Mark dns-account-01 and dns-persist-01 more explicitly as experimental. (#1002)

2026-04-27 00:46:43 +00:00 · 2026-04-17 07:32:41 +02:00
parent 0b36567667
commit cb0137baca
4 changed files with 23 additions and 8 deletions
--- a/changelogs/fragments/996-acme-dns-account-01.yml
+++ b/changelogs/fragments/996-acme-dns-account-01.yml
@@ -1,4 +1,5 @@
 minor_changes:
-  - acme_* modules - support ``dns-account-01`` challenge type according to
-    `acme-dns-account-label draft 02 <https://datatracker.ietf.org/doc/html/draft-ietf-acme-dns-account-label-02>`__
+  - acme_* modules - experimentally support ``dns-account-01`` challenge type according to
+    `acme-dns-account-label draft 02 <https://datatracker.ietf.org/doc/html/draft-ietf-acme-dns-account-label-02>`__.
+    Note that breaking changes to this challenge type can also happen in minor releases until the acme-dns-account-label draft has been finalized as an RFC
    (https://github.com/ansible-collections/community.crypto/pull/996).
--- a/changelogs/fragments/997-acme-dns-persist-01.yml
+++ b/changelogs/fragments/997-acme-dns-persist-01.yml
@@ -1,4 +1,5 @@
 minor_changes:
-  - acme_* modules - support ``dns-persist-01`` challenge type according to
-    `acme-dns-persist draft 01 <https://www.ietf.org/archive/id/draft-ietf-acme-dns-persist-01.html>`__
+  - acme_* modules - experimentally support ``dns-persist-01`` challenge type according to
+    `acme-dns-persist draft 01 <https://www.ietf.org/archive/id/draft-ietf-acme-dns-persist-01.html>`__.
+    Note that breaking changes to this challenge type can also happen in minor releases until the acme-dns-persist draft has been finalized as an RFC
    (https://github.com/ansible-collections/community.crypto/pull/997).
--- a/plugins/modules/acme_certificate.py
+++ b/plugins/modules/acme_certificate.py
@@ -24,11 +24,11 @@ description:
    and the L(TLS-ALPN-01 specification,https://www.rfc-editor.org/rfc/rfc8737.html#section-3). Also, consider the examples
    provided for this module.
  - The module support for IP identifiers according to L(RFC 8738,https://www.rfc-editor.org/rfc/rfc8738.html).
-  - The module supports the V(dns-account-01) challenge type according to
+  - The module B(experimentally) supports the V(dns-account-01) challenge type according to
    L(acme-dns-account-label draft 02, https://datatracker.ietf.org/doc/html/draft-ietf-acme-dns-account-label-02).
    Note that the supported draft version can change at any time,
    and changes will only be considered breaking once the draft reached RFC status.
-  - The module supports the V(dns-persist-01) challenge type according to
+  - The module B(experimentally) supports the V(dns-persist-01) challenge type according to
    L(acme-dns-persist draft 01, https://www.ietf.org/archive/id/draft-ietf-acme-dns-persist-01.html).
    Note that the supported draft version can change at any time,
    and changes will only be considered breaking once the draft reached RFC status.
@@ -481,6 +481,9 @@ challenge_data:
            - The keys in this dictionary are the challenge types. C(challenge-type) is a placeholder used in the documentation.
              Possible keys are V(http-01), V(dns-01), V(dns-account-01), V(dns-persist-01), and V(tls-alpn-01).
            - Note that the keys are not valid Jinja2 identifiers.
+            - B(Note) that this return value for V(dns-account-01) and V(dns-persist-01) challenges is B(experimental)
+              and can change in a breaking way also in minor releases, until the acme-dns-account-label respectively
+              the acme-dns-persist draft is in a more stable state.
          returned: changed
          type: dict
          contains:
@@ -514,6 +517,9 @@ challenge_data:
            account_uri:
              description:
                - The account URI that must be mentioned in the DNS TXT record.
+                - B(Note) that the type of this return value might change in a breaking way also in minor releases,
+                  until the acme-dns-persist draft is in a more stable state.
+                  This challenge field is currently under discussion in the ACME WG.
              returned: changed and challenge is V(dns-persist-01)
              type: str
              sample: https://ca.example/acct/123
--- a/plugins/modules/acme_certificate_order_create.py
+++ b/plugins/modules/acme_certificate_order_create.py
@@ -38,11 +38,11 @@ description:
    Also, consider the examples provided for this module.
  - The module includes support for IP identifiers according to
    L(RFC 8738,https://www.rfc-editor.org/rfc/rfc8738.html) ACME extension.
-  - The module supports the V(dns-account-01) challenge type according to
+  - The module B(experimentally) supports the V(dns-account-01) challenge type according to
    L(acme-dns-account-label draft 02, https://datatracker.ietf.org/doc/html/draft-ietf-acme-dns-account-label-02).
    Note that the supported draft version can change at any time,
    and changes will only be considered breaking once the draft reached RFC status.
-  - The module supports the V(dns-persist-01) challenge type according to
+  - The module B(experimentally) supports the V(dns-persist-01) challenge type according to
    L(acme-dns-persist draft 01, https://www.ietf.org/archive/id/draft-ietf-acme-dns-persist-01.html).
    Note that the supported draft version can change at any time,
    and changes will only be considered breaking once the draft reached RFC status.
@@ -330,6 +330,8 @@ challenge_data:
            - Information for V(dns-account-01) authorization.
            - A DNS TXT record needs to be created with the record name RV(challenge_data[].challenges.dns-01.record)
              and value RV(challenge_data[].challenges.dns-01.resource_value).
+            - B(Note) that this return value is B(experimental) and can change in a breaking way also in minor releases,
+              until the acme-dns-account-label draft is in a more stable state.
          returned: if the identifier supports V(dns-account-01) authorization
          version_added: 3.2.0
          type: dict
@@ -356,6 +358,8 @@ challenge_data:
            - Information for V(dns-persist-01) authorization.
            - A DNS TXT record needs to be created with the record name V(_validation-persist.<domain>).
              See the P(community.crypto.acme_dns_persist_record#filter) for how to create the record's content.
+            - B(Note) that this return value is B(experimental) and can change in a breaking way also in minor releases,
+              until the acme-dns-persist draft is in a more stable state.
          returned: if the identifier supports V(dns-persist-01) authorization
          version_added: 3.2.0
          type: dict
@@ -363,6 +367,9 @@ challenge_data:
            account_uri:
              description:
                - The account URI that must be mentioned in the DNS TXT record.
+                - B(Note) that the type of this return value might change in a breaking way also in minor releases,
+                  until the acme-dns-persist draft is in a more stable state.
+                  This challenge field is currently under discussion in the ACME WG.
              returned: success
              type: str
              sample: https://ca.example/acct/123