From 7f41f0168a7219e825711ffba853478187c26ab6 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sun, 12 Aug 2018 10:29:48 +0200
Subject: [PATCH] ACME certificate revocation: add support for new draft-14 error message (#43980)
* Adding support for new certificate-already-revoked error message in draft-14.
* Updating documentation.
* Fixing typo.
---
 .../acme_certificate_revoke.py | 32 ++++++++++++-------
 1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/lib/ansible/modules/web_infrastructure/acme_certificate_revoke.py b/lib/ansible/modules/web_infrastructure/acme_certificate_revoke.py
index 20336ee7a30..703c6f02b15 100644
--- a/lib/ansible/modules/web_infrastructure/acme_certificate_revoke.py
+++ b/lib/ansible/modules/web_infrastructure/acme_certificate_revoke.py
@@ -26,13 +26,11 @@ description:
 L(Let's Encrypt,https://letsencrypt.org/)."
 - "Note that exactly one of C(account_key_src), C(account_key_content),
 C(private_key_src) or C(private_key_content) must be specified."
- - "Also note that in general, trying to revoke an already revoked
- certificate will lead to an error. The module tries to detect some
- common error messages (for example, the ones issued by
- L(Let's Encrypt,https://letsencrypt.org/)'s
- L(Boulder,https://github.com/letsencrypt/boulder/) software), but
- this might stop working and probably will not work for other server
- softwares."
+ - "Also note that trying to revoke an already revoked certificate
+ should result in an unchanged status, even if the revocation reason
+ was different than the one specified here. Also, depending on the
+ server, it can happen that some other error is returned if the
+ certificate has already been revoked."
 extends_documentation_fragment:
 - acme
 options:
@@ -193,12 +191,22 @@ def main():
 # Step 2: sign revokation request with account key
 result, info = account.send_signed_request(endpoint, payload)
 if info['status'] != 200:
- if module.params.get('acme_version') == 1:
- error_type = 'urn:acme:error:malformed'
+ already_revoked = False
+ # Standarized error in draft 14 (https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-7.6)
+ if result.get('type') == 'urn:ietf:params:acme:error:alreadyRevoked':
+ already_revoked = True
 else:
- error_type = 'urn:ietf:params:acme:error:malformed'
- if result.get('type') == error_type and result.get('detail') == 'Certificate already revoked':
- # Fallback: boulder returns this in case the certificate was already revoked.
+ # Hack for Boulder errors
+ if module.params.get('acme_version') == 1:
+ error_type = 'urn:acme:error:malformed'
+ else:
+ error_type = 'urn:ietf:params:acme:error:malformed'
+ if result.get('type') == error_type and result.get('detail') == 'Certificate already revoked':
+ # Fallback: boulder returns this in case the certificate was already revoked.
+ already_revoked = True
+ # If we know the certificate was already revoked, we don't fail,
+ # but successfully terminate while indicating no change
+ if already_revoked:
 module.exit_json(changed=False)
 raise ModuleFailException('Error revoking certificate: {0} {1}'.format(info['status'], result))
 module.exit_json(changed=True)
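Review bot: The new `else:` branch exists only to compute `already_revoked` for the pre-draft-14 Boulder reply, so the flag and the nested check can be flattened: `already_revoked = result.get('type') == 'urn:ietf:params:acme:error:alreadyRevoked'` followed by `if not already_revoked:` around the Boulder fallback, which drops one indentation level and the `already_revoked = False` / `already_revoked = True` pair for the standard case. The comment above the draft-14 check has a typo, `# Standarized` should read `# Standardized`. The Boulder fallback still keys on an exact `detail` string, which the removed documentation text itself called fragile; the comment should say so explicitly, e.g. `# Fallback for pre-draft-14 servers such as Boulder: exact match on the detail text; a mismatch falls through to the failure below`, so that a change in the server's wording is understood to surface as a ModuleFailException (the safe direction) rather than being read as a bug in this branch. main() begins before the hunk.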