Fixes compatibility issues with the latest ansible-core 2.11 beta, and contains a lot of internal refactoring for the ACME modules and support for private key passphrases for them.
- acme module_utils - the
acmemodule_utils has been split up into several Python modules (ansible-collections#184). - acme_* modules - codebase refactor which should not be visible to end-users (ansible-collections#184).
- acme_* modules - support account key passphrases for
cryptographybackend (ansible-collections#197, ansible-collections#207). - acme_certificate_revoke - support revoking by private keys that are passphrase protected for
cryptographybackend (ansible-collections#207). - acme_challenge_cert_helper - add
private_key_passphraseparameter (ansible-collections#207).
- acme module_utils - the
acmemodule_utils (ansible_collections.community.crypto.plugins.module_utils.acme) is deprecated and will be removed in community.crypto 2.0.0. Use the new Python modules in theacmepackage instead (ansible_collections.community.crypto.plugins.module_utils.acme.xxx) (ansible-collections#184).
- action_module plugin helper - make compatible with latest changes in ansible-core 2.11.0b3 (ansible-collections#202).
- openssl_privatekey_pipe - make compatible with latest changes in ansible-core 2.11.0b3 (ansible-collections#202).
Regular feature and bugfix release. Deprecates a return value.
- acme_account_info - when
retrieve_ordersis notignoreand the ACME server allows to query orders, the new return valueorder_urisis always populated with a list of URIs (ansible-collections#178). - luks_device - allow to specify sector size for LUKS2 containers with new
sector_sizeparameter (ansible-collections#193).
- acme_account_info - when
retrieve_orders=url_list,orderswill no longer be returned in community.crypto 2.0.0. Useorder_urisinstead (ansible-collections#178).
- openssl_csr - no longer fails when comparing CSR without basic constraint when
basic_constraintsis specified (ansible-collections#179, ansible-collections#180).
Release with several new features and bugfixes.
- The ACME module_utils has been relicensed back from the Simplified BSD License (https://opensource.org/licenses/BSD-2-Clause) to the GPLv3+ (same license used by most other code in this collection). This undoes a licensing change when the original GPLv3+ licensed code was moved to module_utils in ansible/ansible#40697 (ansible-collections#165).
- The
crypto/identify.pymodule_utils has been renamed tocrypto/pem.py(ansible-collections#166). - luks_device -
new_keyfile,new_passphrase,remove_keyfileandremove_passphraseare now idempotent (ansible-collections#19, ansible-collections#168). - luks_device - allow to configure PBKDF (ansible-collections#163).
- openssl_csr, openssl_csr_pipe - allow to specify CRL distribution endpoints with
crl_distribution_points(ansible-collections#147, ansible-collections#167). - openssl_pkcs12 - allow to specify certificate bundles in
other_certificatesby using new optionother_certificates_parse_all(ansible-collections#149, ansible-collections#166).
- acme_certificate - error when requested challenge type is not found for non-valid challenges, instead of hanging on step 2 (ansible-collections#171, ansible-collections#173).
Contains new modules openssl_privatekey_pipe, openssl_csr_pipe and x509_certificate_pipe which allow to create or update private keys, CSRs and X.509 certificates without having to write them to disk.
- openssh_cert - add module parameter
use_agentto enable using signing keys stored in ssh-agent (ansible-collections#116). - openssl_csr - refactor module to allow code re-use by openssl_csr_pipe (ansible-collections#123).
- openssl_privatekey - refactor module to allow code re-use by openssl_privatekey_pipe (ansible-collections#119).
- openssl_privatekey - the elliptic curve
secp192r1now triggers a security warning. Elliptic curves of at least 224 bits should be used for new keys; see here (ansible-collections#132). - x509_certificate - for the
selfsignedprovider, a CSR is not required anymore. If no CSR is provided, the module behaves as if a minimal CSR which only contains the public key has been provided (ansible-collections#32, ansible-collections#129). - x509_certificate - refactor module to allow code re-use by x509_certificate_pipe (ansible-collections#135).
- openssl_pkcs12 - report the correct state when
actionisparse(ansible-collections#143). - support code - improve handling of certificate and certificate signing request (CSR) loading with the
cryptographybackend when errors occur (ansible-collections#138, ansible-collections#139). - x509_certificate - fix
entrustprovider, which was broken since community.crypto 0.1.0 due to a feature added before the collection move (ansible-collections#135).
