diff --git a/lib/ansible/module_utils/yumdnf.py b/lib/ansible/module_utils/yumdnf.py
index bdcf5ad7f72..9ee2e530a25 100644
--- a/lib/ansible/module_utils/yumdnf.py
+++ b/lib/ansible/module_utils/yumdnf.py
@@ -45,6 +45,7 @@ yumdnf_argument_spec = dict(
 update_only=dict(required=False, default="no", type='bool'),
 validate_certs=dict(type='bool', default=True),
 sslverify=dict(type='bool', default=True),
+ sslverifystatus=dict(type='bool', default=False),
 lock_timeout=dict(type='int', default=30),
 ),
 required_one_of=[['name', 'list', 'update_cache']],
@@ -93,6 +94,7 @@ class YumDnf(metaclass=ABCMeta):
 self.update_cache = self.module.params['update_cache']
 self.validate_certs = self.module.params['validate_certs']
 self.sslverify = self.module.params['sslverify']
+ self.sslverifystatus = self.module.params['sslverifystatus']
 self.lock_timeout = self.module.params['lock_timeout']
 
 # It's possible someone passed a comma separated string since it used
diff --git a/lib/ansible/modules/dnf.py b/lib/ansible/modules/dnf.py
index 6b0ae995c97..c30075149c0 100644
--- a/lib/ansible/modules/dnf.py
+++ b/lib/ansible/modules/dnf.py
@@ -198,6 +198,13 @@ options:
 type: bool
 default: "yes"
 version_added: "2.13"
+ sslverifystatus:
+ description:
+ - Enables or disables SSL certificate revocation status checking for the repository server.
+ - This should be set to V(false) if the repository server does not support OCSP stapling.
+ type: bool
+ default: "no"
+ version_added: "2.19"
 allow_downgrade:
 description:
 - Specify if the named package and version is allowed to downgrade
@@ -504,7 +511,7 @@ class DnfModule(YumDnf):
 results=[]
 )
 
- def _configure_base(self, base, conf_file, disable_gpg_check, installroot='/', sslverify=True):
+ def _configure_base(self, base, conf_file, disable_gpg_check, installroot='/', sslverify=True, sslverifystatus=False):
 """Configure the dnf Base object."""
 conf = base.conf
 
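Review bot: The new `sslverifystatus=dict(type='bool', default=False)` means every run of the dnf and dnf5 modules writes `False` into the dnf configuration, because the dnf.py hunk at @@ -535 and the dnf5.py hunk at @@ -594 assign `conf.sslverifystatus` unconditionally; if that assignment runs after the configuration file has been read (the surrounding code is outside these hunks), a host that turned revocation checking on in its dnf.conf silently loses it whenever a play uses the default. `False` does match dnf's own default, but unlike `sslverify=True` it is the weaker of the two settings, so a default of `None` would be safer: `sslverifystatus=dict(type='bool'),` here, and `if sslverifystatus is not None: conf.sslverifystatus = sslverifystatus` in the two module hunks (dnf5 reads `self.sslverifystatus`). The DOCUMENTATION blocks in this change would then drop `default: "no"` and state that the value from the repository configuration is kept unless the option is set explicitly.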
@@ -535,6 +542,7 @@ class DnfModule(YumDnf):
 
 # Set certificate validation
 conf.sslverify = sslverify
+ conf.sslverifystatus = sslverifystatus
 
 # Set installroot
 if not os.path.isdir(installroot):
@@ -629,10 +637,10 @@ class DnfModule(YumDnf):
 repo.gpgcheck = False
 repo.repo_gpgcheck = False
 
- def _base(self, conf_file, disable_gpg_check, disablerepo, enablerepo, installroot, sslverify):
+ def _base(self, conf_file, disable_gpg_check, disablerepo, enablerepo, installroot, sslverify, sslverifystatus):
 """Return a fully configured dnf Base object."""
 base = dnf.Base()
- self._configure_base(base, conf_file, disable_gpg_check, installroot, sslverify)
+ self._configure_base(base, conf_file, disable_gpg_check, installroot, sslverify, sslverifystatus)
 
 base.setup_loggers()
 base.init_plugins(set(self.disable_plugin), set(self.enable_plugin))
@@ -1206,7 +1214,7 @@ class DnfModule(YumDnf):
 if self.update_cache and not self.names and not self.list:
 self.base = self._base(
 self.conf_file, self.disable_gpg_check, self.disablerepo,
- self.enablerepo, self.installroot, self.sslverify
+ self.enablerepo, self.installroot, self.sslverify, self.sslverifystatus
 )
 self.module.exit_json(
 msg="Cache updated",
@@ -1224,7 +1232,7 @@ class DnfModule(YumDnf):
 if self.list:
 self.base = self._base(
 self.conf_file, self.disable_gpg_check, self.disablerepo,
- self.enablerepo, self.installroot, self.sslverify
+ self.enablerepo, self.installroot, self.sslverify, self.sslverifystatus
 )
 self.list_items(self.list)
 else:
@@ -1237,7 +1245,7 @@ class DnfModule(YumDnf):
 )
 self.base = self._base(
 self.conf_file, self.disable_gpg_check, self.disablerepo,
- self.enablerepo, self.installroot, self.sslverify
+ self.enablerepo, self.installroot, self.sslverify, self.sslverifystatus
 )
 
 if self.with_modules:
diff --git a/lib/ansible/modules/dnf5.py b/lib/ansible/modules/dnf5.py
index 4d619a39511..846c41b936f 100644
--- a/lib/ansible/modules/dnf5.py
+++ b/lib/ansible/modules/dnf5.py
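Review bot: In the @@ -629 hunk `_base` now takes seven positional parameters, and the three call sites in the @@ -1206, @@ -1224 and @@ -1237 hunks pass `self.sslverify, self.sslverifystatus` purely by position, so the two adjacent booleans are told apart only by their order and a future swap would silently change TLS behaviour instead of failing. If `_base` has no other callers (none are visible here), declaring the new parameter keyword-only, `def _base(self, conf_file, disable_gpg_check, disablerepo, enablerepo, installroot, sslverify, *, sslverifystatus):`, and passing `sslverifystatus=self.sslverifystatus` at the three call sites would make such a mistake a TypeError. The same keyword form would suit `_configure_base` in the @@ -504 hunk on the previous line, whose `sslverifystatus=False` default repeats the argument-spec default and could then be dropped. The `# Set certificate validation` comment in the @@ -535 hunk now heads two assignments; `# Set certificate validation and revocation-status (OCSP) checking` would cover both.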
@@ -168,6 +168,13 @@ options:
 - This should be set to V(false) if one of the configured repositories is using an untrusted or self-signed certificate.
 type: bool
 default: "yes"
+ sslverifystatus:
+ description:
+ - Enables or disables SSL certificate revocation status checking for the repository server.
+ - This should be set to V(false) if the repository server does not support OCSP stapling.
+ type: bool
+ default: "no"
+ version_added: 2.19
 allow_downgrade:
 description:
 - Specify if the named package and version is allowed to downgrade
@@ -594,6 +601,7 @@ class Dnf5Module(YumDnf):
 conf.pkg_gpgcheck = not self.disable_gpg_check
 conf.localpkg_gpgcheck = not self.disable_gpg_check
 conf.sslverify = self.sslverify
+ conf.sslverifystatus = self.sslverifystatus
 conf.clean_requirements_on_remove = self.autoremove
 
 if not os.path.isdir(self.installroot):
diff --git a/lib/ansible/modules/yum_repository.py b/lib/ansible/modules/yum_repository.py
index 013e85d2d8e..87adac10d15 100644
--- a/lib/ansible/modules/yum_repository.py
+++ b/lib/ansible/modules/yum_repository.py
@@ -328,6 +328,11 @@ options:
 - Defines whether yum should verify SSL certificates/hosts at all.
 type: bool
 aliases: [ validate_certs ]
+ sslverifystatus:
+ description:
+ - Defines whether SSL certificate revocation status checking should be done for the repository server.
+ type: bool
+ version_added: '2.19'
 state:
 description:
 - State of the repo file.
@@ -570,6 +575,7 @@ def main():
 sslclientcert=dict(aliases=['client_cert']),
 sslclientkey=dict(aliases=['client_key'], no_log=False),
 sslverify=dict(type='bool', aliases=['validate_certs']),
+ sslverifystatus=dict(type='bool'),
 state=dict(choices=['present', 'absent'], default='present'),
 throttle=dict(),
 timeout=dict(),
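Review bot: `version_added: 2.19` in the dnf5.py DOCUMENTATION hunk is unquoted, so YAML parses it as a float, while the same change writes the strings `"2.19"` in dnf.py and `'2.19'` in yum_repository.py; quoting it (`version_added: "2.19"`) keeps the three modules consistent and keeps the value as text, which matters for any version whose minor part ends in a zero. The yum_repository.py description in the @@ -328 hunk also lacks the operational caveat the other two modules carry; adding the same second bullet, `- This should be set to V(false) if the repository server does not support OCSP stapling.`, would tell users why a repo that worked before may start failing once the option is enabled in the repo file.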