Topics
- v2.23.0
- v2.22.3
- v2.22.2
- v2.22.1
- v2.22.0
- v2.21.1
- v2.21.0
- v2.20.0
- v2.19.1
- v2.19.0
- v2.18.0
- v2.17.1
- v2.17.0
- v2.16.2
- v2.16.1
- v2.16.0
- v2.15.1
- v2.15.0
- v2.14.1
- v2.14.0
- v2.13.1
- v2.13.0
- v2.12.0
- v2.11.1
- v2.11.0
- v2.10.0
- v2.9.0
- v2.8.1
- v2.8.0
- v2.7.1
- v2.7.0
- v2.6.0
- v2.5.0
- v2.4.0
- v2.3.4
- v2.3.3
- v2.3.2
- v2.3.1
- v2.3.0
- v2.2.4
- v2.2.3
- v2.2.2
- v2.2.1
- v2.2.0
- v2.1.0
- v2.0.2
- v2.0.1
- v2.0.0
- v1.9.4
- v1.9.3
- v1.9.2
- v1.9.1
- v1.9.0
- v1.8.0
- v1.7.1
- v1.7.0
- v1.6.2
- v1.6.1
- v1.6.0
- v1.5.0
- v1.4.0
- v1.3.0
- v1.2.0
- v1.1.1
- v1.1.0
- v1.0.0
Feature release.
- acme_certificate - add compatibility for ACME CAs that are not fully RFC8555 compliant and do not provide
challenges
in authz objects (#824, #832). - luks_device - allow to provide passphrases base64-encoded (#827, #829).
- x509_certificate_convert - add new option
verify_cert_parsable
which allows to check whether the certificate can actually be parsed (#809, #830).
- openssl_pkcs12 - the PyOpenSSL based backend is deprecated and will be removed from community.crypto 3.0.0. From that point on you need cryptography 3.0 or newer to use this module (#667, #831).
Bugfix release.
- acme_* modules - when using the OpenSSL backend, explicitly use the UTC timezone in Python code (#811).
- time module utils - fix conversion of naive
datetime
objects to UNIX timestamps for Python 3 (#808, #810).
Bugfix release.
- acme_certificate - fix authorization failure when CSR contains SANs with mixed case (#803).
Bugfix release.
- acme_* modules - when querying renewal information, make sure to insert a slash between the base URL and the certificate identifier (#801, #802).
- various modules - pass absolute paths to
module.atomic_move()
(ansible/ansible#83950, #799).
Feature release.
- openssl_privatekey, openssl_privatekey_pipe - add default value
auto
forcipher
option, which happens to be the only supported value for this option anyway. Therefore it is no longer necessary to specifycipher=auto
when providingpassphrase
(#793, #794).
Maintenance release.
- When using cryptography >= 43.0.0, use offset-aware
datetime.datetime
objects (with timezone UTC) instead of offset-naive UTC timestamps for theInvalidityDate
X.509 CRL extension (#726, #730).
Feature release.
- certificate_complete_chain - add ability to identify Ed25519 and Ed448 complete chains (#777).
- get_certificate - adds
tls_ctx_options
option for specifying SSL CTX options (#779). - get_certificate - allow to obtain the certificate chain sent by the server, and the one used for validation, with the new
get_certificate_chain
option. Note that this option only works if the module is run with Python 3.10 or newer (#568, #784).
Feature and bugfix release.
The deprecations in this release are only relevant for collections that use shared code or docs fragments from this collection.
- acme_certificate - add
include_renewal_cert_id
option to allow requesting renewal of a specific certificate according to the current ACME Renewal Information specification draft (#739).
- acme documentation fragment - the default
community.crypto.acme[.documentation]
docs fragment is deprecated and will be removed from community.crypto 3.0.0. Replace it with both the newcommunity.crypto.acme.basic
andcommunity.crypto.acme.account
fragments (#735). - acme.backends module utils - the
get_cert_information()
method for a ACME crypto backend must be implemented from community.crypto 3.0.0 on (#736). - crypto.module_backends.common module utils - the
crypto.module_backends.common
module utils is deprecated and will be removed from community.crypto 3.0.0. Use the improvedargspec
module util instead (#749).
- x509_crl, x509_certificate, x509_certificate_info - when parsing absolute timestamps which omitted the second count, the first digit of the minutes was used as a one-digit minutes count, and the second digit of the minutes as a one-digit second count (#745).
- community.crypto.acme_ari_info - Retrieves ACME Renewal Information (ARI) for a certificate.
- community.crypto.acme_certificate_deactivate_authz - Deactivate all authz for an ACME v2 order.
- community.crypto.acme_certificate_renewal_info - Determine whether a certificate should be renewed or not.
Bugfix release.
- crypto.math module utils - change return values for
quick_is_not_prime()
andconvert_int_to_bytes(0, 0)
for special cases that do not appear when using the collection (#733). - ecs_certificate - fixed
csr
option to be empty and allow renewal of a specific certificate according to the Renewal Information specification (#740). - x509_certificate - since community.crypto 2.19.0 the module was no longer idempotent with respect to
not_before
andnot_after
times. This is now fixed (#753, #754).
Bugfix and feature release.
- When using cryptography >= 42.0.0, use offset-aware
datetime.datetime
objects (with timezone UTC) instead of offset-naive UTC timestamps (#726, #727). - openssh_cert - avoid UTC functions deprecated in Python 3.12 when using Python 3 (#727).
- acme.backends module utils - from community.crypto on, all implementations of
CryptoBackend
must overrideget_ordered_csr_identifiers()
. The current default implementation, which simply sorts the result ofget_csr_identifiers()
, will then be removed (#725).
- acme_certificate - respect the order of the CNAME and SAN identifiers that are passed on when creating an ACME order (#723, #725).
- community.crypto.x509_certificate_convert - Convert X.509 certificates
Bugfix and feature release.
- x509_crl - the new option
serial_numbers
allow to configure in which format serial numbers can be provided torevoked_certificates[].serial_number
. The default is as integers (serial_numbers=integer
) for backwards compatibility; settingserial_numbers=hex-octets
allows to specify colon-separated hex octet strings like00:11:22:FF
(#687, #715).
- openssl_csr_pipe, openssl_privatekey_pipe, x509_certificate_pipe - the current behavior of check mode is deprecated and will change in community.crypto 3.0.0. The current behavior is similar to the modules without
_pipe
: if the object needs to be (re-)generated, only thechanged
status is set, but the object is not updated. From community.crypto 3.0.0 on, the modules will ignore check mode and always act as if check mode is not active. This behavior can already achieved now by addingcheck_mode: false
to the task. If you think this breaks your use-case of this module, please create an issue in the community.crypto repository (#712, #714).
- luks_device - fixed module a bug that prevented using
remove_keyslot
with the value0
(#710). - luks_device - fixed module falsely outputting
changed=false
when trying to add a new slot with a key that is already present in another slot. The module now rejects adding keys that are already present in another slot (#710). - luks_device - fixed testing of LUKS passphrases in when specifying a keyslot for cryptsetup version 2.0.3. The output of this cryptsetup version slightly differs from later versions (#710).
- community.crypto.parse_serial - Convert a serial number as a colon-separated list of hex numbers to an integer
- community.crypto.to_serial - Convert an integer to a colon-separated list of hex numbers
Bugfix release for compatibility with cryptography 42.0.0.
- openssl_dhparam - was using an internal function instead of the public API to load DH param files when using the
cryptography
backend. The internal function was removed in cryptography 42.0.0. The module now uses the public API, which has been available since support for DH params was added to cryptography (#698). - openssl_privatekey_info -
check_consistency=true
no longer works for RSA keys with cryptography 42.0.0+ (#701). - openssl_privatekey_info -
check_consistency=true
now reports a warning if it cannot determine consistency (#705).
Feature release.
- luks_device - add allow discards option (#693).
Bugfix release.
- acme_* modules - directly react on bad return data for account creation/retrieval/updating requests (#682).
- acme_* modules - fix improved error reporting in case of socket errors, bad status lines, and unknown connection errors (#684).
- acme_* modules - increase number of retries from 5 to 10 to increase stability with unstable ACME endpoints (#685).
- acme_* modules - make account registration handling more flexible to accept 404 instead of 400 send by DigiCert's ACME endpoint when an account does not exist (#681).
Bugfix release.
- acme_* modules - also retry requests in case of socket errors, bad status lines, and unknown connection errors; improve error messages in these cases (#680).
Bugfix release.
- luks_devices - add new options
keyslot
,new_keyslot
, andremove_keyslot
to allow adding/removing keys to/from specific keyslots (#664).
- openssl_pkcs12 - modify autodetect to not detect pyOpenSSL >= 23.3.0, which removed PKCS#12 support (#666).
Bugfix release.
Bugfix and feature release.
- openssh_keypair - fail when comment cannot be updated (#646).
- get_certificate - the default
false
of theasn1_base64
option is deprecated and will change totrue
in community.crypto 3.0.0 (#600).
- openssh_cert, openssh_keypair - the modules ignored return codes of
ssh
andssh-keygen
in some cases (#645, #646). - openssh_keypair - fix comment updating for OpenSSH before 6.5 (#646).
- community.crypto.gpg_fingerprint - Retrieve a GPG fingerprint from a GPG public or private key
- community.crypto.gpg_fingerprint - Retrieve a GPG fingerprint from a GPG public or private key file
Bugfix and maintenance release with updated documentation.
From this version on, community.crypto is using the new Ansible semantic markup in its documentation. If you look at documentation with the ansible-doc CLI tool from ansible-core before 2.15, please note that it does not render the markup correctly. You should be still able to read it in most cases, but you need ansible-core 2.15 or later to see it as it is intended. Alternatively you can look at the devel docsite for the rendered HTML version of the documentation of the latest release.
- Fix PEM detection/identification to also accept random other lines before the line starting with
-----BEGIN
(#627, #628).
- Ansible markup will show up in raw form on ansible-doc text output for ansible-core before 2.15. If you have trouble deciphering the documentation markup, please upgrade to ansible-core 2.15 (or newer), or read the HTML documentation on https://docs.ansible.com/ansible/devel/collections/community/crypto/.
Feature release.
- acme_certificate - allow to use no challenge by providing
no challenge
for thechallenge
option. This is needed for ACME servers where validation is done without challenges (#613, #615). - acme_certificate - validate and wait for challenges in parallel instead handling them one after another (#617).
- x509_certificate_info - added support for certificates in DER format when using
path
parameter (#603).
Bugfix release.
- execution environment definition - fix installation of
python3-pyOpenSSL
package on CentOS and RHEL (#606). - execution environment definition - fix source of
python3-pyOpenSSL
package for Rocky Linux 9+ (#606).
Bugfix and maintenance release.
- x509_crl - the
crl_mode
option has been added to replace the existingmode
option (#596).
- x509_crl - the
mode
option is deprecated; usecrl_mode
instead. Themode
option will change its meaning in community.crypto 3.0.0, and will refer to the CRL file's mode instead (#596).
- openssh_keypair - always generate a new key pair if the private key does not exist. Previously, the module would fail when
regenerate=fail
without an existing key, contradicting the documentation (#598). - x509_crl - remove problem with ansible-core 2.16 due to
AnsibleModule
is now validating themode
parameter's values (#596).
Feature release.
- get_certificate - add
asn1_base64
option to control whether the ASN.1 included in theextensions
return value is binary data or Base64 encoded (#592).
Maintenance release with improved documentation.
Feature and bugfix release.
- get_certificate - adds
ciphers
option for custom cipher selection (#571).
- action plugin helper - fix handling of deprecations for ansible-core 2.14.2 (#572).
- execution environment binary dependencies (bindep.txt) - fix
python3-pyOpenSSL
dependency resolution on RHEL 9+ / CentOS Stream 9+ platforms (#575). - various plugins - remove unnecessary imports (#569).
Bugfix and feature release.
- openssl_csr, openssl_csr_pipe - prevent invalid values for
crl_distribution_points
that do not have one offull_name
,relative_name
, andcrl_issuer
(#560). - openssl_publickey_info - do not crash with internal error when public key cannot be parsed (#551).
- community.crypto.openssl_csr_info - Retrieve information from OpenSSL Certificate Signing Requests (CSR)
- community.crypto.openssl_privatekey_info - Retrieve information from OpenSSL private keys
- community.crypto.openssl_publickey_info - Retrieve information from OpenSSL public keys in PEM format
- community.crypto.split_pem - Split PEM file contents into multiple objects
- community.crypto.x509_certificate_info - Retrieve information from X.509 certificates in PEM format
- community.crypto.x509_crl_info - Retrieve information from X.509 CRLs in PEM format
Regular feature release.
- x509_certificate_info - adds
issuer_uri
field in return value based on Authority Information Access data (#530).
Maintenance release with improved documentation.
Feature release.
- acme_* modules - handle more gracefully if CA's new nonce call does not return a nonce (#525).
- acme_* modules - include symbolic HTTP status codes in error and log messages when available (#524).
- openssl_pkcs12 - add option
encryption_level
which allows to chosecompatibility2022
when cryptography >= 38.0.0 is used to enable a more backwards compatible encryption algorithm. If cryptography uses OpenSSL 3.0.0 or newer, the default algorithm is not compatible with older software (#523).
Maintenance release.
Feature release.
- acme* modules - also support the HTTP 503 Service Unavailable and 408 Request Timeout response status for automatic retries (#513).
- openssl_privatekey_pipe - ensure compatibility with newer versions of ansible-core (#515).
Feature release.
- acme* modules - support the HTTP 429 Too Many Requests response status (#508).
- openssh_keypair - added
pkcs1
,pkcs8
, andssh
to the available choices for theprivate_key_format
option (#511).
Maintenance release with improved licensing declaration and documentation fixes.
- All software licenses are now in the
LICENSES/
directory of the collection root. Moreover,SPDX-License-Identifier:
is used to declare the applicable license for every file that is not automatically generated (#491).
Deprecation and bugfix release. No new features this time.
- Support for Ansible 2.9 and ansible-base 2.10 is deprecated, and will be removed in the next major release (community.crypto 3.0.0). Some modules might still work with these versions afterwards, but we will no longer keep compatibility code that was needed to support them (#460).
- openssl_pkcs12 - when using the pyOpenSSL backend, do not crash when trying to read non-existing other certificates (#486, #487).
Re-release of what was intended to be 2.3.3.
A mistake during the release process caused the 2.3.3 tag to end up on the commit for 1.9.17, which caused the release pipeline to re-publish 1.9.17 as 2.3.3.
This release is identical to what should have been 2.3.3, except that the version number has been bumped to 2.3.4 and this changelog entry for 2.3.4 has been added.
Bugfix release.
- Include
Apache-2.0.txt
file forplugins/module_utils/crypto/_obj2txt.py
andplugins/module_utils/crypto/_objects_data.py
. - openssl_csr - the module no longer crashes with 'permitted_subtrees/excluded_subtrees must be a non-empty list or None' if only one of
name_constraints_permitted
andname_constraints_excluded
is provided (#481). - x509_crl - do not crash when signing CRL with Ed25519 or Ed448 keys (#473, #474).
Maintenance and bugfix release.
- Include
simplified_bsd.txt
license file for the ECS module utils. - certificate_complete_chain - do not stop execution if an unsupported signature algorithm is encountered; warn instead (#457).
Maintenance release.
