mirror of https://github.com/ansible/ansible.git
ACME: use Cryptography (if a new enough version is available) instead of OpenSSL (#42170)
* Collecting PEM -> DER conversions. * Using cryptography instead of OpenSSL binary in some situations. * Moving key-to-disk writing for key content to parse_account_key. * Rename parse_account_key -> parse_key. * Move OpenSSL specific code for key parsing and request signing into global functions. * Also using cryptography for key parsing and request signing. * Remove assert statements. * Fixing handling of key contents for cryptography code path. * Allow to disable the use of cryptography. * Updating documentation. * 1.5 seems to work as well (earlier versions don't have EC sign function). Making Python 2.x adjustments. * Changing option to select_crypto_backend. * Python 2.6 compatibility. * Trying to test both backends separately for acme_account. * Also testing both backends separately for acme_certificate and acme_certificate_revoke. * Adding changelog entry which informs about select_crypto_backend option in case autodetect fails. * Fixing YAML.pull/42346/merge
parent
7f41f0168a
commit
aef16ee195
@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
minor_changes:
|
||||||
|
- "The acme_account and acme_certificate modules now support two backends:
|
||||||
|
the Python cryptograpy module or the OpenSSL binary. By default, the
|
||||||
|
modules detect if a new enough cryptography module is available and
|
||||||
|
use it, with the OpenSSL binary being a fallback. If the detection
|
||||||
|
fails for some reason, the OpenSSL binary backend can be explicitly
|
||||||
|
selected by setting select_crypto_backend to openssl."
|
@ -0,0 +1,157 @@
|
|||||||
|
- name: Generate account key
|
||||||
|
command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem
|
||||||
|
|
||||||
|
- name: Parse account key (to ease debugging some test failures)
|
||||||
|
command: openssl ec -in {{ output_dir }}/accountkey.pem -noout -text
|
||||||
|
|
||||||
|
- name: Do not try to create account
|
||||||
|
acme_account:
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
account_key_src: "{{ output_dir }}/accountkey.pem"
|
||||||
|
acme_version: 2
|
||||||
|
acme_directory: https://{{ acme_host }}:14000/dir
|
||||||
|
validate_certs: no
|
||||||
|
state: present
|
||||||
|
allow_creation: no
|
||||||
|
ignore_errors: yes
|
||||||
|
register: account_not_created
|
||||||
|
|
||||||
|
- name: Create it now
|
||||||
|
acme_account:
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
account_key_src: "{{ output_dir }}/accountkey.pem"
|
||||||
|
acme_version: 2
|
||||||
|
acme_directory: https://{{ acme_host }}:14000/dir
|
||||||
|
validate_certs: no
|
||||||
|
state: present
|
||||||
|
allow_creation: yes
|
||||||
|
terms_agreed: yes
|
||||||
|
contact:
|
||||||
|
- mailto:example@example.org
|
||||||
|
register: account_created
|
||||||
|
|
||||||
|
- name: Change email address
|
||||||
|
acme_account:
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
account_key_content: "{{ lookup('file', output_dir ~ '/accountkey.pem') }}"
|
||||||
|
acme_version: 2
|
||||||
|
acme_directory: https://{{ acme_host }}:14000/dir
|
||||||
|
validate_certs: no
|
||||||
|
state: present
|
||||||
|
# allow_creation: no
|
||||||
|
contact:
|
||||||
|
- mailto:example@example.com
|
||||||
|
register: account_modified
|
||||||
|
|
||||||
|
- name: Change email address (idempotent)
|
||||||
|
acme_account:
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
account_key_src: "{{ output_dir }}/accountkey.pem"
|
||||||
|
acme_version: 2
|
||||||
|
acme_directory: https://{{ acme_host }}:14000/dir
|
||||||
|
validate_certs: no
|
||||||
|
state: present
|
||||||
|
# allow_creation: no
|
||||||
|
contact:
|
||||||
|
- mailto:example@example.com
|
||||||
|
register: account_modified_idempotent
|
||||||
|
|
||||||
|
- name: Generate new account key
|
||||||
|
command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/accountkey2.pem
|
||||||
|
|
||||||
|
- name: Parse account key (to ease debugging some test failures)
|
||||||
|
command: openssl ec -in {{ output_dir }}/accountkey2.pem -noout -text
|
||||||
|
|
||||||
|
# Note that pebble has no change key endpoint implemented yet!
|
||||||
|
# When it has (and the container was updated), uncomment the
|
||||||
|
# uncomment the following tests, and delete the ones below the
|
||||||
|
# out-commented ones.
|
||||||
|
|
||||||
|
# - name: Change account key
|
||||||
|
# acme_account:
|
||||||
|
# select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
# account_key_src: "{{ output_dir }}/accountkey.pem"
|
||||||
|
# acme_version: 2
|
||||||
|
# acme_directory: https://{{ acme_host }}:14000/dir
|
||||||
|
# validate_certs: no
|
||||||
|
# new_account_key_src: "{{ output_dir }}/accountkey2.pem"
|
||||||
|
# state: changed_key
|
||||||
|
# contact:
|
||||||
|
# - mailto:example@example.com
|
||||||
|
# register: account_change_key
|
||||||
|
|
||||||
|
# - name: Deactivate account
|
||||||
|
# acme_account:
|
||||||
|
# select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
# account_key_src: "{{ output_dir }}/accountkey2.pem"
|
||||||
