on what has changed (or possibly needs changing in <codeclass="docutils literal notranslate"><spanclass="pre">check_mode</span></code>), when in diff mode.</p>
</div></td>
</tr>
</tbody>
</table>
</section>
<sectionid="notes">
<h2><aclass="toc-backref"href="#id5">Notes</a><aclass="headerlink"href="#notes"title="Permalink to this heading"></a></h2>
<divclass="admonition note">
<pclass="admonition-title">Note</p>
<ulclass="simple">
<li><p>When using ca_cert on OS X it has been reported that in some conditions the validate will always succeed.</p></li>
</ul>
</div>
</section>
<sectionid="examples">
<h2><aclass="toc-backref"href="#id6">Examples</a><aclass="headerlink"href="#examples"title="Permalink to this heading"></a></h2>
<divclass="highlight-yaml+jinja notranslate"><divclass="highlight"><pre><span></span><spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">Get the cert from an RDP port</span><spanclass="w"></span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">Get a cert from an https port</span><spanclass="w"></span>
<spanclass="p p-Indicator">-</span><spanclass="w"></span><spanclass="nt">name</span><spanclass="p">:</span><spanclass="w"></span><spanclass="l l-Scalar l-Scalar-Plain">How many days until cert expires</span><spanclass="w"></span>
<h2><aclass="toc-backref"href="#id7">Return Values</a><aclass="headerlink"href="#return-values"title="Permalink to this heading"></a></h2>
<p>Common return values are documented <aclass="reference external"href="https://docs.ansible.com/ansible/devel/reference_appendices/common_return_values.html#common-return-values"title="(in Ansible vdevel)"><spanclass="xref std std-ref">here</span></a>, the following are the fields unique to this module:</p>
<aclass="ansibleOptionLink"href="#return-cert"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The certificate retrieved from the port</p>
<aclass="ansibleOptionLink"href="#return-expired"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Boolean indicating if the cert is expired</p>
<aclass="ansibleOptionLink"href="#return-extensions"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">list</span> / <spanclass="ansible-option-elements">elements=dictionary</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Extensions applied to the cert</p>
<aclass="ansibleOptionLink"href="#return-extensions/asn1_data"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-indent-desc"></div><divclass="ansible-option-cell"><p>The Base64 encoded ASN.1 content of the extension.</p>
<p><strong>Note</strong> that depending on the <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code> version used, it is not possible to extract the ASN.1 content of the extension, but only to provide the re-encoded content of the extension in case it was parsed by <codeclass="docutils literal notranslate"><spanclass="pre">cryptography</span></code>. This should usually result in exactly the same value, except if the original extension value was malformed.</p>
<aclass="ansibleOptionLink"href="#return-extensions/critical"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">boolean</span></p>
</div></td>
<td><divclass="ansible-option-indent-desc"></div><divclass="ansible-option-cell"><p>Whether the extension is critical.</p>
<aclass="ansibleOptionLink"href="#return-extensions/name"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
<aclass="ansibleOptionLink"href="#return-issuer"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">dictionary</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Information about the issuer of the cert</p>
<aclass="ansibleOptionLink"href="#return-not_after"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Expiration date of the cert</p>
<aclass="ansibleOptionLink"href="#return-not_before"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Issue date of the cert</p>
<aclass="ansibleOptionLink"href="#return-serial_number"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The serial number of the cert</p>
<aclass="ansibleOptionLink"href="#return-signature_algorithm"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The algorithm used to sign the cert</p>
<aclass="ansibleOptionLink"href="#return-subject"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">dictionary</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>Information about the subject of the cert (OU, CN, etc)</p>
<aclass="ansibleOptionLink"href="#return-version"title="Permalink to this return value"></a><pclass="ansible-option-type-line"><spanclass="ansible-option-type">string</span></p>
</div></td>
<td><divclass="ansible-option-cell"><p>The version number of the certificate</p>
<ahref="https://github.com/ansible-collections/community.crypto/issues/new?assignees=&labels=&template=bug_report.md"aria-role="button"target="_blank"rel="noopener external">Submit a bug report</a>
<ahref="https://github.com/ansible-collections/community.crypto/issues/new?assignees=&labels=&template=feature_request.md"aria-role="button"target="_blank"rel="noopener external">Request a feature</a>
<ahref="ecs_domain_module.html"class="btn btn-neutral float-left"title="community.crypto.ecs_domain module – Request validation of a domain with the Entrust Certificate Services (ECS) API"accesskey="p"rel="prev"><spanclass="fa fa-arrow-circle-left"aria-hidden="true"></span> Previous</a>
