344 lines
21 KiB
YAML
344 lines
21 KiB
YAML
ancestor: null
|
|
releases:
|
|
1.0.0:
|
|
changes:
|
|
bugfixes:
|
|
- 'ACME modules: fix bug in ACME v1 account update code'
|
|
- 'ACME modules: make sure some connection errors are handled properly'
|
|
- 'ACME modules: support Buypass'' ACME v1 endpoint'
|
|
- acme_certificate - fix crash when module is used with Python 2.x.
|
|
- acme_certificate - fix misbehavior when ACME v1 is used with ``modify_account``
|
|
set to ``false``.
|
|
- 'ecs_certificate - Always specify header ``connection: keep-alive`` for ECS
|
|
API connections.'
|
|
- ecs_certificate - Fix formatting of contents of ``full_chain_path``.
|
|
- get_certificate - Fix cryptography backend when pyopenssl is unavailable (https://github.com/ansible/ansible/issues/67900)
|
|
- openssh_keypair - add logic to avoid breaking password protected keys.
|
|
- openssh_keypair - fixes idempotence issue with public key (https://github.com/ansible/ansible/issues/64969).
|
|
- openssh_keypair - public key's file attributes (permissions, owner, group,
|
|
etc.) are now set to the same values as the private key.
|
|
- openssl_* modules - prevent crash on fingerprint determination in FIPS mode
|
|
(https://github.com/ansible/ansible/issues/67213).
|
|
- 'openssl_certificate - When provider is ``entrust``, use a ``connection: keep-alive``
|
|
header for ECS API connections.'
|
|
- openssl_certificate - ``provider`` option was documented as required, but
|
|
it was not checked whether it was provided. It is now only required when ``state``
|
|
is ``present``.
|
|
- openssl_certificate - fix ``assertonly`` provider certificate verification,
|
|
causing 'private key mismatch' and 'subject mismatch' errors.
|
|
- openssl_certificate and openssl_csr - fix Ed25519 and Ed448 private key support
|
|
for ``cryptography`` backend. This probably needs at least cryptography 2.8,
|
|
since older versions have problems with signing certificates or CSRs with
|
|
such keys. (https://github.com/ansible/ansible/issues/59039, PR https://github.com/ansible/ansible/pull/63984)
|
|
- openssl_csr - a warning is issued if an unsupported value for ``version``
|
|
is used for the ``cryptography`` backend.
|
|
- openssl_csr - the module will now enforce that ``privatekey_path`` is specified
|
|
when ``state=present``.
|
|
- openssl_publickey - fix a module crash caused when pyOpenSSL is not installed
|
|
(https://github.com/ansible/ansible/issues/67035).
|
|
deprecated_features:
|
|
- openssl_csr - all values for the ``version`` option except ``1`` are deprecated.
|
|
The value 1 denotes the current only standardized CSR version.
|
|
minor_changes:
|
|
- luks_device - accept ``passphrase``, ``new_passphrase`` and ``remove_passphrase``.
|
|
- luks_device - add ``keysize`` parameter to set key size at LUKS container
|
|
creation
|
|
- luks_device - added support to use UUIDs, and labels with LUKS2 containers
|
|
- luks_device - added the ``type`` option that allows user explicit define the
|
|
LUKS container format version
|
|
- openssh_keypair - instead of regenerating some broken or password protected
|
|
keys, fail the module. Keys can still be regenerated by calling the module
|
|
with ``force=yes``.
|
|
- openssh_keypair - the ``regenerate`` option allows to configure the module's
|
|
behavior when it should or needs to regenerate private keys.
|
|
- openssl_* modules - the cryptography backend now properly supports ``dirName``,
|
|
``otherName`` and ``RID`` (Registered ID) names.
|
|
- openssl_certificate - Add option for changing which ACME directory to use
|
|
with acme-tiny. Set the default ACME directory to Let's Encrypt instead of
|
|
using acme-tiny's default. (acme-tiny also uses Let's Encrypt at the time
|
|
being, so no action should be neccessary.)
|
|
- openssl_certificate - Change the required version of acme-tiny to >= 4.0.0
|
|
- openssl_certificate - allow to provide content of some input files via the
|
|
``csr_content``, ``privatekey_content``, ``ownca_privatekey_content`` and
|
|
``ownca_content`` options.
|
|
- openssl_certificate - allow to return the existing/generated certificate directly
|
|
as ``certificate`` by setting ``return_content`` to ``yes``.
