Release 1.9.7.

* Extension parsing: add new fallback code which uses the new cryptography API (#331)

* Add new code as fallback which re-serializes de-serialized extensions using the new cryptography API.

* Forgot Base64 encoding.

* Add extension by OID tests.

* There's one value which is different with the new code.

* Differences in CI.

* Working around older Jinjas.

* Value depends on which SAN was included.

* Force complete CI run now since cryptography 36.0.0 is out.

ci_complete

(cherry picked from commit 3f40795a98)

* Adjust tests.

Co-authored-by: Felix Fontein <felix@fontein.de>

.azure-pipelines/azure-pipelines.yml

@@ -19,6 +19,11 @@ schedules:
     branches:
       include:
         - main
+  - cron: 0 12 * * 0
+    displayName: Weekly (old stable branches)
+    always: true
+    branches:
+      include:
         - stable-*
 
 variables:
@@ -55,6 +60,17 @@ stages:
               test: 'devel/sanity/extra'
             - name: Units
               test: 'devel/units/1'
+  - stage: Ansible_2_12
+    displayName: Sanity & Units 2.12
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          targets:
+            - name: Sanity
+              test: '2.12/sanity/1'
+            - name: Units
+              test: '2.12/units/1'
   - stage: Ansible_2_11
     displayName: Sanity & Units 2.11
     dependsOn: []
@@ -97,16 +113,12 @@ stages:
         parameters:
           testFormat: devel/linux/{0}/1
           targets:
-            - name: CentOS 6
-              test: centos6
             - name: CentOS 7
               test: centos7
-            - name: CentOS 8
-              test: centos8
-            - name: Fedora 33
-              test: fedora33
             - name: Fedora 34
               test: fedora34
+            - name: Fedora 35
+              test: fedora35
             - name: openSUSE 15 py2
               test: opensuse15py2
             - name: openSUSE 15 py3
@@ -115,6 +127,24 @@ stages:
               test: ubuntu1804
             - name: Ubuntu 20.04
               test: ubuntu2004
+  - stage: Docker_2_12
+    displayName: Docker 2.12
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: 2.12/linux/{0}/1
+          targets:
+            - name: CentOS 6
+              test: centos6
+            - name: CentOS 8
+              test: centos8
+            - name: Fedora 33
+              test: fedora33
+            - name: openSUSE 15 py3
+              test: opensuse15
+            - name: Ubuntu 20.04
+              test: ubuntu2004
   - stage: Docker_2_11
     displayName: Docker 2.11
     dependsOn: []
@@ -131,12 +161,8 @@ stages:
               test: fedora32
             - name: openSUSE 15 py2
               test: opensuse15py2
-            - name: openSUSE 15 py3
-              test: opensuse15
             - name: Ubuntu 18.04
               test: ubuntu1804
-            - name: Ubuntu 20.04
-              test: ubuntu2004
   - stage: Docker_2_10
     displayName: Docker 2.10
     dependsOn: []
@@ -147,22 +173,10 @@ stages:
           targets:
             - name: CentOS 6
               test: centos6
-            - name: CentOS 7
-              test: centos7
-            - name: CentOS 8
-              test: centos8
             - name: Fedora 31
               test: fedora31
-            - name: Fedora 32
-              test: fedora32
-            - name: openSUSE 15 py2
-              test: opensuse15py2
-            - name: openSUSE 15 py3
-              test: opensuse15
             - name: Ubuntu 16.04
               test: ubuntu1604
-            - name: Ubuntu 18.04
-              test: ubuntu1804
   - stage: Docker_2_9
     displayName: Docker 2.9
     dependsOn: []
@@ -175,16 +189,8 @@ stages:
               test: centos6
             - name: CentOS 7
               test: centos7
-            - name: CentOS 8
-              test: centos8
-            - name: Fedora 30
-              test: fedora30
             - name: Fedora 31
               test: fedora31
-            - name: openSUSE 15 py2
-              test: opensuse15py2
-            - name: openSUSE 15 py3
-              test: opensuse15
             - name: Ubuntu 16.04
               test: ubuntu1604
             - name: Ubuntu 18.04
@@ -203,12 +209,26 @@ stages:
               test: macos/11.1
             - name: RHEL 7.9
               test: rhel/7.9
-            - name: RHEL 8.4
+            - name: RHEL 8.5
-              test: rhel/8.4
+              test: rhel/8.5
             - name: FreeBSD 12.2
               test: freebsd/12.2
             - name: FreeBSD 13.0
               test: freebsd/13.0
+  - stage: Remote_2_12
+    displayName: Remote 2.12
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: 2.12/{0}/1
+          targets:
+            - name: macOS 11.1
+              test: macos/11.1
+            - name: RHEL 8.4
+              test: rhel/8.4
+            - name: FreeBSD 13.0
+              test: freebsd/13.0
   - stage: Remote_2_11
     displayName: Remote 2.11
     dependsOn: []
@@ -221,8 +241,6 @@ stages:
               test: rhel/7.9
             - name: RHEL 8.3
               test: rhel/8.3
-            - name: macOS 11.1
-              test: macos/11.1
             - name: FreeBSD 12.2
               test: freebsd/12.2
   - stage: Remote_2_10
@@ -233,8 +251,6 @@ stages:
         parameters:
           testFormat: 2.10/{0}/1
           targets:
-            - name: RHEL 7.8
-              test: rhel/7.8
             - name: OS X 10.11
               test: osx/10.11
             - name: macOS 10.15
@@ -261,7 +277,6 @@ stages:
           nameFormat: Python {0}
           testFormat: devel/cloud/{0}/1
           targets:
-            - test: 2.6
             - test: 2.7
             - test: 3.5
             - test: 3.6
@@ -269,6 +284,17 @@ stages:
             - test: 3.8
             - test: 3.9
             - test: "3.10"
+  - stage: Cloud_2_12
+    displayName: Cloud 2.12
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          nameFormat: Python {0}
+          testFormat: 2.12/cloud/{0}/1
+          targets:
+            - test: 2.6
+            - test: 3.9
   - stage: Cloud_2_11
     displayName: Cloud 2.11
     dependsOn: []
@@ -306,20 +332,24 @@ stages:
     condition: succeededOrFailed()
     dependsOn:
       - Ansible_devel
+      - Ansible_2_12
       - Ansible_2_11
       - Ansible_2_10
       - Ansible_2_9
       - Remote_devel
-      - Docker_devel
+      - Remote_2_12
-      - Cloud_devel
       - Remote_2_11
-      - Docker_2_11
-      - Cloud_2_11
       - Remote_2_10
-      - Docker_2_10
-      - Cloud_2_10
       - Remote_2_9
+      - Docker_devel
+      - Docker_2_12
+      - Docker_2_11
+      - Docker_2_10
       - Docker_2_9
+      - Cloud_devel
+      - Cloud_2_12
+      - Cloud_2_11
+      - Cloud_2_10
       - Cloud_2_9
     jobs:
       - template: templates/coverage.yml

.azure-pipelines/scripts/aggregate-coverage.sh

@@ -11,7 +11,7 @@ mkdir "${agent_temp_directory}/coverage/"
 
 options=(--venv --venv-system-site-packages --color -v)
 
-ansible-test coverage combine --export "${agent_temp_directory}/coverage/" "${options[@]}"
+ansible-test coverage combine --group-by command --export "${agent_temp_directory}/coverage/" "${options[@]}"
 
 if ansible-test coverage analyze targets generate --help >/dev/null 2>&1; then
     # Only analyze coverage if the installed version of ansible-test supports it.

.azure-pipelines/scripts/publish-codecov.py

@@ -0,0 +1,101 @@
+#!/usr/bin/env python
+"""
+Upload code coverage reports to codecov.io.
+Multiple coverage files from multiple languages are accepted and aggregated after upload.
+Python coverage, as well as PowerShell and Python stubs can all be uploaded.
+"""
+
+import argparse
+import dataclasses
+import pathlib
+import shutil
+import subprocess
+import tempfile
+import typing as t
+import urllib.request
+
+
+@dataclasses.dataclass(frozen=True)
+class CoverageFile:
+    name: str
+    path: pathlib.Path
+    flags: t.List[str]
+
+
+@dataclasses.dataclass(frozen=True)
+class Args:
+    dry_run: bool
+    path: pathlib.Path
+
+
+def parse_args() -> Args:
+    parser = argparse.ArgumentParser()
+    parser.add_argument('-n', '--dry-run', action='store_true')
+    parser.add_argument('path', type=pathlib.Path)
+
+    args = parser.parse_args()
+
+    # Store arguments in a typed dataclass
+    fields = dataclasses.fields(Args)
+    kwargs = {field.name: getattr(args, field.name) for field in fields}
+
+    return Args(**kwargs)
+
+
+def process_files(directory: pathlib.Path) -> t.Tuple[CoverageFile, ...]:
+    processed = []
+    for file in directory.joinpath('reports').glob('coverage*.xml'):
+        name = file.stem.replace('coverage=', '')
+
+        # Get flags from name
+        flags = name.replace('-powershell', '').split('=')  # Drop '-powershell' suffix
+        flags = [flag if not flag.startswith('stub') else flag.split('-')[0] for flag in flags]  # Remove "-01" from stub files
+
+        processed.append(CoverageFile(name, file, flags))
+
+    return tuple(processed)
+
+
+def upload_files(codecov_bin: pathlib.Path, files: t.Tuple[CoverageFile, ...], dry_run: bool = False) -> None:
+    for file in files:
+        cmd = [
+            str(codecov_bin),
+            '--name', file.name,
+            '--file', str(file.path),
+        ]
+        for flag in file.flags:
+            cmd.extend(['--flags', flag])
+
+        if dry_run:
+            print(f'DRY-RUN: Would run command: {cmd}')
+            continue
+
+        subprocess.run(cmd, check=True)
+
+
+def download_file(url: str, dest: pathlib.Path, flags: int, dry_run: bool = False) -> None:
+    if dry_run:
+        print(f'DRY-RUN: Would download {url} to {dest} and set mode to {flags:o}')
+        return
+
+    with urllib.request.urlopen(url) as resp:
+        with dest.open('w+b') as f:
+            # Read data in chunks rather than all at once
+            shutil.copyfileobj(resp, f, 64 * 1024)
+
+    dest.chmod(flags)
+
+
+def main():
+    args = parse_args()
+    url = 'https://ansible-ci-files.s3.amazonaws.com/codecov/linux/codecov'
+    with tempfile.TemporaryDirectory(prefix='codecov-') as tmpdir:
+        codecov_bin = pathlib.Path(tmpdir) / 'codecov'
+        download_file(url, codecov_bin, 0o755, args.dry_run)
+
+        files = process_files(args.path)
+        upload_files(codecov_bin, files, args.dry_run)
+
+
+if __name__ == '__main__':
+    main()

.azure-pipelines/scripts/publish-codecov.sh

@@ -1,27 +0,0 @@
-#!/usr/bin/env bash
-# Upload code coverage reports to codecov.io.
-# Multiple coverage files from multiple languages are accepted and aggregated after upload.
-# Python coverage, as well as PowerShell and Python stubs can all be uploaded.
-
-set -o pipefail -eu
-
-output_path="$1"
-
-curl --silent --show-error https://ansible-ci-files.s3.us-east-1.amazonaws.com/codecov/codecov.sh > codecov.sh
-
-for file in "${output_path}"/reports/coverage*.xml; do
-    name="${file}"
-    name="${name##*/}"  # remove path
-    name="${name##coverage=}"  # remove 'coverage=' prefix if present
-    name="${name%.xml}"  # remove '.xml' suffix
-
-    bash codecov.sh \
-        -f "${file}" \
-        -n "${name}" \
-        -X coveragepy \
-        -X gcov \
-        -X fix \
-        -X search \
-        -X xcode \
-        || echo "Failed to upload code coverage report to codecov.io: ${file}"
-done

.azure-pipelines/scripts/report-coverage.sh

@@ -12,4 +12,4 @@ if ! ansible-test --help >/dev/null 2>&1; then
     pip install https://github.com/ansible/ansible/archive/devel.tar.gz --disable-pip-version-check
 fi
 
-ansible-test coverage xml --stub --venv --venv-system-site-packages --color -v
+ansible-test coverage xml --group-by command --stub --venv --venv-system-site-packages --color -v

.azure-pipelines/templates/coverage.yml

@@ -33,7 +33,7 @@ jobs:
           summaryFileLocation: "$(outputPath)/reports/$(pipelinesCoverage).xml"
         displayName: Publish to Azure Pipelines
         condition: gt(variables.coverageFileCount, 0)
-      - bash: .azure-pipelines/scripts/publish-codecov.sh "$(outputPath)"
+      - bash: .azure-pipelines/scripts/publish-codecov.py "$(outputPath)"
         displayName: Publish to codecov.io
         condition: gt(variables.coverageFileCount, 0)
         continueOnError: true

CHANGELOG.rst

@@ -5,6 +5,101 @@ Community Crypto Release Notes
 .. contents:: Topics
 
 
+v1.9.7
+======
+
+Release Summary
+---------------
+
+Bugfix release with extra forward compatibility for newer versions of cryptography.
+
+Minor Changes
+-------------
+
+- acme_* modules - fix usage of ``fetch_url`` with changes in latest ansible-core ``devel`` branch (https://github.com/ansible-collections/community.crypto/pull/339).
+
+Bugfixes
+--------
+
+- acme_certificate - avoid passing multiple certificates to ``cryptography``'s X.509 certificate loader when ``fullchain_dest`` is used (https://github.com/ansible-collections/community.crypto/pull/324).
+- get_certificate, openssl_csr_info, x509_certificate_info - add fallback code for extension parsing that works with cryptography 36.0.0 and newer. This code re-serializes de-serialized extensions and thus can return slightly different values if the extension in the original CSR resp. certificate was not canonicalized correctly. This code is currently used as a fallback if the existing code stops working, but we will switch it to be the main code in a future release (https://github.com/ansible-collections/community.crypto/pull/331).
+- luks_device - now also runs a built-in LUKS signature cleaner on ``state=absent`` to make sure that also the secondary LUKS2 header is wiped when older versions of wipefs are used (https://github.com/ansible-collections/community.crypto/issues/326, https://github.com/ansible-collections/community.crypto/pull/327).
+- openssl_pkcs12 - use new PKCS#12 deserialization infrastructure from cryptography 36.0.0 if available (https://github.com/ansible-collections/community.crypto/pull/302).
+
+v1.9.6
+======
+
+Release Summary
+---------------
+
+Regular bugfix release.
+
+Bugfixes
+--------
+
+- cryptography backend - improve Unicode handling for Python 2 (https://github.com/ansible-collections/community.crypto/pull/313).
+
+v1.9.5
+======
+
+Release Summary
+---------------
+
+Bugfix release to fully support cryptography 35.0.0.
+
+Bugfixes
+--------
+
+- get_certificate - fix compatibility with the cryptography 35.0.0 release (https://github.com/ansible-collections/community.crypto/pull/294).
+- openssl_csr_info - fix compatibility with the cryptography 35.0.0 release (https://github.com/ansible-collections/community.crypto/pull/294).
+- openssl_csr_info - fix compatibility with the cryptography 35.0.0 release in PyOpenSSL backend (https://github.com/ansible-collections/community.crypto/pull/300).
+- openssl_pkcs12 - fix compatibility with the cryptography 35.0.0 release (https://github.com/ansible-collections/community.crypto/pull/296).
+- x509_certificate_info - fix compatibility with the cryptography 35.0.0 release (https://github.com/ansible-collections/community.crypto/pull/294).
+- x509_certificate_info - fix compatibility with the cryptography 35.0.0 release in PyOpenSSL backend (https://github.com/ansible-collections/community.crypto/pull/300).
+
+v1.9.4
+======
+
+Release Summary
+---------------
+
+Regular bugfix release.
+
+Bugfixes
+--------
+
+- acme_* modules - fix commands composed for OpenSSL backend to retrieve information on CSRs and certificates from stdin to use ``/dev/stdin`` instead of ``-``. This is needed for OpenSSL 1.0.1 and 1.0.2, apparently (https://github.com/ansible-collections/community.crypto/pull/279).
+- acme_challenge_cert_helper - only return exception when cryptography is not installed, not when a too old version of it is installed. This prevents Ansible's callback to crash (https://github.com/ansible-collections/community.crypto/pull/281).
+
+v1.9.3
+======
+
+Release Summary
+---------------
+
+Regular bugfix release.
+
+Bugfixes
+--------
+
+- openssl_csr and openssl_csr_pipe - make sure that Unicode strings are used to compare strings with the cryptography backend. This fixes idempotency problems with non-ASCII letters on Python 2 (https://github.com/ansible-collections/community.crypto/issues/270, https://github.com/ansible-collections/community.crypto/pull/271).
+
+v1.9.2
+======
+
+Release Summary
+---------------
+
+Bugfix release to fix the changelog. No other change compared to 1.9.0.
+
+v1.9.1
+======
+
+Release Summary
+---------------
+
+Accidental 1.9.1 release. Identical to 1.9.0.
+
 v1.9.0
 ======
 

README.md

@@ -11,7 +11,7 @@ Please note that this collection does **not** support Windows targets.
 
 ## Tested with Ansible
 
-Tested with the current Ansible 2.9, ansible-base 2.10 and ansible-core 2.11 releases and the current development version of ansible-core. Ansible versions before 2.9.10 are not supported.
+Tested with the current Ansible 2.9, ansible-base 2.10, ansible-core 2.11 and ansible-core 2.12 releases and the current development version of ansible-core. Ansible versions before 2.9.10 are not supported.
 
 ## External requirements
 

changelogs/changelog.yaml

@@ -528,3 +528,97 @@ releases:
     changes:
       release_summary: Accidental 1.9.1 release. Identical to 1.9.0.
     release_date: '2021-08-30'
+  1.9.2:
+    changes:
+      release_summary: Bugfix release to fix the changelog. No other change compared
+        to 1.9.0.
+    fragments:
+    - 1.9.2.yml
+    release_date: '2021-08-30'
+  1.9.3:
+    changes:
+      bugfixes:
+      - openssl_csr and openssl_csr_pipe - make sure that Unicode strings are used
+        to compare strings with the cryptography backend. This fixes idempotency problems
+        with non-ASCII letters on Python 2 (https://github.com/ansible-collections/community.crypto/issues/270,
+        https://github.com/ansible-collections/community.crypto/pull/271).
+      release_summary: Regular bugfix release.
+    fragments:
+    - 1.9.3.yml
+    - 271-openssl_csr-utf8.yml
+    release_date: '2021-09-14'
+  1.9.4:
+    changes:
+      bugfixes:
+      - acme_* modules - fix commands composed for OpenSSL backend to retrieve information
+        on CSRs and certificates from stdin to use ``/dev/stdin`` instead of ``-``.
+        This is needed for OpenSSL 1.0.1 and 1.0.2, apparently (https://github.com/ansible-collections/community.crypto/pull/279).
+      - acme_challenge_cert_helper - only return exception when cryptography is not
+        installed, not when a too old version of it is installed. This prevents Ansible's
+        callback to crash (https://github.com/ansible-collections/community.crypto/pull/281).
+      release_summary: Regular bugfix release.
+    fragments:
+    - 1.9.4.yml
+    - 279-acme-openssl.yml
+    - 282-acme_challenge_cert_helper-error.yml
+    release_date: '2021-09-28'
+  1.9.5:
+    changes:
+      bugfixes:
+      - get_certificate - fix compatibility with the cryptography 35.0.0 release (https://github.com/ansible-collections/community.crypto/pull/294).
+      - openssl_csr_info - fix compatibility with the cryptography 35.0.0 release
+        (https://github.com/ansible-collections/community.crypto/pull/294).
+      - openssl_csr_info - fix compatibility with the cryptography 35.0.0 release
+        in PyOpenSSL backend (https://github.com/ansible-collections/community.crypto/pull/300).
+      - openssl_pkcs12 - fix compatibility with the cryptography 35.0.0 release (https://github.com/ansible-collections/community.crypto/pull/296).
+      - x509_certificate_info - fix compatibility with the cryptography 35.0.0 release
+        (https://github.com/ansible-collections/community.crypto/pull/294).
+      - x509_certificate_info - fix compatibility with the cryptography 35.0.0 release
+        in PyOpenSSL backend (https://github.com/ansible-collections/community.crypto/pull/300).
+      release_summary: Bugfix release to fully support cryptography 35.0.0.
+    fragments:
+    - 1.9.5.yml
+    - 294-cryptography-35.0.0.yml
+    - 296-openssl_pkcs12-cryptography-35.yml
+    - 300-pyopenssl-cryptography-35.yml
+    release_date: '2021-10-06'
+  1.9.6:
+    changes:
+      bugfixes:
+      - cryptography backend - improve Unicode handling for Python 2 (https://github.com/ansible-collections/community.crypto/pull/313).
+      release_summary: Regular bugfix release.
+    fragments:
+    - 1.9.6.yml
+    - 313-unicode-names.yml
+    release_date: '2021-10-30'
+  1.9.7:
+    changes:
+      bugfixes:
+      - acme_certificate - avoid passing multiple certificates to ``cryptography``'s
+        X.509 certificate loader when ``fullchain_dest`` is used (https://github.com/ansible-collections/community.crypto/pull/324).
+      - get_certificate, openssl_csr_info, x509_certificate_info - add fallback code
+        for extension parsing that works with cryptography 36.0.0 and newer. This
+        code re-serializes de-serialized extensions and thus can return slightly different
+        values if the extension in the original CSR resp. certificate was not canonicalized
+        correctly. This code is currently used as a fallback if the existing code
+        stops working, but we will switch it to be the main code in a future release
+        (https://github.com/ansible-collections/community.crypto/pull/331).
+      - luks_device - now also runs a built-in LUKS signature cleaner on ``state=absent``
+        to make sure that also the secondary LUKS2 header is wiped when older versions
+        of wipefs are used (https://github.com/ansible-collections/community.crypto/issues/326,
+        https://github.com/ansible-collections/community.crypto/pull/327).
+      - openssl_pkcs12 - use new PKCS#12 deserialization infrastructure from cryptography
+        36.0.0 if available (https://github.com/ansible-collections/community.crypto/pull/302).
+      minor_changes:
+      - acme_* modules - fix usage of ``fetch_url`` with changes in latest ansible-core
+        ``devel`` branch (https://github.com/ansible-collections/community.crypto/pull/339).
+      release_summary: Bugfix release with extra forward compatibility for newer versions
+        of cryptography.
+    fragments:
+    - 1.9.7.yml
+    - 302-openssl_pkcs12-cryptography-36.0.0.yml
+    - 324-acme_certificate-fullchain.yml
+    - 327-luks_device-wipe.yml
+    - 331-cryptography-extensions.yml
+    - fetch_url-devel.yml
+    release_date: '2021-11-22'

changelogs/fragments/1.9.2.yml

@@ -1 +0,0 @@
-release_summary: Bugfix release to fix the changelog. No other change compared to 1.9.0.

galaxy.yml

@@ -1,6 +1,6 @@
 namespace: community
 name: crypto
-version: 1.9.2
+version: 1.9.7
 readme: README.md
 authors:
   - Ansible (github.com/ansible)

plugins/doc_fragments/module_certificate.py

@@ -457,8 +457,8 @@ options:
             - Time will always be interpreted as UTC.
             - Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer
               + C([w | d | h | m | s]) (e.g. C(+32w1d2h).
-            - Note that if using relative time this module is NOT idempotent.
             - If this value is not specified, the certificate will start being valid from now.
+            - Note that this value is B(not used to determine whether an existing certificate should be regenerated).
             - This is only used by the C(ownca) provider.
         type: str
         default: +0s
@@ -470,8 +470,8 @@ options:
             - Time will always be interpreted as UTC.
             - Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer
               + C([w | d | h | m | s]) (e.g. C(+32w1d2h).
-            - Note that if using relative time this module is NOT idempotent.
             - If this value is not specified, the certificate will stop being valid 10 years from now.
+            - Note that this value is B(not used to determine whether an existing certificate should be regenerated).
             - This is only used by the C(ownca) provider.
             - On macOS 10.15 and onwards, TLS server certificates must have a validity period of 825 days or fewer.
               Please see U(https://support.apple.com/en-us/HT210176) for more details.
@@ -548,8 +548,8 @@ options:
             - Time will always be interpreted as UTC.
             - Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer
               + C([w | d | h | m | s]) (e.g. C(+32w1d2h).
-            - Note that if using relative time this module is NOT idempotent.
             - If this value is not specified, the certificate will start being valid from now.
+            - Note that this value is B(not used to determine whether an existing certificate should be regenerated).
             - This is only used by the C(selfsigned) provider.
         type: str
         default: +0s
@@ -562,8 +562,8 @@ options:
             - Time will always be interpreted as UTC.
             - Valid format is C([+-]timespec | ASN.1 TIME) where timespec can be an integer
               + C([w | d | h | m | s]) (e.g. C(+32w1d2h).
-            - Note that if using relative time this module is NOT idempotent.
             - If this value is not specified, the certificate will stop being valid 10 years from now.
+            - Note that this value is B(not used to determine whether an existing certificate should be regenerated).
             - This is only used by the C(selfsigned) provider.
             - On macOS 10.15 and onwards, TLS server certificates must have a validity period of 825 days or fewer.
               Please see U(https://support.apple.com/en-us/HT210176) for more details.

