diff --git a/lib/ansible/modules/web_infrastructure/letsencrypt.py b/lib/ansible/modules/web_infrastructure/letsencrypt.py
index 13cde803017..dcdf50f42e7 100644
--- a/lib/ansible/modules/web_infrastructure/letsencrypt.py
+++ b/lib/ansible/modules/web_infrastructure/letsencrypt.py
@@ -23,14 +23,13 @@ description:
 - "Create and renew SSL certificates with Let's Encrypt. Let's Encrypt is a free, automated, and open certificate authority (CA), run for the public's benefit. For details see U(https://letsencrypt.org). The current
- implementation supports the http-01, tls-sni-02 and dns-01 challenges."
+ implementation supports the http-01 and dns-01 challenges."
 - "To use this module, it has to be executed at least twice. Either as two different tasks in the same run or during multiple runs."
 - "Between these two tasks you have to fulfill the required steps for the chosen challenge by whatever means necessary. For http-01 that means creating the necessary challenge file on the destination webserver. For
- dns-01 the necessary dns record has to be created. tls-sni-02 requires
- you to create a SSL certificate with the appropriate subjectAlternativeNames.
+ dns-01 the necessary dns record has to be created.
 It is I(not) the responsibility of this module to perform these steps."
 - "For details on how to fulfill these challenges, you might have to read through U(https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-8)"
@@ -109,7 +108,7 @@ options:
 version_added: "2.5"
 challenge:
 description: The challenge to be performed.
- choices: [ 'http-01', 'dns-01', 'tls-sni-02']
+ choices: [ 'http-01', 'dns-01']
 default: 'http-01'
 csr:
 description:
@@ -937,25 +936,10 @@ class ACMEClient(object):
 token = re.sub(r"[^A-Za-z0-9_\-]", "_", challenge['token'])
 keyauthorization = self.account.get_keyauthorization(token)
 
- # NOTE: tls-sni-01 is not supported by choice
- # too complex to be useful and tls-sni-02 is an alternative
- # as soon as it is implemented server side
 if type == 'http-01':
 # https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-8.3
 resource = '.well-known/acme-challenge/' + token
 data[type] = {'resource': resource, 'resource_value': keyauthorization}
- elif type == 'tls-sni-02':
- # https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-8.4
- token_digest = hashlib.sha256(token.encode('utf8')).hexdigest()
- ka_digest = hashlib.sha256(keyauthorization.encode('utf8')).hexdigest()
- len_token_digest = len(token_digest)
- len_ka_digest = len(ka_digest)
- resource = 'subjectAlternativeNames'
- value = [
- "{0}.{1}.token.acme.invalid".format(token_digest[:len_token_digest // 2], token_digest[len_token_digest // 2:]),
- "{0}.{1}.ka.acme.invalid".format(ka_digest[:len_ka_digest // 2], ka_digest[len_ka_digest // 2:]),
- ]
- data[type] = {'resource': resource, 'resource_value': value}
 elif type == 'dns-01':
 # https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-8.5
 resource = '_acme-challenge'
@@ -1296,7 +1280,7 @@ def main():
 acme_version=dict(required=False, default=1, choices=[1, 2], type='int'),
 agreement=dict(required=False, type='str'),
 terms_agreed=dict(required=False, default=False, type='bool'),
- challenge=dict(required=False, default='http-01', choices=['http-01', 'dns-01', 'tls-sni-02'], type='str'),
+ challenge=dict(required=False, default='http-01', choices=['http-01', 'dns-01'], type='str'),
 csr=dict(required=True, aliases=['src'], type='path'),
 data=dict(required=False, default=None, type='dict'),
 dest=dict(aliases=['cert'], type='path'),
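Review bot: With the tls-sni-02 branch removed, the `if type == 'http-01':` / `elif type == 'dns-01':` chain still has no `else`, so a challenge type that matches neither leaves `data` without an entry and nothing records why; the deleted NOTE comment was the only place that documented the omission of tls-sni as a deliberate choice. The enclosing method starts and ends outside the hunk, so I cannot see how `data` is consumed, but if the unsupported case is meant to be unreachable because of the argument_spec choices, a one-line comment where the NOTE stood would keep that intent visible, e.g. `# tls-sni-* challenges are deliberately unsupported (as far as I recall, Let's Encrypt withdrew TLS-SNI validation); only http-01 and dns-01 are accepted by the argument_spec`. If it is reachable, an explicit `else` that fails or records the unsupported type would stop the silent skip. As a point of style, `type` shadows the builtin; renaming it to `challenge_type` in this method would be cheap while the branch is being touched.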
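Review bot: Dropping `'tls-sni-02'` from `choices` in the `challenge=dict(...)` line turns any existing playbook that sets `challenge: tls-sni-02` into an argument-validation failure at task start rather than a fallback, which is the right outcome for a withdrawn validation method but is a user-visible breaking change the commit does not document. A changelog or porting note telling users to switch to `http-01` or `dns-01` would close that gap. The argument_spec in `main()` continues past the end of the hunk.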