ACME: new helper module for ACME challenges which need TLS certs (#43756)

* Added helper module for generating ACME challenge certificates. * Soft-fail on missing cryptography. Also check version. * Adding integration test. * Move acme_challenge_cert_helper from web_infrastructure to crypto/acme. * Adjusting to draft-05. * The cryptography branch has already been merged.
2018-08-22 23:12:43 +02:00 · 2018-08-22 23:12:43 +02:00 · 960d99a785
commit 960d99a785
parent 6ac4dae834
6 changed files with 314 additions and 2 deletions
--- a/lib/ansible/modules/crypto/acme/acme_challenge_cert_helper.py
+++ b/lib/ansible/modules/crypto/acme/acme_challenge_cert_helper.py
@ -0,0 +1,264 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# (c) 2018 Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+ANSIBLE_METADATA = {'metadata_version': '1.1',
+                    'status': ['preview'],
+                    'supported_by': 'community'}
+
+
+DOCUMENTATION = '''
+---
+module: acme_challenge_cert_helper
+author: "Felix Fontein (@felixfontein)"
+version_added: "2.7"
+short_description: Prepare certificates required for ACME challenges such as C(tls-alpn-01)
+description:
+   - "Prepares certificates for ACME challenges such as C(tls-alpn-01)."
+   - "The raw data is provided by the M(acme_certificate) module, and needs to be
+      converted to a certificate to be used for challenge validation. This module
+      provides a simple way to generate the required certificates."
+   - "The C(tls-alpn-01) implementation is based on
+      L(the draft-05 version of the specification,https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05)."
+requirements:
+   - "cryptography >= 1.3"
+options:
+  challenge:
+    description:
+      - "The challenge type."
+    required: yes
+    choices:
+    - tls-alpn-01
+  challenge_data:
+    description:
+      - "The C(challenge_data) entry provided by M(acme_certificate) for the challenge."
+    required: yes
+  private_key_src:
+    description:
+      - "Path to a file containing the private key file to use for this challenge
+         certificate."
+      - "Mutually exclusive with C(private_key_content)."
+  private_key_content:
+    description:
+      - "Content of the private key to use for this challenge certificate."
+      - "Mutually exclusive with C(private_key_src)."
+'''
+
+EXAMPLES = '''
+- name: Create challenges for a given CRT for sample.com
+  acme_certificate:
+    account_key_src: /etc/pki/cert/private/account.key
+    challenge: tls-alpn-01
+    csr: /etc/pki/cert/csr/sample.com.csr
+    dest: /etc/httpd/ssl/sample.com.crt
+  register: sample_com_challenge
+
+- name: Create certificates for challenges
+  acme_challenge_cert_helper:
+    challenge: tls-alpn-01
+    challenge_data: "{{ item.value['tls-alpn-01'] }}"
+    private_key_src: /etc/pki/cert/key/sample.com.key
+  with_items: "{{ sample_com_challenge.challenge_data }}"
+  register: sample_com_challenge_certs
+
+- name: Install challenge certificates
+  # We need to set up HTTPS such that for the domain,
+  # regular_certificate is delivered for regular connections,
+  # except if ALPN selects the "acme-tls/1"; then, the
+  # challenge_certificate must be delivered.
+  # This can for example be achieved with very new versions
+  # of NGINX; search for ssl_preread and
+  # ssl_preread_alpn_protocols for information on how to
+  # route by ALPN protocol.
+  ...:
+    domain: "{{ item.domain }}"
+    challenge_certificate: "{{ item.challenge_certificate }}"
+    regular_certificate: "{{ item.regular_certificate }}"
+    private_key: /etc/pki/cert/key/sample.com.key
+  with_items: "{{ sample_com_challenge_certs.results }}"
+
+- name: Create certificate for a given CSR for sample.com
+  acme_certificate:
+    account_key_src: /etc/pki/cert/private/account.key
+    challenge: tls-alpn-01
+    csr: /etc/pki/cert/csr/sample.com.csr
+    dest: /etc/httpd/ssl/sample.com.crt
+    data: "{{ sample_com_challenge }}"
+'''
+
+RETURN = '''
+domain:
+  description:
+    - "The domain the challenge is for."
+  returned: always
+  type: string
+challenge_certificate:
+  description:
+    - "The challenge certificate in PEM format."
+  returned: always
+  type: string
+regular_certificate:
+  description:
+    - "A self-signed certificate for the challenge domain."
+    - "If no existing certificate exists, can be used to set-up
+       https in the first place if that is needed for providing
+       the challenge."
