Felix Fontein
GitHub
parent
640839fa7c
commit
dbda650bbd
|
|
@ -0,0 +1,84 @@
|
|||
==============================
|
||||
Community Crypto Release Notes
|
||||
==============================
|
||||
|
||||
.. contents:: Topics
|
||||
|
||||
|
||||
v1.0.0
|
||||
======
|
||||
|
||||
Release Summary
|
||||
---------------
|
||||
|
||||
This is the first proper release of the ``community.crypto`` collection. This changelog contains all changes to the modules in this collection that were added after the release of Ansible 2.9.0.
|
||||
|
||||
|
||||
Minor Changes
|
||||
-------------
|
||||
|
||||
- luks_device - accept ``passphrase``, ``new_passphrase`` and ``remove_passphrase``.
|
||||
- luks_device - add ``keysize`` parameter to set key size at LUKS container creation
|
||||
- luks_device - added support to use UUIDs, and labels with LUKS2 containers
|
||||
- luks_device - added the ``type`` option that allows user explicit define the LUKS container format version
|
||||
- openssh_keypair - instead of regenerating some broken or password protected keys, fail the module. Keys can still be regenerated by calling the module with ``force=yes``.
|
||||
- openssh_keypair - the ``regenerate`` option allows to configure the module's behavior when it should or needs to regenerate private keys.
|
||||
- openssl_* modules - the cryptography backend now properly supports ``dirName``, ``otherName`` and ``RID`` (Registered ID) names.
|
||||
- openssl_certificate - Add option for changing which ACME directory to use with acme-tiny. Set the default ACME directory to Let's Encrypt instead of using acme-tiny's default. (acme-tiny also uses Let's Encrypt at the time being, so no action should be neccessary.)
|
||||
- openssl_certificate - Change the required version of acme-tiny to >= 4.0.0
|
||||
- openssl_certificate - allow to provide content of some input files via the ``csr_content``, ``privatekey_content``, ``ownca_privatekey_content`` and ``ownca_content`` options.
|
||||
- openssl_certificate - allow to return the existing/generated certificate directly as ``certificate`` by setting ``return_content`` to ``yes``.
|
||||
- openssl_certificate_info - allow to provide certificate content via ``content`` option (https://github.com/ansible/ansible/issues/64776).
|
||||
- openssl_csr - Add support for specifying the SAN ``otherName`` value in the OpenSSL ASN.1 UTF8 string format, ``otherName:<OID>;UTF8:string value``.
|
||||
- openssl_csr - allow to provide private key content via ``private_key_content`` option.
|
||||
- openssl_csr - allow to return the existing/generated CSR directly as ``csr`` by setting ``return_content`` to ``yes``.
|
||||
- openssl_csr_info - allow to provide CSR content via ``content`` option.
|
||||
- openssl_dhparam - allow to return the existing/generated DH params directly as ``dhparams`` by setting ``return_content`` to ``yes``.
|
||||
- openssl_dhparam - now supports a ``cryptography``-based backend. Auto-detection can be overwritten with the ``select_crypto_backend`` option.
|
||||
- openssl_pkcs12 - allow to return the existing/generated PKCS#12 directly as ``pkcs12`` by setting ``return_content`` to ``yes``.
|
||||
- openssl_privatekey - add ``format`` and ``format_mismatch`` options.
|
||||
- openssl_privatekey - allow to return the existing/generated private key directly as ``privatekey`` by setting ``return_content`` to ``yes``.
|
||||
- openssl_privatekey - the ``regenerate`` option allows to configure the module's behavior when it should or needs to regenerate private keys.
|
||||
- openssl_privatekey_info - allow to provide private key content via ``content`` option.
|
||||
- openssl_publickey - allow to provide private key content via ``private_key_content`` option.
|
||||
- openssl_publickey - allow to return the existing/generated public key directly as ``publickey`` by setting ``return_content`` to ``yes``.
|
||||
|
||||
Deprecated Features
|
||||
-------------------
|
||||
|
||||
- openssl_csr - all values for the ``version`` option except ``1`` are deprecated. The value 1 denotes the current only standardized CSR version.
|
||||
|
||||
Removed Features (previously deprecated)
|
||||
----------------------------------------
|
||||
|
||||
- The ``letsencrypt`` module has been removed. Use ``acme_certificate`` instead.
|
||||
|
||||
Bugfixes
|
||||
--------
|
||||
|
||||
- ACME modules: fix bug in ACME v1 account update code
|
||||
- ACME modules: make sure some connection errors are handled properly
|
||||
- ACME modules: support Buypass' ACME v1 endpoint
|
||||
- acme_certificate - fix crash when module is used with Python 2.x.