|
# acme_version: 2
|
||||||
|
# acme_directory: https://{{ acme_host }}:14000/dir
|
||||||
|
# validate_certs: no
|
||||||
|
# state: absent
|
||||||
|
# register: account_deactivate
|
||||||
|
|
||||||
|
# - name: Deactivate account (idempotent)
|
||||||
|
# acme_account:
|
||||||
|
# select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
# account_key_src: "{{ output_dir }}/accountkey2.pem"
|
||||||
|
# acme_version: 2
|
||||||
|
# acme_directory: https://{{ acme_host }}:14000/dir
|
||||||
|
# validate_certs: no
|
||||||
|
# state: absent
|
||||||
|
# register: account_deactivate_idempotent
|
||||||
|
|
||||||
|
# - name: Do not try to create account II
|
||||||
|
# acme_account:
|
||||||
|
# select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
# account_key_src: "{{ output_dir }}/accountkey2.pem"
|
||||||
|
# acme_version: 2
|
||||||
|
# acme_directory: https://{{ acme_host }}:14000/dir
|
||||||
|
# validate_certs: no
|
||||||
|
# state: present
|
||||||
|
# allow_creation: no
|
||||||
|
# ignore_errors: yes
|
||||||
|
# register: account_not_created_2
|
||||||
|
|
||||||
|
# - name: Do not try to create account III
|
||||||
|
# acme_account:
|
||||||
|
# select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
# account_key_src: "{{ output_dir }}/accountkey.pem"
|
||||||
|
# acme_version: 2
|
||||||
|
# acme_directory: https://{{ acme_host }}:14000/dir
|
||||||
|
# validate_certs: no
|
||||||
|
# state: present
|
||||||
|
# allow_creation: no
|
||||||
|
# ignore_errors: yes
|
||||||
|
# register: account_not_created_3
|
||||||
|
|
||||||
|
- name: Deactivate account
|
||||||
|
acme_account:
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
account_key_src: "{{ output_dir }}/accountkey.pem"
|
||||||
|
acme_version: 2
|
||||||
|
acme_directory: https://{{ acme_host }}:14000/dir
|
||||||
|
validate_certs: no
|
||||||
|
state: absent
|
||||||
|
register: account_deactivate
|
||||||
|
|
||||||
|
- name: Deactivate account (idempotent)
|
||||||
|
acme_account:
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
account_key_src: "{{ output_dir }}/accountkey.pem"
|
||||||
|
acme_version: 2
|
||||||
|
acme_directory: https://{{ acme_host }}:14000/dir
|
||||||
|
validate_certs: no
|
||||||
|
state: absent
|
||||||
|
register: account_deactivate_idempotent
|
||||||
|
|
||||||
|
- name: Do not try to create account II
|
||||||
|
acme_account:
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
account_key_src: "{{ output_dir }}/accountkey.pem"
|
||||||
|
acme_version: 2
|
||||||
|
acme_directory: https://{{ acme_host }}:14000/dir
|
||||||
|
validate_certs: no
|
||||||
|
state: present
|
||||||
|
allow_creation: no
|
||||||
|
ignore_errors: yes
|
||||||
|
register: account_not_created_2
|
@ -1,152 +1,31 @@
|
|||||||
---
|
---
|
||||||
- block:
|
- block:
|
||||||
- name: Generate account key
|
- name: Running tests with OpenSSL backend
|
||||||
command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem
|
include_tasks: impl.yml
|
||||||
|
vars:
|
||||||
|
select_crypto_backend: openssl
|
||||||
|
|
||||||
- name: Parse account key (to ease debugging some test failures)
|
- import_tasks: ../tests/validate.yml
|
||||||
command: openssl ec -in {{ output_dir }}/accountkey.pem -noout -text
|
|
||||||
|
|
||||||
- name: Do not try to create account
|
|
||||||
acme_account:
|
|
||||||
account_key_src: "{{ output_dir }}/accountkey.pem"
|
|
||||||
acme_version: 2
|
|
||||||
acme_directory: https://{{ acme_host }}:14000/dir
|
|
||||||
validate_certs: no
|
|
||||||
state: present
|
|
||||||
allow_creation: no
|
|
||||||
ignore_errors: yes
|
|
||||||
register: account_not_created
|
|
||||||
|
|
||||||
- name: Create it now
|
|
||||||
acme_account:
|
|
||||||
account_key_src: "{{ output_dir }}/accountkey.pem"
|
|
||||||
acme_version: 2
|
|
||||||
acme_directory: https://{{ acme_host }}:14000/dir
|
|
||||||
validate_certs: no
|
|
||||||
state: present
|
|
||||||
allow_creation: yes
|
|
||||||
terms_agreed: yes
|
|
||||||
contact:
|
|
||||||
- mailto:example@example.org
|
|
||||||
register: account_created
|
|
||||||
|
|
||||||
- name: Change email address
|
|
||||||
acme_account:
|
|
||||||
account_key_content: "{{ lookup('file', output_dir ~ '/accountkey.pem') }}"
|
|
||||||
acme_version: 2
|
|
||||||
acme_directory: https://{{ acme_host }}:14000/dir
|
|
||||||
validate_certs: no
|
|
||||||
state: present
|
|
||||||
# allow_creation: no
|
|
||||||
contact:
|
|
||||||
- mailto:example@example.com
|
|
||||||
register: account_modified
|
|
||||||
|
|
||||||
- name: Change email address (idempotent)
|
|
||||||
acme_account:
|
|
||||||
account_key_src: "{{ output_dir }}/accountkey.pem"
|
|
||||||
acme_version: 2
|
|
||||||
acme_directory: https://{{ acme_host }}:14000/dir
|
|
||||||
validate_certs: no
|
|
||||||
state: present
|
|
||||||
# allow_creation: no
|
|
||||||
contact:
|
|
||||||
- mailto:example@example.com
|
|
||||||
register: account_modified_idempotent
|
|
||||||
|
|
||||||
- name: Generate new account key
|
|
||||||
command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/accountkey2.pem
|
|
||||||
|
|
||||||
- name: Parse account key (to ease debugging some test failures)
