ACME: implement dns-account-01 challenge type (#996)

* Implement dns-account-01. * Bump draft versions. * dns-account-01 implementation changed in Pebble; only the one used by ansible-core 2.21/devel's ACME simulator matches the latest draft.
2026-05-07 13:53:06 +00:00 · 2026-03-29 20:49:33 +02:00
parent 4a7d18cad5
commit b1ae295fb7
10 changed files with 182 additions and 38 deletions
--- a/plugins/module_utils/_acme/certificate.py
+++ b/plugins/module_utils/_acme/certificate.py
@@ -149,9 +149,23 @@ class ACMECertificateClient:
        order.load_authorizations(client=self.client)
        return order

+    @staticmethod
+    def _update_dns_data(
+        data_dns: dict[str, list[str]],
+        dns_challenge_type: str,
+        challenge_data: dict[str, t.Any],
+    ) -> None:
+        dns_challenge = challenge_data.get(dns_challenge_type)
+        if dns_challenge:
+            values = data_dns.get(dns_challenge["record"])
+            if values is None:
+                values = []
+                data_dns[dns_challenge["record"]] = values
+            values.append(dns_challenge["resource_value"])
+
    def get_challenges_data(
        self, order: Order
-    ) -> tuple[list[dict[str, t.Any]], dict[str, list[str]]]:
+    ) -> tuple[list[dict[str, t.Any]], dict[str, list[str]], dict[str, list[str]]]:
        """
        Get challenge details.

@@ -159,7 +173,9 @@ class ACMECertificateClient:
        """
        data: list[dict[str, t.Any]] = []
        data_dns: dict[str, list[str]] = {}
+        data_dns_account: dict[str, list[str]] = {}
        dns_challenge_type = "dns-01"
+        dns_account_challenge_type = "dns-account-01"
        for authz in order.authorizations.values():
            # Skip valid authentications: their challenges are already valid
            # and do not need to be returned
@@ -173,14 +189,11 @@ class ACMECertificateClient:
                    "challenges": challenge_data,
                }
            )
-            dns_challenge = challenge_data.get(dns_challenge_type)
-            if dns_challenge:
-                values = data_dns.get(dns_challenge["record"])
-                if values is None:
-                    values = []
-                    data_dns[dns_challenge["record"]] = values
-                values.append(dns_challenge["resource_value"])
-        return data, data_dns
+            self._update_dns_data(data_dns, dns_challenge_type, challenge_data)
+            self._update_dns_data(
+                data_dns_account, dns_account_challenge_type, challenge_data
+            )
+        return data, data_dns, data_dns_account

    def check_that_authorizations_can_be_used(self, order: Order) -> None:
        bad_authzs = []