- Include
PSF-license.txt
file forplugins/module_utils/_version.py
.
Feature and bugfix release.
- Prepare collection for inclusion in an Execution Environment by declaring its dependencies. Please note that system packages are used for cryptography and PyOpenSSL, which can be rather limited. If you need features from newer cryptography versions, you will have to manually force a newer version to be installed by pip by specifying something like
cryptography >= 37.0.0
in your Execution Environment's Python dependencies file (#440). - Support automatic conversion for Internalionalized Domain Names (IDNs). When passing general names, for example Subject Alternative Names to
community.crypto.openssl_csr
, these will automatically be converted to IDNA. Conversion will be done per label to IDNA2008 if possible, and IDNA2003 if IDNA2008 conversion fails for that label. Note that IDNA conversion requires the Python idna library to be installed. Please note that depending on which versions of the cryptography library are used, it could try to process the converted IDNA another time with the Pythonidna
library and reject IDNA2003 encoded values. Using a new enoughcryptography
version avoids this (#426, #436). - acme_* modules - add parameter
request_timeout
to manage HTTP(S) request timeout (#447, #448). - luks_devices - added
perf_same_cpu_crypt
,perf_submit_from_crypt_cpus
,perf_no_read_workqueue
,perf_no_write_workqueue
for performance tuning when opening LUKS2 containers (#427). - luks_devices - added
persistent
option when opening LUKS2 containers (#434). - openssl_csr_info - add
name_encoding
option to control the encoding (IDNA, Unicode) used to return domain names in general names (#436). - openssl_pkcs12 - allow to provide the private key as text instead of having to read it from a file. This allows to store the private key in an encrypted form, for example in Ansible Vault (#452).
- x509_certificate_info - add
name_encoding
option to control the encoding (IDNA, Unicode) used to return domain names in general names (#436). - x509_crl - add
name_encoding
option to control the encoding (IDNA, Unicode) used to return domain names in general names (#436). - x509_crl_info - add
name_encoding
option to control the encoding (IDNA, Unicode) used to return domain names in general names (#436).
- Make collection more robust when PyOpenSSL is used with an incompatible cryptography version (#445).
- x509_crl - fix crash when
issuer
for a revoked certificate is specified (#441).
Regular maintenance release.
- openssh_* modules - fix exception handling to report traceback to users for enhanced traceability (#417).
Regular bugfix release.
Regular bugfix release.
In this release, we extended the test matrix to include Alpine 3, ArchLinux, Debian Bullseye, and CentOS Stream 8. CentOS 8 was removed from the test matrix.
- certificate_complete_chain - allow multiple potential intermediate certificates to have the same subject (#399, #403).
- x509_certificate - for the
ownca
provider, check whether the CA private key actually belongs to the CA certificate (#407). - x509_certificate - regenerate certificate when the CA's public key changes for
provider=ownca
(#407). - x509_certificate - regenerate certificate when the CA's subject changes for
provider=ownca
(#400, #402). - x509_certificate - regenerate certificate when the private key changes for
provider=selfsigned
(#407).
Bugfix release.
- openssh_cert - fixed false
changed
status forhost
certificates when usingfull_idempotence
(#395, #396).
Regular bugfix and feature release.
- openssh_cert - added
ignore_timestamps
parameter so it can be used semi-idempotent with relative timestamps invalid_to
/valid_from
(#379).
- luks_devices - set
LANG
and similar environment variables to avoid translated output, which can break some of the module's functionality like key management (#388, #385).
Feature and bugfix release.
- Adjust error messages that indicate
cryptography
is not installed fromCan't
toCannot
(#374).
- Various modules and plugins - use vendored version of
distutils.version
instead of the deprecated Python standard librarydistutils
(#353). - certificate_complete_chain - do not append root twice if the chain already ends with a root certificate (#360).
- certificate_complete_chain - do not hang when infinite loop is found (#355, #360).
- community.crypto.crypto_info - Retrieve cryptographic capabilities
- community.crypto.openssl_privatekey_convert - Convert OpenSSL private keys
Documentation fix release. No actual code changes.
Bugfix release with extra forward compatibility for newer versions of cryptography.
- acme_* modules - fix usage of
fetch_url
with changes in latest ansible-coredevel
branch (#339).
- acme_certificate - avoid passing multiple certificates to
cryptography
's X.509 certificate loader whenfullchain_dest
is used (#324). - get_certificate, openssl_csr_info, x509_certificate_info - add fallback code for extension parsing that works with cryptography 36.0.0 and newer. This code re-serializes de-serialized extensions and thus can return slightly different values if the extension in the original CSR resp. certificate was not canonicalized correctly. This code is currently used as a fallback if the existing code stops working, but we will switch it to be the main code in a future release (#331).
- luks_device - now also runs a built-in LUKS signature cleaner on
state=absent
to make sure that also the secondary LUKS2 header is wiped when older versions of wipefs are used (#326, #327). - openssl_pkcs12 - use new PKCS#12 deserialization infrastructure from cryptography 36.0.0 if available (#302).
A new major release of the community.crypto
collection. The main changes are removal of the PyOpenSSL backends for almost all modules (openssl_pkcs12
being the only exception), and removal of the assertonly
provider in the x509_certificate
provider. There are also some other breaking changes which should improve the user interface/experience of this collection long-term.
- acme_certificate - the
subject
andissuer
fields in in theselect_chain
entries are now more strictly validated (#316). - openssl_csr, openssl_csr_pipe - provide a new
subject_ordered
option if the order of the components in the subject is of importance (#291, #316). - openssl_csr, openssl_csr_pipe - there is now stricter validation of the values of the
subject
option (#316). - openssl_privatekey_info - add
check_consistency
option to request private key consistency checks to be done (#309). - x509_certificate, x509_certificate_pipe - add
ignore_timestamps
option which allows to enable idempotency for 'not before' and 'not after' options (#295, #317). - x509_crl - provide a new
issuer_ordered
option if the order of the components in the issuer is of importance (#291, #316). - x509_crl - there is now stricter validation of the values of the
issuer
option (#316).
- Adjust
dirName
text parsing and to text converting code to conform to Sections 2 and 3 of RFC 4514. This is similar to how cryptography handles this (#274). - acme module utils - removing compatibility code (#290).
- acme_* modules - removed vendored copy of the Python library
ipaddress
. If you are using Python 2.x, please make sure to install the library (#287). - compatibility module_utils - removed vendored copy of the Python library
ipaddress
(#287). - crypto module utils - removing compatibility code (#290).
- get_certificate, openssl_csr_info, x509_certificate_info - depending on the
cryptography
version used, the modules might not return the ASN.1 value for an extension as contained in the certificate respectively CSR, but a re-encoded version of it. This should usually be identical to the value contained in the source file, unless the value was malformed. For extensions not handled by C(cryptography) the value contained in the source file is always returned unaltered (#318). - module_utils - removed various PyOpenSSL support functions and default backend values that are not needed for the openssl_pkcs12 module (#273).
- openssl_csr, openssl_csr_pipe, x509_crl - the
subject
respectivelyissuer
fields no longer ignore empty values, but instead fail when encountering them (#316). - openssl_privatekey_info - by default consistency checks are not run; they need to be explicitly requested by passing
check_consistency=true
(#309). - x509_crl - for idempotency checks, the
issuer
order is ignored. If order is important, use the newissuer_ordered
option (#316).
- acme_* modules - ACME version 1 is now deprecated and support for it will be removed in community.crypto 2.0.0 (#288).
- acme_* modules - the
acme_directory
option is now required (#290). - acme_* modules - the
acme_version
option is now required (#290). - acme_account_facts - the deprecated redirect has been removed. Use community.crypto.acme_account_info instead (#290).
- acme_account_info -
retrieve_orders=url_list
no longer returns the return valueorders
. Use theorder_uris
return value instead (#290). - crypto.info module utils - the deprecated redirect has been removed. Use
crypto.pem
instead (#290). - get_certificate - removed the
pyopenssl
backend (#273). - openssl_certificate - the deprecated redirect has been removed. Use community.crypto.x509_certificate instead (#290).
- openssl_certificate_info - the deprecated redirect has been removed. Use community.crypto.x509_certificate_info instead (#290).
- openssl_csr - removed the
pyopenssl
backend (#273). - openssl_csr and openssl_csr_pipe -
version
now only accepts the (default) value 1 (#290). - openssl_csr_info - removed the
pyopenssl
backend (#273). - openssl_csr_pipe - removed the
pyopenssl
backend (#273). - openssl_privatekey - removed the
pyopenssl
backend (#273). - openssl_privatekey_info - removed the
pyopenssl
backend (#273). - openssl_privatekey_pipe - removed the
pyopenssl
backend (#273). - openssl_publickey - removed the
pyopenssl
backend (#273). - openssl_publickey_info - removed the
pyopenssl
backend (#273). - openssl_signature - removed the
pyopenssl
backend (#273). - openssl_signature_info - removed the
pyopenssl
backend (#273). - x509_certificate - remove
assertonly
provider (#289). - x509_certificate - removed the
pyopenssl
backend (#273). - x509_certificate_info - removed the
pyopenssl
backend (#273). - x509_certificate_pipe - removed the
pyopenssl
backend (#273).
- cryptography backend - improve Unicode handling for Python 2 (#313).
- get_certificate - fix compatibility with the cryptography 35.0.0 release (#294).
- openssl_csr_info - fix compatibility with the cryptography 35.0.0 release (#294).
- openssl_pkcs12 - fix compatibility with the cryptography 35.0.0 release (#296).
- x509_certificate_info - fix compatibility with the cryptography 35.0.0 release (#294).
Regular bugfix release.
- acme_* modules - fix commands composed for OpenSSL backend to retrieve information on CSRs and certificates from stdin to use
/dev/stdin
instead of-
. This is needed for OpenSSL 1.0.1 and 1.0.2, apparently (#279). - acme_challenge_cert_helper - only return exception when cryptography is not installed, not when a too old version of it is installed. This prevents Ansible's callback to crash (#281).
Regular bugfix release.
- openssl_csr and openssl_csr_pipe - make sure that Unicode strings are used to compare strings with the cryptography backend. This fixes idempotency problems with non-ASCII letters on Python 2 (#270, #271).
Bugfix release to fix the changelog. No other change compared to 1.9.0.
Accidental 1.9.1 release. Identical to 1.9.0.