|
|
||||||
command: openssl ec -in {{ output_dir }}/accountkey2.pem -noout -text
|
|
||||||
|
|
||||||
# Note that pebble has no change key endpoint implemented yet!
|
|
||||||
# When it has (and the container was updated), uncomment the
|
|
||||||
# uncomment the following tests, and delete the ones below the
|
|
||||||
# out-commented ones.
|
|
||||||
|
|
||||||
# - name: Change account key
|
|
||||||
# acme_account:
|
|
||||||
# account_key_src: "{{ output_dir }}/accountkey.pem"
|
|
||||||
# acme_version: 2
|
|
||||||
# acme_directory: https://{{ acme_host }}:14000/dir
|
|
||||||
# validate_certs: no
|
|
||||||
# new_account_key_src: "{{ output_dir }}/accountkey2.pem"
|
|
||||||
# state: changed_key
|
|
||||||
# contact:
|
|
||||||
# - mailto:example@example.com
|
|
||||||
# register: account_change_key
|
|
||||||
|
|
||||||
# - name: Deactivate account
|
|
||||||
# acme_account:
|
|
||||||
# account_key_src: "{{ output_dir }}/accountkey2.pem"
|
|
||||||
# acme_version: 2
|
|
||||||
# acme_directory: https://{{ acme_host }}:14000/dir
|
|
||||||
# validate_certs: no
|
|
||||||
# state: absent
|
|
||||||
# register: account_deactivate
|
|
||||||
|
|
||||||
# - name: Deactivate account (idempotent)
|
|
||||||
# acme_account:
|
|
||||||
# account_key_src: "{{ output_dir }}/accountkey2.pem"
|
|
||||||
# acme_version: 2
|
|
||||||
# acme_directory: https://{{ acme_host }}:14000/dir
|
|
||||||
# validate_certs: no
|
|
||||||
# state: absent
|
|
||||||
# register: account_deactivate_idempotent
|
|
||||||
|
|
||||||
# - name: Do not try to create account II
|
|
||||||
# acme_account:
|
|
||||||
# account_key_src: "{{ output_dir }}/accountkey2.pem"
|
|
||||||
# acme_version: 2
|
|
||||||
# acme_directory: https://{{ acme_host }}:14000/dir
|
|
||||||
# validate_certs: no
|
|
||||||
# state: present
|
|
||||||
# allow_creation: no
|
|
||||||
# ignore_errors: yes
|
|
||||||
# register: account_not_created_2
|
|
||||||
|
|
||||||
# - name: Do not try to create account III
|
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
|
||||||
# acme_account:
|
when: openssl_version.stdout is version('1.0.0', '>=')
|
||||||
# account_key_src: "{{ output_dir }}/accountkey.pem"
|
|
||||||
# acme_version: 2
|
|
||||||
# acme_directory: https://{{ acme_host }}:14000/dir
|
|
||||||
# validate_certs: no
|
|
||||||
# state: present
|
|
||||||
# allow_creation: no
|
|
||||||
# ignore_errors: yes
|
|
||||||
# register: account_not_created_3
|
|
||||||
|
|
||||||
- name: Deactivate account
|
- name: Remove output directory
|
||||||
acme_account:
|
file:
|
||||||
account_key_src: "{{ output_dir }}/accountkey.pem"
|
path: "{{ output_dir }}"
|
||||||
acme_version: 2
|
state: absent
|
||||||
acme_directory: https://{{ acme_host }}:14000/dir
|
|
||||||
validate_certs: no
|
|
||||||
state: absent
|
|
||||||
register: account_deactivate
|
|
||||||
|
|
||||||
- name: Deactivate account (idempotent)
|
- name: Re-create output directory
|
||||||
acme_account:
|
file:
|
||||||
account_key_src: "{{ output_dir }}/accountkey.pem"
|
path: "{{ output_dir }}"
|
||||||
acme_version: 2
|
state: directory
|
||||||
acme_directory: https://{{ acme_host }}:14000/dir
|
|
||||||
validate_certs: no
|
|
||||||
state: absent
|
|
||||||
register: account_deactivate_idempotent
|
|
||||||
|
|
||||||
- name: Do not try to create account II
|
- block:
|
||||||
acme_account:
|
- name: Running tests with cryptography backend
|
||||||
account_key_src: "{{ output_dir }}/accountkey.pem"
|
include_tasks: impl.yml
|
||||||
acme_version: 2
|
vars:
|
||||||
acme_directory: https://{{ acme_host }}:14000/dir
|
select_crypto_backend: cryptography
|
||||||
validate_certs: no
|
|
||||||
state: present
|
|
||||||
allow_creation: no
|
|
||||||
ignore_errors: yes
|
|
||||||
register: account_not_created_2
|
|
||||||
|
|
||||||
- import_tasks: ../tests/validate.yml
|
- import_tasks: ../tests/validate.yml
|
||||||
|
|
||||||
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
|
when: cryptography_version.stdout is version('1.5', '>=')
|
||||||
when: openssl_version.stdout is version('1.0.0', '>=')
|
|
||||||
|
@ -0,0 +1,240 @@
|
|||||||
|
---
|
||||||
|
## SET UP ACCOUNT KEYS ########################################################################
|
||||||
|
- name: Create ECC256 account key
|
||||||
|
command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem
|
||||||
|
- name: Create ECC384 account key
|
||||||
|
command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem
|
||||||
|
- name: Create RSA-2048 account key
|
||||||
|
command: openssl genrsa -out {{ output_dir }}/account-rsa2048.pem 2048
|
||||||
|
## SET UP ACCOUNTS ############################################################################
|
||||||
|
- name: Make sure ECC256 account hasn't been created yet
|
||||||
|
acme_account:
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
acme_version: 2
|
||||||
|
acme_directory: https://{{ acme_host }}:14000/dir
|
||||||
|
validate_certs: no
|
||||||
|
account_key_src: "{{ output_dir }}/account-ec256.pem"
|
||||||
|
state: absent
|
||||||
|
- name: Create ECC384 account
|
||||||
|
acme_account:
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
acme_version: 2
|
||||||
|
acme_directory: https://{{ acme_host }}:14000/dir
|
||||||
|
validate_certs: no
|
||||||
|
account_key_content: "{{ lookup('file', output_dir ~ '/account-ec384.pem') }}"
|
||||||
|
state: present
|
||||||
|
allow_creation: yes
|
||||||
|
terms_agreed: yes
|
||||||
|
contact:
|
||||||
|
- mailto:example@example.org
|
||||||
|
- mailto:example@example.com
|
||||||
|
- name: Create RSA-2048 account
|
||||||
|
acme_account:
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
acme_version: 2
|
||||||
|
acme_directory: https://{{ acme_host }}:14000/dir
|
||||||
|
validate_certs: no
|
