Improve ACME tests; add acme_ari_info tests; use ARI and profiles features in acme_certificate tests (#841)

* Fix description.

* Add basic acme_ari_info test.

* Refactoring.

* Extend acme_certificate tests.

plugins/modules/acme_certificate_renewal_info.py

@@ -24,6 +24,12 @@ extends_documentation_fragment:
   - community.crypto.attributes
   - community.crypto.attributes.info_module
   - community.crypto.attributes.idempotent_not_modify_state
+attributes:
+  idempotent:
+    support: partial
+    details:
+      - The module is not idempotent if O(now) is a relative timestamp, or is not specified.
+      - If O(use_ari=true), the module is not idempotent if O(ari_algorithm=standard).
 options:
   certificate_path:
     description:

tests/integration/targets/acme_account/tasks/impl.yml

@@ -34,7 +34,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     state: present
     allow_creation: false
@@ -46,7 +46,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     state: present
     allow_creation: true
@@ -62,7 +62,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     state: present
     allow_creation: true
@@ -76,7 +76,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     state: present
     allow_creation: true
@@ -95,7 +95,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_content: "{{ slurp.content | b64decode }}"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     state: present
     # allow_creation: false
@@ -110,7 +110,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_content: "{{ slurp.content | b64decode }}"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     state: present
     # allow_creation: false
@@ -124,7 +124,7 @@
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     account_uri: "{{ account_created.account_uri }}"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     state: present
     # allow_creation: false
@@ -138,7 +138,7 @@
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     account_uri: "{{ account_created.account_uri ~ '12345thisdoesnotexist' }}"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     state: present
     contact: []
@@ -150,7 +150,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     state: present
     # allow_creation: false
@@ -164,7 +164,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     state: present
     # allow_creation: false
@@ -176,7 +176,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     state: present
     # allow_creation: false
@@ -188,7 +188,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     new_account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
     new_account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
@@ -204,7 +204,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     new_account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
     new_account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
@@ -219,7 +219,7 @@
     account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
     account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     state: absent
   check_mode: true
@@ -232,7 +232,7 @@
     account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
     account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     state: absent
   register: account_deactivate
@@ -243,7 +243,7 @@
     account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
     account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     state: absent
   register: account_deactivate_idempotent
@@ -254,7 +254,7 @@
     account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
     account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     state: present
     allow_creation: false
@@ -266,7 +266,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     state: present
     allow_creation: false
@@ -278,7 +278,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ remote_tmp_dir }}/{{ item.account }}.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     state: present
     allow_creation: true

tests/integration/targets/acme_account_info/tasks/impl.yml

@@ -28,7 +28,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
   register: account_not_created
 
@@ -37,7 +37,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     state: present
     allow_creation: true
@@ -50,7 +50,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
   register: account_created
 
@@ -64,7 +64,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_content: "{{ slurp.content | b64decode }}"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     state: present
     allow_creation: false
@@ -75,7 +75,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     account_uri: "{{ account_created.account_uri }}"
   register: account_modified
@@ -85,7 +85,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     account_uri: "{{ account_created.account_uri }}test1234doesnotexists"
   register: account_not_exist
@@ -95,7 +95,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     account_uri: "{{ account_created.account_uri }}"
   ignore_errors: true

tests/integration/targets/acme_ari_info/aliases

@@ -0,0 +1,10 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/generic/1
+azp/posix/1
+cloud/acme
+
+# For some reason connecting to helper containers does not work on the Alpine VMs
+skip/alpine

tests/integration/targets/acme_ari_info/meta/main.yml

@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_acme
+  - setup_remote_tmp_dir

