caf7fd2245
* Raise OpenSSLBadPassphraseError if passphrase is wrong. * Improve handling of passphrase errors. Current behavior for modules is: if passphrase is wrong (or wrongly specified), fail. Current behavior for openssl_privatekey is: if passphrase is worng (or wrongly specified), regenerate. * Add changelog. * Add tests. * Adjustments for some versions of PyOpenSSL. * Update lib/ansible/modules/crypto/openssl_certificate.py Improve text. Co-Authored-By: felixfontein <felix@fontein.de>
199 lines
5.6 KiB
YAML
199 lines
5.6 KiB
YAML
---
|
|
- name: Generate privatekey
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey.pem'
|
|
|
|
- name: Generate privatekey with password
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekeypw.pem'
|
|
passphrase: hunter2
|
|
cipher: auto
|
|
select_crypto_backend: cryptography
|
|
|
|
- name: Generate CSR
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
subject:
|
|
commonName: www.example.com
|
|
|
|
- name: Generate selfsigned certificate
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert.pem'
|
|
csr_path: '{{ output_dir }}/csr.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
provider: selfsigned
|
|
selfsigned_digest: sha256
|
|
register: selfsigned_certificate
|
|
|
|
- name: Generate selfsigned certificate
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert.pem'
|
|
csr_path: '{{ output_dir }}/csr.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
provider: selfsigned
|
|
selfsigned_digest: sha256
|
|
register: selfsigned_certificate_idempotence
|
|
|
|
- name: Generate selfsigned certificate (check mode)
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert.pem'
|
|
csr_path: '{{ output_dir }}/csr.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
provider: selfsigned
|
|
selfsigned_digest: sha256
|
|
check_mode: yes
|
|
|
|
- name: Check selfsigned certificate
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert.pem'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
provider: assertonly
|
|
has_expired: False
|
|
version: 3
|
|
signature_algorithms:
|
|
- sha256WithRSAEncryption
|
|
- sha256WithECDSAEncryption
|
|
subject:
|
|
commonName: www.example.com
|
|
|
|
- name: Generate selfsigned v2 certificate
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert_v2.pem'
|
|
csr_path: '{{ output_dir }}/csr.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
provider: selfsigned
|
|
selfsigned_digest: sha256
|
|
selfsigned_version: 2
|
|
|
|
- name: Generate privatekey2
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey2.pem'
|
|
|
|
- name: Generate CSR2
|
|
openssl_csr:
|
|
subject:
|
|
CN: www.example.com
|
|
C: US
|
|
ST: California
|
|
L: Los Angeles
|
|
O: ACME Inc.
|
|
OU:
|
|
- Roadrunner pest control
|
|
- Pyrotechnics
|
|
path: '{{ output_dir }}/csr2.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey2.pem'
|
|
keyUsage:
|
|
- digitalSignature
|
|
extendedKeyUsage:
|
|
- ipsecUser
|
|
- biometricInfo
|
|
|
|
- name: Generate selfsigned certificate2
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert2.pem'
|
|
csr_path: '{{ output_dir }}/csr2.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey2.pem'
|
|
provider: selfsigned
|
|
selfsigned_digest: sha256
|
|
|
|
- name: Check selfsigned certificate2
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert2.pem'
|
|
privatekey_path: '{{ output_dir }}/privatekey2.pem'
|
|
provider: assertonly
|
|
has_expired: False
|
|
version: 3
|
|
signature_algorithms:
|
|
- sha256WithRSAEncryption
|
|
- sha256WithECDSAEncryption
|
|
subject:
|
|
commonName: www.example.com
|
|
C: US
|
|
ST: California
|
|
L: Los Angeles
|
|
O: ACME Inc.
|
|
OU:
|
|
- Roadrunner pest control
|
|
- Pyrotechnics
|
|
keyUsage:
|
|
- digitalSignature
|
|
extendedKeyUsage:
|
|
- ipsecUser
|
|
- biometricInfo
|
|
|
|
- name: Create private key 3
|
|
openssl_privatekey:
|
|
path: "{{ output_dir }}/privatekey3.pem"
|
|
|
|
- name: Create CSR 3
|
|
openssl_csr:
|
|
subject:
|
|
CN: www.example.com
|
|
privatekey_path: "{{ output_dir }}/privatekey3.pem"
|
|
path: "{{ output_dir }}/csr3.pem"
|
|
|
|
- name: Create certificate3 with notBefore and notAfter
|
|
openssl_certificate:
|
|
provider: selfsigned
|
|
selfsigned_not_before: 20181023133742Z
|
|
selfsigned_not_after: 20191023133742Z
|
|
path: "{{ output_dir }}/cert3.pem"
|
|
csr_path: "{{ output_dir }}/csr3.pem"
|
|
privatekey_path: "{{ output_dir }}/privatekey3.pem"
|
|
|
|
- name: Generate privatekey
|
|
openssl_privatekey:
|
|
path: '{{ output_dir }}/privatekey_ecc.pem'
|
|
type: ECC
|
|
curve: secp256k1
|
|
|
|
- name: Generate CSR
|
|
openssl_csr:
|
|
path: '{{ output_dir }}/csr_ecc.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey_ecc.pem'
|
|
subject:
|
|
commonName: www.example.com
|
|
|
|
- name: Generate selfsigned certificate
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert_ecc.pem'
|
|
csr_path: '{{ output_dir }}/csr_ecc.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey_ecc.pem'
|
|
provider: selfsigned
|
|
selfsigned_digest: sha256
|
|
register: selfsigned_certificate_ecc
|
|
|
|
- name: Generate selfsigned certificate (failed passphrase 1)
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert_pw1.pem'
|
|
csr_path: '{{ output_dir }}/csr_ecc.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekey.pem'
|
|
privatekey_passphrase: hunter2
|
|
provider: selfsigned
|
|
selfsigned_digest: sha256
|
|
ignore_errors: yes
|
|
register: passphrase_error_1
|
|
|
|
- name: Generate selfsigned certificate (failed passphrase 2)
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert_pw2.pem'
|
|
csr_path: '{{ output_dir }}/csr_ecc.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
|
|
privatekey_passphrase: wrong_password
|
|
provider: selfsigned
|
|
selfsigned_digest: sha256
|
|
ignore_errors: yes
|
|
register: passphrase_error_2
|
|
|
|
- name: Generate selfsigned certificate (failed passphrase 3)
|
|
openssl_certificate:
|
|
path: '{{ output_dir }}/cert_pw3.pem'
|
|
csr_path: '{{ output_dir }}/csr_ecc.csr'
|
|
privatekey_path: '{{ output_dir }}/privatekeypw.pem'
|
|
provider: selfsigned
|
|
selfsigned_digest: sha256
|
|
ignore_errors: yes
|
|
register: passphrase_error_3
|
|
|
|
- import_tasks: ../tests/validate_selfsigned.yml
|