Implement profile option. (#835)

pull/757/head
Felix Fontein 2025-01-12 10:24:24 +01:00 committed by GitHub
parent 029e009db1
commit 2419e6c6ad
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 25 additions and 2 deletions


@ -0,0 +1,4 @@
minor_changes:
- "acme_certificate - allow to chose a profile for certificate generation, in case the CA supports this using
Internet-Draft `draft-aaron-acme-profiles <https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/>`__
(https://github.com/ansible-collections/community.crypto/pull/835)."


@ -65,7 +65,7 @@ class Order(object):
return result
@classmethod
def create(cls, client, identifiers, replaces_cert_id=None):
def create(cls, client, identifiers, replaces_cert_id=None, profile=None):
'''
Start a new certificate order (ACME v2 protocol).
https://tools.ietf.org/html/rfc8555#section-7.4
@ -81,6 +81,8 @@ class Order(object):
}
if replaces_cert_id is not None:
new_order["replaces"] = replaces_cert_id
if profile is not None:
new_order["profile"] = profile
result, info = client.send_signed_request(
client.directory['newOrder'], new_order, error_msg='Failed to start new order', expected_status_codes=[201])
return cls.from_json(client, result, info['location'])
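Review bot: The new `profile` keyword on `create` (signature at the top of the hunk) is not described in the docstring that follows it, and that docstring continues past the hunk, so a reader of the method will not learn what the value is or when it is safe to pass. I would add a line to the docstring such as `profile: optional profile name; when given it is sent as the "profile" member of the newOrder request (draft-aaron-acme-profiles), so the caller should first confirm the CA advertises it under the directory's meta.profiles.` The method itself forwards the value without validating it, which matches how `replaces_cert_id` is treated in the same body, so the docstring is the right place to state that the check is the caller's responsibility.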


@ -263,6 +263,14 @@ options:
- always
default: never
version_added: 2.20.0
profile:
description:
- Chose a specific profile for certificate selection. The available profiles depend on the CA.
- See L(a blog post by Let's Encrypt, https://letsencrypt.org/2025/01/09/acme-profiles/) and
L(draft-aaron-acme-profiles-00, https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/)
for more information.
type: str
version_added: 2.24.0
"""
EXAMPLES = r"""
@ -604,6 +612,7 @@ class ACMECertificateClient(object):
self.all_chains = None
self.select_chain_matcher = []
self.include_renewal_cert_id = module.params['include_renewal_cert_id']
self.profile = module.params['profile']
if self.module.params['select_chain']:
for criterium_idx, criterium in enumerate(self.module.params['select_chain']):
@ -614,6 +623,13 @@ class ACMECertificateClient(object):
except ValueError as exc:
self.module.warn('Error while parsing criterium: {error}. Ignoring criterium.'.format(error=exc))
if self.profile is not None:
meta_profiles = (self.directory.get('meta') or {}).get('profiles') or {}
if not meta_profiles:
raise ModuleFailException(msg='The ACME CA does not support profiles.')
if self.profile not in meta_profiles:
raise ModuleFailException(msg='The ACME CA does not support selected profile {0!r}.'.format(self.profile))
# Make sure account exists
modify_account = module.params['modify_account']
if modify_account or self.version > 1:
@ -696,7 +712,7 @@ class ACMECertificateClient(object):
cert_info=cert_info,
none_if_required_information_is_missing=True,
)
self.order = Order.create(self.client, self.identifiers, replaces_cert_id)
self.order = Order.create(self.client, self.identifiers, replaces_cert_id, profile=self.profile)
self.order_uri = self.order.url
self.order.load_authorizations(self.client)
self.authorizations.update(self.order.authorizations)
@ -882,6 +898,7 @@ def main():
authority_key_identifier=dict(type='str'),
)),
include_renewal_cert_id=dict(type='str', choices=['never', 'when_ari_supported', 'always'], default='never'),
profile=dict(type='str'),
)
argument_spec.update(
required_one_of=[
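Review bot: The failure raised when the requested profile is unknown (`ModuleFailException(msg='The ACME CA does not support selected profile {0!r}.'...)` in the second hunk of this file) could name the profiles the CA does advertise, since `meta_profiles` already holds them and the user otherwise has to fetch the directory document by hand; `raise ModuleFailException(msg='The ACME CA does not support selected profile {0!r}. Supported profiles: {1}.'.format(self.profile, ', '.join(sorted(meta_profiles))))` would do it without changing the module's behaviour. In the option documentation of the first hunk, "Chose" should read "Choose", and "certificate selection" reads as if the option picks among existing certificates — "certificate issuance" would match the intent, and the changelog fragment in this commit has the same "chose" typo. The new check also reads `self.directory` inside `__init__` before the "Make sure account exists" step; the assignment of `self.directory` is outside the hunk, so it is worth confirming it is populated by that point.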