# Community Crypto Release Notes **Topics** - v1\.9\.25 - Release Summary - Bugfixes - v1\.9\.24 - Release Summary - Bugfixes - v1\.9\.23 - Release Summary - Bugfixes - v1\.9\.22 - Release Summary - Bugfixes - v1\.9\.21 - Release Summary - Bugfixes - v1\.9\.20 - Release Summary - Bugfixes - v1\.9\.19 - Release Summary - Bugfixes - v1\.9\.18 - Release Summary - Bugfixes - v1\.9\.17 - Release Summary - Bugfixes - v1\.9\.16 - Release Summary - Bugfixes - v1\.9\.15 - Release Summary - Bugfixes - v1\.9\.14 - Release Summary - Bugfixes - v1\.9\.13 - Release Summary - Bugfixes - v1\.9\.12 - Release Summary - Bugfixes - Known Issues - v1\.9\.11 - Release Summary - Bugfixes - v1\.9\.10 - Release Summary - Bugfixes - v1\.9\.9 - Bugfixes - v1\.9\.8 - Release Summary - v1\.9\.7 - Release Summary - Minor Changes - Bugfixes - v1\.9\.6 - Release Summary - Bugfixes - v1\.9\.5 - Release Summary - Bugfixes - v1\.9\.4 - Release Summary - Bugfixes - v1\.9\.3 - Release Summary - Bugfixes - v1\.9\.2 - Release Summary - v1\.9\.1 - Release Summary - v1\.9\.0 - Release Summary - Minor Changes - Bugfixes - v1\.8\.0 - Release Summary - Minor Changes - Bugfixes - v1\.7\.1 - Release Summary - Bugfixes - v1\.7\.0 - Release Summary - Minor Changes - Bugfixes - New Modules - v1\.6\.2 - Release Summary - Bugfixes - v1\.6\.1 - Release Summary - Bugfixes - v1\.6\.0 - Release Summary - Minor Changes - Deprecated Features - Bugfixes - v1\.5\.0 - Release Summary - Minor Changes - Deprecated Features - Bugfixes - v1\.4\.0 - Release Summary - Minor Changes - Bugfixes - v1\.3\.0 - Release Summary - Minor Changes - Bugfixes - New Modules - v1\.2\.0 - Release Summary - Minor Changes - Security Fixes - Bugfixes - v1\.1\.1 - Release Summary - Bugfixes - v1\.1\.0 - Release Summary - Minor Changes - Bugfixes - New Modules - v1\.0\.0 - Release Summary - Minor Changes - Deprecated Features - Removed Features \(previously deprecated\) - Bugfixes - New Modules ## v1\.9\.25 ### Release Summary Bugfix release\. ### Bugfixes * crypto\.math module utils \- change return values for quick\_is\_not\_prime\(\) for special cases that do not appear when using the collection \([https\://github\.com/ansible\-collections/community\.crypto/pull/733](https\://github\.com/ansible\-collections/community\.crypto/pull/733)\)\. * ecs\_certificate \- fixed csr option to be empty and allow renewal of a specific certificate according to the Renewal Information specification \([https\://github\.com/ansible\-collections/community\.crypto/pull/740](https\://github\.com/ansible\-collections/community\.crypto/pull/740)\)\. ## v1\.9\.24 ### Release Summary Bugfix release\. ### Bugfixes * openssl\_dhparam \- was using an internal function instead of the public API to load DH param files when using the cryptography backend\. The internal function was removed in cryptography 42\.0\.0\. The module now uses the public API\, which has been available since support for DH params was added to cryptography \([https\://github\.com/ansible\-collections/community\.crypto/pull/698](https\://github\.com/ansible\-collections/community\.crypto/pull/698)\)\. * openssl\_privatekey\_info \- check\_consistency\=true no longer works for RSA keys with cryptography 42\.0\.0\+ \([https\://github\.com/ansible\-collections/community\.crypto/pull/701](https\://github\.com/ansible\-collections/community\.crypto/pull/701)\)\. * x509\_certificate \- when using the PyOpenSSL backend with provider\=assertonly\, better handle unexpected errors when validating private keys \([https\://github\.com/ansible\-collections/community\.crypto/pull/704](https\://github\.com/ansible\-collections/community\.crypto/pull/704)\)\. ## v1\.9\.23 ### Release Summary Bugfix release\. ### Bugfixes * openssl\_pkcs12 \- modify autodetect to not detect pyOpenSSL \>\= 23\.3\.0\, which removed PKCS\#12 support \([https\://github\.com/ansible\-collections/community\.crypto/pull/666](https\://github\.com/ansible\-collections/community\.crypto/pull/666)\)\. ## v1\.9\.22 ### Release Summary Bugfix release\. ### Bugfixes * openssh\_keypair \- always generate a new key pair if the private key does not exist\. Previously\, the module would fail when regenerate\=fail without an existing key\, contradicting the documentation \([https\://github\.com/ansible\-collections/community\.crypto/pull/598](https\://github\.com/ansible\-collections/community\.crypto/pull/598)\)\. ## v1\.9\.21 ### Release Summary Bugfix release\. ### Bugfixes * action plugin helper \- fix handling of deprecations for ansible\-core 2\.14\.2 \([https\://github\.com/ansible\-collections/community\.crypto/pull/572](https\://github\.com/ansible\-collections/community\.crypto/pull/572)\)\. * openssl\_csr\, openssl\_csr\_pipe \- prevent invalid values for crl\_distribution\_points that do not have one of full\_name\, relative\_name\, and crl\_issuer \([https\://github\.com/ansible\-collections/community\.crypto/pull/560](https\://github\.com/ansible\-collections/community\.crypto/pull/560)\)\. ## v1\.9\.20 ### Release Summary Bugfix release\. ### Bugfixes * openssl\_publickey\_info \- do not crash with internal error when public key cannot be parsed \([https\://github\.com/ansible\-collections/community\.crypto/pull/551](https\://github\.com/ansible\-collections/community\.crypto/pull/551)\)\. ## v1\.9\.19 ### Release Summary Bugfix release\. ### Bugfixes * openssl\_privatekey\_pipe \- ensure compatibility with newer versions of ansible\-core \([https\://github\.com/ansible\-collections/community\.crypto/pull/515](https\://github\.com/ansible\-collections/community\.crypto/pull/515)\)\. ## v1\.9\.18 ### Release Summary Bugfix release\. ### Bugfixes * openssl\_pkcs12 \- when using the pyOpenSSL backend\, do not crash when trying to read non\-existing other certificates \([https\://github\.com/ansible\-collections/community\.crypto/issues/486](https\://github\.com/ansible\-collections/community\.crypto/issues/486)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/487](https\://github\.com/ansible\-collections/community\.crypto/pull/487)\)\. ## v1\.9\.17 ### Release Summary Bugfix release\. ### Bugfixes * Include Apache\-2\.0\.txt file for plugins/module\_utils/crypto/\_obj2txt\.py and plugins/module\_utils/crypto/\_objects\_data\.py\. * openssl\_csr \- the module no longer crashes with \'permitted\_subtrees/excluded\_subtrees must be a non\-empty list or None\' if only one of name\_constraints\_permitted and name\_constraints\_excluded is provided \([https\://github\.com/ansible\-collections/community\.crypto/issues/481](https\://github\.com/ansible\-collections/community\.crypto/issues/481)\)\. * x509\_crl \- do not