||||||
|
account_key_src: "{{ output_dir }}/account-rsa2048.pem"
|
||||||
|
state: present
|
||||||
|
allow_creation: yes
|
||||||
|
terms_agreed: yes
|
||||||
|
contact: []
|
||||||
|
## OBTAIN CERTIFICATES ########################################################################
|
||||||
|
- name: Obtain cert 1
|
||||||
|
include_tasks: obtain-cert.yml
|
||||||
|
vars:
|
||||||
|
certgen_title: Certificate 1
|
||||||
|
certificate_name: cert-1
|
||||||
|
key_type: rsa
|
||||||
|
rsa_bits: 2048
|
||||||
|
subject_alt_name: "DNS:example.com"
|
||||||
|
subject_alt_name_critical: no
|
||||||
|
account_key: account-ec256
|
||||||
|
challenge: http-01
|
||||||
|
modify_account: yes
|
||||||
|
deactivate_authzs: no
|
||||||
|
force: no
|
||||||
|
remaining_days: 10
|
||||||
|
terms_agreed: yes
|
||||||
|
account_email: "example@example.org"
|
||||||
|
- name: Obtain cert 2
|
||||||
|
include_tasks: obtain-cert.yml
|
||||||
|
vars:
|
||||||
|
certgen_title: Certificate 2
|
||||||
|
certificate_name: cert-2
|
||||||
|
key_type: ec256
|
||||||
|
subject_alt_name: "DNS:*.example.com,DNS:example.com"
|
||||||
|
subject_alt_name_critical: yes
|
||||||
|
account_key: account-ec384
|
||||||
|
challenge: dns-01
|
||||||
|
modify_account: no
|
||||||
|
deactivate_authzs: yes
|
||||||
|
force: no
|
||||||
|
remaining_days: 10
|
||||||
|
terms_agreed: no
|
||||||
|
account_email: ""
|
||||||
|
- name: Obtain cert 3
|
||||||
|
include_tasks: obtain-cert.yml
|
||||||
|
vars:
|
||||||
|
certgen_title: Certificate 3
|
||||||
|
certificate_name: cert-3
|
||||||
|
key_type: ec384
|
||||||
|
subject_alt_name: "DNS:*.example.com,DNS:example.org,DNS:t1.example.com"
|
||||||
|
subject_alt_name_critical: no
|
||||||
|
account_key_content: "{{ lookup('file', output_dir ~ '/account-rsa2048.pem') }}"
|
||||||
|
challenge: dns-01
|
||||||
|
modify_account: no
|
||||||
|
deactivate_authzs: no
|
||||||
|
force: no
|
||||||
|
remaining_days: 10
|
||||||
|
terms_agreed: no
|
||||||
|
account_email: ""
|
||||||
|
- name: Obtain cert 4
|
||||||
|
include_tasks: obtain-cert.yml
|
||||||
|
vars:
|
||||||
|
certgen_title: Certificate 4
|
||||||
|
certificate_name: cert-4
|
||||||
|
key_type: rsa
|
||||||
|
rsa_bits: 2048
|
||||||
|
subject_alt_name: "DNS:example.com,DNS:t1.example.com,DNS:test.t2.example.com,DNS:example.org,DNS:test.example.org"
|
||||||
|
subject_alt_name_critical: no
|
||||||
|
account_key: account-rsa2048
|
||||||
|
challenge: http-01
|
||||||
|
modify_account: no
|
||||||
|
deactivate_authzs: yes
|
||||||
|
force: yes
|
||||||
|
remaining_days: 10
|
||||||
|
terms_agreed: no
|
||||||
|
account_email: ""
|
||||||
|
- name: Obtain cert 5
|
||||||
|
include_tasks: obtain-cert.yml
|
||||||
|
vars:
|
||||||
|
certgen_title: Certificate 5, Iteration 1/4
|
||||||
|
certificate_name: cert-5
|
||||||
|
key_type: ec521
|
||||||
|
subject_alt_name: "DNS:t2.example.com"
|
||||||
|
subject_alt_name_critical: no
|
||||||
|
account_key: account-ec384
|
||||||
|
challenge: http-01
|
||||||
|
modify_account: no
|
||||||
|
deactivate_authzs: yes
|
||||||
|
force: yes
|
||||||
|
remaining_days: 10
|
||||||
|
terms_agreed: no
|
||||||
|
account_email: ""
|
||||||
|
- name: Obtain cert 5 (should not, since already there and valid for more than 10 days)
|
||||||
|
include_tasks: obtain-cert.yml
|
||||||
|
vars:
|
||||||
|
certgen_title: Certificate 5, Iteration 2/4
|
||||||
|
certificate_name: cert-5
|
||||||
|
key_type: ec521
|
||||||
|
subject_alt_name: "DNS:t2.example.com"
|
||||||
|
subject_alt_name_critical: no
|
||||||
|
account_key: account-ec384
|
||||||
|
challenge: http-01
|
||||||
|
modify_account: no
|
||||||
|
deactivate_authzs: yes
|
||||||
|
force: no
|
||||||
|
remaining_days: 10
|
||||||
|
terms_agreed: no
|
||||||
|
account_email: ""
|
||||||
|
- set_fact:
|
||||||
|
cert_5_recreate_1: "{{ challenge_data is changed }}"
|
||||||
|
- name: Obtain cert 5 (should again by less days)
|
||||||
|
include_tasks: obtain-cert.yml
|
||||||
|
vars:
|
||||||
|
certgen_title: Certificate 5, Iteration 3/4
|
||||||
|
certificate_name: cert-5
|
||||||
|
key_type: ec521
|
||||||
|
subject_alt_name: "DNS:t2.example.com"
|
||||||
|
subject_alt_name_critical: no
|
||||||
|
account_key: account-ec384
|
||||||
|
challenge: http-01
|
||||||
|
modify_account: no
|
||||||
|
deactivate_authzs: yes
|
||||||
|
force: yes
|
||||||
|
remaining_days: 1000
|
||||||
|
terms_agreed: no
|
||||||
|
account_email: ""
|
||||||
|
- set_fact:
|
||||||
|
cert_5_recreate_2: "{{ challenge_data is changed }}"
|
||||||
|
- name: Obtain cert 5 (should again by force)
|
||||||
|
include_tasks: obtain-cert.yml
|
||||||
|
vars:
|
||||||
|
certgen_title: Certificate 5, Iteration 4/4
|
||||||
|
certificate_name: cert-5
|
||||||
|
key_type: ec521
|
||||||
|
subject_alt_name: "DNS:t2.example.com"
|
||||||
|
subject_alt_name_critical: no
|
||||||
|
account_key_content: "{{ lookup('file', output_dir ~ '/account-ec384.pem') }}"
|
||||||
|
challenge: http-01
|
||||||
|
modify_account: no
|
||||||
|
deactivate_authzs: yes
|
||||||
|
force: yes
|
||||||
|
remaining_days: 10
|
||||||
|
terms_agreed: no
|
||||||
|
account_email: ""
|
||||||
|
- set_fact:
|
||||||
|
cert_5_recreate_3: "{{ challenge_data is changed }}"
|
||||||
|
- name: Obtain cert 6
|
||||||
|
include_tasks: obtain-cert.yml
|
||||||
|
vars:
|
||||||
|
certgen_title: Certificate 6
|
||||||
|
certificate_name: cert-6
|
||||||
|
key_type: rsa
|
||||||
|
rsa_bits: 2048
|
||||||
|
subject_alt_name: "DNS:example.org"
|
||||||
|
subject_alt_name_critical: no
|
||||||
|
account_key: account-ec256
|
||||||
|
challenge: tls-alpn-01
|
||||||
|
modify_account: yes
|
||||||
|
deactivate_authzs: no
|
||||||
|
force: no
|
||||||
|
remaining_days: 10
|
||||||
|
terms_agreed: yes
|
||||||
|
account_email: "example@example.org"
|
||||||
|
## DISSECT CERTIFICATES #######################################################################
|
||||||
|
# Make sure certificates are valid. Root certificate for Pebble equals the chain certificate.
|
||||||
|
- name: Verifying cert 1
|
||||||
|
command: openssl verify -CAfile "{{ output_dir }}/cert-1-chain.pem" "{{ output_dir }}/cert-1.pem"
|
||||||
|
ignore_errors: yes
|
||||||
|
register: cert_1_valid
|
||||||
|
- name: Verifying cert 2
|
||||||
|
command: openssl verify -CAfile "{{ output_dir }}/cert-2-chain.pem" "{{ output_dir }}/cert-2.pem"
|
||||||
|
ignore_errors: yes
|
||||||
|
register: cert_2_valid
|
||||||
|
- name: Verifying cert 3
|
||||||
|
command: openssl verify -CAfile "{{ output_dir }}/cert-3-chain.pem" "{{ output_dir }}/cert-3.pem"
|
||||||
|
ignore_errors: yes
|
||||||
|
register: cert_3_valid
|
||||||
|
- name: Verifying cert 4
|
||||||
|
command: openssl verify -CAfile "{{ output_dir }}/cert-4-chain.pem" "{{ output_dir }}/cert-4.pem"
|
||||||
|
ignore_errors: yes
|
||||||
|
register: cert_4_valid
|
||||||
|
- name: Verifying cert 5
|
||||||
|
command: openssl verify -CAfile "{{ output_dir }}/cert-5-chain.pem" "{{ output_dir }}/cert-5.pem"
|
||||||
|
ignore_errors: yes
|
||||||
|
register: cert_5_valid
|
||||||
|
- name: Verifying cert 6
|
||||||
|
command: openssl verify -CAfile "{{ output_dir }}/cert-6-chain.pem" "{{ output_dir }}/cert-6.pem"
|
||||||
|
ignore_errors: yes
|
||||||
|
register: cert_6_valid
|
||||||
|
# Dump certificate info
|
||||||
|
- name: Dumping cert 1
|
||||||
|
command: openssl x509 -in "{{ output_dir }}/cert-1.pem" -noout -text
|
||||||
|
register: cert_1_text
|
||||||
|
- name: Dumping cert 2
|
||||||
|
command: openssl x509 -in "{{ output_dir }}/cert-2.pem" -noout -text
|
||||||
|
register: cert_2_text
|
||||||
|
- name: Dumping cert 3
|
||||||
|
command: openssl x509 -in "{{ output_dir }}/cert-3.pem" -noout -text
|
||||||
|
register: cert_3_text
|
||||||
|
- name: Dumping cert 4
|
||||||
|
command: openssl x509 -in "{{ output_dir }}/cert-4.pem" -noout -text
|
||||||
|
register: cert_4_text
|
||||||
|
- name: Dumping cert 5
|
||||||
|
command: openssl x509 -in "{{ output_dir }}/cert-5.pem" -noout -text
|
||||||
|
register: cert_5_text
|
||||||
|
- name: Dumping cert 6
|
||||||
|
command: openssl x509 -in "{{ output_dir }}/cert-6.pem" -noout -text
|
||||||
|
register: cert_6_text
|
@ -1,243 +1,31 @@
|
|||||||
---
|
---
|
||||||
- block:
|
- block:
|
||||||
## SET UP ACCOUNT KEYS ########################################################################
|
- name: Running tests with OpenSSL backend
|
||||||
- name: Create ECC256 account key
|
include_tasks: impl.yml
|
||||||
command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem
|
|
||||||
- name: Create ECC384 account key
|
|
||||||
command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem
|
|
||||||
- name: Create RSA-2048 account key
|
|
||||||
command: openssl genrsa -out {{ output_dir }}/account-rsa2048.pem 2048
|
|
||||||
## SET UP ACCOUNTS ############################################################################
|
|
||||||
- name: Make sure ECC256 account hasn't been created yet
|
|
||||||
acme_account:
|
|
||||||
acme_version: 2
|
|
||||||
acme_directory: https://{{ acme_host }}:14000/dir
|
|
||||||
validate_certs: no
|
|
||||||
account_key_src: "{{ output_dir }}/account-ec256.pem"
|
|
||||||
state: absent
|
|
||||||
- name: Create ECC384 account
|
|
||||||
acme_account:
|
|
||||||
acme_version: 2
|
|
||||||
acme_directory: https://{{ acme_host }}:14000/dir
|
|
||||||
validate_certs: no
|
|
||||||
account_key_content: "{{ lookup('file', output_dir ~ '/account-ec384.pem') }}"
|
|
||||||
state: present
|
|
||||||
allow_creation: yes
|
|
||||||
terms_agreed: yes
|
|
||||||
contact:
|
|
||||||
- mailto:example@example.org
|
|
||||||
- mailto:example@example.com
|
|
||||||
- name: Create RSA-2048 account
|
|
||||||
acme_account:
|
|
||||||
acme_version: 2
|
|
||||||
acme_directory: https://{{ acme_host }}:14000/dir
|
|
||||||
validate_certs: no
|
|
||||||
account_key_src: "{{ output_dir }}/account-rsa2048.pem"
|
|
||||||
state: present
|
|
||||||
allow_creation: yes
|
|
||||||
terms_agreed: yes
|
|
||||||
contact: []
|
|
||||||
## OBTAIN CERTIFICATES ########################################################################
|
|
||||||
- name: Obtain cert 1
|
|
||||||
include_tasks: obtain-cert.yml
|
|
||||||
vars:
|
vars:
|
||||||
certgen_title: Certificate 1
|
select_crypto_backend: openssl
|
||||||
certificate_name: cert-1
|
|
||||||
key_type: rsa
|
|
||||||
rsa_bits: 2048
|
|
||||||
subject_alt_name: "DNS:example.com"
|
|
||||||
subject_alt_name_critical: no
|
|
||||||
account_key: account-ec256
|
|
||||||
challenge: http-01
|
|
||||||
modify_account: yes
|
|
||||||
deactivate_authzs: no
|
|
||||||
force: no
|
|
||||||
remaining_days: 10
|
|
||||||
terms_agreed: yes
|
|
||||||
account_email: "example@example.org"
|
|
||||||