tests/integration/targets/acme_ari_info/tasks/impl.yml

@@ -0,0 +1,59 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+## SET UP ACCOUNT KEYS ########################################################################
+- block:
+  - name: Generate account keys
+    openssl_privatekey:
+      path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
+      type: "{{ item.type }}"
+      size: "{{ item.size | default(omit) }}"
+      curve: "{{ item.curve | default(omit) }}"
+      force: true
+    loop: "{{ account_keys }}"
+
+  vars:
+    account_keys:
+      - name: account-ec256
+        type: ECC
+        curve: secp256r1
+## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
+- name: Obtain cert 1
+  include_tasks: obtain-cert.yml
+  vars:
+    certgen_title: Certificate 1 for renewal check
+    certificate_name: cert-1
+    key_type: rsa
+    rsa_bits: "{{ default_rsa_key_size }}"
+    subject_alt_name: "DNS:example.com"
+    subject_alt_name_critical: false
+    account_key: account-ec256
+    challenge: http-01
+    modify_account: true
+    deactivate_authzs: false
+    force: true
+    remaining_days: "{{ omit }}"
+    terms_agreed: true
+    account_email: "example@example.org"
+## OBTAIN CERTIFICATE INFOS ###################################################################
+- name: Dump OpenSSL x509 info
+  command:
+    cmd: openssl x509 -in {{ remote_tmp_dir }}/cert-1.pem -noout -text
+- name: Obtain certificate information
+  x509_certificate_info:
+    path: "{{ remote_tmp_dir }}/cert-1.pem"
+  register: cert_1_info
+- name: Read certificate
+  slurp:
+    src: '{{ remote_tmp_dir }}/cert-1.pem'
+  register: slurp_cert_1
+- name: Obtain certificate information
+  acme_ari_info:
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
+    acme_version: 2
+    acme_directory: "{{ acme_directory_url }}"
+    validate_certs: false
+  register: cert_1

tests/integration/targets/acme_ari_info/tasks/main.yml

@@ -0,0 +1,44 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- vars:
+    acme_certificate_profile: "{{ 'default' if acme_supports_profiles else omit }}"
+  when: acme_supports_ari
+  block:
+    - block:
+      - name: Running tests with OpenSSL backend
+        include_tasks: impl.yml
+        vars:
+          select_crypto_backend: openssl
+
+      - import_tasks: ../tests/validate.yml
+
+      # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
+      when: openssl_version.stdout is version('1.0.0', '>=')
+
+    - name: Remove output directory
+      file:
+        path: "{{ remote_tmp_dir }}"
+        state: absent
+
+    - name: Re-create output directory
+      file:
+        path: "{{ remote_tmp_dir }}"
+        state: directory
+
+    - block:
+      - name: Running tests with cryptography backend
+        include_tasks: impl.yml
+        vars:
+          select_crypto_backend: cryptography
+
+      - import_tasks: ../tests/validate.yml
+
+      when: cryptography_version.stdout is version('1.5', '>=')

tests/integration/targets/acme_ari_info/tasks/obtain-cert.yml

@@ -0,0 +1 @@
+../../setup_acme/tasks/obtain-cert.yml

tests/integration/targets/acme_ari_info/tests/validate.yml

@@ -0,0 +1,17 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Validate results
+  assert:
+    that:
+      - cert_1 is not changed
+      - cert_1.renewal_info.explanationURL is string or cert_1.renewal_info.explanationURL is not defined
+      - cert_1.renewal_info.retryAfter is string or cert_1.renewal_info.retryAfter is not defined
+      - cert_1.renewal_info.suggestedWindow.start is string
+      - cert_1.renewal_info.suggestedWindow.end is string
+      - >-
+        (cert_1.renewal_info.suggestedWindow.start | ansible.builtin.to_datetime('%Y-%m-%dT%H:%M:%SZ'))
+        <
+        (cert_1.renewal_info.suggestedWindow.end | ansible.builtin.to_datetime('%Y-%m-%dT%H:%M:%SZ'))

tests/integration/targets/acme_certificate/tasks/impl.yml

@@ -30,7 +30,7 @@
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
     state: absent
@@ -42,7 +42,7 @@
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     account_key_content: "{{ slurp.content | b64decode }}"
     state: present
@@ -55,7 +55,7 @@
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/account-rsa.pem"
     state: present
@@ -170,6 +170,7 @@
     remaining_days: 1
     terms_agreed: false
     account_email: ""
+    acme_certificate_profile: "{{ 'default' if acme_supports_profiles else omit }}"
     acme_expected_root_number: 2
     select_chain:
       - test_certificates: last
@@ -239,6 +240,8 @@
     terms_agreed: false
     account_email: ""
     use_csr_content: true
+    acme_certificate_profile: "{{ '6days' if acme_supports_profiles else omit }}"
+    acme_certificate_include_renewal_cert_id: when_ari_supported
 - name: Store obtain results for cert 5c
   set_fact:
     cert_5_recreate_2: "{{ challenge_data is changed }}"
@@ -467,7 +470,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     retrieve_orders: ignore
   register: account_orders_not
@@ -476,7 +479,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     retrieve_orders: url_list
   register: account_orders_urls
@@ -485,7 +488,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ remote_tmp_dir }}/account-ec384.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     retrieve_orders: url_list
   register: account_orders_urls2
@@ -494,7 +497,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     retrieve_orders: object_list
   register: account_orders_full
@@ -503,7 +506,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     account_key_src: "{{ remote_tmp_dir }}/account-ec384.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     retrieve_orders: object_list
   register: account_orders_full2