crash when signing CRL with Ed25519 or Ed448 keys \([https\://github\.com/ansible\-collections/community\.crypto/issues/473](https\://github\.com/ansible\-collections/community\.crypto/issues/473)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/474](https\://github\.com/ansible\-collections/community\.crypto/pull/474)\)\. ## v1\.9\.16 ### Release Summary Maintenance and bugfix release\. ### Bugfixes * Include simplified\_bsd\.txt license file for the ECS module utils\. * certificate\_complete\_chain \- do not stop execution if an unsupported signature algorithm is encountered\; warn instead \([https\://github\.com/ansible\-collections/community\.crypto/pull/457](https\://github\.com/ansible\-collections/community\.crypto/pull/457)\)\. ## v1\.9\.15 ### Release Summary Maintenance release\. ### Bugfixes * Include PSF\-license\.txt file for plugins/module\_utils/\_version\.py\. ## v1\.9\.14 ### Release Summary Regular bugfix release\. ### Bugfixes * Make collection more robust when PyOpenSSL is used with an incompatible cryptography version \([https\://github\.com/ansible\-collections/community\.crypto/pull/446](https\://github\.com/ansible\-collections/community\.crypto/pull/446)\)\. * openssh\_\* modules \- fix exception handling to report traceback to users for enhanced traceability \([https\://github\.com/ansible\-collections/community\.crypto/pull/417](https\://github\.com/ansible\-collections/community\.crypto/pull/417)\)\. * x509\_crl \- fix crash when issuer for a revoked certificate is specified \([https\://github\.com/ansible\-collections/community\.crypto/pull/441](https\://github\.com/ansible\-collections/community\.crypto/pull/441)\)\. ## v1\.9\.13 ### Release Summary Regular bugfix release\. ### Bugfixes * luks\_device \- fix parsing of lsblk output when device name ends with crypt \([https\://github\.com/ansible\-collections/community\.crypto/issues/409](https\://github\.com/ansible\-collections/community\.crypto/issues/409)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/410](https\://github\.com/ansible\-collections/community\.crypto/pull/410)\)\. ## v1\.9\.12 ### Release Summary Regular bugfix release\. ### Bugfixes * certificate\_complete\_chain \- allow multiple potential intermediate certificates to have the same subject \([https\://github\.com/ansible\-collections/community\.crypto/issues/399](https\://github\.com/ansible\-collections/community\.crypto/issues/399)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/403](https\://github\.com/ansible\-collections/community\.crypto/pull/403)\)\. * x509\_certificate \- for the ownca provider\, check whether the CA private key actually belongs to the CA certificate\. This fix only covers the cryptography backend\, not the pyopenssl backend \([https\://github\.com/ansible\-collections/community\.crypto/pull/407](https\://github\.com/ansible\-collections/community\.crypto/pull/407)\)\. * x509\_certificate \- regenerate certificate when the CA\'s public key changes for provider\=ownca\. This fix only covers the cryptography backend\, not the pyopenssl backend \([https\://github\.com/ansible\-collections/community\.crypto/pull/407](https\://github\.com/ansible\-collections/community\.crypto/pull/407)\)\. * x509\_certificate \- regenerate certificate when the CA\'s subject changes for provider\=ownca \([https\://github\.com/ansible\-collections/community\.crypto/issues/400](https\://github\.com/ansible\-collections/community\.crypto/issues/400)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/402](https\://github\.com/ansible\-collections/community\.crypto/pull/402)\)\. * x509\_certificate \- regenerate certificate when the private key changes for provider\=selfsigned\. This fix only covers the cryptography backend\, not the pyopenssl backend \([https\://github\.com/ansible\-collections/community\.crypto/pull/407](https\://github\.com/ansible\-collections/community\.crypto/pull/407)\)\. ### Known Issues * x509\_certificate \- when using the ownca provider with the pyopenssl backend\, changing the CA\'s public key does not cause regeneration of the certificate \([https\://github\.com/ansible\-collections/community\.crypto/pull/407](https\://github\.com/ansible\-collections/community\.crypto/pull/407)\)\. * x509\_certificate \- when using the ownca provider with the pyopenssl backend\, it is possible to specify a CA private key which is not related to the CA certificate \([https\://github\.com/ansible\-collections/community\.crypto/pull/407](https\://github\.com/ansible\-collections/community\.crypto/pull/407)\)\. * x509\_certificate \- when using the selfsigned provider with the pyopenssl backend\, changing the private key does not cause regeneration of the certificate \([https\://github\.com/ansible\-collections/community\.crypto/pull/407](https\://github\.com/ansible\-collections/community\.crypto/pull/407)\)\. ## v1\.9\.11 ### Release Summary Bugfix release\. ### Bugfixes * openssh\_cert \- fixed false changed status for host certificates when using full\_idempotence \([https\://github\.com/ansible\-collections/community\.crypto/issues/395](https\://github\.com/ansible\-collections/community\.crypto/issues/395)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/396](https\://github\.com/ansible\-collections/community\.crypto/pull/396)\)\. ## v1\.9\.10 ### Release Summary Regular bugfix release\. ### Bugfixes * luks\_devices \- set LANG and similar environment variables to avoid translated output\, which can break some of the module\'s functionality like key management \([https\://github\.com/ansible\-collections/community\.crypto/pull/388](https\://github\.com/ansible\-collections/community\.crypto/pull/388)\, [https\://github\.com/ansible\-collections/community\.crypto/issues/385](https\://github\.com/ansible\-collections/community\.crypto/issues/385)\)\. ## v1\.9\.9 ### Bugfixes * Various modules and plugins \- use vendored version of distutils\.version instead of the deprecated Python standard library distutils \([https\://github\.com/ansible\-collections/community\.crypto/pull/353](https\://github\.com/ansible\-collections/community\.crypto/pull/353)\)\. * certificate\_complete\_chain \- do not append root twice if the chain already ends with a root certificate \([https\://github\.com/ansible\-collections/community\.crypto/pull/360](https\://github\.com/ansible\-collections/community\.crypto/pull/360)\)\. * certificate\_complete\_chain \- do not hang when infinite loop is found \([https\://github\.com/ansible\-collections/community\.crypto/issues/355](https\://github\.com/ansible\-collections/community\.crypto/issues/355)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/360](https\://github\.com/ansible\-collections/community\.crypto/pull/360)\)\. ## v1\.9\.8 ### Release Summary Documentation fix release\. No actual code changes\. ## v1\.9\.7 ### Release Summary Bugfix release with extra forward compatibility for newer versions of cryptography\. ### Minor Changes * acme\_\* modules \- fix usage of fetch\_url with changes in latest ansible\-core devel branch \([https\://github\.com/ansible\-collections/community\.crypto/pull/339](https\://github\.com/ansible\-collections/community\.crypto/pull/339)\)\. ### Bugfixes * acme\_certificate \- avoid passing multiple certificates to cryptography\'s X\.509 certificate loader when fullchain\_dest is used \([https\://github\.com/ansible\-collections/community\.crypto/pull/324](https\://github\.com/ansible\-collections/community\.crypto/pull/324)\)\. * get\_certificate\, openssl\_csr\_info\, x509\_certificate\_info \- add fallback code for extension parsing that works with cryptography 36\.0\.0 and newer\. This code re\-serializes de\-serialized extensions and thus can return slightly different values if the extension in the original CSR resp\. certificate was not canonicalized correctly\. This code is currently used as a fallback if the existing code stops working\, but we will switch it to be the main code in a future release \([https\://github\.com/ansible\-collections/community\.crypto/pull/331](https\://github\.com/ansible\-collections/community\.crypto/pull/331)\)\. * luks\_device \- now also runs a built\-in LUKS signature cleaner on state\=absent to make sure that also the secondary LUKS2 header is wiped when older versions of wipefs are used \([https\://github\.com/ansible\-collections/community\.crypto/issues/326](https\://github\.com/ansible\-collections/community\.crypto/issues/326)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/327](https\://github\.com/ansible\-collections/community\.crypto/pull/327)\)\. * openssl\_pkcs12 \- use new PKCS\#12 deserialization infrastructure from cryptography 36\.0\.0 if available \([https\://github\.com/ansible\-collections/community\.crypto/pull/302](https\://github\.com/ansible\-collections/community\.crypto/pull/302)\)\. ## v1\.9\.6 ### Release Summary Regular bugfix release\. ### Bugfixes * cryptography backend \- improve Unicode handling for Python 2 \([https\://github\.com/ansible\-collections/community\.crypto/pull/313](https\://github\.com/ansible\-collections/community\.crypto/pull/313)\)\. ## v1\.9\.5 ### Release Summary Bugfix release to fully support cryptography 35\.0\.0\. ### Bugfixes * get\_certificate \- fix compatibility with the cryptography 35\.0\.0 release \([https\://github\.com/ansible\-collections/community\.crypto/pull/294](https\://github\.com/ansible\-collections/community\.crypto/pull/294)\)\. * openssl\_csr\_info \- fix compatibility with the cryptography 35\.0\.0 release \([https\://github\.com/ansible\-collections/community\.crypto/pull/294](https\://github\.com/ansible\-collections/community\.crypto/pull/294)\)\. * openssl\_csr\_info \- fix compatibility with the cryptography 35\.0\.0 release in PyOpenSSL backend \([https\://github\.com/ansible\-collections/community\.crypto/pull/300](https\://github\.com/ansible\-collections/community\.crypto/pull/300)\)\. * openssl\_pkcs12 \- fix compatibility with the cryptography 35\.0\.0 release \([https\://github\.com/ansible\-collections/community\.crypto/pull/296](https\://github\.com/ansible\-collections/community\.crypto/pull/296)\)\. * x509\_certificate\_info \- fix compatibility with the cryptography 35\.0\.0 release \([https\://github\.com/ansible\-collections/community\.crypto/pull/294](https\://github\.com/ansible\-collections/community\.crypto/pull/294)\)\. * x509\_certificate\_info \- fix compatibility with the cryptography 35\.0\.0 release in PyOpenSSL backend \([https\://github\.com/ansible\-collections/community\.crypto/pull/300](https\://github\.com/ansible\-collections/community\.crypto/pull/300)\)\. ## v1\.9\.4 ### Release Summary Regular bugfix release\. ### Bugfixes * acme\_\* modules \- fix commands composed for OpenSSL backend to retrieve information on CSRs and certificates from stdin to use /dev/stdin instead of \-\. This is needed for OpenSSL 1\.0\.1 and 1\.0\.2\, apparently \([https\://github\.com/ansible\-collections/community\.crypto/pull/279](https\://github\.com/ansible\-collections/community\.crypto/pull/279)\)\. * acme\_challenge\_cert\_helper \- only return exception when cryptography is not installed\, not when a too old version of it is installed\. This prevents Ansible\'s callback to crash \([https\://github\.com/ansible\-collections/community\.crypto/pull/281](https\://github\.com/ansible\-collections/community\.crypto/pull/281)\)\. ## v1\.9\.3 ### Release Summary Regular bugfix release\. ### Bugfixes * openssl\_csr and openssl\_csr\_pipe \- make sure that Unicode strings are used to compare strings with the cryptography backend\. This fixes idempotency problems with non\-ASCII letters on Python 2 \([https\://github\.com/ansible\-collections/community\.crypto/issues/270](https\://github\.com/ansible\-collections/community\.crypto/issues/270)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/271](https\://github\.com/ansible\-collections/community\.crypto/pull/271)\)\. ## v1\.9\.2 ### Release Summary Bugfix release to fix the changelog\. No other change compared to 1\.9\.0\. ## v1\.9\.1 ### Release Summary Accidental 1\.9\.1 release\. Identical to 1\.9\.0\. ## v1\.9\.0 ### Release Summary Regular feature release\. ### Minor Changes * get\_certificate \- added starttls option to retrieve certificates from servers which require clients to request an encrypted connection \([https\://github\.com/ansible\-collections/community\.crypto/pull/264](https\://github\.com/ansible\-collections/community\.crypto/pull/264)\)\. * openssh\_keypair \- added diff support \([https\://github\.com/ansible\-collections/community\.crypto/pull/260](https\://github\.com/ansible\-collections/community\.crypto/pull/260)\)\. ### Bugfixes * keypair\_backend module utils \- simplify code to pass sanity tests \([https\://github\.com/ansible\-collections/community\.crypto/pull/263](https\://github\.com/ansible\-collections/community\.crypto/pull/263)\)\. * openssh\_keypair \- fixed cryptography backend to preserve original file permissions when regenerating a keypair requires existing files to be overwritten \([https\://github\.com/ansible\-collections/community\.crypto/pull/260](https\://github\.com/ansible\-collections/community\.crypto/pull/260)\)\. * openssh\_keypair \- fixed error handling to restore original keypair