From 5366b9e5bae9e3a6ebd4673092089a84d0d130ac Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Tue, 14 Jan 2025 23:49:24 +0100 Subject: [PATCH] Improve ACME tests; add acme_ari_info tests; use ARI and profiles features in acme_certificate tests (#841) * Fix description. * Add basic acme_ari_info test. * Refactoring. * Extend acme_certificate tests. --- .../modules/acme_certificate_renewal_info.py | 6 ++ .../targets/acme_account/tasks/impl.yml | 38 ++++++------ .../targets/acme_account_info/tasks/impl.yml | 14 ++--- .../integration/targets/acme_ari_info/aliases | 10 ++++ .../targets/acme_ari_info/meta/main.yml | 8 +++ .../targets/acme_ari_info/tasks/impl.yml | 59 +++++++++++++++++++ .../targets/acme_ari_info/tasks/main.yml | 44 ++++++++++++++ .../acme_ari_info/tasks/obtain-cert.yml | 1 + .../targets/acme_ari_info/tests/validate.yml | 17 ++++++ .../targets/acme_certificate/tasks/impl.yml | 19 +++--- .../tasks/impl.yml | 20 +++---- .../acme_certificate_order/tasks/impl.yml | 20 +++---- .../tasks/impl.yml | 22 +++---- .../tasks/main.yml | 9 +-- .../tests/validate.yml | 18 +++--- .../acme_certificate_revoke/tasks/impl.yml | 6 +- .../targets/acme_inspect/tasks/impl.yml | 20 +++---- .../targets/setup_acme/tasks/main.yml | 19 +++++- .../targets/setup_acme/tasks/obtain-cert.yml | 5 +- .../x509_certificate-acme/tasks/impl.yml | 4 +- 20 files changed, 258 insertions(+), 101 deletions(-) create mode 100644 tests/integration/targets/acme_ari_info/aliases create mode 100644 tests/integration/targets/acme_ari_info/meta/main.yml create mode 100644 tests/integration/targets/acme_ari_info/tasks/impl.yml create mode 100644 tests/integration/targets/acme_ari_info/tasks/main.yml create mode 120000 tests/integration/targets/acme_ari_info/tasks/obtain-cert.yml create mode 100644 tests/integration/targets/acme_ari_info/tests/validate.yml diff --git a/plugins/modules/acme_certificate_renewal_info.py b/plugins/modules/acme_certificate_renewal_info.py index d9f811b1..2a0c575e 100644 
--- a/plugins/modules/acme_certificate_renewal_info.py +++ b/plugins/modules/acme_certificate_renewal_info.py @@ -24,6 +24,12 @@ extends_documentation_fragment: - community.crypto.attributes - community.crypto.attributes.info_module - community.crypto.attributes.idempotent_not_modify_state +attributes: + idempotent: + support: partial + details: + - The module is not idempotent if O(now) is a relative timestamp, or is not specified. + - If O(use_ari=true), the module is not idempotent if O(ari_algorithm=standard). options: certificate_path: description: diff --git a/tests/integration/targets/acme_account/tasks/impl.yml b/tests/integration/targets/acme_account/tasks/impl.yml index 5d008fd2..7ba8890c 100644 --- a/tests/integration/targets/acme_account/tasks/impl.yml +++ b/tests/integration/targets/acme_account/tasks/impl.yml @@ -34,7 +34,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false state: present allow_creation: false @@ -46,7 +46,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false state: present allow_creation: true @@ -62,7 +62,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false state: present allow_creation: true 
@@ -76,7 +76,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false state: present allow_creation: true @@ -95,7 +95,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_content: "{{ slurp.content | b64decode }}" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false state: present # allow_creation: false @@ -110,7 +110,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_content: "{{ slurp.content | b64decode }}" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false state: present # allow_creation: false @@ -124,7 +124,7 @@ account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" account_uri: "{{ account_created.account_uri }}" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false state: present # allow_creation: false @@ -138,7 +138,7 @@ account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" account_uri: "{{ account_created.account_uri ~ '12345thisdoesnotexist' }}" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false state: present contact: [] @@ -150,7 +150,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false state: present # allow_creation: false 
@@ -164,7 +164,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false state: present # allow_creation: false @@ -176,7 +176,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false state: present # allow_creation: false @@ -188,7 +188,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false new_account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem" new_account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}" @@ -204,7 +204,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false new_account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem" new_account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}" @@ -219,7 +219,7 @@ account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem" account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false state: absent check_mode: true 
@@ -232,7 +232,7 @@ account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem" account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false state: absent register: account_deactivate @@ -243,7 +243,7 @@ account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem" account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false state: absent register: account_deactivate_idempotent @@ -254,7 +254,7 @@ account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem" account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false state: present allow_creation: false @@ -266,7 +266,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false state: present allow_creation: false @@ -278,7 +278,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/{{ item.account }}.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false state: present allow_creation: true diff --git a/tests/integration/targets/acme_account_info/tasks/impl.yml b/tests/integration/targets/acme_account_info/tasks/impl.yml index f1d53abe..d621603d 100644 --- a/tests/integration/targets/acme_account_info/tasks/impl.yml +++ b/tests/integration/targets/acme_account_info/tasks/impl.yml 
@@ -28,7 +28,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false register: account_not_created @@ -37,7 +37,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false state: present allow_creation: true @@ -50,7 +50,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false register: account_created @@ -64,7 +64,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_content: "{{ slurp.content | b64decode }}" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false state: present allow_creation: false @@ -75,7 +75,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false account_uri: "{{ account_created.account_uri }}" register: account_modified @@ -85,7 +85,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false account_uri: "{{ account_created.account_uri }}test1234doesnotexists" register: account_not_exist 
@@ -95,7 +95,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false account_uri: "{{ account_created.account_uri }}" ignore_errors: true diff --git a/tests/integration/targets/acme_ari_info/aliases b/tests/integration/targets/acme_ari_info/aliases new file mode 100644 index 00000000..b7f6d4f4 --- /dev/null +++ b/tests/integration/targets/acme_ari_info/aliases @@ -0,0 +1,10 @@ +# Copyright (c) Ansible Project +# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) +# SPDX-License-Identifier: GPL-3.0-or-later + +azp/generic/1 +azp/posix/1 +cloud/acme + +# For some reason connecting to helper containers does not work on the Alpine VMs +skip/alpine diff --git a/tests/integration/targets/acme_ari_info/meta/main.yml b/tests/integration/targets/acme_ari_info/meta/main.yml new file mode 100644 index 00000000..2e8ad10b --- /dev/null +++ b/tests/integration/targets/acme_ari_info/meta/main.yml @@ -0,0 +1,8 @@ +--- +# Copyright (c) Ansible Project +# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) +# SPDX-License-Identifier: GPL-3.0-or-later + +dependencies: + - setup_acme + - setup_remote_tmp_dir diff --git a/tests/integration/targets/acme_ari_info/tasks/impl.yml b/tests/integration/targets/acme_ari_info/tasks/impl.yml new file mode 100644 index 00000000..53c6168c --- /dev/null +++ b/tests/integration/targets/acme_ari_info/tasks/impl.yml 
@@ -0,0 +1,59 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+## SET UP ACCOUNT KEYS ########################################################################
+- block:
+ - name: Generate account keys
+ openssl_privatekey:
+ path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
+ type: "{{ item.type }}"
+ size: "{{ item.size | default(omit) }}"
+ curve: "{{ item.curve | default(omit) }}"
+ force: true
+ loop: "{{ account_keys }}"
+
+ vars:
+ account_keys:
+ - name: account-ec256
+ type: ECC
+ curve: secp256r1
+## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
+- name: Obtain cert 1
+ include_tasks: obtain-cert.yml
+ vars:
+ certgen_title: Certificate 1 for renewal check
+ certificate_name: cert-1
+ key_type: rsa
+ rsa_bits: "{{ default_rsa_key_size }}"
+ subject_alt_name: "DNS:example.com"
+ subject_alt_name_critical: false
+ account_key: account-ec256
+ challenge: http-01
+ modify_account: true
+ deactivate_authzs: false
+ force: true
+ remaining_days: "{{ omit }}"
+ terms_agreed: true
+ account_email: "example@example.org"
+## OBTAIN CERTIFICATE INFOS ###################################################################
+- name: Dump OpenSSL x509 info
+ command:
+ cmd: openssl x509 -in {{ remote_tmp_dir }}/cert-1.pem -noout -text
+- name: Obtain certificate information
+ x509_certificate_info:
+ path: "{{ remote_tmp_dir }}/cert-1.pem"
+ register: cert_1_info
+- name: Read certificate
+ slurp:
+ src: '{{ remote_tmp_dir }}/cert-1.pem'
+ register: slurp_cert_1
+- name: Obtain certificate information
+ acme_ari_info:
+ select_crypto_backend: "{{ select_crypto_backend }}"
+ certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
+ acme_version: 2
+ acme_directory: "{{ acme_directory_url }}"
+ validate_certs: false
+ register: cert_1
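Review bot: The `Dump OpenSSL x509 info` task puts a templated path inside a single `cmd` string and sets no `changed_when`, so a `remote_tmp_dir` containing whitespace would be split into extra arguments and the task always reports changed; `argv: [openssl, x509, -in, "{{ remote_tmp_dir }}/cert-1.pem", -noout, -text]` together with `changed_when: false` avoids both. The results registered as `cert_1_info` and `slurp_cert_1` are not referenced by the `tests/validate.yml` this patch adds for the target, so those two tasks could be dropped or given assertions. Two tasks share the name `Obtain certificate information`; renaming the last one, for example to `Obtain ARI information`, makes a failure easier to locate in the log. The `validate_certs: false` on the `acme_ari_info` call would benefit from a one-line comment such as `# test CA is not in the trust store; never disable verification outside this test setup`, which is presumably the reason here.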
diff --git a/tests/integration/targets/acme_ari_info/tasks/main.yml b/tests/integration/targets/acme_ari_info/tasks/main.yml
new file mode 100644
index 00000000..75b7d374
--- /dev/null
+++ b/tests/integration/targets/acme_ari_info/tasks/main.yml
@@ -0,0 +1,44 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- vars:
+ acme_certificate_profile: "{{ 'default' if acme_supports_profiles else omit }}"
+ when: acme_supports_ari
+ block:
+ - block:
+ - name: Running tests with OpenSSL backend
+ include_tasks: impl.yml
+ vars:
+ select_crypto_backend: openssl
+
+ - import_tasks: ../tests/validate.yml
+
+ # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
+ when: openssl_version.stdout is version('1.0.0', '>=')
+
+ - name: Remove output directory
+ file:
+ path: "{{ remote_tmp_dir }}"
+ state: absent
+
+ - name: Re-create output directory
+ file:
+ path: "{{ remote_tmp_dir }}"
+ state: directory
+
+ - block:
+ - name: Running tests with cryptography backend
+ include_tasks: impl.yml
+ vars:
+ select_crypto_backend: cryptography
+
+ - import_tasks: ../tests/validate.yml
+
+ when: cryptography_version.stdout is version('1.5', '>=')
diff --git a/tests/integration/targets/acme_ari_info/tasks/obtain-cert.yml b/tests/integration/targets/acme_ari_info/tasks/obtain-cert.yml
new file mode 120000
index 00000000..532df945
--- /dev/null
+++ b/tests/integration/targets/acme_ari_info/tasks/obtain-cert.yml
@@ -0,0 +1 @@
+../../setup_acme/tasks/obtain-cert.yml
\ No newline at end of file
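Review bot: `Re-create output directory` in the new tasks/main.yml creates `remote_tmp_dir` without a `mode`, so its permissions fall to the remote umask, while impl.yml in this same patch writes the account private key into that directory. Adding `mode: "0700"` to that `file` task keeps the key material private for the second backend run; the first directory presumably comes from `setup_remote_tmp_dir`, whose permissions are not visible here. Separately, the outer block is gated on `when: acme_supports_ari`, so a run against a test CA without ARI passes without executing a single assertion; a leading `debug` task with `when: not acme_supports_ari` would make that skip visible.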
diff --git a/tests/integration/targets/acme_ari_info/tests/validate.yml b/tests/integration/targets/acme_ari_info/tests/validate.yml new file mode 100644 index 00000000..19d446c0 --- /dev/null +++ b/tests/integration/targets/acme_ari_info/tests/validate.yml @@ -0,0 +1,17 @@ +--- +# Copyright (c) Ansible Project +# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) +# SPDX-License-Identifier: GPL-3.0-or-later + +- name: Validate results + assert: + that: + - cert_1 is not changed + - cert_1.renewal_info.explanationURL is string or cert_1.renewal_info.explanationURL is not defined + - cert_1.renewal_info.retryAfter is string or cert_1.renewal_info.retryAfter is not defined + - cert_1.renewal_info.suggestedWindow.start is string + - cert_1.renewal_info.suggestedWindow.end is string + - >- + (cert_1.renewal_info.suggestedWindow.start | ansible.builtin.to_datetime('%Y-%m-%dT%H:%M:%SZ')) + < + (cert_1.renewal_info.suggestedWindow.end | ansible.builtin.to_datetime('%Y-%m-%dT%H:%M:%SZ')) diff --git a/tests/integration/targets/acme_certificate/tasks/impl.yml b/tests/integration/targets/acme_certificate/tasks/impl.yml index f885c62a..18dda9d5 100644 --- a/tests/integration/targets/acme_certificate/tasks/impl.yml +++ b/tests/integration/targets/acme_certificate/tasks/impl.yml @@ -30,7 +30,7 @@ acme_account: select_crypto_backend: "{{ select_crypto_backend }}" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem" state: absent @@ -42,7 +42,7 @@ acme_account: select_crypto_backend: "{{ select_crypto_backend }}" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false account_key_content: "{{ slurp.content | b64decode }}" state: present 
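Review bot: The final assertion in the new acme_ari_info tests/validate.yml parses both `suggestedWindow` values with the fixed format `'%Y-%m-%dT%H:%M:%SZ'`, which only accepts second-precision UTC timestamps. ARI describes these fields as RFC 3339 timestamps, which can also carry fractional seconds or a numeric offset; with such a value `to_datetime` would raise a template error rather than produce a readable assertion failure. If the test CA is known to emit exactly this shape, a comment above the expression such as `# the test CA returns second-precision UTC timestamps; adjust the format if that changes` records the assumption.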
@@ -55,7 +55,7 @@ acme_account: select_crypto_backend: "{{ select_crypto_backend }}" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false account_key_src: "{{ remote_tmp_dir }}/account-rsa.pem" state: present @@ -170,6 +170,7 @@ remaining_days: 1 terms_agreed: false account_email: "" + acme_certificate_profile: "{{ 'default' if acme_supports_profiles else omit }}" acme_expected_root_number: 2 select_chain: - test_certificates: last @@ -239,6 +240,8 @@ terms_agreed: false account_email: "" use_csr_content: true + acme_certificate_profile: "{{ '6days' if acme_supports_profiles else omit }}" + acme_certificate_include_renewal_cert_id: when_ari_supported - name: Store obtain results for cert 5c set_fact: cert_5_recreate_2: "{{ challenge_data is changed }}" @@ -467,7 +470,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false retrieve_orders: ignore register: account_orders_not @@ -476,7 +479,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false retrieve_orders: url_list register: account_orders_urls @@ -485,7 +488,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/account-ec384.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false retrieve_orders: url_list register: account_orders_urls2 
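Review bot: In the `@@ -239,6 +240,8 @@` hunk the profile name `'6days'` is a literal that, judging by its name, selects a short-lived certificate and presumably has to match a profile configured in the ACME test container, which is not part of this patch. A comment next to it, for example `# '6days' is a short-lived profile provided by the test CA`, would tell the next reader where the name comes from and why cert 5c differs from the `'default'` profile used elsewhere. The enclosing task starts and ends outside the hunk.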
@@ -494,7 +497,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false retrieve_orders: object_list register: account_orders_full @@ -503,7 +506,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" account_key_src: "{{ remote_tmp_dir }}/account-ec384.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false retrieve_orders: object_list register: account_orders_full2 diff --git a/tests/integration/targets/acme_certificate_deactivate_authz/tasks/impl.yml b/tests/integration/targets/acme_certificate_deactivate_authz/tasks/impl.yml index 28a88968..4389dfc0 100644 --- a/tests/integration/targets/acme_certificate_deactivate_authz/tasks/impl.yml +++ b/tests/integration/targets/acme_certificate_deactivate_authz/tasks/impl.yml @@ -29,7 +29,7 @@ acme_certificate: select_crypto_backend: "{{ select_crypto_backend }}" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem" modify_account: true @@ -43,7 +43,7 @@ - name: Inspect order acme_inspect: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem" @@ -57,7 +57,7 @@ - name: Deactivate order (check mode) acme_certificate_deactivate_authz: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem" 
@@ -68,7 +68,7 @@ - name: Inspect order again acme_inspect: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem" @@ -82,7 +82,7 @@ - name: Deactivate order acme_certificate_deactivate_authz: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem" @@ -92,7 +92,7 @@ - name: Inspect order again acme_inspect: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem" @@ -106,7 +106,7 @@ - name: Deactivate order (check mode, idempotent) acme_certificate_deactivate_authz: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem" @@ -117,7 +117,7 @@ - name: Inspect order again acme_inspect: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem" @@ -131,7 +131,7 @@ - name: Deactivate order (idempotent) acme_certificate_deactivate_authz: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem" @@ -141,7 +141,7 @@ - name: Inspect order again acme_inspect: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem" 
diff --git a/tests/integration/targets/acme_certificate_order/tasks/impl.yml b/tests/integration/targets/acme_certificate_order/tasks/impl.yml index a3b224f0..54a954c6 100644 --- a/tests/integration/targets/acme_certificate_order/tasks/impl.yml +++ b/tests/integration/targets/acme_certificate_order/tasks/impl.yml @@ -21,7 +21,7 @@ - name: Create ACME account acme_account: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" @@ -48,7 +48,7 @@ - name: Create certificate order acme_certificate_order_create: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" @@ -82,7 +82,7 @@ - name: Get order information acme_certificate_order_info: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" @@ -131,7 +131,7 @@ - name: Let the challenge be validated community.crypto.acme_certificate_order_validate: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" @@ -153,7 +153,7 @@ - name: Get order information acme_certificate_order_info: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" @@ -191,7 +191,7 @@ - name: Let the challenge be validated (idempotent) community.crypto.acme_certificate_order_validate: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" 
@@ -208,7 +208,7 @@ - name: Retrieve the cert and intermediate certificate community.crypto.acme_certificate_order_finalize: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" @@ -250,7 +250,7 @@ - name: Get order information acme_certificate_order_info: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" @@ -286,7 +286,7 @@ - name: Retrieve the cert and intermediate certificate (idempotent) community.crypto.acme_certificate_order_finalize: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" @@ -314,7 +314,7 @@ - name: Get order information acme_certificate_order_info: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" diff --git a/tests/integration/targets/acme_certificate_renewal_info/tasks/impl.yml b/tests/integration/targets/acme_certificate_renewal_info/tasks/impl.yml index 143b286b..c868f7a4 100644 --- a/tests/integration/targets/acme_certificate_renewal_info/tasks/impl.yml +++ b/tests/integration/targets/acme_certificate_renewal_info/tasks/impl.yml @@ -54,7 +54,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" certificate_path: "{{ remote_tmp_dir }}/cert-1.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false register: cert_1_renewal_1 - name: Obtain certificate information (2/11) 
@@ -62,7 +62,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" certificate_path: "{{ remote_tmp_dir }}/cert-1.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false remaining_days: 1000 remaining_percentage: 0.5 @@ -72,7 +72,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" certificate_content: "{{ slurp_cert_1.content | b64decode }}" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false now: +1800d register: cert_1_renewal_3 @@ -81,7 +81,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" certificate_path: "{{ remote_tmp_dir }}/cert-1.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false now: +1800d remaining_days: 30 @@ -92,7 +92,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" certificate_path: "{{ remote_tmp_dir }}/cert-1.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false now: +1800d remaining_days: 30 @@ -103,7 +103,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" certificate_path: "{{ remote_tmp_dir }}/cert-1.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false now: +1800d remaining_days: 10 @@ -114,7 +114,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" certificate_path: "{{ remote_tmp_dir }}/cert-1.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false now: +1830d register: cert_1_renewal_7 
@@ -122,7 +122,7 @@ acme_certificate_renewal_info: select_crypto_backend: "{{ select_crypto_backend }}" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false now: +1830d register: cert_1_renewal_8 @@ -131,7 +131,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" certificate_path: "{{ remote_tmp_dir }}/cert-does-not-exist.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false register: cert_1_renewal_9 - name: Create broken file @@ -145,7 +145,7 @@ select_crypto_backend: "{{ select_crypto_backend }}" certificate_path: "{{ remote_tmp_dir }}/cert-is-broken.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false register: cert_1_renewal_10 ignore_errors: true @@ -155,6 +155,6 @@ select_crypto_backend: "{{ select_crypto_backend }}" certificate_path: "{{ remote_tmp_dir }}/cert-is-broken.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false register: cert_1_renewal_11 diff --git a/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml b/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml index f7e9714c..35ca6485 100644 --- a/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml +++ b/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml 
@@ -9,15 +9,8 @@ #################################################################### - vars: - # ARI and profiles have been added in https://github.com/ansible/ansible/pull/TODO - # See also https://github.com/ansible/acme-test-container/pull/25 - supports_ari: "{{ ansible_version.full is version('2.19', '>=') }}" - supports_profile: "{{ ansible_version.full is version('2.19', '>=') }}" - - acme_certificate_profile: "{{ 'default' if supports_profile else omit }}" - + acme_certificate_profile: "{{ 'default' if acme_supports_profiles else omit }}" block: - - block: - name: Running tests with OpenSSL backend include_tasks: impl.yml diff --git a/tests/integration/targets/acme_certificate_renewal_info/tests/validate.yml b/tests/integration/targets/acme_certificate_renewal_info/tests/validate.yml index ac8bce5e..fb5beb89 100644 --- a/tests/integration/targets/acme_certificate_renewal_info/tests/validate.yml +++ b/tests/integration/targets/acme_certificate_renewal_info/tests/validate.yml @@ -61,7 +61,7 @@ - cert_1_renewal_11.cert_id is not defined - cert_1_renewal_11.exists == true - cert_1_renewal_11.parsable == false - when: not supports_ari + when: not acme_supports_ari - name: Validate results without ARI assert: 
@@ -81,24 +81,24 @@ - cert_1_renewal_6.msg.startswith("The remaining percentage 3.0% of the certificate's lifespan was reached on ") - cert_1_renewal_6.supports_ari == false - cert_1_renewal_7.supports_ari == false - when: not supports_ari + when: not acme_supports_ari - name: Validate results with ARI assert: that: - - cert_1_renewal_1.supports_ari == supports_ari - - cert_1_renewal_2.supports_ari == supports_ari + - cert_1_renewal_1.supports_ari == true + - cert_1_renewal_2.supports_ari == true - cert_1_renewal_3.should_renew == true - cert_1_renewal_3.msg == 'The suggested renewal interval provided by ARI is in the past' - - cert_1_renewal_3.supports_ari == supports_ari + - cert_1_renewal_3.supports_ari == true - cert_1_renewal_4.should_renew == true - cert_1_renewal_4.msg == 'The suggested renewal interval provided by ARI is in the past' - - cert_1_renewal_4.supports_ari == supports_ari + - cert_1_renewal_4.supports_ari == true - cert_1_renewal_5.should_renew == true - cert_1_renewal_5.msg == 'The suggested renewal interval provided by ARI is in the past' - - cert_1_renewal_5.supports_ari == supports_ari + - cert_1_renewal_5.supports_ari == true - cert_1_renewal_6.should_renew == true - cert_1_renewal_6.msg == 'The suggested renewal interval provided by ARI is in the past' - - cert_1_renewal_6.supports_ari == supports_ari + - cert_1_renewal_6.supports_ari == true - cert_1_renewal_7.supports_ari == false - when: supports_ari + when: acme_supports_ari diff --git a/tests/integration/targets/acme_certificate_revoke/tasks/impl.yml b/tests/integration/targets/acme_certificate_revoke/tasks/impl.yml index c04d7d01..4d777af1 100644 --- a/tests/integration/targets/acme_certificate_revoke/tasks/impl.yml +++ b/tests/integration/targets/acme_certificate_revoke/tasks/impl.yml 
@@ -87,7 +87,7 @@ account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem" certificate: "{{ remote_tmp_dir }}/cert-1.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false ignore_errors: true register: cert_1_revoke @@ -98,7 +98,7 @@ private_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}" certificate: "{{ remote_tmp_dir }}/cert-2.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false ignore_errors: true register: cert_2_revoke @@ -112,7 +112,7 @@ account_key_content: "{{ slurp_account_key.content | b64decode }}" certificate: "{{ remote_tmp_dir }}/cert-3-fullchain.pem" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false ignore_errors: true register: cert_3_revoke diff --git a/tests/integration/targets/acme_inspect/tasks/impl.yml b/tests/integration/targets/acme_inspect/tasks/impl.yml index d8750188..feede906 100644 --- a/tests/integration/targets/acme_inspect/tasks/impl.yml +++ b/tests/integration/targets/acme_inspect/tasks/impl.yml @@ -24,7 +24,7 @@ - name: Get directory acme_inspect: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false method: directory-only @@ -34,7 +34,7 @@ - name: Create an account acme_inspect: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" @@ -49,7 +49,7 @@ - name: Get account information acme_inspect: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" 
@@ -62,7 +62,7 @@ - name: Update account contacts acme_inspect: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" @@ -82,7 +82,7 @@ - name: Create certificate order acme_inspect: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" @@ -106,7 +106,7 @@ - name: Get order information acme_inspect: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" @@ -119,7 +119,7 @@ - name: Get authzs for order acme_inspect: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" @@ -133,7 +133,7 @@ - name: Get HTTP-01 challenge for authz acme_inspect: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" @@ -147,7 +147,7 @@ - name: Activate HTTP-01 challenge manually acme_inspect: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" @@ -162,7 +162,7 @@ - name: Get HTTP-01 challenge results acme_inspect: - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" acme_version: 2 validate_certs: false account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" diff --git a/tests/integration/targets/setup_acme/tasks/main.yml b/tests/integration/targets/setup_acme/tasks/main.yml index d8d70cb9..a9288723 100644 
--- a/tests/integration/targets/setup_acme/tasks/main.yml +++ b/tests/integration/targets/setup_acme/tasks/main.yml @@ -8,5 +8,20 @@ # and should not be used as examples of how to write Ansible roles # #################################################################### -- debug: - msg: "ACME test container IP is {{ acme_host }}; OpenSSL version is {{ openssl_version.stdout }}; cryptography version is {{ cryptography_version.stdout }}" +- name: Set ACME server information + set_fact: + # ARI and profiles have been added in https://github.com/ansible/ansible/pull/84547 + # See also https://github.com/ansible/acme-test-container/pull/25 + acme_supports_ari: "{{ ansible_version.full is version('2.19', '>=') }}" + acme_supports_profiles: "{{ ansible_version.full is version('2.19', '>=') }}" + acme_directory_url: "https://{{ acme_host }}:14000/dir" + +- name: Print ACME server information + debug: + msg: |- + ACME test container IP is {{ acme_host }} + ACME directory: {{ acme_directory_url }} + ACME server supports ARI: {{ acme_supports_ari }} + ACME server supports profiles: {{ acme_supports_profiles }} + OpenSSL version is {{ openssl_version.stdout }} + cryptography version is {{ cryptography_version.stdout }} diff --git a/tests/integration/targets/setup_acme/tasks/obtain-cert.yml b/tests/integration/targets/setup_acme/tasks/obtain-cert.yml index 9990b0db..41b5f0af 100644 --- a/tests/integration/targets/setup_acme/tasks/obtain-cert.yml +++ b/tests/integration/targets/setup_acme/tasks/obtain-cert.yml @@ -32,7 +32,7 @@ acme_certificate: select_crypto_backend: "{{ select_crypto_backend }}" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false account_key: "{{ (remote_tmp_dir ~ '/' ~ account_key ~ '.pem') if account_key_content is not defined else omit }}" account_key_content: "{{ account_key_content | default(omit) }}" 
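Review bot: `acme_supports_ari` and `acme_supports_profiles` are computed from `ansible_version.full`, yet the debug task prints them as "ACME server supports ARI" and "ACME server supports profiles". Nothing in the hunk queries the server, so a test container that does not match the ansible-core version would send validate.yml down the wrong assertion branch, and the printed line would point at the wrong cause. I would add `# Inferred from the ansible-core version; the ACME directory itself is not queried.` to the comment in the `set_fact` task and word the debug lines as `Assuming ARI support: {{ acme_supports_ari }}`.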
@@ -50,6 +50,7 @@ terms_agreed: "{{ terms_agreed }}" account_email: "{{ account_email }}" profile: "{{ acme_certificate_profile | default(omit) }}" + include_renewal_cert_id: "{{ acme_certificate_include_renewal_cert_id | default(omit) }}" register: challenge_data - name: ({{ certgen_title }}) Print challenge data debug: @@ -111,7 +112,7 @@ acme_certificate: select_crypto_backend: "{{ select_crypto_backend }}" acme_version: 2 - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" validate_certs: false account_key: "{{ (remote_tmp_dir ~ '/' ~ account_key ~ '.pem') if account_key_content is not defined else omit }}" account_key_content: "{{ account_key_content | default(omit) }}" diff --git a/tests/integration/targets/x509_certificate-acme/tasks/impl.yml b/tests/integration/targets/x509_certificate-acme/tasks/impl.yml index 08e113d2..c83c19ee 100644 --- a/tests/integration/targets/x509_certificate-acme/tasks/impl.yml +++ b/tests/integration/targets/x509_certificate-acme/tasks/impl.yml @@ -34,7 +34,7 @@ csr_path: '{{ remote_tmp_dir }}/cert-1.csr' acme_accountkey_path: '{{ remote_tmp_dir }}/account.key' acme_challenge_path: '{{ remote_tmp_dir }}/challenges/' - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" environment: PATH: '{{ lookup("env", "PATH") }}:{{ remote_tmp_dir }}' @@ -56,7 +56,7 @@ csr_path: '{{ remote_tmp_dir }}/cert-2.csr' acme_accountkey_path: '{{ remote_tmp_dir }}/account.key' acme_challenge_path: '{{ remote_tmp_dir }}/challenges/' - acme_directory: https://{{ acme_host }}:14000/dir + acme_directory: "{{ acme_directory_url }}" environment: PATH: '{{ lookup("env", "PATH") }}:{{ remote_tmp_dir }}'
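Review bot: The new `include_renewal_cert_id` line makes `acme_certificate_include_renewal_cert_id` another input of this shared include, with no comment saying which caller sets it or what it is for. The hunks shown add the option to one `acme_certificate` task only. The second call, patched at `-111,7`, shows just the directory URL change and its remaining parameters are outside the hunk, so please confirm the option is only needed where the order is created. A short comment above the line would help, for example `# optional; passed through to acme_certificate when the caller sets it`. The task starts before the hunk.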