- name: Obtain cert 2
|
|
||||||
include_tasks: obtain-cert.yml
|
|
||||||
vars:
|
|
||||||
certgen_title: Certificate 2
|
|
||||||
certificate_name: cert-2
|
|
||||||
key_type: ec256
|
|
||||||
subject_alt_name: "DNS:*.example.com,DNS:example.com"
|
|
||||||
subject_alt_name_critical: yes
|
|
||||||
account_key: account-ec384
|
|
||||||
challenge: dns-01
|
|
||||||
modify_account: no
|
|
||||||
deactivate_authzs: yes
|
|
||||||
force: no
|
|
||||||
remaining_days: 10
|
|
||||||
terms_agreed: no
|
|
||||||
account_email: ""
|
|
||||||
- name: Obtain cert 3
|
|
||||||
include_tasks: obtain-cert.yml
|
|
||||||
vars:
|
|
||||||
certgen_title: Certificate 3
|
|
||||||
certificate_name: cert-3
|
|
||||||
key_type: ec384
|
|
||||||
subject_alt_name: "DNS:*.example.com,DNS:example.org,DNS:t1.example.com"
|
|
||||||
subject_alt_name_critical: no
|
|
||||||
account_key_content: "{{ lookup('file', output_dir ~ '/account-rsa2048.pem') }}"
|
|
||||||
challenge: dns-01
|
|
||||||
modify_account: no
|
|
||||||
deactivate_authzs: no
|
|
||||||
force: no
|
|
||||||
remaining_days: 10
|
|
||||||
terms_agreed: no
|
|
||||||
account_email: ""
|
|
||||||
- name: Obtain cert 4
|
|
||||||
include_tasks: obtain-cert.yml
|
|
||||||
vars:
|
|
||||||
certgen_title: Certificate 4
|
|
||||||
certificate_name: cert-4
|
|
||||||
key_type: rsa
|
|
||||||
rsa_bits: 2048
|
|
||||||
subject_alt_name: "DNS:example.com,DNS:t1.example.com,DNS:test.t2.example.com,DNS:example.org,DNS:test.example.org"
|
|
||||||
subject_alt_name_critical: no
|
|
||||||
account_key: account-rsa2048
|
|
||||||
challenge: http-01
|
|
||||||
modify_account: no
|
|
||||||
deactivate_authzs: yes
|
|
||||||
force: yes
|
|
||||||
remaining_days: 10
|
|
||||||
terms_agreed: no
|
|
||||||
account_email: ""
|
|
||||||
- name: Obtain cert 5
|
|
||||||
include_tasks: obtain-cert.yml
|
|
||||||
vars:
|
|
||||||
certgen_title: Certificate 5, Iteration 1/4
|
|
||||||
certificate_name: cert-5
|
|
||||||
key_type: ec521
|
|
||||||
subject_alt_name: "DNS:t2.example.com"
|
|
||||||
subject_alt_name_critical: no
|
|
||||||
account_key: account-ec384
|
|
||||||
challenge: http-01
|
|
||||||
modify_account: no
|
|
||||||
deactivate_authzs: yes
|
|
||||||
force: yes
|
|
||||||
remaining_days: 10
|
|
||||||
terms_agreed: no
|
|
||||||
account_email: ""
|
|
||||||
- name: Obtain cert 5 (should not, since already there and valid for more than 10 days)
|
|
||||||
include_tasks: obtain-cert.yml
|
|
||||||
vars:
|
|
||||||
certgen_title: Certificate 5, Iteration 2/4
|
|
||||||
certificate_name: cert-5
|
|
||||||
key_type: ec521
|
|
||||||
subject_alt_name: "DNS:t2.example.com"
|
|
||||||
subject_alt_name_critical: no
|
|
||||||
account_key: account-ec384
|
|
||||||
challenge: http-01
|
|
||||||
modify_account: no
|
|
||||||
deactivate_authzs: yes
|
|
||||||
force: no
|
|
||||||
remaining_days: 10
|
|
||||||
terms_agreed: no
|
|
||||||
account_email: ""
|
|
||||||
- set_fact:
|
|
||||||
cert_5_recreate_1: "{{ challenge_data is changed }}"
|
|
||||||
- name: Obtain cert 5 (should again by less days)
|
|
||||||
include_tasks: obtain-cert.yml
|
|
||||||
vars:
|
|
||||||
certgen_title: Certificate 5, Iteration 3/4
|
|
||||||
certificate_name: cert-5
|
|
||||||
key_type: ec521
|
|
||||||
subject_alt_name: "DNS:t2.example.com"
|
|
||||||
subject_alt_name_critical: no
|
|
||||||
account_key: account-ec384
|
|
||||||
challenge: http-01
|
|
||||||
modify_account: no
|
|
||||||
deactivate_authzs: yes
|
|
||||||
force: yes
|
|
||||||
remaining_days: 1000
|
|
||||||
terms_agreed: no
|
|
||||||
account_email: ""
|
|
||||||
- set_fact:
|
|
||||||
cert_5_recreate_2: "{{ challenge_data is changed }}"
|
|
||||||
- name: Obtain cert 5 (should again by force)
|
|
||||||
include_tasks: obtain-cert.yml
|
|
||||||
vars:
|
|
||||||
certgen_title: Certificate 5, Iteration 4/4
|
|
||||||
certificate_name: cert-5
|
|
||||||
key_type: ec521
|
|
||||||
subject_alt_name: "DNS:t2.example.com"
|
|
||||||
subject_alt_name_critical: no
|
|
||||||
account_key_content: "{{ lookup('file', output_dir ~ '/account-ec384.pem') }}"
|
|
||||||
challenge: http-01
|
|
||||||
modify_account: no
|
|
||||||
deactivate_authzs: yes
|
|
||||||
force: yes
|
|
||||||
remaining_days: 10
|
|
||||||
terms_agreed: no
|
|
||||||
account_email: ""
|
|
||||||
- set_fact:
|
|
||||||
cert_5_recreate_3: "{{ challenge_data is changed }}"
|
|
||||||
- name: Obtain cert 6
|
|
||||||
include_tasks: obtain-cert.yml
|
|
||||||
vars:
|
|
||||||
certgen_title: Certificate 6
|
|
||||||
certificate_name: cert-6
|
|
||||||
key_type: rsa
|
|
||||||
rsa_bits: 2048
|
|
||||||
subject_alt_name: "DNS:example.org"
|
|
||||||
subject_alt_name_critical: no
|
|
||||||
account_key: account-ec256
|
|
||||||
challenge: tls-alpn-01
|
|
||||||
modify_account: yes
|
|
||||||
deactivate_authzs: no
|
|
||||||
force: no
|
|
||||||
remaining_days: 10
|
|
||||||
terms_agreed: yes
|
|
||||||
account_email: "example@example.org"