plugins/doc_fragments/module_csr.py

@@ -227,12 +227,11 @@ options:
         description:
             - The authority key identifier as a hex string, where two bytes are separated by colons.
             - "Example: C(00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33)"
-            - If specified, I(authority_cert_issuer) must also be specified.
             - "Please note that commercial CAs ignore this value, respectively use a value of their
                own choice. Specifying this option is mostly useful for self-signed certificates
                or for own CAs."
             - Note that this is only supported if the C(cryptography) backend is used!
-            - The C(AuthorityKeyIdentifier) will only be added if at least one of I(authority_key_identifier),
+            - The C(AuthorityKeyIdentifier) extension will only be added if at least one of I(authority_key_identifier),
               I(authority_cert_issuer) and I(authority_cert_serial_number) is specified.
         type: str
     authority_cert_issuer:
@@ -241,23 +240,24 @@ options:
             - Values must be prefixed by their options. (i.e., C(email), C(URI), C(DNS), C(RID), C(IP), C(dirName),
               C(otherName) and the ones specific to your CA)
             - "Example: C(DNS:ca.example.org)"
-            - If specified, I(authority_key_identifier) must also be specified.
+            - If specified, I(authority_cert_serial_number) must also be specified.
             - "Please note that commercial CAs ignore this value, respectively use a value of their
                own choice. Specifying this option is mostly useful for self-signed certificates
                or for own CAs."
             - Note that this is only supported if the C(cryptography) backend is used!
-            - The C(AuthorityKeyIdentifier) will only be added if at least one of I(authority_key_identifier),
+            - The C(AuthorityKeyIdentifier) extension will only be added if at least one of I(authority_key_identifier),
               I(authority_cert_issuer) and I(authority_cert_serial_number) is specified.
         type: list
         elements: str
     authority_cert_serial_number:
         description:
             - The authority cert serial number.
+            - If specified, I(authority_cert_issuer) must also be specified.
             - Note that this is only supported if the C(cryptography) backend is used!
             - "Please note that commercial CAs ignore this value, respectively use a value of their
                own choice. Specifying this option is mostly useful for self-signed certificates
                or for own CAs."
-            - The C(AuthorityKeyIdentifier) will only be added if at least one of I(authority_key_identifier),
+            - The C(AuthorityKeyIdentifier) extension will only be added if at least one of I(authority_key_identifier),
               I(authority_cert_issuer) and I(authority_cert_serial_number) is specified.
         type: int
     crl_distribution_points:

plugins/module_utils/acme/acme.py

@@ -14,8 +14,9 @@ import json
 import locale
 
 from ansible.module_utils.basic import missing_required_lib
-from ansible.module_utils.urls import fetch_url
 from ansible.module_utils.common.text.converters import to_bytes
+from ansible.module_utils.urls import fetch_url
+from ansible.module_utils.six import PY3
 
 from ansible_collections.community.crypto.plugins.module_utils.acme.backend_openssl_cli import (
     OpenSSLCLIBackend,
@@ -228,9 +229,14 @@ class ACMEClient(object):
             resp, info = fetch_url(self.module, url, data=data, headers=headers, method='POST')
             _assert_fetch_url_success(self.module, resp, info)
             result = {}
+
             try:
+                # In Python 2, reading from a closed response yields a TypeError.
+                # In Python 3, read() simply returns ''
+                if PY3 and resp.closed:
+                    raise TypeError
                 content = resp.read()
-            except AttributeError:
+            except (AttributeError, TypeError):
                 content = info.pop('body', None)
 
             if content or not parse_json_result:
@@ -284,8 +290,12 @@ class ACMEClient(object):
             _assert_fetch_url_success(self.module, resp, info)
 
             try:
+                # In Python 2, reading from a closed response yields a TypeError.
+                # In Python 3, read() simply returns ''
+                if PY3 and resp.closed:
+                    raise TypeError
                 content = resp.read()
-            except AttributeError:
+            except (AttributeError, TypeError):
                 content = info.pop('body', None)
 
         # Process result

plugins/module_utils/acme/backend_cryptography.py

@@ -14,7 +14,7 @@ import datetime
 import os
 import sys
 
-from ansible.module_utils.common.text.converters import to_bytes, to_native
+from ansible.module_utils.common.text.converters import to_bytes, to_native, to_text
 
 from ansible_collections.community.crypto.plugins.module_utils.acme.backends import (
     CryptoBackend,
@@ -41,6 +41,10 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp
     cryptography_name_to_oid,
 )
 
+from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import (
+    extract_first_pem,
+)
+
 try:
     import cryptography
     import cryptography.hazmat.backends
@@ -357,6 +361,9 @@ class CryptographyBackend(CryptoBackend):
         if cert_content is None:
             return -1
 
+        # Make sure we have at most one PEM. Otherwise cryptography 36.0.0 will barf.
+        cert_content = to_bytes(extract_first_pem(to_text(cert_content)) or '')
+
         try:
             cert = cryptography.x509.load_pem_x509_certificate(cert_content, _cryptography_backend)
         except Exception as e:

plugins/module_utils/acme/backend_openssl_cli.py

@@ -230,7 +230,7 @@ class OpenSSLCLIBackend(CryptoBackend):
         filename = csr_filename
         data = None
         if csr_content is not None:
-            filename = '-'
+            filename = '/dev/stdin'
             data = csr_content.encode('utf-8')
 
         openssl_csr_cmd = [self.openssl_binary, "req", "-in", filename, "-noout", "-text"]
@@ -267,7 +267,7 @@ class OpenSSLCLIBackend(CryptoBackend):
         filename = cert_filename
         data = None
         if cert_content is not None:
-            filename = '-'
+            filename = '/dev/stdin'
             data = cert_content.encode('utf-8')
             cert_filename_suffix = ''
         elif cert_filename is not None:

plugins/module_utils/acme/errors.py

@@ -7,8 +7,8 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
 
-from ansible.module_utils.six import binary_type
 from ansible.module_utils.common.text.converters import to_text
+from ansible.module_utils.six import binary_type, PY3
 
 
 def format_error_problem(problem, subproblem_prefix=''):
@@ -52,8 +52,12 @@ class ACMEProtocolException(ModuleFailException):
         # Try to get hold of content, if response is given and content is not provided
         if content is None and content_json is None and response is not None:
             try:
+                # In Python 2, reading from a closed response yields a TypeError.
+                # In Python 3, read() simply returns ''
+                if PY3 and response.closed:
+                    raise TypeError
                 content = response.read()
-            except AttributeError:
+            except (AttributeError, TypeError):
                 content = info.pop('body', None)
 
         # Make sure that content_json is None or a dictionary

plugins/module_utils/crypto/_obj2txt.py

@@ -20,6 +20,10 @@ from __future__ import absolute_import, division, print_function
 __metaclass__ = type
 
 
+# WARNING: this function no longer works with cryptography 35.0.0 and newer!
+#          It must **ONLY** be used in compatibility code for older
+#          cryptography versions!
+
 def obj2txt(openssl_lib, openssl_ffi, obj):
     # Set to 80 on the recommendation of
     # https://www.openssl.org/docs/crypto/OBJ_nid2ln.html#return_values

plugins/module_utils/crypto/cryptography_support.py

@@ -23,12 +23,15 @@ import base64
 import binascii
 import re
 
+from distutils.version import LooseVersion
+
 from ansible.module_utils.common.text.converters import to_text, to_bytes
 from ._asn1 import serialize_asn1_string_as_der
 
 try:
     import cryptography
     from cryptography import x509
+    from cryptography.hazmat.backends import default_backend
     from cryptography.hazmat.primitives import serialization
     import ipaddress
 except ImportError:
@@ -44,6 +47,15 @@ except ImportError:
     # Error handled in the calling module.
     _load_key_and_certificates = None
 
+try:
+    # This is a separate try/except since this is only present in cryptography 36.0.0 or newer
+    from cryptography.hazmat.primitives.serialization.pkcs12 import (
+        load_pkcs12 as _load_pkcs12,
+    )
+except ImportError:
+    # Error handled in the calling module.
+    _load_pkcs12 = None
+
 from .basic import (
     CRYPTOGRAPHY_HAS_ED25519,
     CRYPTOGRAPHY_HAS_ED448,
@@ -64,12 +76,23 @@ DOTTED_OID = re.compile(r'^\d+(?:\.\d+)+$')
 
 
 def cryptography_get_extensions_from_cert(cert):
+    result = dict()
+    try:
         # Since cryptography won't give us the DER value for an extension
         # (that is only stored for unrecognized extensions), we have to re-do
         # the extension parsing outselves.
-    result = dict()
+        backend = default_backend()
+        try:
+            # For certain old versions of cryptography, backend is a MultiBackend object,
+            # which has no _lib attribute. In that case, revert to the old approach.
+            backend._lib
+        except AttributeError:
             backend = cert._backend
+
         x509_obj = cert._x509
+        # With cryptography 35.0.0, we can no longer use obj2txt. Unfortunately it still does
+        # not allow to get the raw value of an extension, so we have to use this ugly hack:
+        exts = list(cert.extensions)
 
         for i in range(backend._lib.X509_get_ext_count(x509_obj)):
             ext = backend._lib.X509_get_ext(x509_obj, i)
@@ -83,16 +106,39 @@ def cryptography_get_extensions_from_cert(cert):
                 critical=(crit == 1),
                 value=base64.b64encode(der),
             )
+            try:
                 oid = obj2txt(backend._lib, backend._ffi, backend._lib.X509_EXTENSION_get_object(ext))
+            except AttributeError:
+                oid = exts[i].oid.dotted_string
             result[oid] = entry
+
+    except Exception:
+        # In case the above method breaks, we likely have cryptography 36.0.0 or newer.
+        # Use it's public_bytes() feature in that case. We will later switch this around
+        # so that this code will be the default, but for now this will act as a fallback
+        # since it will re-serialize de-serialized data, which can be different (if the
+        # original data was not canonicalized) from what was contained in the certificate.
+        for ext in cert.extensions:
+            result[ext.oid.dotted_string] = dict(
+                critical=ext.critical,
+                value=base64.b64encode(ext.value.public_bytes()),
+            )
+
     return result
 
 
 def cryptography_get_extensions_from_csr(csr):
+    result = dict()
+    try:
         # Since cryptography won't give us the DER value for an extension
         # (that is only stored for unrecognized extensions), we have to re-do
         # the extension parsing outselves.
-    result = dict()
+        backend = default_backend()
+        try:
+            # For certain old versions of cryptography, backend is a MultiBackend object,
+            # which has no _lib attribute. In that case, revert to the old approach.
+            backend._lib
+        except AttributeError:
             backend = csr._backend
 
         extensions = backend._lib.X509_REQ_get_extensions(csr._x509_req)
@@ -104,6 +150,10 @@ def cryptography_get_extensions_from_csr(csr):
             )
         )
 
+        # With cryptography 35.0.0, we can no longer use obj2txt. Unfortunately it still does
+        # not allow to get the raw value of an extension, so we have to use this ugly hack:
+        exts = list(csr.extensions)
+
         for i in range(backend._lib.sk_X509_EXTENSION_num(extensions)):
             ext = backend._lib.sk_X509_EXTENSION_value(extensions, i)
             if ext == backend._ffi.NULL:
@@ -116,8 +166,24 @@ def cryptography_get_extensions_from_csr(csr):
                 critical=(crit == 1),
                 value=base64.b64encode(der),
             )
+            try:
                 oid = obj2txt(backend._lib, backend._ffi, backend._lib.X509_EXTENSION_get_object(ext))
+            except AttributeError:
+                oid = exts[i].oid.dotted_string
             result[oid] = entry
+
+    except Exception:
+        # In case the above method breaks, we likely have cryptography 36.0.0 or newer.
+        # Use it's public_bytes() feature in that case. We will later switch this around
+        # so that this code will be the default, but for now this will act as a fallback
+        # since it will re-serialize de-serialized data, which can be different (if the
+        # original data was not canonicalized) from what was contained in the CSR.
+        for ext in csr.extensions:
+            result[ext.oid.dotted_string] = dict(
+                critical=ext.critical,
+                value=base64.b64encode(ext.value.public_bytes()),
+            )
+
     return result
 
 
@@ -280,11 +346,11 @@ def _dn_escape_value(value):
     '''
     Escape Distinguished Name's attribute value.
     '''
-    value = value.replace('\\', '\\\\')
+    value = value.replace(u'\\', u'\\\\')
-    for ch in [',', '#', '+', '<', '>', ';', '"', '=', '/']:
+    for ch in [u',', u'#', u'+', u'<', u'>', u';', u'"', u'=', u'/']:
-        value = value.replace(ch, '\\%s' % ch)
+        value = value.replace(ch, u'\\%s' % ch)
-    if value.startswith(' '):
+    if value.startswith(u' '):
-        value = r'\ ' + value[1:]
+        value = u'\\ ' + value[1:]
     return value
 
 
@@ -294,24 +360,24 @@ def cryptography_decode_name(name):
     Raises an OpenSSLObjectError if the name is not supported.
     '''
     if isinstance(name, x509.DNSName):
-        return 'DNS:{0}'.format(name.value)
+        return u'DNS:{0}'.format(name.value)
     if isinstance(name, x509.IPAddress):
         if isinstance(name.value, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
-            return 'IP:{0}/{1}'.format(name.value.network_address.compressed, name.value.prefixlen)
+            return u'IP:{0}/{1}'.format(name.value.network_address.compressed, name.value.prefixlen)
-        return 'IP:{0}'.format(name.value.compressed)
+        return u'IP:{0}'.format(name.value.compressed)
     if isinstance(name, x509.RFC822Name):
-        return 'email:{0}'.format(name.value)
+        return u'email:{0}'.format(name.value)
     if isinstance(name, x509.UniformResourceIdentifier):
-        return 'URI:{0}'.format(name.value)
+        return u'URI:{0}'.format(name.value)
     if isinstance(name, x509.DirectoryName):
-        return 'dirName:' + ''.join([
+        return u'dirName:' + u''.join([
-            '/{0}={1}'.format(cryptography_oid_to_name(attribute.oid, short=True), _dn_escape_value(attribute.value))
+            u'/{0}={1}'.format(to_text(cryptography_oid_to_name(attribute.oid, short=True)), _dn_escape_value(attribute.value))
             for attribute in name.value
         ])
     if isinstance(name, x509.RegisteredID):
-        return 'RID:{0}'.format(name.value.dotted_string)
+        return u'RID:{0}'.format(name.value.dotted_string)
     if isinstance(name, x509.OtherName):
-        return 'otherName:{0};{1}'.format(name.type_id.dotted_string, _get_hex(name.value))
+        return u'otherName:{0};{1}'.format(name.type_id.dotted_string, _get_hex(name.value))
     raise OpenSSLObjectError('Cannot decode name "{0}"'.format(name))
 
 
@@ -442,17 +508,74 @@ def cryptography_serial_number_of_cert(cert):
 def parse_pkcs12(pkcs12_bytes, passphrase=None):
     '''Returns a tuple (private_key, certificate, additional_certificates, friendly_name).
     '''
-    if _load_key_and_certificates is None:
+    if _load_pkcs12 is None and _load_key_and_certificates is None:
-        raise ValueError('load_key_and_certificates() not present in the current cryptography version')
+        raise ValueError('neither load_pkcs12() nor load_key_and_certificates() present in the current cryptography version')
-    private_key, certificate, additional_certificates = _load_key_and_certificates(
+
-        pkcs12_bytes, to_bytes(passphrase) if passphrase is not None else None)
+    if passphrase is not None:
+        passphrase = to_bytes(passphrase)
+
+    # Main code for cryptography 36.0.0 and forward
+    if _load_pkcs12 is not None:
+        return _parse_pkcs12_36_0_0(pkcs12_bytes, passphrase)
+
+    if LooseVersion(cryptography.__version__) >= LooseVersion('35.0'):
+        return _parse_pkcs12_35_0_0(pkcs12_bytes, passphrase)
+
+    return _parse_pkcs12_legacy(pkcs12_bytes, passphrase)
+
+
+def _parse_pkcs12_36_0_0(pkcs12_bytes, passphrase=None):
+    # Requires cryptography 36.0.0 or newer
+    pkcs12 = _load_pkcs12(pkcs12_bytes, passphrase)
+    additional_certificates = [cert.certificate for cert in pkcs12.additional_certs]
+    private_key = pkcs12.key
+    certificate = None
+    friendly_name = None
+    if pkcs12.cert:
+        certificate = pkcs12.cert.certificate
+        friendly_name = pkcs12.cert.friendly_name
+    return private_key, certificate, additional_certificates, friendly_name
+
+
+def _parse_pkcs12_35_0_0(pkcs12_bytes, passphrase=None):
+    # Backwards compatibility code for cryptography 35.x
+    private_key, certificate, additional_certificates = _load_key_and_certificates(pkcs12_bytes, passphrase)
 
     friendly_name = None
     if certificate:
         # See https://github.com/pyca/cryptography/issues/5760#issuecomment-842687238
-        maybe_name = certificate._backend._lib.X509_alias_get0(
+        backend = default_backend()
-            certificate._x509, certificate._backend._ffi.NULL)
+
-        if maybe_name != certificate._backend._ffi.NULL:
+        # This code basically does what load_key_and_certificates() does, but without error-checking.
-            friendly_name = certificate._backend._ffi.string(maybe_name)
+        # Since load_key_and_certificates succeeded, it should not fail.
+        pkcs12 = backend._ffi.gc(
+            backend._lib.d2i_PKCS12_bio(backend._bytes_to_bio(pkcs12_bytes).bio, backend._ffi.NULL),
+            backend._lib.PKCS12_free)
+        certificate_x509_ptr = backend._ffi.new("X509 **")
+        with backend._zeroed_null_terminated_buf(to_bytes(passphrase) if passphrase is not None else None) as passphrase_buffer:
+            backend._lib.PKCS12_parse(
+                pkcs12,
+                passphrase_buffer,
+                backend._ffi.new("EVP_PKEY **"),
+                certificate_x509_ptr,
+                backend._ffi.new("Cryptography_STACK_OF_X509 **"))
+        if certificate_x509_ptr[0] != backend._ffi.NULL:
+            maybe_name = backend._lib.X509_alias_get0(certificate_x509_ptr[0], backend._ffi.NULL)
+            if maybe_name != backend._ffi.NULL:
+                friendly_name = backend._ffi.string(maybe_name)
 
     return private_key, certificate, additional_certificates, friendly_name
+
+
+def _parse_pkcs12_legacy(pkcs12_bytes, passphrase=None):
+    # Backwards compatibility code for cryptography < 35.0.0
+    private_key, certificate, additional_certificates = _load_key_and_certificates(pkcs12_bytes, passphrase)
+
+    friendly_name = None
+    if certificate:
+        # See https://github.com/pyca/cryptography/issues/5760#issuecomment-842687238
+        backend = certificate._backend
+        maybe_name = backend._lib.X509_alias_get0(certificate._x509, backend._ffi.NULL)
+        if maybe_name != backend._ffi.NULL:
+            friendly_name = backend._ffi.string(maybe_name)
+    return private_key, certificate, additional_certificates, friendly_name

plugins/module_utils/crypto/module_backends/csr.py

@@ -592,7 +592,7 @@ class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBack
     def _check_csr(self):
         """Check whether provided parameters, assuming self.existing_csr and self.privatekey have been populated."""
         def _check_subject(csr):
-            subject = [(cryptography_name_to_oid(entry[0]), entry[1]) for entry in self.subject]
+            subject = [(cryptography_name_to_oid(entry[0]), to_text(entry[1])) for entry in self.subject]
             current_subject = [(sub.oid, sub.value) for sub in csr.subject]
             return set(subject) == set(current_subject)
 
@@ -604,8 +604,8 @@ class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBack
 
         def _check_subjectAltName(extensions):
             current_altnames_ext = _find_extension(extensions, cryptography.x509.SubjectAlternativeName)
-            current_altnames = [str(altname) for altname in current_altnames_ext.value] if current_altnames_ext else []
+            current_altnames = [to_text(altname) for altname in current_altnames_ext.value] if current_altnames_ext else []
-            altnames = [str(cryptography_get_name(altname)) for altname in self.subjectAltName] if self.subjectAltName else []
+            altnames = [to_text(cryptography_get_name(altname)) for altname in self.subjectAltName] if self.subjectAltName else []
             if set(altnames) != set(current_altnames):
                 return False
             if altnames:
@@ -678,10 +678,10 @@ class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBack
 
         def _check_nameConstraints(extensions):
             current_nc_ext = _find_extension(extensions, cryptography.x509.NameConstraints)
-            current_nc_perm = [str(altname) for altname in current_nc_ext.value.permitted_subtrees] if current_nc_ext else []
+            current_nc_perm = [to_text(altname) for altname in current_nc_ext.value.permitted_subtrees] if current_nc_ext else []
-            current_nc_excl = [str(altname) for altname in current_nc_ext.value.excluded_subtrees] if current_nc_ext else []
+            current_nc_excl = [to_text(altname) for altname in current_nc_ext.value.excluded_subtrees] if current_nc_ext else []
-            nc_perm = [str(cryptography_get_name(altname, 'name constraints permitted')) for altname in self.name_constraints_permitted]
+            nc_perm = [to_text(cryptography_get_name(altname, 'name constraints permitted')) for altname in self.name_constraints_permitted]
-            nc_excl = [str(cryptography_get_name(altname, 'name constraints excluded')) for altname in self.name_constraints_excluded]
+            nc_excl = [to_text(cryptography_get_name(altname, 'name constraints excluded')) for altname in self.name_constraints_excluded]
             if set(nc_perm) != set(current_nc_perm) or set(nc_excl) != set(current_nc_excl):
                 return False
             if nc_perm or nc_excl:
@@ -710,9 +710,9 @@ class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBack
                 aci = None
                 csr_aci = None
                 if self.authority_cert_issuer is not None:
-                    aci = [str(cryptography_get_name(n, 'authority cert issuer')) for n in self.authority_cert_issuer]
+                    aci = [to_text(cryptography_get_name(n, 'authority cert issuer')) for n in self.authority_cert_issuer]
                 if ext.value.authority_cert_issuer is not None:
-                    csr_aci = [str(n) for n in ext.value.authority_cert_issuer]
+                    csr_aci = [to_text(n) for n in ext.value.authority_cert_issuer]
                 return (ext.value.key_identifier == self.authority_key_identifier
                         and csr_aci == aci
                         and ext.value.authority_cert_serial_number == self.authority_cert_serial_number)

plugins/module_utils/crypto/pem.py

@@ -72,3 +72,13 @@ def split_pem_list(text, keep_inbetween=False):
                     result.append(''.join(current))
                     current = [] if keep_inbetween else None
     return result
+
+
+def extract_first_pem(text):
+    '''
+    Given one PEM or multiple concatenated PEM objects, return only the first one, or None if there is none.
+    '''
+    all_pems = split_pem_list(text)
+    if not all_pems:
+        return None
+    return all_pems[0]

plugins/module_utils/crypto/pyopenssl_support.py

@@ -21,10 +21,12 @@ __metaclass__ = type
 
 import base64
 
-from ansible.module_utils.common.text.converters import to_bytes, to_text
+from ansible.module_utils.common.text.converters import to_bytes, to_text, to_native
 
 from ansible_collections.community.crypto.plugins.module_utils.compat import ipaddress as compat_ipaddress
 
+from ._objects import OID_LOOKUP
+
 try:
     import OpenSSL
 except ImportError:
@@ -87,6 +89,7 @@ def pyopenssl_get_extensions_from_cert(cert):
             critical=bool(ext.get_critical()),
             value=base64.b64encode(ext.get_data()),
         )
+        try:
             oid = obj2txt(
                 OpenSSL._util.lib,
                 OpenSSL._util.ffi,
@@ -99,6 +102,12 @@ def pyopenssl_get_extensions_from_cert(cert):
             # Unfortunately this gives the wrong result in case the linked OpenSSL
             # doesn't know the OID. That's why we have to get the OID dotted string
             # similarly to how cryptography does it.
+        except AttributeError:
+            # When PyOpenSSL is used with cryptography >= 35.0.0, obj2txt cannot be used.
+            # We try to figure out the OID with our internal lookup table, and if we fail,
+            # we use the short name OpenSSL returns.
+            oid = to_native(ext.get_short_name())
+            oid = OID_LOOKUP.get(oid, oid)
         result[oid] = entry
     return result
 
@@ -113,6 +122,7 @@ def pyopenssl_get_extensions_from_csr(csr):
             critical=bool(ext.get_critical()),
             value=base64.b64encode(ext.get_data()),
         )
+        try:
             oid = obj2txt(
                 OpenSSL._util.lib,
                 OpenSSL._util.ffi,
@@ -125,6 +135,12 @@ def pyopenssl_get_extensions_from_csr(csr):
             # Unfortunately this gives the wrong result in case the linked OpenSSL
             # doesn't know the OID. That's why we have to get the OID dotted string
             # similarly to how cryptography does it.
+        except AttributeError:
+            # When PyOpenSSL is used with cryptography >= 35.0.0, obj2txt cannot be used.
+            # We try to figure out the OID with our internal lookup table, and if we fail,
+            # we use the short name OpenSSL returns.
+            oid = to_native(ext.get_short_name())
+            oid = OID_LOOKUP.get(oid, oid)
         result[oid] = entry
     return result
 

plugins/module_utils/openssh/backends/common.py

@@ -160,7 +160,8 @@ class KeygenCommand(object):
         self._run_command = module.run_command
 
     def generate_certificate(self, certificate_path, identifier, options, pkcs11_provider, principals,
-                             serial_number, signing_key_path, type, time_parameters, use_agent, **kwargs):
+                             serial_number, signature_algorithm, signing_key_path, type,
+                             time_parameters, use_agent, **kwargs):
         args = [self._bin_path, '-s', signing_key_path, '-P', '', '-I', identifier]
 
         if options:
@@ -178,6 +179,8 @@ class KeygenCommand(object):
             args.extend(['-U'])
         if time_parameters.validity_string:
             args.extend(['-V', time_parameters.validity_string])
+        if signature_algorithm:
+            args.extend(['-t', signature_algorithm])
         args.append(certificate_path)
 
         return self._run_command(args, **kwargs)

plugins/module_utils/openssh/certificate.py

@@ -555,6 +555,11 @@ class OpensshCertificate(object):
     def signing_key(self):
         return to_text(self._cert_info.signing_key_fingerprint())
 