Regular feature release.
- get_certificate - added
starttls
option to retrieve certificates from servers which require clients to request an encrypted connection (#264). - openssh_keypair - added
diff
support (#260).
- keypair_backend module utils - simplify code to pass sanity tests (#263).
- openssh_keypair - fixed
cryptography
backend to preserve original file permissions when regenerating a keypair requires existing files to be overwritten (#260). - openssh_keypair - fixed error handling to restore original keypair if regeneration fails (#260).
- x509_crl - restore inherited function signature to pass sanity tests (#263).
Regular bugfix and feature release.
- Avoid internal ansible-core module_utils in favor of equivalent public API available since at least Ansible 2.9 (#253).
- openssh certificate module utils - new module_utils for parsing OpenSSH certificates (#246).
- openssh_cert - added
regenerate
option to validate additional certificate parameters which trigger regeneration of an existing certificate (#256). - openssh_cert - adding
diff
support (#255).
- openssh_cert - fixed certificate generation to restore original certificate if an error is encountered (#255).
- openssh_keypair - fixed a bug that prevented custom file attributes being applied to public keys (#257).
Bugfix release.
- openssl_pkcs12 - fix crash when loading passphrase-protected PKCS#12 files with
cryptography
backend (#247, #248).
Regular feature and bugfix release.
- cryptography_openssh module utils - new module_utils for managing asymmetric keypairs and OpenSSH formatted/encoded asymmetric keypairs (#213).
- openssh_keypair - added
backend
parameter for selecting between the cryptography library or the OpenSSH binary for the execution of actions performed byopenssh_keypair
(#236). - openssh_keypair - added
passphrase
parameter for encrypting/decrypting OpenSSH private keys (#225). - openssl_csr - add diff mode (#38, #150).
- openssl_csr_info - now returns
public_key_type
andpublic_key_data
(#233). - openssl_csr_info - refactor module to allow code reuse for diff mode (#204).
- openssl_csr_pipe - add diff mode (#38, #150).
- openssl_pkcs12 - added option
select_crypto_backend
and acryptography
backend. This requires cryptography 3.0 or newer, and does not support theiter_size
andmaciter_size
options (#234). - openssl_privatekey - add diff mode (#38, #150).
- openssl_privatekey_info - refactor module to allow code reuse for diff mode (#205).
- openssl_privatekey_pipe - add diff mode (#38, #150).
- openssl_publickey - add diff mode (#38, #150).
- x509_certificate - add diff mode (#38, #150).
- x509_certificate_info - now returns
public_key_type
andpublic_key_data
(#233). - x509_certificate_info - refactor module to allow code reuse for diff mode (#206).
- x509_certificate_pipe - add diff mode (#38, #150).
- x509_crl - add diff mode (#38, #150).
- x509_crl_info - add
list_revoked_certificates
option to avoid enumerating all revoked certificates (#232). - x509_crl_info - refactor module to allow code reuse for diff mode (#203).
- openssh_keypair - fix
check_mode
to populate return values for existing keypairs (#113, #230). - various modules - prevent crashes when modules try to set attributes on not yet existing files in check mode. This will be fixed in ansible-core 2.12, but it is not backported to every Ansible version we support (https://github.com/ansible-collections/community.crypto/issue/242, #243).
- x509_certificate - fix crash when
assertonly
provider is used and some error conditions should be reported (#240, #241).
- community.crypto.openssl_publickey_info - Provide information for OpenSSL public keys
Bugfix release. Fixes compatibility issue of ACME modules with step-ca.
- acme_* modules - avoid crashing for ACME servers where the
meta
directory key is not present (#220, #221).
Bugfix release.
Fixes compatibility issues with the latest ansible-core 2.11 beta, and contains a lot of internal refactoring for the ACME modules and support for private key passphrases for them.
- acme module_utils - the
acme
module_utils has been split up into several Python modules (#184). - acme_* modules - codebase refactor which should not be visible to end-users (#184).
- acme_* modules - support account key passphrases for
cryptography
backend (#197, #207). - acme_certificate_revoke - support revoking by private keys that are passphrase protected for
cryptography
backend (#207). - acme_challenge_cert_helper - add
private_key_passphrase
parameter (#207).
- acme module_utils - the
acme
module_utils (ansible_collections.community.crypto.plugins.module_utils.acme
) is deprecated and will be removed in community.crypto 2.0.0. Use the new Python modules in theacme
package instead (ansible_collections.community.crypto.plugins.module_utils.acme.xxx
) (#184).
- action_module plugin helper - make compatible with latest changes in ansible-core 2.11.0b3 (#202).
- openssl_privatekey_pipe - make compatible with latest changes in ansible-core 2.11.0b3 (#202).
Regular feature and bugfix release. Deprecates a return value.
- acme_account_info - when
retrieve_orders
is notignore
and the ACME server allows to query orders, the new return valueorder_uris
is always populated with a list of URIs (#178). - luks_device - allow to specify sector size for LUKS2 containers with new
sector_size
parameter (#193).
- acme_account_info - when
retrieve_orders=url_list
,orders
will no longer be returned in community.crypto 2.0.0. Useorder_uris
instead (#178).
- openssl_csr - no longer fails when comparing CSR without basic constraint when
basic_constraints
is specified (#179, #180).