|
|
- openssl_certificate_info - allow to provide certificate content via ``content``
|
|
option (https://github.com/ansible/ansible/issues/64776).
|
|
- openssl_csr - Add support for specifying the SAN ``otherName`` value in the
|
|
OpenSSL ASN.1 UTF8 string format, ``otherName:<OID>;UTF8:string value``.
|
|
- openssl_csr - allow to provide private key content via ``private_key_content``
|
|
option.
|
|
- openssl_csr - allow to return the existing/generated CSR directly as ``csr``
|
|
by setting ``return_content`` to ``yes``.
|
|
- openssl_csr_info - allow to provide CSR content via ``content`` option.
|
|
- openssl_dhparam - allow to return the existing/generated DH params directly
|
|
as ``dhparams`` by setting ``return_content`` to ``yes``.
|
|
- openssl_dhparam - now supports a ``cryptography``-based backend. Auto-detection
|
|
can be overwritten with the ``select_crypto_backend`` option.
|
|
- openssl_pkcs12 - allow to return the existing/generated PKCS#12 directly as
|
|
``pkcs12`` by setting ``return_content`` to ``yes``.
|
|
- openssl_privatekey - add ``format`` and ``format_mismatch`` options.
|
|
- openssl_privatekey - allow to return the existing/generated private key directly
|
|
as ``privatekey`` by setting ``return_content`` to ``yes``.
|
|
- openssl_privatekey - the ``regenerate`` option allows to configure the module's
|
|
behavior when it should or needs to regenerate private keys.
|
|
- openssl_privatekey_info - allow to provide private key content via ``content``
|
|
option.
|
|
- openssl_publickey - allow to provide private key content via ``private_key_content``
|
|
option.
|
|
- openssl_publickey - allow to return the existing/generated public key directly
|
|
as ``publickey`` by setting ``return_content`` to ``yes``.
|
|
release_summary: 'This is the first proper release of the ``community.crypto``
|
|
collection. This changelog contains all changes to the modules in this collection
|
|
that were added after the release of Ansible 2.9.0.
|
|
|
|
'
|
|
removed_features:
|
|
- The ``letsencrypt`` module has been removed. Use ``acme_certificate`` instead.
|
|
fragments:
|
|
- 1.0.0.yml
|
|
- 52408-luks-device.yaml
|
|
- 58973-luks_device_add-type-option.yml
|
|
- 58973_luks_device-add-label-and-uuid-support.yml
|
|
- 60388-openssl_privatekey-format.yml
|
|
- 61522-luks-device-add-option-to-define-keysize.yml
|
|
- 61658-openssh_keypair-public-key-permissions.yml
|
|
- 61693-acme-buypass-acme-v1.yml
|
|
- 61738-ecs-certificate-invalid-chain.yaml
|
|
- 62218-fix-to-entrust-api.yml
|
|
- 62790-openssl_certificate_fix_assert.yml
|
|
- 62991-openssl_dhparam-cryptography-backend.yml
|
|
- 63140-acme-fix-fetch-url-status-codes.yaml
|
|
- 63432-openssl_csr-version.yml
|
|
- 63984-openssl-ed25519-ed448.yml
|
|
- 64436-openssh_keypair-add-password-protected-key-check.yml
|
|
- 64501-fix-python2.x-backward-compatibility.yaml
|
|
- 64648-acme_certificate-acmev1.yml
|
|
- 65017-openssh_keypair-idempotence.yml
|
|
- 65400-openssl-output.yml
|
|
- 65435-openssl_csr-privatekey_path-required.yml
|
|
- 65633-crypto-argspec-fixup.yml
|
|
- 66384-openssl-content.yml
|
|
- 67036-openssl_publickey-backend.yml
|
|
- 67038-openssl-openssh-key-regenerate.yml
|
|
- 67109-openssl_certificate-acme-directory.yaml
|
|
- 67515-openssl-fingerprint-fips.yml
|
|
- 67669-cryptography-names.yml
|
|
- 67901-get_certificate-fix-cryptography.yml
|
|
- letsencrypt.yml
|
|
- openssl_csr-otherName.yml
|
|
modules:
|
|
- description: Request validation of a domain with the Entrust Certificate Services
|
|
(ECS) API
|
|
name: ecs_domain
|
|
namespace: ''
|
|
- description: Generate Certificate Revocation Lists (CRLs)
|
|
name: x509_crl
|
|
namespace: ''
|
|
- description: Retrieve information on Certificate Revocation Lists (CRLs)
|
|
name: x509_crl_info
|
|
namespace: ''
|
|
release_date: '2020-07-03'
|
|
1.1.0:
|
|
changes:
|
|
bugfixes:
|
|
- acme_inspect - fix problem with Python 3.5 that JSON was not decoded (https://github.com/ansible-collections/community.crypto/issues/86).