+    @property
+    def signature_type(self):
+        signature_data = OpensshParser.signature_data(self.signature)
+        return to_text(signature_data['signature_type'])
+
     @staticmethod
     def _parse_cert_info(pub_key_type, parser):
         cert_info = get_cert_info_object(pub_key_type)

plugins/module_utils/openssh/utils.py

@@ -201,8 +201,9 @@ class OpensshParser(object):
         signature_blob = parser.string()
 
         blob_parser = cls(signature_blob)
-        if signature_type == b'ssh-rsa':
+        if signature_type in (b'ssh-rsa', b'rsa-sha2-256', b'rsa-sha2-512'):
             # https://datatracker.ietf.org/doc/html/rfc4253#section-6.6
+            # https://datatracker.ietf.org/doc/html/rfc8332#section-3
             signature_data['s'] = cls._big_int(signature_blob, "big")
         elif signature_type == b'ssh-dss':
             # https://datatracker.ietf.org/doc/html/rfc4253#section-6.6

plugins/modules/acme_challenge_cert_helper.py

@@ -202,7 +202,10 @@ def main():
         ),
     )
     if not HAS_CRYPTOGRAPHY:
+        # Some callbacks die when exception is provided with value None
+        if CRYPTOGRAPHY_IMP_ERR:
             module.fail_json(msg=missing_required_lib('cryptography >= 1.3'), exception=CRYPTOGRAPHY_IMP_ERR)
+        module.fail_json(msg=missing_required_lib('cryptography >= 1.3'))
 
     try:
         # Get parameters

plugins/modules/luks_device.py

@@ -356,6 +356,34 @@ LUKS_NAME_REGEX = re.compile(r'\s*crypt\s+([^\s]*)\s*')
 LUKS_DEVICE_REGEX = re.compile(r'\s*device:\s+([^\s]*)\s*')
 
 
+# See https://gitlab.com/cryptsetup/cryptsetup/-/wikis/LUKS-standard/on-disk-format.pdf
+LUKS_HEADER = b'LUKS\xba\xbe'
+LUKS_HEADER_L = 6
+# See https://gitlab.com/cryptsetup/LUKS2-docs/-/blob/master/luks2_doc_wip.pdf
+LUKS2_HEADER_OFFSETS = [0x4000, 0x8000, 0x10000, 0x20000, 0x40000, 0x80000, 0x100000, 0x200000, 0x400000]
+LUKS2_HEADER2 = b'SKUL\xba\xbe'
+
+
+def wipe_luks_headers(device):
+    wipe_offsets = []
+    with open(device, 'rb') as f:
+        # f.seek(0)
+        data = f.read(LUKS_HEADER_L)
+        if data == LUKS_HEADER:
+            wipe_offsets.append(0)
+        for offset in LUKS2_HEADER_OFFSETS:
+            f.seek(offset)
+            data = f.read(LUKS_HEADER_L)
+            if data == LUKS2_HEADER2:
+                wipe_offsets.append(offset)
+
+    if wipe_offsets:
+        with open(device, 'wb') as f:
+            for offset in wipe_offsets:
+                f.seek(offset)
+                f.write(b'\x00\x00\x00\x00\x00\x00')
+
+
 class Handler(object):
 
     def __init__(self, module):
@@ -515,9 +543,17 @@ class CryptHandler(Handler):
             self.run_luks_close(name)
         result = self._run_command([wipefs_bin, '--all', device])
         if result[RETURN_CODE] != 0:
-            raise ValueError('Error while wiping luks container %s: %s'
+            raise ValueError('Error while wiping LUKS container signatures for %s: %s'
                              % (device, result[STDERR]))
 
+        # For LUKS2, sometimes both `cryptsetup erase` and `wipefs` do **not**
+        # erase all LUKS signatures (they seem to miss the second header). That's
+        # why we do it ourselves here.
+        try:
+            wipe_luks_headers(device)
+        except Exception as exc:
+            raise ValueError('Error while wiping LUKS container signatures for %s: %s' % (device, exc))
+
     def run_luks_add_key(self, device, keyfile, passphrase, new_keyfile,
                          new_passphrase, pbkdf):
         ''' Add new key from a keyfile or passphrase to given 'device';

plugins/modules/openssh_cert.py

@@ -49,7 +49,7 @@ options:
             - When C(fail) the task will fail if a certificate already exists at I(path) and does not
               match the module's options.
             - When C(partial_idempotence) an existing certificate will be regenerated based on
-              I(serial), I(type), I(valid_from), I(valid_to), I(valid_at), and I(principals).
+              I(serial), I(signature_algorithm), I(type), I(valid_from), I(valid_to), I(valid_at), and I(principals).
             - When C(full_idempotence) I(identifier), I(options), I(public_key), and I(signing_key)
               are also considered when compared against an existing certificate.
             - C(always) is equivalent to I(force=true).
@@ -62,6 +62,26 @@ options:
             - always
         default: partial_idempotence
         version_added: 1.8.0
+    signature_algorithm:
+        description:
+            - As of OpenSSH 8.2 the SHA-1 signature algorithm for RSA keys has been disabled and C(ssh) will refuse
+              host certificates signed with the SHA-1 algorithm. OpenSSH 8.1 made C(rsa-sha2-512) the default algorithm
+              when acting as a CA and signing certificates with a RSA key. However, for OpenSSH versions less than 8.1
+              the SHA-2 signature algorithms, C(rsa-sha2-256) or C(rsa-sha2-512), must be specified using this option
+              if compatibility with newer C(ssh) clients is required. Conversely if hosts using OpenSSH version 8.2
+              or greater must remain compatible with C(ssh) clients using OpenSSH less than 7.2, then C(ssh-rsa)
+              can be used when generating host certificates (a corresponding change to the sshd_config to add C(ssh-rsa)
+              to the C(CASignatureAlgorithms) keyword is also required).
+            - Using any value for this option with a non-RSA I(signing_key) will cause this module to fail.
+            - "Note: OpenSSH versions prior to 7.2 do not support SHA-2 signature algorithms for RSA keys and OpenSSH
+               versions prior to 7.3 do not support SHA-2 signature algorithms for certificates."
+            - See U(https://www.openssh.com/txt/release-8.2) for more information.
+        type: str
+        choices:
+            - ssh-rsa
+            - rsa-sha2-256
+            - rsa-sha2-512
+        version_added: 1.10.0
     signing_key:
         description:
             - The path to the private openssh key that is used for signing the public key in order to generate the certificate.
@@ -269,6 +289,7 @@ class Certificate(OpensshModule):
         self.public_key = self.module.params['public_key']
         self.regenerate = self.module.params['regenerate'] if not self.module.params['force'] else 'always'
         self.serial_number = self.module.params['serial_number']
+        self.signature_algorithm = self.module.params['signature_algorithm']
         self.signing_key = self.module.params['signing_key']
         self.state = self.module.params['state']
         self.type = self.module.params['type']
@@ -366,6 +387,7 @@ class Certificate(OpensshModule):
     def _is_partially_valid(self):
         return all([
             set(self.original_data.principals) == set(self.principals),
+            self.original_data.signature_type == self.signature_algorithm if self.signature_algorithm else True,
             self.original_data.serial == self.serial_number if self.serial_number is not None else True,
             self.original_data.type == self.type,
             self._compare_time_parameters(),
@@ -425,7 +447,7 @@ class Certificate(OpensshModule):
 
         self.ssh_keygen.generate_certificate(
             key_copy, self.identifier, self.options, self.pkcs11_provider, self.principals, self.serial_number,
-            self.signing_key, self.type, self.time_parameters, self.use_agent,
+            self.signature_algorithm, self.signing_key, self.type, self.time_parameters, self.use_agent,
             environ_update=dict(TZ="UTC"), check_rc=True
         )
 
@@ -485,6 +507,8 @@ def get_cert_dict(data):
 
     result = data.to_dict()
     result.pop('nonce')
+    result['signature_algorithm'] = data.signature_type
+
     return result
 
 
@@ -503,6 +527,7 @@ def main():
                 default='partial_idempotence',
                 choices=['never', 'fail', 'partial_idempotence', 'full_idempotence', 'always']
             ),
+            signature_algorithm=dict(type='str', choices=['ssh-rsa', 'rsa-sha2-256', 'rsa-sha2-512']),
             signing_key=dict(type='path'),
             serial_number=dict(type='int'),
             state=dict(type='str', default='present', choices=['absent', 'present']),

tests/integration/targets/acme_account/aliases

@@ -1,2 +1,14 @@
 shippable/cloud/group1
 cloud/acme
+
+# Since skipping below fails miserably with ansible-core 2.11 and earlier, we have to skip all POSIX tests...
+# (https://github.com/ansible/ansible/issues/75711)
+# shippable/posix/group1
+
+# Skip all VMs, since we cannot talk to the ACME simulator from these:
+# (TODO: remove when ansible-core 2.12 is the earliest version we support)
+# skip/aix
+# skip/freebsd
+# skip/macos
+# skip/osx
+# skip/rhel

tests/integration/targets/acme_account/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
   - setup_acme
+  - setup_remote_tmp_dir

tests/integration/targets/acme_account/tasks/impl.yml

@@ -1,9 +1,9 @@
 - block:
   - name: Generate account keys
     openssl_privatekey:
-      path: "{{ output_dir }}/{{ item.name }}.pem"
+      path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
-      passphrase: "{{ item.pass | default(omit, true) }}"
+      passphrase: "{{ item.pass | default(omit) | default(omit, true) }}"
-      cipher: "{{ 'auto' if item.pass | default() else omit }}"
+      cipher: "{{ 'auto' if (item.pass | default(false)) else omit }}"
       type: ECC
       curve: secp256r1
       force: true
@@ -11,8 +11,8 @@
 
   - name: Parse account keys (to ease debugging some test failures)
     openssl_privatekey_info:
-      path: "{{ output_dir }}/{{ item.name }}.pem"
+      path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
-      passphrase: "{{ item.pass | default(omit, true) }}"
+      passphrase: "{{ item.pass | default(omit) | default(omit, true) }}"
       return_private_key_data: true
     loop: "{{ account_keys }}"
 
@@ -28,7 +28,7 @@
 - name: Do not try to create account
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -40,7 +40,7 @@
 - name: Create it now (check mode, diff)
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -56,7 +56,7 @@
 - name: Create it now
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -70,7 +70,7 @@
 - name: Create it now (idempotent)
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -81,10 +81,15 @@
     - mailto:example@example.org
   register: account_created_idempotent
 
+- name: Read account key
+  slurp:
+    src: '{{ remote_tmp_dir }}/accountkey.pem'
+  register: slurp
+
 - name: Change email address (check mode, diff)
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_content: "{{ lookup('file', output_dir ~ '/accountkey.pem') }}"
+    account_key_content: "{{ slurp.content | b64decode }}"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -99,7 +104,7 @@
 - name: Change email address
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_content: "{{ lookup('file', output_dir ~ '/accountkey.pem') }}"
+    account_key_content: "{{ slurp.content | b64decode }}"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -112,7 +117,7 @@
 - name: Change email address (idempotent)
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     account_uri: "{{ account_created.account_uri }}"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
@@ -126,7 +131,7 @@
 - name: Cannot access account with wrong URI
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     account_uri: "{{ account_created.account_uri ~ '12345thisdoesnotexist' }}"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
@@ -139,7 +144,7 @@
 - name: Clear contact email addresses (check mode, diff)
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -153,7 +158,7 @@
 - name: Clear contact email addresses
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -165,7 +170,7 @@
 - name: Clear contact email addresses (idempotent)
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -177,11 +182,11 @@
 - name: Change account key (check mode, diff)
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
-    new_account_key_src: "{{ output_dir }}/accountkey2.pem"
+    new_account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
     new_account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
     state: changed_key
     contact:
@@ -193,11 +198,11 @@
 - name: Change account key
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
-    new_account_key_src: "{{ output_dir }}/accountkey2.pem"
+    new_account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
     new_account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
     state: changed_key
     contact:
@@ -207,7 +212,7 @@
 - name: Deactivate account (check mode, diff)
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey2.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
     account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
@@ -220,7 +225,7 @@
 - name: Deactivate account
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey2.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
     account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
@@ -231,7 +236,7 @@
 - name: Deactivate account (idempotent)
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey2.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
     account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
@@ -242,7 +247,7 @@
 - name: Do not try to create account II
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey2.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
     account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
@@ -255,7 +260,7 @@
 - name: Do not try to create account III
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -267,7 +272,7 @@
 - name: Create account with External Account Binding
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/{{ item.account }}.pem"
+    account_key_src: "{{ remote_tmp_dir }}/{{ item.account }}.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no

tests/integration/targets/acme_account/tasks/main.yml

@@ -17,12 +17,12 @@
 
 - name: Remove output directory
   file:
-    path: "{{ output_dir }}"
+    path: "{{ remote_tmp_dir }}"
     state: absent
 
 - name: Re-create output directory
   file:
-    path: "{{ output_dir }}"
+    path: "{{ remote_tmp_dir }}"
     state: directory
 
 - block:

tests/integration/targets/acme_account_info/aliases

@@ -1,2 +1,14 @@
 shippable/cloud/group1
 cloud/acme
+
+# Since skipping below fails miserably with ansible-core 2.11 and earlier, we have to skip all POSIX tests...
+# (https://github.com/ansible/ansible/issues/75711)
+# shippable/posix/group1
+
+# Skip all VMs, since we cannot talk to the ACME simulator from these:
+# (TODO: remove when ansible-core 2.12 is the earliest version we support)
+# skip/aix
+# skip/freebsd
+# skip/macos
+# skip/osx
+# skip/rhel

tests/integration/targets/acme_account_info/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
   - setup_acme
+  - setup_remote_tmp_dir

tests/integration/targets/acme_account_info/tasks/impl.yml

@@ -2,7 +2,7 @@
 - block:
   - name: Generate account keys
     openssl_privatekey:
-      path: "{{ output_dir }}/{{ item }}.pem"
+      path: "{{ remote_tmp_dir }}/{{ item }}.pem"
       type: ECC
       curve: secp256r1
       force: true
@@ -10,7 +10,7 @@
 
   - name: Parse account keys (to ease debugging some test failures)
     openssl_privatekey_info:
-      path: "{{ output_dir }}/{{ item }}.pem"
+      path: "{{ remote_tmp_dir }}/{{ item }}.pem"
       return_private_key_data: true
     loop: "{{ account_keys }}"
 
@@ -22,7 +22,7 @@
 - name: Check that account does not exist
   acme_account_info:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -31,7 +31,7 @@
 - name: Create it now
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -44,16 +44,21 @@
 - name: Check that account exists
   acme_account_info:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
   register: account_created
 
+- name: Read account key
+  slurp:
+    src: '{{ remote_tmp_dir }}/accountkey.pem'
+  register: slurp
+
 - name: Clear email address
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_content: "{{ lookup('file', output_dir ~ '/accountkey.pem') }}"
+    account_key_content: "{{ slurp.content | b64decode }}"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -64,7 +69,7 @@
 - name: Check that account was modified
   acme_account_info:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -74,7 +79,7 @@
 - name: Check with wrong account URI
   acme_account_info:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -84,7 +89,7 @@
 - name: Check with wrong account key
   acme_account_info:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey2.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no

tests/integration/targets/acme_account_info/tasks/main.yml

@@ -17,12 +17,12 @@
 
 - name: Remove output directory
   file:
-    path: "{{ output_dir }}"
+    path: "{{ remote_tmp_dir }}"
     state: absent
 
 - name: Re-create output directory
   file:
-    path: "{{ output_dir }}"
+    path: "{{ remote_tmp_dir }}"
     state: directory
 
 - block:

tests/integration/targets/acme_certificate/aliases

@@ -1,2 +1,14 @@
 shippable/cloud/group1
 cloud/acme
+
+# Since skipping below fails miserably with ansible-core 2.11 and earlier, we have to skip all POSIX tests...
+# (https://github.com/ansible/ansible/issues/75711)
+# shippable/posix/group1
+
+# Skip all VMs, since we cannot talk to the ACME simulator from these:
+# (TODO: remove when ansible-core 2.12 is the earliest version we support)
+# skip/aix
+# skip/freebsd
+# skip/macos
+# skip/osx
+# skip/rhel

tests/integration/targets/acme_certificate/meta/main.yml

@@ -1,2 +1,5 @@
 dependencies:
   - setup_acme
+  - setup_pyopenssl  # needed for Ubuntu 16.04
+  - setup_remote_tmp_dir
+  - prepare_jinja2_compat

tests/integration/targets/acme_certificate/tasks/impl.yml

@@ -3,7 +3,7 @@
 - block:
   - name: Generate account keys
     openssl_privatekey:
-      path: "{{ output_dir }}/{{ item.name }}.pem"
+      path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
       type: "{{ item.type }}"
       size: "{{ item.size | default(omit) }}"
       curve: "{{ item.curve | default(omit) }}"
@@ -28,15 +28,19 @@
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
-    account_key_src: "{{ output_dir }}/account-ec256.pem"
+    account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
     state: absent
+- name: Read account key (EC384)
+  slurp:
+    src: '{{ remote_tmp_dir }}/account-ec384.pem'
+  register: slurp
 - name: Create ECC384 account
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
-    account_key_content: "{{ lookup('file', output_dir ~ '/account-ec384.pem') }}"
+    account_key_content: "{{ slurp.content | b64decode }}"
     state: present
     allow_creation: yes
     terms_agreed: yes
@@ -49,7 +53,7 @@
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
-    account_key_src: "{{ output_dir }}/account-rsa.pem"
+    account_key_src: "{{ remote_tmp_dir }}/account-rsa.pem"
     state: present
     allow_creation: yes
     terms_agreed: yes
@@ -115,6 +119,10 @@
   set_fact:
     cert_2_obtain_results: "{{ certificate_obtain_result }}"
     cert_2_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
+- name: Read account key (RSA)
+  slurp:
+    src: '{{ remote_tmp_dir }}/account-rsa.pem'
+  register: slurp_account_key
 - name: Obtain cert 3
   include_tasks: obtain-cert.yml
   vars:
@@ -123,7 +131,7 @@
     key_type: ec384
     subject_alt_name: "DNS:*.example.com,DNS:example.org,DNS:t1.example.com"
     subject_alt_name_critical: no
-    account_key_content: "{{ lookup('file', output_dir ~ '/account-rsa.pem') }}"
+    account_key_content: "{{ slurp_account_key.content | b64decode }}"
     challenge: dns-01
     modify_account: no
     deactivate_authzs: no
@@ -231,6 +239,10 @@
   set_fact:
     cert_5_recreate_2: "{{ challenge_data is changed }}"
     cert_5c_obtain_results: "{{ certificate_obtain_result }}"
+- name: Read account key (EC384)
+  slurp:
+    src: '{{ remote_tmp_dir }}/account-ec384.pem'
+  register: slurp_account_key
 - name: Obtain cert 5 (should again by force)
   include_tasks: obtain-cert.yml
   vars:
@@ -239,7 +251,7 @@
     key_type: ec521
     subject_alt_name: "DNS:t2.example.com"
     subject_alt_name_critical: no
-    account_key_content: "{{ lookup('file', output_dir ~ '/account-ec384.pem') }}"
+    account_key_content: "{{ slurp_account_key.content | b64decode }}"
     challenge: http-01
     modify_account: no
     deactivate_authzs: yes
@@ -252,6 +264,7 @@
   set_fact:
     cert_5_recreate_3: "{{ challenge_data is changed }}"
     cert_5d_obtain_results: "{{ certificate_obtain_result }}"
+- block:
   - name: Obtain cert 6
     include_tasks: obtain-cert.yml
     vars:
@@ -284,6 +297,8 @@
     set_fact:
       cert_6_obtain_results: "{{ certificate_obtain_result }}"
       cert_6_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
+  when: acme_intermediates[0].subject_key_identifier is defined
+- block:
   - name: Obtain cert 7
     include_tasks: obtain-cert.yml
     vars:
@@ -312,6 +327,8 @@
     set_fact:
       cert_7_obtain_results: "{{ certificate_obtain_result }}"
       cert_7_alternate: "{{ 2 if select_crypto_backend == 'cryptography' else 0 }}"
+  when: acme_roots[2].subject_key_identifier is defined
+- block:
   - name: Obtain cert 8
     include_tasks: obtain-cert.yml
     vars:
@@ -338,103 +355,113 @@
     set_fact:
       cert_8_obtain_results: "{{ certificate_obtain_result }}"
       cert_8_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
+  when: cryptography_version.stdout is version('1.3', '>=')
 ## DISSECT CERTIFICATES #######################################################################
 # Make sure certificates are valid. Root certificate for Pebble equals the chain certificate.
 - name: Verifying cert 1
-  command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-1-root.pem" -untrusted "{{ output_dir }}/cert-1-chain.pem" "{{ output_dir }}/cert-1.pem"'
+  command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-1-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-1-chain.pem" "{{ remote_tmp_dir }}/cert-1.pem"'
   ignore_errors: yes
   register: cert_1_valid
 - name: Verifying cert 2
-  command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-2-root.pem" -untrusted "{{ output_dir }}/cert-2-chain.pem" "{{ output_dir }}/cert-2.pem"'
+  command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-2-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-2-chain.pem" "{{ remote_tmp_dir }}/cert-2.pem"'
   ignore_errors: yes
   register: cert_2_valid
 - name: Verifying cert 3
-  command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-3-root.pem" -untrusted "{{ output_dir }}/cert-3-chain.pem" "{{ output_dir }}/cert-3.pem"'
+  command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-3-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-3-chain.pem" "{{ remote_tmp_dir }}/cert-3.pem"'
   ignore_errors: yes
   register: cert_3_valid
 - name: Verifying cert 4
-  command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-4-root.pem" -untrusted "{{ output_dir }}/cert-4-chain.pem" "{{ output_dir }}/cert-4.pem"'
+  command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-4-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-4-chain.pem" "{{ remote_tmp_dir }}/cert-4.pem"'
   ignore_errors: yes
   register: cert_4_valid
 - name: Verifying cert 5
-  command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-5-root.pem" -untrusted "{{ output_dir }}/cert-5-chain.pem" "{{ output_dir }}/cert-5.pem"'
+  command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-5-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-5-chain.pem" "{{ remote_tmp_dir }}/cert-5.pem"'
   ignore_errors: yes
   register: cert_5_valid
 - name: Verifying cert 6
-  command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-6-root.pem" -untrusted "{{ output_dir }}/cert-6-chain.pem" "{{ output_dir }}/cert-6.pem"'
+  command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-6-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-6-chain.pem" "{{ remote_tmp_dir }}/cert-6.pem"'
   ignore_errors: yes
   register: cert_6_valid
+  when: acme_intermediates[0].subject_key_identifier is defined
 - name: Verifying cert 7
-  command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-7-root.pem" -untrusted "{{ output_dir }}/cert-7-chain.pem" "{{ output_dir }}/cert-7.pem"'
+  command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-7-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-7-chain.pem" "{{ remote_tmp_dir }}/cert-7.pem"'
   ignore_errors: yes
   register: cert_7_valid
+  when: acme_roots[2].subject_key_identifier is defined
 - name: Verifying cert 8
-  command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-8-root.pem" -untrusted "{{ output_dir }}/cert-8-chain.pem" "{{ output_dir }}/cert-8.pem"'
+  command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-8-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-8-chain.pem" "{{ remote_tmp_dir }}/cert-8.pem"'
   ignore_errors: yes
   register: cert_8_valid
+  when: cryptography_version.stdout is version('1.3', '>=')
 # Dump certificate info
 - name: Dumping cert 1
-  command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-1.pem" -noout -text'
+  command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-1.pem" -noout -text'
   register: cert_1_text
 - name: Dumping cert 2
-  command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-2.pem" -noout -text'
+  command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-2.pem" -noout -text'
   register: cert_2_text
 - name: Dumping cert 3
-  command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-3.pem" -noout -text'
+  command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-3.pem" -noout -text'
   register: cert_3_text
 - name: Dumping cert 4
-  command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-4.pem" -noout -text'
+  command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-4.pem" -noout -text'
   register: cert_4_text
 - name: Dumping cert 5
-  command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-5.pem" -noout -text'
+  command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-5.pem" -noout -text'
   register: cert_5_text
 - name: Dumping cert 6
-  command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-6.pem" -noout -text'
+  command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-6.pem" -noout -text'
   register: cert_6_text
+  when: acme_intermediates[0].subject_key_identifier is defined
 - name: Dumping cert 7
-  command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-7.pem" -noout -text'
+  command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-7.pem" -noout -text'
   register: cert_7_text
+  when: acme_roots[2].subject_key_identifier is defined
 - name: Dumping cert 8
-  command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-8.pem" -noout -text'
+  command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-8.pem" -noout -text'
   register: cert_8_text
+  when: cryptography_version.stdout is version('1.3', '>=')
 # Dump certificate info
 - name: Dumping cert 1
   x509_certificate_info:
-    path: "{{ output_dir }}/cert-1.pem"
+    path: "{{ remote_tmp_dir }}/cert-1.pem"
   register: cert_1_info
 - name: Dumping cert 2
   x509_certificate_info:
-    path: "{{ output_dir }}/cert-2.pem"
+    path: "{{ remote_tmp_dir }}/cert-2.pem"
   register: cert_2_info
 - name: Dumping cert 3
   x509_certificate_info:
-    path: "{{ output_dir }}/cert-3.pem"
+    path: "{{ remote_tmp_dir }}/cert-3.pem"
   register: cert_3_info
 - name: Dumping cert 4
   x509_certificate_info:
-    path: "{{ output_dir }}/cert-4.pem"
+    path: "{{ remote_tmp_dir }}/cert-4.pem"
   register: cert_4_info
 - name: Dumping cert 5
   x509_certificate_info:
-    path: "{{ output_dir }}/cert-5.pem"
+    path: "{{ remote_tmp_dir }}/cert-5.pem"
   register: cert_5_info
 - name: Dumping cert 6
   x509_certificate_info:
-    path: "{{ output_dir }}/cert-6.pem"
+    path: "{{ remote_tmp_dir }}/cert-6.pem"
   register: cert_6_info
+  when: acme_intermediates[0].subject_key_identifier is defined
 - name: Dumping cert 7
   x509_certificate_info:
-    path: "{{ output_dir }}/cert-7.pem"
+    path: "{{ remote_tmp_dir }}/cert-7.pem"
   register: cert_7_info
+  when: acme_roots[2].subject_key_identifier is defined
 - name: Dumping cert 8
   x509_certificate_info:
-    path: "{{ output_dir }}/cert-8.pem"
+    path: "{{ remote_tmp_dir }}/cert-8.pem"
   register: cert_8_info
+  when: cryptography_version.stdout is version('1.3', '>=')
 ## GET ACCOUNT ORDERS #########################################################################
 - name: Don't retrieve orders
   acme_account_info:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/account-ec256.pem"
+    account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -443,7 +470,7 @@
 - name: Retrieve orders as URL list (1/2)
   acme_account_info:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/account-ec256.pem"
+    account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -452,7 +479,7 @@
 - name: Retrieve orders as URL list (2/2)
   acme_account_info:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/account-ec384.pem"
+    account_key_src: "{{ remote_tmp_dir }}/account-ec384.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -461,7 +488,7 @@
 - name: Retrieve orders as object list (1/2)
   acme_account_info:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/account-ec256.pem"
+    account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -470,7 +497,7 @@
 - name: Retrieve orders as object list (2/2)
   acme_account_info:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/account-ec384.pem"
+    account_key_src: "{{ remote_tmp_dir }}/account-ec384.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no

tests/integration/targets/acme_certificate/tasks/main.yml

@@ -8,38 +8,48 @@
   - name: Obtain root and intermediate certificates
     get_url:
       url: "http://{{ acme_host }}:5000/{{ item.0 }}-certificate-for-ca/{{ item.1 }}"
-      dest: "{{ output_dir }}/acme-{{ item.0 }}-{{ item.1 }}.pem"
+      dest: "{{ remote_tmp_dir }}/acme-{{ item.0 }}-{{ item.1 }}.pem"
     loop: "{{ query('nested', types, root_numbers) }}"
 
