@ -85,15 +85,23 @@ options:
- Digest algorithm to be used when self - signing the certificate
- Digest algorithm to be used when self - signing the certificate
selfsigned_not_before :
selfsigned_not_before :
default : + 0 s
description :
description :
- The timestamp at which the certificate starts being valid . The timestamp is formatted as an ASN .1 TIME .
- " The point in time the certificate is valid from. Time can be specified either as relative time or as absolute timestamp.
If this value is not specified , certificate will start being valid from now .
Time will always be interpreted as UTC . Valid formats are : C ( [ + - ] timespec | ASN .1 TIME )
where timespec can be an integer + C ( [ w | d | h | m | s ] ) ( e . g . C ( + 32 w1d2h ) .
Note that if using relative time this module is NOT idempotent .
If this value is not specified , the certificate will start being valid from now . "
aliases : [ selfsigned_notBefore ]
aliases : [ selfsigned_notBefore ]
selfsigned_not_after :
selfsigned_not_after :
default : + 3650 d
description :
description :
- The timestamp at which the certificate stops being valid . The timestamp is formatted as an ASN .1 TIME .
- " The point in time at which the certificate stops being valid. Time can be specified either as relative time or as absolute timestamp.
If this value is not specified , certificate will stop being valid 10 years from now .
Time will always be interpreted as UTC . Valid formats are : C ( [ + - ] timespec | ASN .1 TIME )
where timespec can be an integer + C ( [ w | d | h | m | s ] ) ( e . g . C ( + 32 w1d2h ) .
Note that if using relative time this module is NOT idempotent .
If this value is not specified , the certificate will stop being valid 10 years from now . "
aliases : [ selfsigned_notAfter ]
aliases : [ selfsigned_notAfter ]
ownca_path :
ownca_path :
@ -124,15 +132,23 @@ options:
version_added : " 2.7 "
version_added : " 2.7 "
ownca_not_before :
ownca_not_before :
default : + 0 s
description :
description :
- The timestamp at which the certificate starts being valid . The timestamp is formatted as an ASN .1 TIME .
- " The point in time the certificate is valid from. Time can be specified either as relative time or as absolute timestamp.
If this value is not specified , certificate will start being valid from now .
Time will always be interpreted as UTC . Valid formats are : C ( [ + - ] timespec | ASN .1 TIME )
where timespec can be an integer + C ( [ w | d | h | m | s ] ) ( e . g . C ( + 32 w1d2h ) .
Note that if using relative time this module is NOT idempotent .
If this value is not specified , the certificate will start being valid from now . "
version_added : " 2.7 "
version_added : " 2.7 "
ownca_not_after :
ownca_not_after :
default : + 3650 d
description :
description :
- The timestamp at which the certificate stops being valid . The timestamp is formatted as an ASN .1 TIME .
- " The point in time at which the certificate stops being valid. Time can be specified either as relative time or as absolute timestamp.
If this value is not specified , certificate will stop being valid 10 years from now .
Time will always be interpreted as UTC . Valid formats are : C ( [ + - ] timespec | ASN .1 TIME )
where timespec can be an integer + C ( [ w | d | h | m | s ] ) ( e . g . C ( + 32 w1d2h ) .
Note that if using relative time this module is NOT idempotent .
If this value is not specified , the certificate will stop being valid 10 years from now . "
version_added : " 2.7 "
version_added : " 2.7 "
acme_accountkey_path :
acme_accountkey_path :
@ -209,7 +225,10 @@ options:
valid_in :
valid_in :
description :
description :
- The certificate must still be valid in I ( valid_in ) seconds from now .
- " The certificate must still be valid at this relative time offset from now.
Valid formats are : C ( [ + - ] timespec | number_of_seconds )
where timespec can be an integer + C ( [ w | d | h | m | s ] ) ( e . g . C ( + 32 w1d2h ) .
