cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Reference RFC 8555 instead of latest draft. (#53674)

Browse source
This commit is contained in:
Felix Fontein 2019-03-15 01:19:36 +01:00 committed by Alicia Cozine
parent 40af4a144d
commit a043570579
7 changed files with 37 additions and 37 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
lib/ansible/module_utils/acme.py
View file

@ -429,7 +429,7 @@ class ACMEDirectory(object):
and allows to obtain a Replay-Nonce. The acme_directory URL and allows to obtain a Replay-Nonce. The acme_directory URL
needs to support unauthenticated GET requests; ACME endpoints needs to support unauthenticated GET requests; ACME endpoints
requiring authentication are not supported. requiring authentication are not supported.
https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-7.1.1 https://tools.ietf.org/html/rfc8555#section-7.1.1
''' '''
def __init__(self, module, account): def __init__(self, module, account):
@ -500,7 +500,7 @@ class ACMEAccount(object):
def get_keyauthorization(self, token): def get_keyauthorization(self, token):
''' '''
Returns the key authorization for the given token Returns the key authorization for the given token
https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-8.1 https://tools.ietf.org/html/rfc8555#section-8.1
''' '''
accountkey_json = json.dumps(self.jwk, sort_keys=True, separators=(',', ':')) accountkey_json = json.dumps(self.jwk, sort_keys=True, separators=(',', ':'))
thumbprint = nopad_b64(hashlib.sha256(accountkey_json.encode('utf8')).digest()) thumbprint = nopad_b64(hashlib.sha256(accountkey_json.encode('utf8')).digest())
@ -541,10 +541,10 @@ class ACMEAccount(object):
''' '''
Sends a JWS signed HTTP POST request to the ACME server and returns Sends a JWS signed HTTP POST request to the ACME server and returns
the response as dictionary the response as dictionary
https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-6.2 https://tools.ietf.org/html/rfc8555#section-6.2
If payload is None, a POST-as-GET is performed. If payload is None, a POST-as-GET is performed.
(https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-6.3) (https://tools.ietf.org/html/rfc8555#section-6.3)
''' '''
key_data = key_data or self.key_data key_data = key_data or self.key_data
jws_header = jws_header or self.jws_header jws_header = jws_header or self.jws_header
@ -575,7 +575,7 @@ class ACMEAccount(object):
try: try:
decoded_result = self.module.from_json(content.decode('utf8')) decoded_result = self.module.from_json(content.decode('utf8'))
# In case of badNonce error, try again (up to 5 times) # In case of badNonce error, try again (up to 5 times)
# (https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-6.7) # (https://tools.ietf.org/html/rfc8555#section-6.7)
if (400 <= info['status'] < 600 and if (400 <= info['status'] < 600 and
decoded_result.get('type') == 'urn:ietf:params:acme:error:badNonce' and decoded_result.get('type') == 'urn:ietf:params:acme:error:badNonce' and
failed_tries <= 5): failed_tries <= 5):
@ -651,7 +651,7 @@ class ACMEAccount(object):
``False`` if it already existed (e.g. it was not newly created), ``False`` if it already existed (e.g. it was not newly created),
or does not exist. In case the account was created or exists, or does not exist. In case the account was created or exists,
``data`` contains the account data; otherwise, it is ``None``. ``data`` contains the account data; otherwise, it is ``None``.
https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-7.3 https://tools.ietf.org/html/rfc8555#section-7.3
''' '''
contact = contact or [] contact = contact or []
@ -670,7 +670,7 @@ class ACMEAccount(object):
'contact': contact 'contact': contact
} }
if not allow_creation: if not allow_creation:
# https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-7.3.1 # https://tools.ietf.org/html/rfc8555#section-7.3.1
new_reg['onlyReturnExisting'] = True new_reg['onlyReturnExisting'] = True
if terms_agreed: if terms_agreed:
new_reg['termsOfServiceAgreed'] = True new_reg['termsOfServiceAgreed'] = True
@ -689,7 +689,7 @@ class ACMEAccount(object):
# A bug in Pebble (https://github.com/letsencrypt/pebble/issues/179) and # A bug in Pebble (https://github.com/letsencrypt/pebble/issues/179) and
# Boulder (https://github.com/letsencrypt/boulder/issues/3971): this should # Boulder (https://github.com/letsencrypt/boulder/issues/3971): this should
# not return a valid account object according to # not return a valid account object according to
# https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-7.3.6: # https://tools.ietf.org/html/rfc8555#section-7.3.6:
# "Once an account is deactivated, the server MUST NOT accept further # "Once an account is deactivated, the server MUST NOT accept further
# requests authorized by that account's key." # requests authorized by that account's key."
if not allow_creation: if not allow_creation:
@ -764,7 +764,7 @@ class ACMEAccount(object):
The account URI will be stored in ``self.uri``; if it is ``None``, The account URI will be stored in ``self.uri``; if it is ``None``,
the account does not exist. the account does not exist.
https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-7.3 https://tools.ietf.org/html/rfc8555#section-7.3
''' '''
if self.uri is not None: if self.uri is not None:
@ -802,7 +802,7 @@ class ACMEAccount(object):
would be changed (check mode), and ``account_data`` the updated would be changed (check mode), and ``account_data`` the updated
account data. account data.
https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-7.3.2 https://tools.ietf.org/html/rfc8555#section-7.3.2
''' '''
# Create request # Create request
update_request = {} update_request = {}

10
lib/ansible/modules/crypto/acme/acme_account.py
View file

@ -21,7 +21,7 @@ version_added: "2.6"
short_description: Create, modify or delete ACME accounts short_description: Create, modify or delete ACME accounts
description: description:
- "Allows to create, modify or delete accounts with a CA supporting the - "Allows to create, modify or delete accounts with a CA supporting the
L(ACME protocol,https://tools.ietf.org/html/draft-ietf-acme-acme-18), L(ACME protocol,https://tools.ietf.org/html/rfc8555),
such as L(Let's Encrypt,https://letsencrypt.org/)." such as L(Let's Encrypt,https://letsencrypt.org/)."
- "This module only works with the ACME v2 protocol." - "This module only works with the ACME v2 protocol."
notes: notes:
@ -31,8 +31,8 @@ notes:
M(acme_certificate)." M(acme_certificate)."
seealso: seealso:
- name: Automatic Certificate Management Environment (ACME) - name: Automatic Certificate Management Environment (ACME)
description: The current draft specification of the ACME protocol. description: The specification of the ACME protocol (RFC 8555).
link: https://tools.ietf.org/html/draft-ietf-acme-acme-18 link: https://tools.ietf.org/html/rfc8555
- module: acme_account_facts - module: acme_account_facts
description: Retrieves facts about an ACME account. description: Retrieves facts about an ACME account.
- module: openssl_privatekey - module: openssl_privatekey
@ -64,7 +64,7 @@ options:
description: description:
- "A list of contact URLs." - "A list of contact URLs."
- "Email addresses must be prefixed with C(mailto:)." - "Email addresses must be prefixed with C(mailto:)."
- "See https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-7.1.2 - "See U(https://tools.ietf.org/html/rfc8555#section-7.3)
for what is allowed." for what is allowed."
- "Must be specified when state is C(present). Will be ignored - "Must be specified when state is C(present). Will be ignored
if state is C(absent) or C(changed_key)." if state is C(absent) or C(changed_key)."
@ -242,7 +242,7 @@ def main():
# Now we can start the account key rollover # Now we can start the account key rollover
if not module.check_mode: if not module.check_mode:
# Compose inner signed message # Compose inner signed message
# https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-7.3.5 # https://tools.ietf.org/html/rfc8555#section-7.3.5
url = account.directory['keyChange'] url = account.directory['keyChange']
protected = { protected = {
"alg": new_key_data['alg'], "alg": new_key_data['alg'],

2
lib/ansible/modules/crypto/acme/acme_account_facts.py
View file

@ -21,7 +21,7 @@ version_added: "2.7"
short_description: Retrieves information on ACME accounts short_description: Retrieves information on ACME accounts
description: description:
- "Allows to retrieve information on accounts a CA supporting the - "Allows to retrieve information on accounts a CA supporting the
L(ACME protocol,https://tools.ietf.org/html/draft-ietf-acme-acme-18), L(ACME protocol,https://tools.ietf.org/html/rfc8555),
such as L(Let's Encrypt,https://letsencrypt.org/)." such as L(Let's Encrypt,https://letsencrypt.org/)."
- "This module only works with the ACME v2 protocol." - "This module only works with the ACME v2 protocol."
notes: notes:

22
lib/ansible/modules/crypto/acme/acme_certificate.py
View file

@ -21,7 +21,7 @@ version_added: "2.2"
short_description: Create SSL/TLS certificates with the ACME protocol short_description: Create SSL/TLS certificates with the ACME protocol
description: description:
- "Create and renew SSL/TLS certificates with a CA supporting the - "Create and renew SSL/TLS certificates with a CA supporting the
L(ACME protocol,https://tools.ietf.org/html/draft-ietf-acme-acme-18), L(ACME protocol,https://tools.ietf.org/html/rfc8555),
such as L(Let's Encrypt,https://letsencrypt.org/). The current such as L(Let's Encrypt,https://letsencrypt.org/). The current
implementation supports the C(http-01), C(dns-01) and C(tls-alpn-01) implementation supports the C(http-01), C(dns-01) and C(tls-alpn-01)
challenges." challenges."
@ -36,7 +36,7 @@ description:
the necessary certificate has to be created and served. the necessary certificate has to be created and served.
It is I(not) the responsibility of this module to perform these steps." It is I(not) the responsibility of this module to perform these steps."
- "For details on how to fulfill these challenges, you might have to read through - "For details on how to fulfill these challenges, you might have to read through
L(the main ACME specification,https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-8) L(the main ACME specification,https://tools.ietf.org/html/rfc8555#section-8)
and the L(TLS-ALPN-01 specification,https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05#section-3). and the L(TLS-ALPN-01 specification,https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05#section-3).
Also, consider the examples provided for this module." Also, consider the examples provided for this module."
- "The module includes experimental support for IP identifiers according to - "The module includes experimental support for IP identifiers according to
@ -55,8 +55,8 @@ seealso:
Provides useful information for example on rate limits. Provides useful information for example on rate limits.
link: https://letsencrypt.org/docs/ link: https://letsencrypt.org/docs/
- name: Automatic Certificate Management Environment (ACME) - name: Automatic Certificate Management Environment (ACME)
description: The current draft specification of the ACME protocol. description: The specification of the ACME protocol (RFC 8555).
link: https://tools.ietf.org/html/draft-ietf-acme-acme-18 link: https://tools.ietf.org/html/rfc8555
- name: ACME TLS ALPN Challenge Extension - name: ACME TLS ALPN Challenge Extension
description: The current draft specification of the C(tls-alpn-01) challenge. description: The current draft specification of the C(tls-alpn-01) challenge.
link: https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05 link: https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05
@ -351,7 +351,7 @@ authorizations:
type: complex type: complex
contains: contains:
authorization: authorization:
description: ACME authorization object. See U(https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-7.1.4) description: ACME authorization object. See U(https://tools.ietf.org/html/rfc8555#section-7.1.4)
returned: success returned: success
type: dict type: dict
order_uri: order_uri:
@ -534,13 +534,13 @@ class ACMEClient(object):
keyauthorization = self.account.get_keyauthorization(token) keyauthorization = self.account.get_keyauthorization(token)
if challenge_type == 'http-01': if challenge_type == 'http-01':
# https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-8.3 # https://tools.ietf.org/html/rfc8555#section-8.3
resource = '.well-known/acme-challenge/' + token resource = '.well-known/acme-challenge/' + token
data[challenge_type] = {'resource': resource, 'resource_value': keyauthorization} data[challenge_type] = {'resource': resource, 'resource_value': keyauthorization}
elif challenge_type == 'dns-01': elif challenge_type == 'dns-01':
if identifier_type != 'dns': if identifier_type != 'dns':
continue continue
# https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-8.4 # https://tools.ietf.org/html/rfc8555#section-8.4
resource = '_acme-challenge' resource = '_acme-challenge'
value = nopad_b64(hashlib.sha256(to_bytes(keyauthorization)).digest()) value = nopad_b64(hashlib.sha256(to_bytes(keyauthorization)).digest())
record = (resource + identifier[1:]) if identifier.startswith('*.') else (resource + '.' + identifier) record = (resource + identifier[1:]) if identifier.startswith('*.') else (resource + '.' + identifier)
@ -639,7 +639,7 @@ class ACMEClient(object):
''' '''
Create a new certificate based on the csr. Create a new certificate based on the csr.
Return the certificate object as dict Return the certificate object as dict
https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-7.4 https://tools.ietf.org/html/rfc8555#section-7.4
''' '''
csr = pem_to_der(self.csr) csr = pem_to_der(self.csr)
new_cert = { new_cert = {
@ -673,7 +673,7 @@ class ACMEClient(object):
def _download_cert(self, url): def _download_cert(self, url):
''' '''
Download and parse the certificate chain. Download and parse the certificate chain.
https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-7.4.2 https://tools.ietf.org/html/rfc8555#section-7.4.2
''' '''
content, info = self.account.get_request(url, parse_json_result=False, headers={'Accept': 'application/pem-certificate-chain'}) content, info = self.account.get_request(url, parse_json_result=False, headers={'Accept': 'application/pem-certificate-chain'})
@ -741,7 +741,7 @@ class ACMEClient(object):
def _new_order_v2(self): def _new_order_v2(self):
''' '''
Start a new certificate order (ACME v2 protocol). Start a new certificate order (ACME v2 protocol).
https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-7.4 https://tools.ietf.org/html/rfc8555#section-7.4
''' '''
identifiers = [] identifiers = []
for identifier_type, identifier in self.identifiers: for identifier_type, identifier in self.identifiers:
@ -906,7 +906,7 @@ class ACMEClient(object):
''' '''
Deactivates all valid authz's. Does not raise exceptions. Deactivates all valid authz's. Does not raise exceptions.
https://community.letsencrypt.org/t/authorization-deactivation/19860/2 https://community.letsencrypt.org/t/authorization-deactivation/19860/2
https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-7.5.2 https://tools.ietf.org/html/rfc8555#section-7.5.2
''' '''
authz_deactivate = { authz_deactivate = {
'status': 'deactivated' 'status': 'deactivated'

8
lib/ansible/modules/crypto/acme/acme_certificate_revoke.py
View file

@ -21,7 +21,7 @@ version_added: "2.7"
short_description: Revoke certificates with the ACME protocol short_description: Revoke certificates with the ACME protocol
description: description:
- "Allows to revoke certificates issued by a CA supporting the - "Allows to revoke certificates issued by a CA supporting the
L(ACME protocol,https://tools.ietf.org/html/draft-ietf-acme-acme-18), L(ACME protocol,https://tools.ietf.org/html/rfc8555),
such as L(Let's Encrypt,https://letsencrypt.org/)." such as L(Let's Encrypt,https://letsencrypt.org/)."
notes: notes:
- "Exactly one of C(account_key_src), C(account_key_content), - "Exactly one of C(account_key_src), C(account_key_content),
@ -37,8 +37,8 @@ seealso:
Provides useful information for example on rate limits. Provides useful information for example on rate limits.
link: https://letsencrypt.org/docs/ link: https://letsencrypt.org/docs/
- name: Automatic Certificate Management Environment (ACME) - name: Automatic Certificate Management Environment (ACME)
description: The current draft specification of the ACME protocol. description: The specification of the ACME protocol (RFC 8555).
link: https://tools.ietf.org/html/draft-ietf-acme-acme-18 link: https://tools.ietf.org/html/rfc8555
- module: acme_inspect - module: acme_inspect
description: Allows to debug problems. description: Allows to debug problems.
extends_documentation_fragment: extends_documentation_fragment:
@ -202,7 +202,7 @@ def main():
result, info = account.send_signed_request(endpoint, payload) result, info = account.send_signed_request(endpoint, payload)
if info['status'] != 200: if info['status'] != 200:
already_revoked = False already_revoked = False
# Standarized error from draft 14 on (https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-7.6) # Standarized error from draft 14 on (https://tools.ietf.org/html/rfc8555#section-7.6)
if result.get('type') == 'urn:ietf:params:acme:error:alreadyRevoked': if result.get('type') == 'urn:ietf:params:acme:error:alreadyRevoked':
already_revoked = True already_revoked = True
else: else:

4
lib/ansible/modules/crypto/acme/acme_challenge_cert_helper.py
View file

@ -28,8 +28,8 @@ description:
L(the draft-05 version of the specification,https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05)." L(the draft-05 version of the specification,https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05)."
seealso: seealso:
- name: Automatic Certificate Management Environment (ACME) - name: Automatic Certificate Management Environment (ACME)
description: The current draft specification of the ACME protocol. description: The specification of the ACME protocol (RFC 8555).
link: https://tools.ietf.org/html/draft-ietf-acme-acme-18 link: https://tools.ietf.org/html/rfc8555
- name: ACME TLS ALPN Challenge Extension - name: ACME TLS ALPN Challenge Extension
description: The current draft specification of the C(tls-alpn-01) challenge. description: The current draft specification of the C(tls-alpn-01) challenge.
link: https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05 link: https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05

8
lib/ansible/modules/crypto/acme/acme_inspect.py
View file

@ -21,7 +21,7 @@ version_added: "2.8"
short_description: Send direct requests to an ACME server short_description: Send direct requests to an ACME server
description: description:
- "Allows to send direct requests to an ACME server with the - "Allows to send direct requests to an ACME server with the
L(ACME protocol,https://tools.ietf.org/html/draft-ietf-acme-acme-18), L(ACME protocol,https://tools.ietf.org/html/rfc8555),
which is supported by CAs such as L(Let's Encrypt,https://letsencrypt.org/)." which is supported by CAs such as L(Let's Encrypt,https://letsencrypt.org/)."
- "This module can be used to debug failed certificate request attempts, - "This module can be used to debug failed certificate request attempts,
for example when M(acme_certificate) fails or encounters a problem which for example when M(acme_certificate) fails or encounters a problem which
@ -41,8 +41,8 @@ notes:
url=https://acme-v02.api.letsencrypt.org/acme/acct/1\")" url=https://acme-v02.api.letsencrypt.org/acme/acct/1\")"
seealso: seealso:
- name: Automatic Certificate Management Environment (ACME) - name: Automatic Certificate Management Environment (ACME)
description: The current draft specification of the ACME protocol. description: The specification of the ACME protocol (RFC 8555).
link: https://tools.ietf.org/html/draft-ietf-acme-acme-18 link: https://tools.ietf.org/html/rfc8555
- name: ACME TLS ALPN Challenge Extension - name: ACME TLS ALPN Challenge Extension
description: The current draft specification of the C(tls-alpn-01) challenge. description: The current draft specification of the C(tls-alpn-01) challenge.
link: https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05 link: https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05
@ -124,7 +124,7 @@ EXAMPLES = r'''
vars: vars:
account_info: account_info:
# For valid values, see # For valid values, see
# https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-7.3 # https://tools.ietf.org/html/rfc8555#section-7.3
contact: contact:
- mailto:me@example.com - mailto:me@example.com