   - name: Analyze root certificates
     x509_certificate_info:
-      path: "{{ output_dir }}/acme-root-{{ item }}.pem"
+      path: "{{ remote_tmp_dir }}/acme-root-{{ item }}.pem"
     loop: "{{ root_numbers }}"
     register: acme_roots
 
   - name: Analyze intermediate certificates
     x509_certificate_info:
-      path: "{{ output_dir }}/acme-intermediate-{{ item }}.pem"
+      path: "{{ remote_tmp_dir }}/acme-intermediate-{{ item }}.pem"
     loop: "{{ root_numbers }}"
     register: acme_intermediates
 
-  - set_fact:
+  - name: Read root certificates
-      x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}"
+    slurp:
-      y__: "{{ lookup('file', output_dir ~ '/acme-root-' ~ item.item ~ '.pem', rstrip=False) }}"
+      src: "{{ remote_tmp_dir ~ '/acme-root-' ~ item ~ '.pem' }}"
-    loop: "{{ acme_roots.results }}"
+    loop: "{{ root_numbers }}"
-    register: acme_roots_tmp
+    register: slurp_roots
+
+  - set_fact:
+      x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}"
+    loop: "{{ acme_roots.results }}"
+    register: acme_roots_tmp
+
+  - name: Read intermediate certificates
+    slurp:
+      src: "{{ remote_tmp_dir ~ '/acme-intermediate-' ~ item ~ '.pem' }}"
+    loop: "{{ root_numbers }}"
+    register: slurp_intermediates
 
   - set_fact:
       x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}"
-      y__: "{{ lookup('file', output_dir ~ '/acme-intermediate-' ~ item.item ~ '.pem', rstrip=False) }}"
     loop: "{{ acme_intermediates.results }}"
     register: acme_intermediates_tmp
 
   - set_fact:
       acme_roots: "{{ acme_roots_tmp.results | map(attribute='ansible_facts.x__') | list }}"
-      acme_root_certs: "{{ acme_roots_tmp.results | map(attribute='ansible_facts.y__') | list }}"
+      acme_root_certs: "{{ slurp_roots.results | map(attribute='content') | map('b64decode') | list }}"
       acme_intermediates: "{{ acme_intermediates_tmp.results | map(attribute='ansible_facts.x__') | list }}"
-      acme_intermediate_certs: "{{ acme_intermediates_tmp.results | map(attribute='ansible_facts.y__') | list }}"
+      acme_intermediate_certs: "{{ slurp_intermediates.results | map(attribute='content') | map('b64decode') | list }}"
 
   vars:
     types:
@@ -88,12 +98,12 @@
 
 - name: Remove output directory
   file:
-    path: "{{ output_dir }}"
+    path: "{{ remote_tmp_dir }}"
     state: absent
 
 - name: Re-create output directory
   file:
-    path: "{{ output_dir }}"
+    path: "{{ remote_tmp_dir }}"
     state: directory
 
 - block:

tests/integration/targets/acme_certificate/tests/validate.yml

@@ -7,6 +7,14 @@
   assert:
     that:
       - "'DNS:example.com' in cert_1_text.stdout"
+- name: Read certificate 1 files
+  slurp:
+    src: '{{ remote_tmp_dir }}/{{ item }}'
+  loop:
+    - cert-1.pem
+    - cert-1-chain.pem
+    - cert-1-fullchain.pem
+  register: slurp
 - name: Check that certificate 1 retrieval got all chains
   assert:
     that:
@@ -15,9 +23,9 @@
       - "'cert' in cert_1_obtain_results.all_chains[cert_1_alternate | int]"
       - "'chain' in cert_1_obtain_results.all_chains[cert_1_alternate | int]"
       - "'full_chain' in cert_1_obtain_results.all_chains[cert_1_alternate | int]"
-      - "lookup('file', output_dir ~ '/cert-1.pem', rstrip=False) == cert_1_obtain_results.all_chains[cert_1_alternate | int].cert"
+      - "(slurp.results[0].content | b64decode) == cert_1_obtain_results.all_chains[cert_1_alternate | int].cert"
-      - "lookup('file', output_dir ~ '/cert-1-chain.pem', rstrip=False) == cert_1_obtain_results.all_chains[cert_1_alternate | int].chain"
+      - "(slurp.results[1].content | b64decode) == cert_1_obtain_results.all_chains[cert_1_alternate | int].chain"
-      - "lookup('file', output_dir ~ '/cert-1-fullchain.pem', rstrip=False) == cert_1_obtain_results.all_chains[cert_1_alternate | int].full_chain"
+      - "(slurp.results[2].content | b64decode) == cert_1_obtain_results.all_chains[cert_1_alternate | int].full_chain"
 
 - name: Check that certificate 2 is valid
   assert:
@@ -28,6 +36,14 @@
     that:
       - "'DNS:*.example.com' in cert_2_text.stdout"
       - "'DNS:example.com' in cert_2_text.stdout"
+- name: Read certificate 2 files
+  slurp:
+    src: '{{ remote_tmp_dir }}/{{ item }}'
+  loop:
+    - cert-2.pem
+    - cert-2-chain.pem
+    - cert-2-fullchain.pem
+  register: slurp
 - name: Check that certificate 1 retrieval got all chains
   assert:
     that:
@@ -36,9 +52,9 @@
       - "'cert' in cert_2_obtain_results.all_chains[cert_2_alternate | int]"
       - "'chain' in cert_2_obtain_results.all_chains[cert_2_alternate | int]"
       - "'full_chain' in cert_2_obtain_results.all_chains[cert_2_alternate | int]"
-      - "lookup('file', output_dir ~ '/cert-2.pem', rstrip=False) == cert_2_obtain_results.all_chains[cert_2_alternate | int].cert"
+      - "(slurp.results[0].content | b64decode) == cert_2_obtain_results.all_chains[cert_2_alternate | int].cert"
-      - "lookup('file', output_dir ~ '/cert-2-chain.pem', rstrip=False) == cert_2_obtain_results.all_chains[cert_2_alternate | int].chain"
+      - "(slurp.results[1].content | b64decode) == cert_2_obtain_results.all_chains[cert_2_alternate | int].chain"
-      - "lookup('file', output_dir ~ '/cert-2-fullchain.pem', rstrip=False) == cert_2_obtain_results.all_chains[cert_2_alternate | int].full_chain"
+      - "(slurp.results[2].content | b64decode) == cert_2_obtain_results.all_chains[cert_2_alternate | int].full_chain"
 
 - name: Check that certificate 3 is valid
   assert:
@@ -50,6 +66,14 @@
       - "'DNS:*.example.com' in cert_3_text.stdout"
       - "'DNS:example.org' in cert_3_text.stdout"
       - "'DNS:t1.example.com' in cert_3_text.stdout"
+- name: Read certificate 3 files
+  slurp:
+    src: '{{ remote_tmp_dir }}/{{ item }}'
+  loop:
+    - cert-3.pem
+    - cert-3-chain.pem
+    - cert-3-fullchain.pem
+  register: slurp
 - name: Check that certificate 1 retrieval got all chains
   assert:
     that:
@@ -58,9 +82,9 @@
       - "'cert' in cert_3_obtain_results.all_chains[cert_3_alternate | int]"
       - "'chain' in cert_3_obtain_results.all_chains[cert_3_alternate | int]"
       - "'full_chain' in cert_3_obtain_results.all_chains[cert_3_alternate | int]"
-      - "lookup('file', output_dir ~ '/cert-3.pem', rstrip=False) == cert_3_obtain_results.all_chains[cert_3_alternate | int].cert"
+      - "(slurp.results[0].content | b64decode) == cert_3_obtain_results.all_chains[cert_3_alternate | int].cert"
-      - "lookup('file', output_dir ~ '/cert-3-chain.pem', rstrip=False) == cert_3_obtain_results.all_chains[cert_3_alternate | int].chain"
+      - "(slurp.results[1].content | b64decode) == cert_3_obtain_results.all_chains[cert_3_alternate | int].chain"
-      - "lookup('file', output_dir ~ '/cert-3-fullchain.pem', rstrip=False) == cert_3_obtain_results.all_chains[cert_3_alternate | int].full_chain"
+      - "(slurp.results[2].content | b64decode) == cert_3_obtain_results.all_chains[cert_3_alternate | int].full_chain"
 
 - name: Check that certificate 4 is valid
   assert:
@@ -100,6 +124,7 @@
     that:
       - cert_5_recreate_3 == True
 
+- block:
   - name: Check that certificate 6 is valid
     assert:
       that:
@@ -108,6 +133,29 @@
     assert:
       that:
         - "'DNS:example.org' in cert_6_text.stdout"
+  when: acme_intermediates[0].subject_key_identifier is defined
+
+- block:
+  - name: Check that certificate 7 is valid
+    assert:
+      that:
+        - cert_7_valid is not failed
+  - name: Check that certificate 7 contains correct SANs
+    assert:
+      that:
+        - "'IP Address:127.0.0.1' in cert_8_text.stdout or 'IP:127.0.0.1' in cert_8_text.stdout"
+  when: acme_roots[2].subject_key_identifier is defined
+
+- block:
+  - name: Check that certificate 8 is valid
+    assert:
+      that:
+        - cert_8_valid is not failed
+  - name: Check that certificate 8 contains correct SANs
+    assert:
+      that:
+        - "'IP Address:127.0.0.1' in cert_8_text.stdout or 'IP:127.0.0.1' in cert_8_text.stdout"
+  when: cryptography_version.stdout is version('1.3', '>=')
 
 - name: Validate that orders were not retrieved
   assert:

tests/integration/targets/acme_certificate_revoke/aliases

@@ -1,2 +1,14 @@
 shippable/cloud/group1
 cloud/acme
+
+# Since skipping below fails miserably with ansible-core 2.11 and earlier, we have to skip all POSIX tests...
+# (https://github.com/ansible/ansible/issues/75711)
+# shippable/posix/group1
+
+# Skip all VMs, since we cannot talk to the ACME simulator from these:
+# (TODO: remove when ansible-core 2.12 is the earliest version we support)
+# skip/aix
+# skip/freebsd
+# skip/macos
+# skip/osx
+# skip/rhel

tests/integration/targets/acme_certificate_revoke/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
   - setup_acme
+  - setup_remote_tmp_dir

tests/integration/targets/acme_certificate_revoke/tasks/impl.yml

@@ -3,7 +3,7 @@
 - block:
   - name: Generate account keys
     openssl_privatekey:
-      path: "{{ output_dir }}/{{ item.name }}.pem"
+      path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
       type: "{{ item.type }}"
       size: "{{ item.size | default(omit) }}"
       curve: "{{ item.curve | default(omit) }}"
@@ -22,6 +22,10 @@
         type: RSA
         size: "{{ default_rsa_key_size }}"
 ## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
+- name: Read account key (EC256)
+  slurp:
+    src: '{{ remote_tmp_dir }}/account-ec256.pem'
+  register: slurp_account_key
 - name: Obtain cert 1
   include_tasks: obtain-cert.yml
   vars:
@@ -31,7 +35,7 @@
     rsa_bits: "{{ default_rsa_key_size }}"
     subject_alt_name: "DNS:example.com"
     subject_alt_name_critical: no
-    account_key_content: "{{ lookup('file', output_dir ~ '/account-ec256.pem') }}"
+    account_key_content: "{{ slurp_account_key.content | b64decode }}"
     challenge: http-01
     modify_account: yes
     deactivate_authzs: no
@@ -76,8 +80,8 @@
 - name: Revoke certificate 1 via account key
   acme_certificate_revoke:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/account-ec256.pem"
+    account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
-    certificate: "{{ output_dir }}/cert-1.pem"
+    certificate: "{{ remote_tmp_dir }}/cert-1.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -86,19 +90,23 @@
 - name: Revoke certificate 2 via certificate private key
   acme_certificate_revoke:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    private_key_src: "{{ output_dir }}/cert-2.key"
+    private_key_src: "{{ remote_tmp_dir }}/cert-2.key"
     private_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
-    certificate: "{{ output_dir }}/cert-2.pem"
+    certificate: "{{ remote_tmp_dir }}/cert-2.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
   ignore_errors: yes
   register: cert_2_revoke
+- name: Read account key (RSA)
+  slurp:
+    src: '{{ remote_tmp_dir }}/account-rsa.pem'
+  register: slurp_account_key
 - name: Revoke certificate 3 via account key (fullchain)
   acme_certificate_revoke:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_content: "{{ lookup('file', output_dir ~ '/account-rsa.pem') }}"
+    account_key_content: "{{ slurp_account_key.content | b64decode }}"
-    certificate: "{{ output_dir }}/cert-3-fullchain.pem"
+    certificate: "{{ remote_tmp_dir }}/cert-3-fullchain.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no

tests/integration/targets/acme_certificate_revoke/tasks/main.yml

@@ -17,12 +17,12 @@
 
 - name: Remove output directory
   file:
-    path: "{{ output_dir }}"
+    path: "{{ remote_tmp_dir }}"
     state: absent
 
 - name: Re-create output directory
   file:
-    path: "{{ output_dir }}"
+    path: "{{ remote_tmp_dir }}"
     state: directory
 
 - block:

tests/integration/targets/acme_challenge_cert_helper/aliases

@@ -1,2 +1,14 @@
 shippable/cloud/group1
 cloud/acme
+
+# Since skipping below fails miserably with ansible-core 2.11 and earlier, we have to skip all POSIX tests...
+# (https://github.com/ansible/ansible/issues/75711)
+# shippable/posix/group1
+
+# Skip all VMs, since we cannot talk to the ACME simulator from these:
+# (TODO: remove when ansible-core 2.12 is the earliest version we support)
+# skip/aix
+# skip/freebsd
+# skip/macos
+# skip/osx
+# skip/rhel

tests/integration/targets/acme_challenge_cert_helper/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
   - setup_acme
+  - setup_remote_tmp_dir

tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml

@@ -7,7 +7,7 @@
 - block:
   - name: Generate ECC256 accoun keys
     openssl_privatekey:
-      path: "{{ output_dir }}/account-ec256.pem"
+      path: "{{ remote_tmp_dir }}/account-ec256.pem"
       type: ECC
       curve: secp256r1
       force: true
@@ -31,4 +31,4 @@
       terms_agreed: yes
       account_email: "example@example.org"
 
-  when: openssl_version.stdout is version('1.0.0', '>=') or cryptography_version.stdout is version('1.5', '>=')
+  when: cryptography_version.stdout is version('1.5', '>=')

tests/integration/targets/acme_inspect/aliases

@@ -1,2 +1,14 @@
 shippable/cloud/group1
 cloud/acme
+
+# Since skipping below fails miserably with ansible-core 2.11 and earlier, we have to skip all POSIX tests...
+# (https://github.com/ansible/ansible/issues/75711)
+# shippable/posix/group1
+
+# Skip all VMs, since we cannot talk to the ACME simulator from these:
+# (TODO: remove when ansible-core 2.12 is the earliest version we support)
+# skip/aix
+# skip/freebsd
+# skip/macos
+# skip/osx
+# skip/rhel

tests/integration/targets/acme_inspect/meta/main.yml

@@ -1,2 +1,4 @@
 dependencies:
   - setup_acme
+  - setup_remote_tmp_dir
+  - prepare_jinja2_compat

tests/integration/targets/acme_inspect/tasks/impl.yml

@@ -2,7 +2,7 @@
 - block:
   - name: Generate account keys
     openssl_privatekey:
-      path: "{{ output_dir }}/{{ item }}.pem"
+      path: "{{ remote_tmp_dir }}/{{ item }}.pem"
       type: ECC
       curve: secp256r1
       force: true
@@ -10,7 +10,7 @@
 
   - name: Parse account keys (to ease debugging some test failures)
     openssl_privatekey_info:
-      path: "{{ output_dir }}/{{ item }}.pem"
+      path: "{{ remote_tmp_dir }}/{{ item }}.pem"
       return_private_key_data: true
     loop: "{{ account_keys }}"
 
@@ -32,7 +32,7 @@
     acme_directory: https://{{ acme_host }}:14000/dir
     acme_version: 2
     validate_certs: no
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     url: "{{ directory.directory.newAccount}}"
     method: post
     content: '{"termsOfServiceAgreed":true}'
@@ -46,7 +46,7 @@
     acme_directory: https://{{ acme_host }}:14000/dir
     acme_version: 2
     validate_certs: no
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     account_uri: "{{ account_creation.headers.location }}"
     url: "{{ account_creation.headers.location }}"
     method: get
@@ -58,7 +58,7 @@
     acme_directory: https://{{ acme_host }}:14000/dir
     acme_version: 2
     validate_certs: no
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     account_uri: "{{ account_creation.headers.location }}"
     url: "{{ account_creation.headers.location }}"
     method: post
@@ -77,7 +77,7 @@
     acme_directory: https://{{ acme_host }}:14000/dir
     acme_version: 2
     validate_certs: no
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     account_uri: "{{ account_creation.headers.location }}"
     url: "{{ directory.directory.newOrder }}"
     method: post
@@ -100,7 +100,7 @@
     acme_directory: https://{{ acme_host }}:14000/dir
     acme_version: 2
     validate_certs: no
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     account_uri: "{{ account_creation.headers.location }}"
     url: "{{ new_order.headers.location }}"
     method: get
@@ -112,7 +112,7 @@
     acme_directory: https://{{ acme_host }}:14000/dir
     acme_version: 2
     validate_certs: no
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     account_uri: "{{ account_creation.headers.location }}"
     url: "{{ item }}"
     method: get
@@ -125,7 +125,7 @@
     acme_directory: https://{{ acme_host }}:14000/dir
     acme_version: 2
     validate_certs: no
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     account_uri: "{{ account_creation.headers.location }}"
     url: "{{ (item.challenges | selectattr('type', 'equalto', 'http-01') | list)[0].url }}"
     method: get
@@ -138,7 +138,7 @@
     acme_directory: https://{{ acme_host }}:14000/dir
     acme_version: 2
     validate_certs: no
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     account_uri: "{{ account_creation.headers.location }}"
     url: "{{ item.url }}"
     method: post
@@ -152,7 +152,7 @@
     acme_directory: https://{{ acme_host }}:14000/dir
     acme_version: 2
     validate_certs: no
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
     account_uri: "{{ account_creation.headers.location }}"
     url: "{{ item.url }}"
     method: get

tests/integration/targets/acme_inspect/tasks/main.yml

@@ -17,12 +17,12 @@
 
 - name: Remove output directory
   file:
-    path: "{{ output_dir }}"
+    path: "{{ remote_tmp_dir }}"
     state: absent
 
 - name: Re-create output directory
   file:
-    path: "{{ output_dir }}"
+    path: "{{ remote_tmp_dir }}"
     state: directory
 
 - block:

tests/integration/targets/certificate_complete_chain/aliases

@@ -1 +1,2 @@
+shippable/cloud/group1
 shippable/posix/group1

tests/integration/targets/certificate_complete_chain/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
+  - setup_openssl
   - setup_remote_tmp_dir

tests/integration/targets/certificate_complete_chain/tasks/main.yml

@@ -3,9 +3,6 @@
 # and should not be used as examples of how to write Ansible roles #
 ####################################################################
 
-- name: register cryptography version
-  command: '{{ ansible_python.executable }} -c ''import cryptography; print(cryptography.__version__)'''
-  register: cryptography_version
 - block:
   - name: Make sure testhost directory exists
     file:
@@ -16,10 +13,9 @@
     copy:
       src: '{{ role_path }}/files/'
       dest: '{{ remote_tmp_dir }}/files/'
-      remote_src: yes
   - name: Find root for cert 1
     certificate_complete_chain:
-      input_chain: '{{ lookup(''file'', ''cert1-fullchain.pem'', rstrip=False) }}'
+      input_chain: '{{ lookup("file", "cert1-fullchain.pem", rstrip=False) }}'
       root_certificates:
       - '{{ remote_tmp_dir }}/files/roots/'
     register: cert1_root
@@ -30,7 +26,7 @@
       - cert1_root.root == lookup('file', 'cert1-root.pem', rstrip=False)
   - name: Find rootchain for cert 1
     certificate_complete_chain:
-      input_chain: '{{ lookup(''file'', ''cert1.pem'', rstrip=False) }}'
+      input_chain: '{{ lookup("file", "cert1.pem", rstrip=False) }}'
       intermediate_certificates:
       - '{{ remote_tmp_dir }}/files/cert1-chain.pem'
       root_certificates:
@@ -44,7 +40,7 @@
       - cert1_rootchain.root == lookup('file', 'cert1-root.pem', rstrip=False)
   - name: Find root for cert 2
     certificate_complete_chain:
-      input_chain: '{{ lookup(''file'', ''cert2-fullchain.pem'', rstrip=False) }}'
+      input_chain: '{{ lookup("file", "cert2-fullchain.pem", rstrip=False) }}'
       root_certificates:
       - '{{ remote_tmp_dir }}/files/roots/'
     register: cert2_root
@@ -55,7 +51,7 @@
       - cert2_root.root == lookup('file', 'cert2-root.pem', rstrip=False)
   - name: Find rootchain for cert 2
     certificate_complete_chain:
-      input_chain: '{{ lookup(''file'', ''cert2.pem'', rstrip=False) }}'
+      input_chain: '{{ lookup("file", "cert2.pem", rstrip=False) }}'
       intermediate_certificates:
       - '{{ remote_tmp_dir }}/files/cert2-chain.pem'
       root_certificates:
@@ -69,7 +65,7 @@
       - cert2_rootchain.root == lookup('file', 'cert2-root.pem', rstrip=False)
   - name: Find alternate rootchain for cert 2
     certificate_complete_chain:
-      input_chain: '{{ lookup(''file'', ''cert2.pem'', rstrip=True) }}'
+      input_chain: '{{ lookup("file", "cert2.pem", rstrip=True) }}'
       intermediate_certificates:
       - '{{ remote_tmp_dir }}/files/cert2-altchain.pem'
       root_certificates:

tests/integration/targets/get_certificate/aliases

@@ -1,3 +1,4 @@
+shippable/cloud/group1
 shippable/posix/group1
 destructive
 needs/httptester

tests/integration/targets/get_certificate/tasks/main.yml

@@ -4,16 +4,35 @@
 # and should not be used as examples of how to write Ansible roles #
 ####################################################################
 
+- set_fact:
+    skip_tests: false
+
 - block:
 
   - name: Get servers certificate with backend auto-detection
     get_certificate:
       host: "{{ httpbin_host }}"
       port: 443
+    ignore_errors: true
+    register: result
+
+  - set_fact:
+      skip_tests: |
+        {{
+          result is failed and (
+            'error: [Errno 1] _ssl.c:492: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure' in result.msg
+            or
+            'error: _ssl.c:314: Invalid SSL protocol variant specified.' in result.msg
+          )
+        }}
+
+  - assert:
+      that:
+        - result is success or skip_tests
 
   when: |
     pyopenssl_version.stdout is version('0.15', '>=') or
-    (cryptography_version.stdout is version('1.6', '>=') and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6))
+    cryptography_version.stdout is version('1.6', '>=')
 
 - block:
 
@@ -21,17 +40,7 @@
     vars:
       select_crypto_backend: pyopenssl
 
-  when: pyopenssl_version.stdout is version('0.15', '>=')
+  when: pyopenssl_version.stdout is version('0.15', '>=') and not skip_tests
-
-- name: Remove output directory
-  file:
-    path: "{{ output_dir }}"
-    state: absent
-
-- name: Re-create output directory
-  file:
-    path: "{{ output_dir }}"
-    state: directory
 
 - block:
 
@@ -42,6 +51,4 @@
   # The module doesn't work with CentOS 6. Since the pyOpenSSL installed there is too old,
   # we never noticed before. This becomes a problem with the new cryptography backend,
   # since there is a new enough cryptography version...
-  when: |
+  when: cryptography_version.stdout is version('1.6', '>=') and not skip_tests
-    cryptography_version.stdout is version('1.6', '>=') and
-    (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)

tests/integration/targets/get_certificate/tests/validate.yml

@@ -97,14 +97,19 @@
       # We got the correct response from the module
       - "'ca_cert file does not exist' == result.msg"
 
+- name: Get a temp directory
+  tempfile:
+    state: directory
+  register: my_temp_dir
+
 - name: Download CA Cert as pem from server
   get_url:
     url: "http://ansible.http.tests/cacert.pem"
-    dest: "{{ output_dir }}/temp.pem"
+    dest: "{{ my_temp_dir.path }}/temp.pem"
 
 - name: Get servers certificate comparing it to its own ca_cert file
   get_certificate:
-    ca_cert: '{{ output_dir }}/temp.pem'
+    ca_cert: '{{ my_temp_dir.path }}/temp.pem'
     host: "{{ httpbin_host }}"
     port: 443
     select_crypto_backend: "{{ select_crypto_backend }}"
@@ -115,11 +120,6 @@
       - result is not changed
       - result is not failed
 
-- name: Get a temp directory
-  tempfile:
-    state: directory
-  register: my_temp_dir
-
 - name: Deploy the bogus_ca.pem file
   copy:
     src: "bogus_ca.pem"

tests/integration/targets/luks_device/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - setup_remote_tmp_dir

tests/integration/targets/luks_device/tasks/main.yml

@@ -4,18 +4,25 @@
 # and should not be used as examples of how to write Ansible roles #
 ####################################################################
 