- openssl_csr_pipe - Generate OpenSSL Certificate Signing Request (CSR)
- openssl_privatekey_pipe - Generate OpenSSL private keys without disk access
- x509_certificate_pipe - Generate and/or check OpenSSL certificates
Please note that this release fixes a security issue (CVE-2020-25646).
- acme_certificate - allow to pass CSR file as content with new option
csr_content(ansible-collections#115). - x509_certificate_info - add
fingerprintsreturn value which returns certificate fingerprints (ansible-collections#121).
- openssl_csr - the option
privatekey_contentwas not marked asno_log, resulting in it being dumped into the system log by default, and returned in the registered results in theinvocationfield (CVE-2020-25646, ansible-collections#125). - openssl_privatekey_info - the option
contentwas not marked asno_log, resulting in it being dumped into the system log by default, and returned in the registered results in theinvocationfield (CVE-2020-25646, ansible-collections#125). - openssl_publickey - the option
privatekey_contentwas not marked asno_log, resulting in it being dumped into the system log by default, and returned in the registered results in theinvocationfield (CVE-2020-25646, ansible-collections#125). - openssl_signature - the option
privatekey_contentwas not marked asno_log, resulting in it being dumped into the system log by default, and returned in the registered results in theinvocationfield (CVE-2020-25646, ansible-collections#125). - x509_certificate - the options
privatekey_contentandownca_privatekey_contentwere not marked asno_log, resulting in it being dumped into the system log by default, and returned in the registered results in theinvocationfield (CVE-2020-25646, ansible-collections#125). - x509_crl - the option
privatekey_contentwas not marked asno_log, resulting in it being dumped into the system log by default, and returned in the registered results in theinvocationfield (CVE-2020-25646, ansible-collections#125).
- openssl_pkcs12 - do not crash when reading PKCS#12 file which has no private key and/or no main certificate (ansible-collections#103).
Bugfixes for Ansible 2.10.0.
- meta/runtime.yml - convert Ansible version numbers for old names of modules to collection version numbers (ansible-collections#108).
- openssl_csr - improve handling of IDNA errors (ansible-collections#105).
Release for Ansible 2.10.0.
- acme_account - add
external_account_bindingoption to allow creation of ACME accounts with External Account Binding (ansible-collections#89). - acme_certificate - allow new selector
test_certificates: firstforselect_chainparameter (ansible-collections#102). - cryptography backends - support arbitrary dotted OIDs (ansible-collections#39).
- get_certificate - add support for SNI (ansible-collections#69).
- luks_device - add support for encryption options on container creation (ansible-collections#97).
- openssh_cert - add support for PKCS#11 tokens (ansible-collections#95).
- openssl_certificate - the PyOpenSSL backend now uses 160 bits of randomness for serial numbers, instead of a random number between 1000 and 99999. Please note that this is not a high quality random number (ansible-collections#76).
- openssl_csr - add support for name constraints extension (ansible-collections#46).
- openssl_csr_info - add support for name constraints extension (ansible-collections#46).
- acme_inspect - fix problem with Python 3.5 that JSON was not decoded (ansible-collections#86).
- get_certificate - fix
ca_certoption handling whenproxy_hostis used (ansible-collections#84). - openssl_*, x509_* modules - fix handling of general names which refer to IP networks and not IP addresses (ansible-collections#92).
- openssl_signature - Sign data with openssl
- openssl_signature_info - Verify signatures with openssl
This is the first proper release of the community.crypto collection. This changelog contains all changes to the modules in this collection that were added after the release of Ansible 2.9.0.
- luks_device - accept
passphrase,new_passphraseandremove_passphrase. - luks_device - add
keysizeparameter to set key size at LUKS container creation - luks_device - added support to use UUIDs, and labels with LUKS2 containers
- luks_device - added the
typeoption that allows user explicit define the LUKS container format version - openssh_keypair - instead of regenerating some broken or password protected keys, fail the module. Keys can still be regenerated by calling the module with
force=yes. - openssh_keypair - the
regenerateoption allows to configure the module's behavior when it should or needs to regenerate private keys. - openssl_* modules - the cryptography backend now properly supports
dirName,otherNameandRID(Registered ID) names. - openssl_certificate - Add option for changing which ACME directory to use with acme-tiny. Set the default ACME directory to Let's Encrypt instead of using acme-tiny's default. (acme-tiny also uses Let's Encrypt at the time being, so no action should be neccessary.)