|
|
||||||
## DISSECT CERTIFICATES #######################################################################
|
|
||||||
# Make sure certificates are valid. Root certificate for Pebble equals the chain certificate.
|
|
||||||
- name: Verifying cert 1
|
|
||||||
command: openssl verify -CAfile "{{ output_dir }}/cert-1-chain.pem" "{{ output_dir }}/cert-1.pem"
|
|
||||||
ignore_errors: yes
|
|
||||||
register: cert_1_valid
|
|
||||||
- name: Verifying cert 2
|
|
||||||
command: openssl verify -CAfile "{{ output_dir }}/cert-2-chain.pem" "{{ output_dir }}/cert-2.pem"
|
|
||||||
ignore_errors: yes
|
|
||||||
register: cert_2_valid
|
|
||||||
- name: Verifying cert 3
|
|
||||||
command: openssl verify -CAfile "{{ output_dir }}/cert-3-chain.pem" "{{ output_dir }}/cert-3.pem"
|
|
||||||
ignore_errors: yes
|
|
||||||
register: cert_3_valid
|
|
||||||
- name: Verifying cert 4
|
|
||||||
command: openssl verify -CAfile "{{ output_dir }}/cert-4-chain.pem" "{{ output_dir }}/cert-4.pem"
|
|
||||||
ignore_errors: yes
|
|
||||||
register: cert_4_valid
|
|
||||||
- name: Verifying cert 5
|
|
||||||
command: openssl verify -CAfile "{{ output_dir }}/cert-5-chain.pem" "{{ output_dir }}/cert-5.pem"
|
|
||||||
ignore_errors: yes
|
|
||||||
register: cert_5_valid
|
|
||||||
- name: Verifying cert 6
|
|
||||||
command: openssl verify -CAfile "{{ output_dir }}/cert-6-chain.pem" "{{ output_dir }}/cert-6.pem"
|
|
||||||
ignore_errors: yes
|
|
||||||
register: cert_6_valid
|
|
||||||
# Dump certificate info
|
|
||||||
- name: Dumping cert 1
|
|
||||||
command: openssl x509 -in "{{ output_dir }}/cert-1.pem" -noout -text
|
|
||||||
register: cert_1_text
|
|
||||||
- name: Dumping cert 2
|
|
||||||
command: openssl x509 -in "{{ output_dir }}/cert-2.pem" -noout -text
|
|
||||||
register: cert_2_text
|
|
||||||
- name: Dumping cert 3
|
|
||||||
command: openssl x509 -in "{{ output_dir }}/cert-3.pem" -noout -text
|
|
||||||
register: cert_3_text
|
|
||||||
- name: Dumping cert 4
|
|
||||||
command: openssl x509 -in "{{ output_dir }}/cert-4.pem" -noout -text
|
|
||||||
register: cert_4_text
|
|
||||||
- name: Dumping cert 5
|
|
||||||
command: openssl x509 -in "{{ output_dir }}/cert-5.pem" -noout -text
|
|
||||||
register: cert_5_text
|
|
||||||
- name: Dumping cert 6
|
|
||||||
command: openssl x509 -in "{{ output_dir }}/cert-6.pem" -noout -text
|
|
||||||
register: cert_6_text
|
|
||||||
|
|
||||||
- import_tasks: ../tests/validate.yml
|
- import_tasks: ../tests/validate.yml
|
||||||
|
|
||||||
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
|
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
|
||||||
when: openssl_version.stdout is version('1.0.0', '>=')
|
when: openssl_version.stdout is version('1.0.0', '>=')
|
||||||
|
|
||||||
|
- name: Remove output directory
|
||||||
|
file:
|
||||||
|
path: "{{ output_dir }}"
|
||||||
|
state: absent
|
||||||
|
|
||||||
|
- name: Re-create output directory
|
||||||
|
file:
|
||||||
|
path: "{{ output_dir }}"
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Running tests with cryptography backend
|
||||||
|
include_tasks: impl.yml
|
||||||
|
vars:
|
||||||
|
select_crypto_backend: cryptography
|
||||||
|
|
||||||
|
- import_tasks: ../tests/validate.yml
|
||||||
|
|
||||||
|
when: cryptography_version.stdout is version('1.5', '>=')
|
||||||
|
@ -0,0 +1,89 @@
|
|||||||
|
---
|
||||||
|
## SET UP ACCOUNT KEYS ########################################################################
|
||||||
|
- name: Create ECC256 account key
|
||||||
|
command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem
|
||||||
|
- name: Create ECC384 account key
|
||||||
|
command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem
|
||||||
|
- name: Create RSA-2048 account key
|
||||||
|
command: openssl genrsa -out {{ output_dir }}/account-rsa2048.pem 2048
|
||||||
|
## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
|
||||||
|
- name: Obtain cert 1
|
||||||
|
include_tasks: obtain-cert.yml
|
||||||
|
vars:
|
||||||
|
certgen_title: Certificate 1 for revocation
|
||||||
|
certificate_name: cert-1
|
||||||
|
key_type: rsa
|
||||||
|
rsa_bits: 2048
|
||||||
|
subject_alt_name: "DNS:example.com"
|
||||||
|
subject_alt_name_critical: no
|
||||||
|
account_key_content: "{{ lookup('file', output_dir ~ '/account-ec256.pem') }}"
|
||||||
|
challenge: http-01
|
||||||
|
modify_account: yes
|
||||||
|
deactivate_authzs: no
|
||||||
|
force: no
|
||||||
|
remaining_days: 10
|
||||||
|
terms_agreed: yes
|
||||||
|
account_email: "example@example.org"
|
||||||
|
- name: Obtain cert 2
|
||||||
|
include_tasks: obtain-cert.yml
|
||||||
|
vars:
|
||||||
|
certgen_title: Certificate 2 for revocation
|
||||||
|
certificate_name: cert-2
|
||||||
|
key_type: ec256
|
||||||
|
subject_alt_name: "DNS:*.example.com"
|
||||||
|
subject_alt_name_critical: yes
|
||||||
|
account_key: account-ec384
|
||||||
|
challenge: dns-01
|
||||||
|
modify_account: yes
|
||||||
|
deactivate_authzs: yes
|
||||||
|
force: no
|
||||||
|
remaining_days: 10
|
||||||
|
terms_agreed: yes
|
||||||
|
account_email: "example@example.org"
|
||||||
|
- name: Obtain cert 3
|
||||||
|
include_tasks: obtain-cert.yml
|
||||||
|
vars:
|
||||||
|
certgen_title: Certificate 3 for revocation
|
||||||
|
certificate_name: cert-3
|
||||||
|
key_type: ec384
|
||||||
|
subject_alt_name: "DNS:t1.example.com"
|
||||||
|
subject_alt_name_critical: no
|
||||||
|
account_key: account-rsa2048
|
||||||
|
challenge: dns-01
|
||||||
|
modify_account: yes
|
||||||
|
deactivate_authzs: no
|
||||||
|
force: no
|
||||||
|
remaining_days: 10
|
||||||
|
terms_agreed: yes
|
||||||
|
account_email: "example@example.org"
|
||||||
|
## REVOKE CERTIFICATES ########################################################################
|
||||||
|
- name: Revoke certificate 1 via account key
|
||||||
|
acme_certificate_revoke:
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
account_key_src: "{{ output_dir }}/account-ec256.pem"
