Release 3.0.2.

Add old versions to stable-2.19 if not present yet.

.azure-pipelines/azure-pipelines.yml

@@ -61,6 +61,17 @@ stages:
               test: 'devel/sanity/1'
             - name: Units
               test: 'devel/units/1'
+  - stage: Ansible_2_19
+    displayName: Sanity & Units 2.19
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          targets:
+            - name: Sanity
+              test: '2.19/sanity/1'
+            - name: Units
+              test: '2.19/units/1'
   - stage: Ansible_2_18
     displayName: Sanity & Units 2.18
     dependsOn: []
@@ -92,10 +103,25 @@ stages:
         parameters:
           testFormat: devel/linux/{0}
           targets:
-            - name: Fedora 41
-              test: fedora41
+            - name: Fedora 42
+              test: fedora42
             - name: Ubuntu 24.04
               test: ubuntu2404
+            - name: Alpine 3.22
+              test: alpine322
+          groups:
+            - 1
+            - 2
+  - stage: Docker_2_19
+    displayName: Docker 2.19
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: 2.19/linux/{0}
+          targets:
+            - name: Fedora 41
+              test: fedora41
             - name: Alpine 3.21
               test: alpine321
           groups:
@@ -164,10 +190,10 @@ stages:
         parameters:
           testFormat: devel/{0}
           targets:
-            - name: Alpine 3.21
-              test: alpine/3.21
-            - name: Fedora 41
-              test: fedora/41
+            - name: Alpine 3.22
+              test: alpine/3.22
+            - name: Fedora 42
+              test: fedora/42
             - name: Ubuntu 22.04
               test: ubuntu/22.04
             - name: Ubuntu 24.04
@@ -186,15 +212,32 @@ stages:
               test: macos/15.3
             - name: RHEL 10.0
               test: rhel/10.0
-            - name: RHEL 9.5
-              test: rhel/9.5
-            - name: FreeBSD 14.2
-              test: freebsd/14.2
+            - name: RHEL 9.6
+              test: rhel/9.6
+            - name: FreeBSD 14.3
+              test: freebsd/14.3
             - name: FreeBSD 13.5
               test: freebsd/13.5
           groups:
             - 1
             - 2
+  - stage: Remote_2_19
+    displayName: Remote 2.19
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: 2.19/{0}
+          targets:
+            - name: RHEL 9.5
+              test: rhel/9.5
+            - name: RHEL 10.0
+              test: rhel/10.0
+            - name: FreeBSD 14.2
+              test: freebsd/14.2
+          groups:
+            - 1
+            - 2
   - stage: Remote_2_18
     displayName: Remote 2.18
     dependsOn: []
@@ -222,8 +265,8 @@ stages:
           targets:
             - name: RHEL 9.3
               test: rhel/9.3
-            - name: FreeBSD 13.3
-              test: freebsd/13.3
+            - name: FreeBSD 13.5
+              test: freebsd/13.5
           groups:
             - 1
             - 2
@@ -245,6 +288,20 @@ stages:
           groups:
             - 1
             - 2
+  - stage: Generic_2_19
+    displayName: Generic 2.19
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          nameFormat: Python {0}
+          testFormat: 2.19/generic/{0}
+          targets:
+            - test: "3.9"
+            - test: "3.13"
+          groups:
+            - 1
+            - 2
   - stage: Generic_2_18
     displayName: Generic 2.18
     dependsOn: []
@@ -280,18 +337,22 @@ stages:
     condition: succeededOrFailed()
     dependsOn:
       - Ansible_devel
+      - Ansible_2_19
       - Ansible_2_18
       - Ansible_2_17
       - Remote_devel_extra_vms
       - Remote_devel
       - Remote_2_18
+      - Remote_2_19
       - Remote_2_17
       - Docker_devel
       - Docker_2_18
+      - Docker_2_19
       - Docker_2_17
       - Docker_community_devel
       - Generic_devel
       - Generic_2_18
+      - Generic_2_19
       - Generic_2_17
     jobs:
       - template: templates/coverage.yml