|
||||
- acme_certificate - fix misbehavior when ACME v1 is used with ``modify_account`` set to ``false``.
|
||||
- ecs_certificate - Always specify header ``connection: keep-alive`` for ECS API connections.
|
||||
- ecs_certificate - Fix formatting of contents of ``full_chain_path``.
|
||||
- get_certificate - Fix cryptography backend when pyopenssl is unavailable (https://github.com/ansible/ansible/issues/67900)
|
||||
- openssh_keypair - add logic to avoid breaking password protected keys.
|
||||
- openssh_keypair - fixes idempotence issue with public key (https://github.com/ansible/ansible/issues/64969).
|
||||
- openssh_keypair - public key's file attributes (permissions, owner, group, etc.) are now set to the same values as the private key.
|
||||
- openssl_* modules - prevent crash on fingerprint determination in FIPS mode (https://github.com/ansible/ansible/issues/67213).
|
||||
- openssl_certificate - When provider is ``entrust``, use a ``connection: keep-alive`` header for ECS API connections.
|
||||
- openssl_certificate - ``provider`` option was documented as required, but it was not checked whether it was provided. It is now only required when ``state`` is ``present``.
|
||||
- openssl_certificate - fix ``assertonly`` provider certificate verification, causing 'private key mismatch' and 'subject mismatch' errors.
|
||||
- openssl_certificate and openssl_csr - fix Ed25519 and Ed448 private key support for ``cryptography`` backend. This probably needs at least cryptography 2.8, since older versions have problems with signing certificates or CSRs with such keys. (https://github.com/ansible/ansible/issues/59039, PR https://github.com/ansible/ansible/pull/63984)
|
||||
- openssl_csr - a warning is issued if an unsupported value for ``version`` is used for the ``cryptography`` backend.
|
||||
- openssl_csr - the module will now enforce that ``privatekey_path`` is specified when ``state=present``.
|
||||
- openssl_publickey - fix a module crash caused when pyOpenSSL is not installed (https://github.com/ansible/ansible/issues/67035).
|
||||
|
||||
New Modules
|
||||
-----------
|
||||
|
||||
- ecs_domain - Request validation of a domain with the Entrust Certificate Services (ECS) API
|
||||
- x509_crl - Generate Certificate Revocation Lists (CRLs)
|
||||
- x509_crl_info - Retrieve information on Certificate Revocation Lists (CRLs)
|
||||
|
|
@ -0,0 +1,142 @@
|
|||
ancestor: null
|
||||
releases:
|
||||
1.0.0:
|
||||
changes:
|
||||
bugfixes:
|
||||
- 'ACME modules: fix bug in ACME v1 account update code'
|
||||
- 'ACME modules: make sure some connection errors are handled properly'
|
||||
- 'ACME modules: support Buypass'' ACME v1 endpoint'
|
||||
- acme_certificate - fix crash when module is used with Python 2.x.
|
||||
- acme_certificate - fix misbehavior when ACME v1 is used with ``modify_account``
|
||||
set to ``false``.
|
||||
- 'ecs_certificate - Always specify header ``connection: keep-alive`` for ECS
|
||||
API connections.'
|
||||
- ecs_certificate - Fix formatting of contents of ``full_chain_path``.
|
||||
- get_certificate - Fix cryptography backend when pyopenssl is unavailable (https://github.com/ansible/ansible/issues/67900)
|
||||
- openssh_keypair - add logic to avoid breaking password protected keys.
|
||||
- openssh_keypair - fixes idempotence issue with public key (https://github.com/ansible/ansible/issues/64969).
|
||||
- openssh_keypair - public key's file attributes (permissions, owner, group,
|
||||
etc.) are now set to the same values as the private key.
|
||||
- openssl_* modules - prevent crash on fingerprint determination in FIPS mode
|
||||
(https://github.com/ansible/ansible/issues/67213).
|
||||
- 'openssl_certificate - When provider is ``entrust``, use a ``connection: keep-alive``
|
||||
header for ECS API connections.'
|
||||
- openssl_certificate - ``provider`` option was documented as required, but
|
||||
it was not checked whether it was provided. It is now only required when ``state``
|
||||
is ``present``.
|
||||
- openssl_certificate - fix ``assertonly`` provider certificate verification,
|
||||
causing 'private key mismatch' and 'subject mismatch' errors.
