mirror of
https://github.com/ansible-collections/community.crypto.git
synced 2026-05-06 05:12:54 +00:00
Small docs improvements (#374)
* Small improvements. * Document behavior changes.
This commit is contained in:
Felix Fontein
GitHub
@@ -133,7 +133,7 @@ EXAMPLES = '''
|
||||
- mailto:me@example.com
|
||||
- mailto:myself@example.org
|
||||
|
||||
- name: Make sure account has given email address. Don't create account if it doesn't exist
|
||||
- name: Make sure account has given email address. Do not create account if it does not exist
|
||||
community.crypto.acme_account:
|
||||
account_key_src: /etc/pki/cert/private/account.key
|
||||
state: present
|
||||
|
||||
@@ -170,7 +170,7 @@ options:
|
||||
aliases: ['cert']
|
||||
fullchain_dest:
|
||||
description:
|
||||
- "The destination file for the full chain (i.e. certificate followed
|
||||
- "The destination file for the full chain (that is, a certificate followed
|
||||
by chain of intermediate certificates)."
|
||||
- "Required if C(dest) is not specified."
|
||||
type: path
|
||||
@@ -204,7 +204,7 @@ options:
|
||||
description:
|
||||
- Enforces the execution of the challenge and validation, even if an
|
||||
existing certificate is still valid for more than C(remaining_days).
|
||||
- This is especially helpful when having an updated CSR e.g. with
|
||||
- This is especially helpful when having an updated CSR, for example with
|
||||
additional domains for which a new certificate is desired.
|
||||
type: bool
|
||||
default: no
|
||||
@@ -238,9 +238,9 @@ options:
|
||||
- "Determines which certificates in the chain will be tested."
|
||||
- "I(all) tests all certificates in the chain (excluding the leaf, which is
|
||||
identical in all chains)."
|
||||
- "I(first) only tests the first certificate in the chain, i.e. the one which
|
||||
- "I(first) only tests the first certificate in the chain, that is the one which
|
||||
signed the leaf."
|
||||
- "I(last) only tests the last certificate in the chain, i.e. the one furthest
|
||||
- "I(last) only tests the last certificate in the chain, that is the one furthest
|
||||
away from the leaf. Its issuer is the root certificate of this chain."
|
||||
type: str
|
||||
default: all
|
||||
|
||||
@@ -225,7 +225,7 @@ def main():
|
||||
if result.get('type') == error_type and result.get('detail') == 'Certificate already revoked':
|
||||
# Fallback: boulder returns this in case the certificate was already revoked.
|
||||
already_revoked = True
|
||||
# If we know the certificate was already revoked, we don't fail,
|
||||
# If we know the certificate was already revoked, we do not fail,
|
||||
# but successfully terminate while indicating no change
|
||||
if already_revoked:
|
||||
module.exit_json(changed=False)
|
||||
|
||||
@@ -327,7 +327,7 @@ def main():
|
||||
completed = []
|
||||
occured_certificates = set([cert.cert for cert in chain])
|
||||
if current.cert in roots.certificate_by_cert:
|
||||
# Don't try to complete the chain when it's already ending with a root certificate
|
||||
# Do not try to complete the chain when it's already ending with a root certificate
|
||||
current = None
|
||||
while current:
|
||||
root = roots.find_parent(current)
|
||||
|
||||
@@ -81,8 +81,8 @@ options:
|
||||
- The number of days the certificate must have left being valid. If C(cert_days < remaining_days) then a new certificate will be
|
||||
obtained using I(request_type).
|
||||
- If C(request_type=renew), a renewal will fail if the certificate being renewed has been issued within the past 30 days, so do not set a
|
||||
I(remaining_days) value that is within 30 days of the full lifetime of the certificate being acted upon. (e.g. if you are requesting Certificates
|
||||
with a 90 day lifetime, do not set remaining_days to a value C(60) or higher).
|
||||
I(remaining_days) value that is within 30 days of the full lifetime of the certificate being acted upon.