Note that if using this parameter , this module is NOT idempotent . "
key_usage :
key_usage :
description :
description :
@ -436,6 +455,19 @@ class Certificate(crypto_utils.OpenSSLObject):
self . csr = None
self . csr = None
self . module = module
self . module = module
def get_relative_time_option ( self , input_string , input_name ) :
""" Return an ASN1 formatted string if a relative timespec
or an ASN1 formatted string is provided . """
result = input_string
if result . startswith ( " + " ) or result . startswith ( " - " ) :
result = crypto_utils . convert_relative_to_datetime (
result ) . strftime ( " % Y % m %d % H % M % SZ " )
if result is None :
raise CertificateError (
' The timespec " %s " for %s is not valid ' %
input_string , input_name )
return result
def check ( self , module , perms_required = True ) :
def check ( self , module , perms_required = True ) :
""" Ensure the resource is in its desired state. """
""" Ensure the resource is in its desired state. """
@ -495,8 +527,8 @@ class SelfSignedCertificate(Certificate):
def __init__ ( self , module ) :
def __init__ ( self , module ) :
super ( SelfSignedCertificate , self ) . __init__ ( module )
super ( SelfSignedCertificate , self ) . __init__ ( module )
self . notBefore = module . params [ ' selfsigned_not Before' ]
self . notBefore = self . get_relative_time_option ( module . params [ ' selfsigned_not _before' ] , ' selfsigned_not_before ' )
self . notAfter = module . params [ ' selfsigned_not After' ]
self . notAfter = self . get_relative_time_option ( module . params [ ' selfsigned_not _after' ] , ' selfsigned_not_after ' )
self . digest = module . params [ ' selfsigned_digest ' ]
self . digest = module . params [ ' selfsigned_digest ' ]
self . version = module . params [ ' selfsigned_version ' ]
self . version = module . params [ ' selfsigned_version ' ]
self . serial_number = randint ( 1000 , 99999 )
self . serial_number = randint ( 1000 , 99999 )
@ -520,16 +552,8 @@ class SelfSignedCertificate(Certificate):
if not self . check ( module , perms_required = False ) or self . force :
if not self . check ( module , perms_required = False ) or self . force :
cert = crypto . X509 ( )
cert = crypto . X509 ( )
cert . set_serial_number ( self . serial_number )
cert . set_serial_number ( self . serial_number )
if self . notBefore :
cert . set_notBefore ( to_bytes ( self . notBefore ) )
cert . set_notBefore ( to_bytes ( self . notBefore ) )
else :
cert . gmtime_adj_notBefore ( 0 )
if self . notAfter :
cert . set_notAfter ( to_bytes ( self . notAfter ) )
cert . set_notAfter ( to_bytes ( self . notAfter ) )
else :