+- name: Copy keyfiles
+  copy:
+    src: '{{ item }}'
+    dest: '{{ remote_tmp_dir }}/{{ item }}'
+  loop:
+    - keyfile1
+    - keyfile2
 - name: Make sure cryptsetup is installed
   package:
     name: cryptsetup
     state: present
   become: yes
 - name: Create cryptfile
-  command: dd if=/dev/zero of={{ output_dir.replace('~', ansible_env.HOME) }}/cryptfile bs=1M count=32
+  command: dd if=/dev/zero of={{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile bs=1M count=32
 - name: Create lookback device
-  command: losetup -f {{ output_dir.replace('~', ansible_env.HOME) }}/cryptfile
+  command: losetup -f {{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile
   become: yes
 - name: Determine loop device name
-  command: losetup -j {{ output_dir.replace('~', ansible_env.HOME) }}/cryptfile --output name
+  command: losetup -j {{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile --output name
   become: yes
   register: cryptfile_device_output
 - set_fact:
@@ -37,5 +44,5 @@
   - command: losetup -d "{{ cryptfile_device }}"
     become: yes
   - file:
-      dest: "{{ output_dir }}/cryptfile"
+      dest: "{{ remote_tmp_dir }}/cryptfile"
       state: absent

tests/integration/targets/luks_device/tasks/tests/create-destroy.yml

@@ -3,7 +3,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: present
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
     pbkdf:
       iteration_time: 0.1
   check_mode: yes
@@ -13,7 +13,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: present
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
     pbkdf:
       iteration_time: 0.1
   become: yes
@@ -22,7 +22,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: present
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
     pbkdf:
       iteration_time: 0.1
   become: yes
@@ -31,7 +31,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: present
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
     pbkdf:
       iteration_time: 0.1
   check_mode: yes
@@ -48,7 +48,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: opened
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
   check_mode: yes
   become: yes
   register: open_check
@@ -56,21 +56,21 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: opened
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
   become: yes
   register: open
 - name: Open (idempotent)
   luks_device:
     device: "{{ cryptfile_device }}"
     state: opened
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
   become: yes
   register: open_idem
 - name: Open (idempotent, check)
   luks_device:
     device: "{{ cryptfile_device }}"
     state: opened
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
   check_mode: yes
   become: yes
   register: open_idem_check
@@ -118,7 +118,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: opened
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
   become: yes
 
 - name: Closed (via device, check)
@@ -158,7 +158,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: opened
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
   become: yes
 
 - name: Absent (check)

tests/integration/targets/luks_device/tasks/tests/device-check.yml

@@ -3,7 +3,7 @@
   luks_device:
     device: /dev/asdfasdfasdf
     state: present
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
     pbkdf:
       iteration_time: 0.1
   check_mode: yes
@@ -14,7 +14,7 @@
   luks_device:
     device: /dev/asdfasdfasdf
     state: present
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
     pbkdf:
       iteration_time: 0.1
   ignore_errors: yes
@@ -31,7 +31,7 @@
   luks_device:
     device: /tmp/
     state: present
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
     pbkdf:
       iteration_time: 0.1
   check_mode: yes
@@ -42,7 +42,7 @@
   luks_device:
     device: /tmp/
     state: present
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
     pbkdf:
       iteration_time: 0.1
   ignore_errors: yes

tests/integration/targets/luks_device/tasks/tests/key-management.yml

@@ -3,7 +3,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: closed
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
     pbkdf:
       iteration_time: 0.1
   become: yes
@@ -14,7 +14,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: opened
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
   become: yes
   ignore_errors: yes
   register: open_try
@@ -31,7 +31,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: opened
-    keyfile: "{{ role_path }}/files/keyfile2"
+    keyfile: "{{ remote_tmp_dir }}/keyfile2"
   become: yes
   ignore_errors: yes
   register: open_try
@@ -43,8 +43,8 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: closed
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
-    new_keyfile: "{{ role_path }}/files/keyfile2"
+    new_keyfile: "{{ remote_tmp_dir }}/keyfile2"
     pbkdf:
       iteration_time: 0.1
   become: yes
@@ -54,8 +54,8 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: closed
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
-    new_keyfile: "{{ role_path }}/files/keyfile2"
+    new_keyfile: "{{ remote_tmp_dir }}/keyfile2"
   become: yes
   register: result_2
 
@@ -70,7 +70,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: opened
-    keyfile: "{{ role_path }}/files/keyfile2"
+    keyfile: "{{ remote_tmp_dir }}/keyfile2"
   become: yes
   ignore_errors: yes
   register: open_try
@@ -91,8 +91,8 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: closed
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
-    remove_keyfile: "{{ role_path }}/files/keyfile1"
+    remove_keyfile: "{{ remote_tmp_dir }}/keyfile1"
   become: yes
   register: result_1
 
@@ -100,8 +100,8 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: closed
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
-    remove_keyfile: "{{ role_path }}/files/keyfile1"
+    remove_keyfile: "{{ remote_tmp_dir }}/keyfile1"
   become: yes
   register: result_2
 
@@ -116,7 +116,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: opened
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
   become: yes
   ignore_errors: yes
   register: open_try
@@ -128,7 +128,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: opened
-    keyfile: "{{ role_path }}/files/keyfile2"
+    keyfile: "{{ remote_tmp_dir }}/keyfile2"
   become: yes
   ignore_errors: yes
   register: open_try
@@ -149,8 +149,8 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: closed
-    keyfile: "{{ role_path }}/files/keyfile2"
+    keyfile: "{{ remote_tmp_dir }}/keyfile2"
-    remove_keyfile: "{{ role_path }}/files/keyfile2"
+    remove_keyfile: "{{ remote_tmp_dir }}/keyfile2"
   become: yes
   ignore_errors: yes
   register: remove_last_key
@@ -165,7 +165,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: opened
-    keyfile: "{{ role_path }}/files/keyfile2"
+    keyfile: "{{ remote_tmp_dir }}/keyfile2"
   become: yes
   ignore_errors: yes
   register: open_try
@@ -182,8 +182,8 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: closed
-    keyfile: "{{ role_path }}/files/keyfile2"
+    keyfile: "{{ remote_tmp_dir }}/keyfile2"
-    remove_keyfile: "{{ role_path }}/files/keyfile2"
+    remove_keyfile: "{{ remote_tmp_dir }}/keyfile2"
     force_remove_last_key: yes
   become: yes
 
@@ -193,7 +193,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: opened
-    keyfile: "{{ role_path }}/files/keyfile2"
+    keyfile: "{{ remote_tmp_dir }}/keyfile2"
   become: yes
   ignore_errors: yes
   register: open_try

tests/integration/targets/luks_device/tasks/tests/options.yml

@@ -3,7 +3,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: present
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
     keysize: 256
     pbkdf:
       iteration_count: 1000
@@ -13,7 +13,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: present
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
     keysize: 256
     pbkdf:
       iteration_count: 1000
@@ -23,7 +23,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: present
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
     keysize: 512
     pbkdf:
       iteration_count: 1000
@@ -33,7 +33,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: present
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
     passphrase: "{{ cryptfile_passphrase1 }}"
     pbkdf:
       iteration_count: 1000

tests/integration/targets/luks_device/tasks/tests/passphrase.yml

@@ -54,7 +54,7 @@
     state: closed
     passphrase: "{{ cryptfile_passphrase1 }}"
     new_passphrase: "{{ cryptfile_passphrase2 }}"
-    new_keyfile: "{{ role_path }}/files/keyfile1"
+    new_keyfile: "{{ remote_tmp_dir }}/keyfile1"
     pbkdf:
       iteration_time: 0.1
   become: yes
@@ -122,7 +122,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: opened
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
   become: yes
   ignore_errors: yes
   register: open_try
@@ -135,7 +135,7 @@
     device: "{{ cryptfile_device }}"
     state: closed
     passphrase: "{{ cryptfile_passphrase1 }}"
-    new_keyfile: "{{ role_path }}/files/keyfile1"
+    new_keyfile: "{{ remote_tmp_dir }}/keyfile1"
     pbkdf:
       iteration_time: 0.1
   become: yes
@@ -144,7 +144,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: closed
-    remove_keyfile: "{{ role_path }}/files/keyfile1"
+    remove_keyfile: "{{ remote_tmp_dir }}/keyfile1"
     remove_passphrase: "{{ cryptfile_passphrase1 }}"
   become: yes
   ignore_errors: yes
@@ -157,7 +157,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: opened
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
   become: yes
   ignore_errors: yes
   register: open_try
@@ -219,7 +219,7 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: closed
-    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
     new_passphrase: "{{ cryptfile_passphrase3 }}"
     pbkdf:
       iteration_time: 0.1

tests/integration/targets/openssh_cert/meta/main.yml

@@ -1,3 +1,4 @@
 dependencies:
   - setup_ssh_keygen
   - setup_ssh_agent
+  - setup_remote_tmp_dir

tests/integration/targets/openssh_cert/tasks/main.yml

@@ -5,9 +5,9 @@
 
 - name: Declare global variables
   set_fact:
-    signing_key: '{{ output_dir }}/id_key'
+    signing_key: '{{ remote_tmp_dir }}/id_key'
-    public_key: '{{ output_dir }}/id_key.pub'
+    public_key: '{{ remote_tmp_dir }}/id_key.pub'
-    certificate_path: '{{ output_dir }}/id_cert'
+    certificate_path: '{{ remote_tmp_dir }}/id_cert'
 
 - name: Generate keypair
   openssh_keypair:

tests/integration/targets/openssh_cert/tests/key_idempotency.yml

@@ -4,8 +4,8 @@
 ####################################################################
 
 - set_fact:
-    new_signing_key: "{{ output_dir }}/new_key"
+    new_signing_key: "{{ remote_tmp_dir }}/new_key"
-    new_public_key: "{{ output_dir }}/new_key.pub"
+    new_public_key: "{{ remote_tmp_dir }}/new_key.pub"
 
 - name: Generate new test key
   openssh_keypair:
@@ -20,6 +20,81 @@
     valid_from: always
     valid_to: forever
 
+- block:
+    - name: Generate cert with updated signature algorithm
+      openssh_cert:
+        type: user
+        path: "{{ certificate_path }}"
+        public_key: "{{ public_key }}"
+        signing_key: "{{ signing_key }}"
+        signature_algorithm: rsa-sha2-256
+        valid_from: always
+        valid_to: forever
+      register: updated_signature_algorithm
+
+    - name: Assert signature algorithm update causes change
+      assert:
+        that:
+          - updated_signature_algorithm is changed
+
+    - name: Generate cert with updated signature algorithm (idempotent)
+      openssh_cert:
+        type: user
+        path: "{{ certificate_path }}"
+        public_key: "{{ public_key }}"
+        signing_key: "{{ signing_key }}"
+        signature_algorithm: rsa-sha2-256
+        valid_from: always
+        valid_to: forever
+      register: updated_signature_algorithm_idempotent
+
+    - name: Assert signature algorithm update is idempotent
+      assert:
+        that:
+          - updated_signature_algorithm_idempotent is not changed
+
+    - name: Generate cert with original signature algorithm
+      openssh_cert:
+        type: user
+        path: "{{ certificate_path }}"
+        public_key: "{{ public_key }}"
+        signing_key: "{{ signing_key }}"
+        signature_algorithm: ssh-rsa
+        valid_from: always
+        valid_to: forever
+      register: second_signature_algorithm
+
+    - name: Assert second signature algorithm update causes change
+      assert:
+        that:
+          - second_signature_algorithm is changed
+
+    - name: Omit signature algorithm
+      openssh_cert:
+        type: user
+        path: "{{ certificate_path }}"
+        public_key: "{{ public_key }}"
+        signing_key: "{{ signing_key }}"
+        valid_from: always
+        valid_to: forever
+      register: omitted_signature_algorithm
+
+    - name: Assert omitted_signature_algorithm does not cause change
+      assert:
+        that:
+          - omitted_signature_algorithm is not changed
+
+    - name: Revert to original certificate
+      openssh_cert:
+        type: user
+        path: "{{ certificate_path }}"
+        public_key: "{{ public_key }}"
+        signing_key: "{{ signing_key }}"
+        valid_from: always
+        valid_to: forever
+        regenerate: always
+  when: openssh_version is version("7.3", ">=")
+
 - name: Generate cert with new signing key
   openssh_cert:
     type: user

tests/integration/targets/openssh_cert/tests/ssh-agent.yml

@@ -12,7 +12,7 @@
         type: user
         signing_key: "{{ signing_key }}"
         public_key: "{{ public_key }}"
-        path: '{{ output_dir }}/id_cert_with_agent'
+        path: '{{ remote_tmp_dir }}/id_cert_with_agent'
         use_agent: true
         valid_from: always
         valid_to: forever
@@ -33,7 +33,7 @@
         type: user
         signing_key: "{{ signing_key }}"
         public_key: "{{ public_key }}"
-        path: '{{ output_dir }}/id_cert_with_agent'
+        path: '{{ remote_tmp_dir }}/id_cert_with_agent'
         use_agent: true
         valid_from: always
         valid_to: forever
@@ -44,7 +44,7 @@
         type: user
         signing_key: "{{ signing_key }}"
         public_key: "{{ public_key }}"
-        path: '{{ output_dir }}/id_cert_with_agent'
+        path: '{{ remote_tmp_dir }}/id_cert_with_agent'
         use_agent: true
         valid_from: always
         valid_to: forever
@@ -54,7 +54,7 @@
         type: user
         signing_key: "{{ signing_key }}"
         public_key: "{{ public_key }}"
-        path: '{{ output_dir }}/id_cert_with_agent'
+        path: '{{ remote_tmp_dir }}/id_cert_with_agent'
         use_agent: true
         valid_from: always
         valid_to: forever
@@ -71,7 +71,7 @@
         type: user
         signing_key: "{{ signing_key }}"
         public_key: "{{ public_key }}"
-        path: '{{ output_dir }}/id_cert_with_agent'
+        path: '{{ remote_tmp_dir }}/id_cert_with_agent'
         use_agent: true
         valid_from: always
         valid_to: forever
@@ -80,4 +80,4 @@
     - name: Remove certificate
       openssh_cert:
         state: absent
-        path: '{{ output_dir }}/id_cert_with_agent'
+        path: '{{ remote_tmp_dir }}/id_cert_with_agent'

tests/integration/targets/openssh_keypair/meta/main.yml

@@ -2,3 +2,4 @@ dependencies:
   - setup_ssh_keygen
   - setup_openssl
   - setup_bcrypt
+  - setup_remote_tmp_dir

tests/integration/targets/openssh_keypair/tasks/main.yml

@@ -6,7 +6,7 @@
 
 - name: Backend auto-detection test
   openssh_keypair:
-    path: '{{ output_dir }}/auto_backend_key'
+    path: '{{ remote_tmp_dir }}/auto_backend_key'
     state: "{{ item }}"
   loop: ['present', 'absent']
 

tests/integration/targets/openssh_keypair/tests/core.yml

@@ -6,7 +6,7 @@
 
 - name: "({{ backend }}) Generate key (check mode)"
   openssh_keypair:
-    path: "{{ output_dir }}/core"
+    path: "{{ remote_tmp_dir }}/core"
     size: 2048
     backend: "{{ backend }}"
   register: check_core_output
@@ -14,14 +14,14 @@
 
 - name: "({{ backend }}) Generate key"
   openssh_keypair:
-    path: "{{ output_dir }}/core"
+    path: "{{ remote_tmp_dir }}/core"
     size: 2048
     backend: "{{ backend }}"
   register: core_output
 
 - name: "({{ backend }}) Generate key (check mode idempotent)"
   openssh_keypair:
-    path: "{{ output_dir }}/core"
+    path: "{{ remote_tmp_dir }}/core"
     size: 2048
     backend: "{{ backend }}"
   register: idempotency_check_core_output
@@ -29,7 +29,7 @@
 
 - name: "({{ backend }}) Generate key (idempotent)"
   openssh_keypair:
-    path: '{{ output_dir }}/core'
+    path: '{{ remote_tmp_dir }}/core'
     size: 2048
     backend: "{{ backend }}"
   register: idempotency_core_output
@@ -74,7 +74,7 @@
       - core_output['type'] == 'rsa'
 
 - name: "({{ backend }}) Retrieve key size from 'ssh-keygen'"
-  shell: "ssh-keygen -lf {{ output_dir }}/core | grep -o -E '^[0-9]+'"
+  shell: "ssh-keygen -lf {{ remote_tmp_dir }}/core | grep -o -E '^[0-9]+'"
   register: core_size_ssh_keygen
 
 - name: "({{ backend }}) Assert key size matches 'ssh-keygen' output"
@@ -82,13 +82,18 @@
     that:
       - core_size_ssh_keygen.stdout == '2048'
 
+- name: "({{ backend }}) Read core.pub"
+  slurp:
+    src: '{{ remote_tmp_dir }}/core.pub'
+  register: slurp
+
 - name: "({{ backend }}) Assert public key module return equal to the public key content"
   assert:
     that:
-      - "core_output.public_key == lookup('file', output_dir ~ '/core.pub').strip('\n')"
+      - "core_output.public_key == (slurp.content | b64decode).strip('\n ')"
 
 - name: "({{ backend }}) Remove key"
   openssh_keypair:
-    path: '{{ output_dir }}/core'
+    path: '{{ remote_tmp_dir }}/core'
     backend: "{{ backend }}"
     state: absent

tests/integration/targets/openssh_keypair/tests/cryptography_backend.yml

@@ -1,10 +1,10 @@
 ---
 - name: Generate a password protected key
-  command: 'ssh-keygen -f {{ output_dir }}/password_protected -N {{ passphrase }}'
+  command: 'ssh-keygen -f {{ remote_tmp_dir }}/password_protected -N {{ passphrase }}'
 
 - name: Modify the password protected key with passphrase
   openssh_keypair:
-    path: '{{ output_dir }}/password_protected'
+    path: '{{ remote_tmp_dir }}/password_protected'
     size: 1024
     passphrase: "{{ passphrase }}"
     backend: cryptography
@@ -12,14 +12,14 @@
 
 - name: Check password protected key idempotency
   openssh_keypair:
-    path: '{{ output_dir }}/password_protected'
+    path: '{{ remote_tmp_dir }}/password_protected'
     size: 1024
     passphrase: "{{ passphrase }}"
     backend: cryptography
   register: password_protected_idempotency_output
 
 - name: Ensure that ssh-keygen can read keys generated with passphrase
-  command: 'ssh-keygen -yf {{ output_dir }}/password_protected -P {{ passphrase }}'
+  command: 'ssh-keygen -yf {{ remote_tmp_dir }}/password_protected -P {{ passphrase }}'
   register: password_protected_ssh_keygen_output
 
 - name: Check that password protected key with passphrase was regenerated
@@ -31,18 +31,18 @@
 
 - name: Remove password protected key
   openssh_keypair:
-    path: '{{ output_dir }}/password_protected'
+    path: '{{ remote_tmp_dir }}/password_protected'
     backend: cryptography
     state: absent
 
 - name: Generate an unprotected key
   openssh_keypair:
-    path: '{{ output_dir }}/unprotected'
+    path: '{{ remote_tmp_dir }}/unprotected'
     backend: cryptography
 
 - name: Modify unprotected key with passphrase
   openssh_keypair:
-    path: '{{ output_dir }}/unprotected'
+    path: '{{ remote_tmp_dir }}/unprotected'
     size: 2048
     passphrase: "{{ passphrase }}"
     backend: cryptography
@@ -51,7 +51,7 @@
 
 - name: Modify unprotected key with passphrase (force)
   openssh_keypair:
-    path: '{{ output_dir }}/unprotected'
+    path: '{{ remote_tmp_dir }}/unprotected'
     size: 2048
     passphrase: "{{ passphrase }}"
     force: true
@@ -66,16 +66,16 @@
 
 - name: Remove unprotected key
   openssh_keypair:
-    path: '{{ output_dir }}/unprotected'
+    path: '{{ remote_tmp_dir }}/unprotected'
     backend: cryptography
     state: absent
 
 - name: Generate PEM encoded key with passphrase
-  command: 'ssh-keygen -b 4096 -f {{ output_dir }}/pem_encoded -N {{ passphrase }} -m PEM'
+  command: 'ssh-keygen -b 4096 -f {{ remote_tmp_dir }}/pem_encoded -N {{ passphrase }} -m PEM'
 
 - name: Try to verify a PEM encoded key
   openssh_keypair:
-    path: '{{ output_dir }}/pem_encoded'
+    path: '{{ remote_tmp_dir }}/pem_encoded'
     passphrase: "{{ passphrase }}"
     backend: cryptography
   register: pem_encoded_output
@@ -87,6 +87,6 @@
 
 - name: Remove PEM encoded key
   openssh_keypair:
-    path: '{{ output_dir }}/pem_encoded'
+    path: '{{ remote_tmp_dir }}/pem_encoded'
     backend: cryptography
     state: absent

tests/integration/targets/openssh_keypair/tests/invalid.yml

@@ -10,12 +10,12 @@
     content: ''
     mode: '0700'
   loop:
-    - "{{ output_dir }}/broken"
+    - "{{ remote_tmp_dir }}/broken"
-    - "{{ output_dir }}/broken.pub"
+    - "{{ remote_tmp_dir }}/broken.pub"
 
 - name: "({{ backend }}) Regenerate key - broken"
   openssh_keypair:
-    path: "{{ output_dir }}/broken"
+    path: "{{ remote_tmp_dir }}/broken"
     backend: "{{ backend }}"
   register: broken_output
   ignore_errors: true
@@ -28,7 +28,7 @@
 
 - name: "({{ backend }}) Regenerate key with force - broken"
   openssh_keypair:
-    path: "{{ output_dir }}/broken"
+    path: "{{ remote_tmp_dir }}/broken"
     backend: "{{ backend }}"
     force: true
   register: force_broken_output
@@ -40,24 +40,24 @@
 
 - name: "({{ backend }}) Remove key - broken"
   openssh_keypair:
-    path: "{{ output_dir }}/broken"
+    path: "{{ remote_tmp_dir }}/broken"
     backend: "{{ backend }}"
     state: absent
 
 - name: "({{ backend }}) Generate key - write-only"
   openssh_keypair:
-    path: "{{ output_dir }}/write-only"
+    path: "{{ remote_tmp_dir }}/write-only"
     mode: "0200"
     backend: "{{ backend }}"
 
 - name: "({{ backend }}) Check private key status - write-only"
   stat:
-    path: '{{ output_dir }}/write-only'
+    path: '{{ remote_tmp_dir }}/write-only'
   register: write_only_private_key
 
 - name: "({{ backend }}) Check public key status - write-only"
   stat:
-    path: '{{ output_dir }}/write-only.pub'
+    path: '{{ remote_tmp_dir }}/write-only.pub'
   register: write_only_public_key
 
 - name: "({{ backend }}) Assert that private and public keys match permissions - write-only"
@@ -68,14 +68,14 @@
 
 - name: "({{ backend }}) Regenerate key with force - write-only"
   openssh_keypair:
-    path: "{{ output_dir }}/write-only"
+    path: "{{ remote_tmp_dir }}/write-only"
     backend: "{{ backend }}"
     force: true
   register: write_only_output
 
 - name: "({{ backend }}) Check private key status after regeneration - write-only"
   stat:
-    path: '{{ output_dir }}/write-only'
+    path: '{{ remote_tmp_dir }}/write-only'
   register: write_only_private_key_after
 
 - name: "({{ backend }}) Assert key is regenerated - write-only"
@@ -90,16 +90,16 @@
 
 - name: "({{ backend }}) Remove key - write-only"
   openssh_keypair:
-    path: "{{ output_dir }}/write-only"
+    path: "{{ remote_tmp_dir }}/write-only"
     backend: "{{ backend }}"
     state: absent
 
 - name: "({{ backend }}) Generate key with ssh-keygen - password_protected"
-  command: "ssh-keygen -f {{ output_dir }}/password_protected -N {{ passphrase }}"
+  command: "ssh-keygen -f {{ remote_tmp_dir }}/password_protected -N {{ passphrase }}"
 
 - name: "({{ backend }}) Modify key - password_protected"
   openssh_keypair:
-    path: "{{ output_dir }}/password_protected"
+    path: "{{ remote_tmp_dir }}/password_protected"
     size: 2048
     backend: "{{ backend }}"
   register: password_protected_output
@@ -113,7 +113,7 @@
 
 - name: "({{ backend }}) Modify key with 'force=true' - password_protected"
   openssh_keypair:
-    path: "{{ output_dir }}/password_protected"
+    path: "{{ remote_tmp_dir }}/password_protected"
     size: 2048
     backend: "{{ backend }}"
     force: true
@@ -126,6 +126,6 @@
 
 - name: "({{ backend }}) Remove key - password_protected"
   openssh_keypair:
-    path: "{{ output_dir }}/password_protected"
+    path: "{{ remote_tmp_dir }}/password_protected"
     backend: "{{ backend }}"
     state: absent

tests/integration/targets/openssh_keypair/tests/options.yml

@@ -12,13 +12,13 @@
 
 - name: "({{ backend }}) Generate keys with default size - size"
   openssh_keypair:
-    path: "{{ output_dir }}/default_size_{{ item }}"
+    path: "{{ remote_tmp_dir }}/default_size_{{ item }}"
     type: "{{ item }}"
     backend: "{{ backend }}"
   loop: "{{ key_types }}"
 
 - name: "({{ backend }}) Retrieve key size from 'ssh-keygen' - size"
-  shell: "ssh-keygen -lf {{ output_dir }}/default_size_{{ item }} | grep -o -E '^[0-9]+'"
+  shell: "ssh-keygen -lf {{ remote_tmp_dir }}/default_size_{{ item }} | grep -o -E '^[0-9]+'"
   loop: "{{ key_types }}"
   register: key_size_output
 
@@ -31,19 +31,19 @@
 
 - name: "({{ backend }}) Remove keys - size"
   openssh_keypair:
-    path: "{{ output_dir }}/default_size_{{ item }}"
+    path: "{{ remote_tmp_dir }}/default_size_{{ item }}"
     state: absent
   loop: "{{ key_types }}"
 
 - block:
     - name: "({{ backend }}) Generate ed25519 key with default size - size"
       openssh_keypair:
-        path: "{{ output_dir }}/default_size_ed25519"
+        path: "{{ remote_tmp_dir }}/default_size_ed25519"
         type: ed25519
         backend: "{{ backend }}"
 