if regeneration fails \([https\://github\.com/ansible\-collections/community\.crypto/pull/260](https\://github\.com/ansible\-collections/community\.crypto/pull/260)\)\. * x509\_crl \- restore inherited function signature to pass sanity tests \([https\://github\.com/ansible\-collections/community\.crypto/pull/263](https\://github\.com/ansible\-collections/community\.crypto/pull/263)\)\. ## v1\.8\.0 ### Release Summary Regular bugfix and feature release\. ### Minor Changes * Avoid internal ansible\-core module\_utils in favor of equivalent public API available since at least Ansible 2\.9 \([https\://github\.com/ansible\-collections/community\.crypto/pull/253](https\://github\.com/ansible\-collections/community\.crypto/pull/253)\)\. * openssh certificate module utils \- new module\_utils for parsing OpenSSH certificates \([https\://github\.com/ansible\-collections/community\.crypto/pull/246](https\://github\.com/ansible\-collections/community\.crypto/pull/246)\)\. * openssh\_cert \- added regenerate option to validate additional certificate parameters which trigger regeneration of an existing certificate \([https\://github\.com/ansible\-collections/community\.crypto/pull/256](https\://github\.com/ansible\-collections/community\.crypto/pull/256)\)\. * openssh\_cert \- adding diff support \([https\://github\.com/ansible\-collections/community\.crypto/pull/255](https\://github\.com/ansible\-collections/community\.crypto/pull/255)\)\. ### Bugfixes * openssh\_cert \- fixed certificate generation to restore original certificate if an error is encountered \([https\://github\.com/ansible\-collections/community\.crypto/pull/255](https\://github\.com/ansible\-collections/community\.crypto/pull/255)\)\. * openssh\_keypair \- fixed a bug that prevented custom file attributes being applied to public keys \([https\://github\.com/ansible\-collections/community\.crypto/pull/257](https\://github\.com/ansible\-collections/community\.crypto/pull/257)\)\. ## v1\.7\.1 ### Release Summary Bugfix release\. ### Bugfixes * openssl\_pkcs12 \- fix crash when loading passphrase\-protected PKCS\#12 files with cryptography backend \([https\://github\.com/ansible\-collections/community\.crypto/issues/247](https\://github\.com/ansible\-collections/community\.crypto/issues/247)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/248](https\://github\.com/ansible\-collections/community\.crypto/pull/248)\)\. ## v1\.7\.0 ### Release Summary Regular feature and bugfix release\. ### Minor Changes * cryptography\_openssh module utils \- new module\_utils for managing asymmetric keypairs and OpenSSH formatted/encoded asymmetric keypairs \([https\://github\.com/ansible\-collections/community\.crypto/pull/213](https\://github\.com/ansible\-collections/community\.crypto/pull/213)\)\. * openssh\_keypair \- added backend parameter for selecting between the cryptography library or the OpenSSH binary for the execution of actions performed by openssh\_keypair \([https\://github\.com/ansible\-collections/community\.crypto/pull/236](https\://github\.com/ansible\-collections/community\.crypto/pull/236)\)\. * openssh\_keypair \- added passphrase parameter for encrypting/decrypting OpenSSH private keys \([https\://github\.com/ansible\-collections/community\.crypto/pull/225](https\://github\.com/ansible\-collections/community\.crypto/pull/225)\)\. * openssl\_csr \- add diff mode \([https\://github\.com/ansible\-collections/community\.crypto/issues/38](https\://github\.com/ansible\-collections/community\.crypto/issues/38)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/150](https\://github\.com/ansible\-collections/community\.crypto/pull/150)\)\. * openssl\_csr\_info \- now returns public\_key\_type and public\_key\_data \([https\://github\.com/ansible\-collections/community\.crypto/pull/233](https\://github\.com/ansible\-collections/community\.crypto/pull/233)\)\. * openssl\_csr\_info \- refactor module to allow code re\-use for diff mode \([https\://github\.com/ansible\-collections/community\.crypto/pull/204](https\://github\.com/ansible\-collections/community\.crypto/pull/204)\)\. * openssl\_csr\_pipe \- add diff mode \([https\://github\.com/ansible\-collections/community\.crypto/issues/38](https\://github\.com/ansible\-collections/community\.crypto/issues/38)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/150](https\://github\.com/ansible\-collections/community\.crypto/pull/150)\)\. * openssl\_pkcs12 \- added option select\_crypto\_backend and a cryptography backend\. This requires cryptography 3\.0 or newer\, and does not support the iter\_size and maciter\_size options \([https\://github\.com/ansible\-collections/community\.crypto/pull/234](https\://github\.com/ansible\-collections/community\.crypto/pull/234)\)\. * openssl\_privatekey \- add diff mode \([https\://github\.com/ansible\-collections/community\.crypto/issues/38](https\://github\.com/ansible\-collections/community\.crypto/issues/38)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/150](https\://github\.com/ansible\-collections/community\.crypto/pull/150)\)\. * openssl\_privatekey\_info \- refactor module to allow code re\-use for diff mode \([https\://github\.com/ansible\-collections/community\.crypto/pull/205](https\://github\.com/ansible\-collections/community\.crypto/pull/205)\)\. * openssl\_privatekey\_pipe \- add diff mode \([https\://github\.com/ansible\-collections/community\.crypto/issues/38](https\://github\.com/ansible\-collections/community\.crypto/issues/38)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/150](https\://github\.com/ansible\-collections/community\.crypto/pull/150)\)\. * openssl\_publickey \- add diff mode \([https\://github\.com/ansible\-collections/community\.crypto/issues/38](https\://github\.com/ansible\-collections/community\.crypto/issues/38)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/150](https\://github\.com/ansible\-collections/community\.crypto/pull/150)\)\. * x509\_certificate \- add diff mode \([https\://github\.com/ansible\-collections/community\.crypto/issues/38](https\://github\.com/ansible\-collections/community\.crypto/issues/38)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/150](https\://github\.com/ansible\-collections/community\.crypto/pull/150)\)\. * x509\_certificate\_info \- now returns public\_key\_type and public\_key\_data \([https\://github\.com/ansible\-collections/community\.crypto/pull/233](https\://github\.com/ansible\-collections/community\.crypto/pull/233)\)\. * x509\_certificate\_info \- refactor module to allow code re\-use for diff mode \([https\://github\.com/ansible\-collections/community\.crypto/pull/206](https\://github\.com/ansible\-collections/community\.crypto/pull/206)\)\. * x509\_certificate\_pipe \- add diff mode \([https\://github\.com/ansible\-collections/community\.crypto/issues/38](https\://github\.com/ansible\-collections/community\.crypto/issues/38)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/150](https\://github\.com/ansible\-collections/community\.crypto/pull/150)\)\. * x509\_crl \- add diff mode \([https\://github\.com/ansible\-collections/community\.crypto/issues/38](https\://github\.com/ansible\-collections/community\.crypto/issues/38)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/150](https\://github\.com/ansible\-collections/community\.crypto/pull/150)\)\. * x509\_crl\_info \- add list\_revoked\_certificates option to avoid enumerating all revoked certificates \([https\://github\.com/ansible\-collections/community\.crypto/pull/232](https\://github\.com/ansible\-collections/community\.crypto/pull/232)\)\. * x509\_crl\_info \- refactor module to allow code re\-use for diff mode \([https\://github\.com/ansible\-collections/community\.crypto/pull/203](https\://github\.com/ansible\-collections/community\.crypto/pull/203)\)\. ### Bugfixes * openssh\_keypair \- fix check\_mode to populate return values for existing keypairs \([https\://github\.com/ansible\-collections/community\.crypto/issues/113](https\://github\.com/ansible\-collections/community\.crypto/issues/113)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/230](https\://github\.com/ansible\-collections/community\.crypto/pull/230)\)\. * various modules \- prevent crashes when modules try to set attributes on not yet existing files in check mode\. This will be fixed in ansible\-core 2\.12\, but it is not backported to every Ansible version we support \([https\://github\.com/ansible\-collections/community\.crypto/issue/242](https\://github\.com/ansible\-collections/community\.crypto/issue/242)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/243](https\://github\.com/ansible\-collections/community\.crypto/pull/243)\)\. * x509\_certificate \- fix crash when assertonly provider is used and some error conditions should be reported \([https\://github\.com/ansible\-collections/community\.crypto/issues/240](https\://github\.com/ansible\-collections/community\.crypto/issues/240)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/241](https\://github\.com/ansible\-collections/community\.crypto/pull/241)\)\. ### New Modules * openssl\_publickey\_info \- Provide information for OpenSSL public keys ## v1\.6\.2 ### Release Summary Bugfix release\. Fixes compatibility issue of ACME modules with step\-ca\. ### Bugfixes * acme\_\* modules \- avoid crashing for ACME servers where the meta directory key is not present \([https\://github\.com/ansible\-collections/community\.crypto/issues/220](https\://github\.com/ansible\-collections/community\.crypto/issues/220)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/221](https\://github\.com/ansible\-collections/community\.crypto/pull/221)\)\. ## v1\.6\.1 ### Release Summary Bugfix release\. ### Bugfixes * acme\_\* modules \- fix wrong usages of ACMEProtocolException \([https\://github\.com/ansible\-collections/community\.crypto/pull/216](https\://github\.com/ansible\-collections/community\.crypto/pull/216)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/217](https\://github\.com/ansible\-collections/community\.crypto/pull/217)\)\. ## v1\.6\.0 ### Release Summary Fixes compatibility issues with the latest ansible\-core 2\.11 beta\, and contains a lot of internal refactoring for the ACME modules and support for private key passphrases for them\. ### Minor Changes * acme module\_utils \- the acme module\_utils has been split up into several Python modules \([https\://github\.com/ansible\-collections/community\.crypto/pull/184](https\://github\.com/ansible\-collections/community\.crypto/pull/184)\)\. * acme\_\* modules \- codebase refactor which should not be visible to end\-users \([https\://github\.com/ansible\-collections/community\.crypto/pull/184](https\://github\.com/ansible\-collections/community\.crypto/pull/184)\)\. * acme\_\* modules \- support account key passphrases for cryptography backend \([https\://github\.com/ansible\-collections/community\.crypto/issues/197](https\://github\.com/ansible\-collections/community\.crypto/issues/197)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/207](https\://github\.com/ansible\-collections/community\.crypto/pull/207)\)\. * acme\_certificate\_revoke \- support revoking by private keys that are passphrase protected for cryptography backend \([https\://github\.com/ansible\-collections/community\.crypto/pull/207](https\://github\.com/ansible\-collections/community\.crypto/pull/207)\)\. * acme\_challenge\_cert\_helper \- add private\_key\_passphrase parameter \([https\://github\.com/ansible\-collections/community\.crypto/pull/207](https\://github\.com/ansible\-collections/community\.crypto/pull/207)\)\. ### Deprecated Features * acme module\_utils \- the acme module\_utils \(ansible\_collections\.community\.crypto\.plugins\.module\_utils\.acme\) is deprecated and will be removed in community\.crypto 2\.0\.0\. Use the new Python modules in the acme package instead \(ansible\_collections\.community\.crypto\.plugins\.module\_utils\.acme\.xxx\) \([https\://github\.com/ansible\-collections/community\.crypto/pull/184](https\://github\.com/ansible\-collections/community\.crypto/pull/184)\)\. ### Bugfixes * action\_module plugin helper \- make compatible with latest changes in ansible\-core 2\.11\.0b3 \([https\://github\.com/ansible\-collections/community\.crypto/pull/202](https\://github\.com/ansible\-collections/community\.crypto/pull/202)\)\. * openssl\_privatekey\_pipe \- make compatible with latest changes in ansible\-core 2\.11\.0b3 \([https\://github\.com/ansible\-collections/community\.crypto/pull/202](https\://github\.com/ansible\-collections/community\.crypto/pull/202)\)\. ## v1\.5\.0 ### Release Summary Regular feature and bugfix release\. Deprecates a return value\. ### Minor Changes * acme\_account\_info \- when retrieve\_orders is not ignore and the ACME server allows to query orders\, the new return value order\_uris is always populated with a list of URIs \([https\://github\.com/ansible\-collections/community\.crypto/pull/178](https\://github\.com/ansible\-collections/community\.crypto/pull/178)\)\. * luks\_device \- allow to specify sector size for LUKS2 containers with new sector\_size parameter \([https\://github\.com/ansible\-collections/community\.crypto/pull/193](https\://github\.com/ansible\-collections/community\.crypto/pull/193)\)\. ### Deprecated Features * acme\_account\_info \- when retrieve\_orders\=url\_list\, orders will no longer be returned in community\.crypto 2\.0\.0\. Use order\_uris instead \([https\://github\.com/ansible\-collections/community\.crypto/pull/178](https\://github\.com/ansible\-collections/community\.crypto/pull/178)\)\. ### Bugfixes * openssl\_csr \- no longer fails when comparing CSR without basic constraint when basic\_constraints is specified \([https\://github\.com/ansible\-collections/community\.crypto/issues/179](https\://github\.com/ansible\-collections/community\.crypto/issues/179)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/180](https\://github\.com/ansible\-collections/community\.crypto/pull/180)\)\. ## v1\.4\.0 ### Release Summary Release with several new features and bugfixes\. ### Minor Changes * The ACME module\_utils has been relicensed back from the Simplified BSD License \([https\://opensource\.org/licenses/BSD\-2\-Clause](https\://opensource\.org/licenses/BSD\-2\-Clause)\) to the GPLv3\+ \(same license used by most other code in this collection\)\. This undoes a licensing change when the original GPLv3\+ licensed code was moved to module\_utils in [https\://github\.com/ansible/ansible/pull/40697](https\://github\.com/ansible/ansible/pull/40697) \([https\://github\.com/ansible\-collections/community\.crypto/pull/165](https\://github\.com/ansible\-collections/community\.crypto/pull/165)\)\. * The crypto/identify\.py module\_utils has been renamed to crypto/pem\.py \([https\://github\.com/ansible\-collections/community\.crypto/pull/166](https\://github\.com/ansible\-collections/community\.crypto/pull/166)\)\. * luks\_device \- new\_keyfile\, new\_passphrase\, remove\_keyfile and remove\_passphrase are now idempotent \([https\://github\.com/ansible\-collections/community\.crypto/issues/19](https\://github\.com/ansible\-collections/community\.crypto/issues/19)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/168](https\://github\.com/ansible\-collections/community\.crypto/pull/168)\)\. * luks\_device \- allow to configure PBKDF \([https\://github\.com/ansible\-collections/community\.crypto/pull/163](https\://github\.com/ansible\-collections/community\.crypto/pull/163)\)\. * openssl\_csr\, openssl\_csr\_pipe \- allow to specify CRL distribution endpoints with crl\_distribution\_points \([https\://github\.com/ansible\-collections/community\.crypto/issues/147](https\://github\.com/ansible\-collections/community\.crypto/issues/147)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/167](https\://github\.com/ansible\-collections/community\.crypto/pull/167)\)\. * openssl\_pkcs12 \- allow to specify certificate bundles in other\_certificates by using new option other\_certificates\_parse\_all \([https\://github\.com/ansible\-collections/community\.crypto/issues/149](https\://github\.com/ansible\-collections/community\.crypto/issues/149)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/166](https\://github\.com/ansible\-collections/community\.crypto/pull/166)\)\. ### Bugfixes * acme\_certificate \- error when requested challenge type is not found for non\-valid challenges\, instead of hanging on step 2 \([https\://github\.com/ansible\-collections/community\.crypto/issues/171](https\://github\.com/ansible\-collections/community\.crypto/issues/171)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/173](https\://github\.com/ansible\-collections/community\.crypto/pull/173)\)\. ## v1\.3\.0 ### Release Summary Contains new modules openssl\_privatekey\_pipe\, openssl\_csr\_pipe and x509\_certificate\_pipe which allow to create or update private keys\, CSRs and X\.509 certificates without having to write them to disk\. ### Minor Changes * openssh\_cert \- add module parameter use\_agent to enable using signing keys stored in ssh\-agent \([https\://github\.com/ansible\-collections/community\.crypto/issues/116](https\://github\.com/ansible\-collections/community\.crypto/issues/116)\)\. * openssl\_csr \- refactor module to allow code re\-use by openssl\_csr\_pipe \([https\://github\.com/ansible\-collections/community\.crypto/pull/123](https\://github\.com/ansible\-collections/community\.crypto/pull/123)\)\. * openssl\_privatekey \- refactor module to allow code re\-use by openssl\_privatekey\_pipe \([https\://github\.com/ansible\-collections/community\.crypto/pull/119](https\://github\.com/ansible\-collections/community\.crypto/pull/119)\)\. * openssl\_privatekey \- the elliptic curve secp192r1 now triggers a security warning\. Elliptic curves of at least 224 bits should be used for new keys\; see [here](https\://cryptography\.io/en/latest/hazmat/primitives/asymmetric/ec\.html\#elliptic\-curves) \([https\://github\.com/ansible\-collections/community\.crypto/pull/132](https\://github\.com/ansible\-collections/community\.crypto/pull/132)\)\. * x509\_certificate \- for the selfsigned provider\, a CSR is not required anymore\. If no CSR is provided\, the module behaves as if a minimal CSR which only contains the public key has been provided \([https\://github\.com/ansible\-collections/community\.crypto/issues/32](https\://github\.com/ansible\-collections/community\.crypto/issues/32)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/129](https\://github\.com/ansible\-collections/community\.crypto/pull/129)\)\. * x509\_certificate \- refactor module to allow code re\-use by x509\_certificate\_pipe \([https\://github\.com/ansible\-collections/community\.crypto/pull/135](https\://github\.com/ansible\-collections/community\.crypto/pull/135)\)\. ### Bugfixes * openssl\_pkcs12 \- report the correct state when action is parse \([https\://github\.com/ansible\-collections/community\.crypto/issues/143](https\://github\.com/ansible\-collections/community\.crypto/issues/143)\)\. * support code \- improve handling of certificate and certificate signing request \(CSR\) loading with the cryptography backend when errors occur \([https\://github\.com/ansible\-collections/community\.crypto/issues/138](https\://github\.com/ansible\-collections/community\.crypto/issues/138)\, [https\://github\.com/ansible\-collections/community\.crypto/pull/139](https\://github\.com/ansible\-collections/community\.crypto/pull/139)\)\. * x509\_certificate \- fix entrust provider\, which was broken since community\.crypto 0\.1\.0 due to a feature added before the collection move \([https\://github\.com/ansible\-collections/community\.crypto/pull/135](https\://github\.com/ansible\-collections/community\.crypto/pull/135)\)\. ### New Modules * openssl\_csr\_pipe \- Generate OpenSSL Certificate Signing Request \(CSR\) * openssl\_privatekey\_pipe \- Generate OpenSSL private keys without disk access * x509\_certificate\_pipe \- Generate and/or check OpenSSL certificates ## v1\.2\.0 ### Release Summary Please note that this release fixes a security issue \(CVE\-2020\-25646\)\. ### Minor Changes * acme\_certificate \- allow to pass CSR file as content with new option csr\_content \([https\://github\.com/ansible\-collections/community\.crypto/pull/115](https\://github\.com/ansible\-collections/community\.crypto/pull/115)\)\. * x509\_certificate\_info \- add fingerprints return value which returns certificate fingerprints \([https\://github\.com/ansible\-collections/community\.crypto/pull/121](https\://github\.com/ansible\-collections/community\.crypto/pull/121)\)\. ### Security Fixes * openssl\_csr \- the option privatekey\_content was not marked as no\_log\, resulting in it being dumped into the system log by default\, and returned in the registered results in the invocation field \(CVE\-2020\-25646\, [https\://github\.com/ansible\-collections/community\.crypto/pull/125](https\://github\.com/ansible\-collections/community\.crypto/pull/125)\)\. * openssl\_privatekey\_info \- the option content was not marked as no\_log\, resulting in it being dumped into the system log by default\, and returned in the registered results in the invocation field \(CVE\-2020\-25646\, [https\://github\.com/ansible\-collections/community\.crypto/pull/125](https\://github\.com/ansible\-collections/community\.crypto/pull/125)\)\. * openssl\_publickey \- the option privatekey\_content was not marked as no\_log\, resulting in it being dumped into the system log by default\, and returned in the registered results in the invocation field \(CVE\-2020\-25646\, [https\://github\.com/ansible\-collections/community\.crypto/pull/125](https\://github\.com/ansible\-collections/community\.crypto/pull/125)\)\. * openssl\_signature \- the option privatekey\_content was not marked as no\_log\, resulting in it being dumped into the system log by default\, and returned in the registered results in the invocation field \(CVE\-2020\-25646\, [https\://github\.com/ansible\-collections/community\.crypto/pull/125](https\://github\.com/ansible\-collections/community\.crypto/pull/125)\)\. * x509\_certificate \- the options privatekey\_content and ownca\_privatekey\_content were not marked as no\_log\, resulting in it being dumped into the system log by default\, and returned in the registered results in the invocation field \(CVE\-2020\-25646\, [https\://github\.com/ansible\-collections/community\.crypto/pull/125](https\://github\.com/ansible\-collections/community\.crypto/pull/125)\)\. * x509\_crl \- the option privatekey\_content was not marked as no\_log\, resulting in it being dumped into the system log by default\, and returned in the registered results in the invocation field \(CVE\-2020\-25646\, [https\://github\.com/ansible\-collections/community\.crypto/pull/125](https\://github\.com/ansible\-collections/community\.crypto/pull/125)\)\. ### Bugfixes * openssl\_pkcs12 \- do not crash when reading PKCS\#12 file which has no private key and/or no main certificate \([https\://github\.com/ansible\-collections/community\.crypto/issues/103](https\://github\.com/ansible\-collections/community\.crypto/issues/103)\)\. ## v1\.1\.1 ### Release Summary Bugfixes for Ansible 2\.10\.0\. ### Bugfixes * meta/runtime\.yml \- convert Ansible version numbers for old names of modules to collection version numbers \([https\://github\.com/ansible\-collections/community\.crypto/pull/108](https\://github\.com/ansible\-collections/community\.crypto/pull/108)\)\. * openssl\_csr \- improve handling of IDNA errors \([https\://github\.com/ansible\-collections/community\.crypto/issues/105](https\://github\.com/ansible\-collections/community\.crypto/issues/105)\)\. ## v1\.1\.0 ### Release Summary Release for Ansible 2\.10\.0\. ### Minor Changes * acme\_account \- add external\_account\_binding option to allow creation of ACME accounts with External Account Binding \([https\://github\.com/ansible\-collections/community\.crypto/issues/89](https\://github\.com/ansible\-collections/community\.crypto/issues/89)\)\. * acme\_certificate \- allow new selector test\_certificates\: first for select\_chain parameter \([https\://github\.com/ansible\-collections/community\.crypto/pull/102](https\://github\.com/ansible\-collections/community\.crypto/pull/102)\)\. * cryptography backends \- support arbitrary dotted OIDs \([https\://github\.com/ansible\-collections/community\.crypto/issues/39](https\://github\.com/ansible\-collections/community\.crypto/issues/39)\)\. * get\_certificate \- add support for SNI \([https\://github\.com/ansible\-collections/community\.crypto/issues/69](https\://github\.com/ansible\-collections/community\.crypto/issues/69)\)\. * luks\_device \- add support for encryption options on container creation \([https\://github\.com/ansible\-collections/community\.crypto/pull/97](https\://github\.com/ansible\-collections/community\.crypto/pull/97)\)\. * openssh\_cert \- add support for PKCS\#11 tokens \([https\://github\.com/ansible\-collections/community\.crypto/pull/95](https\://github\.com/ansible\-collections/community\.crypto/pull/95)\)\. * openssl\_certificate \- the PyOpenSSL backend now uses 160 bits of randomness for serial numbers\, instead of a random number between 1000 and 99999\. Please note that this is not a high quality random number \([https\://github\.com/ansible\-collections/community\.crypto/issues/76](https\://github\.com/ansible\-collections/community\.crypto/issues/76)\)\. * openssl\_csr \- add support for name constraints extension \([https\://github\.com/ansible\-collections/community\.crypto/issues/46](https\://github\.com/ansible\-collections/community\.crypto/issues/46)\)\. * openssl\_csr\_info \- add support for name constraints extension \([https\://github\.com/ansible\-collections/community\.crypto/issues/46](https\://github\.com/ansible\-collections/community\.crypto/issues/46)\)\. ### Bugfixes * acme\_inspect \- fix problem with Python 3\.5 that JSON was not decoded \([https\://github\.com/ansible\-collections/community\.crypto/issues/86](https\://github\.com/ansible\-collections/community\.crypto/issues/86)\)\. * get\_certificate \- fix ca\_cert option handling when proxy\_host is used \([https\://github\.com/ansible\-collections/community\.crypto/pull/84](https\://github\.com/ansible\-collections/community\.crypto/pull/84)\)\. * openssl\_\*\, x509\_\* modules \- fix handling of general names which refer to IP networks and not IP addresses \([https\://github\.com/ansible\-collections/community\.crypto/pull/92](https\://github\.com/ansible\-collections/community\.crypto/pull/92)\)\. ### New Modules * openssl\_signature \- Sign data with openssl * openssl\_signature\_info \- Verify signatures with openssl ## v1\.0\.0 ### Release Summary This is the first proper release of the community\.crypto collection\. This changelog contains all changes to the modules in this collection that were added after the release of Ansible 2\.9\.0\. ### Minor Changes * luks\_device \- accept passphrase\, new\_passphrase and remove\_passphrase\. * luks\_device \- add keysize parameter to set key size at LUKS container creation * luks\_device \- added support to use UUIDs\, and labels with LUKS2 containers * luks\_device \- added the type option that allows user explicit define the LUKS container format version * openssh\_keypair \- instead of regenerating some broken or password protected keys\, fail the module\. Keys can still be regenerated by calling the module with force\=yes\. * openssh\_keypair \- the regenerate option allows to configure the module\'s behavior when it should or needs to regenerate private keys\. * openssl\_\* modules \- the cryptography backend now properly supports dirName\, otherName and RID \(Registered ID\) names\. * openssl\_certificate \- Add option for changing which ACME directory to use with acme\-tiny\. Set the default ACME directory to Let\'s Encrypt instead of using acme\-tiny\'s default\. \(acme\-tiny also uses Let\'s Encrypt at the time being\, so no action should be neccessary\.\) * openssl\_certificate \- Change the required version of acme\-tiny to \>\= 4\.0\.0 * openssl\_certificate \- allow to provide content of some input files via the csr\_content\, privatekey\_content\, ownca\_privatekey\_content and ownca\_content options\. * openssl\_certificate \- allow to return the existing/generated certificate directly as certificate by setting return\_content to yes\. * openssl\_certificate\_info \- allow to provide certificate content via content option \([https\://github\.com/ansible/ansible/issues/64776](https\://github\.com/ansible/ansible/issues/64776)\)\. * openssl\_csr \- Add support for specifying the SAN otherName value in the OpenSSL ASN\.1 UTF8 string format\, otherName\:\\;UTF8\:string value\. * openssl\_csr \- allow to provide private key content via private\_key\_content option\. * openssl\_csr \- allow to return the existing/generated CSR directly as csr by setting return\_content to yes\. * openssl\_csr\_info \- allow to provide CSR content via content option\. * openssl\_dhparam \- allow to return the existing/generated DH params directly as dhparams by setting return\_content to yes\. * openssl\_dhparam \- now supports a cryptography\-based backend\. Auto\-detection can be overwritten with the select\_crypto\_backend option\. * openssl\_pkcs12 \- allow to return the existing/generated PKCS\#12 directly as pkcs12 by setting return\_content to yes\. * openssl\_privatekey \- add format and format\_mismatch options\. * openssl\_privatekey \- allow to return the existing/generated private key directly as privatekey by setting return\_content to yes\. * openssl\_privatekey \- the regenerate option allows to configure the module\'s behavior when it should or needs to regenerate private keys\. * openssl\_privatekey\_info \- allow to provide private key content via content option\. * openssl\_publickey \- allow to provide private key content via private\_key\_content option\. * openssl\_publickey \- allow to return the existing/generated public key directly as publickey by setting return\_content to yes\. ### Deprecated Features * openssl\_csr \- all values for the version option except 1 are deprecated\. The value 1 denotes the current only standardized CSR version\. ### Removed Features \(previously deprecated\) * The letsencrypt module has been removed\. Use acme\_certificate instead\. ### Bugfixes * ACME modules\: fix bug in ACME v1 account update code * ACME modules\: make sure some connection errors are handled properly * ACME modules\: support Buypass\' ACME v1 endpoint * acme\_certificate \- fix crash when module is used with Python 2\.x\. * acme\_certificate \- fix misbehavior when ACME v1 is used with modify\_account set to false\. * ecs\_certificate \- Always specify header connection\: keep\-alive for ECS API connections\. * ecs\_certificate \- Fix formatting of contents of full\_chain\_path\. * get\_certificate \- Fix cryptography backend when pyopenssl is unavailable \([https\://github\.com/ansible/ansible/issues/67900](https\://github\.com/ansible/ansible/issues/67900)\) * openssh\_keypair \- add logic to avoid breaking password protected keys\. * openssh\_keypair \- fixes idempotence issue with public key \([https\://github\.com/ansible/ansible/issues/64969](https\://github\.com/ansible/ansible/issues/64969)\)\. * openssh\_keypair \- public key\'s file attributes \(permissions\, owner\, group\, etc\.\) are now set to the same values as the private key\. * openssl\_\* modules \- prevent crash on fingerprint determination in FIPS mode \([https\://github\.com/ansible/ansible/issues/67213](https\://github\.com/ansible/ansible/issues/67213)\)\. * openssl\_certificate \- When provider is entrust\, use a connection\: keep\-alive header for ECS API connections\. * openssl\_certificate \- provider option was documented as required\, but it was not checked whether it was provided\. It is now only required when state is present\. * openssl\_certificate \- fix assertonly provider certificate verification\, causing \'private key mismatch\' and \'subject mismatch\' errors\. * openssl\_certificate and openssl\_csr \- fix Ed25519 and Ed448 private key support for cryptography backend\. This probably needs at least cryptography 2\.8\, since older versions have problems with signing certificates or CSRs with such keys\. \([https\://github\.com/ansible/ansible/issues/59039](https\://github\.com/ansible/ansible/issues/59039)\, PR [https\://github\.com/ansible/ansible/pull/63984](https\://github\.com/ansible/ansible/pull/63984)\) * openssl\_csr \- a warning is issued if an unsupported value for version is used for the cryptography backend\. * openssl\_csr \- the module will now enforce that privatekey\_path is specified when state\=present\. * openssl\_publickey \- fix a module crash caused when pyOpenSSL is not installed \([https\://github\.com/ansible/ansible/issues/67035](https\://github\.com/ansible/ansible/issues/67035)\)\. ### New Modules * ecs\_domain \- Request validation of a domain with the Entrust Certificate Services \(ECS\) API * x509\_crl \- Generate Certificate Revocation Lists \(CRLs\) * x509\_crl\_info \- Retrieve information on Certificate Revocation Lists \(CRLs\)