# If no NotAfter specified, expire in
# 10 years. 315360000 is 10 years in seconds.
cert . gmtime_adj_notAfter ( 315360000 )
cert . set_subject ( self . csr . get_subject ( ) )
cert . set_subject ( self . csr . get_subject ( ) )
cert . set_issuer ( self . csr . get_subject ( ) )
cert . set_issuer ( self . csr . get_subject ( ) )
cert . set_version ( self . version - 1 )
cert . set_version ( self . version - 1 )
@ -561,11 +585,9 @@ class SelfSignedCertificate(Certificate):
}
}
if check_mode :
if check_mode :
now = datetime . datetime . utcnow ( )
ten = now . replace ( now . year + 10 )
result . update ( {
result . update ( {
' notBefore ' : self . notBefore if self . notBefore else now . strftime ( " % Y % m %d % H % M % SZ " ) ,
' notBefore ' : self . notBefore ,
' notAfter ' : self . notAfter if self . notAfter else ten . strftime ( " % Y % m %d % H % M % SZ " ) ,
' notAfter ' : self . notAfter ,
' serial_number ' : self . serial_number ,
' serial_number ' : self . serial_number ,
} )
} )
else :
else :
@ -583,8 +605,8 @@ class OwnCACertificate(Certificate):
def __init__ ( self , module ) :
def __init__ ( self , module ) :
super ( OwnCACertificate , self ) . __init__ ( module )
super ( OwnCACertificate , self ) . __init__ ( module )
self . notBefore = module . params [ ' ownca_not_before ' ]
self . notBefore = self . get_relative_time_option ( module . params [ ' ownca_not_before ' ] , ' ownca_not_before ' )
self . notAfter = module . params [ ' ownca_not_after ' ]
self . notAfter = self . get_relative_time_option ( module . params [ ' ownca_not_after ' ] , ' ownca_not_after ' )
self . digest = module . params [ ' ownca_digest ' ]
self . digest = module . params [ ' ownca_digest ' ]
self . version = module . params [ ' ownca_version ' ]
self . version = module . params [ ' ownca_version ' ]
self . serial_number = randint ( 1000 , 99999 )
self . serial_number = randint ( 1000 , 99999 )
@ -617,16 +639,8 @@ class OwnCACertificate(Certificate):
if not self . check ( module , perms_required = False ) or self . force :
if not self . check ( module , perms_required = False ) or self . force :
cert = crypto . X509 ( )
cert = crypto . X509 ( )
cert . set_serial_number ( self . serial_number )
cert . set_serial_number ( self . serial_number )
if self . notBefore :
cert . set_notBefore ( to_bytes ( self . notBefore ) )
cert . set_notBefore ( to_bytes ( self . notBefore ) )
else :
cert . gmtime_adj_notBefore ( 0 )
if self . notAfter :
cert . set_notAfter ( to_bytes ( self . notAfter ) )
cert . set_notAfter ( to_bytes ( self . notAfter ) )
else :
# If no NotAfter specified, expire in
# 10 years. 315360000 is 10 years in seconds.
cert . gmtime_adj_notAfter ( 315360000 )
cert . set_subject ( self . csr . get_subject ( ) )
cert . set_subject ( self . csr . get_subject ( ) )
cert . set_issuer ( self . ca_cert . get_subject ( ) )
cert . set_issuer ( self . ca_cert . get_subject ( ) )
cert . set_version ( self . version - 1 )
cert . set_version ( self . version - 1 )
@ -660,11 +674,9 @@ class OwnCACertificate(Certificate):
}
}
if check_mode :
if check_mode :
now = datetime . datetime . utcnow ( )
ten = now . replace ( now . year + 10 )
result . update ( {
result . update ( {
' notBefore ' : self . notBefore if self . notBefore else now . strftime ( " % Y % m %d % H % M % SZ " ) ,
' notBefore ' : self . notBefore ,
' notAfter ' : self . notAfter if self . notAfter else ten . strftime ( " % Y % m %d % H % M % SZ " ) ,
' notAfter ' : self . notAfter ,
' serial_number ' : self . serial_number ,
' serial_number ' : self . serial_number ,
} )
} )
else :
else :
@ -854,15 +866,22 @@ class AssertOnlyCertificate(Certificate):
def _validate_valid_in ( ) :