|
||||
- openssl_certificate and openssl_csr - fix Ed25519 and Ed448 private key support
|
||||
for ``cryptography`` backend. This probably needs at least cryptography 2.8,
|
||||
since older versions have problems with signing certificates or CSRs with
|
||||
such keys. (https://github.com/ansible/ansible/issues/59039, PR https://github.com/ansible/ansible/pull/63984)
|
||||
- openssl_csr - a warning is issued if an unsupported value for ``version``
|
||||
is used for the ``cryptography`` backend.
|
||||
- openssl_csr - the module will now enforce that ``privatekey_path`` is specified
|
||||
when ``state=present``.
|
||||
- openssl_publickey - fix a module crash caused when pyOpenSSL is not installed
|
||||
(https://github.com/ansible/ansible/issues/67035).
|
||||
deprecated_features:
|
||||
- openssl_csr - all values for the ``version`` option except ``1`` are deprecated.
|
||||
The value 1 denotes the current only standardized CSR version.
|
||||
minor_changes:
|
||||
- luks_device - accept ``passphrase``, ``new_passphrase`` and ``remove_passphrase``.
|
||||
- luks_device - add ``keysize`` parameter to set key size at LUKS container
|
||||
creation
|
||||
- luks_device - added support to use UUIDs, and labels with LUKS2 containers
|
||||
- luks_device - added the ``type`` option that allows user explicit define the
|
||||
LUKS container format version
|
||||
- openssh_keypair - instead of regenerating some broken or password protected
|
||||
keys, fail the module. Keys can still be regenerated by calling the module
|
||||
with ``force=yes``.
|
||||
- openssh_keypair - the ``regenerate`` option allows to configure the module's
|
||||
behavior when it should or needs to regenerate private keys.
|
||||
- openssl_* modules - the cryptography backend now properly supports ``dirName``,
|
||||
``otherName`` and ``RID`` (Registered ID) names.
|
||||
- openssl_certificate - Add option for changing which ACME directory to use
|
||||
with acme-tiny. Set the default ACME directory to Let's Encrypt instead of
|
||||
using acme-tiny's default. (acme-tiny also uses Let's Encrypt at the time
|
||||
being, so no action should be neccessary.)
|
||||
- openssl_certificate - Change the required version of acme-tiny to >= 4.0.0
|
||||
- openssl_certificate - allow to provide content of some input files via the
|
||||
``csr_content``, ``privatekey_content``, ``ownca_privatekey_content`` and
|
||||
``ownca_content`` options.
|
||||
- openssl_certificate - allow to return the existing/generated certificate directly
|
||||
as ``certificate`` by setting ``return_content`` to ``yes``.
|
||||
- openssl_certificate_info - allow to provide certificate content via ``content``
|
||||
option (https://github.com/ansible/ansible/issues/64776).
|
||||
- openssl_csr - Add support for specifying the SAN ``otherName`` value in the
|
||||
OpenSSL ASN.1 UTF8 string format, ``otherName:<OID>;UTF8:string value``.
|
||||
- openssl_csr - allow to provide private key content via ``private_key_content``
|
||||
option.
|
||||
- openssl_csr - allow to return the existing/generated CSR directly as ``csr``
|
||||
by setting ``return_content`` to ``yes``.
|
||||
- openssl_csr_info - allow to provide CSR content via ``content`` option.
|
||||
- openssl_dhparam - allow to return the existing/generated DH params directly
|
||||
as ``dhparams`` by setting ``return_content`` to ``yes``.
|
||||
- openssl_dhparam - now supports a ``cryptography``-based backend. Auto-detection
|
||||
can be overwritten with the ``select_crypto_backend`` option.
|
||||
- openssl_pkcs12 - allow to return the existing/generated PKCS#12 directly as
|
||||
``pkcs12`` by setting ``return_content`` to ``yes``.
|
||||
- openssl_privatekey - add ``format`` and ``format_mismatch`` options.
|
||||
- openssl_privatekey - allow to return the existing/generated private key directly
|
||||
as ``privatekey`` by setting ``return_content`` to ``yes``.
|
||||
- openssl_privatekey - the ``regenerate`` option allows to configure the module's
|
||||
behavior when it should or needs to regenerate private keys.
|
||||
- openssl_privatekey_info - allow to provide private key content via ``content``
|
||||
option.
|
||||
- openssl_publickey - allow to provide private key content via ``private_key_content``
|
||||
option.
|
||||
- openssl_publickey - allow to return the existing/generated public key directly
|
||||
as ``publickey`` by setting ``return_content`` to ``yes``.
|
||||
release_summary: 'This is the first proper release of the ``community.crypto``
|
||||
collection. This changelog contains all changes to the modules in this collection
|
||||
that were added after the release of Ansible 2.9.0.
|
||||
|
||||
'
|
||||
removed_features:
|
||||
- The ``letsencrypt`` module has been removed. Use ``acme_certificate`` instead.