|
||||
- For exmaple, if you are requesting Certificates with a 90 day lifetime, do not set I(remaining_days) to a value C(60) or higher).
|
||||
- The I(force) option may be used to ensure that a new certificate is always obtained.
|
||||
type: int
|
||||
default: 30
|
||||
@@ -97,8 +97,8 @@ options:
|
||||
- Specifying C(request_type=reissue) means that an existing certificate (specified by I(tracking_id) if present, otherwise I(path)) will be
|
||||
reissued.
|
||||
If there is no certificate to reissue, a new certificate is requested.
|
||||
- If a certificate was issued within the past 30 days, the 'renew' operation is not a valid operation and will fail.
|
||||
- Note that C(reissue) is an operation that will result in the revocation of the certificate that is reissued, be cautious with it's use.
|
||||
- If a certificate was issued within the past 30 days, the C(renew) operation is not a valid operation and will fail.
|
||||
- Note that C(reissue) is an operation that will result in the revocation of the certificate that is reissued, be cautious with its use.
|
||||
- I(check_mode) is only supported if C(request_type=new)
|
||||
- For example, setting C(request_type=renew) and C(remaining_days=30) and pointing to the same certificate on multiple playbook runs means that on
|
||||
the first run new certificate will be requested. It will then be left along on future runs until it is within 30 days of expiry, then the
|
||||
@@ -690,7 +690,7 @@ class EcsCertificate(object):
|
||||
if len(cert_results) == 1:
|
||||
self.tracking_id = cert_results[0].get('trackingId')
|
||||
except RestOperationException as dummy:
|
||||
# If we fail to find a cert by serial number, that's fine, we just don't set self.tracking_id
|
||||
# If we fail to find a cert by serial number, that's fine, we just do not set self.tracking_id
|
||||
return
|
||||
|
||||
def set_cert_details(self, module):
|
||||
|
||||
@@ -63,11 +63,11 @@ options:
|
||||
description:
|
||||
- Email address to be used to verify domain ownership.
|
||||
- 'Email address must be either an email address present in the WHOIS data for I(domain_name), or one of the following constructed emails:
|
||||
admin@I(domain_name), administrator@I(domain_name), webmaster@I(domain_name), hostmaster@I(domain_name), postmaster@I(domain_name)'
|
||||
admin@I(domain_name), administrator@I(domain_name), webmaster@I(domain_name), hostmaster@I(domain_name), postmaster@I(domain_name).'
|
||||
- 'Note that if I(domain_name) includes subdomains, the top level domain should be used. For example, if requesting validation of
|
||||
example1.ansible.com, or test.example2.ansible.com, and you want to use the "admin" preconstructed name, the email address should be
|
||||
admin@ansible.com.'
|
||||
- If using the email values from the WHOIS data for the domain or it's top level namespace, they must be exact matches.
|
||||
- If using the email values from the WHOIS data for the domain or its top level namespace, they must be exact matches.
|
||||
- If C(verification_method=email) but I(verification_email) is not provided, the first email address found in WHOIS data for the domain will be
|
||||
used.
|
||||
- To verify domain ownership, domain owner must follow the instructions in the email they receive.
|
||||
|
||||
@@ -257,7 +257,7 @@ def main():
|
||||
|
||||
# Success?
|
||||
if backend == 'auto':
|
||||
module.fail_json(msg=("Can't detect the required Python library "
|
||||
module.fail_json(msg=("Cannot detect the required Python library "
|
||||
"cryptography (>= {0})").format(MINIMAL_CRYPTOGRAPHY_VERSION))
|
||||
|
||||
if backend == 'cryptography':
|
||||
|
||||
@@ -21,7 +21,7 @@ description:
|
||||
options:
|
||||
device:
|
||||
description:
|
||||
- "Device to work with (e.g. C(/dev/sda1)). Needed in most cases.
|
||||
- "Device to work with (for example C(/dev/sda1)). Needed in most cases.
|
||||
Can be omitted only when I(state=closed) together with I(name)
|
||||
is provided."
|
||||
type: str
|
||||
@@ -53,7 +53,7 @@ options:
|
||||
description:
|
||||
- "Sets container name when I(state=opened). Can be used
|
||||
instead of I(device) when closing the existing container
|
||||
(i.e. when I(state=closed))."
|
||||
(that is, when I(state=closed))."
|
||||
type: str
|
||||
keyfile:
|
||||
description:
|
||||
@@ -159,7 +159,7 @@ options:
|
||||
- "This option allows the user to define the cipher specification
|
||||
string for the LUKS container."
|
||||
- "Will only be used on container creation."
|
||||
- "For pre-2.6.10 kernels, use C(aes-plain) as they don't understand
|
||||
- "For pre-2.6.10 kernels, use C(aes-plain) as they do not understand
|
||||
the new cipher spec strings. To use ESSIV, use C(aes-cbc-essiv:sha256)."
|
||||
type: str
|
||||
version_added: '1.1.0'
|
||||
|
||||
@@ -110,7 +110,7 @@ options:
|
||||
description:
|
||||
- "The point in time the certificate is valid from. Time can be specified either as relative time or as absolute timestamp.
|
||||
Time will always be interpreted as UTC. Valid formats are: C([+-]timespec | YYYY-MM-DD | YYYY-MM-DDTHH:MM:SS | YYYY-MM-DD HH:MM:SS | always)
|
||||
where timespec can be an integer + C([w | d | h | m | s]) (e.g. C(+32w1d2h).
|
||||
where timespec can be an integer + C([w | d | h | m | s]) (for example C(+32w1d2h)).
|
||||
Note that if using relative time this module is NOT idempotent."
|
||||
- Required if I(state) is C(present).
|
||||
type: str
|
||||
@@ -118,7 +118,7 @@ options:
|
||||
description:
|
||||
- "The point in time the certificate is valid to. Time can be specified either as relative time or as absolute timestamp.
|
||||
Time will always be interpreted as UTC. Valid formats are: C([+-]timespec | YYYY-MM-DD | YYYY-MM-DDTHH:MM:SS | YYYY-MM-DD HH:MM:SS | forever)
|
||||
where timespec can be an integer + C([w | d | h | m | s]) (e.g. C(+32w1d2h).
|
||||
where timespec can be an integer + C([w | d | h | m | s]) (for example C(+32w1d2h)).
|
||||
Note that if using relative time this module is NOT idempotent."
|
||||
- Required if I(state) is C(present).
|
||||
type: str
|
||||
|
||||
@@ -94,7 +94,7 @@ options:
|
||||
this B(changed) for Ansible 2.10. For Ansible 2.9, the behavior was as if C(full_idempotence)
|
||||
is specified.
|
||||
- If set to C(never), the module will fail if the key cannot be read or the passphrase
|
||||
isn't matching, and will never regenerate an existing key.
|
||||
is not matching, and will never regenerate an existing key.
|
||||
- If set to C(fail), the module will fail if the key does not correspond to the module's
|
||||
options.
|
||||
- If set to C(partial_idempotence), the key will be regenerated if it does not conform to
|
||||
|
||||
@@ -14,7 +14,7 @@ DOCUMENTATION = r'''
|
||||
module: openssl_csr
|
||||
short_description: Generate OpenSSL Certificate Signing Request (CSR)
|
||||
description:
|
||||
- "Please note that the module regenerates an existing CSR if it doesn't match the module's
|
||||
- "Please note that the module regenerates an existing CSR if it does not match the module's
|
||||
options, or if it seems to be corrupt. If you are concerned that this could overwrite
|
||||
your existing CSR, consider using the I(backup) option."