Release with several new features and bugfixes.
- The ACME module_utils has been relicensed back from the Simplified BSD License (https://opensource.org/licenses/BSD-2-Clause) to the GPLv3+ (same license used by most other code in this collection). This undoes a licensing change when the original GPLv3+ licensed code was moved to module_utils in ansible/ansible#40697 (#165).
- The
crypto/identify.py
module_utils has been renamed tocrypto/pem.py
(#166). - luks_device -
new_keyfile
,new_passphrase
,remove_keyfile
andremove_passphrase
are now idempotent (#19, #168). - luks_device - allow to configure PBKDF (#163).
- openssl_csr, openssl_csr_pipe - allow to specify CRL distribution endpoints with
crl_distribution_points
(#147, #167). - openssl_pkcs12 - allow to specify certificate bundles in
other_certificates
by using new optionother_certificates_parse_all
(#149, #166).
- acme_certificate - error when requested challenge type is not found for non-valid challenges, instead of hanging on step 2 (#171, #173).
Contains new modules openssl_privatekey_pipe
, openssl_csr_pipe
and x509_certificate_pipe
which allow to create or update private keys, CSRs and X.509 certificates without having to write them to disk.
- openssh_cert - add module parameter
use_agent
to enable using signing keys stored in ssh-agent (#116). - openssl_csr - refactor module to allow code reuse by openssl_csr_pipe (#123).
- openssl_privatekey - refactor module to allow code reuse by openssl_privatekey_pipe (#119).
- openssl_privatekey - the elliptic curve
secp192r1
now triggers a security warning. Elliptic curves of at least 224 bits should be used for new keys; see here (#132). - x509_certificate - for the
selfsigned
provider, a CSR is not required anymore. If no CSR is provided, the module behaves as if a minimal CSR which only contains the public key has been provided (#32, #129). - x509_certificate - refactor module to allow code reuse by x509_certificate_pipe (#135).
- openssl_pkcs12 - report the correct state when
action
isparse
(#143). - support code - improve handling of certificate and certificate signing request (CSR) loading with the
cryptography
backend when errors occur (#138, #139). - x509_certificate - fix
entrust
provider, which was broken since community.crypto 0.1.0 due to a feature added before the collection move (#135).
- community.crypto.openssl_csr_pipe - Generate OpenSSL Certificate Signing Request (CSR)
- community.crypto.openssl_privatekey_pipe - Generate OpenSSL private keys without disk access
- community.crypto.x509_certificate_pipe - Generate and/or check OpenSSL certificates
Please note that this release fixes a security issue (CVE-2020-25646).
- acme_certificate - allow to pass CSR file as content with new option
csr_content
(#115). - x509_certificate_info - add
fingerprints
return value which returns certificate fingerprints (#121).
- openssl_csr - the option
privatekey_content
was not marked asno_log
, resulting in it being dumped into the system log by default, and returned in the registered results in theinvocation
field (CVE-2020-25646, #125). - openssl_privatekey_info - the option
content
was not marked asno_log
, resulting in it being dumped into the system log by default, and returned in the registered results in theinvocation
field (CVE-2020-25646, #125). - openssl_publickey - the option
privatekey_content
was not marked asno_log
, resulting in it being dumped into the system log by default, and returned in the registered results in theinvocation
field (CVE-2020-25646, #125). - openssl_signature - the option
privatekey_content
was not marked asno_log
, resulting in it being dumped into the system log by default, and returned in the registered results in theinvocation
field (CVE-2020-25646, #125). - x509_certificate - the options
privatekey_content
andownca_privatekey_content
were not marked asno_log
, resulting in it being dumped into the system log by default, and returned in the registered results in theinvocation
field (CVE-2020-25646, #125). - x509_crl - the option
privatekey_content
was not marked asno_log
, resulting in it being dumped into the system log by default, and returned in the registered results in theinvocation
field (CVE-2020-25646, #125).
- openssl_pkcs12 - do not crash when reading PKCS#12 file which has no private key and/or no main certificate (#103).
Bugfixes for Ansible 2.10.0.
- meta/runtime.yml - convert Ansible version numbers for old names of modules to collection version numbers (#108).
- openssl_csr - improve handling of IDNA errors (#105).
Release for Ansible 2.10.0.
- acme_account - add
external_account_binding
option to allow creation of ACME accounts with External Account Binding (#89). - acme_certificate - allow new selector
test_certificates: first
forselect_chain
parameter (#102). - cryptography backends - support arbitrary dotted OIDs (#39).
- get_certificate - add support for SNI (#69).
- luks_device - add support for encryption options on container creation (#97).
- openssh_cert - add support for PKCS#11 tokens (#95).
- openssl_certificate - the PyOpenSSL backend now uses 160 bits of randomness for serial numbers, instead of a random number between 1000 and 99999. Please note that this is not a high quality random number (#76).
- openssl_csr - add support for name constraints extension (#46).
- openssl_csr_info - add support for name constraints extension (#46).
- acme_inspect - fix problem with Python 3.5 that JSON was not decoded (#86).
- get_certificate - fix
ca_cert
option handling whenproxy_host
is used (#84). - openssl_*, x509_* modules - fix handling of general names which refer to IP networks and not IP addresses (#92).