|
||||
fragments:
|
||||
- 1.0.0.yml
|
||||
- 52408-luks-device.yaml
|
||||
- 58973-luks_device_add-type-option.yml
|
||||
- 58973_luks_device-add-label-and-uuid-support.yml
|
||||
- 60388-openssl_privatekey-format.yml
|
||||
- 61522-luks-device-add-option-to-define-keysize.yml
|
||||
- 61658-openssh_keypair-public-key-permissions.yml
|
||||
- 61693-acme-buypass-acme-v1.yml
|
||||
- 61738-ecs-certificate-invalid-chain.yaml
|
||||
- 62218-fix-to-entrust-api.yml
|
||||
- 62790-openssl_certificate_fix_assert.yml
|
||||
- 62991-openssl_dhparam-cryptography-backend.yml
|
||||
- 63140-acme-fix-fetch-url-status-codes.yaml
|
||||
- 63432-openssl_csr-version.yml
|
||||
- 63984-openssl-ed25519-ed448.yml
|
||||
- 64436-openssh_keypair-add-password-protected-key-check.yml
|
||||
- 64501-fix-python2.x-backward-compatibility.yaml
|
||||
- 64648-acme_certificate-acmev1.yml
|
||||
- 65017-openssh_keypair-idempotence.yml
|
||||
- 65400-openssl-output.yml
|
||||
- 65435-openssl_csr-privatekey_path-required.yml
|
||||
- 65633-crypto-argspec-fixup.yml
|
||||
- 66384-openssl-content.yml
|
||||
- 67036-openssl_publickey-backend.yml
|
||||
- 67038-openssl-openssh-key-regenerate.yml
|
||||
- 67109-openssl_certificate-acme-directory.yaml
|
||||
- 67515-openssl-fingerprint-fips.yml
|
||||
- 67669-cryptography-names.yml
|
||||
- 67901-get_certificate-fix-cryptography.yml
|
||||
- letsencrypt.yml
|
||||
- openssl_csr-otherName.yml
|
||||
modules:
|
||||
- description: Request validation of a domain with the Entrust Certificate Services
|
||||
(ECS) API
|
||||
name: ecs_domain
|
||||
namespace: ''
|
||||
- description: Generate Certificate Revocation Lists (CRLs)
|
||||
name: x509_crl
|
||||
namespace: ''
|
||||
- description: Retrieve information on Certificate Revocation Lists (CRLs)
|
||||
name: x509_crl_info
|
||||
namespace: ''
|
||||
release_date: '2020-07-03'
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
minor_changes:
|
||||
- luks_device - accept ``passphrase``, ``new_passphrase`` and ``remove_passphrase``.
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
minor_changes:
|
||||
- luks_device - added the ``type`` option that allows user explicit define the LUKS container format version
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
minor_changes:
|
||||
- luks_device - added support to use UUIDs, and labels with LUKS2 containers
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
minor_changes:
|
||||
- "openssl_privatekey - add ``format`` and ``format_mismatch`` options."
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
minor_changes:
|
||||
- luks_device - add ``keysize`` parameter to set key size at LUKS container creation
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
bugfixes:
|
||||
- "openssh_keypair - public key's file attributes (permissions, owner, group, etc.) are now set to the same values as the private key."
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
bugfixes:
|
||||
- "ACME modules: support Buypass' ACME v1 endpoint"
|
||||
- "ACME modules: fix bug in ACME v1 account update code"
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
bugfixes:
|
||||
- ecs_certificate - Fix formatting of contents of ``full_chain_path``.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
bugfixes:
|
||||
- "openssl_certificate - When provider is ``entrust``, use a ``connection: keep-alive`` header for ECS API connections."
|
||||
- "ecs_certificate - Always specify header ``connection: keep-alive`` for ECS API connections."
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
bugfixes:
|
||||
- "openssl_certificate - fix ``assertonly`` provider certificate verification, causing 'private key mismatch' and 'subject mismatch' errors."
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
minor_changes:
|
||||
- "openssl_dhparam - now supports a ``cryptography``-based backend. Auto-detection can be overwritten with the ``select_crypto_backend`` option."
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
bugfixes:
|
||||
- "ACME modules: make sure some connection errors are handled properly"
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
deprecated_features:
|
||||
- "openssl_csr - all values for the ``version`` option except ``1`` are deprecated. The value 1 denotes the current only standardized CSR version."
|
||||
bugfixes:
|
||||
- "openssl_csr - a warning is issued if an unsupported value for ``version`` is used for the ``cryptography`` backend."