tests/integration/targets/acme_certificate_deactivate_authz/tasks/impl.yml

@@ -29,7 +29,7 @@
       acme_certificate:
         select_crypto_backend: "{{ select_crypto_backend }}"
         acme_version: 2
-        acme_directory: https://{{ acme_host }}:14000/dir
+        acme_directory: "{{ acme_directory_url }}"
         validate_certs: false
         account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
         modify_account: true
@@ -43,7 +43,7 @@
 
 - name: Inspect order
   acme_inspect:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
@@ -57,7 +57,7 @@
 
 - name: Deactivate order (check mode)
   acme_certificate_deactivate_authz:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
@@ -68,7 +68,7 @@
 
 - name: Inspect order again
   acme_inspect:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
@@ -82,7 +82,7 @@
 
 - name: Deactivate order
   acme_certificate_deactivate_authz:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
@@ -92,7 +92,7 @@
 
 - name: Inspect order again
   acme_inspect:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
@@ -106,7 +106,7 @@
 
 - name: Deactivate order (check mode, idempotent)
   acme_certificate_deactivate_authz:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
@@ -117,7 +117,7 @@
 
 - name: Inspect order again
   acme_inspect:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
@@ -131,7 +131,7 @@
 
 - name: Deactivate order (idempotent)
   acme_certificate_deactivate_authz:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
@@ -141,7 +141,7 @@
 
 - name: Inspect order again
   acme_inspect:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"

tests/integration/targets/acme_certificate_order/tasks/impl.yml

@@ -21,7 +21,7 @@
 
 - name: Create ACME account
   acme_account:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
@@ -48,7 +48,7 @@
 
 - name: Create certificate order
   acme_certificate_order_create:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
@@ -82,7 +82,7 @@
 
 - name: Get order information
   acme_certificate_order_info:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
@@ -131,7 +131,7 @@
 
 - name: Let the challenge be validated
   community.crypto.acme_certificate_order_validate:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
@@ -153,7 +153,7 @@
 
 - name: Get order information
   acme_certificate_order_info:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
@@ -191,7 +191,7 @@
 
 - name: Let the challenge be validated (idempotent)
   community.crypto.acme_certificate_order_validate:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
@@ -208,7 +208,7 @@
 
 - name: Retrieve the cert and intermediate certificate
   community.crypto.acme_certificate_order_finalize:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
@@ -250,7 +250,7 @@
 
 - name: Get order information
   acme_certificate_order_info:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
@@ -286,7 +286,7 @@
 
 - name: Retrieve the cert and intermediate certificate (idempotent)
   community.crypto.acme_certificate_order_finalize:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
@@ -314,7 +314,7 @@
 
 - name: Get order information
   acme_certificate_order_info:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"

tests/integration/targets/acme_certificate_renewal_info/tasks/impl.yml

@@ -54,7 +54,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
   register: cert_1_renewal_1
 - name: Obtain certificate information (2/11)
@@ -62,7 +62,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     remaining_days: 1000
     remaining_percentage: 0.5
@@ -72,7 +72,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     certificate_content: "{{ slurp_cert_1.content | b64decode }}"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     now: +1800d
   register: cert_1_renewal_3
@@ -81,7 +81,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     now: +1800d
     remaining_days: 30
@@ -92,7 +92,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     now: +1800d
     remaining_days: 30
@@ -103,7 +103,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     now: +1800d
     remaining_days: 10
@@ -114,7 +114,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     now: +1830d
   register: cert_1_renewal_7
@@ -122,7 +122,7 @@
   acme_certificate_renewal_info:
     select_crypto_backend: "{{ select_crypto_backend }}"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     now: +1830d
   register: cert_1_renewal_8
@@ -131,7 +131,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     certificate_path: "{{ remote_tmp_dir }}/cert-does-not-exist.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
   register: cert_1_renewal_9
 - name: Create broken file
@@ -145,7 +145,7 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     certificate_path: "{{ remote_tmp_dir }}/cert-is-broken.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
   register: cert_1_renewal_10
   ignore_errors: true
@@ -155,6 +155,6 @@
     select_crypto_backend: "{{ select_crypto_backend }}"
     certificate_path: "{{ remote_tmp_dir }}/cert-is-broken.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
   register: cert_1_renewal_11

tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml

@@ -9,15 +9,8 @@
 ####################################################################
 