+  returned: always
+  type: string
+'''
+
+from ansible.module_utils.acme import (
+    ModuleFailException,
+    read_file,
+)
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_bytes, to_text
+
+import base64
+import datetime
+import sys
+
+try:
+    import cryptography
+    import cryptography.hazmat.backends
+    import cryptography.hazmat.primitives.serialization
+    import cryptography.hazmat.primitives.asymmetric.rsa
+    import cryptography.hazmat.primitives.asymmetric.ec
+    import cryptography.hazmat.primitives.asymmetric.padding
+    import cryptography.hazmat.primitives.hashes
+    import cryptography.hazmat.primitives.asymmetric.utils
+    import cryptography.x509
+    import cryptography.x509.oid
+    from distutils.version import LooseVersion
+    HAS_CRYPTOGRAPHY = (LooseVersion(cryptography.__version__) >= LooseVersion('1.3'))
+    _cryptography_backend = cryptography.hazmat.backends.default_backend()
+except ImportError as e:
+    HAS_CRYPTOGRAPHY = False
+
+
+# Convert byte string to ASN1 encoded octet string
+if sys.version_info[0] >= 3:
+    def encode_octet_string(octet_string):
+        if len(octet_string) >= 128:
+            raise ModuleFailException('Cannot handle octet strings with more than 128 bytes')
+        return bytes([0x4, len(octet_string)]) + octet_string
+else:
+    def encode_octet_string(octet_string):
+        if len(octet_string) >= 128:
+            raise ModuleFailException('Cannot handle octet strings with more than 128 bytes')
+        return b'\x04' + chr(len(octet_string)) + octet_string
+
+
+def main():
+    module = AnsibleModule(
+        argument_spec=dict(
+            challenge=dict(required=True, choices=['tls-alpn-01'], type='str'),
+            challenge_data=dict(required=True, type='dict'),
+            private_key_src=dict(type='path'),
+            private_key_content=dict(type='str', no_log=True),
+        ),
+        required_one_of=(
+            ['private_key_src', 'private_key_content'],
+        ),
+        mutually_exclusive=(
+            ['private_key_src', 'private_key_content'],
+        ),
+    )
+    if not HAS_CRYPTOGRAPHY:
+        module.fail(msg='cryptography >= 1.3 is required for this module.')
+
+    try:
+        # Get parameters
+        challenge = module.params['challenge']
+        challenge_data = module.params['challenge_data']
+
+        # Get hold of private key
+        private_key_content = module.params.get('private_key_content')
+        if private_key_content is None:
+            private_key_content = read_file(module.params['private_key_src'])
+        else:
+            private_key_content = to_bytes(private_key_content)
+        try:
+            private_key = cryptography.hazmat.primitives.serialization.load_pem_private_key(private_key_content, password=None, backend=_cryptography_backend)
+        except Exception as e:
+            raise ModuleFailException('Error while loading private key: {0}'.format(e))
+
+        # Some common attributes
+        domain = to_text(challenge_data['resource'])
+        subject = issuer = cryptography.x509.Name([
+            cryptography.x509.NameAttribute(cryptography.x509.oid.NameOID.COMMON_NAME, domain),
+        ])
+        not_valid_before = datetime.datetime.utcnow()
+        not_valid_after = datetime.datetime.utcnow() + datetime.timedelta(days=10)
+
+        # Generate regular self-signed certificate
+        regular_certificate = cryptography.x509.CertificateBuilder().subject_name(
+            subject
+        ).issuer_name(
+            issuer
+        ).public_key(
+            private_key.public_key()
+        ).serial_number(
+            cryptography.x509.random_serial_number()
+        ).not_valid_before(
+            not_valid_before
+        ).not_valid_after(
+            not_valid_after
+        ).add_extension(
+            cryptography.x509.SubjectAlternativeName([cryptography.x509.DNSName(domain)]),
+            critical=False,
+        ).sign(
+            private_key,
+            cryptography.hazmat.primitives.hashes.SHA256(),
+            _cryptography_backend
+        )
+
+        # Process challenge
+        if challenge == 'tls-alpn-01':
+            value = base64.b64decode(challenge_data['resource_value'])
+            challenge_certificate = cryptography.x509.CertificateBuilder().subject_name(
+                subject
+            ).issuer_name(
+                issuer
+            ).public_key(
+                private_key.public_key()
+            ).serial_number(
+                cryptography.x509.random_serial_number()
+            ).not_valid_before(
+                not_valid_before
+            ).not_valid_after(
+                not_valid_after
+            ).add_extension(