|
|
- get_certificate - fix ``ca_cert`` option handling when ``proxy_host`` is used
|
|
(https://github.com/ansible-collections/community.crypto/pull/84).
|
|
- openssl_*, x509_* modules - fix handling of general names which refer to IP
|
|
networks and not IP addresses (https://github.com/ansible-collections/community.crypto/pull/92).
|
|
minor_changes:
|
|
- acme_account - add ``external_account_binding`` option to allow creation of
|
|
ACME accounts with External Account Binding (https://github.com/ansible-collections/community.crypto/issues/89).
|
|
- 'acme_certificate - allow new selector ``test_certificates: first`` for ``select_chain``
|
|
parameter (https://github.com/ansible-collections/community.crypto/pull/102).'
|
|
- cryptography backends - support arbitrary dotted OIDs (https://github.com/ansible-collections/community.crypto/issues/39).
|
|
- get_certificate - add support for SNI (https://github.com/ansible-collections/community.crypto/issues/69).
|
|
- luks_device - add support for encryption options on container creation (https://github.com/ansible-collections/community.crypto/pull/97).
|
|
- openssh_cert - add support for PKCS#11 tokens (https://github.com/ansible-collections/community.crypto/pull/95).
|
|
- openssl_certificate - the PyOpenSSL backend now uses 160 bits of randomness
|
|
for serial numbers, instead of a random number between 1000 and 99999. Please
|
|
note that this is not a high quality random number (https://github.com/ansible-collections/community.crypto/issues/76).
|
|
- openssl_csr - add support for name constraints extension (https://github.com/ansible-collections/community.crypto/issues/46).
|
|
- openssl_csr_info - add support for name constraints extension (https://github.com/ansible-collections/community.crypto/issues/46).
|
|
release_summary: 'Release for Ansible 2.10.0.
|
|
|
|
'
|
|
fragments:
|
|
- 1.1.0.yml
|
|
- 100-acme-account-external-account-binding.yml
|
|
- 102-acme-certificate-select-chain-first.yml
|
|
- 87-acme_inspect-python-3.5.yml
|
|
- 90-cryptography-oids.yml
|
|
- 90-openssl_certificate-pyopenssl-serial.yml
|
|
- 92-ip-networks.yml
|
|
- 92-openssl_csr-name-constraints.yml
|
|
- get_certificate-add_support_for_SNI.yml
|
|
- luks_device-add_encryption_option_on_create.yml
|
|
- openssh_cert-pkcs11.yml
|
|
modules:
|
|
- description: Sign data with openssl
|
|
name: openssl_signature
|
|
namespace: ''
|
|
- description: Verify signatures with openssl
|
|
name: openssl_signature_info
|
|
namespace: ''
|
|
release_date: '2020-08-18'
|
|
1.1.1:
|
|
changes:
|
|
bugfixes:
|
|
- meta/runtime.yml - convert Ansible version numbers for old names of modules
|
|
to collection version numbers (https://github.com/ansible-collections/community.crypto/pull/108).
|
|
- openssl_csr - improve handling of IDNA errors (https://github.com/ansible-collections/community.crypto/issues/105).
|
|
release_summary: Bugfixes for Ansible 2.10.0.
|
|
fragments:
|
|
- 1.1.1.yml
|
|
- 106-openssl_csr-idna-errors.yml
|
|
- 108-meta-runtime-versions.yml
|
|
release_date: '2020-09-14'
|
|
1.2.0:
|
|
changes:
|
|
bugfixes:
|
|
- openssl_pkcs12 - do not crash when reading PKCS#12 file which has no private
|
|
key and/or no main certificate (https://github.com/ansible-collections/community.crypto/issues/103).
|
|
minor_changes:
|
|
- acme_certificate - allow to pass CSR file as content with new option ``csr_content``
|
|
(https://github.com/ansible-collections/community.crypto/pull/115).
|
|
- x509_certificate_info - add ``fingerprints`` return value which returns certificate
|
|
fingerprints (https://github.com/ansible-collections/community.crypto/pull/121).
