==============================
Community Crypto Release Notes
==============================

.. contents:: Topics

v1.1.1
======

Release Summary
---------------

Bugfixes for Ansible 2.10.0.

Bugfixes
--------

- meta/runtime.yml - convert Ansible version numbers for old names of modules to collection version numbers (https://github.com/ansible-collections/community.crypto/pull/108).
- openssl_csr - improve handling of IDNA errors (https://github.com/ansible-collections/community.crypto/issues/105).

v1.1.0
======

Release Summary
---------------

Release for Ansible 2.10.0.

Minor Changes
-------------

- acme_account - add ``external_account_binding`` option to allow creation of ACME accounts with External Account Binding (https://github.com/ansible-collections/community.crypto/issues/89).
- acme_certificate - allow new selector ``test_certificates: first`` for ``select_chain`` parameter (https://github.com/ansible-collections/community.crypto/pull/102).
- cryptography backends - support arbitrary dotted OIDs (https://github.com/ansible-collections/community.crypto/issues/39).
- get_certificate - add support for SNI (https://github.com/ansible-collections/community.crypto/issues/69).
- luks_device - add support for encryption options on container creation (https://github.com/ansible-collections/community.crypto/pull/97).
- openssh_cert - add support for PKCS#11 tokens (https://github.com/ansible-collections/community.crypto/pull/95).
- openssl_certificate - the PyOpenSSL backend now uses 160 bits of randomness for serial numbers, instead of a random number between 1000 and 99999. Please note that this is not a high quality random number (https://github.com/ansible-collections/community.crypto/issues/76).
- openssl_csr - add support for name constraints extension (https://github.com/ansible-collections/community.crypto/issues/46).
- openssl_csr_info - add support for name constraints extension (https://github.com/ansible-collections/community.crypto/issues/46).

Bugfixes
--------

- acme_inspect - fix problem with Python 3.5 that JSON was not decoded (https://github.com/ansible-collections/community.crypto/issues/86).
- get_certificate - fix ``ca_cert`` option handling when ``proxy_host`` is used (https://github.com/ansible-collections/community.crypto/pull/84).
- openssl_*, x509_* modules - fix handling of general names which refer to IP networks and not IP addresses (https://github.com/ansible-collections/community.crypto/pull/92).

New Modules
-----------

- openssl_signature - Sign data with openssl
- openssl_signature_info - Verify signatures with openssl

v1.0.0
======

Release Summary
---------------

This is the first proper release of the ``community.crypto`` collection. This changelog contains all changes to the modules in this collection that were added after the release of Ansible 2.9.0.

Minor Changes
-------------

- luks_device - accept ``passphrase``, ``new_passphrase`` and ``remove_passphrase``.
- luks_device - add ``keysize`` parameter to set key size at LUKS container creation
- luks_device - added support to use UUIDs, and labels with LUKS2 containers
- luks_device - added the ``type`` option that allows the user to explicitly define the LUKS container format version
- openssh_keypair - instead of regenerating some broken or password protected keys, fail the module. Keys can still be regenerated by calling the module with ``force=yes``.
- openssh_keypair - the ``regenerate`` option allows to configure the module's behavior when it should or needs to regenerate private keys.
- openssl_* modules - the cryptography backend now properly supports ``dirName``, ``otherName`` and ``RID`` (Registered ID) names.
- openssl_certificate - Add option for changing which ACME directory to use with acme-tiny. Set the default ACME directory to Let's Encrypt instead of using acme-tiny's default. (acme-tiny also uses Let's Encrypt at the time being, so no action should be necessary.)
- openssl_certificate - Change the required version of acme-tiny to >= 4.0.0
- openssl_certificate - allow to provide content of some input files via the ``csr_content``, ``privatekey_content``, ``ownca_privatekey_content`` and ``ownca_content`` options.
- openssl_certificate - allow to return the existing/generated certificate directly as ``certificate`` by setting ``return_content`` to ``yes``.
- openssl_certificate_info - allow to provide certificate content via ``content`` option (https://github.com/ansible/ansible/issues/64776).
- openssl_csr - Add support for specifying the SAN ``otherName`` value in the OpenSSL ASN.1 UTF8 string format, ``otherName:<OID>;UTF8:string value``.
- openssl_csr - allow to provide private key content via ``private_key_content`` option.
- openssl_csr - allow to return the existing/generated CSR directly as ``csr`` by setting ``return_content`` to ``yes``.
- openssl_csr_info - allow to provide CSR content via ``content`` option.
- openssl_dhparam - allow to return the existing/generated DH params directly as ``dhparams`` by setting ``return_content`` to ``yes``.
- openssl_dhparam - now supports a ``cryptography``-based backend. Auto-detection can be overwritten with the ``select_crypto_backend`` option.
- openssl_pkcs12 - allow to return the existing/generated PKCS#12 directly as ``pkcs12`` by setting ``return_content`` to ``yes``.
- openssl_privatekey - add ``format`` and ``format_mismatch`` options.
- openssl_privatekey - allow to return the existing/generated private key directly as ``privatekey`` by setting ``return_content`` to ``yes``.
- openssl_privatekey - the ``regenerate`` option allows to configure the module's behavior when it should or needs to regenerate private keys.
- openssl_privatekey_info - allow to provide private key content via ``content`` option.
- openssl_publickey - allow to provide private key content via ``private_key_content`` option.
- openssl_publickey - allow to return the existing/generated public key directly as ``publickey`` by setting ``return_content`` to ``yes``.