def _validate_valid_in ( ) :
if self . valid_in :
if self . valid_in :
valid_in_date = datetime . datetime . utcnow ( ) + datetime . timedelta ( seconds = self . valid_in )
if not self . valid_in . startswith ( " + " ) and not self . valid_in . startswith ( " - " ) :
valid_in_date = to_bytes ( valid_in_date . strftime ( ' % Y % m %d % H % M % SZ ' ) , errors = ' surrogate_or_strict ' )
try :
if not ( self . cert . get_notBefore ( ) < = valid_in_date < = self . cert . get_notAfter ( ) ) :
int ( self . valid_in )
except ValueError :
raise CertificateError (
' The supplied value for " valid_in " ( %s ) is not an integer or a valid timespec ' % self . valid_in )
self . valid_in = " + " + self . valid_in + " s "
valid_in_asn1 = self . get_relative_time_option ( self . valid_in , " valid_in " )
valid_in_date = to_bytes ( valid_in_asn1 , errors = ' surrogate_or_strict ' )
if not ( self . cert . get_notBefore ( ) < = valid_in_date < =
self . cert . get_notAfter ( ) ) :
self . message . append (
self . message . append (
' Certificate is not valid in %s seconds from now ( %s ) - notBefore: %s - notAfter: %s ' % ( self . valid_in ,
' Certificate is not valid in %s from now (that would be %s ) - notBefore: %s - notAfter: %s '
valid_in_date ,
% ( self . valid_in , valid_in_date ,
self . cert . get_notBefore ( ) ,
self . cert . get_notBefore ( ) ,
self . cert . get_notAfter ( ) )
self . cert . get_notAfter ( ) ) )
)
for validation in [ ' signature_algorithms ' , ' subject ' , ' issuer ' ,
for validation in [ ' signature_algorithms ' , ' subject ' , ' issuer ' ,
' has_expired ' , ' version ' , ' keyUsage ' ,
' has_expired ' , ' version ' , ' keyUsage ' ,
@ -1004,13 +1023,15 @@ def main():
notAfter = dict ( type = ' str ' , aliases = [ ' not_after ' ] ) ,
notAfter = dict ( type = ' str ' , aliases = [ ' not_after ' ] ) ,
valid_at = dict ( type = ' str ' ) ,
valid_at = dict ( type = ' str ' ) ,
invalid_at = dict ( type = ' str ' ) ,
invalid_at = dict ( type = ' str ' ) ,
valid_in = dict ( type = ' int ' ) ,
valid_in = dict ( type = ' str ' ) ,
# provider: selfsigned
# provider: selfsigned
selfsigned_version = dict ( type = ' int ' , default = ' 3 ' ) ,
selfsigned_version = dict ( type = ' int ' , default = ' 3 ' ) ,
selfsigned_digest = dict ( type = ' str ' , default = ' sha256 ' ) ,
selfsigned_digest = dict ( type = ' str ' , default = ' sha256 ' ) ,
selfsigned_notBefore = dict ( type = ' str ' , aliases = [ ' selfsigned_not_before ' ] ) ,
selfsigned_not_before = dict (
selfsigned_notAfter = dict ( type = ' str ' , aliases = [ ' selfsigned_not_after ' ] ) ,
type = ' str ' , default = ' +0s ' , aliases = [ ' selfsigned_notBefore ' ] ) ,
selfsigned_not_after = dict (
type = ' str ' , default = ' +3650d ' , aliases = [ ' selfsigned_notAfter ' ] ) ,
# provider: ownca
# provider: ownca
ownca_path = dict ( type = ' path ' ) ,
ownca_path = dict ( type = ' path ' ) ,
@ -1018,8 +1039,8 @@ def main():
ownca_privatekey_passphrase = dict ( type = ' path ' , no_log = True ) ,
ownca_privatekey_passphrase = dict ( type = ' path ' , no_log = True ) ,
ownca_digest = dict ( type = ' str ' , default = ' sha256 ' ) ,
ownca_digest = dict ( type = ' str ' , default = ' sha256 ' ) ,
ownca_version = dict ( type = ' int ' , default = ' 3 ' ) ,
ownca_version = dict ( type = ' int ' , default = ' 3 ' ) ,
ownca_not_before = dict ( type = ' str ' ),
ownca_not_before = dict ( type = ' str ' , default = ' +0s ' ),
ownca_not_after = dict ( type = ' str ' ),
ownca_not_after = dict ( type = ' str ' , default = ' +3650d ' ),
# provider: acme
# provider: acme
acme_accountkey_path = dict ( type = ' path ' ) ,
acme_accountkey_path = dict ( type = ' path ' ) ,