|
||||
author:
|
||||
|
||||
@@ -15,7 +15,7 @@ module: openssl_csr_pipe
|
||||
short_description: Generate OpenSSL Certificate Signing Request (CSR)
|
||||
version_added: 1.3.0
|
||||
description:
|
||||
- "Please note that the module regenerates an existing CSR if it doesn't match the module's
|
||||
- "Please note that the module regenerates an existing CSR if it does not match the module's
|
||||
options, or if it seems to be corrupt."
|
||||
author:
|
||||
- Yanis Guenane (@Spredzy)
|
||||
|
||||
@@ -67,7 +67,7 @@ options:
|
||||
version_added: "1.0.0"
|
||||
return_content:
|
||||
description:
|
||||
- If set to C(yes), will return the (current or generated) DH params' content as I(dhparams).
|
||||
- If set to C(yes), will return the (current or generated) DH parameter's content as I(dhparams).
|
||||
type: bool
|
||||
default: no
|
||||
version_added: "1.0.0"
|
||||
@@ -286,7 +286,7 @@ class DHParameterOpenSSL(DHParameterBase):
|
||||
rc, out, err = module.run_command(command, check_rc=False)
|
||||
result = to_native(out)
|
||||
if rc != 0:
|
||||
# If the call failed the file probably doesn't exist or is
|
||||
# If the call failed the file probably does not exist or is
|
||||
# unreadable
|
||||
return False
|
||||
# output contains "(xxxx bit)"
|
||||
@@ -380,7 +380,7 @@ def main():
|
||||
|
||||
# Success?
|
||||
if backend == 'auto':
|
||||
module.fail_json(msg=("Can't detect either the required Python library cryptography (>= {0}) "
|
||||
module.fail_json(msg=("Cannot detect either the required Python library cryptography (>= {0}) "
|
||||
"or the OpenSSL binary openssl").format(MINIMAL_CRYPTOGRAPHY_VERSION))
|
||||
|
||||
if backend == 'openssl':
|
||||
|
||||
@@ -648,7 +648,7 @@ def select_backend(module, backend):
|
||||
|
||||
# Success?
|
||||
if backend == 'auto':
|
||||
module.fail_json(msg=("Can't detect any of the required Python libraries "
|
||||
module.fail_json(msg=("Cannot detect any of the required Python libraries "
|
||||
"cryptography (>= {0}) or PyOpenSSL (>= {1})").format(
|
||||
MINIMAL_CRYPTOGRAPHY_VERSION,
|
||||
MINIMAL_PYOPENSSL_VERSION))
|
||||
|
||||
@@ -45,7 +45,7 @@ options:
|
||||
- Whether to return private key data.
|
||||
- Only set this to C(yes) when you want private information about this key to
|
||||
leave the remote machine.
|
||||
- "B(WARNING:) you have to make sure that private key data isn't accidentally logged!"
|
||||
- "B(WARNING:) you have to make sure that private key data is not accidentally logged!"
|
||||
type: bool
|
||||
default: no
|
||||
check_consistency:
|
||||
|
||||
@@ -431,7 +431,7 @@ def main():
|
||||
|
||||
# Success?
|
||||
if backend == 'auto':
|
||||
module.fail_json(msg=("Can't detect the required Python library "
|
||||
module.fail_json(msg=("Cannot detect the required Python library "
|
||||
"cryptography (>= {0})").format(minimal_cryptography_version))
|
||||
|
||||
if module.params['format'] == 'OpenSSH' and backend != 'cryptography':
|
||||
|
||||
@@ -246,7 +246,7 @@ def main():
|
||||
|
||||
# Success?
|
||||
if backend == 'auto':
|
||||
module.fail_json(msg=("Can't detect the required Python library "
|
||||
module.fail_json(msg=("Cannot detect the required Python library "
|
||||
"cryptography (>= {0})").format(MINIMAL_CRYPTOGRAPHY_VERSION))
|
||||
try:
|
||||
if backend == 'cryptography':
|
||||
|
||||
@@ -276,7 +276,7 @@ def main():
|
||||
|
||||
# Success?
|
||||
if backend == 'auto':
|
||||
module.fail_json(msg=("Can't detect any of the required Python libraries "
|
||||
module.fail_json(msg=("Cannot detect any of the required Python libraries "
|
||||
"cryptography (>= {0})").format(MINIMAL_CRYPTOGRAPHY_VERSION))
|
||||
try:
|
||||
if backend == 'cryptography':
|
||||
|
||||
@@ -50,7 +50,7 @@ options:
|
||||
- Time can be specified either as relative time or as absolute timestamp.