- community.crypto.openssl_signature - Sign data with openssl
- community.crypto.openssl_signature_info - Verify signatures with openssl
This is the first proper release of the community.crypto
collection. This changelog contains all changes to the modules in this collection that were added after the release of Ansible 2.9.0.
- luks_device - accept
passphrase
,new_passphrase
andremove_passphrase
. - luks_device - add
keysize
parameter to set key size at LUKS container creation - luks_device - added support to use UUIDs, and labels with LUKS2 containers
- luks_device - added the
type
option that allows user explicit define the LUKS container format version - openssh_keypair - instead of regenerating some broken or password protected keys, fail the module. Keys can still be regenerated by calling the module with
force=yes
. - openssh_keypair - the
regenerate
option allows to configure the module's behavior when it should or needs to regenerate private keys. - openssl_* modules - the cryptography backend now properly supports
dirName
,otherName
andRID
(Registered ID) names. - openssl_certificate - Add option for changing which ACME directory to use with acme-tiny. Set the default ACME directory to Let's Encrypt instead of using acme-tiny's default. (acme-tiny also uses Let's Encrypt at the time being, so no action should be necessary.)
- openssl_certificate - Change the required version of acme-tiny to >= 4.0.0
- openssl_certificate - allow to provide content of some input files via the
csr_content
,privatekey_content
,ownca_privatekey_content
andownca_content
options. - openssl_certificate - allow to return the existing/generated certificate directly as
certificate
by settingreturn_content
toyes
. - openssl_certificate_info - allow to provide certificate content via
content
option (ansible/ansible#64776). - openssl_csr - Add support for specifying the SAN
otherName
value in the OpenSSL ASN.1 UTF8 string format,otherName:<OID>;UTF8:string value
. - openssl_csr - allow to provide private key content via
private_key_content
option. - openssl_csr - allow to return the existing/generated CSR directly as
csr
by settingreturn_content
toyes
. - openssl_csr_info - allow to provide CSR content via
content
option. - openssl_dhparam - allow to return the existing/generated DH params directly as
dhparams
by settingreturn_content
toyes
. - openssl_dhparam - now supports a
cryptography
-based backend. Auto-detection can be overwritten with theselect_crypto_backend
option. - openssl_pkcs12 - allow to return the existing/generated PKCS#12 directly as
pkcs12
by settingreturn_content
toyes
. - openssl_privatekey - add
format
andformat_mismatch
options. - openssl_privatekey - allow to return the existing/generated private key directly as
privatekey
by settingreturn_content
toyes
. - openssl_privatekey - the
regenerate
option allows to configure the module's behavior when it should or needs to regenerate private keys. - openssl_privatekey_info - allow to provide private key content via
content
option. - openssl_publickey - allow to provide private key content via
private_key_content
option. - openssl_publickey - allow to return the existing/generated public key directly as
publickey
by settingreturn_content
toyes
.
- openssl_csr - all values for the
version
option except1
are deprecated. The value 1 denotes the current only standardized CSR version.
- The
letsencrypt
module has been removed. Useacme_certificate
instead.
- ACME modules: fix bug in ACME v1 account update code
- ACME modules: make sure some connection errors are handled properly
- ACME modules: support Buypass' ACME v1 endpoint
- acme_certificate - fix crash when module is used with Python 2.x.
- acme_certificate - fix misbehavior when ACME v1 is used with
modify_account
set tofalse
. - ecs_certificate - Always specify header
connection: keep-alive
for ECS API connections. - ecs_certificate - Fix formatting of contents of
full_chain_path
. - get_certificate - Fix cryptography backend when pyopenssl is unavailable (ansible/ansible#67900)
- openssh_keypair - add logic to avoid breaking password protected keys.
- openssh_keypair - fixes idempotence issue with public key (ansible/ansible#64969).
- openssh_keypair - public key's file attributes (permissions, owner, group, etc.) are now set to the same values as the private key.
- openssl_* modules - prevent crash on fingerprint determination in FIPS mode (ansible/ansible#67213).
- openssl_certificate - When provider is
entrust
, use aconnection: keep-alive
header for ECS API connections. - openssl_certificate -
provider
option was documented as required, but it was not checked whether it was provided. It is now only required whenstate
ispresent
. - openssl_certificate - fix
assertonly
provider certificate verification, causing 'private key mismatch' and 'subject mismatch' errors. - openssl_certificate and openssl_csr - fix Ed25519 and Ed448 private key support for
cryptography
backend. This probably needs at least cryptography 2.8, since older versions have problems with signing certificates or CSRs with such keys. (ansible/ansible#59039, PR ansible/ansible#63984) - openssl_csr - a warning is issued if an unsupported value for
version
is used for thecryptography
backend. - openssl_csr - the module will now enforce that
privatekey_path
is specified whenstate=present
. - openssl_publickey - fix a module crash caused when pyOpenSSL is not installed (ansible/ansible#67035).
- community.crypto.ecs_domain - Request validation of a domain with the Entrust Certificate Services (ECS) API
- community.crypto.x509_crl - Generate Certificate Revocation Lists (CRLs)
- community.crypto.x509_crl_info - Retrieve information on Certificate Revocation Lists (CRLs)