|
|
release_summary: Please note that this release fixes a security issue (CVE-2020-25646).
|
|
security_fixes:
|
|
- openssl_csr - the option ``privatekey_content`` was not marked as ``no_log``,
|
|
resulting in it being dumped into the system log by default, and returned
|
|
in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125).
|
|
- openssl_privatekey_info - the option ``content`` was not marked as ``no_log``,
|
|
resulting in it being dumped into the system log by default, and returned
|
|
in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125).
|
|
- openssl_publickey - the option ``privatekey_content`` was not marked as ``no_log``,
|
|
resulting in it being dumped into the system log by default, and returned
|
|
in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125).
|
|
- openssl_signature - the option ``privatekey_content`` was not marked as ``no_log``,
|
|
resulting in it being dumped into the system log by default, and returned
|
|
in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125).
|
|
- x509_certificate - the options ``privatekey_content`` and ``ownca_privatekey_content``
|
|
were not marked as ``no_log``, resulting in it being dumped into the system
|
|
log by default, and returned in the registered results in the ``invocation``
|
|
field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125).
|
|
- x509_crl - the option ``privatekey_content`` was not marked as ``no_log``,
|
|
resulting in it being dumped into the system log by default, and returned
|
|
in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125).
|
|
fragments:
|
|
- 1.2.0.yml
|
|
- 109-openssl_pkcs12-crash-no-cert-key.yml
|
|
- 115-acme_certificate-csr_content.yml
|
|
- 121-x509_certificate_info-fingerprints.yml
|
|
- cve-2020-25646.yml
|
|
release_date: '2020-10-13'
|
|
1.3.0:
|
|
changes:
|
|
bugfixes:
|
|
- openssl_pkcs12 - report the correct state when ``action`` is ``parse`` (https://github.com/ansible-collections/community.crypto/issues/143).
|
|
- support code - improve handling of certificate and certificate signing request
|
|
(CSR) loading with the ``cryptography`` backend when errors occur (https://github.com/ansible-collections/community.crypto/issues/138,
|
|
https://github.com/ansible-collections/community.crypto/pull/139).
|
|
- x509_certificate - fix ``entrust`` provider, which was broken since community.crypto
|
|
0.1.0 due to a feature added before the collection move (https://github.com/ansible-collections/community.crypto/pull/135).
|
|
minor_changes:
|
|
- openssh_cert - add module parameter ``use_agent`` to enable using signing
|
|
keys stored in ssh-agent (https://github.com/ansible-collections/community.crypto/issues/116).
|
|
- openssl_csr - refactor module to allow code re-use by openssl_csr_pipe (https://github.com/ansible-collections/community.crypto/pull/123).
|
|
- openssl_privatekey - refactor module to allow code re-use by openssl_privatekey_pipe
|
|
(https://github.com/ansible-collections/community.crypto/pull/119).
|
|
- openssl_privatekey - the elliptic curve ``secp192r1`` now triggers a security
|
|
warning. Elliptic curves of at least 224 bits should be used for new keys;
|
|
see `here <https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec.html#elliptic-curves>`_
|
|
(https://github.com/ansible-collections/community.crypto/pull/132).
|
|
- x509_certificate - for the ``selfsigned`` provider, a CSR is not required
|
|
anymore. If no CSR is provided, the module behaves as if a minimal CSR which
|
|
only contains the public key has been provided (https://github.com/ansible-collections/community.crypto/issues/32,
|
|
https://github.com/ansible-collections/community.crypto/pull/129).
|
|
- x509_certificate - refactor module to allow code re-use by x509_certificate_pipe
|
|
(https://github.com/ansible-collections/community.crypto/pull/135).
|
|
release_summary: 'Contains new modules ``openssl_privatekey_pipe``, ``openssl_csr_pipe``
|
|
and ``x509_certificate_pipe`` which allow to create or update private keys,
|
|
CSRs and X.509 certificates without having to write them to disk.