     - name: "({{ backend }}) Retrieve ed25519 key size from 'ssh-keygen' - size"
-      shell: "ssh-keygen -lf {{ output_dir }}/default_size_ed25519 | grep -o -E '^[0-9]+'"
+      shell: "ssh-keygen -lf {{ remote_tmp_dir }}/default_size_ed25519 | grep -o -E '^[0-9]+'"
       register: ed25519_key_size_output
 
     - name: "({{ backend }}) Assert ed25519 key size matches default size - size"
@@ -53,20 +53,20 @@
 
     - name: "({{ backend }}) Remove ed25519 key - size"
       openssh_keypair:
-        path: "{{ output_dir }}/default_size_ed25519"
+        path: "{{ remote_tmp_dir }}/default_size_ed25519"
         state: absent
   # Support for ed25519 keys was added in OpenSSH 6.5
   when: not (backend == 'opensshbin' and openssh_version is version('6.5', '<'))
 
 - name: "({{ backend }}) Generate key - force"
   openssh_keypair:
-    path: "{{ output_dir }}/force"
+    path: "{{ remote_tmp_dir }}/force"
     type: rsa
     backend: "{{ backend }}"
 
 - name: "({{ backend }}) Regenerate key - force"
   openssh_keypair:
-    path: "{{ output_dir }}/force"
+    path: "{{ remote_tmp_dir }}/force"
     type: rsa
     force: true
     backend: "{{ backend }}"
@@ -79,20 +79,20 @@
 
 - name: "({{ backend }}) Remove key - force"
   openssh_keypair:
-    path: "{{ output_dir }}/force"
+    path: "{{ remote_tmp_dir }}/force"
     state: absent
     backend: "{{ backend }}"
 
 - name: "({{ backend }}) Generate key - comment"
   openssh_keypair:
-    path: "{{ output_dir }}/comment"
+    path: "{{ remote_tmp_dir }}/comment"
     comment: "test@comment"
     backend: "{{ backend }}"
   register: comment_output
 
 - name: "({{ backend }}) Modify comment - comment"
   openssh_keypair:
-    path: "{{ output_dir }}/comment"
+    path: "{{ remote_tmp_dir }}/comment"
     comment: "test_modified@comment"
     backend: "{{ backend }}"
   register: modified_comment_output
@@ -112,6 +112,6 @@
 
 - name: "({{ backend }}) Remove key - comment"
   openssh_keypair:
-    path: "{{ output_dir }}/comment"
+    path: "{{ remote_tmp_dir }}/comment"
     state: absent
     backend: "{{ backend }}"

tests/integration/targets/openssh_keypair/tests/regenerate.yml

@@ -5,27 +5,33 @@
 ####################################################################
 
 # Ensures no conflicts from previous test runs
+- name: "({{ backend }}) Find old test artifacts"
+  ansible.builtin.find:
+    paths: "{{ remote_tmp_dir }}"
+    patterns:
+      - "regenerate*"
+  register: old_test_artifacts
+
 - name: "({{ backend }}) Cleanup Output Directory"
   ansible.builtin.file:
-    path: "{{ item }}"
+    path: "{{ item.path }}"
     state: absent
-  with_fileglob:
+  loop: "{{ old_test_artifacts.files }}"
-    - "{{ output_dir }}/regenerate*"
 
 - name: "({{ backend }}) Regenerate - setup simple keys"
   openssh_keypair:
-    path: '{{ output_dir }}/regenerate-a-{{ item }}'
+    path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
     type: rsa
     size: 1024
     backend: "{{ backend }}"
   loop: "{{ regenerate_values }}"
 - name: "({{ backend }}) Regenerate - setup password protected keys"
-  command: 'ssh-keygen -f {{ output_dir }}/regenerate-b-{{ item }} -N {{ passphrase }}'
+  command: 'ssh-keygen -f {{ remote_tmp_dir }}/regenerate-b-{{ item }} -N {{ passphrase }}'
   loop: "{{ regenerate_values }}"
 
 - name: "({{ backend }}) Regenerate - setup broken keys"
   copy:
-    dest: '{{ output_dir }}/regenerate-c-{{ item.0 }}{{ item.1 }}'
+    dest: '{{ remote_tmp_dir }}/regenerate-c-{{ item.0 }}{{ item.1 }}'
     content: 'broken key'
     mode: '0700'
   with_nested:
@@ -33,12 +39,12 @@
     - [ '', '.pub' ]
 
 - name: "({{ backend }}) Regenerate - setup password protected keys for passphrse test"
-  command: 'ssh-keygen -f {{ output_dir }}/regenerate-d-{{ item }} -N {{ passphrase }}'
+  command: 'ssh-keygen -f {{ remote_tmp_dir }}/regenerate-d-{{ item }} -N {{ passphrase }}'
   loop: "{{ regenerate_values }}"
 
 - name: "({{ backend }}) Regenerate - modify broken keys (check mode)"
   openssh_keypair:
-    path: '{{ output_dir }}/regenerate-c-{{ item }}'
+    path: '{{ remote_tmp_dir }}/regenerate-c-{{ item }}'
     type: rsa
     size: 1024
     regenerate: '{{ item }}'
@@ -60,7 +66,7 @@
 
 - name: "({{ backend }}) Regenerate - modify broken keys"
   openssh_keypair:
-    path: '{{ output_dir }}/regenerate-c-{{ item }}'
+    path: '{{ remote_tmp_dir }}/regenerate-c-{{ item }}'
     type: rsa
     size: 1024
     regenerate: '{{ item }}'
@@ -81,7 +87,7 @@
 
 - name: "({{ backend }}) Regenerate - modify password protected keys (check mode)"
   openssh_keypair:
-    path: '{{ output_dir }}/regenerate-b-{{ item }}'
+    path: '{{ remote_tmp_dir }}/regenerate-b-{{ item }}'
     type: rsa
     size: 1024
     regenerate: '{{ item }}'
@@ -103,7 +109,7 @@
 
 - name: "({{ backend }}) Regenerate - modify password protected keys with passphrase (check mode)"
   openssh_keypair:
-    path: '{{ output_dir }}/regenerate-b-{{ item }}'
+    path: '{{ remote_tmp_dir }}/regenerate-b-{{ item }}'
     type: rsa
     size: 1024
     passphrase: "{{ passphrase }}"
@@ -127,7 +133,7 @@
 
 - name: "({{ backend }}) Regenerate - modify password protected keys"
   openssh_keypair:
-    path: '{{ output_dir }}/regenerate-b-{{ item }}'
+    path: '{{ remote_tmp_dir }}/regenerate-b-{{ item }}'
     type: rsa
     size: 1024
     regenerate: '{{ item }}'
@@ -148,7 +154,7 @@
 
 - name: "({{ backend }}) Regenerate - modify password protected keys with passphrase"
   openssh_keypair:
-    path: '{{ output_dir }}/regenerate-d-{{ item }}'
+    path: '{{ remote_tmp_dir }}/regenerate-d-{{ item }}'
     type: rsa
     size: 1024
     passphrase: "{{ passphrase }}"
@@ -171,7 +177,7 @@
 
 - name: "({{ backend }}) Regenerate - not modify regular keys (check mode)"
   openssh_keypair:
-    path: '{{ output_dir }}/regenerate-a-{{ item }}'
+    path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
     type: rsa
     size: 1024
     regenerate: '{{ item }}'
@@ -189,7 +195,7 @@
 
 - name: "({{ backend }}) Regenerate - not modify regular keys"
   openssh_keypair:
-    path: '{{ output_dir }}/regenerate-a-{{ item }}'
+    path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
     type: rsa
     size: 1024
     regenerate: '{{ item }}'
@@ -206,7 +212,7 @@
 
 - name: "({{ backend }}) Regenerate - adjust key size (check mode)"
   openssh_keypair:
-    path: '{{ output_dir }}/regenerate-a-{{ item }}'
+    path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
     type: rsa
     size: 1048
     regenerate: '{{ item }}'
@@ -226,7 +232,7 @@
 
 - name: "({{ backend }}) Regenerate - adjust key size"
   openssh_keypair:
-    path: '{{ output_dir }}/regenerate-a-{{ item }}'
+    path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
     type: rsa
     size: 1048
     regenerate: '{{ item }}'
@@ -245,8 +251,8 @@
 
 - name: "({{ backend }}) Regenerate - redistribute keys"
   copy:
-    src: '{{ output_dir }}/regenerate-a-always{{ item.1 }}'
+    src: '{{ remote_tmp_dir }}/regenerate-a-always{{ item.1 }}'
-    dest: '{{ output_dir }}/regenerate-a-{{ item.0 }}{{ item.1 }}'
+    dest: '{{ remote_tmp_dir }}/regenerate-a-{{ item.0 }}{{ item.1 }}'
     remote_src: true
   with_nested:
     - "{{ regenerate_values }}"
@@ -255,7 +261,7 @@
 
 - name: "({{ backend }}) Regenerate - adjust key type (check mode)"
   openssh_keypair:
-    path: '{{ output_dir }}/regenerate-a-{{ item }}'
+    path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
     type: dsa
     size: 1024
     regenerate: '{{ item }}'
@@ -275,7 +281,7 @@
 
 - name: "({{ backend }}) Regenerate - adjust key type"
   openssh_keypair:
-    path: '{{ output_dir }}/regenerate-a-{{ item }}'
+    path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
     type: dsa
     size: 1024
     regenerate: '{{ item }}'
@@ -294,8 +300,8 @@
 
 - name: "({{ backend }}) Regenerate - redistribute keys"
   copy:
-    src: '{{ output_dir }}/regenerate-a-always{{ item.1 }}'
+    src: '{{ remote_tmp_dir }}/regenerate-a-always{{ item.1 }}'
-    dest: '{{ output_dir }}/regenerate-a-{{ item.0 }}{{ item.1 }}'
+    dest: '{{ remote_tmp_dir }}/regenerate-a-{{ item.0 }}{{ item.1 }}'
     remote_src: true
   with_nested:
     - "{{ regenerate_values }}"
@@ -304,7 +310,7 @@
 
 - name: "({{ backend }}) Regenerate - adjust comment (check mode)"
   openssh_keypair:
-    path: '{{ output_dir }}/regenerate-a-{{ item }}'
+    path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
     type: dsa
     size: 1024
     comment: test comment
@@ -320,7 +326,7 @@
 
 - name: "({{ backend }}) Regenerate - adjust comment"
   openssh_keypair:
-    path: '{{ output_dir }}/regenerate-a-{{ item }}'
+    path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
     type: dsa
     size: 1024
     comment: test comment

tests/integration/targets/openssh_keypair/tests/state.yml

@@ -6,36 +6,36 @@
 
 - name: "({{ backend }}) Generate key"
   openssh_keypair:
-    path: '{{ output_dir }}/removed'
+    path: '{{ remote_tmp_dir }}/removed'
     backend: "{{ backend }}"
     state: present
 
 - name: "({{ backend }}) Generate key (idempotency)"
   openssh_keypair:
-    path: '{{ output_dir }}/removed'
+    path: '{{ remote_tmp_dir }}/removed'
     backend: "{{ backend }}"
     state: present
 
 - name: "({{ backend }}) Remove key"
   openssh_keypair:
     state: absent
-    path: '{{ output_dir }}/removed'
+    path: '{{ remote_tmp_dir }}/removed'
     backend: "{{ backend }}"
 
 - name: "({{ backend }}) Remove key (idempotency)"
   openssh_keypair:
     state: absent
-    path: '{{ output_dir }}/removed'
+    path: '{{ remote_tmp_dir }}/removed'
     backend: "{{ backend }}"
 
 - name: "({{ backend }}) Check private key status"
   stat:
-    path: '{{ output_dir }}/removed'
+    path: '{{ remote_tmp_dir }}/removed'
   register: removed_private_key
 
 - name: "({{ backend }}) Check public key status"
   stat:
-    path: '{{ output_dir }}/removed.pub'
+    path: '{{ remote_tmp_dir }}/removed.pub'
   register: removed_public_key
 
 - name: "({{ backend }}) Assert key pair files are removed"

tests/integration/targets/openssl_csr/aliases

@@ -1,2 +1,3 @@
+shippable/cloud/group1
 shippable/posix/group1
 destructive

tests/integration/targets/openssl_csr/meta/main.yml

@@ -1,3 +1,4 @@
 dependencies:
   - setup_openssl
   - setup_pyopenssl
+  - setup_remote_tmp_dir

tests/integration/targets/openssl_csr/tasks/impl.yml

@@ -1,13 +1,13 @@
 ---
 - name: "({{ select_crypto_backend }}) Generate privatekey"
   openssl_privatekey:
-    path: '{{ output_dir }}/privatekey.pem'
+    path: '{{ remote_tmp_dir }}/privatekey.pem'
     size: '{{ default_rsa_key_size }}'
 
 - name: "({{ select_crypto_backend }}) Generate CSR (check mode)"
   openssl_csr:
-    path: '{{ output_dir }}/csr.csr'
+    path: '{{ remote_tmp_dir }}/csr.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     select_crypto_backend: '{{ select_crypto_backend }}'
@@ -17,8 +17,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR"
   openssl_csr:
-    path: '{{ output_dir }}/csr.csr'
+    path: '{{ remote_tmp_dir }}/csr.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     select_crypto_backend: '{{ select_crypto_backend }}'
@@ -27,8 +27,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR (idempotent)"
   openssl_csr:
-    path: '{{ output_dir }}/csr.csr'
+    path: '{{ remote_tmp_dir }}/csr.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     select_crypto_backend: '{{ select_crypto_backend }}'
@@ -37,8 +37,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR (idempotent, check mode)"
   openssl_csr:
-    path: '{{ output_dir }}/csr.csr'
+    path: '{{ remote_tmp_dir }}/csr.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     select_crypto_backend: '{{ select_crypto_backend }}'
@@ -48,8 +48,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR without SAN (check mode)"
   openssl_csr:
-    path: '{{ output_dir }}/csr-nosan.csr'
+    path: '{{ remote_tmp_dir }}/csr-nosan.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     useCommonNameForSAN: no
@@ -59,8 +59,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR without SAN"
   openssl_csr:
-    path: '{{ output_dir }}/csr-nosan.csr'
+    path: '{{ remote_tmp_dir }}/csr-nosan.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     useCommonNameForSAN: no
@@ -69,8 +69,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR without SAN (idempotent)"
   openssl_csr:
-    path: '{{ output_dir }}/csr-nosan.csr'
+    path: '{{ remote_tmp_dir }}/csr-nosan.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     useCommonNameForSAN: no
@@ -79,8 +79,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR without SAN (idempotent, check mode)"
   openssl_csr:
-    path: '{{ output_dir }}/csr-nosan.csr'
+    path: '{{ remote_tmp_dir }}/csr-nosan.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     useCommonNameForSAN: no
@@ -94,8 +94,8 @@
 # and vice-versa for biometricInfo
 - name: "({{ select_crypto_backend }}) Generate CSR with KU and XKU"
   openssl_csr:
-    path: '{{ output_dir }}/csr_ku_xku.csr'
+    path: '{{ remote_tmp_dir }}/csr_ku_xku.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       CN: www.ansible.com
     keyUsage:
@@ -110,8 +110,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with KU and XKU (test idempotency)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_ku_xku.csr'
+    path: '{{ remote_tmp_dir }}/csr_ku_xku.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: 'www.ansible.com'
     keyUsage:
@@ -127,8 +127,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with KU and XKU (test XKU change)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_ku_xku.csr'
+    path: '{{ remote_tmp_dir }}/csr_ku_xku.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: 'www.ansible.com'
     keyUsage:
@@ -143,8 +143,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with KU and XKU (test KU change)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_ku_xku.csr'
+    path: '{{ remote_tmp_dir }}/csr_ku_xku.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: 'www.ansible.com'
     keyUsage:
@@ -158,15 +158,15 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with old API"
   openssl_csr:
-    path: '{{ output_dir }}/csr_oldapi.csr'
+    path: '{{ remote_tmp_dir }}/csr_oldapi.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     commonName: www.ansible.com
     select_crypto_backend: '{{ select_crypto_backend }}'
 
 - name: "({{ select_crypto_backend }}) Generate CSR with invalid SAN (1/2)"
   openssl_csr:
-    path: '{{ output_dir }}/csrinvsan.csr'
+    path: '{{ remote_tmp_dir }}/csrinvsan.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject_alt_name: invalid-san.example.com
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: generate_csr_invalid_san
@@ -174,8 +174,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with invalid SAN (2/2)"
   openssl_csr:
-    path: '{{ output_dir }}/csrinvsan2.csr'
+    path: '{{ remote_tmp_dir }}/csrinvsan2.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject_alt_name: "DNS:system:kube-controller-manager"
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: generate_csr_invalid_san_2
@@ -183,16 +183,16 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with OCSP Must Staple"
   openssl_csr:
-    path: '{{ output_dir }}/csr_ocsp.csr'
+    path: '{{ remote_tmp_dir }}/csr_ocsp.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject_alt_name: "DNS:www.ansible.com"
     ocsp_must_staple: true
     select_crypto_backend: '{{ select_crypto_backend }}'
 
 - name: "({{ select_crypto_backend }}) Generate CSR with OCSP Must Staple (test idempotency)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_ocsp.csr'
+    path: '{{ remote_tmp_dir }}/csr_ocsp.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject_alt_name: "DNS:www.ansible.com"
     ocsp_must_staple: true
     select_crypto_backend: '{{ select_crypto_backend }}'
@@ -200,22 +200,22 @@
 
 - name: "({{ select_crypto_backend }}) Generate ECC privatekey"
   openssl_privatekey:
-    path: '{{ output_dir }}/privatekey2.pem'
+    path: '{{ remote_tmp_dir }}/privatekey2.pem'
     type: ECC
     curve: secp384r1
 
 - name: "({{ select_crypto_backend }}) Generate CSR with ECC privatekey"
   openssl_csr:
-    path: '{{ output_dir }}/csr2.csr'
+    path: '{{ remote_tmp_dir }}/csr2.csr'
-    privatekey_path: '{{ output_dir }}/privatekey2.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
     subject:
       commonName: www.ansible.com
     select_crypto_backend: '{{ select_crypto_backend }}'
 
 - name: "({{ select_crypto_backend }}) Generate CSR with text common name"
   openssl_csr:
-    path: '{{ output_dir }}/csr3.csr'
+    path: '{{ remote_tmp_dir }}/csr3.csr'
-    privatekey_path: '{{ output_dir }}/privatekey2.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
     subject:
       commonName: This is for Ansible
     useCommonNameForSAN: no
@@ -223,24 +223,24 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with country name"
   openssl_csr:
-    path: '{{ output_dir }}/csr4.csr'
+    path: '{{ remote_tmp_dir }}/csr4.csr'
-    privatekey_path: '{{ output_dir }}/privatekey2.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
     country_name: de
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: country_idempotent_1
 
 - name: "({{ select_crypto_backend }}) Generate CSR with country name (idempotent)"
   openssl_csr:
-    path: '{{ output_dir }}/csr4.csr'
+    path: '{{ remote_tmp_dir }}/csr4.csr'
-    privatekey_path: '{{ output_dir }}/privatekey2.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
     country_name: de
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: country_idempotent_2
 
 - name: "({{ select_crypto_backend }}) Generate CSR with country name (idempotent 2)"
   openssl_csr:
-    path: '{{ output_dir }}/csr4.csr'
+    path: '{{ remote_tmp_dir }}/csr4.csr'
-    privatekey_path: '{{ output_dir }}/privatekey2.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
     subject:
       C: de
     select_crypto_backend: '{{ select_crypto_backend }}'
@@ -248,8 +248,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with country name (bad country name)"
   openssl_csr:
-    path: '{{ output_dir }}/csr4.csr'
+    path: '{{ remote_tmp_dir }}/csr4.csr'
-    privatekey_path: '{{ output_dir }}/privatekey2.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
     subject:
       C: dex
     select_crypto_backend: '{{ select_crypto_backend }}'
@@ -258,7 +258,7 @@
 
 - name: "({{ select_crypto_backend }}) Generate privatekey with password"
   openssl_privatekey:
-    path: '{{ output_dir }}/privatekeypw.pem'
+    path: '{{ remote_tmp_dir }}/privatekeypw.pem'
     passphrase: hunter2
     cipher: auto
     select_crypto_backend: cryptography
@@ -266,16 +266,16 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with privatekey passphrase"
   openssl_csr:
-    path: '{{ output_dir }}/csr_pw.csr'
+    path: '{{ remote_tmp_dir }}/csr_pw.csr'
-    privatekey_path: '{{ output_dir }}/privatekeypw.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
     privatekey_passphrase: hunter2
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: passphrase_1
 
 - name: "({{ select_crypto_backend }}) Generate CSR (failed passphrase 1)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_pw1.csr'
+    path: '{{ remote_tmp_dir }}/csr_pw1.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     privatekey_passphrase: hunter2
     select_crypto_backend: '{{ select_crypto_backend }}'
   ignore_errors: yes
@@ -283,8 +283,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR (failed passphrase 2)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_pw2.csr'
+    path: '{{ remote_tmp_dir }}/csr_pw2.csr'
-    privatekey_path: '{{ output_dir }}/privatekeypw.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
     privatekey_passphrase: wrong_password
     select_crypto_backend: '{{ select_crypto_backend }}'
   ignore_errors: yes
@@ -292,20 +292,20 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR (failed passphrase 3)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_pw3.csr'
+    path: '{{ remote_tmp_dir }}/csr_pw3.csr'
-    privatekey_path: '{{ output_dir }}/privatekeypw.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
     select_crypto_backend: '{{ select_crypto_backend }}'
   ignore_errors: yes
   register: passphrase_error_3
 
 - name: "({{ select_crypto_backend }}) Create broken CSR"
   copy:
-    dest: "{{ output_dir }}/csrbroken.csr"
+    dest: "{{ remote_tmp_dir }}/csrbroken.csr"
     content: "broken"
 - name: "({{ select_crypto_backend }}) Regenerate broken CSR"
   openssl_csr:
-    path: '{{ output_dir }}/csrbroken.csr'
+    path: '{{ remote_tmp_dir }}/csrbroken.csr'
-    privatekey_path: '{{ output_dir }}/privatekey2.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
     subject:
       commonName: This is for Ansible
     useCommonNameForSAN: no
@@ -314,8 +314,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR"
   openssl_csr:
-    path: '{{ output_dir }}/csr_backup.csr'
+    path: '{{ remote_tmp_dir }}/csr_backup.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     backup: yes
@@ -323,8 +323,8 @@
   register: csr_backup_1
 - name: "({{ select_crypto_backend }}) Generate CSR (idempotent)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_backup.csr'
+    path: '{{ remote_tmp_dir }}/csr_backup.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     backup: yes
@@ -332,8 +332,8 @@
   register: csr_backup_2
 - name: "({{ select_crypto_backend }}) Generate CSR (change)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_backup.csr'
+    path: '{{ remote_tmp_dir }}/csr_backup.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: ansible.com
     backup: yes
@@ -341,7 +341,7 @@
   register: csr_backup_3
 - name: "({{ select_crypto_backend }}) Generate CSR (remove)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_backup.csr'
+    path: '{{ remote_tmp_dir }}/csr_backup.csr'
     state: absent
     backup: yes
     select_crypto_backend: '{{ select_crypto_backend }}'
@@ -349,7 +349,7 @@
   register: csr_backup_4
 - name: "({{ select_crypto_backend }}) Generate CSR (remove, idempotent)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_backup.csr'
+    path: '{{ remote_tmp_dir }}/csr_backup.csr'
     state: absent
     backup: yes
     select_crypto_backend: '{{ select_crypto_backend }}'
@@ -357,8 +357,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier"
   openssl_csr:
-    path: '{{ output_dir }}/csr_ski.csr'
+    path: '{{ remote_tmp_dir }}/csr_ski.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     subject_key_identifier: "00:11:22:33"
@@ -368,8 +368,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (idempotency)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_ski.csr'
+    path: '{{ remote_tmp_dir }}/csr_ski.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     subject_key_identifier: "00:11:22:33"
@@ -379,8 +379,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (change)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_ski.csr'
+    path: '{{ remote_tmp_dir }}/csr_ski.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     subject_key_identifier: "44:55:66:77:88"
@@ -390,8 +390,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (auto-create)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_ski.csr'
+    path: '{{ remote_tmp_dir }}/csr_ski.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     create_subject_key_identifier: yes
@@ -401,8 +401,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (auto-create idempotency)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_ski.csr'
+    path: '{{ remote_tmp_dir }}/csr_ski.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     create_subject_key_identifier: yes
@@ -412,8 +412,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (remove)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_ski.csr'
+    path: '{{ remote_tmp_dir }}/csr_ski.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     select_crypto_backend: '{{ select_crypto_backend }}'
@@ -422,8 +422,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with authority key identifier"
   openssl_csr:
-    path: '{{ output_dir }}/csr_aki.csr'
+    path: '{{ remote_tmp_dir }}/csr_aki.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     authority_key_identifier: "00:11:22:33"
@@ -433,8 +433,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with authority key identifier (idempotency)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_aki.csr'
+    path: '{{ remote_tmp_dir }}/csr_aki.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     authority_key_identifier: "00:11:22:33"
@@ -444,8 +444,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with authority key identifier (change)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_aki.csr'
+    path: '{{ remote_tmp_dir }}/csr_aki.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     authority_key_identifier: "44:55:66:77:88"
@@ -455,8 +455,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with authority key identifier (remove)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_aki.csr'
+    path: '{{ remote_tmp_dir }}/csr_aki.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     select_crypto_backend: '{{ select_crypto_backend }}'
@@ -465,8 +465,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number"
   openssl_csr:
-    path: '{{ output_dir }}/csr_acisn.csr'
+    path: '{{ remote_tmp_dir }}/csr_acisn.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     authority_cert_issuer:
@@ -479,8 +479,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number (idempotency)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_acisn.csr'
+    path: '{{ remote_tmp_dir }}/csr_acisn.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     authority_cert_issuer:
@@ -493,8 +493,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number (change issuer)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_acisn.csr'
+    path: '{{ remote_tmp_dir }}/csr_acisn.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     authority_cert_issuer:
@@ -507,8 +507,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number (change serial number)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_acisn.csr'
+    path: '{{ remote_tmp_dir }}/csr_acisn.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     authority_cert_issuer:
@@ -521,8 +521,8 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number (remove)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_acisn.csr'
+    path: '{{ remote_tmp_dir }}/csr_acisn.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
   when: select_crypto_backend != 'pyopenssl'
@@ -530,20 +530,20 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with everything"
   openssl_csr:
-    path: '{{ output_dir }}/csr_everything.csr'
+    path: '{{ remote_tmp_dir }}/csr_everything.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.example.com
       C: de
       L: Somewhere
-      ST: Zurich
+      ST: Zürich
-      streetAddress: Welcome Street
+      streetAddress: Welcome Street N° 5
-      O: Ansible
+      O: Ansiblé
-      organizationalUnitName: Crypto Department
+      organizationalUnitName: Crÿpto Depârtment ☺
       serialNumber: "1234"
-      SN: Last Name
+      SN: Last Name Which Happens To Be A Very Løng String With A Lot Of Spaces, Jr.
       GN: First Name
-      title: Chief
+      title: Chïeff
       pseudonym: test
       UID: asdf
       emailAddress: test@example.com
@@ -638,20 +638,20 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with everything (idempotent, check mode)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_everything.csr'
+    path: '{{ remote_tmp_dir }}/csr_everything.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
-      commonName: www.example.com
+      CN: www.example.com
-      C: de
+      countryName: de
       L: Somewhere
-      ST: Zurich
+      ST: Zürich
-      streetAddress: Welcome Street
+      streetAddress: Welcome Street N° 5
-      O: Ansible
+      organizationName: Ansiblé
-      organizationalUnitName: Crypto Department
+      organizationalUnitName: Crÿpto Depârtment ☺
       serialNumber: "1234"
-      SN: Last Name
+      SN: Last Name Which Happens To Be A Very Løng String With A Lot Of Spaces, Jr.
       GN: First Name
-      title: Chief
+      title: Chïeff
       pseudonym: test
       UID: asdf
       emailAddress: test@example.com
@@ -747,20 +747,20 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR with everything (idempotent)"
   openssl_csr:
-    path: '{{ output_dir }}/csr_everything.csr'
+    path: '{{ remote_tmp_dir }}/csr_everything.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
-      commonName: www.example.com
+      CN: www.example.com
-      C: de
+      countryName: de
       L: Somewhere
-      ST: Zurich
+      ST: Zürich
-      streetAddress: Welcome Street
+      streetAddress: Welcome Street N° 5
-      O: Ansible
+      organizationName: Ansiblé
-      organizationalUnitName: Crypto Department
+      organizationalUnitName: Crÿpto Depârtment ☺
       serialNumber: "1234"
-      SN: Last Name
+      SN: Last Name Which Happens To Be A Very Løng String With A Lot Of Spaces, Jr.
       GN: First Name
-      title: Chief
+      title: Chïeff
       pseudonym: test
       UID: asdf
       emailAddress: test@example.com
@@ -855,7 +855,7 @@
 