.github/workflows/ee.yml

@@ -1,172 +0,0 @@
----
-# Copyright (c) Ansible Project
-# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
-# SPDX-License-Identifier: GPL-3.0-or-later
-
-name: execution environment
-'on':
-  # Run CI against all pushes (direct commits, also merged PRs), Pull Requests
-  push:
-    branches:
-      - main
-      - stable-*
-  pull_request:
-  # Run CI once per day (at 09:00 UTC)
-  # This ensures that even if there haven't been commits that we are still testing against latest version of ansible-builder
-  schedule:
-    - cron: '0 9 * * *'
-
-env:
-  NAMESPACE: community
-  COLLECTION_NAME: crypto
-
-jobs:
-  build:
-    name: Build and test EE (${{ matrix.name }})
-    strategy:
-      fail-fast: false
-      matrix:
-        name:
-          - ''
-        ansible_core:
-          - ''
-        ansible_runner:
-          - ''
-        base_image:
-          - ''
-        pre_base:
-          - ''
-        extra_vars:
-          - ''
-        other_deps:
-          - ''
-        exclude:
-          - ansible_core: ''
-        include:
-          - name: ansible-core devel @ RHEL UBI 9
-            ansible_core: https://github.com/ansible/ansible/archive/devel.tar.gz
-            ansible_runner: ansible-runner
-            other_deps: |2
-                python_interpreter:
-                  package_system: python3.12 python3.12-pip python3.12-wheel python3.12-cryptography
-                  python_path: "/usr/bin/python3.12"
-            base_image: docker.io/redhat/ubi9:latest
-            pre_base: '"#"'
-          - name: ansible-core 2.17 @ Rocky Linux 9
-            ansible_core: https://github.com/ansible/ansible/archive/stable-2.17.tar.gz
-            ansible_runner: ansible-runner
-            other_deps: |2
-                python_interpreter:
-                  package_system: python3.11 python3.11-pip python3.11-wheel python3.11-cryptography
-                  python_path: "/usr/bin/python3.11"
-            base_image: quay.io/rockylinux/rockylinux:9
-            pre_base: RUN dnf install -y epel-release
-          - name: ansible-core 2.18 @ CentOS Stream 9
-            ansible_core: https://github.com/ansible/ansible/archive/stable-2.18.tar.gz
-            ansible_runner: ansible-runner
-            other_deps: |2
-                python_interpreter:
-                  package_system: python3.11 python3.11-pip python3.11-wheel python3.11-cryptography
-                  python_path: "/usr/bin/python3.11"
-            base_image: quay.io/centos/centos:stream9
-            pre_base: '"#"'
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-        with:
-          path: ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}
-          persist-credentials: false
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.11'
-
-      - name: Install ansible-builder and ansible-navigator
-        run: pip install ansible-builder ansible-navigator
-
-      - name: Verify requirements
-        run: ansible-builder introspect --sanitize .
-
-      - name: Make sure galaxy.yml has version entry
-        run: >-
-          python -c
-          'import yaml ;
-          f = open("galaxy.yml", "rb") ;
-          data = yaml.safe_load(f) ;
-          f.close() ;
-          data["version"] = data.get("version") or "0.0.1" ;
-          f = open("galaxy.yml", "wb") ;
-          f.write(yaml.dump(data).encode("utf-8")) ;
-          f.close() ;
-          '
-        working-directory: ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}
-
-      - name: Build collection
-        run: |
-          ansible-galaxy collection build --output-path ../../../
-        working-directory: ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}
-
-      - name: Create files for building execution environment
-        run: |
-          COLLECTION_FILENAME="$(ls "${NAMESPACE}-${COLLECTION_NAME}"-*.tar.gz)"
-
-          # EE config
-          cat > execution-environment.yml <<EOF
-          ---
-          version: 3
-          dependencies:
-            ansible_core:
-              package_pip: ${{ matrix.ansible_core }}
-            ansible_runner:
-              package_pip: ${{ matrix.ansible_runner }}
-            galaxy: requirements.yml
-          ${{ matrix.other_deps }}
-
-          images:
-            base_image:
-              name: ${{ matrix.base_image }}
-
-          additional_build_files:
-            - src: ${COLLECTION_FILENAME}
-              dest: src
-
-          additional_build_steps:
-            prepend_base:
-              - ${{ matrix.pre_base }}
-          EOF
-          echo "::group::execution-environment.yml"
-          cat execution-environment.yml
-          echo "::endgroup::"
-
-          # Requirements
-          cat > requirements.yml <<EOF
-          ---
-          collections:
-            - name: src/${COLLECTION_FILENAME}
-              type: file
-          EOF
-          echo "::group::requirements.yml"
-          cat requirements.yml
-          echo "::endgroup::"
-
-      - name: Build image based on ${{ matrix.base_image }}
-        run: |
-          ansible-builder build --verbosity 3 --tag test-ee:latest --container-runtime podman
-
-      - name: Show images
-        run: podman image ls
-
-      - name: Run basic tests
-        run: >
-          ansible-navigator run
-          --mode stdout
-          --container-engine podman
-          --pull-policy never
-          --set-environment-variable ANSIBLE_PRIVATE_ROLE_VARS=true
-          --execution-environment-image test-ee:latest
-          -v
-          all.yml
-          ${{ matrix.extra_vars }}
-        working-directory: ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}/tests/ee

.github/workflows/nox.yml

@@ -26,3 +26,6 @@ jobs:
           persist-credentials: false
       - name: Run nox
         uses: ansible-community/antsibull-nox@main
+
+  ansible-test:
+    uses: ansible-community/antsibull-nox/.github/workflows/reusable-nox-matrix.yml@main

.yamllint-extra-docs

@@ -0,0 +1,53 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2025 Felix Fontein <felix@fontein.de>
+
+extends: default
+
+ignore: |
+  /changelogs/
+
+rules:
+  line-length:
+    max: 160
+    level: error
+  document-start: disable
+  document-end:
+    present: false
+  truthy:
+    level: error
+    allowed-values:
+      - 'true'
+      - 'false'
+  indentation:
+    spaces: 2
+    indent-sequences: true
+  key-duplicates: enable
+  trailing-spaces: enable
+  new-line-at-end-of-file: disable
+  hyphens:
+    max-spaces-after: 1
+  empty-lines:
+    max: 2
+    max-start: 0
+    max-end: 0
+  commas:
+    max-spaces-before: 0
+    min-spaces-after: 1
+    max-spaces-after: 1
+  colons:
+    max-spaces-before: 0
+    max-spaces-after: 1
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+  braces:
+    min-spaces-inside: 0
+    max-spaces-inside: 1
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true
+  comments:
+    min-spaces-from-content: 1
+  comments-indentation: false

CHANGELOG.rst

@@ -4,53 +4,45 @@ Community Crypto Release Notes
 
 .. contents:: Topics
 
-v3.0.0-rc1
-==========
+v3.0.2
+======
 
 Release Summary
 ---------------
 
-First release candidate for new major 3.0.0 release. Contains two bugfixes and some refactorings.
-
-Minor Changes
--------------
-
-- Remove various no longer needed abstraction layers for multiple backends (https://github.com/ansible-collections/community.crypto/pull/912).
-- Various code refactorings (https://github.com/ansible-collections/community.crypto/pull/905, https://github.com/ansible-collections/community.crypto/pull/909, https://github.com/ansible-collections/community.crypto/pull/911, https://github.com/ansible-collections/community.crypto/pull/913, https://github.com/ansible-collections/community.crypto/pull/914, https://github.com/ansible-collections/community.crypto/pull/917).
+Bugfix release.
 
 Bugfixes
 --------
 
-- acme_account - make work with CAs that do not accept any account request without External Account Binding data (https://github.com/ansible-collections/community.crypto/issues/918, https://github.com/ansible-collections/community.crypto/pull/919).
-- openssl_csr, openssl_csr_pipe - avoid accessing internal members of cryptography's ``KeyUsage`` extension object (https://github.com/ansible-collections/community.crypto/pull/910).
+- Improve error message when loading a private key fails due to correct private key files or wrong passwords. Also include the original cryptography error since it likely contains more helpful information (https://github.com/ansible-collections/community.crypto/issues/936, https://github.com/ansible-collections/community.crypto/pull/939).
 
-v3.0.0-a2
-=========
+v3.0.1
+======
 
 Release Summary
 ---------------
 
-Second pre-release for community.crypto 3.0.0.
+Bugfix release.
 
-This release removes all Entrust content.
+Bugfixes
+--------
 
-Removed Features (previously deprecated)
-----------------------------------------
+- openssl_csr and openssl_csr_pipe - the idempotency check for ``key_usage`` resulted in a crash if ``Key Agreement``/``keyAgreement`` was not set (https://github.com/ansible-collections/community.crypto/issues/934, https://github.com/ansible-collections/community.crypto/pull/935).
 