|
||||||
|
certificate: "{{ output_dir }}/cert-1.pem"
|
||||||
|
acme_version: 2
|
||||||
|
acme_directory: https://{{ acme_host }}:14000/dir
|
||||||
|
validate_certs: no
|
||||||
|
ignore_errors: yes
|
||||||
|
register: cert_1_revoke
|
||||||
|
- name: Revoke certificate 2 via certificate private key
|
||||||
|
acme_certificate_revoke:
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
private_key_src: "{{ output_dir }}/cert-2.key"
|
||||||
|
certificate: "{{ output_dir }}/cert-2.pem"
|
||||||
|
acme_version: 2
|
||||||
|
acme_directory: https://{{ acme_host }}:14000/dir
|
||||||
|
validate_certs: no
|
||||||
|
ignore_errors: yes
|
||||||
|
register: cert_2_revoke
|
||||||
|
- name: Revoke certificate 3 via account key (fullchain)
|
||||||
|
acme_certificate_revoke:
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
account_key_content: "{{ lookup('file', output_dir ~ '/account-rsa2048.pem') }}"
|
||||||
|
certificate: "{{ output_dir }}/cert-3-fullchain.pem"
|
||||||
|
acme_version: 2
|
||||||
|
acme_directory: https://{{ acme_host }}:14000/dir
|
||||||
|
validate_certs: no
|
||||||
|
ignore_errors: yes
|
||||||
|
register: cert_3_revoke
|
@ -1,92 +1,31 @@
|
|||||||
---
|
---
|
||||||
- block:
|
- block:
|
||||||
## SET UP ACCOUNT KEYS ########################################################################
|
- name: Running tests with OpenSSL backend
|
||||||
- name: Create ECC256 account key
|
include_tasks: impl.yml
|
||||||
command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem
|
|
||||||
- name: Create ECC384 account key
|
|
||||||
command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem
|
|
||||||
- name: Create RSA-2048 account key
|
|
||||||
command: openssl genrsa -out {{ output_dir }}/account-rsa2048.pem 2048
|
|
||||||
## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
|
|
||||||
- name: Obtain cert 1
|
|
||||||
include_tasks: obtain-cert.yml
|
|
||||||
vars:
|
vars:
|
||||||
certgen_title: Certificate 1 for revocation
|
select_crypto_backend: openssl
|
||||||
certificate_name: cert-1
|
|
||||||
key_type: rsa
|
|
||||||
rsa_bits: 2048
|
|
||||||
subject_alt_name: "DNS:example.com"
|
|
||||||
subject_alt_name_critical: no
|
|
||||||
account_key_content: "{{ lookup('file', output_dir ~ '/account-ec256.pem') }}"
|
|
||||||
challenge: http-01
|
|
||||||
modify_account: yes
|
|
||||||
deactivate_authzs: no
|
|
||||||
force: no
|
|
||||||
remaining_days: 10
|
|
||||||
terms_agreed: yes
|
|
||||||
account_email: "example@example.org"
|
|
||||||
- name: Obtain cert 2
|
|
||||||
include_tasks: obtain-cert.yml
|
|
||||||
vars:
|
|
||||||
certgen_title: Certificate 2 for revocation
|
|
||||||
certificate_name: cert-2
|
|
||||||
key_type: ec256
|
|
||||||
subject_alt_name: "DNS:*.example.com"
|
|
||||||
subject_alt_name_critical: yes
|
|
||||||
account_key: account-ec384
|
|
||||||
challenge: dns-01
|
|
||||||
modify_account: yes
|
|
||||||
deactivate_authzs: yes
|
|
||||||
force: no
|
|
||||||
remaining_days: 10
|
|
||||||
terms_agreed: yes
|
|
||||||
account_email: "example@example.org"
|
|
||||||
- name: Obtain cert 3
|
|
||||||
include_tasks: obtain-cert.yml
|
|
||||||
vars:
|
|
||||||
certgen_title: Certificate 3 for revocation
|
|
||||||
certificate_name: cert-3
|
|
||||||
key_type: ec384
|
|
||||||
subject_alt_name: "DNS:t1.example.com"
|
|
||||||
subject_alt_name_critical: no
|
|
||||||
account_key: account-rsa2048
|
|
||||||
challenge: dns-01
|
|
||||||
modify_account: yes
|
|
||||||
deactivate_authzs: no
|
|
||||||
force: no
|
|
||||||
remaining_days: 10
|
|
||||||
terms_agreed: yes
|
|
||||||
account_email: "example@example.org"
|
|
||||||
## REVOKE CERTIFICATES ########################################################################
|
|
||||||
- name: Revoke certificate 1 via account key
|
|
||||||
acme_certificate_revoke:
|
|
||||||
account_key_src: "{{ output_dir }}/account-ec256.pem"
|
|
||||||
certificate: "{{ output_dir }}/cert-1.pem"
|
|
||||||
acme_version: 2
|
|
||||||
acme_directory: https://{{ acme_host }}:14000/dir
|
|
||||||
validate_certs: no
|
|
||||||
ignore_errors: yes
|
|
||||||
register: cert_1_revoke
|
|
||||||
- name: Revoke certificate 2 via certificate private key
|
|
||||||
acme_certificate_revoke:
|
|
||||||
private_key_src: "{{ output_dir }}/cert-2.key"
|
|
||||||
certificate: "{{ output_dir }}/cert-2.pem"
|
|
||||||
acme_version: 2
|
|
||||||
acme_directory: https://{{ acme_host }}:14000/dir
|
|
||||||
validate_certs: no
|
|
||||||
ignore_errors: yes
|
|
||||||
register: cert_2_revoke
|
|
||||||
- name: Revoke certificate 3 via account key (fullchain)
|
|
||||||
acme_certificate_revoke:
|
|
||||||
account_key_content: "{{ lookup('file', output_dir ~ '/account-rsa2048.pem') }}"
|
|
||||||
certificate: "{{ output_dir }}/cert-3-fullchain.pem"
|
|
||||||
acme_version: 2
|
|
||||||
acme_directory: https://{{ acme_host }}:14000/dir
|
|
||||||
validate_certs: no
|
|
||||||
ignore_errors: yes
|
|
||||||
register: cert_3_revoke
|
|
||||||
|
|
||||||
- import_tasks: ../tests/validate.yml
|
- import_tasks: ../tests/validate.yml
|
||||||
|
|
||||||
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
|
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
|
||||||
when: openssl_version.stdout is version('1.0.0', '>=')
|
when: openssl_version.stdout is version('1.0.0', '>=')
|
||||||
|
|
||||||
|
- name: Remove output directory
|
||||||
|
file:
|
||||||
|
path: "{{ output_dir }}"
|
||||||
|
state: absent
|
||||||
|
|
||||||
|
- name: Re-create output directory
|
||||||
|
file:
|
||||||
|
path: "{{ output_dir }}"
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Running tests with cryptography backend
|
||||||
|
include_tasks: impl.yml
|
||||||
|
vars:
|
||||||
|
select_crypto_backend: cryptography
|
||||||
|
|
||||||
|
- import_tasks: ../tests/validate.yml
|
||||||
|
|
||||||
|
when: cryptography_version.stdout is version('1.5', '>=')
|
||||||
|
Loading…
Reference in New Issue