 - name: "({{ select_crypto_backend }}) Get info from CSR with everything"
   community.crypto.openssl_csr_info:
-    path: '{{ output_dir }}/csr_everything.csr'
+    path: '{{ remote_tmp_dir }}/csr_everything.csr'
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: everything_info
 
@@ -863,7 +863,7 @@
   block:
     - name: "({{ select_crypto_backend }}) Generate privatekeys"
       openssl_privatekey:
-        path: '{{ output_dir }}/privatekey_{{ item }}.pem'
+        path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem'
         type: '{{ item }}'
       loop:
         - Ed25519
@@ -877,8 +877,8 @@
 
         - name: "({{ select_crypto_backend }}) Generate CSR"
           openssl_csr:
-            path: '{{ output_dir }}/csr_{{ item }}.csr'
+            path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr'
-            privatekey_path: '{{ output_dir }}/privatekey_{{ item }}.pem'
+            privatekey_path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem'
             subject:
               commonName: www.ansible.com
             select_crypto_backend: '{{ select_crypto_backend }}'
@@ -890,8 +890,8 @@
 
         - name: "({{ select_crypto_backend }}) Generate CSR (idempotent)"
           openssl_csr:
-            path: '{{ output_dir }}/csr_{{ item }}.csr'
+            path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr'
-            privatekey_path: '{{ output_dir }}/privatekey_{{ item }}.pem'
+            privatekey_path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem'
             subject:
               commonName: www.ansible.com
             select_crypto_backend: '{{ select_crypto_backend }}'
@@ -907,8 +907,8 @@
   block:
     - name: "({{ select_crypto_backend }}) Create CSR with CRL distribution endpoints"
       openssl_csr:
-        path: '{{ output_dir }}/csr_crl_d_e.csr'
+        path: '{{ remote_tmp_dir }}/csr_crl_d_e.csr'
-        privatekey_path: '{{ output_dir }}/privatekey.pem'
+        privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
         subject:
           commonName: www.ansible.com
         crl_distribution_points:
@@ -930,8 +930,8 @@
 
     - name: "({{ select_crypto_backend }}) Create CSR with CRL distribution endpoints (idempotence)"
       openssl_csr:
-        path: '{{ output_dir }}/csr_crl_d_e.csr'
+        path: '{{ remote_tmp_dir }}/csr_crl_d_e.csr'
-        privatekey_path: '{{ output_dir }}/privatekey.pem'
+        privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
         subject:
           commonName: www.ansible.com
         crl_distribution_points:
@@ -953,8 +953,8 @@
 
     - name: "({{ select_crypto_backend }}) Create CSR with CRL distribution endpoints (change)"
       openssl_csr:
-        path: '{{ output_dir }}/csr_crl_d_e.csr'
+        path: '{{ remote_tmp_dir }}/csr_crl_d_e.csr'
-        privatekey_path: '{{ output_dir }}/privatekey.pem'
+        privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
         subject:
           commonName: www.ansible.com
         crl_distribution_points:
@@ -975,8 +975,8 @@
 
     - name: "({{ select_crypto_backend }}) Create CSR with CRL distribution endpoints (no endpoints)"
       openssl_csr:
-        path: '{{ output_dir }}/csr_crl_d_e.csr'
+        path: '{{ remote_tmp_dir }}/csr_crl_d_e.csr'
-        privatekey_path: '{{ output_dir }}/privatekey.pem'
+        privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
         subject:
           commonName: www.ansible.com
         select_crypto_backend: '{{ select_crypto_backend }}'
@@ -984,8 +984,8 @@
 
     - name: "({{ select_crypto_backend }}) Create CSR with CRL distribution endpoints"
       openssl_csr:
-        path: '{{ output_dir }}/csr_crl_d_e.csr'
+        path: '{{ remote_tmp_dir }}/csr_crl_d_e.csr'
-        privatekey_path: '{{ output_dir }}/privatekey.pem'
+        privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
         subject:
           commonName: www.ansible.com
         crl_distribution_points:

tests/integration/targets/openssl_csr/tasks/main.yml

@@ -6,12 +6,12 @@
 
 - name: Prepare private key for backend autodetection test
   openssl_privatekey:
-    path: '{{ output_dir }}/privatekey_backend_selection.pem'
+    path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
     size: '{{ default_rsa_key_size }}'
 - name: Run module with backend autodetection
   openssl_csr:
-    path: '{{ output_dir }}/csr_backend_selection.csr'
+    path: '{{ remote_tmp_dir }}/csr_backend_selection.csr'
-    privatekey_path: '{{ output_dir }}/privatekey_backend_selection.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
     subject:
       commonName: www.ansible.com
 
@@ -29,12 +29,12 @@
 
 - name: Remove output directory
   file:
-    path: "{{ output_dir }}"
+    path: "{{ remote_tmp_dir }}"
     state: absent
 
 - name: Re-create output directory
   file:
-    path: "{{ output_dir }}"
+    path: "{{ remote_tmp_dir }}"
     state: directory
 
 - block:

tests/integration/targets/openssl_csr/tests/validate.yml

@@ -1,14 +1,14 @@
 ---
 - name: "({{ select_crypto_backend }}) Validate CSR (test - privatekey modulus)"
-  shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
+  shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
   register: privatekey_modulus
 
 - name: "({{ select_crypto_backend }}) Validate CSR (test - Common Name)"
-  shell: "{{ openssl_binary }} req -noout -subject -in {{ output_dir }}/csr.csr -nameopt oneline,-space_eq"
+  shell: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr.csr -nameopt oneline,-space_eq"
   register: csr_cn
 
 - name: "({{ select_crypto_backend }}) Validate CSR (test - csr modulus)"
-  shell: '{{ openssl_binary }} req -noout -modulus -in {{ output_dir }}/csr.csr'
+  shell: '{{ openssl_binary }} req -noout -modulus -in {{ remote_tmp_dir }}/csr.csr'
   register: csr_modulus
 
 - name: "({{ select_crypto_backend }}) Validate CSR (assert)"
@@ -25,11 +25,16 @@
       - generate_csr_idempotent is not changed
       - generate_csr_idempotent_check is not changed
 
+- name: "({{ select_crypto_backend }}) Read CSR"
+  slurp:
+    src: '{{ remote_tmp_dir }}/csr.csr'
+  register: slurp
+
 - name: "({{ select_crypto_backend }}) Validate CSR (data retrieval)"
   assert:
     that:
       - generate_csr_check.csr is none
-      - generate_csr.csr == lookup('file', output_dir ~ '/csr.csr', rstrip=False)
+      - generate_csr.csr == (slurp.content | b64decode)
       - generate_csr.csr == generate_csr_idempotent.csr
       - generate_csr.csr == generate_csr_idempotent_check.csr
 
@@ -49,11 +54,11 @@
       - csr_ku_xku_change_2 is changed
 
 - name: "({{ select_crypto_backend }}) Validate old_API CSR (test - Common Name)"
-  shell: "{{ openssl_binary }} req -noout -subject -in {{ output_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"
+  shell: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"
   register: csr_oldapi_cn
 
 - name: "({{ select_crypto_backend }}) Validate old_API CSR (test - csr modulus)"
-  shell: '{{ openssl_binary }} req -noout -modulus -in {{ output_dir }}/csr_oldapi.csr'
+  shell: '{{ openssl_binary }} req -noout -modulus -in {{ remote_tmp_dir }}/csr_oldapi.csr'
   register: csr_oldapi_modulus
 
 - name: "({{ select_crypto_backend }}) Validate old_API CSR (assert)"
@@ -78,7 +83,7 @@
   when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.0', '<')
 
 - name: "({{ select_crypto_backend }}) Validate OCSP Must Staple CSR (test - everything)"
-  shell: "{{ openssl_binary }} req -noout -in {{ output_dir }}/csr_ocsp.csr -text"
+  shell: "{{ openssl_binary }} req -noout -in {{ remote_tmp_dir }}/csr_ocsp.csr -text"
   register: csr_ocsp
 
 - name: "({{ select_crypto_backend }}) Validate OCSP Must Staple CSR (assert)"
@@ -93,15 +98,15 @@
       - csr_ocsp_idempotency is not changed
 
 - name: "({{ select_crypto_backend }}) Validate ECC CSR (test - privatekey's public key)"
-  shell: '{{ openssl_binary }} ec -pubout -in {{ output_dir }}/privatekey2.pem'
+  shell: '{{ openssl_binary }} ec -pubout -in {{ remote_tmp_dir }}/privatekey2.pem'
   register: privatekey_ecc_key
 
 - name: "({{ select_crypto_backend }}) Validate ECC CSR (test - Common Name)"
-  shell: "{{ openssl_binary }} req -noout -subject -in {{ output_dir }}/csr2.csr -nameopt oneline,-space_eq"
+  shell: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr2.csr -nameopt oneline,-space_eq"
   register: csr_ecc_cn
 
 - name: "({{ select_crypto_backend }}) Validate ECC CSR (test - CSR pubkey)"
-  shell: '{{ openssl_binary }} req -noout -pubkey -in {{ output_dir }}/csr2.csr'
+  shell: '{{ openssl_binary }} req -noout -pubkey -in {{ remote_tmp_dir }}/csr2.csr'
   register: csr_ecc_pubkey
 
 - name: "({{ select_crypto_backend }}) Validate ECC CSR (assert)"
@@ -111,7 +116,7 @@
       - csr_ecc_pubkey.stdout == privatekey_ecc_key.stdout
 
 - name: "({{ select_crypto_backend }}) Validate CSR (text common name - Common Name)"
-  shell: "{{ openssl_binary }} req -noout -subject -in {{ output_dir }}/csr3.csr -nameopt oneline,-space_eq"
+  shell: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr3.csr -nameopt oneline,-space_eq"
   register: csr3_cn
 
 - name: "({{ select_crypto_backend }}) Validate CSR (assert)"
@@ -219,16 +224,16 @@
       - everything_info.subject.emailAddress == "test@example.com"
       - everything_info.subject.givenName == "First Name"
       - everything_info.subject.localityName == "Somewhere"
-      - everything_info.subject.organizationName == "Ansible"
+      - everything_info.subject.organizationName == "Ansiblé"
-      - everything_info.subject.organizationalUnitName == "Crypto Department"
+      - everything_info.subject.organizationalUnitName == "Crÿpto Depârtment ☺"
       - everything_info.subject.postalAddress == "1234 Somewhere"
       - everything_info.subject.postalCode == "1234"
       - everything_info.subject.pseudonym == "test"
       - everything_info.subject.serialNumber == "1234"
-      - everything_info.subject.stateOrProvinceName == "Zurich"
+      - everything_info.subject.stateOrProvinceName == "Zürich"
-      - everything_info.subject.streetAddress == "Welcome Street"
+      - everything_info.subject.streetAddress == "Welcome Street N° 5"
-      - everything_info.subject.surname == "Last Name"
+      - everything_info.subject.surname == "Last Name Which Happens To Be A Very Løng String With A Lot Of Spaces, Jr."
-      - everything_info.subject.title == "Chief"
+      - everything_info.subject.title == "Chïeff"
       - everything_info.subject.userId == "asdf"
       - everything_info.subject | length == 16
       - everything_info.subject_alt_name_critical == false

tests/integration/targets/openssl_csr_info/aliases

@@ -1,2 +1,3 @@
+shippable/cloud/group1
 shippable/posix/group1
 destructive

tests/integration/targets/openssl_csr_info/meta/main.yml

@@ -1,3 +1,5 @@
 dependencies:
   - setup_openssl
   - setup_pyopenssl
+  - setup_remote_tmp_dir
+  - prepare_jinja2_compat

tests/integration/targets/openssl_csr_info/tasks/impl.yml

@@ -4,11 +4,11 @@
 
 - name: "({{ select_crypto_backend }}) Get CSR info"
   openssl_csr_info:
-    path: '{{ output_dir }}/csr_1.csr'
+    path: '{{ remote_tmp_dir }}/csr_1.csr'
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: result
 
-- name: "({{ select_crypto_backend }}) Check whether subject behaves as expected"
+- name: "({{ select_crypto_backend }}) Check whether subject and extensions behaves as expected"
   assert:
     that:
       - result.subject.organizationalUnitName == 'ACME Department'
@@ -16,6 +16,21 @@
       - "['organizationalUnitName', 'ACME Department'] in result.subject_ordered"
       - result.public_key_type == 'RSA'
       - result.public_key_data.size == default_rsa_key_size
+      # TLS Feature
+      - result.extensions_by_oid['1.3.6.1.5.5.7.1.24'].critical == false
+      - result.extensions_by_oid['1.3.6.1.5.5.7.1.24'].value == 'MAMCAQU='
+      # Key Usage
+      - result.extensions_by_oid['2.5.29.15'].critical == true
+      - result.extensions_by_oid['2.5.29.15'].value in ['AwMA/4A=', 'AwMH/4A=']
+      # Subject Alternative Names
+      - result.extensions_by_oid['2.5.29.17'].critical == false
+      - result.extensions_by_oid['2.5.29.17'].value == 'MGCCD3d3dy5hbnNpYmxlLmNvbYcEAQIDBIcQAAAAAAAAAAAAAAAAAAAAAYEQdGVzdEBleGFtcGxlLm9yZ4YjaHR0cHM6Ly9leGFtcGxlLm9yZy90ZXN0L2luZGV4Lmh0bWw='
+      # Basic Constraints
+      - result.extensions_by_oid['2.5.29.19'].critical == true
+      - result.extensions_by_oid['2.5.29.19'].value == 'MAYBAf8CARc='
+      # Extended Key Usage
+      - result.extensions_by_oid['2.5.29.37'].critical == false
+      - result.extensions_by_oid['2.5.29.37'].value == 'MHQGCCsGAQUFBwMBBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBgRVHSUABggrBgEFBQcBAwYIKwYBBQUHAwoGCCsGAQUFBwMHBggrBgEFBQcBAg=='
 
 - name: "({{ select_crypto_backend }}) Check SubjectKeyIdentifier and AuthorityKeyIdentifier"
   assert:
@@ -24,6 +39,10 @@
       - result.authority_key_identifier == "44:55:66:77"
       - result.authority_cert_issuer == expected_authority_cert_issuer
       - result.authority_cert_serial_number == 12345
+      # Subject Key Identifier
+      - result.extensions_by_oid['2.5.29.14'].critical == false
+      # Authority Key Identifier
+      - result.extensions_by_oid['2.5.29.35'].critical == false
   vars:
     expected_authority_cert_issuer:
       - "DNS:ca.example.org"
@@ -34,9 +53,14 @@
   set_fact:
     info_results: "{{ info_results + [result] }}"
 
+- name: "({{ select_crypto_backend }}) Read CSR"
+  slurp:
+    src: '{{ remote_tmp_dir }}/csr_1.csr'
+  register: slurp
+
 - name: "({{ select_crypto_backend }}) Get CSR info directly"
   openssl_csr_info:
-    content: '{{ lookup("file", output_dir ~ "/csr_1.csr") }}'
+    content: '{{ slurp.content | b64decode }}'
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: result_direct
 
@@ -47,7 +71,7 @@
 
 - name: "({{ select_crypto_backend }}) Get CSR info"
   openssl_csr_info:
-    path: '{{ output_dir }}/csr_2.csr'
+    path: '{{ remote_tmp_dir }}/csr_2.csr'
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: result
 
@@ -57,7 +81,7 @@
 
 - name: "({{ select_crypto_backend }}) Get CSR info"
   openssl_csr_info:
-    path: '{{ output_dir }}/csr_3.csr'
+    path: '{{ remote_tmp_dir }}/csr_3.csr'
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: result
 
@@ -79,7 +103,7 @@
 
 - name: "({{ select_crypto_backend }}) Get CSR info"
   openssl_csr_info:
-    path: '{{ output_dir }}/csr_4.csr'
+    path: '{{ remote_tmp_dir }}/csr_4.csr'
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: result
 

tests/integration/targets/openssl_csr_info/tasks/main.yml

@@ -6,12 +6,12 @@
 
 - name: Generate privatekey
   openssl_privatekey:
-    path: '{{ output_dir }}/privatekey.pem'
+    path: '{{ remote_tmp_dir }}/privatekey.pem'
     size: '{{ default_rsa_key_size }}'
 
 - name: Generate privatekey with password
   openssl_privatekey:
-    path: '{{ output_dir }}/privatekeypw.pem'
+    path: '{{ remote_tmp_dir }}/privatekeypw.pem'
     passphrase: hunter2
     cipher: auto
     select_crypto_backend: cryptography
@@ -19,8 +19,8 @@
 
 - name: Generate CSR 1
   openssl_csr:
-    path: '{{ output_dir }}/csr_1.csr'
+    path: '{{ remote_tmp_dir }}/csr_1.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.example.com
       C: de
@@ -87,8 +87,8 @@
 
 - name: Generate CSR 2
   openssl_csr:
-    path: '{{ output_dir }}/csr_2.csr'
+    path: '{{ remote_tmp_dir }}/csr_2.csr'
-    privatekey_path: '{{ output_dir }}/privatekeypw.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
     privatekey_passphrase: hunter2
     useCommonNameForSAN: no
     basic_constraints:
@@ -96,8 +96,8 @@
 
 - name: Generate CSR 3
   openssl_csr:
-    path: '{{ output_dir }}/csr_3.csr'
+    path: '{{ remote_tmp_dir }}/csr_3.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     useCommonNameForSAN: no
     subject_alt_name:
       - "DNS:*.ansible.com"
@@ -114,8 +114,8 @@
 
 - name: Generate CSR 4
   openssl_csr:
-    path: '{{ output_dir }}/csr_4.csr'
+    path: '{{ remote_tmp_dir }}/csr_4.csr'
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     useCommonNameForSAN: no
     authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
 

tests/integration/targets/openssl_csr_info/test_plugins/jinja_compatibility.py

@@ -1,15 +0,0 @@
-from __future__ import (absolute_import, division, print_function)
-__metaclass__ = type
-
-
-def compatibility_in_test(a, b):
-    return a in b
-
-
-class TestModule:
-    ''' Ansible math jinja2 tests '''
-
-    def tests(self):
-        return {
-            'in': compatibility_in_test,
-        }

tests/integration/targets/openssl_csr_pipe/aliases

@@ -1,2 +1,3 @@
+shippable/cloud/group1
 shippable/posix/group1
 destructive

tests/integration/targets/openssl_csr_pipe/meta/main.yml

@@ -1,3 +1,4 @@
 dependencies:
   - setup_openssl
   - setup_pyopenssl
+  - setup_remote_tmp_dir

tests/integration/targets/openssl_csr_pipe/tasks/impl.yml

@@ -1,12 +1,12 @@
 ---
 - name: "({{ select_crypto_backend }}) Generate privatekey"
   openssl_privatekey:
-    path: '{{ output_dir }}/privatekey.pem'
+    path: '{{ remote_tmp_dir }}/privatekey.pem'
     size: '{{ default_rsa_key_size }}'
 
 - name: "({{ select_crypto_backend }}) Generate CSR (check mode)"
   openssl_csr_pipe:
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     select_crypto_backend: '{{ select_crypto_backend }}'
@@ -15,7 +15,7 @@
 
 - name: "({{ select_crypto_backend }}) Generate CSR"
   openssl_csr_pipe:
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     select_crypto_backend: '{{ select_crypto_backend }}'
@@ -24,7 +24,7 @@
 - name: "({{ select_crypto_backend }}) Generate CSR (idempotent)"
   openssl_csr_pipe:
     content: "{{ generate_csr.csr }}"
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     select_crypto_backend: '{{ select_crypto_backend }}'
@@ -33,7 +33,7 @@
 - name: "({{ select_crypto_backend }}) Generate CSR (idempotent, check mode)"
   openssl_csr_pipe:
     content: "{{ generate_csr.csr }}"
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: www.ansible.com
     select_crypto_backend: '{{ select_crypto_backend }}'
@@ -43,7 +43,7 @@
 - name: "({{ select_crypto_backend }}) Generate CSR (changed)"
   openssl_csr_pipe:
     content: "{{ generate_csr.csr }}"
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: ansible.com
     select_crypto_backend: '{{ select_crypto_backend }}'
@@ -52,7 +52,7 @@
 - name: "({{ select_crypto_backend }}) Generate CSR (changed, check mode)"
   openssl_csr_pipe:
     content: "{{ generate_csr.csr }}"
-    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     subject:
       commonName: ansible.com
     select_crypto_backend: '{{ select_crypto_backend }}'
@@ -60,7 +60,7 @@
   register: generate_csr_changed_check
 
 - name: "({{ select_crypto_backend }}) Validate CSR (test - privatekey modulus)"
-  shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
+  shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
   register: privatekey_modulus
 
 - name: "({{ select_crypto_backend }}) Validate CSR (test - Common Name)"

tests/integration/targets/openssl_csr_pipe/tasks/main.yml

@@ -6,11 +6,11 @@
 
 - name: Prepare private key for backend autodetection test
   openssl_privatekey:
-    path: '{{ output_dir }}/privatekey_backend_selection.pem'
+    path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
     size: '{{ default_rsa_key_size }}'
 - name: Run module with backend autodetection
   openssl_csr_pipe:
-    privatekey_path: '{{ output_dir }}/privatekey_backend_selection.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
     subject:
       commonName: www.ansible.com
 
@@ -24,12 +24,12 @@
 
 - name: Remove output directory
   file:
-    path: "{{ output_dir }}"
+    path: "{{ remote_tmp_dir }}"
     state: absent
 
 - name: Re-create output directory
   file:
-    path: "{{ output_dir }}"
+    path: "{{ remote_tmp_dir }}"
     state: directory
 
 - block:

tests/integration/targets/openssl_dhparam/aliases

@@ -1,2 +1,3 @@
+shippable/cloud/group1
 shippable/posix/group1
 destructive

tests/integration/targets/openssl_dhparam/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
   - setup_openssl
+  - setup_remote_tmp_dir

tests/integration/targets/openssl_dhparam/tasks/impl.yml

@@ -4,7 +4,7 @@
 - name: "[{{ select_crypto_backend }}] Generate parameter (check mode)"
   openssl_dhparam:
     size: 768
-    path: '{{ output_dir }}/dh768.pem'
+    path: '{{ remote_tmp_dir }}/dh768.pem'
     select_crypto_backend: "{{ select_crypto_backend }}"
     return_content: yes
   check_mode: true
@@ -13,7 +13,7 @@
 - name: "[{{ select_crypto_backend }}] Generate parameter"
   openssl_dhparam:
     size: 768
-    path: '{{ output_dir }}/dh768.pem'
+    path: '{{ remote_tmp_dir }}/dh768.pem'
     select_crypto_backend: "{{ select_crypto_backend }}"
     return_content: yes
   register: dhparam
@@ -21,7 +21,7 @@
 - name: "[{{ select_crypto_backend }}] Don't regenerate parameters with no change (check mode)"
   openssl_dhparam:
     size: 768
-    path: '{{ output_dir }}/dh768.pem'
+    path: '{{ remote_tmp_dir }}/dh768.pem'
     select_crypto_backend: "{{ select_crypto_backend }}"
     return_content: yes
   check_mode: true
@@ -30,39 +30,39 @@
 - name: "[{{ select_crypto_backend }}] Don't regenerate parameters with no change"
   openssl_dhparam:
     size: 768
-    path: '{{ output_dir }}/dh768.pem'
+    path: '{{ remote_tmp_dir }}/dh768.pem'
     select_crypto_backend: "{{ select_crypto_backend }}"
     return_content: yes
   register: dhparam_changed
 
 - name: "[{{ select_crypto_backend }}] Generate parameters with size option"
   openssl_dhparam:
-    path: '{{ output_dir }}/dh512.pem'
+    path: '{{ remote_tmp_dir }}/dh512.pem'
     size: 512
     select_crypto_backend: "{{ select_crypto_backend }}"
 
 - name: "[{{ select_crypto_backend }}] Don't regenerate parameters with size option and no change"
   openssl_dhparam:
-    path: '{{ output_dir }}/dh512.pem'
+    path: '{{ remote_tmp_dir }}/dh512.pem'
     size: 512
     select_crypto_backend: "{{ select_crypto_backend }}"
   register: dhparam_changed_512
 
 - copy:
-    src: '{{ output_dir }}/dh768.pem'
+    src: '{{ remote_tmp_dir }}/dh768.pem'
     remote_src: yes
-    dest: '{{ output_dir }}/dh512.pem'
+    dest: '{{ remote_tmp_dir }}/dh512.pem'
 
 - name: "[{{ select_crypto_backend }}] Re-generate if size is different"
   openssl_dhparam:
-    path: '{{ output_dir }}/dh512.pem'
+    path: '{{ remote_tmp_dir }}/dh512.pem'
     size: 512
     select_crypto_backend: "{{ select_crypto_backend }}"
   register: dhparam_changed_to_512
 
 - name: "[{{ select_crypto_backend }}] Force re-generate parameters with size option"
   openssl_dhparam:
-    path: '{{ output_dir }}/dh512.pem'
+    path: '{{ remote_tmp_dir }}/dh512.pem'
     size: 512
     force: yes
     select_crypto_backend: "{{ select_crypto_backend }}"
@@ -70,11 +70,11 @@
 
 - name: "[{{ select_crypto_backend }}] Create broken params"
   copy:
-    dest: "{{ output_dir }}/dhbroken.pem"
+    dest: "{{ remote_tmp_dir }}/dhbroken.pem"
     content: "broken"
 - name: "[{{ select_crypto_backend }}] Regenerate broken params"
   openssl_dhparam:
-    path: '{{ output_dir }}/dhbroken.pem'
+    path: '{{ remote_tmp_dir }}/dhbroken.pem'
     size: 512
     force: yes
     select_crypto_backend: "{{ select_crypto_backend }}"
@@ -82,21 +82,21 @@
 
 - name: "[{{ select_crypto_backend }}] Generate params"
   openssl_dhparam:
-    path: '{{ output_dir }}/dh_backup.pem'
+    path: '{{ remote_tmp_dir }}/dh_backup.pem'
     size: 512
     backup: yes
     select_crypto_backend: "{{ select_crypto_backend }}"
   register: dhparam_backup_1
 - name: "[{{ select_crypto_backend }}] Generate params (idempotent)"
   openssl_dhparam:
-    path: '{{ output_dir }}/dh_backup.pem'
+    path: '{{ remote_tmp_dir }}/dh_backup.pem'
     size: 512
     backup: yes
     select_crypto_backend: "{{ select_crypto_backend }}"
   register: dhparam_backup_2
 - name: "[{{ select_crypto_backend }}] Generate params (change)"
   openssl_dhparam:
-    path: '{{ output_dir }}/dh_backup.pem'
+    path: '{{ remote_tmp_dir }}/dh_backup.pem'
     size: 512
     force: yes
     backup: yes
@@ -104,7 +104,7 @@
   register: dhparam_backup_3
 - name: "[{{ select_crypto_backend }}] Generate params (remove)"
   openssl_dhparam:
-    path: '{{ output_dir }}/dh_backup.pem'
+    path: '{{ remote_tmp_dir }}/dh_backup.pem'
     state: absent
     backup: yes
     select_crypto_backend: "{{ select_crypto_backend }}"
@@ -112,7 +112,7 @@
   register: dhparam_backup_4
 - name: "[{{ select_crypto_backend }}] Generate params (remove, idempotent)"
   openssl_dhparam:
-    path: '{{ output_dir }}/dh_backup.pem'
+    path: '{{ remote_tmp_dir }}/dh_backup.pem'
     state: absent
     backup: yes
     select_crypto_backend: "{{ select_crypto_backend }}"

tests/integration/targets/openssl_dhparam/tasks/main.yml

@@ -9,7 +9,7 @@
 
 - name: Run module with backend autodetection
   openssl_dhparam:
-    path: '{{ output_dir }}/dh_backend_selection.pem'
+    path: '{{ remote_tmp_dir }}/dh_backend_selection.pem'
     size: 512
 
 - block:
@@ -24,12 +24,12 @@
 
 - name: Remove output directory
   file:
-    path: "{{ output_dir }}"
+    path: "{{ remote_tmp_dir }}"
     state: absent
 
 - name: Re-create output directory
   file:
-    path: "{{ output_dir }}"
+    path: "{{ remote_tmp_dir }}"
     state: directory
 
 - block:

tests/integration/targets/openssl_dhparam/tests/validate.yml

@@ -1,12 +1,12 @@
 ---
 - name: "[{{ select_crypto_backend }}] Validate generated params"
-  shell: '{{ openssl_binary }} dhparam -in {{ output_dir }}/{{ item }}.pem -noout -check'
+  shell: '{{ openssl_binary }} dhparam -in {{ remote_tmp_dir }}/{{ item }}.pem -noout -check'
   with_items:
     - dh768
     - dh512
 
 - name: "[{{ select_crypto_backend }}] Get bit size of 768"
-  shell: '{{ openssl_binary }} dhparam -noout -in {{ output_dir }}/dh768.pem -text | head -n1 | sed -ne "s@.*(\\([[:digit:]]\{1,\}\\) bit).*@\\1@p"'
+  shell: '{{ openssl_binary }} dhparam -noout -in {{ remote_tmp_dir }}/dh768.pem -text | head -n1 | sed -ne "s@.*(\\([[:digit:]]\{1,\}\\) bit).*@\\1@p"'
   register: bit_size_dhparam
 
 - name: "[{{ select_crypto_backend }}] Check bit size of default"
@@ -15,7 +15,7 @@
       - bit_size_dhparam.stdout == "768"
 
 - name: "[{{ select_crypto_backend }}] Get bit size of 512"
-  shell: '{{ openssl_binary }} dhparam -noout -in {{ output_dir }}/dh512.pem -text | head -n1 | sed -ne "s@.*(\\([[:digit:]]\{1,\}\\) bit).*@\\1@p"'
+  shell: '{{ openssl_binary }} dhparam -noout -in {{ remote_tmp_dir }}/dh512.pem -text | head -n1 | sed -ne "s@.*(\\([[:digit:]]\{1,\}\\) bit).*@\\1@p"'
   register: bit_size_dhparam_512
 
 - name: "[{{ select_crypto_backend }}] Check bit size of default"
@@ -34,10 +34,15 @@
       - dhparam_changed_to_512 is changed
       - dhparam_changed_force is changed
 
+- name: "[{{ select_crypto_backend }}] Read result"
+  slurp:
+    src: '{{ remote_tmp_dir }}/dh768.pem'
+  register: slurp
+
 - name: "[{{ select_crypto_backend }}] Make sure correct values are returned"
   assert:
     that:
-      - dhparam.dhparams == lookup('file', output_dir ~ '/dh768.pem', rstrip=False)
+      - dhparam.dhparams == (slurp.content | b64decode)
       - dhparam.dhparams == dhparam_changed.dhparams
 
 - name: "[{{ select_crypto_backend }}] Verify that broken params will be regenerated"

tests/integration/targets/openssl_pkcs12/aliases

@@ -1,2 +1,3 @@
+shippable/cloud/group1
 shippable/posix/group1
 destructive

tests/integration/targets/openssl_pkcs12/meta/main.yml

@@ -1,3 +1,4 @@
 dependencies:
   - setup_openssl
   - setup_pyopenssl
+  - setup_remote_tmp_dir

tests/integration/targets/openssl_pkcs12/tasks/impl.yml

@@ -2,10 +2,10 @@
   - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (check mode)"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      path: '{{ output_dir }}/ansible.p12'
+      path: '{{ remote_tmp_dir }}/ansible.p12'
       friendly_name: abracadabra
-      privatekey_path: '{{ output_dir }}/ansible_pkey1.pem'
+      privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem'
-      certificate_path: '{{ output_dir }}/ansible1.crt'
+      certificate_path: '{{ remote_tmp_dir }}/ansible1.crt'
       state: present
       return_content: true
     check_mode: true
@@ -14,10 +14,10 @@
   - name: "({{ select_crypto_backend }}) Generate PKCS#12 file"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      path: '{{ output_dir }}/ansible.p12'
+      path: '{{ remote_tmp_dir }}/ansible.p12'
       friendly_name: abracadabra
-      privatekey_path: '{{ output_dir }}/ansible_pkey1.pem'
+      privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem'
-      certificate_path: '{{ output_dir }}/ansible1.crt'
+      certificate_path: '{{ remote_tmp_dir }}/ansible1.crt'
       state: present
       return_content: true
     register: p12_standard
@@ -25,10 +25,10 @@
   - name: "({{ select_crypto_backend }}) Generate PKCS#12 file again, idempotency (check mode)"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      path: '{{ output_dir }}/ansible.p12'
+      path: '{{ remote_tmp_dir }}/ansible.p12'
       friendly_name: abracadabra
-      privatekey_path: '{{ output_dir }}/ansible_pkey1.pem'
+      privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem'
-      certificate_path: '{{ output_dir }}/ansible1.crt'
+      certificate_path: '{{ remote_tmp_dir }}/ansible1.crt'
       state: present
       return_content: true
     check_mode: true
@@ -37,17 +37,17 @@
   - name: "({{ select_crypto_backend }}) Generate PKCS#12 file again, idempotency"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      path: '{{ output_dir }}/ansible.p12'
+      path: '{{ remote_tmp_dir }}/ansible.p12'
       friendly_name: abracadabra
-      privatekey_path: '{{ output_dir }}/ansible_pkey1.pem'
+      privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem'
-      certificate_path: '{{ output_dir }}/ansible1.crt'
+      certificate_path: '{{ remote_tmp_dir }}/ansible1.crt'
       state: present
       return_content: true
     register: p12_standard_idempotency
 
   - name: "({{ select_crypto_backend }}) Read ansible.p12"
     slurp:
-      src: '{{ output_dir }}/ansible.p12'
+      src: '{{ remote_tmp_dir }}/ansible.p12'
     register: ansible_p12_content
 
   - name: "({{ select_crypto_backend }}) Validate PKCS#12"
@@ -59,10 +59,10 @@
   - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (force)"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      path: '{{ output_dir }}/ansible.p12'
+      path: '{{ remote_tmp_dir }}/ansible.p12'
       friendly_name: abracadabra
-      privatekey_path: '{{ output_dir }}/ansible_pkey1.pem'
+      privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem'
-      certificate_path: '{{ output_dir }}/ansible1.crt'
+      certificate_path: '{{ remote_tmp_dir }}/ansible1.crt'
       state: present
       force: true
     register: p12_force
@@ -70,10 +70,10 @@
   - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (force + change mode)"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      path: '{{ output_dir }}/ansible.p12'
+      path: '{{ remote_tmp_dir }}/ansible.p12'
       friendly_name: abracadabra
-      privatekey_path: '{{ output_dir }}/ansible_pkey1.pem'
+      privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem'
-      certificate_path: '{{ output_dir }}/ansible1.crt'
+      certificate_path: '{{ remote_tmp_dir }}/ansible1.crt'
       state: present
       force: true
       mode: '0644'
@@ -82,8 +82,8 @@
   - name: "({{ select_crypto_backend }}) Dump PKCS#12"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      src: '{{ output_dir }}/ansible.p12'
+      src: '{{ remote_tmp_dir }}/ansible.p12'
-      path: '{{ output_dir }}/ansible_parse.pem'
+      path: '{{ remote_tmp_dir }}/ansible_parse.pem'
       action: parse
       state: present
     register: p12_dumped
@@ -91,8 +91,8 @@
   - name: "({{ select_crypto_backend }}) Dump PKCS#12 file again, idempotency"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      src: '{{ output_dir }}/ansible.p12'
+      src: '{{ remote_tmp_dir }}/ansible.p12'
-      path: '{{ output_dir }}/ansible_parse.pem'
+      path: '{{ remote_tmp_dir }}/ansible_parse.pem'
       action: parse
       state: present
     register: p12_dumped_idempotency
@@ -100,8 +100,8 @@
   - name: "({{ select_crypto_backend }}) Dump PKCS#12, check mode"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      src: '{{ output_dir }}/ansible.p12'
+      src: '{{ remote_tmp_dir }}/ansible.p12'
-      path: '{{ output_dir }}/ansible_parse.pem'
+      path: '{{ remote_tmp_dir }}/ansible_parse.pem'
       action: parse
       state: present
     check_mode: true
@@ -110,36 +110,36 @@
   - name: "({{ select_crypto_backend }}) Generate PKCS#12 file with multiple certs and passphrase"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      path: '{{ output_dir }}/ansible_multi_certs.p12'
+      path: '{{ remote_tmp_dir }}/ansible_multi_certs.p12'
       friendly_name: abracadabra
       passphrase: hunter3
-      privatekey_path: '{{ output_dir }}/ansible_pkey1.pem'
+      privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem'
-      certificate_path: '{{ output_dir }}/ansible1.crt'
+      certificate_path: '{{ remote_tmp_dir }}/ansible1.crt'
       other_certificates:
-      - '{{ output_dir }}/ansible2.crt'
+      - '{{ remote_tmp_dir }}/ansible2.crt'
-      - '{{ output_dir }}/ansible3.crt'
+      - '{{ remote_tmp_dir }}/ansible3.crt'
       state: present
     register: p12_multiple_certs
 
   - name: "({{ select_crypto_backend }}) Generate PKCS#12 file with multiple certs and passphrase, again (idempotency)"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      path: '{{ output_dir }}/ansible_multi_certs.p12'
+      path: '{{ remote_tmp_dir }}/ansible_multi_certs.p12'
       friendly_name: abracadabra
       passphrase: hunter3
-      privatekey_path: '{{ output_dir }}/ansible_pkey1.pem'
+      privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem'
-      certificate_path: '{{ output_dir }}/ansible1.crt'
+      certificate_path: '{{ remote_tmp_dir }}/ansible1.crt'
       other_certificates:
-      - '{{ output_dir }}/ansible2.crt'
+      - '{{ remote_tmp_dir }}/ansible2.crt'
-      - '{{ output_dir }}/ansible3.crt'
+      - '{{ remote_tmp_dir }}/ansible3.crt'
       state: present
     register: p12_multiple_certs_idempotency
 
   - name: "({{ select_crypto_backend }}) Dump PKCS#12 with multiple certs and passphrase"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      src: '{{ output_dir }}/ansible_multi_certs.p12'
+      src: '{{ remote_tmp_dir }}/ansible_multi_certs.p12'
-      path: '{{ output_dir }}/ansible_parse_multi_certs.pem'
+      path: '{{ remote_tmp_dir }}/ansible_parse_multi_certs.pem'
       passphrase: hunter3
       action: parse
       state: present
@@ -147,11 +147,11 @@
   - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (password fail 1)"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      path: '{{ output_dir }}/ansible_pw1.p12'
+      path: '{{ remote_tmp_dir }}/ansible_pw1.p12'
       friendly_name: abracadabra
-      privatekey_path: '{{ output_dir }}/ansible_pkey1.pem'
+      privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem'
       privatekey_passphrase: hunter2
-      certificate_path: '{{ output_dir }}/ansible1.crt'
+      certificate_path: '{{ remote_tmp_dir }}/ansible1.crt'
       state: present
     ignore_errors: true
     register: passphrase_error_1
@@ -159,11 +159,11 @@
   - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (password fail 2)"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      path: '{{ output_dir }}/ansible_pw2.p12'
+      path: '{{ remote_tmp_dir }}/ansible_pw2.p12'
       friendly_name: abracadabra
-      privatekey_path: '{{ output_dir }}/privatekeypw.pem'
+      privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
       privatekey_passphrase: wrong_password
-      certificate_path: '{{ output_dir }}/ansible1.crt'
+      certificate_path: '{{ remote_tmp_dir }}/ansible1.crt'
       state: present
     ignore_errors: true
     register: passphrase_error_2
@@ -171,10 +171,10 @@
   - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (password fail 3)"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      path: '{{ output_dir }}/ansible_pw3.p12'
+      path: '{{ remote_tmp_dir }}/ansible_pw3.p12'
       friendly_name: abracadabra
-      privatekey_path: '{{ output_dir }}/privatekeypw.pem'
+      privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
-      certificate_path: '{{ output_dir }}/ansible1.crt'
+      certificate_path: '{{ remote_tmp_dir }}/ansible1.crt'
       state: present
     ignore_errors: true
     register: passphrase_error_3
@@ -182,24 +182,24 @@
   - name: "({{ select_crypto_backend }}) Generate PKCS#12 file, no privatekey"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      path: '{{ output_dir }}/ansible_no_pkey.p12'
+      path: '{{ remote_tmp_dir }}/ansible_no_pkey.p12'
       friendly_name: abracadabra
-      certificate_path: '{{ output_dir }}/ansible1.crt'
+      certificate_path: '{{ remote_tmp_dir }}/ansible1.crt'
       state: present
     register: p12_no_pkey
 
   - name: "({{ select_crypto_backend }}) Create broken PKCS#12"
     copy:
-      dest: '{{ output_dir }}/broken.p12'
+      dest: '{{ remote_tmp_dir }}/broken.p12'
       content: broken
 
   - name: "({{ select_crypto_backend }}) Regenerate broken PKCS#12"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      path: '{{ output_dir }}/broken.p12'
+      path: '{{ remote_tmp_dir }}/broken.p12'
       friendly_name: abracadabra
-      privatekey_path: '{{ output_dir }}/ansible_pkey1.pem'
+      privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem'
-      certificate_path: '{{ output_dir }}/ansible1.crt'
+      certificate_path: '{{ remote_tmp_dir }}/ansible1.crt'
       state: present
       force: true
       mode: '0644'
@@ -208,10 +208,10 @@
   - name: "({{ select_crypto_backend }}) Generate PKCS#12 file"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      path: '{{ output_dir }}/ansible_backup.p12'
+      path: '{{ remote_tmp_dir }}/ansible_backup.p12'
       friendly_name: abracadabra
-      privatekey_path: '{{ output_dir }}/ansible_pkey1.pem'
+      privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem'
-      certificate_path: '{{ output_dir }}/ansible1.crt'
+      certificate_path: '{{ remote_tmp_dir }}/ansible1.crt'
       state: present
       backup: true
     register: p12_backup_1
@@ -219,10 +219,10 @@
   - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (idempotent)"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      path: '{{ output_dir }}/ansible_backup.p12'
+      path: '{{ remote_tmp_dir }}/ansible_backup.p12'
       friendly_name: abracadabra
-      privatekey_path: '{{ output_dir }}/ansible_pkey1.pem'
+      privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem'
-      certificate_path: '{{ output_dir }}/ansible1.crt'
+      certificate_path: '{{ remote_tmp_dir }}/ansible1.crt'
       state: present
       backup: true
     register: p12_backup_2
@@ -230,10 +230,10 @@
   - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (change)"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      path: '{{ output_dir }}/ansible_backup.p12'
+      path: '{{ remote_tmp_dir }}/ansible_backup.p12'
       friendly_name: abra
-      privatekey_path: '{{ output_dir }}/ansible_pkey1.pem'
+      privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem'
-      certificate_path: '{{ output_dir }}/ansible1.crt'
+      certificate_path: '{{ remote_tmp_dir }}/ansible1.crt'
       state: present
       force: true
       backup: true
@@ -242,7 +242,7 @@
   - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (remove)"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      path: '{{ output_dir }}/ansible_backup.p12'
+      path: '{{ remote_tmp_dir }}/ansible_backup.p12'
       state: absent
       backup: true
       return_content: true
@@ -251,7 +251,7 @@
   - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (remove, idempotent)"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      path: '{{ output_dir }}/ansible_backup.p12'
+      path: '{{ remote_tmp_dir }}/ansible_backup.p12'
       state: absent
       backup: true
     register: p12_backup_5
@@ -259,11 +259,11 @@
   - name: "({{ select_crypto_backend }}) Generate 'empty' PKCS#12 file"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      path: '{{ output_dir }}/ansible_empty.p12'
+      path: '{{ remote_tmp_dir }}/ansible_empty.p12'
       friendly_name: abracadabra
       other_certificates:
-      - '{{ output_dir }}/ansible2.crt'
+      - '{{ remote_tmp_dir }}/ansible2.crt'
-      - '{{ output_dir }}/ansible3.crt'
+      - '{{ remote_tmp_dir }}/ansible3.crt'
       state: present
     register: p12_empty
 
@@ -271,21 +271,21 @@
   - name: "({{ select_crypto_backend }}) Generate 'empty' PKCS#12 file (idempotent)"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      path: '{{ output_dir }}/ansible_empty.p12'
+      path: '{{ remote_tmp_dir }}/ansible_empty.p12'
       friendly_name: abracadabra
       other_certificates:
-      - '{{ output_dir }}/ansible3.crt'
+      - '{{ remote_tmp_dir }}/ansible3.crt'
-      - '{{ output_dir }}/ansible2.crt'
+      - '{{ remote_tmp_dir }}/ansible2.crt'
       state: present
     register: p12_empty_idem
 
   - name: "({{ select_crypto_backend }}) Generate 'empty' PKCS#12 file (idempotent, concatenated other certificates)"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      path: '{{ output_dir }}/ansible_empty.p12'
+      path: '{{ remote_tmp_dir }}/ansible_empty.p12'
       friendly_name: abracadabra
       other_certificates:
-      - '{{ output_dir }}/ansible23.crt'
+      - '{{ remote_tmp_dir }}/ansible23.crt'
       other_certificates_parse_all: true
       state: present
     register: p12_empty_concat_idem
@@ -293,8 +293,8 @@
   - name: "({{ select_crypto_backend }}) Generate 'empty' PKCS#12 file (parse)"
     openssl_pkcs12:
       select_crypto_backend: '{{ select_crypto_backend }}'
-      src: '{{ output_dir }}/ansible_empty.p12'
+      src: '{{ remote_tmp_dir }}/ansible_empty.p12'
-      path: '{{ output_dir }}/ansible_empty.pem'
+      path: '{{ remote_tmp_dir }}/ansible_empty.pem'
       action: parse
 
   - import_tasks: ../tests/validate.yml
@@ -303,7 +303,7 @@
   - name: "({{ select_crypto_backend }}) Delete PKCS#12 file"
     openssl_pkcs12:
       state: absent
-      path: '{{ output_dir }}/{{ item }}.p12'
+      path: '{{ remote_tmp_dir }}/{{ item }}.p12'
     loop:
     - ansible
     - ansible_no_pkey

tests/integration/targets/openssl_pkcs12/tasks/main.yml

@@ -7,50 +7,56 @@
 - block:
   - name: Generate private keys
     openssl_privatekey:
-      path: '{{ output_dir }}/ansible_pkey{{ item }}.pem'
+      path: '{{ remote_tmp_dir }}/ansible_pkey{{ item }}.pem'
       size: '{{ default_rsa_key_size_certifiates }}'
     loop: "{{ range(1, 4) | list }}"
 
   - name: Generate privatekey with password
     openssl_privatekey:
-      path: '{{ output_dir }}/privatekeypw.pem'
+      path: '{{ remote_tmp_dir }}/privatekeypw.pem'
       passphrase: hunter2
       cipher: auto
       size: '{{ default_rsa_key_size }}'
 
   - name: Generate CSRs
     openssl_csr:
-      path: '{{ output_dir }}/ansible{{ item }}.csr'
+      path: '{{ remote_tmp_dir }}/ansible{{ item }}.csr'
-      privatekey_path: '{{ output_dir }}/ansible_pkey{{ item }}.pem'
+      privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey{{ item }}.pem'
       commonName: www{{ item }}.ansible.com
     loop: "{{ range(1, 4) | list }}"
 
   - name: Generate certificate
     x509_certificate:
-      path: '{{ output_dir }}/ansible{{ item }}.crt'
+      path: '{{ remote_tmp_dir }}/ansible{{ item }}.crt'
-      privatekey_path: '{{ output_dir }}/ansible_pkey{{ item }}.pem'
+      privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey{{ item }}.pem'
-      csr_path: '{{ output_dir }}/ansible{{ item }}.csr'
+      csr_path: '{{ remote_tmp_dir }}/ansible{{ item }}.csr'
       provider: selfsigned
     loop: "{{ range(1, 4) | list }}"
 
+  - name: Read files
+    slurp:
+      src: '{{ item }}'
+    loop:
+      - "{{ remote_tmp_dir ~ '/ansible2.crt' }}"
+      - "{{ remote_tmp_dir ~ '/ansible3.crt' }}"
+    register: slurp
+
   - name: Generate concatenated PEM file
     copy:
-      dest: '{{ output_dir }}/ansible23.crt'
+      dest: '{{ remote_tmp_dir }}/ansible23.crt'
-      content: |
+      content: '{{ slurp.results[0].content | b64decode }}{{ slurp.results[1].content | b64decode }}'
-        {{ lookup("file", output_dir ~ "/ansible2.crt") }}
-        {{ lookup("file", output_dir ~ "/ansible3.crt") }}
 
   - name: Generate PKCS#12 file with backend autodetection
     openssl_pkcs12:
-      path: '{{ output_dir }}/ansible.p12'
+      path: '{{ remote_tmp_dir }}/ansible.p12'
       friendly_name: abracadabra
-      privatekey_path: '{{ output_dir }}/ansible_pkey1.pem'
+      privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem'
-      certificate_path: '{{ output_dir }}/ansible1.crt'
+      certificate_path: '{{ remote_tmp_dir }}/ansible1.crt'
       state: present
 
   - name: Delete result
     file:
-      path: '{{ output_dir }}/ansible.p12'
+      path: '{{ remote_tmp_dir }}/ansible.p12'
       state: absent
 
   - block: