community.crypto.get_certificate module – Get a certificate from a host:port
Note
This module is part of the community.crypto collection (version 2.10.0).
To install it, use: ansible-galaxy collection install community.crypto.
You need further requirements to be able to use this module; see Requirements for details.
To use it in a playbook, specify: community.crypto.get_certificate.
Synopsis
Makes a secure connection to host:port and returns information about the certificate the server presents.
The module uses the cryptography Python library.
SNI (Server Name Indication) is supported only with Python >= 2.7.
Requirements
The below requirements are needed on the host that executes this module.
python >= 2.7 when using proxy_host
cryptography >= 1.6
Parameters
Parameter | Comments
---|---
ca_cert | A PEM file containing one or more root certificates; if present, the certificate is validated against these root certificates. Note that this only validates that the certificate is signed by the chain, not that the certificate is valid for the host presenting it.
host | The host to get the certificate for (an IP address is fine).
port | The port to connect to.
proxy_host | Proxy host used when getting a certificate.
proxy_port | Proxy port used when getting a certificate. Default:
select_crypto_backend | Determines which crypto backend to use. The default choice is If set to Choices:
server_name | Server name used for SNI (Server Name Indication) when host is an IP address or differs from the server name the certificate is issued for.
starttls | Requests a secure connection for protocols which require clients to initiate encryption. Only available for Choices:
timeout | The timeout in seconds. Default:
Attributes
Attribute | Support | Description
---|---|---
check_mode | Support: none. This action does not modify state. | Can run in check_mode and return changed status prediction without modifying target.
diff_mode | Support: N/A. This action does not modify state. | Will return details on what has changed (or possibly needs changing in check_mode), when in diff mode.
Notes
Note
When using ca_cert on OS X, it has been reported that under some conditions validation will always succeed, so a passing ca_cert check on that platform should not be treated as proof that the chain is trusted.
Examples
- name: Get the cert from an RDP port
  community.crypto.get_certificate:
    host: "1.2.3.4"
    port: 3389
  delegate_to: localhost
  run_once: true
  register: cert

- name: Get a cert from an https port
  community.crypto.get_certificate:
    host: "www.google.com"
    port: 443
  delegate_to: localhost
  run_once: true
  register: cert

- name: How many days until cert expires
  debug:
    msg: "cert expires in: {{ expire_days }} days."
  vars:
    expire_days: "{{ (( cert.not_after | to_datetime('%Y%m%d%H%M%SZ')) - (ansible_date_time.iso8601 | to_datetime('%Y-%m-%dT%H:%M:%SZ')) ).days }}"
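The following playbook is an added example, not one from the collection's own documentation. It combines the parameters described above into one expiry check: the server is reached by IP address, so server_name is set to obtain the certificate for the intended virtual host via SNI, ca_cert pins the trust bundle the chain is validated against, and the play fails if the certificate is expired or has fewer than min_days_left days left. The IP address, host name, bundle path and threshold are assumed values. Because ca_cert only verifies that the chain is signed by the given roots and not that the certificate matches the host, a hostname check is a separate step and is not performed here.

```yaml
- name: Check the certificate served for a name behind an IP address
  hosts: localhost
  gather_facts: true            # ansible_date_time is needed for the expiry arithmetic
  vars:
    target_ip: "203.0.113.10"                         # assumed example address (TEST-NET-3)
    target_name: "www.example.com"                    # assumed name presented via SNI
    ca_bundle: "/etc/ssl/certs/ca-certificates.crt"   # assumed path to a PEM root bundle
    min_days_left: 30                                 # assumed renewal threshold

  tasks:
    - name: Fetch the certificate presented for target_name on target_ip
      community.crypto.get_certificate:
        host: "{{ target_ip }}"
        port: 443
        server_name: "{{ target_name }}"   # SNI: without this the server may present its default cert
        ca_cert: "{{ ca_bundle }}"         # validates the chain signature only, not the host name
      register: cert

    - name: Compute days until expiry from the module's not_after value
      ansible.builtin.set_fact:
        expire_days: "{{ ((cert.not_after | to_datetime('%Y%m%d%H%M%SZ')) - (ansible_date_time.iso8601 | to_datetime('%Y-%m-%dT%H:%M:%SZ'))).days }}"

    - name: Fail if the certificate is expired or expires within min_days_left days
      ansible.builtin.assert:
        that:
          - not cert.expired
          - expire_days | int >= min_days_left
        fail_msg: >-
          Certificate for {{ target_name }} (serial {{ cert.serial_number }},
          signed with {{ cert.signature_algorithm }}) expires in {{ expire_days }} days.
        success_msg: "Certificate for {{ target_name }} is valid for {{ expire_days }} more days."
```

Run it with ansible-playbook; the assert task returns failed when either condition is violated, which makes the play usable as a scheduled expiry monitor.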
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key | Description
---|---
cert | The certificate retrieved from the port. Returned: success
expired | Boolean indicating whether the certificate is expired. Returned: success
extensions | Extensions applied to the certificate. Returned: success
extensions[].asn1_data | The Base64 encoded ASN.1 content of the extension. Note that depending on the Returned: success
extensions[].critical | Whether the extension is critical. Returned: success
extensions[].name | The extension's name. Returned: success
issuer | Information about the issuer of the certificate. Returned: success
not_after | Expiration date of the certificate. Returned: success
not_before | Issue date of the certificate. Returned: success
serial_number | The serial number of the certificate. Returned: success
signature_algorithm | The algorithm used to sign the certificate. Returned: success
subject | Information about the subject of the certificate (OU, CN, etc.). Returned: success
version | The version number of the certificate. Returned: success