-- All Entrust content is being removed since the Entrust service in currently being sunsetted after the sale of Entrust's Public Certificates Business to Sectigo; see `the announcement with key dates <https://www.entrust.com/tls-certificate-information-center>`__ and `the migration brief for customers <https://www.sectigo.com/uploads/resources/EOL_Migration-Brief-End-Customer.pdf>`__ for details. Since this process will be completed in 2025, we decided to remove all Entrust content from community.general 3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
-- ecs_certificate - the module has been removed. Please use community.crypto 2.x.y if you need this module (https://github.com/ansible-collections/community.crypto/pull/900).
-- ecs_domain - the module has been removed. Please use community.crypto 2.x.y if you need this module (https://github.com/ansible-collections/community.crypto/pull/900).
-- x509_certificate - the ``entrust`` provider has been removed. Please use community.crypto 2.x.y if you need this provider (https://github.com/ansible-collections/community.crypto/pull/900).
-- x509_certificate_pipe - the ``entrust`` provider has been removed. Please use community.crypto 2.x.y if you need this provider (https://github.com/ansible-collections/community.crypto/pull/900).
-
-v3.0.0-a1
-=========
+v3.0.0
+======
 
 Release Summary
 ---------------
 
-First pre-release for community.crypto 3.0.0.
-This release drops compatibility for ansible-core before 2.17, for Python before 3.7, and for cryptography before 3.3.
+New major release of community.crypto with a lot of code modernization.
+This release drops compatibility for ansible-core before 2.17, for Python
+before 3.7, and for cryptography before 3.3.
+It also removes all Entrust modules, and the Entrust provider for the
+``community.crypto.x509_certificate*`` modules.
+
+See below for a more detailled list of changes.
 
 Minor Changes
 -------------
@@ -66,7 +58,9 @@ Minor Changes
 - Python code modernization: use f-strings instead of ``%`` and ``str.format()`` (https://github.com/ansible-collections/community.crypto/pull/875).
 - Remove ``backend`` parameter from internal code whenever possible (https://github.com/ansible-collections/community.crypto/pull/883).
 - Remove various compatibility code for cryptography < 3.3 (https://github.com/ansible-collections/community.crypto/pull/878).
+- Remove various no longer needed abstraction layers for multiple backends (https://github.com/ansible-collections/community.crypto/pull/912).
 - Remove vendored copy of ``distutils.version`` in favor of vendored copy included with ansible-core 2.12+ (https://github.com/ansible-collections/community.crypto/pull/371).
+- Various code refactorings (https://github.com/ansible-collections/community.crypto/pull/905, https://github.com/ansible-collections/community.crypto/pull/909, https://github.com/ansible-collections/community.crypto/pull/911, https://github.com/ansible-collections/community.crypto/pull/913, https://github.com/ansible-collections/community.crypto/pull/914, https://github.com/ansible-collections/community.crypto/pull/917).
 - acme_* modules - improve parsing of ``Retry-After`` reply headers in regular ACME requests (https://github.com/ansible-collections/community.crypto/pull/890).
 - action_module plugin utils - remove compatibility with older ansible-core/ansible-base/Ansible versions (https://github.com/ansible-collections/community.crypto/pull/872).
 - x509_certificate, x509_certificate_pipe - the ``ownca_version`` and ``selfsigned_version`` parameters explicitly only allow the value ``3``. The module already failed for other values in the past, now this is validated as part of the module argument spec (https://github.com/ansible-collections/community.crypto/pull/890).
@@ -86,11 +80,13 @@ Deprecated Features
 -------------------
 
 - acme_certificate - deprecate the ``agreement`` option which has no more effect. It will be removed from community.crypto 4.0.0 (https://github.com/ansible-collections/community.crypto/pull/891).
+- acme_certificate - the option ``modify_account``'s default value ``true`` has been deprecated. It will change to ``false`` in community.crypto 4.0.0. We recommend to set the option to an explicit value to avoid deprecation warnings, and to prefer setting it to ``false`` already now. Better use the ``community.crypto.acme_account`` module instead (https://github.com/ansible-collections/community.crypto/issues/924).
 - openssl_pkcs12 - deprecate the ``maciter_size`` option which has no more effect. It will be removed from community.crypto 4.0.0 (https://github.com/ansible-collections/community.crypto/pull/891).
 
 Removed Features (previously deprecated)
 ----------------------------------------
 
+- All Entrust content is being removed since the Entrust service in currently being sunsetted after the sale of Entrust's Public Certificates Business to Sectigo; see `the announcement with key dates <https://www.entrust.com/tls-certificate-information-center>`__ and `the migration brief for customers <https://www.sectigo.com/uploads/resources/EOL_Migration-Brief-End-Customer.pdf>`__ for details. Since this process will be completed in 2025, we decided to remove all Entrust content from community.general 3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
 - The collection no longer supports cryptography < 3.3 (https://github.com/ansible-collections/community.crypto/pull/878, https://github.com/ansible-collections/community.crypto/pull/882).
 - acme.acme module utils - the ``get_default_argspec()`` function has been removed. Use ``create_default_argspec()`` instead (https://github.com/ansible-collections/community.crypto/pull/873).
 - acme.backends module utils - the methods ``get_ordered_csr_identifiers()`` and ``get_cert_information()`` of ``CryptoBackend`` now must be implemented (https://github.com/ansible-collections/community.crypto/pull/873).
@@ -101,13 +97,23 @@ Removed Features (previously deprecated)
 - crypto.cryptography_support module utils - remove ``cryptography_serial_number_of_cert()`` helper function (https://github.com/ansible-collections/community.crypto/pull/878).
 - crypto.module_backends.common module utils - this module utils has been removed. Use the ``argspec`` module utils instead (https://github.com/ansible-collections/community.crypto/pull/873).
 - crypto.support module utils - remove ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/874).
+- ecs_certificate - the module has been removed. Please use community.crypto 2.x.y if you need this module (https://github.com/ansible-collections/community.crypto/pull/900).
+- ecs_domain - the module has been removed. Please use community.crypto 2.x.y if you need this module (https://github.com/ansible-collections/community.crypto/pull/900).
 - execution environment dependencies - remove PyOpenSSL dependency (https://github.com/ansible-collections/community.crypto/pull/874).
 - openssl_csr_pipe - the module now ignores check mode and will always behave as if check mode is not active (https://github.com/ansible-collections/community.crypto/pull/873).
 - openssl_pkcs12 - support for the ``pyopenssl`` backend has been removed (https://github.com/ansible-collections/community.crypto/pull/873).
 - openssl_privatekey_pipe - the module now ignores check mode and will always behave as if check mode is not active (https://github.com/ansible-collections/community.crypto/pull/873).
 - time module utils - remove ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/874).
+- x509_certificate - the ``entrust`` provider has been removed. Please use community.crypto 2.x.y if you need this provider (https://github.com/ansible-collections/community.crypto/pull/900).
+- x509_certificate_pipe - the ``entrust`` provider has been removed. Please use community.crypto 2.x.y if you need this provider (https://github.com/ansible-collections/community.crypto/pull/900).
 - x509_certificate_pipe - the module now ignores check mode and will always behave as if check mode is not active (https://github.com/ansible-collections/community.crypto/pull/873).
 
+Bugfixes
+--------
+
+- acme_account - make work with CAs that do not accept any account request without External Account Binding data (https://github.com/ansible-collections/community.crypto/issues/918, https://github.com/ansible-collections/community.crypto/pull/919).
+- openssl_csr, openssl_csr_pipe - avoid accessing internal members of cryptography's ``KeyUsage`` extension object (https://github.com/ansible-collections/community.crypto/pull/910).
+
 v2.26.1
 =======
 

antsibull-nox.toml

@@ -20,6 +20,7 @@ run_yamllint = true
 yamllint_config = ".yamllint"
 yamllint_config_plugins = ".yamllint-docs"
 yamllint_config_plugins_examples = ".yamllint-examples"
+yamllint_config_extra_docs = ".yamllint-extra-docs"
 run_mypy = true
 mypy_ansible_core_package = "ansible-core>=2.19.0b4"
 mypy_config = ".mypy.ini"
@@ -31,6 +32,14 @@ mypy_extra_deps = [
 
 [sessions.docs_check]
 validate_collection_refs="all"
+codeblocks_restrict_types = [
+    "ansible-output",
+    "yaml",
+    "yaml+jinja",
+]
+codeblocks_restrict_type_exact_case = true
+codeblocks_allow_without_type = false
+codeblocks_allow_literal_blocks = false
 
 [sessions.license_check]
 run_reuse = true
@@ -47,6 +56,7 @@ no_trailing_whitespace_skip_paths = [
 no_trailing_whitespace_skip_directories = [
     "tests/unit/plugins/module_utils/_acme/fixtures/",
 ]
+run_avoid_characters = true
 
 [[sessions.extra_checks.action_groups_config]]
 name = "acme"
@@ -58,7 +68,47 @@ exclusions = [
 ]
 doc_fragment = "community.crypto._attributes.actiongroup_acme"
 
+[[sessions.extra_checks.avoid_character_group]]
+name = "tab"
+regex = "\\x09"
+skip_paths = [
+    "tests/integration/targets/luks_device/files/keyfile3",
+]
+
 [sessions.build_import_check]
 run_galaxy_importer = true
 
 [sessions.ansible_lint]
+
+[[sessions.ee_check.execution_environments]]
+name = "devel-ubi-9"
+description = "ansible-core devel @ RHEL UBI 9"
+test_playbooks = ["tests/ee/all.yml"]
+config.images.base_image.name = "docker.io/redhat/ubi9:latest"
+config.dependencies.ansible_core.package_pip = "https://github.com/ansible/ansible/archive/devel.tar.gz"
+config.dependencies.ansible_runner.package_pip = "ansible-runner"
+config.dependencies.python_interpreter.package_system = "python3.12 python3.12-pip python3.12-wheel python3.12-cryptography"
+config.dependencies.python_interpreter.python_path = "/usr/bin/python3.12"
+runtime_environment = {"ANSIBLE_PRIVATE_ROLE_VARS" = "true"}
+
+[[sessions.ee_check.execution_environments]]
+name = "2.15-rocky-9"
+description = "ansible-core 2.17 @ Rocky Linux 9"
+test_playbooks = ["tests/ee/all.yml"]
+config.images.base_image.name = "quay.io/rockylinux/rockylinux:9"
+config.dependencies.ansible_core.package_pip = "https://github.com/ansible/ansible/archive/stable-2.17.tar.gz"
+config.dependencies.ansible_runner.package_pip = "ansible-runner"
+config.dependencies.python_interpreter.package_system = "python3.11 python3.11-pip python3.11-wheel python3.11-cryptography"
+config.dependencies.python_interpreter.python_path = "/usr/bin/python3.11"
+runtime_environment = {"ANSIBLE_PRIVATE_ROLE_VARS" = "true"}
+
+[[sessions.ee_check.execution_environments]]
+name = "2.14-centos-stream-9"
+description = "ansible-core 2.18 @ CentOS Stream 9"
+test_playbooks = ["tests/ee/all.yml"]
+config.images.base_image.name = "quay.io/centos/centos:stream9"
+config.dependencies.ansible_core.package_pip = "https://github.com/ansible/ansible/archive/stable-2.18.tar.gz"
+config.dependencies.ansible_runner.package_pip = "ansible-runner"
+config.dependencies.python_interpreter.package_system = "python3.11 python3.11-pip python3.11-wheel python3.11-cryptography"
+config.dependencies.python_interpreter.python_path = "/usr/bin/python3.11"
+runtime_environment = {"ANSIBLE_PRIVATE_ROLE_VARS" = "true"}

changelogs/changelog.yaml

@@ -1804,3 +1804,52 @@ releases:
       - 919-acme_account-ear.yml
       - refactoring.yml
     release_date: '2025-06-14'
+  3.0.0:
+    changes:
+      deprecated_features:
+        - acme_certificate - the option ``modify_account``'s default value ``true``
+          has been deprecated. It will change to ``false`` in community.crypto 4.0.0.
+          We recommend to set the option to an explicit value to avoid deprecation
+          warnings, and to prefer setting it to ``false`` already now. Better use
+          the ``community.crypto.acme_account`` module instead (https://github.com/ansible-collections/community.crypto/issues/924).
+      release_summary: 'New major release of community.crypto with a lot of code modernization.
+
+        This release drops compatibility for ansible-core before 2.17, for Python
+
+        before 3.7, and for cryptography before 3.3.
+
+        It also removes all Entrust modules, and the Entrust provider for the
+
+        ``community.crypto.x509_certificate*`` modules.
+
+
+        See below for a more detailled list of changes.
+
+        '
+    fragments:
+      - 3.0.0.yml
+      - 924-acme_certificate-modify_account.yml
+    release_date: '2025-07-02'
+  3.0.1:
+    changes:
+      bugfixes:
+        - openssl_csr and openssl_csr_pipe - the idempotency check for ``key_usage``
+          resulted in a crash if ``Key Agreement``/``keyAgreement`` was not set (https://github.com/ansible-collections/community.crypto/issues/934,
+          https://github.com/ansible-collections/community.crypto/pull/935).
+      release_summary: Bugfix release.
+    fragments:
+      - 3.0.1.yml
+      - 395-csr-key_usage.yml
+    release_date: '2025-07-17'
+  3.0.2:
+    changes:
+      bugfixes:
+        - Improve error message when loading a private key fails due to correct private
+          key files or wrong passwords. Also include the original cryptography error
+          since it likely contains more helpful information (https://github.com/ansible-collections/community.crypto/issues/936,
+          https://github.com/ansible-collections/community.crypto/pull/939).
+      release_summary: Bugfix release.
+    fragments:
+      - 3.0.2.yml
+      - 939-private-key-errors.yml
+    release_date: '2025-07-26'

docs/docsite/rst/guide_ownca.rst

@@ -51,7 +51,7 @@ The following instructions show how to set up a simple self-signed CA certificat
 Use the CA to sign a certificate
 --------------------------------
 
-To sign a certificate, you must pass a CSR to the :ref:`community.crypto.x509_certificate module <ansible_collections.community.crypto.x509_certificate_module>` or :ref:`community.crypto.x509_certificate_pipe module <ansible_collections.community.crypto.x509_certificate_pipe_module>`.
+To sign a certificate, you must pass a CSR to the :ansplugin:`community.crypto.x509_certificate module <community.crypto.x509_certificate#module>` or :ansplugin:`community.crypto.x509_certificate_pipe module <community.crypto.x509_certificate_pipe#module>`.
 
 In the following example, we assume that the certificate to sign (including its private key) are on ``server_1``, while our CA certificate is on ``server_2``. We do not want any key material to leave each respective server.
 
@@ -94,7 +94,7 @@ In the following example, we assume that the certificate to sign (including its
       delegate_to: server_1
       run_once: true
 
-Please note that the above procedure is **not idempotent**. The following extended example reads the existing certificate from ``server_1`` (if exists) and provides it to the :ref:`community.crypto.x509_certificate_pipe module <ansible_collections.community.crypto.x509_certificate_pipe_module>`, and only writes the result back if it was changed:
+Please note that the above procedure is **not idempotent**. The following extended example reads the existing certificate from ``server_1`` (if exists) and provides it to the :ansplugin:`community.crypto.x509_certificate_pipe module <community.crypto.x509_certificate_pipe#module>`, and only writes the result back if it was changed:
 
 .. code-block:: yaml+jinja
 

docs/docsite/rst/guide_selfsigned.rst

@@ -10,7 +10,7 @@ How to create self-signed certificates
 
 The `community.crypto collection <https://galaxy.ansible.com/ui/repo/published/community/crypto/>`_ offers multiple modules that create private keys, certificate signing requests, and certificates. This guide shows how to create self-signed certificates.
 
-For creating any kind of certificate, you always have to start with a private key. You can use the :ref:`community.crypto.openssl_privatekey module <ansible_collections.community.crypto.openssl_privatekey_module>` to create a private key. If you only specify :ansopt:`community.crypto.openssl_privatekey#module:path`, the default parameters will be used. This will result in a 4096 bit RSA private key:
+For creating any kind of certificate, you always have to start with a private key. You can use the :ansplugin:`community.crypto.openssl_privatekey module <community.crypto.openssl_privatekey#module>` to create a private key. If you only specify :ansopt:`community.crypto.openssl_privatekey#module:path`, the default parameters will be used. This will result in a 4096 bit RSA private key:
 
 .. code-block:: yaml+jinja
 
@@ -28,7 +28,7 @@ You can specify :ansopt:`community.crypto.openssl_privatekey#module:type` to sel
         type: X25519
         passphrase: changeme
 
-To create a very simple self-signed certificate with no specific information, you can proceed directly with the :ref:`community.crypto.x509_certificate module <ansible_collections.community.crypto.x509_certificate_module>`:
+To create a very simple self-signed certificate with no specific information, you can proceed directly with the :ansplugin:`community.crypto.x509_certificate module <community.crypto.x509_certificate#module>`:
 
 .. code-block:: yaml+jinja
 
@@ -42,7 +42,7 @@ To create a very simple self-signed certificate with no specific information, yo
 
 You can use :ansopt:`community.crypto.x509_certificate#module:selfsigned_not_after` to define when the certificate expires (default: in roughly 10 years), and :ansopt:`community.crypto.x509_certificate#module:selfsigned_not_before` to define from when the certificate is valid (default: now).
 
-To define further properties of the certificate, like the subject, Subject Alternative Names (SANs), key usages, name constraints, etc., you need to first create a Certificate Signing Request (CSR) and provide it to the :ref:`community.crypto.x509_certificate module <ansible_collections.community.crypto.x509_certificate_module>`. If you do not need the CSR file, you can use the :ref:`community.crypto.openssl_csr_pipe module <ansible_collections.community.crypto.openssl_csr_pipe_module>` as in the example below. (To store it to disk, use the :ref:`community.crypto.openssl_csr module <ansible_collections.community.crypto.openssl_csr_module>` instead.)
+To define further properties of the certificate, like the subject, Subject Alternative Names (SANs), key usages, name constraints, etc., you need to first create a Certificate Signing Request (CSR) and provide it to the :ansplugin:`community.crypto.x509_certificate module <community.crypto.x509_certificate#module>`. If you do not need the CSR file, you can use the :ansplugin:`community.crypto.openssl_csr_pipe module <community.crypto.openssl_csr_pipe#module>` as in the example below. (To store it to disk, use the :ansplugin:`community.crypto.openssl_csr module <community.crypto.openssl_csr#module>` instead.)
 
 .. code-block:: yaml+jinja
 

galaxy.yml

@@ -5,7 +5,7 @@
 
 namespace: community
 name: crypto
-version: 3.0.0-rc1
+version: 3.0.2
 readme: README.md
 authors:
   - Ansible (github.com/ansible)

plugins/module_utils/_crypto/module_backends/csr.py

@@ -546,7 +546,14 @@ class CertificateSigningRequestBackend:
                 return False
             params = cryptography_parse_key_usage_params(self.key_usage)
             for param, value in params.items():
-                if getattr(current_keyusage_ext.value, param) != value:
+                try:
+                    # param in ('encipher_only', 'decipher_only') can result in ValueError()
+                    # being raised if key_agreement == False.
+                    current_value = getattr(current_keyusage_ext.value, param)
+                except ValueError:
+                    # In that case, assume that the value is False.
+                    current_value = False
+                if current_value != value:
                     return False
             return current_keyusage_ext.critical == self.key_usage_critical
 

plugins/module_utils/_crypto/support.py

@@ -25,6 +25,7 @@ from ansible_collections.community.crypto.plugins.module_utils._crypto.pem impor
 
 try:
     from cryptography import x509
+    from cryptography.exceptions import UnsupportedAlgorithm
     from cryptography.hazmat.primitives import hashes, serialization
     from cryptography.hazmat.primitives.serialization import load_pem_private_key
 except ImportError:
@@ -168,13 +169,15 @@ def load_privatekey(
             priv_key_detail,
             None if passphrase is None else to_bytes(passphrase),
         )
+    except UnsupportedAlgorithm as exc:
+        raise OpenSSLBadPassphraseError(f"Unsupported private key type: {exc}") from exc
     except TypeError as exc:
         raise OpenSSLBadPassphraseError(
             "Wrong or empty passphrase provided for private key"
         ) from exc
     except ValueError as exc:
         raise OpenSSLBadPassphraseError(
-            "Wrong passphrase provided for private key"
+            f"Wrong passphrase provided for private key, or private key cannot be parsed: {exc}"
         ) from exc
 
 

plugins/modules/acme_ari_info.py

@@ -14,8 +14,7 @@ short_description: Retrieves ACME Renewal Information (ARI) for a certificate
 description:
   - Allows to retrieve renewal information on a certificate obtained with the L(ACME protocol,https://tools.ietf.org/html/rfc8555).
   - This module only works with the ACME v2 protocol, and requires the ACME server to support the ARI extension
-    (U(https://datatracker.ietf.org/doc/draft-ietf-acme-ari/)).
-    This module implements version 3 of the ARI draft.
+    (L(RFC 9773, https://www.rfc-editor.org/rfc/rfc9773.html)).
 extends_documentation_fragment:
   - community.crypto._acme.basic
   - community.crypto._acme.no_account
@@ -54,7 +53,7 @@ EXAMPLES = r"""
 
 RETURN = r"""
 renewal_info:
-  description: The ARI renewal info object (U(https://www.ietf.org/archive/id/draft-ietf-acme-ari-03.html#section-4.2)).
+  description: The ARI renewal info object (U(https://www.rfc-editor.org/rfc/rfc9773.html#section-4.2)).
   returned: success
   type: dict
   contains:

plugins/modules/acme_certificate.py

@@ -111,8 +111,8 @@ options:
       - Set to V(false) if you want to use the M(community.crypto.acme_account) module to manage your account instead, and
         to avoid accidental creation of a new account using an old key if you changed the account key with M(community.crypto.acme_account).
       - If set to V(false), O(terms_agreed) and O(account_email) are ignored.
+      - The current default V(true) is B(deprecated) and will change to V(false) in community.crypto 4.0.0.
     type: bool
-    default: true
   challenge:
     description:
       - The challenge to be performed.
@@ -236,8 +236,8 @@ options:
         type: str
   include_renewal_cert_id:
     description:
-      - Determines whether to request renewal of an existing certificate according to L(the ACME ARI draft 3,
-        https://www.ietf.org/archive/id/draft-ietf-acme-ari-03.html#section-5).
+      - Determines whether to request renewal of an existing certificate according to L(Section 5 of RFC 9773,
+        https://www.rfc-editor.org/rfc/rfc9773.html#section-5).
       - This is only used when the certificate specified in O(dest) or O(fullchain_dest) already exists.
       - Generally you should use V(when_ari_supported) if you know that the ACME service supports a compatible draft (or final
         version, once it is out) of the ARI extension. V(always) should never be necessary. If you are not sure, or if you
@@ -306,6 +306,7 @@ EXAMPLES = r"""
     account_key_content: "{{ account_private_key }}"
     csr: /etc/pki/cert/csr/sample.com.csr
     dest: /etc/httpd/ssl/sample.com.crt
+    modify_account: false
   register: sample_com_challenge
 
 # Alternative first step:
@@ -315,6 +316,7 @@ EXAMPLES = r"""
       {{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/account_private_key:value') }}
     csr: /etc/pki/cert/csr/sample.com.csr
     fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt
+    modify_account: false
   register: sample_com_challenge
 
 # Alternative first step:
@@ -324,6 +326,7 @@ EXAMPLES = r"""
     csr_content: "{{ lookup('file', '/etc/pki/cert/csr/sample.com.csr') }}"
     dest: /etc/httpd/ssl/sample.com.crt
     fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt
+    modify_account: false
   register: sample_com_challenge
 
 # perform the necessary steps to fulfill the challenge
@@ -352,6 +355,7 @@ EXAMPLES = r"""
     fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt
     chain_dest: /etc/httpd/ssl/sample.com-intermediate.crt
     data: "{{ sample_com_challenge }}"
+    modify_account: false
 
 ---
 ### Example with DNS challenge against production ACME server ###
@@ -366,6 +370,7 @@ EXAMPLES = r"""
     acme_directory: https://acme-v01.api.letsencrypt.org/directory
     # Renew if the certificate is at least 30 days old
     remaining_days: 60
+    modify_account: false
   register: sample_com_challenge
 
 # perform the necessary steps to fulfill the challenge
@@ -411,6 +416,7 @@ EXAMPLES = r"""
     acme_directory: https://acme-v01.api.letsencrypt.org/directory
     remaining_days: 60
     data: "{{ sample_com_challenge }}"
+    modify_account: false
   when: sample_com_challenge is changed
 
 # Alternative second step:
@@ -437,6 +443,7 @@ EXAMPLES = r"""
         issuer:
           CN: DST Root CA X3
           O: Digital Signature Trust Co.
+    modify_account: false
   when: sample_com_challenge is changed
 """
 
@@ -671,6 +678,18 @@ class ACMECertificateClient:
 
         # Make sure account exists
         modify_account = module.params["modify_account"]
+        if modify_account is None:
+            module.deprecate(
+                "The default 'true' for modify_account has been deprecated."
+                " The default will change to 'false' in community.crypto 4.0.0."
+                " We suggest to explicitly set this option to a value to avoid"
+                " this warning. We also recommend to not set it to 'true',"
+                " but to use the community.crypto.acme_account module instead.",
+                version="4.0.0",
+                collection_name="community.crypto",
+            )
+
+            modify_account = True
         contact = []
         if module.params["account_email"]:
             contact.append("mailto:" + module.params["account_email"])
@@ -949,7 +968,7 @@ def main() -> t.NoReturn:
     argument_spec = create_default_argspec(with_certificate=True)
     argument_spec.argument_spec["csr"]["aliases"] = ["src"]
     argument_spec.update_argspec(
-        modify_account={"type": "bool", "default": True},
+        modify_account={"type": "bool"},
         account_email={"type": "str"},
         agreement={
             "type": "str",

plugins/modules/acme_certificate_order_create.py

@@ -106,9 +106,9 @@ options:
   replaces_cert_id:
     description:
       - If provided, will request the order to replace the certificate identified by this certificate ID
-        according to L(the ACME ARI draft 3, https://www.ietf.org/archive/id/draft-ietf-acme-ari-03.html#section-5).
+        according to L(Section 5 of RFC 9773, https://www.rfc-editor.org/rfc/rfc9773.html#section-5).
       - This certificate ID must be computed as specified in
-        L(the ACME ARI draft 3, https://www.ietf.org/archive/id/draft-ietf-acme-ari-03.html#section-4.1).
+        L(Section 4.1 of RFC 9773, https://www.rfc-editor.org/rfc/rfc9773.html#section-4.1).
         It is returned as return value RV(community.crypto.acme_certificate_renewal_info#module:cert_id) of the
         M(community.crypto.acme_certificate_renewal_info) module.
       - ACME servers might refuse to create new orders that indicate to replace a certificate for which

plugins/modules/acme_certificate_order_info.py

@@ -175,10 +175,10 @@ order:
     replaces:
       description:
         - If the order was created to replace an existing certificate using the C(replaces) mechanism from
-          L(draft-ietf-acme-ari, https://datatracker.ietf.org/doc/draft-ietf-acme-ari/), this provides the
+          L(RFC 9773, https://www.rfc-editor.org/rfc/rfc9773.html), this provides the
           certificate ID of the certificate that will be replaced by this order.
       type: str
-      returned: when the certificate order is replacing a certificate through draft-ietf-acme-ari
+      returned: when the certificate order is replacing a certificate through RFC 9773
     profile:
       description:
         - If the ACME CA supports profiles through the L(draft-aaron-acme-profiles,

plugins/modules/acme_certificate_renewal_info.py

@@ -13,8 +13,8 @@ version_added: 2.20.0
 short_description: Determine whether a certificate should be renewed or not
 description:
   - Uses various information to determine whether a certificate should be renewed or not.
-  - If available, the ARI extension (ACME Renewal Information, U(https://datatracker.ietf.org/doc/draft-ietf-acme-ari/)) is
-    used. This module implements version 3 of the ARI draft.".
+  - If available, the ARI extension (ACME Renewal Information, L(RFC 9773, https://www.rfc-editor.org/rfc/rfc9773.html)) is
+    used.
 extends_documentation_fragment:
   - community.crypto._acme.basic
   - community.crypto._acme.no_account
@@ -49,7 +49,7 @@ options:
     description:
       - If ARI information is used, selects which algorithm is used to determine whether to renew now.
       - V(standard) selects the L(algorithm provided in the the ARI specification,
-        https://www.ietf.org/archive/id/draft-ietf-acme-ari-03.html#name-renewalinfo-objects).
+        https://www.rfc-editor.org/rfc/rfc9773.html#section-4.2).
       - V(start) returns RV(should_renew=true) once the start of the renewal interval has been reached.
     type: str
     choices:
@@ -152,7 +152,7 @@ supports_ari:
 
 cert_id:
   description:
-    - The certificate ID according to the L(ARI specification, https://www.ietf.org/archive/id/draft-ietf-acme-ari-03.html#section-4.1).
+    - The certificate ID according to L(Section 4.1 in RFC 9773, https://www.rfc-editor.org/rfc/rfc9773.html#section-4.1).
   returned: success, the certificate exists, and has an Authority Key Identifier X.509 extension
   type: str
   sample: aYhba4dGQEHhs3uEe6CuLN4ByNQ.AIdlQyE

plugins/modules/acme_challenge_cert_helper.py

@@ -77,6 +77,7 @@ EXAMPLES = r"""
     challenge: tls-alpn-01
     csr: /etc/pki/cert/csr/sample.com.csr
     dest: /etc/httpd/ssl/sample.com.crt
+    modify_account: false
   register: sample_com_challenge
 
 - name: Create certificates for challenges
@@ -110,6 +111,7 @@ EXAMPLES = r"""
     csr: /etc/pki/cert/csr/sample.com.csr
     dest: /etc/httpd/ssl/sample.com.crt
     data: "{{ sample_com_challenge }}"
+    modify_account: false
 """
 
 RETURN = r"""

plugins/modules/acme_inspect.py

@@ -123,6 +123,7 @@ EXAMPLES = r"""
     csr: /etc/pki/cert/csr/sample.com.csr
     fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt
     challenge: http-01
+    modify_account: false
   register: certificate_request
 
 # Assume something went wrong. certificate_request.order_uri contains

plugins/modules/openssh_keypair.py

@@ -159,6 +159,13 @@ EXAMPLES = r"""
     path: /tmp/id_ssh_rsa
     force: true
 
+- name: Regenerate SSH keypair only if format or options mismatch
+  community.crypto.openssh_keypair:
+    path: /home/devops/.ssh/id_ed25519
+    type: ed25519
+    regenerate: full_idempotence
+    private_key_format: ssh
+
 - name: Generate an OpenSSH keypair with a different algorithm (dsa)
   community.crypto.openssh_keypair:
     path: /tmp/id_ssh_dsa

plugins/plugin_utils/_action_module.py

@@ -227,7 +227,7 @@ class ActionModuleBase(ActionBase, metaclass=abc.ABCMeta):
         module.fail_json(msg="Not implemented.")
 
     def run(
-        self, tmp: None = None, task_vars: dict[str, t.Any] | None = None
+        self, tmp: str | None = None, task_vars: dict[str, t.Any] | None = None
     ) -> dict[str, t.Any]:
         if task_vars is None:
             task_vars = {}

tests/integration/targets/openssl_csr/tasks/impl.yml

@@ -165,6 +165,21 @@
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: csr_ku_xku_change_2
 
+- name: "({{ select_crypto_backend }}) Generate CSR with KU and XKU (idempotency 2)"
+  community.crypto.openssl_csr:
+    path: '{{ remote_tmp_dir }}/csr_ku_xku.csr'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
+    subject:
+      commonName: 'www.ansible.com'
+    keyUsage:
+      - digitalSignature
+    extendedKeyUsage:
+      - ipsecUser
+      - qcStatements
+      - Biometric Info
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: csr_ku_xku_change_2_idempotency
+
 - name: "({{ select_crypto_backend }}) Generate CSR with old API"
   community.crypto.openssl_csr:
     path: '{{ remote_tmp_dir }}/csr_oldapi.csr'

tests/integration/targets/openssl_csr/tests/validate.yml

@@ -56,6 +56,7 @@
       - csr_ku_xku is not changed
       - csr_ku_xku_change is changed
       - csr_ku_xku_change_2 is changed
+      - csr_ku_xku_change_2_idempotency is not changed
 
 - name: "({{ select_crypto_backend }}) Validate old_API CSR (test - Common Name)"
   ansible.builtin.command: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"

tests/integration/targets/openssl_privatekey_info/tasks/impl.yml

@@ -90,6 +90,32 @@
       - "'public_data' not in result"
       - "'private_data' not in result"
 
+- name: ({{ select_crypto_backend }}) Get key 3 info (with wrong passphrase)
+  community.crypto.openssl_privatekey_info:
+    path: '{{ remote_tmp_dir }}/privatekey_3.pem'
+    return_private_key_data: true
+    select_crypto_backend: '{{ select_crypto_backend }}'
+    passphrase: blabla
+  ignore_errors: true
+  register: result
+
+- name: Check that loading passphrase protected key with wrong passphrase failed
+  ansible.builtin.assert:
+    that:
+      - result is failed
+      # Check that return values are there
+      - result.can_load_key is defined
+      - result.can_parse_key is defined
+      # Check that return values are correct
+      - result.can_load_key
+      - not result.can_parse_key
+      # Check that additional data isn't there
+      - "'pulic_key' not in result"
+      - "'pulic_key_fingerprints' not in result"
+      - "'type' not in result"
+      - "'public_data' not in result"
+      - "'private_data' not in result"
+
 - name: ({{ select_crypto_backend }}) Get key 3 info (with passphrase)
   community.crypto.openssl_privatekey_info:
     path: '{{ remote_tmp_dir }}/privatekey_3.pem'
@@ -155,3 +181,53 @@
       - "result.public_data.y > 2"
       - "'private_data' in result"
       - "result.private_data.x > 2"
+
+- name: ({{ select_crypto_backend }}) Get empty key info
+  community.crypto.openssl_privatekey_info:
+    content: ''
+    return_private_key_data: true
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: result
+  ignore_errors: true
+
+- name: Check that empty key loading failed
+  ansible.builtin.assert:
+    that:
+      - result is failed
+      # Check that return values are there
+      - result.can_load_key is defined
+      - result.can_parse_key is defined
+      # Check that return values are correct
+      - result.can_load_key
+      - not result.can_parse_key
+      # Check that additional data isn't there
+      - "'pulic_key' not in result"
+      - "'pulic_key_fingerprints' not in result"
+      - "'type' not in result"
+      - "'public_data' not in result"
+      - "'private_data' not in result"
+
+- name: ({{ select_crypto_backend }}) Get corrupt key info
+  community.crypto.openssl_privatekey_info:
+    content: C0RRUPT
+    return_private_key_data: true
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: result
+  ignore_errors: true
+
+- name: Check that corrupt key loading failed
+  ansible.builtin.assert:
+    that:
+      - result is failed
+      # Check that return values are there
+      - result.can_load_key is defined
+      - result.can_parse_key is defined
+      # Check that return values are correct
+      - result.can_load_key
+      - not result.can_parse_key
+      # Check that additional data isn't there
+      - "'pulic_key' not in result"
+      - "'pulic_key_fingerprints' not in result"
+      - "'type' not in result"
+      - "'public_data' not in result"
+      - "'private_data' not in result"

tests/sanity/ignore-2.17.txt

@@ -1,4 +1,3 @@
-meta/runtime.yml runtime-metadata  # Bug in ansible-test: https://github.com/ansible/ansible/pull/85198
 plugins/module_utils/_acme/account.py pep8:E704
 plugins/module_utils/_acme/acme.py pep8:E704
 plugins/module_utils/_acme/acme.py pylint:unpacking-non-sequence

tests/sanity/ignore-2.18.txt

@@ -1,4 +1,3 @@
-meta/runtime.yml runtime-metadata  # Bug in ansible-test: https://github.com/ansible/ansible/pull/85198
 plugins/module_utils/_acme/account.py pep8:E704
 plugins/module_utils/_acme/acme.py pep8:E704
 plugins/module_utils/_acme/backend_openssl_cli.py pep8:E704

tests/sanity/ignore-2.19.txt

@@ -1,4 +1,3 @@
-meta/runtime.yml runtime-metadata  # Bug in ansible-test: https://github.com/ansible/ansible/pull/85198
 plugins/module_utils/_crypto/module_backends/certificate.py no-assert
 plugins/module_utils/_crypto/module_backends/certificate_acme.py no-assert
 plugins/module_utils/_crypto/module_backends/certificate_ownca.py no-assert

tests/sanity/ignore-2.20.txt

@@ -0,0 +1,12 @@
+plugins/module_utils/_crypto/module_backends/certificate.py no-assert
+plugins/module_utils/_crypto/module_backends/certificate_acme.py no-assert
+plugins/module_utils/_crypto/module_backends/certificate_ownca.py no-assert
+plugins/module_utils/_crypto/module_backends/certificate_selfsigned.py no-assert
+plugins/module_utils/_crypto/module_backends/csr.py no-assert
+plugins/module_utils/_crypto/module_backends/privatekey_convert.py no-assert
+plugins/module_utils/_openssh/backends/keypair_backend.py no-assert
+plugins/modules/acme_certificate.py no-assert
+plugins/modules/luks_device.py no-assert
+plugins/modules/openssl_pkcs12.py no-assert
+tests/ee/roles/smoke/library/smoke_ipaddress.py shebang
+tests/ee/roles/smoke/library/smoke_pyyaml.py shebang

tests/sanity/ignore-2.20.txt.license

@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project