gh-pages
felixfontein 2024-12-28 15:20:22 +00:00
parent 2f1380327e
commit ec9102a982
5 changed files with 35 additions and 35 deletions


@ -749,7 +749,7 @@ see <a class="reference internal" href="#ansible-collections-community-crypto-ac
<span class="w"> </span><span class="nt">cert</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/httpd/ssl/sample.com.crt</span>
<span class="w"> </span><span class="nt">challenge</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">dns-01</span>
<span class="w"> </span><span class="nt">acme_directory</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://acme-v01.api.letsencrypt.org/directory</span>
<span class="w"> </span><span class="c1"># Renew if the certificate is at least 30 days old</span>
<span class="w"> </span><span class="c1"># Renew if the certificate is at least 30 days old</span>
<span class="w"> </span><span class="nt">remaining_days</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">60</span>
<span class="w"> </span><span class="nt">register</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">sample_com_challenge</span>
@ -810,14 +810,14 @@ see <a class="reference internal" href="#ansible-collections-community-crypto-ac
<span class="w"> </span><span class="nt">challenge</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">tls-alpn-01</span>
<span class="w"> </span><span class="nt">remaining_days</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">60</span>
<span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="nv">sample_com_challenge</span> <span class="cp">}}</span><span class="s">&quot;</span>
<span class="w"> </span><span class="c1"># We use Let&#39;s Encrypt&#39;s ACME v2 endpoint</span>
<span class="w"> </span><span class="c1"># We use Let&#39;s Encrypt&#39;s ACME v2 endpoint</span>
<span class="w"> </span><span class="nt">acme_directory</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://acme-v02.api.letsencrypt.org/directory</span>
<span class="w"> </span><span class="nt">acme_version</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">2</span>
<span class="w"> </span><span class="c1"># The following makes sure that if a chain with /CN=DST Root CA X3 in its issuer is provided</span>
<span class="w"> </span><span class="c1"># as an alternative, it will be selected. These are the roots cross-signed by IdenTrust.</span>
<span class="w"> </span><span class="c1"># As long as Let&#39;s Encrypt provides alternate chains with the cross-signed root(s) when</span>
<span class="w"> </span><span class="c1"># switching to their own ISRG Root X1 root, this will use the chain ending with a cross-signed</span>
<span class="w"> </span><span class="c1"># root. This chain is more compatible with older TLS clients.</span>
<span class="w"> </span><span class="c1"># The following makes sure that if a chain with /CN=DST Root CA X3 in its issuer is provided</span>
<span class="w"> </span><span class="c1"># as an alternative, it will be selected. These are the roots cross-signed by IdenTrust.</span>
<span class="w"> </span><span class="c1"># As long as Let&#39;s Encrypt provides alternate chains with the cross-signed root(s) when</span>
<span class="w"> </span><span class="c1"># switching to their own ISRG Root X1 root, this will use the chain ending with a cross-signed</span>
<span class="w"> </span><span class="c1"># root. This chain is more compatible with older TLS clients.</span>
<span class="w"> </span><span class="nt">select_chain</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">test_certificates</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">last</span>
<span class="w"> </span><span class="nt">issuer</span><span class="p">:</span>


@ -327,15 +327,15 @@ see <a class="reference internal" href="#ansible-collections-community-crypto-ac
<span class="w"> </span><span class="nt">register</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">sample_com_challenge_certs</span>
<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Install challenge certificates</span>
<span class="c1"># We need to set up HTTPS such that for the domain,</span>
<span class="c1"># regular_certificate is delivered for regular connections,</span>
<span class="c1"># except if ALPN selects the &quot;acme-tls/1&quot;; then, the</span>
<span class="c1"># challenge_certificate must be delivered.</span>
<span class="c1"># This can for example be achieved with very new versions</span>
<span class="c1"># of NGINX; search for ssl_preread and</span>
<span class="c1"># ssl_preread_alpn_protocols for information on how to</span>
<span class="c1"># route by ALPN protocol.</span>
<span class="w"> </span><span class="s">&#39;...&#39;</span><span class="p p-Indicator">:</span>
<span class="w"> </span><span class="c1"># We need to set up HTTPS such that for the domain,</span>
<span class="w"> </span><span class="c1"># regular_certificate is delivered for regular connections,</span>
<span class="w"> </span><span class="c1"># except if ALPN selects the &quot;acme-tls/1&quot;; then, the</span>
<span class="w"> </span><span class="c1"># challenge_certificate must be delivered.</span>
<span class="w"> </span><span class="c1"># This can for example be achieved with very new versions</span>
<span class="w"> </span><span class="c1"># of NGINX; search for ssl_preread and</span>
<span class="w"> </span><span class="c1"># ssl_preread_alpn_protocols for information on how to</span>
<span class="w"> </span><span class="c1"># route by ALPN protocol.</span>
<span class="w"> </span><span class="nt">...</span><span class="p">:</span>
<span class="w"> </span><span class="nt">domain</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="nv">item.domain</span> <span class="cp">}}</span><span class="s">&quot;</span>
<span class="w"> </span><span class="nt">challenge_certificate</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="nv">item.challenge_certificate</span> <span class="cp">}}</span><span class="s">&quot;</span>
<span class="w"> </span><span class="nt">regular_certificate</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="nv">item.regular_certificate</span> <span class="cp">}}</span><span class="s">&quot;</span>


@ -457,8 +457,8 @@ see <a class="reference internal" href="#ansible-collections-community-crypto-ac
<span class="w"> </span><span class="nt">method</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">post</span>
<span class="w"> </span><span class="nt">content</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;{&quot;termsOfServiceAgreed&quot;:true}&#39;</span>
<span class="w"> </span><span class="nt">register</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">account_creation</span>
<span class="c1"># account_creation.headers.location contains the account URI</span>
<span class="c1"># if creation was successful</span>
<span class="w"> </span><span class="c1"># account_creation.headers.location contains the account URI</span>
<span class="w"> </span><span class="c1"># if creation was successful</span>
<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Get account information</span>
<span class="w"> </span><span class="nt">community.crypto.acme_inspect</span><span class="p">:</span>
@ -480,8 +480,8 @@ see <a class="reference internal" href="#ansible-collections-community-crypto-ac
<span class="w"> </span><span class="nt">content</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;</span><span class="cp">{{</span> <span class="nv">account_info</span> <span class="o">|</span> <span class="nf">to_json</span> <span class="cp">}}</span><span class="s">&#39;</span>
<span class="w"> </span><span class="nt">vars</span><span class="p">:</span>
<span class="w"> </span><span class="nt">account_info</span><span class="p">:</span>
<span class="w"> </span><span class="c1"># For valid values, see</span>
<span class="w"> </span><span class="c1"># https://tools.ietf.org/html/rfc8555#section-7.3</span>
<span class="w"> </span><span class="c1"># For valid values, see</span>
<span class="w"> </span><span class="c1"># https://tools.ietf.org/html/rfc8555#section-7.3</span>
<span class="w"> </span><span class="nt">contact</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mailto:me@example.com</span>


@ -490,7 +490,7 @@ see <a class="reference internal" href="#ansible-collections-community-crypto-op
<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Show generated key</span>
<span class="w"> </span><span class="nt">ansible.builtin.debug</span><span class="p">:</span>
<span class="w"> </span><span class="nt">msg</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;</span><span class="cp">{{</span> <span class="nv">output.privatekey</span> <span class="cp">}}</span><span class="s">&quot;</span>
<span class="c1"># DO NOT OUTPUT KEY MATERIAL TO CONSOLE OR LOGS IN PRODUCTION!</span>
<span class="w"> </span><span class="c1"># DO NOT OUTPUT KEY MATERIAL TO CONSOLE OR LOGS IN PRODUCTION!</span>
<span class="c1"># The following example needs CNCF SOPS (https://github.com/getsops/sops) set up and</span>


@ -941,7 +941,7 @@ see <a class="reference internal" href="#ansible-collections-community-crypto-x5
<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Get certificate information</span>
<span class="w"> </span><span class="nt">community.crypto.x509_certificate_info</span><span class="p">:</span>
<span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/ssl/crt/ansible.com.crt</span>
<span class="w"> </span><span class="c1"># for valid_at, invalid_at and valid_in</span>
<span class="w"> </span><span class="c1"># for valid_at, invalid_at and valid_in</span>
<span class="w"> </span><span class="nt">valid_at</span><span class="p">:</span>
<span class="w"> </span><span class="nt">one_day_ten_hours</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;+1d10h&quot;</span>
<span class="w"> </span><span class="nt">fixed_timestamp</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">20200331202428Z</span>
@ -950,7 +950,7 @@ see <a class="reference internal" href="#ansible-collections-community-crypto-x5
<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Get CSR information</span>
<span class="w"> </span><span class="nt">community.crypto.openssl_csr_info</span><span class="p">:</span>
<span class="w"> </span><span class="c1"># Verifies that the CSR signature is valid; module will fail if not</span>
<span class="w"> </span><span class="c1"># Verifies that the CSR signature is valid; module will fail if not</span>
<span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/etc/ssl/csr/ansible.com.csr</span>
<span class="w"> </span><span class="nt">register</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">result_csr</span>
@ -962,37 +962,37 @@ see <a class="reference internal" href="#ansible-collections-community-crypto-x5
<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Check conditions on certificate, CSR, and private key</span>
<span class="w"> </span><span class="nt">ansible.builtin.assert</span><span class="p">:</span>
<span class="w"> </span><span class="nt">that</span><span class="p">:</span>
<span class="w"> </span><span class="c1"># When private key was specified for assertonly, this was checked:</span>
<span class="w"> </span><span class="c1"># When private key was specified for assertonly, this was checked:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">result.public_key == result_privatekey.public_key</span>
<span class="w"> </span><span class="c1"># When CSR was specified for assertonly, this was checked:</span>
<span class="w"> </span><span class="c1"># When CSR was specified for assertonly, this was checked:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">result.public_key == result_csr.public_key</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">result.subject_ordered == result_csr.subject_ordered</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">result.extensions_by_oid == result_csr.extensions_by_oid</span>
<span class="w"> </span><span class="c1"># signature_algorithms check</span>
<span class="w"> </span><span class="c1"># signature_algorithms check</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;result.signature_algorithm</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">&#39;sha256WithRSAEncryption&#39;</span><span class="nv"> </span><span class="s">or</span><span class="nv"> </span><span class="s">result.signature_algorithm</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">&#39;sha512WithRSAEncryption&#39;&quot;</span>
<span class="w"> </span><span class="c1"># subject and subject_strict</span>
<span class="w"> </span><span class="c1"># subject and subject_strict</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;result.subject.commonName</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">&#39;ansible.com&#39;&quot;</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;result.subject</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">length</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">1&quot;</span><span class="w"> </span><span class="c1"># the number must be the number of entries you check for</span>
<span class="w"> </span><span class="c1"># issuer and issuer_strict</span>
<span class="w"> </span><span class="c1"># issuer and issuer_strict</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;result.issuer.commonName</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">&#39;ansible.com&#39;&quot;</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;result.issuer</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">length</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">1&quot;</span><span class="w"> </span><span class="c1"># the number must be the number of entries you check for</span>
<span class="w"> </span><span class="c1"># has_expired</span>
<span class="w"> </span><span class="c1"># has_expired</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">not result.expired</span>
<span class="w"> </span><span class="c1"># version</span>
<span class="w"> </span><span class="c1"># version</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">result.version == 3</span>
<span class="w"> </span><span class="c1"># key_usage and key_usage_strict</span>
<span class="w"> </span><span class="c1"># key_usage and key_usage_strict</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;&#39;Data</span><span class="nv"> </span><span class="s">Encipherment&#39;</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">result.key_usage&quot;</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;result.key_usage</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">length</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">1&quot;</span><span class="w"> </span><span class="c1"># the number must be the number of entries you check for</span>
<span class="w"> </span><span class="c1"># extended_key_usage and extended_key_usage_strict</span>
<span class="w"> </span><span class="c1"># extended_key_usage and extended_key_usage_strict</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;&#39;DVCS&#39;</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">result.extended_key_usage&quot;</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;result.extended_key_usage</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">length</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">1&quot;</span><span class="w"> </span><span class="c1"># the number must be the number of entries you check for</span>
<span class="w"> </span><span class="c1"># subject_alt_name and subject_alt_name_strict</span>
<span class="w"> </span><span class="c1"># subject_alt_name and subject_alt_name_strict</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;&#39;dns:ansible.com&#39;</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">result.subject_alt_name&quot;</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;result.subject_alt_name</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">length</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">1&quot;</span><span class="w"> </span><span class="c1"># the number must be the number of entries you check for</span>
<span class="w"> </span><span class="c1"># not_before and not_after</span>
<span class="w"> </span><span class="c1"># not_before and not_after</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;result.not_before</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">&#39;20190331202428Z&#39;&quot;</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;result.not_after</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">&#39;20190413202428Z&#39;&quot;</span>
<span class="w"> </span><span class="c1"># valid_at, invalid_at and valid_in</span>
<span class="w"> </span><span class="c1"># valid_at, invalid_at and valid_in</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;result.valid_at.one_day_ten_hours&quot;</span><span class="w"> </span><span class="c1"># for valid_at</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;not</span><span class="nv"> </span><span class="s">result.valid_at.fixed_timestamp&quot;</span><span class="w"> </span><span class="c1"># for invalid_at</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;result.valid_at.ten_seconds&quot;</span><span class="w"> </span><span class="c1"># for valid_in</span>