 - vars:
-    # ARI and profiles have been added in https://github.com/ansible/ansible/pull/TODO
+    acme_certificate_profile: "{{ 'default' if acme_supports_profiles else omit }}"
-    # See also https://github.com/ansible/acme-test-container/pull/25
-    supports_ari: "{{ ansible_version.full is version('2.19', '>=') }}"
-    supports_profile: "{{ ansible_version.full is version('2.19', '>=') }}"
-
-    acme_certificate_profile: "{{ 'default' if supports_profile else omit }}"
-
   block:
-
     - block:
       - name: Running tests with OpenSSL backend
         include_tasks: impl.yml

tests/integration/targets/acme_certificate_renewal_info/tests/validate.yml

@@ -61,7 +61,7 @@
           - cert_1_renewal_11.cert_id is not defined
           - cert_1_renewal_11.exists == true
           - cert_1_renewal_11.parsable == false
-      when: not supports_ari
+      when: not acme_supports_ari
 
     - name: Validate results without ARI
       assert:
@@ -81,24 +81,24 @@
           - cert_1_renewal_6.msg.startswith("The remaining percentage 3.0% of the certificate's lifespan was reached on ")
           - cert_1_renewal_6.supports_ari == false
           - cert_1_renewal_7.supports_ari == false
-      when: not supports_ari
+      when: not acme_supports_ari
 
     - name: Validate results with ARI
       assert:
         that:
-          - cert_1_renewal_1.supports_ari == supports_ari
+          - cert_1_renewal_1.supports_ari == true
-          - cert_1_renewal_2.supports_ari == supports_ari
+          - cert_1_renewal_2.supports_ari == true
           - cert_1_renewal_3.should_renew == true
           - cert_1_renewal_3.msg == 'The suggested renewal interval provided by ARI is in the past'
-          - cert_1_renewal_3.supports_ari == supports_ari
+          - cert_1_renewal_3.supports_ari == true
           - cert_1_renewal_4.should_renew == true
           - cert_1_renewal_4.msg == 'The suggested renewal interval provided by ARI is in the past'
-          - cert_1_renewal_4.supports_ari == supports_ari
+          - cert_1_renewal_4.supports_ari == true
           - cert_1_renewal_5.should_renew == true
           - cert_1_renewal_5.msg == 'The suggested renewal interval provided by ARI is in the past'
-          - cert_1_renewal_5.supports_ari == supports_ari
+          - cert_1_renewal_5.supports_ari == true
           - cert_1_renewal_6.should_renew == true
           - cert_1_renewal_6.msg == 'The suggested renewal interval provided by ARI is in the past'
-          - cert_1_renewal_6.supports_ari == supports_ari
+          - cert_1_renewal_6.supports_ari == true
           - cert_1_renewal_7.supports_ari == false
-      when: supports_ari
+      when: acme_supports_ari

tests/integration/targets/acme_certificate_revoke/tasks/impl.yml

@@ -87,7 +87,7 @@
     account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
     certificate: "{{ remote_tmp_dir }}/cert-1.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
   ignore_errors: true
   register: cert_1_revoke
@@ -98,7 +98,7 @@
     private_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
     certificate: "{{ remote_tmp_dir }}/cert-2.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
   ignore_errors: true
   register: cert_2_revoke
@@ -112,7 +112,7 @@
     account_key_content: "{{ slurp_account_key.content | b64decode }}"
     certificate: "{{ remote_tmp_dir }}/cert-3-fullchain.pem"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
   ignore_errors: true
   register: cert_3_revoke

tests/integration/targets/acme_inspect/tasks/impl.yml

@@ -24,7 +24,7 @@
 
 - name: Get directory
   acme_inspect:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     method: directory-only
@@ -34,7 +34,7 @@
 