|
||||
- Time will always be interpreted as UTC.
|
||||
- Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer
|
||||
+ C([w | d | h | m | s]) (e.g. C(+32w1d2h), and ASN.1 TIME (in other words, pattern C(YYYYMMDDHHMMSSZ)).
|
||||
+ C([w | d | h | m | s]) (for example C(+32w1d2h)), and ASN.1 TIME (in other words, pattern C(YYYYMMDDHHMMSSZ)).
|
||||
Note that all timestamps will be treated as being in UTC.
|
||||
type: dict
|
||||
select_crypto_backend:
|
||||
|
||||
@@ -114,7 +114,7 @@ options:
|
||||
- Time can be specified either as relative time or as absolute timestamp.
|
||||
- Time will always be interpreted as UTC.
|
||||
- Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer
|
||||
+ C([w | d | h | m | s]) (e.g. C(+32w1d2h).
|
||||
+ C([w | d | h | m | s]) (for example C(+32w1d2h)).
|
||||
- Note that if using relative time this module is NOT idempotent, except when
|
||||
I(ignore_timestamps) is set to C(yes).
|
||||
type: str
|
||||
@@ -127,7 +127,7 @@ options:
|
||||
- Time can be specified either as relative time or as absolute timestamp.
|
||||
- Time will always be interpreted as UTC.
|
||||
- Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer
|
||||
+ C([w | d | h | m | s]) (e.g. C(+32w1d2h).
|
||||
+ C([w | d | h | m | s]) (for example C(+32w1d2h)).
|
||||
- Note that if using relative time this module is NOT idempotent, except when
|
||||
I(ignore_timestamps) is set to C(yes).
|
||||
- Required if I(state) is C(present).
|
||||
@@ -172,7 +172,7 @@ options:
|
||||
- Time can be specified either as relative time or as absolute timestamp.
|
||||
- Time will always be interpreted as UTC.
|
||||
- Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer
|
||||
+ C([w | d | h | m | s]) (e.g. C(+32w1d2h).
|
||||
+ C([w | d | h | m | s]) (for example C(+32w1d2h)).
|
||||
- Note that if using relative time this module is NOT idempotent, except when
|
||||
I(ignore_timestamps) is set to C(yes).
|
||||
type: str
|
||||
@@ -215,7 +215,7 @@ options:
|
||||
- Time can be specified either as relative time or as absolute timestamp.
|
||||
- Time will always be interpreted as UTC.
|
||||
- Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer
|
||||
+ C([w | d | h | m | s]) (e.g. C(+32w1d2h).
|
||||
+ C([w | d | h | m | s]) (for example C(+32w1d2h)).
|
||||
- Note that if using relative time this module is NOT idempotent. This will NOT
|
||||
change when I(ignore_timestamps) is set to C(yes).
|
||||
type: str
|
||||
@@ -647,7 +647,7 @@ class CRL(OpenSSLObject):
|
||||
old_entries = [self._compress_entry(cryptography_decode_revoked_certificate(cert)) for cert in self.crl]
|
||||
new_entries = [self._compress_entry(cert) for cert in self.revoked_certificates]
|
||||
if self.update:
|
||||
# We don't simply use a set so that duplicate entries are treated correctly
|
||||
# We do not simply use a set so that duplicate entries are treated correctly
|
||||
for entry in new_entries:
|
||||
try:
|
||||
old_entries.remove(entry)
|
||||
|
||||
Reference in New Issue
Block a user