Deprecated Features
-------------------

- openssl_csr - all values for the ``version`` option except ``1`` are deprecated. The value 1 denotes the current only standardized CSR version.

Removed Features (previously deprecated)
----------------------------------------

- The ``letsencrypt`` module has been removed. Use ``acme_certificate`` instead.

Bugfixes
--------

- ACME modules: fix bug in ACME v1 account update code
- ACME modules: make sure some connection errors are handled properly
- ACME modules: support Buypass' ACME v1 endpoint
- acme_certificate - fix crash when module is used with Python 2.x.
- acme_certificate - fix misbehavior when ACME v1 is used with ``modify_account`` set to ``false``.
- ecs_certificate - Always specify header ``connection: keep-alive`` for ECS API connections.
- ecs_certificate - Fix formatting of contents of ``full_chain_path``.
- get_certificate - Fix cryptography backend when pyopenssl is unavailable (https://github.com/ansible/ansible/issues/67900).
- openssh_keypair - add logic to avoid breaking password protected keys.
- openssh_keypair - fixes idempotence issue with public key (https://github.com/ansible/ansible/issues/64969).
- openssh_keypair - public key's file attributes (permissions, owner, group, etc.) are now set to the same values as the private key.
- openssl_* modules - prevent crash on fingerprint determination in FIPS mode (https://github.com/ansible/ansible/issues/67213).
- openssl_certificate - When provider is ``entrust``, use a ``connection: keep-alive`` header for ECS API connections.
- openssl_certificate - ``provider`` option was documented as required, but it was not checked whether it was provided. It is now only required when ``state`` is ``present``.
- openssl_certificate - fix ``assertonly`` provider certificate verification, causing 'private key mismatch' and 'subject mismatch' errors.
- openssl_certificate and openssl_csr - fix Ed25519 and Ed448 private key support for ``cryptography`` backend. This probably needs at least cryptography 2.8, since older versions have problems with signing certificates or CSRs with such keys. (https://github.com/ansible/ansible/issues/59039, PR https://github.com/ansible/ansible/pull/63984)
- openssl_csr - a warning is issued if an unsupported value for ``version`` is used for the ``cryptography`` backend.
- openssl_csr - the module will now enforce that ``privatekey_path`` is specified when ``state=present``.
- openssl_publickey - fix a module crash caused when pyOpenSSL is not installed (https://github.com/ansible/ansible/issues/67035).

New Modules
-----------

- ecs_domain - Request validation of a domain with the Entrust Certificate Services (ECS) API
- x509_crl - Generate Certificate Revocation Lists (CRLs)
- x509_crl_info - Retrieve information on Certificate Revocation Lists (CRLs)