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
bugfixes:
|
||||
- "openssl_certificate and openssl_csr - fix Ed25519 and Ed448 private key support for ``cryptography`` backend.
|
||||
This probably needs at least cryptography 2.8, since older versions have problems with signing certificates
|
||||
or CSRs with such keys. (https://github.com/ansible/ansible/issues/59039, PR https://github.com/ansible/ansible/pull/63984)"
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
bugfixes:
|
||||
- openssh_keypair - add logic to avoid breaking password protected keys.
|
||||
minor_changes:
|
||||
- openssh_keypair - instead of regenerating some broken or password protected keys, fail the module. Keys can still be regenerated by calling the module with ``force=yes``.
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
bugfixes:
|
||||
- "acme_certificate - fix crash when module is used with Python 2.x."
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
bugfixes:
|
||||
- "acme_certificate - fix misbehavior when ACME v1 is used with ``modify_account`` set to ``false``."
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
bugfixes:
|
||||
- "openssh_keypair - fixes idempotence issue with public key (https://github.com/ansible/ansible/issues/64969)."
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
minor_changes:
|
||||
- "openssl_certificate - allow to return the existing/generated certificate directly as ``certificate`` by setting ``return_content`` to ``yes``."
|
||||
- "openssl_csr - allow to return the existing/generated CSR directly as ``csr`` by setting ``return_content`` to ``yes``."
|
||||
- "openssl_dhparam - allow to return the existing/generated DH params directly as ``dhparams`` by setting ``return_content`` to ``yes``."
|
||||
- "openssl_pkcs12 - allow to return the existing/generated PKCS#12 directly as ``pkcs12`` by setting ``return_content`` to ``yes``."
|
||||
- "openssl_privatekey - allow to return the existing/generated private key directly as ``privatekey`` by setting ``return_content`` to ``yes``."
|
||||
- "openssl_publickey - allow to return the existing/generated public key directly as ``publickey`` by setting ``return_content`` to ``yes``."
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
bugfixes:
|
||||
- "openssl_csr - the module will now enforce that ``privatekey_path`` is specified when ``state=present``."
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
bugfixes:
|
||||
- "openssl_certificate - ``provider`` option was documented as required, but it was not checked whether it was provided. It is now only required when ``state`` is ``present``."
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
minor_changes:
|
||||
- "openssl_certificate_info - allow to provide certificate content via ``content`` option (https://github.com/ansible/ansible/issues/64776)."
|
||||
- "openssl_csr_info - allow to provide CSR content via ``content`` option."
|
||||
- "openssl_privatekey_info - allow to provide private key content via ``content`` option."
|
||||
- "openssl_certificate - allow to provide content of some input files via the ``csr_content``, ``privatekey_content``, ``ownca_privatekey_content`` and ``ownca_content`` options."
|
||||
- "openssl_csr - allow to provide private key content via ``private_key_content`` option."
|
||||
- "openssl_publickey - allow to provide private key content via ``private_key_content`` option."
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
bugfixes:
|
||||
- "openssl_publickey - fix a module crash caused when pyOpenSSL is not installed (https://github.com/ansible/ansible/issues/67035)."
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
minor_changes:
|
||||
- "openssh_keypair - the ``regenerate`` option allows to configure the module's behavior when it should or needs to regenerate private keys."
|
||||
- "openssl_privatekey - the ``regenerate`` option allows to configure the module's behavior when it should or needs to regenerate private keys."
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
minor_changes:
|
||||
- "openssl_certificate - Add option for changing which ACME directory to use with acme-tiny. Set the default ACME directory to Let's Encrypt instead of using acme-tiny's default. (acme-tiny also uses Let's Encrypt at the time being, so no action should be neccessary.)"
|
||||
- "openssl_certificate - Change the required version of acme-tiny to >= 4.0.0"
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
bugfixes:
|
||||
- "openssl_* modules - prevent crash on fingerprint determination in FIPS mode (https://github.com/ansible/ansible/issues/67213)."
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
minor_changes:
|
||||
- "openssl_* modules - the cryptography backend now properly supports ``dirName``, ``otherName`` and ``RID`` (Registered ID) names."
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
bugfixes:
|
||||
- get_certificate - Fix cryptography backend when pyopenssl is unavailable (https://github.com/ansible/ansible/issues/67900)
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
removed_features:
|
||||
- "The ``letsencrypt`` module has been removed. Use ``acme_certificate`` instead."
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
minor_changes:
|
||||
- openssl_csr - Add support for specifying the SAN ``otherName`` value in the OpenSSL ASN.1 UTF8 string format, ``otherName:<OID>;UTF8:string value``.
|
||||
Loading…
Reference in New Issue