ACME: implement dns-account-01 challenge type (#996)

* Implement dns-account-01. * Bump draft versions. * dns-account-01 implementation changed in Pebble; only the one used by ansible-core 2.21/devel's ACME simulator matches the latest draft.
2026-05-06 21:33:00 +00:00 · 2026-03-29 20:49:33 +02:00
parent 4a7d18cad5
commit b1ae295fb7
10 changed files with 182 additions and 38 deletions
--- a/tests/integration/targets/acme_certificate/tasks/impl.yml
+++ b/tests/integration/targets/acme_certificate/tasks/impl.yml
@@ -364,6 +364,29 @@
      ansible.builtin.set_fact:
        cert_8_obtain_results: "{{ certificate_obtain_result }}"
        cert_8_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
+- when: ansible_version.full is version('2.21', '>=')
+  block:
+    - name: Obtain cert 9
+      ansible.builtin.include_tasks: obtain-cert.yml
+      vars:
+        certgen_title: Certificate 9
+        certificate_name: cert-9
+        key_type: ec256
+        subject_alt_name: "DNS:*.example.com,DNS:example.org,DNS:t1.example.com"
+        subject_alt_name_critical: false
+        account_key: account-ec256
+        challenge: dns-account-01
+        modify_account: true
+        deactivate_authzs: false
+        force: false
+        remaining_days: 1
+        terms_agreed: true
+        account_email: "example@example.org"
+        use_csr_content: true
+    - name: Store obtain results for cert 9
+      ansible.builtin.set_fact:
+        cert_9_obtain_results: "{{ certificate_obtain_result }}"
+        cert_9_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"

 ## DISSECT CERTIFICATES #######################################################################
 # Make sure certificates are valid. Root certificate for Pebble equals the chain certificate.
@@ -401,6 +424,11 @@
  ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-8-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-8-chain.pem" "{{ remote_tmp_dir }}/cert-8.pem"'
  ignore_errors: true
  register: cert_8_valid
+- name: Verifying cert 9
+  ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-9-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-9-chain.pem" "{{ remote_tmp_dir }}/cert-9.pem"'
+  ignore_errors: true
+  register: cert_9_valid
+  when: ansible_version.full is version('2.21', '>=')

 # Dump certificate info
 - name: Dumping cert 1
@@ -429,6 +457,10 @@
 - name: Dumping cert 8
  ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-8.pem" -noout -text'
  register: cert_8_text
+- name: Dumping cert 9
+  ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-9.pem" -noout -text'
+  register: cert_9_text
+  when: ansible_version.full is version('2.21', '>=')

 # Dump certificate info
 - name: Dumping cert 1
@@ -465,6 +497,11 @@
  community.crypto.x509_certificate_info:
    path: "{{ remote_tmp_dir }}/cert-8.pem"
  register: cert_8_info
+- name: Dumping cert 9
+  community.crypto.x509_certificate_info:
+    path: "{{ remote_tmp_dir }}/cert-9.pem"
+  register: cert_9_info
+  when: ansible_version.full is version('2.21', '>=')

 ## GET ACCOUNT ORDERS #########################################################################
 - name: Don't retrieve orders
--- a/tests/integration/targets/acme_certificate/tests/validate.yml
+++ b/tests/integration/targets/acme_certificate/tests/validate.yml
@@ -160,6 +160,19 @@
        that:
          - "'IP Address:127.0.0.1' in cert_8_text.stdout or 'IP:127.0.0.1' in cert_8_text.stdout"

+- when: ansible_version.full is version('2.21', '>=')
+  block:
+    - name: Check that certificate 9 is valid
+      ansible.builtin.assert:
+        that:
+          - cert_9_valid is not failed
+    - name: Check that certificate 9 contains correct SANs
+      ansible.builtin.assert:
+        that:
+          - "'DNS:*.example.com' in cert_9_text.stdout"
+          - "'DNS:example.org' in cert_9_text.stdout"
+          - "'DNS:t1.example.com' in cert_9_text.stdout"
+
 - name: Validate that orders were not retrieved
  ansible.builtin.assert:
    that:
--- a/tests/integration/targets/setup_acme/tasks/obtain-cert.yml
+++ b/tests/integration/targets/setup_acme/tasks/obtain-cert.yml
@@ -72,7 +72,7 @@
    body_format: json
    body: "{{ item.value }}"
  with_dict: "{{ challenge_data.challenge_data_dns }}"
-  when: "challenge_data is changed and challenge == 'dns-01'"
+  when: "challenge_data is changed and challenge in ['dns-01', 'dns-account-01']"
 - name: ({{ certgen_title }}) Create TLS ALPN challenges (acme_challenge_cert_helper)
  community.crypto.acme_challenge_cert_helper:
    challenge: tls-alpn-01
@@ -146,7 +146,7 @@
    url: "http://{{ acme_host }}:5000/dns/{{ item.key }}"
    method: DELETE
  with_dict: "{{ challenge_data.challenge_data_dns }}"
-  when: "challenge_data is changed and challenge == 'dns-01'"
+  when: "challenge_data is changed and challenge in ['dns-01', 'dns-account-01']"
 - name: ({{ certgen_title }}) Deleting TLS ALPN challenges
  ansible.builtin.uri:
    url: "http://{{ acme_host }}:5000/tls-alpn/{{ item.value['tls-alpn-01'].resource }}"