 - name: Create an account
   acme_inspect:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
@@ -49,7 +49,7 @@
 
 - name: Get account information
   acme_inspect:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
@@ -62,7 +62,7 @@
 
 - name: Update account contacts
   acme_inspect:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
@@ -82,7 +82,7 @@
 
 - name: Create certificate order
   acme_inspect:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
@@ -106,7 +106,7 @@
 
 - name: Get order information
   acme_inspect:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
@@ -119,7 +119,7 @@
 
 - name: Get authzs for order
   acme_inspect:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
@@ -133,7 +133,7 @@
 
 - name: Get HTTP-01 challenge for authz
   acme_inspect:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
@@ -147,7 +147,7 @@
 
 - name: Activate HTTP-01 challenge manually
   acme_inspect:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
@@ -162,7 +162,7 @@
 
 - name: Get HTTP-01 challenge results
   acme_inspect:
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     acme_version: 2
     validate_certs: false
     account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"

tests/integration/targets/setup_acme/tasks/main.yml

@@ -8,5 +8,20 @@
 # and should not be used as examples of how to write Ansible roles #
 ####################################################################
 
-- debug:
+- name: Set ACME server information
-    msg: "ACME test container IP is {{ acme_host }}; OpenSSL version is {{ openssl_version.stdout }}; cryptography version is {{ cryptography_version.stdout }}"
+  set_fact:
+    # ARI and profiles have been added in https://github.com/ansible/ansible/pull/84547
+    # See also https://github.com/ansible/acme-test-container/pull/25
+    acme_supports_ari: "{{ ansible_version.full is version('2.19', '>=') }}"
+    acme_supports_profiles: "{{ ansible_version.full is version('2.19', '>=') }}"
+    acme_directory_url: "https://{{ acme_host }}:14000/dir"
+
+- name: Print ACME server information
+  debug:
+    msg: |-
+      ACME test container IP is {{ acme_host }}
+      ACME directory: {{ acme_directory_url }}
+      ACME server supports ARI: {{ acme_supports_ari }}
+      ACME server supports profiles: {{ acme_supports_profiles }}
+      OpenSSL version is {{ openssl_version.stdout }}
+      cryptography version is {{ cryptography_version.stdout }}

tests/integration/targets/setup_acme/tasks/obtain-cert.yml

@@ -32,7 +32,7 @@
   acme_certificate:
     select_crypto_backend: "{{ select_crypto_backend }}"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     account_key: "{{ (remote_tmp_dir ~ '/' ~ account_key ~ '.pem') if account_key_content is not defined else omit }}"
     account_key_content: "{{ account_key_content | default(omit) }}"
@@ -50,6 +50,7 @@
     terms_agreed: "{{ terms_agreed }}"
     account_email: "{{ account_email }}"
     profile: "{{ acme_certificate_profile | default(omit) }}"
+    include_renewal_cert_id: "{{ acme_certificate_include_renewal_cert_id | default(omit) }}"
   register: challenge_data
 - name: ({{ certgen_title }}) Print challenge data
   debug:
@@ -111,7 +112,7 @@
   acme_certificate:
     select_crypto_backend: "{{ select_crypto_backend }}"
     acme_version: 2
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
     validate_certs: false
     account_key: "{{ (remote_tmp_dir ~ '/' ~ account_key ~ '.pem') if account_key_content is not defined else omit }}"
     account_key_content: "{{ account_key_content | default(omit) }}"

tests/integration/targets/x509_certificate-acme/tasks/impl.yml

@@ -34,7 +34,7 @@
     csr_path: '{{ remote_tmp_dir }}/cert-1.csr'
     acme_accountkey_path: '{{ remote_tmp_dir }}/account.key'
     acme_challenge_path: '{{ remote_tmp_dir }}/challenges/'
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
   environment:
     PATH: '{{ lookup("env", "PATH") }}:{{ remote_tmp_dir }}'
 
@@ -56,7 +56,7 @@
     csr_path: '{{ remote_tmp_dir }}/cert-2.csr'
     acme_accountkey_path: '{{ remote_tmp_dir }}/account.key'
     acme_challenge_path: '{{ remote_tmp_dir }}/challenges/'
-    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_directory: "{{ acme_directory_url }}"
   environment:
     PATH: '{{ lookup("env", "PATH") }}:{{ remote_tmp_dir }}'