ancestor: null
releases:
  1.0.0:
    changes:
      bugfixes:
      - 'ACME modules: fix bug in ACME v1 account update code'
      - 'ACME modules: make sure some connection errors are handled properly'
      - 'ACME modules: support Buypass'' ACME v1 endpoint'
      - acme_certificate - fix crash when module is used with Python 2.x.
      - acme_certificate - fix misbehavior when ACME v1 is used with ``modify_account`` set to ``false``.
      - 'ecs_certificate - Always specify header ``connection: keep-alive`` for ECS API connections.'
      - ecs_certificate - Fix formatting of contents of ``full_chain_path``.
      - get_certificate - Fix cryptography backend when pyopenssl is unavailable (https://github.com/ansible/ansible/issues/67900)
      - openssh_keypair - add logic to avoid breaking password protected keys.
      - openssh_keypair - fixes idempotence issue with public key (https://github.com/ansible/ansible/issues/64969).
      - openssh_keypair - public key's file attributes (permissions, owner, group, etc.) are now set to the same values as the private key.
      - openssl_* modules - prevent crash on fingerprint determination in FIPS mode (https://github.com/ansible/ansible/issues/67213).
      - 'openssl_certificate - When provider is ``entrust``, use a ``connection: keep-alive`` header for ECS API connections.'
      - openssl_certificate - ``provider`` option was documented as required, but it was not checked whether it was provided. It is now only required when ``state`` is ``present``.
      - openssl_certificate - fix ``assertonly`` provider certificate verification, causing 'private key mismatch' and 'subject mismatch' errors.
      - openssl_certificate and openssl_csr - fix Ed25519 and Ed448 private key support for ``cryptography`` backend. This probably needs at least cryptography 2.8, since older versions have problems with signing certificates or CSRs with such keys. (https://github.com/ansible/ansible/issues/59039, PR https://github.com/ansible/ansible/pull/63984)
      - openssl_csr - a warning is issued if an unsupported value for ``version`` is used for the ``cryptography`` backend.
      - openssl_csr - the module will now enforce that ``privatekey_path`` is specified when ``state=present``.
      - openssl_publickey - fix a module crash caused when pyOpenSSL is not installed (https://github.com/ansible/ansible/issues/67035).
      deprecated_features:
      - openssl_csr - all values for the ``version`` option except ``1`` are deprecated. The value 1 denotes the current only standardized CSR version.
      minor_changes:
      - luks_device - accept ``passphrase``, ``new_passphrase`` and ``remove_passphrase``.
      - luks_device - add ``keysize`` parameter to set key size at LUKS container creation
      - luks_device - added support to use UUIDs, and labels with LUKS2 containers
      - luks_device - added the ``type`` option that allows the user to explicitly define the LUKS container format version
      - openssh_keypair - instead of regenerating some broken or password protected keys, fail the module. Keys can still be regenerated by calling the module with ``force=yes``.
      - openssh_keypair - the ``regenerate`` option allows to configure the module's behavior when it should or needs to regenerate private keys.
      - openssl_* modules - the cryptography backend now properly supports ``dirName``, ``otherName`` and ``RID`` (Registered ID) names.
      - openssl_certificate - Add option for changing which ACME directory to use with acme-tiny. Set the default ACME directory to Let's Encrypt instead of using acme-tiny's default. (acme-tiny also uses Let's Encrypt at the time being, so no action should be necessary.)
      - openssl_certificate - Change the required version of acme-tiny to >= 4.0.0
      - openssl_certificate - allow to provide content of some input files via the ``csr_content``, ``privatekey_content``, ``ownca_privatekey_content`` and ``ownca_content`` options.
      - openssl_certificate - allow to return the existing/generated certificate directly as ``certificate`` by setting ``return_content`` to ``yes``.
      - openssl_certificate_info - allow to provide certificate content via ``content`` option (https://github.com/ansible/ansible/issues/64776).
      - openssl_csr - Add support for specifying the SAN ``otherName`` value in the OpenSSL ASN.1 UTF8 string format, ``otherName:;UTF8:string value``.
      - openssl_csr - allow to provide private key content via ``private_key_content`` option.
      - openssl_csr - allow to return the existing/generated CSR directly as ``csr`` by setting ``return_content`` to ``yes``.