- openssl_certificate - Change the required version of acme-tiny to >= 4.0.0
- openssl_certificate - allow to provide content of some input files via the
csr_content,privatekey_content,ownca_privatekey_contentandownca_contentoptions. - openssl_certificate - allow to return the existing/generated certificate directly as
certificateby settingreturn_contenttoyes. - openssl_certificate_info - allow to provide certificate content via
contentoption (ansible/ansible#64776). - openssl_csr - Add support for specifying the SAN
otherNamevalue in the OpenSSL ASN.1 UTF8 string format,otherName:<OID>;UTF8:string value. - openssl_csr - allow to provide private key content via
private_key_contentoption. - openssl_csr - allow to return the existing/generated CSR directly as
csrby settingreturn_contenttoyes. - openssl_csr_info - allow to provide CSR content via
contentoption. - openssl_dhparam - allow to return the existing/generated DH params directly as
dhparamsby settingreturn_contenttoyes. - openssl_dhparam - now supports a
cryptography-based backend. Auto-detection can be overwritten with theselect_crypto_backendoption. - openssl_pkcs12 - allow to return the existing/generated PKCS#12 directly as
pkcs12by settingreturn_contenttoyes. - openssl_privatekey - add
formatandformat_mismatchoptions. - openssl_privatekey - allow to return the existing/generated private key directly as
privatekeyby settingreturn_contenttoyes. - openssl_privatekey - the
regenerateoption allows to configure the module's behavior when it should or needs to regenerate private keys. - openssl_privatekey_info - allow to provide private key content via
contentoption. - openssl_publickey - allow to provide private key content via
private_key_contentoption. - openssl_publickey - allow to return the existing/generated public key directly as
publickeyby settingreturn_contenttoyes.
- openssl_csr - all values for the
versionoption except1are deprecated. The value 1 denotes the current only standardized CSR version.
- The
letsencryptmodule has been removed. Useacme_certificateinstead.
- ACME modules: fix bug in ACME v1 account update code
- ACME modules: make sure some connection errors are handled properly
- ACME modules: support Buypass' ACME v1 endpoint
- acme_certificate - fix crash when module is used with Python 2.x.
- acme_certificate - fix misbehavior when ACME v1 is used with
modify_accountset tofalse. - ecs_certificate - Always specify header
connection: keep-alivefor ECS API connections. - ecs_certificate - Fix formatting of contents of
full_chain_path. - get_certificate - Fix cryptography backend when pyopenssl is unavailable (ansible/ansible#67900)
- openssh_keypair - add logic to avoid breaking password protected keys.
- openssh_keypair - fixes idempotence issue with public key (ansible/ansible#64969).
- openssh_keypair - public key's file attributes (permissions, owner, group, etc.) are now set to the same values as the private key.
- openssl_* modules - prevent crash on fingerprint determination in FIPS mode (ansible/ansible#67213).
- openssl_certificate - When provider is
entrust, use aconnection: keep-aliveheader for ECS API connections. - openssl_certificate -
provideroption was documented as required, but it was not checked whether it was provided. It is now only required whenstateispresent. - openssl_certificate - fix
assertonlyprovider certificate verification, causing 'private key mismatch' and 'subject mismatch' errors. - openssl_certificate and openssl_csr - fix Ed25519 and Ed448 private key support for
cryptographybackend. This probably needs at least cryptography 2.8, since older versions have problems with signing certificates or CSRs with such keys. (ansible/ansible#59039, PR ansible/ansible#63984) - openssl_csr - a warning is issued if an unsupported value for
versionis used for thecryptographybackend. - openssl_csr - the module will now enforce that
privatekey_pathis specified whenstate=present. - openssl_publickey - fix a module crash caused when pyOpenSSL is not installed (ansible/ansible#67035).
- ecs_domain - Request validation of a domain with the Entrust Certificate Services (ECS) API
- x509_crl - Generate Certificate Revocation Lists (CRLs)
- x509_crl_info - Retrieve information on Certificate Revocation Lists (CRLs)