ansible/test/integration/targets/get_certificate/tests/validate.yml

- name: Get servers certificate
  get_certificate:
    host: "{{ httpbin_host }}"
    port: 443
  register: result

- debug: var=result

- assert:
    that:
      # This module should never change anything
      - result is not changed
      - result is not failed
      # We got the correct ST from the cert
      - "'North Carolina' == result.subject.ST"

- name: Connect to http port (will fail because there is no SSL cert to get)
  get_certificate:
    host: "{{ httpbin_host }}"
    port: 80
  register: result
  ignore_errors: true

- assert:
    that:
      - result is not changed
      - result is failed
      # We got the expected error message
      - "'The handshake operation timed out' in result.msg or 'unknown protocol' in result.msg or 'wrong version number' in result.msg"
 
- name: Test timeout option
  get_certificate:
    host: "{{ httpbin_host }}"
    port: 1234
    timeout: 1
  register: result
  ignore_errors: true

- assert:
    that:
      - result is not changed
      - result is failed
      # We got the expected error message
      - "'Failed to get cert from port with error: timed out' == result.msg or 'Connection refused' in result.msg"

- name: Test failure if ca_cert is not a valid file
  get_certificate:
    host: "{{ httpbin_host }}"
    port: 443
    ca_cert: dn.e
  register: result
  ignore_errors: true

- assert:
    that:
      - result is not changed
      - result is failed
      # We got the correct response from the module
      - "'ca_cert file does not exist' == result.msg"

- name: Download CA Cert as pem from server
  get_url:
    url: "http://ansible.http.tests/cacert.pem"
    dest: "{{ output_dir }}/temp.pem"

- name: Get servers certificate comparing it to its own ca_cert file
  get_certificate:
    ca_cert: '{{ output_dir }}/temp.pem'
    host: "{{ httpbin_host }}"
    port: 443
  register: result

- assert:
    that:
      - result is not changed
      - result is not failed

- name: Get a temp directory
  tempfile:
    state: directory
  register: my_temp_dir

- name: Deploy the bogus_ca.pem file
  copy:
    src: "bogus_ca.pem"
    dest: "{{ my_temp_dir.path }}/bogus_ca.pem"

- name: Get servers certificate comparing it to an invalid ca_cert file
  get_certificate:
    ca_cert: '{{ my_temp_dir.path }}/bogus_ca.pem'
    host: "{{ httpbin_host }}"
    port: 443
  register: result
  ignore_errors: true

- assert:
    that:
      - result is not changed
      - result.failed
Added get_certificate module (#41735) * Added get_certificate module. * Fixed test against bogus_ca.pem file 6 years ago			`- name: Get servers certificate`
			`get_certificate:`
			`host: "{{ httpbin_host }}"`
			`port: 443`
			`register: result`

			`- debug: var=result`

			`- assert:`
			`that:`
			`# This module should never change anything`
			`- result is not changed`
			`- result is not failed`
			`# We got the correct ST from the cert`
			`- "'North Carolina' == result.subject.ST"`

			`- name: Connect to http port (will fail because there is no SSL cert to get)`
			`get_certificate:`
			`host: "{{ httpbin_host }}"`
			`port: 80`
			`register: result`
			`ignore_errors: true`

			`- assert:`
			`that:`
			`- result is not changed`
			`- result is failed`
			`# We got the expected error message`
			`- "'The handshake operation timed out' in result.msg or 'unknown protocol' in result.msg or 'wrong version number' in result.msg"`

			`- name: Test timeout option`
			`get_certificate:`
			`host: "{{ httpbin_host }}"`
			`port: 1234`
			`timeout: 1`
			`register: result`
			`ignore_errors: true`

			`- assert:`
			`that:`
			`- result is not changed`
			`- result is failed`
			`# We got the expected error message`
			`- "'Failed to get cert from port with error: timed out' == result.msg or 'Connection refused' in result.msg"`

Stop using ca_certs alias. (#54507) 6 years ago			`- name: Test failure if ca_cert is not a valid file`
Added get_certificate module (#41735) * Added get_certificate module. * Fixed test against bogus_ca.pem file 6 years ago			`get_certificate:`
			`host: "{{ httpbin_host }}"`
			`port: 443`
Stop using ca_certs alias. (#54507) 6 years ago			`ca_cert: dn.e`
Added get_certificate module (#41735) * Added get_certificate module. * Fixed test against bogus_ca.pem file 6 years ago			`register: result`
			`ignore_errors: true`