      - openssl_csr_info - allow to provide CSR content via ``content`` option.
      - openssl_dhparam - allow to return the existing/generated DH params directly as ``dhparams`` by setting ``return_content`` to ``yes``.
      - openssl_dhparam - now supports a ``cryptography``-based backend. Auto-detection can be overwritten with the ``select_crypto_backend`` option.
      - openssl_pkcs12 - allow to return the existing/generated PKCS#12 directly as ``pkcs12`` by setting ``return_content`` to ``yes``.
      - openssl_privatekey - add ``format`` and ``format_mismatch`` options.
      - openssl_privatekey - allow to return the existing/generated private key directly as ``privatekey`` by setting ``return_content`` to ``yes``.
      - openssl_privatekey - the ``regenerate`` option allows to configure the module's behavior when it should or needs to regenerate private keys.
      - openssl_privatekey_info - allow to provide private key content via ``content`` option.
      - openssl_publickey - allow to provide private key content via ``private_key_content`` option.
      - openssl_publickey - allow to return the existing/generated public key directly as ``publickey`` by setting ``return_content`` to ``yes``.
      release_summary: 'This is the first proper release of the ``community.crypto``
        collection. This changelog contains all changes to the modules in this collection
        that were added after the release of Ansible 2.9.0.

        '
      removed_features:
      - The ``letsencrypt`` module has been removed. Use ``acme_certificate`` instead.
    fragments:
    - 1.0.0.yml
    - 52408-luks-device.yaml
    - 58973-luks_device_add-type-option.yml
    - 58973_luks_device-add-label-and-uuid-support.yml
    - 60388-openssl_privatekey-format.yml
    - 61522-luks-device-add-option-to-define-keysize.yml
    - 61658-openssh_keypair-public-key-permissions.yml
    - 61693-acme-buypass-acme-v1.yml
    - 61738-ecs-certificate-invalid-chain.yaml
    - 62218-fix-to-entrust-api.yml
    - 62790-openssl_certificate_fix_assert.yml
    - 62991-openssl_dhparam-cryptography-backend.yml
    - 63140-acme-fix-fetch-url-status-codes.yaml
    - 63432-openssl_csr-version.yml
    - 63984-openssl-ed25519-ed448.yml
    - 64436-openssh_keypair-add-password-protected-key-check.yml
    - 64501-fix-python2.x-backward-compatibility.yaml
    - 64648-acme_certificate-acmev1.yml
    - 65017-openssh_keypair-idempotence.yml
    - 65400-openssl-output.yml
    - 65435-openssl_csr-privatekey_path-required.yml
    - 65633-crypto-argspec-fixup.yml
    - 66384-openssl-content.yml
    - 67036-openssl_publickey-backend.yml
    - 67038-openssl-openssh-key-regenerate.yml
    - 67109-openssl_certificate-acme-directory.yaml
    - 67515-openssl-fingerprint-fips.yml
    - 67669-cryptography-names.yml
    - 67901-get_certificate-fix-cryptography.yml
    - letsencrypt.yml
    - openssl_csr-otherName.yml
    modules:
    - description: Request validation of a domain with the Entrust Certificate Services (ECS) API
      name: ecs_domain
      namespace: ''
    - description: Generate Certificate Revocation Lists (CRLs)
      name: x509_crl
      namespace: ''
    - description: Retrieve information on Certificate Revocation Lists (CRLs)
      name: x509_crl_info
      namespace: ''
    release_date: '2020-07-03'
  1.1.0:
    changes:
      bugfixes:
      - acme_inspect - fix problem with Python 3.5 that JSON was not decoded (https://github.com/ansible-collections/community.crypto/issues/86).
      - get_certificate - fix ``ca_cert`` option handling when ``proxy_host`` is used (https://github.com/ansible-collections/community.crypto/pull/84).
      - openssl_*, x509_* modules - fix handling of general names which refer to IP networks and not IP addresses (https://github.com/ansible-collections/community.crypto/pull/92).
      minor_changes:
      - acme_account - add ``external_account_binding`` option to allow creation of ACME accounts with External Account Binding (https://github.com/ansible-collections/community.crypto/issues/89).