+                cryptography.x509.SubjectAlternativeName([cryptography.x509.DNSName(domain)]),
+                critical=False,
+            ).add_extension(
+                cryptography.x509.UnrecognizedExtension(
+                    cryptography.x509.ObjectIdentifier("1.3.6.1.5.5.7.1.31"),
+                    encode_octet_string(value),
+                ),
+                critical=True,
+            ).sign(
+                private_key,
+                cryptography.hazmat.primitives.hashes.SHA256(),
+                _cryptography_backend
+            )
+
+        module.exit_json(
+            changed=True,
+            domain=domain,
+            challenge_certificate=challenge_certificate.public_bytes(cryptography.hazmat.primitives.serialization.Encoding.PEM),
+            regular_certificate=regular_certificate.public_bytes(cryptography.hazmat.primitives.serialization.Encoding.PEM)
+        )
+    except ModuleFailException as e:
+        e.do_fail(module)
+
+
+if __name__ == '__main__':
+    main()
--- a/test/integration/targets/acme_challenge_cert_helper/aliases
+++ b/test/integration/targets/acme_challenge_cert_helper/aliases
@ -0,0 +1,2 @@
+shippable/cloud/group1
+cloud/acme
--- a/test/integration/targets/acme_challenge_cert_helper/meta/main.yml
+++ b/test/integration/targets/acme_challenge_cert_helper/meta/main.yml
@ -0,0 +1,2 @@
+dependencies:
+  - setup_acme
--- a/test/integration/targets/acme_challenge_cert_helper/tasks/main.yml
+++ b/test/integration/targets/acme_challenge_cert_helper/tasks/main.yml
@ -0,0 +1,25 @@
+---
+- block:
+  - name: Create ECC256 account key
+    command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem
+  - name: Obtain cert 1
+    include_tasks: obtain-cert.yml
+    vars:
+      select_crypto_backend: auto
+      certgen_title: Certificate 1
+      certificate_name: cert-1
+      key_type: rsa
+      rsa_bits: 2048
+      subject_alt_name: "DNS:example.com"
+      subject_alt_name_critical: no
+      account_key: account-ec256
+      challenge: tls-alpn-01
+      challenge_alpn_tls: acme_challenge_cert_helper
+      modify_account: yes
+      deactivate_authzs: no
+      force: no
+      remaining_days: 10
+      terms_agreed: yes
+      account_email: "example@example.org"
+
+  when: openssl_version.stdout is version('1.0.0', '>=') or cryptography_version.stdout is version('1.5', '>=')
--- a/test/integration/targets/acme_challenge_cert_helper/tasks/obtain-cert.yml
+++ b/test/integration/targets/acme_challenge_cert_helper/tasks/obtain-cert.yml
@ -0,0 +1 @@
+../../setup_acme/tasks/obtain-cert.yml
--- a/test/integration/targets/setup_acme/tasks/obtain-cert.yml
+++ b/test/integration/targets/setup_acme/tasks/obtain-cert.yml
@ -85,7 +85,25 @@
    body: "{{ item.value }}"
  with_dict: "{{ challenge_data.challenge_data_dns }}"
  when: "challenge_data is changed and challenge == 'dns-01'"
- name: ({{ certgen_title }}) Create TLS ALPN challenges
+- name: ({{ certgen_title }}) Create TLS ALPN challenges (acm_challenge_cert_helper)
+  acme_challenge_cert_helper:
+    challenge: tls-alpn-01
+    challenge_data: "{{ item.value['tls-alpn-01'] }}"
+    private_key_src: "{{ output_dir }}/{{ certificate_name }}.key"
+  with_dict: "{{ challenge_data.challenge_data }}"
+  register: tls_alpn_challenges
+  when: "challenge_data is changed and challenge == 'tls-alpn-01' and (challenge_alpn_tls is defined and challenge_alpn_tls == 'acme_challenge_cert_helper')"
+- name: ({{ certgen_title }}) Set TLS ALPN challenges (acm_challenge_cert_helper)
+  uri:
+    url: "http://{{ acme_host }}:5000/tls-alpn/{{ item.domain }}/certificate-and-key"
+    method: PUT
+    body_format: raw
+    body: "{{ item.challenge_certificate }}\n{{ lookup('file', output_dir ~ '/' ~ certificate_name ~ '.key') }}"
+    headers:
+      content-type: "application/pem-certificate-chain"
+  with_items: "{{ tls_alpn_challenges.results }}"
+  when: "challenge_data is changed and challenge == 'tls-alpn-01' and (challenge_alpn_tls is defined and challenge_alpn_tls == 'acme_challenge_cert_helper')"
+- name: ({{ certgen_title }}) Create TLS ALPN challenges (der-value-b64)
  uri:
    url: "http://{{ acme_host }}:5000/tls-alpn/{{ item.value['tls-alpn-01'].resource }}/der-value-b64"
    method: PUT
@ -94,7 +112,7 @@
    headers:
      content-type: "application/octet-stream"
  with_dict: "{{ challenge_data.challenge_data }}"
-  when: "challenge_data is changed and challenge == 'tls-alpn-01'"
+  when: "challenge_data is changed and challenge == 'tls-alpn-01' and (challenge_alpn_tls is not defined or challenge_alpn_tls == 'der-value-b64')"
 ## ACME STEP 2 ################################################################################
 - name: ({{ certgen_title }}) Obtain cert, step 2
  acme_certificate: