ACME: improve acme_certificate docs, include cert_id in acme_certificate_renewal_info return value (#747)

* Use community.dns.quote_txt filter instead of regex replace to quote TXT entry value. * Fix documentation of acme_certificate's challenge_data return value. * Also return cert_id from acme_certificate_renewal_info module. * The cert ID cannot be computed if the certificate has no AKI. This happens with older Pebble versions, which are used when testing against older ansible-core/-base/Ansible versions. * Fix AKI extraction for older OpenSSL versions.
2026-05-06 13:22:58 +00:00 · 2024-05-04 23:38:57 +02:00
parent 59606d48ad
commit 553ab45f46
14 changed files with 323 additions and 115 deletions
--- a/plugins/module_utils/acme/acme.py
+++ b/plugins/module_utils/acme/acme.py
@@ -390,6 +390,7 @@ class ACMEClient(object):

    def get_renewal_info(
        self,
+        cert_id=None,
        cert_info=None,
        cert_filename=None,
        cert_content=None,
@@ -399,7 +400,8 @@ class ACMEClient(object):
        if not self.directory.has_renewal_info_endpoint():
            raise ModuleFailException('The ACME endpoint does not support ACME Renewal Information retrieval')

-        cert_id = compute_cert_id(self.backend, cert_info=cert_info, cert_filename=cert_filename, cert_content=cert_content)
+        if cert_id is None:
+            cert_id = compute_cert_id(self.backend, cert_info=cert_info, cert_filename=cert_filename, cert_content=cert_content)
        url = '{base}{cert_id}'.format(base=self.directory.directory['renewalInfo'], cert_id=cert_id)

        data, info = self.get_request(url, parse_json_result=True, fail_on_error=True, get_only=True)
--- a/plugins/module_utils/acme/backend_openssl_cli.py
+++ b/plugins/module_utils/acme/backend_openssl_cli.py
@@ -56,12 +56,12 @@ def _decode_octets(octets_text):
    return binascii.unhexlify(re.sub(r"(\s|:)", "", octets_text).encode("utf-8"))


-def _extract_octets(out_text, name, required=True):
-    match = re.search(
-        r"\s+%s:\s*\n\s+([A-Fa-f0-9]{2}(?::[A-Fa-f0-9]{2})*)\s*\n" % name,
-        out_text,
-        re.MULTILINE | re.DOTALL,
+def _extract_octets(out_text, name, required=True, potential_prefixes=None):
+    regexp = r"\s+%s:\s*\n\s+%s([A-Fa-f0-9]{2}(?::[A-Fa-f0-9]{2})*)\s*\n" % (
+        name,
+        ('(?:%s)' % '|'.join(re.escape(pp) for pp in potential_prefixes)) if potential_prefixes else '',
    )
+    match = re.search(regexp, out_text, re.MULTILINE | re.DOTALL)
    if match is not None:
        return _decode_octets(match.group(1))
    if not required:
@@ -379,7 +379,7 @@ class OpenSSLCLIBackend(CryptoBackend):
            serial = convert_bytes_to_int(_extract_octets(out_text, 'Serial Number', required=True))

        ski = _extract_octets(out_text, 'X509v3 Subject Key Identifier', required=False)
-        aki = _extract_octets(out_text, 'X509v3 Authority Key Identifier', required=False)
+        aki = _extract_octets(out_text, 'X509v3 Authority Key Identifier', required=False, potential_prefixes=['keyid:', ''])

        return CertificateInformation(
            not_valid_after=not_after,
--- a/plugins/module_utils/acme/utils.py
+++ b/plugins/module_utils/acme/utils.py
@@ -109,7 +109,7 @@ def compute_cert_id(backend, cert_info=None, cert_filename=None, cert_content=No

    # Convert Authority Key Identifier to string
    if cert_info.authority_key_identifier is None:
-        raise ModuleFailException('Module has no Authority Key Identifier extension')
+        raise ModuleFailException('Certificate has no Authority Key Identifier extension')
    aki = to_native(base64.urlsafe_b64encode(cert_info.authority_key_identifier)).replace('=', '')

    # Convert serial number to string