      - 'acme_certificate - allow new selector ``test_certificates: first`` for ``select_chain`` parameter (https://github.com/ansible-collections/community.crypto/pull/102).'
      - cryptography backends - support arbitrary dotted OIDs (https://github.com/ansible-collections/community.crypto/issues/39).
      - get_certificate - add support for SNI (https://github.com/ansible-collections/community.crypto/issues/69).
      - luks_device - add support for encryption options on container creation (https://github.com/ansible-collections/community.crypto/pull/97).
      - openssh_cert - add support for PKCS#11 tokens (https://github.com/ansible-collections/community.crypto/pull/95).
      - openssl_certificate - the PyOpenSSL backend now uses 160 bits of randomness for serial numbers, instead of a random number between 1000 and 99999. Please note that this is not a high quality random number (https://github.com/ansible-collections/community.crypto/issues/76).
      - openssl_csr - add support for name constraints extension (https://github.com/ansible-collections/community.crypto/issues/46).
      - openssl_csr_info - add support for name constraints extension (https://github.com/ansible-collections/community.crypto/issues/46).
      release_summary: 'Release for Ansible 2.10.0.

        '
    fragments:
    - 1.1.0.yml
    - 100-acme-account-external-account-binding.yml
    - 102-acme-certificate-select-chain-first.yml
    - 87-acme_inspect-python-3.5.yml
    - 90-cryptography-oids.yml
    - 90-openssl_certificate-pyopenssl-serial.yml
    - 92-ip-networks.yml
    - 92-openssl_csr-name-constraints.yml
    - get_certificate-add_support_for_SNI.yml
    - luks_device-add_encryption_option_on_create.yml
    - openssh_cert-pkcs11.yml
    modules:
    - description: Sign data with openssl
      name: openssl_signature
      namespace: ''
    - description: Verify signatures with openssl
      name: openssl_signature_info
      namespace: ''
    release_date: '2020-08-18'
  1.1.1:
    changes:
      bugfixes:
      - meta/runtime.yml - convert Ansible version numbers for old names of modules to collection version numbers (https://github.com/ansible-collections/community.crypto/pull/108).
      - openssl_csr - improve handling of IDNA errors (https://github.com/ansible-collections/community.crypto/issues/105).
      release_summary: Bugfixes for Ansible 2.10.0.
    fragments:
    - 1.1.1.yml
    - 106-openssl_csr-idna-errors.yml
    - 108-meta-runtime-versions.yml
    release_date: '2020-09-14'
  1.2.0:
    changes:
      bugfixes:
      - openssl_pkcs12 - do not crash when reading PKCS#12 file which has no private key and/or no main certificate (https://github.com/ansible-collections/community.crypto/issues/103).
      minor_changes:
      - acme_certificate - allow to pass CSR file as content with new option ``csr_content`` (https://github.com/ansible-collections/community.crypto/pull/115).
      - x509_certificate_info - add ``fingerprints`` return value which returns certificate fingerprints (https://github.com/ansible-collections/community.crypto/pull/121).
      release_summary: Please note that this release fixes a security issue (CVE-2020-25646).
      security_fixes:
      - openssl_csr - the option ``privatekey_content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125).
      - openssl_privatekey_info - the option ``content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125).
      - openssl_publickey - the option ``privatekey_content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125).
      - openssl_signature - the option ``privatekey_content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125).
      - x509_certificate - the options ``privatekey_content`` and ``ownca_privatekey_content`` were not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125).
      - x509_crl - the option ``privatekey_content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125).
    fragments:
    - 1.2.0.yml
    - 109-openssl_pkcs12-crash-no-cert-key.yml
    - 115-acme_certificate-csr_content.yml
    - 121-x509_certificate_info-fingerprints.yml
    - cve-2020-25646.yml
    release_date: '2020-10-13'
  1.3.0:
    changes:
      bugfixes:
      - openssl_pkcs12 - report the correct state when ``action`` is ``parse`` (https://github.com/ansible-collections/community.crypto/issues/143).
      - support code - improve handling of certificate and certificate signing request (CSR) loading with the ``cryptography`` backend when errors occur (https://github.com/ansible-collections/community.crypto/issues/138, https://github.com/ansible-collections/community.crypto/pull/139).
      - x509_certificate - fix ``entrust`` provider, which was broken since community.crypto 0.1.0 due to a feature added before the collection move (https://github.com/ansible-collections/community.crypto/pull/135).
      minor_changes:
      - openssh_cert - add module parameter ``use_agent`` to enable using signing keys stored in ssh-agent (https://github.com/ansible-collections/community.crypto/issues/116).
      - openssl_csr - refactor module to allow code re-use by openssl_csr_pipe (https://github.com/ansible-collections/community.crypto/pull/123).
      - openssl_privatekey - refactor module to allow code re-use by openssl_privatekey_pipe (https://github.com/ansible-collections/community.crypto/pull/119).
      - openssl_privatekey - the elliptic curve ``secp192r1`` now triggers a security warning. Elliptic curves of at least 224 bits should be used for new keys; see `here `_ (https://github.com/ansible-collections/community.crypto/pull/132).
      - x509_certificate - for the ``selfsigned`` provider, a CSR is not required anymore. If no CSR is provided, the module behaves as if a minimal CSR which only contains the public key has been provided (https://github.com/ansible-collections/community.crypto/issues/32, https://github.com/ansible-collections/community.crypto/pull/129).
      - x509_certificate - refactor module to allow code re-use by x509_certificate_pipe (https://github.com/ansible-collections/community.crypto/pull/135).
      release_summary: 'Contains new modules ``openssl_privatekey_pipe``, ``openssl_csr_pipe``
        and ``x509_certificate_pipe`` which allow to create or update private keys,
        CSRs and X.509 certificates without having to write them to disk.

        '
    fragments:
    - 1.3.0.yml
    - 117-openssh_cert-use-ssh-agent.yml
    - 129-x509_certificate-no-csr-selfsigned.yml
    - 132-openssl_privatekey-ecc-order.yml
    - 135-x509_certificate-entrust.yml
    - 139-improve-error-handling.yml
    - 145-add-check-for-parsed-pkcs12-files.yml
    - privatekey-csr-certificate-refactoring.yml
    modules:
    - description: Generate OpenSSL Certificate Signing Request (CSR)
      name: openssl_csr_pipe
      namespace: ''
    - description: Generate OpenSSL private keys without disk access
      name: openssl_privatekey_pipe
      namespace: ''
    - description: Generate and/or check OpenSSL certificates
      name: x509_certificate_pipe
      namespace: ''
    release_date: '2020-11-24'
  1.4.0:
    changes:
      bugfixes:
      - acme_certificate - error when requested challenge type is not found for non-valid challenges, instead of hanging on step 2 (https://github.com/ansible-collections/community.crypto/issues/171, https://github.com/ansible-collections/community.crypto/pull/173).
      minor_changes:
      - The ACME module_utils has been relicensed back from the Simplified BSD License (https://opensource.org/licenses/BSD-2-Clause) to the GPLv3+ (same license used by most other code in this collection). This undoes a licensing change when the original GPLv3+ licensed code was moved to module_utils in https://github.com/ansible/ansible/pull/40697 (https://github.com/ansible-collections/community.crypto/pull/165).
      - The ``crypto/identify.py`` module_utils has been renamed to ``crypto/pem.py`` (https://github.com/ansible-collections/community.crypto/pull/166).
      - luks_device - ``new_keyfile``, ``new_passphrase``, ``remove_keyfile`` and ``remove_passphrase`` are now idempotent (https://github.com/ansible-collections/community.crypto/issues/19, https://github.com/ansible-collections/community.crypto/pull/168).
      - luks_device - allow to configure PBKDF (https://github.com/ansible-collections/community.crypto/pull/163).
      - openssl_csr, openssl_csr_pipe - allow to specify CRL distribution endpoints with ``crl_distribution_points`` (https://github.com/ansible-collections/community.crypto/issues/147, https://github.com/ansible-collections/community.crypto/pull/167).
      - openssl_pkcs12 - allow to specify certificate bundles in ``other_certificates`` by using new option ``other_certificates_parse_all`` (https://github.com/ansible-collections/community.crypto/issues/149, https://github.com/ansible-collections/community.crypto/pull/166).
      release_summary: Release with several new features and bugfixes.
    fragments:
    - 1.4.0.yml
    - 163-luks-pbkdf.yml
    - 166-openssl_pkcs12-certificate-bundles.yml
    - 167-openssl_csr-crl-distribution-points.yml
    - 168-luks_device-add-remove-idempotence.yml
    - 173-acme_certificate-wrong-challenge.yml
    - acme-module-utils-relicense.yml
    release_date: '2021-01-26'
  1.5.0:
    changes:
      bugfixes:
      - openssl_csr - no longer fails when comparing CSR without basic constraint when ``basic_constraints`` is specified (https://github.com/ansible-collections/community.crypto/issues/179, https://github.com/ansible-collections/community.crypto/pull/180).
      deprecated_features:
      - acme_account_info - when ``retrieve_orders=url_list``, ``orders`` will no longer be returned in community.crypto 2.0.0. Use ``order_uris`` instead (https://github.com/ansible-collections/community.crypto/pull/178).
      minor_changes:
      - acme_account_info - when ``retrieve_orders`` is not ``ignore`` and the ACME server allows to query orders, the new return value ``order_uris`` is always populated with a list of URIs (https://github.com/ansible-collections/community.crypto/pull/178).
      - luks_device - allow to specify sector size for LUKS2 containers with new ``sector_size`` parameter (https://github.com/ansible-collections/community.crypto/pull/193).
      release_summary: Regular feature and bugfix release. Deprecates a return value.
    fragments:
    - 1.5.0.yml
    - 178-acme_account_info-orders-urls.yml
    - 179-openssl-csr-basic-constraint.yml
    - 193-luks_device-sector_size.yml
    release_date: '2021-03-08'
  1.6.0:
    changes:
      bugfixes:
      - action_module plugin helper - make compatible with latest changes in ansible-core 2.11.0b3 (https://github.com/ansible-collections/community.crypto/pull/202).
      - openssl_privatekey_pipe - make compatible with latest changes in ansible-core 2.11.0b3 (https://github.com/ansible-collections/community.crypto/pull/202).
      deprecated_features:
      - acme module_utils - the ``acme`` module_utils (``ansible_collections.community.crypto.plugins.module_utils.acme``) is deprecated and will be removed in community.crypto 2.0.0. Use the new Python modules in the ``acme`` package instead (``ansible_collections.community.crypto.plugins.module_utils.acme.xxx``) (https://github.com/ansible-collections/community.crypto/pull/184).
      minor_changes:
      - acme module_utils - the ``acme`` module_utils has been split up into several Python modules (https://github.com/ansible-collections/community.crypto/pull/184).
      - acme_* modules - codebase refactor which should not be visible to end-users (https://github.com/ansible-collections/community.crypto/pull/184).
      - acme_* modules - support account key passphrases for ``cryptography`` backend (https://github.com/ansible-collections/community.crypto/issues/197, https://github.com/ansible-collections/community.crypto/pull/207).
      - acme_certificate_revoke - support revoking by private keys that are passphrase protected for ``cryptography`` backend (https://github.com/ansible-collections/community.crypto/pull/207).
      - acme_challenge_cert_helper - add ``private_key_passphrase`` parameter (https://github.com/ansible-collections/community.crypto/pull/207).
      release_summary: Fixes compatibility issues with the latest ansible-core 2.11 beta, and contains a lot of internal refactoring for the ACME modules and support for private key passphrases for them.
    fragments:
    - 1.6.0.yml
    - 184-acme-refactor.yml
    - 202-actionmodule-plugin-utils-ansible-core-2.11.yml
    - 207-acme-account-key-passphrase.yml
    release_date: '2021-03-22'
  1.6.1:
    changes:
      bugfixes:
      - acme_* modules - fix wrong usages of ``ACMEProtocolException`` (https://github.com/ansible-collections/community.crypto/pull/216, https://github.com/ansible-collections/community.crypto/pull/217).
      release_summary: Bugfix release.
    fragments:
    - 1.6.1.yml
    - 217-acme-exceptions.yml
    release_date: '2021-04-11'
  1.6.2:
    changes:
      bugfixes:
      - acme_* modules - avoid crashing for ACME servers where the ``meta`` directory key is not present (https://github.com/ansible-collections/community.crypto/issues/220, https://github.com/ansible-collections/community.crypto/pull/221).
      release_summary: Bugfix release. Fixes compatibility issue of ACME modules with step-ca.
    fragments:
    - 1.6.2.yml
    - 221-acme-meta.yml
    release_date: '2021-04-28'
  1.7.0:
    changes:
      bugfixes:
      - openssh_keypair - fix ``check_mode`` to populate return values for existing keypairs (https://github.com/ansible-collections/community.crypto/issues/113, https://github.com/ansible-collections/community.crypto/pull/230).
      - various modules - prevent crashes when modules try to set attributes on not yet existing files in check mode. This will be fixed in ansible-core 2.12, but it is not backported to every Ansible version we support (https://github.com/ansible-collections/community.crypto/issue/242, https://github.com/ansible-collections/community.crypto/pull/243).
      - x509_certificate - fix crash when ``assertonly`` provider is used and some error conditions should be reported (https://github.com/ansible-collections/community.crypto/issues/240, https://github.com/ansible-collections/community.crypto/pull/241).
      minor_changes:
      - cryptography_openssh module utils - new module_utils for managing asymmetric keypairs and OpenSSH formatted/encoded asymmetric keypairs (https://github.com/ansible-collections/community.crypto/pull/213).
      - openssh_keypair - added ``backend`` parameter for selecting between the cryptography library or the OpenSSH binary for the execution of actions performed by ``openssh_keypair`` (https://github.com/ansible-collections/community.crypto/pull/236).
      - openssh_keypair - added ``passphrase`` parameter for encrypting/decrypting OpenSSH private keys (https://github.com/ansible-collections/community.crypto/pull/225).
      - openssl_csr - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, https://github.com/ansible-collections/community.crypto/pull/150).
      - openssl_csr_info - now returns ``public_key_type`` and ``public_key_data`` (https://github.com/ansible-collections/community.crypto/pull/233).
      - openssl_csr_info - refactor module to allow code re-use for diff mode (https://github.com/ansible-collections/community.crypto/pull/204).
      - openssl_csr_pipe - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, https://github.com/ansible-collections/community.crypto/pull/150).
      - openssl_pkcs12 - added option ``select_crypto_backend`` and a ``cryptography`` backend. This requires cryptography 3.0 or newer, and does not support the ``iter_size`` and ``maciter_size`` options (https://github.com/ansible-collections/community.crypto/pull/234).
      - openssl_privatekey - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, https://github.com/ansible-collections/community.crypto/pull/150).
      - openssl_privatekey_info - refactor module to allow code re-use for diff mode (https://github.com/ansible-collections/community.crypto/pull/205).
      - openssl_privatekey_pipe - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, https://github.com/ansible-collections/community.crypto/pull/150).
      - openssl_publickey - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, https://github.com/ansible-collections/community.crypto/pull/150).
      - x509_certificate - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, https://github.com/ansible-collections/community.crypto/pull/150).
      - x509_certificate_info - now returns ``public_key_type`` and ``public_key_data`` (https://github.com/ansible-collections/community.crypto/pull/233).
      - x509_certificate_info - refactor module to allow code re-use for diff mode (https://github.com/ansible-collections/community.crypto/pull/206).
      - x509_certificate_pipe - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, https://github.com/ansible-collections/community.crypto/pull/150).
      - x509_crl - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, https://github.com/ansible-collections/community.crypto/pull/150).
      - x509_crl_info - add ``list_revoked_certificates`` option to avoid enumerating all revoked certificates (https://github.com/ansible-collections/community.crypto/pull/232).
      - x509_crl_info - refactor module to allow code re-use for diff mode (https://github.com/ansible-collections/community.crypto/pull/203).
      release_summary: Regular feature and bugfix release.
    fragments:
    - 1.7.0.yml
    - 150-diff.yml
    - 203-x509_crl_info.yml
    - 204-openssl_csr_info.yml
    - 205-openssl_privatekey_info.yml
    - 206-x509_certificate_info.yml
    - 213-cryptography-openssh-module-utils.yml
    - 225-openssh-keypair-passphrase.yml
    - 230-openssh_keypair-check_mode-return-values.yml
    - 232-x509_crl_info-list_revoked_certificates.yml
    - 233-public-key-info.yml
    - 234-openssl_pkcs12-cryptography.yml
    - 236-openssh_keypair-backends.yml
    - 241-x509_certificate-assertonly.yml
    - 243-permission-check-crash.yml
    modules:
    - description: Provide information for OpenSSL public keys
      name: openssl_publickey_info
      namespace: ''
    release_date: '2021-06-02'
  1.7.1:
    changes:
      bugfixes:
      - openssl_pkcs12 - fix crash when loading passphrase-protected PKCS#12 files with ``cryptography`` backend (https://github.com/ansible-collections/community.crypto/issues/247, https://github.com/ansible-collections/community.crypto/pull/248).
      release_summary: Bugfix release.
    fragments:
    - 1.7.1.yml
    - 248-openssl_pkcs12-passphrase-fix.yml
    release_date: '2021-06-11'
  1.8.0:
    changes:
      bugfixes:
      - openssh_cert - fixed certificate generation to restore original certificate if an error is encountered (https://github.com/ansible-collections/community.crypto/pull/255).
      - openssh_keypair - fixed a bug that prevented custom file attributes being applied to public keys (https://github.com/ansible-collections/community.crypto/pull/257).
      minor_changes:
      - Avoid internal ansible-core module_utils in favor of equivalent public API available since at least Ansible 2.9 (https://github.com/ansible-collections/community.crypto/pull/253).
      - openssh certificate module utils - new module_utils for parsing OpenSSH certificates (https://github.com/ansible-collections/community.crypto/pull/246).
      - openssh_cert - added ``regenerate`` option to validate additional certificate parameters which trigger regeneration of an existing certificate (https://github.com/ansible-collections/community.crypto/pull/256).
      - openssh_cert - adding ``diff`` support (https://github.com/ansible-collections/community.crypto/pull/255).
      release_summary: Regular bugfix and feature release.
    fragments:
    - 1.8.0.yml
    - 246-openssh-certificate-module-utils.yml
    - 255-openssh_cert-adding-diff-support.yml
    - 256-openssh_cert-adding-idempotency-option.yml
    - 257-openssh-keypair-fix-pubkey-permissions.yml
    - ansible-core-_text.yml
    release_date: '2021-08-10'
  1.9.0:
    changes:
      bugfixes:
      - keypair_backend module utils - simplify code to pass sanity tests (https://github.com/ansible-collections/community.crypto/pull/263).
      - openssh_keypair - fixed ``cryptography`` backend to preserve original file permissions when regenerating a keypair requires existing files to be overwritten (https://github.com/ansible-collections/community.crypto/pull/260).
      - openssh_keypair - fixed error handling to restore original keypair if regeneration fails (https://github.com/ansible-collections/community.crypto/pull/260).
      - x509_crl - restore inherited function signature to pass sanity tests (https://github.com/ansible-collections/community.crypto/pull/263).
      minor_changes:
      - get_certificate - added ``starttls`` option to retrieve certificates from servers which require clients to request an encrypted connection (https://github.com/ansible-collections/community.crypto/pull/264).
      - openssh_keypair - added ``diff`` support (https://github.com/ansible-collections/community.crypto/pull/260).
      release_summary: Regular feature release.
    fragments:
    - 1.9.0.yml
    - 260-openssh_keypair-diff-support.yml
    - 263-sanity.yml
    - 264-get_certificate-add-starttls-option.yml
    release_date: '2021-08-30'
  1.9.1:
    changes:
      release_summary: Accidental 1.9.1 release. Identical to 1.9.0.
    release_date: '2021-08-30'
  1.9.2:
    changes:
      release_summary: Bugfix release to fix the changelog. No other change compared to 1.9.0.
    fragments:
    - 1.9.2.yml
    release_date: '2021-08-30'
  1.9.3:
    changes:
      bugfixes:
      - openssl_csr and openssl_csr_pipe - make sure that Unicode strings are used to compare strings with the cryptography backend. This fixes idempotency problems with non-ASCII letters on Python 2 (https://github.com/ansible-collections/community.crypto/issues/270, https://github.com/ansible-collections/community.crypto/pull/271).
      release_summary: Regular bugfix release.
    fragments:
    - 1.9.3.yml
    - 271-openssl_csr-utf8.yml
    release_date: '2021-09-14'
  1.9.4:
    changes:
      bugfixes:
      - acme_* modules - fix commands composed for OpenSSL backend to retrieve information on CSRs and certificates from stdin to use ``/dev/stdin`` instead of ``-``. This is needed for OpenSSL 1.0.1 and 1.0.2, apparently (https://github.com/ansible-collections/community.crypto/pull/279).
      - acme_challenge_cert_helper - only return exception when cryptography is not installed, not when a too old version of it is installed. This prevents Ansible's callback from crashing (https://github.com/ansible-collections/community.crypto/pull/281).
      release_summary: Regular bugfix release.
    fragments:
    - 1.9.4.yml
    - 279-acme-openssl.yml
    - 282-acme_challenge_cert_helper-error.yml
    release_date: '2021-09-28'
  1.9.5:
    changes:
      bugfixes:
      - get_certificate - fix compatibility with the cryptography 35.0.0 release (https://github.com/ansible-collections/community.crypto/pull/294).
      - openssl_csr_info - fix compatibility with the cryptography 35.0.0 release (https://github.com/ansible-collections/community.crypto/pull/294).
      - openssl_csr_info - fix compatibility with the cryptography 35.0.0 release in PyOpenSSL backend (https://github.com/ansible-collections/community.crypto/pull/300).
      - openssl_pkcs12 - fix compatibility with the cryptography 35.0.0 release (https://github.com/ansible-collections/community.crypto/pull/296).
      - x509_certificate_info - fix compatibility with the cryptography 35.0.0 release (https://github.com/ansible-collections/community.crypto/pull/294).
      - x509_certificate_info - fix compatibility with the cryptography 35.0.0 release in PyOpenSSL backend (https://github.com/ansible-collections/community.crypto/pull/300).
      release_summary: Bugfix release to fully support cryptography 35.0.0.
    fragments:
    - 1.9.5.yml
    - 294-cryptography-35.0.0.yml
    - 296-openssl_pkcs12-cryptography-35.yml
    - 300-pyopenssl-cryptography-35.yml
    release_date: '2021-10-06'
  1.9.6:
    changes:
      bugfixes:
      - cryptography backend - improve Unicode handling for Python 2 (https://github.com/ansible-collections/community.crypto/pull/313).
      release_summary: Regular bugfix release.
    fragments:
    - 1.9.6.yml
    - 313-unicode-names.yml
    release_date: '2021-10-30'
  1.9.7:
    changes:
      bugfixes:
      - acme_certificate - avoid passing multiple certificates to ``cryptography``'s X.509 certificate loader when ``fullchain_dest`` is used (https://github.com/ansible-collections/community.crypto/pull/324).
      - get_certificate, openssl_csr_info, x509_certificate_info - add fallback code for extension parsing that works with cryptography 36.0.0 and newer. This code re-serializes de-serialized extensions and thus can return slightly different values if the extension in the original CSR resp. certificate was not canonicalized correctly. This code is currently used as a fallback if the existing code stops working, but we will switch it to be the main code in a future release (https://github.com/ansible-collections/community.crypto/pull/331).
      - luks_device - now also runs a built-in LUKS signature cleaner on ``state=absent`` to make sure that also the secondary LUKS2 header is wiped when older versions of wipefs are used (https://github.com/ansible-collections/community.crypto/issues/326, https://github.com/ansible-collections/community.crypto/pull/327).
      - openssl_pkcs12 - use new PKCS#12 deserialization infrastructure from cryptography 36.0.0 if available (https://github.com/ansible-collections/community.crypto/pull/302).
      minor_changes:
      - acme_* modules - fix usage of ``fetch_url`` with changes in latest ansible-core ``devel`` branch (https://github.com/ansible-collections/community.crypto/pull/339).
      release_summary: Bugfix release with extra forward compatibility for newer versions of cryptography.
    fragments:
    - 1.9.7.yml
    - 302-openssl_pkcs12-cryptography-36.0.0.yml
    - 324-acme_certificate-fullchain.yml
    - 327-luks_device-wipe.yml
    - 331-cryptography-extensions.yml
    - fetch_url-devel.yml
    release_date: '2021-11-22'
  1.9.8:
    changes:
      release_summary: Documentation fix release. No actual code changes.
    fragments:
    - 1.9.8.yml
    release_date: '2021-12-13'