acme_certificate: fix crash when using fullchain_dest (#324) (#325)

* Fix crash when using fullchain_dest. * Adjust changelog. * Update plugins/module_utils/acme/backend_cryptography.py Co-authored-by: Ajpantuso <ajpantuso@gmail.com> Co-authored-by: Ajpantuso <ajpantuso@gmail.com> (cherry picked from commit 51b6bb210d) Co-authored-by: Felix Fontein <felix@fontein.de>
2021-11-05 09:35:10 +01:00 · 2021-11-05 09:35:10 +01:00 · 73afe8e742
parent db67b8a857
commit 73afe8e742
3 changed files with 20 additions and 1 deletions
--- a/changelogs/fragments/324-acme_certificate-fullchain.yml
+++ b/changelogs/fragments/324-acme_certificate-fullchain.yml
@ -0,0 +1,2 @@
+bugfixes:
+  - "acme_certificate - avoid passing multiple certificates to ``cryptography``'s X.509 certificate loader when ``fullchain_dest`` is used. Doing so potentially produces an error when cryptography 36.0.0 is used (https://github.com/ansible-collections/community.crypto/pull/324)."
--- a/plugins/module_utils/acme/backend_cryptography.py
+++ b/plugins/module_utils/acme/backend_cryptography.py
@ -14,7 +14,7 @@ import datetime
 import os
 import sys

-from ansible.module_utils.common.text.converters import to_bytes, to_native
+from ansible.module_utils.common.text.converters import to_bytes, to_native, to_text

 from ansible_collections.community.crypto.plugins.module_utils.acme.backends import (
    CryptoBackend,
@ -41,6 +41,10 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp
    cryptography_name_to_oid,
 )

+from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import (
+    extract_first_pem,
+)
+
 try:
    import cryptography
    import cryptography.hazmat.backends
@ -357,6 +361,9 @@ class CryptographyBackend(CryptoBackend):
        if cert_content is None:
            return -1

+        # Make sure we have at most one PEM. Otherwise cryptography 36.0.0 will barf.
+        cert_content = to_bytes(extract_first_pem(to_text(cert_content)) or '')
+
        try:
            cert = cryptography.x509.load_pem_x509_certificate(cert_content, _cryptography_backend)
        except Exception as e:
--- a/plugins/module_utils/crypto/pem.py
+++ b/plugins/module_utils/crypto/pem.py
@ -72,3 +72,13 @@ def split_pem_list(text, keep_inbetween=False):
                    result.append(''.join(current))
                    current = [] if keep_inbetween else None
    return result
+
+
+def extract_first_pem(text):
+    '''
+    Given one PEM or multiple concatenated PEM objects, return only the first one, or None if there is none.
+    '''
+    all_pems = split_pem_list(text)
+    if not all_pems:
+        return None
+    return all_pems[0]