			`- assert:`
			`that:`
			`- result is not changed`
			`- result is failed`
			`# We got the correct response from the module`
standardize TLS connection properties (#54315) * openstack: standardize tls params * tower: tower_verify_ssl->validate_certs * docker: use standard tls config params - cacert_path -> ca_cert - cert_path -> client_cert - key_path -> client_key - tls_verify -> validate_certs * k8s: standardize tls connection params - verify_ssl -> validate_certs - ssl_ca_cert -> ca_cert - cert_file -> client_cert - key_file -> client_key * ingate: verify_ssl -> validate_certs * manageiq: standardize tls params - verify_ssl -> validate_certs - ca_bundle_path -> ca_cert * mysql: standardize tls params - ssl_ca -> ca_cert - ssl_cert -> client_cert - ssl_key -> client_key * nios: ssl_verify -> validate_certs * postgresql: ssl_rootcert -> ca_cert * rabbitmq: standardize tls params - cacert -> ca_cert - cert -> client_cert - key -> client_key * rackspace: verify_ssl -> validate_certs * vca: verify_certs -> validate_certs * kubevirt_cdi_upload: upload_host_verify_ssl -> upload_host_validate_certs * lxd: standardize tls params - key_file -> client_key - cert_file -> client_cert * get_certificate: ca_certs -> ca_cert * get_certificate.py: clarify one or more certs in a file Co-Authored-By: jamescassell <code@james.cassell.me> * zabbix: tls_issuer -> ca_cert * bigip_device_auth_ldap: standardize tls params - ssl_check_peer -> validate_certs - ssl_client_cert -> client_cert - ssl_client_key -> client_key - ssl_ca_cert -> ca_cert * vdirect: vdirect_validate_certs -> validate_certs * mqtt: standardize tls params - ca_certs -> ca_cert - certfile -> client_cert - keyfile -> client_key * pulp_repo: standardize tls params remove `importer_ssl` prefix * rhn_register: sslcacert -> ca_cert * yum_repository: standardize tls params The fix for yum_repository is not straightforward since this module is only a thin wrapper for the underlying commands and config. In this case, we add the new values as aliases, keeping the old as primary, only due to the internal structure of the module. Aliases added: - sslcacert -> ca_cert - sslclientcert -> client_cert - sslclientkey -> client_key - sslverify -> validate_certs * gitlab_hook: enable_ssl_verification -> hook_validate_certs * Adjust arguments for docker_swarm inventory plugin. * foreman callback: standardize tls params - ssl_cert -> client_cert - ssl_key -> client_key * grafana_annotations: validate_grafana_certs -> validate_certs * nrdp callback: validate_nrdp_certs -> validate_certs * kubectl connection: standardize tls params - kubectl_cert_file -> client_cert - kubectl_key_file -> client_key - kubectl_ssl_ca_cert -> ca_cert - kubectl_verify_ssl -> validate_certs * oc connection: standardize tls params - oc_cert_file -> client_cert - oc_key_file -> client_key - oc_ssl_ca_cert -> ca_cert - oc_verify_ssl -> validate_certs * psrp connection: cert_trust_path -> ca_cert TODO: cert_validation -> validate_certs (multi-valued vs bool) * k8s inventory: standardize tls params - cert_file -> client_cert - key_file -> client_key - ca_cert -> ca_cert - verify_ssl -> validate_certs * openshift inventory: standardize tls params - cert_file -> client_cert - key_file -> client_key - ca_cert -> ca_cert - verify_ssl -> validate_certs * tower inventory: verify_ssl -> validate_certs * hashi_vault lookup: cacert -> ca_cert * k8s lookup: standardize tls params - cert_file -> client_cert - key_file -> client_key - ca_cert -> ca_cert - verify_ssl -> validate_certs * laps_passord lookup: cacert_file -> ca_cert * changelog for TLS parameter standardization 6 years ago			`- "'ca_cert file does not exist' == result.msg"`
Added get_certificate module (#41735) * Added get_certificate module. * Fixed test against bogus_ca.pem file 6 years ago
			`- name: Download CA Cert as pem from server`
			`get_url:`
			`url: "http://ansible.http.tests/cacert.pem"`
			`dest: "{{ output_dir }}/temp.pem"`

			`- name: Get servers certificate comparing it to its own ca_cert file`
			`get_certificate:`
Stop using ca_certs alias. (#54507) 6 years ago			`ca_cert: '{{ output_dir }}/temp.pem'`
Added get_certificate module (#41735) * Added get_certificate module. * Fixed test against bogus_ca.pem file 6 years ago			`host: "{{ httpbin_host }}"`
			`port: 443`
			`register: result`

			`- assert:`
			`that:`
			`- result is not changed`
			`- result is not failed`

			`- name: Get a temp directory`
			`tempfile:`
			`state: directory`
			`register: my_temp_dir`

			`- name: Deploy the bogus_ca.pem file`
			`copy:`
			`src: "bogus_ca.pem"`
			`dest: "{{ my_temp_dir.path }}/bogus_ca.pem"`

			`- name: Get servers certificate comparing it to an invalid ca_cert file`
			`get_certificate:`
Stop using ca_certs alias. (#54507) 6 years ago			`ca_cert: '{{ my_temp_dir.path }}/bogus_ca.pem'`
Added get_certificate module (#41735) * Added get_certificate module. * Fixed test against bogus_ca.pem file 6 years ago			`host: "{{ httpbin_host }}"`
			`port: 443`
			`register: result`
			`ignore_errors: true`

			`- assert:`
			`that:`
			`- result is not changed`
			`- result.failed`