|
|
|
|
'
|
|
fragments:
|
|
- 1.3.0.yml
|
|
- 117-openssh_cert-use-ssh-agent.yml
|
|
- 129-x509_certificate-no-csr-selfsigned.yml
|
|
- 132-openssl_privatekey-ecc-order.yml
|
|
- 135-x509_certificate-entrust.yml
|
|
- 139-improve-error-handling.yml
|
|
- 145-add-check-for-parsed-pkcs12-files.yml
|
|
- privatekey-csr-certificate-refactoring.yml
|
|
modules:
|
|
- description: Generate OpenSSL Certificate Signing Request (CSR)
|
|
name: openssl_csr_pipe
|
|
namespace: ''
|
|
- description: Generate OpenSSL private keys without disk access
|
|
name: openssl_privatekey_pipe
|
|
namespace: ''
|
|
- description: Generate and/or check OpenSSL certificates
|
|
name: x509_certificate_pipe
|
|
namespace: ''
|
|
release_date: '2020-11-24'
|
|
1.4.0:
|
|
changes:
|
|
bugfixes:
|
|
- acme_certificate - error when requested challenge type is not found for non-valid
|
|
challenges, instead of hanging on step 2 (https://github.com/ansible-collections/community.crypto/issues/171,
|
|
https://github.com/ansible-collections/community.crypto/pull/173).
|
|
minor_changes:
|
|
- The ACME module_utils has been relicensed back from the Simplified BSD License
|
|
(https://opensource.org/licenses/BSD-2-Clause) to the GPLv3+ (same license
|
|
used by most other code in this collection). This undoes a licensing change
|
|
when the original GPLv3+ licensed code was moved to module_utils in https://github.com/ansible/ansible/pull/40697
|
|
(https://github.com/ansible-collections/community.crypto/pull/165).
|
|
- The ``crypto/identify.py`` module_utils has been renamed to ``crypto/pem.py``
|
|
(https://github.com/ansible-collections/community.crypto/pull/166).
|
|
- luks_device - ``new_keyfile``, ``new_passphrase``, ``remove_keyfile`` and
|
|
``remove_passphrase`` are now idempotent (https://github.com/ansible-collections/community.crypto/issues/19,
|
|
https://github.com/ansible-collections/community.crypto/pull/168).
|
|
- luks_device - allow to configure PBKDF (https://github.com/ansible-collections/community.crypto/pull/163).
|
|
- openssl_csr, openssl_csr_pipe - allow to specify CRL distribution endpoints
|
|
with ``crl_distribution_points`` (https://github.com/ansible-collections/community.crypto/issues/147,
|
|
https://github.com/ansible-collections/community.crypto/pull/167).
|
|
- openssl_pkcs12 - allow to specify certificate bundles in ``other_certificates``
|
|
by using new option ``other_certificates_parse_all`` (https://github.com/ansible-collections/community.crypto/issues/149,
|
|
https://github.com/ansible-collections/community.crypto/pull/166).
|
|
release_summary: Release with several new features and bugfixes.
|
|
fragments:
|
|
- 1.4.0.yml
|
|
- 163-luks-pbkdf.yml
|
|
- 166-openssl_pkcs12-certificate-bundles.yml
|
|
- 167-openssl_csr-crl-distribution-points.yml
|
|
- 168-luks_device-add-remove-idempotence.yml
|
|
- 173-acme_certificate-wrong-challenge.yml
|
|
- acme-module-utils-relicense.yml
|
|
release_date: '2021-01-26'
|
|
1.5.0:
|
|
changes:
|
|
bugfixes:
|
|
- openssl_csr - no longer fails when comparing CSR without basic constraint
|
|
when ``basic_constraints`` is specified (https://github.com/ansible-collections/community.crypto/issues/179,
|
|
https://github.com/ansible-collections/community.crypto/pull/180).
|
|
deprecated_features:
|
|
- acme_account_info - when ``retrieve_orders=url_list``, ``orders`` will no
|
|
longer be returned in community.crypto 2.0.0. Use ``order_uris`` instead (https://github.com/ansible-collections/community.crypto/pull/178).
|
|
minor_changes:
|
|
- acme_account_info - when ``retrieve_orders`` is not ``ignore`` and the ACME
|
|
server allows to query orders, the new return value ``order_uris`` is always
|
|
populated with a list of URIs (https://github.com/ansible-collections/community.crypto/pull/178).
|
|
- luks_device - allow to specify sector size for LUKS2 containers with new ``sector_size``
|
|
parameter (https://github.com/ansible-collections/community.crypto/pull/193).
|
|
release_summary: Regular feature and bugfix release. Deprecates a return value.
|
|
fragments:
|
|
- 1.5.0.yml
|
|
- 178-acme_account_info-orders-urls.yml
|
|
- 179-openssl-csr-basic-constraint.yml
|
|
- 193-luks_device-sector_size.yml
|
|
release_date: '2021-03-08'
|