* Generate SHA256 signed certificates
Vulnerability scanners are increasingly reporting SHA-1 signed certificates as a vulnerability on servers. Before this change, -ForceNewSSLCert generates a signature algorithm that openssl shows as sha1WithRSAEncryption for WinRM port 5986. After, this forces certificates to be signed with SHA256, which openssl shows sha256WithRSAEncryption.
Some example SHA-1 deprecations include:
- https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2017/4010323
- https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
Also note that RDP 3389 on Windows 2016 also defaults to a SHA256 certificate.
The specifics were merged from a script mod I found at https://gallery.technet.microsoft.com/scriptcenter/PowerShell-script-to-7a0321b7 intended for Exchange. It also includes a mod to add an alternate DNS listing so the cert contains CN=HOSTNAME plus now also an alternative of the FQDN.
I tested this change on Windows 2008R2, 2012R2, and 2016 Datacenter.
* Keep WinRM cert key length at 4096.
* Remove WinRM cert exportpolicy setting.
updated with newer methods
fixed ssl name to match ansible convention
more options for host info
added vars_prefix
added comments explaining current flow
reformatted commented out code so pep8 can be happy
enabled caching
* File module: correct description of "state"
It was probably intended to say "intermediate subdirectories will be created" and not "immediate subdirectories will be created".
The «if err» test always passed after #cf938e99926 changed the earlier
assignment to always set err to "\n" if stderr was empty, and so every
script plugin (e.g., ec2.py) started to always report an empty ERROR.
* add user password lock option to user module
* fixup! add user password lock option to user module
* add unlock, set no default
* fixup! add unlock, set no default
* fixup! fixup! add unlock, set no default
* add lock password for FreeBSD, netBSD
* fixup! add lock password for FreeBSD, netBSD
* Update the documentation to list Python 3 as official
* Add some reference targets for inventory variables so we can link to docs
* Add a platform FAQ section
Populate it with
* virtualenv info (previously on the python3 support page)
* BSD (Link to the working with BSD page)
* Solaris (Document how to work around the non-POSIX shell on some
Solaris hosts)
Fixes #21594
* Fix some refs in the release_and_maintenance document
* Fix unindent error in module template
Fix for the module/plugin template unintentionally unindented inside of
a raw block, leading to errors like:
ERROR: docs/docsite/rst/modules/redshift_facts_module.rst:289:0: Explicit markup ends without a blank line; unexpected unindent.
* Make wording for Solaris troubleshooting better.
The docs suggest that `port` parameter is the default port upon
which targets listen. As such, a target need only provide a `Port`
key to override the default.
The big one is that we needed to set plugin_type when we processed the by_support template.
Also added to list_of_CATEGORY_plugins page (which might not be used)
and corrected a place where I did module_name instead of name_module
The regex to find labels inside of angle brackets was not detecting
anything before so I missed all of those.
* Fixed the regex in find-plugin-refs to take care of that.
* Fixed plugin_formatter to emit namespaced labels for the M() macro.
* Add yarn module based off of NPM module, adjust syntax for install cmd
* Update author list
* Add Return docblock
* Remove extra var assignment
* Always return output without emojis, small changes for yarn 0.16.1
* Move import line, add ANSIBLE_METADATA, bump version_added
* Updating module format to meet newest lint requirements. Update options and example docs.
* Bring back RETURN block and main() execution.
* All trailing whitespace removed.
* Remove json try/except.
* Add initial pass at setting up Yarn integration tests.
* Add better handling for latest and removal states. Add tests for upgrading a single package.
* Fix issue where state=latest for installing all packages caused failure.
* Set yarn bin to latest version for tests. Fix sanity tests.
* Switch template task to copy task in yarn integration tests.
* Update apt.py
Proposing description of "cache_valid_time" for Ansible 2.4 or greater.
If 'cache_valid_time' is set, 'update_cache' is set implicitly.
This means the logic should be reversed.
label: docsite_pr
* Proposing the description of "cache_valid_time".
This commit follows the discussion in #37972.
label: docsite_pr
* Update win_certificate_store.py
Improvements to describe the different destination stores.
+label: docsite_pr
* Update win_certificate_store.py
Whole line needs to be quoted -- lingfish YAML fail.
We're porting autogenerated plugin docs so that :ref: targets are
namespaced by plugin type. To do this effectively, we need to know
where all the :ref: targets which refer to the bare plugin names are in
the rst files. This script will find those.