Release 2.26.2.

* Announce removal of Entrust content from community.crypto 3.0.0.

* Add more information on Entrust removal.

.azure-pipelines/azure-pipelines.yml

@@ -212,6 +212,8 @@ stages:
           targets:
             - name: macOS 15.3
               test: macos/15.3
+            - name: RHEL 10.0
+              test: rhel/10.0
             - name: RHEL 9.5
               test: rhel/9.5
             - name: FreeBSD 14.2

CHANGELOG.rst

@@ -4,6 +4,23 @@ Community Crypto Release Notes
 
 .. contents:: Topics
 
+v2.26.2
+=======
+
+Release Summary
+---------------
+
+Maintenance release announcing removal of the Entrust content from community.crypto 3.0.0.
+
+Deprecated Features
+-------------------
+
+- The Entrust service in currently being sunsetted after the sale of Entrust's Public Certificates Business to Sectigo; see `the announcement with key dates <https://www.entrust.com/tls-certificate-information-center>`__ and `the migration brief for customers <https://www.sectigo.com/uploads/resources/EOL_Migration-Brief-End-Customer.pdf>`__ for details (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
+- ecs_certificate - the module will be removed from community.crypto 3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
+- ecs_domain - the module will be removed from community.crypto 3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
+- x509_certificate - the ``entrust`` provider will be removed from community.crypto 3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
+- x509_certificate_pipe - the ``entrust`` provider will be removed from community.crypto 3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
+
 v2.26.1
 =======
 

README.md

@@ -7,9 +7,9 @@ SPDX-License-Identifier: GPL-3.0-or-later
 # Ansible Community Crypto Collection
 
 [![Documentation](https://img.shields.io/badge/docs-brightgreen.svg)](https://docs.ansible.com/ansible/devel/collections/community/crypto/)
-[![Build Status](https://dev.azure.com/ansible/community.crypto/_apis/build/status/CI?branchName=main)](https://dev.azure.com/ansible/community.crypto/_build?definitionId=21)
-[![EOL CI](https://github.com/ansible-collections/community.crypto/actions/workflows/ansible-test.yml/badge.svg?branch=main)](https://github.com/ansible-collections/community.crypto/actions)
-[![Nox CI](https://github.com/ansible-collections/community.crypto/actions/workflows/nox.yml/badge.svg?branch=main)](https://github.com/ansible-collections/community.crypto/actions)
+[![Build Status](https://dev.azure.com/ansible/community.crypto/_apis/build/status/CI?branchName=stable-2)](https://dev.azure.com/ansible/community.crypto/_build?definitionId=21)
+[![EOL CI](https://github.com/ansible-collections/community.crypto/actions/workflows/ansible-test.yml/badge.svg?branch=stable-2)](https://github.com/ansible-collections/community.crypto/actions)
+[![Nox CI](https://github.com/ansible-collections/community.crypto/actions/workflows/nox.yml/badge.svg?branch=stable-2)](https://github.com/ansible-collections/community.crypto/actions)
 [![Codecov](https://img.shields.io/codecov/c/github/ansible-collections/community.crypto)](https://codecov.io/gh/ansible-collections/community.crypto)
 [![REUSE status](https://api.reuse.software/badge/github.com/ansible-collections/community.crypto)](https://api.reuse.software/info/github.com/ansible-collections/community.crypto)
 
@@ -54,7 +54,7 @@ Browsing the [**latest** collection documentation](https://docs.ansible.com/ansi
 
 Browsing the [**devel** collection documentation](https://docs.ansible.com/ansible/devel/collections/community/crypto) shows docs for the _latest version released on Galaxy_.
 
-We also separately publish [**latest commit** collection documentation](https://ansible-collections.github.io/community.crypto/branch/main/) which shows docs for the _latest commit in the `main` branch_.
+We also separately publish [**latest commit** collection documentation](https://ansible-collections.github.io/community.crypto/branch/stable-2/) which shows docs for the _latest commit in the `stable-2` branch_.
 
 If you use the Ansible package and do not update collections independently, use **latest**. If you install or update this collection directly from Galaxy, use **devel**. If you are looking to contribute, use **latest commit**.
 
@@ -109,7 +109,7 @@ If you use the Ansible package and do not update collections independently, use
   - luks_device module
   - parse_serial and to_serial filters
 
-You can also find a list of all modules and plugins with documentation on the [Ansible docs site](https://docs.ansible.com/ansible/latest/collections/community/crypto/), or the [latest commit collection documentation](https://ansible-collections.github.io/community.crypto/branch/main/).
+You can also find a list of all modules and plugins with documentation on the [Ansible docs site](https://docs.ansible.com/ansible/latest/collections/community/crypto/), or the [latest commit collection documentation](https://ansible-collections.github.io/community.crypto/branch/stable-2/).
 
 ## Using this collection
 
@@ -141,19 +141,15 @@ See [Ansible's dev guide](https://docs.ansible.com/ansible/devel/dev_guide/devel
 
 ## Release notes
 
-See the [changelog](https://github.com/ansible-collections/community.crypto/blob/main/CHANGELOG.md).
+See the [changelog](https://github.com/ansible-collections/community.crypto/blob/stable-2/CHANGELOG.md).
 
 ## Roadmap
 
 We plan to regularly release minor and patch versions, whenever new features are added or bugs fixed. Our collection follows [semantic versioning](https://semver.org/), so breaking changes will only happen in major releases.
 
-Most modules will drop PyOpenSSL support in version 2.0.0 of the collection, i.e. in the next major version. We currently plan to release 2.0.0 somewhen during 2021. Around then, the supported versions of the most common distributions will contain a new enough version of ``cryptography``.
-
-Once 2.0.0 has been released, bugfixes will still be backported to 1.0.0 for some time, and some features might also be backported. If we do not want to backport something ourselves because we think it is not worth the effort, backport PRs by non-maintainers are usually accepted.
-
-In 2.0.0, the following notable features will be removed:
-* PyOpenSSL backends of all modules, except ``openssl_pkcs12`` which does not have a ``cryptography`` backend due to lack of support of PKCS#12 functionality in ``cryptography``.
-* The ``assertonly`` provider of ``x509_certificate`` will be removed.
+In 2.0.0, the following notable features have been removed:
+* PyOpenSSL backends of all modules, except ``openssl_pkcs12`` which did now have a ``cryptography`` backend for a long time due to lack of support of PKCS#12 functionality in ``cryptography``. (This changed.)
+* The ``assertonly`` provider of ``x509_certificate`` has been removed.
 
 ## More information
 
@@ -166,8 +162,8 @@ In 2.0.0, the following notable features will be removed:
 
 This collection is primarily licensed and distributed as a whole under the GNU General Public License v3.0 or later.
 
-See [LICENSES/GPL-3.0-or-later.txt](https://github.com/ansible-collections/community.crypto/blob/main/COPYING) for the full text.
+See [LICENSES/GPL-3.0-or-later.txt](https://github.com/ansible-collections/community.crypto/blob/stable-2/COPYING) for the full text.
 
-Parts of the collection are licensed under the [Apache 2.0 license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/Apache-2.0.txt) (`plugins/module_utils/crypto/_obj2txt.py` and `plugins/module_utils/crypto/_objects_data.py`), the [BSD 2-Clause license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/BSD-2-Clause.txt) (`plugins/module_utils/ecs/api.py`), the [BSD 3-Clause license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/BSD-3-Clause.txt) (`plugins/module_utils/crypto/_obj2txt.py`, `tests/integration/targets/prepare_jinja2_compat/filter_plugins/jinja_compatibility.py`), and the [PSF 2.0 license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/PSF-2.0.txt) (`plugins/module_utils/_version.py`). This only applies to vendored files in ``plugins/module_utils/`` and to the ECS module utils.
+Parts of the collection are licensed under the [Apache 2.0 license](https://github.com/ansible-collections/community.crypto/blob/stable-2/LICENSES/Apache-2.0.txt) (`plugins/module_utils/crypto/_obj2txt.py` and `plugins/module_utils/crypto/_objects_data.py`), the [BSD 2-Clause license](https://github.com/ansible-collections/community.crypto/blob/stable-2/LICENSES/BSD-2-Clause.txt) (`plugins/module_utils/ecs/api.py`), the [BSD 3-Clause license](https://github.com/ansible-collections/community.crypto/blob/stable-2/LICENSES/BSD-3-Clause.txt) (`plugins/module_utils/crypto/_obj2txt.py`, `tests/integration/targets/prepare_jinja2_compat/filter_plugins/jinja_compatibility.py`), and the [PSF 2.0 license](https://github.com/ansible-collections/community.crypto/blob/stable-2/LICENSES/PSF-2.0.txt) (`plugins/module_utils/_version.py`). This only applies to vendored files in ``plugins/module_utils/`` and to the ECS module utils.
 
 All files have a machine readable `SDPX-License-Identifier:` comment denoting its respective license(s) or an equivalent entry in an accompanying `.license` file. Only changelog fragments (which will not be part of a release) are covered by a blanket statement in `REUSE.toml`. This conforms to the [REUSE specification](https://reuse.software/spec/).

changelogs/changelog.yaml

@@ -1643,3 +1643,28 @@ releases:
       - 867-passphrase-encoding-nolog.yml
       - 868-luks-remove-keyslot.yml
     release_date: '2025-04-28'
+  2.26.2:
+    changes:
+      deprecated_features:
+        - The Entrust service in currently being sunsetted after the sale of Entrust's
+          Public Certificates Business to Sectigo; see `the announcement with key
+          dates <https://www.entrust.com/tls-certificate-information-center>`__ and
+          `the migration brief for customers <https://www.sectigo.com/uploads/resources/EOL_Migration-Brief-End-Customer.pdf>`__
+          for details (https://github.com/ansible-collections/community.crypto/issues/895,
+          https://github.com/ansible-collections/community.crypto/pull/901).
+        - ecs_certificate - the module will be removed from community.crypto 3.0.0
+          (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
+        - ecs_domain - the module will be removed from community.crypto 3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895,
+          https://github.com/ansible-collections/community.crypto/pull/901).
+        - x509_certificate - the ``entrust`` provider will be removed from community.crypto
+          3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895,
+          https://github.com/ansible-collections/community.crypto/pull/901).
+        - x509_certificate_pipe - the ``entrust`` provider will be removed from community.crypto
+          3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895,
+          https://github.com/ansible-collections/community.crypto/pull/901).
+      release_summary: Maintenance release announcing removal of the Entrust content
+        from community.crypto 3.0.0.
+    fragments:
+      - 2.26.2.yml
+      - 901-remove-entrust.yml
+    release_date: '2025-05-22'

galaxy.yml

@@ -5,7 +5,7 @@
 
 namespace: community
 name: crypto
-version: 2.26.1
+version: 2.26.2
 readme: README.md
 authors:
   - Ansible (github.com/ansible)

plugins/doc_fragments/acme.py

@@ -192,7 +192,8 @@ options:
       - Mutually exclusive with O(account_key_content).
       - Required if O(account_key_content) is not used.
     type: path
-    aliases: [account_key]
+    aliases:
+      - account_key
   account_key_content:
     description:
       - Content of the ACME account RSA or Elliptic Curve key.

plugins/doc_fragments/module_certificate.py

@@ -377,7 +377,8 @@ options:
       - This is only used by the V(selfsigned) provider.
     type: str
     default: +0s
-    aliases: [ selfsigned_notBefore ]
+    aliases:
+      - selfsigned_notBefore
 
   selfsigned_not_after:
     description:
@@ -395,7 +396,8 @@ options:
         Please see U(https://support.apple.com/en-us/HT210176) for more details.
     type: str
     default: +3650d
-    aliases: [ selfsigned_notAfter ]
+    aliases:
+      - selfsigned_notAfter
 
   selfsigned_create_subject_key_identifier:
     description:

plugins/doc_fragments/module_csr.py

@@ -75,37 +75,51 @@ options:
     description:
       - The countryName field of the certificate signing request subject.
     type: str
-    aliases: [C, countryName]
+    aliases:
+      - C
+      - countryName
   state_or_province_name:
     description:
       - The stateOrProvinceName field of the certificate signing request subject.
     type: str
-    aliases: [ST, stateOrProvinceName]
+    aliases:
+      - ST
+      - stateOrProvinceName
   locality_name:
     description:
       - The localityName field of the certificate signing request subject.
     type: str
-    aliases: [L, localityName]
+    aliases:
+      - L
+      - localityName
   organization_name:
     description:
       - The organizationName field of the certificate signing request subject.
     type: str
-    aliases: [O, organizationName]
+    aliases:
+      - O
+      - organizationName
   organizational_unit_name:
     description:
       - The organizationalUnitName field of the certificate signing request subject.
     type: str
-    aliases: [OU, organizationalUnitName]
+    aliases:
+      - OU
+      - organizationalUnitName
   common_name:
     description:
       - The commonName field of the certificate signing request subject.
     type: str
-    aliases: [CN, commonName]
+    aliases:
+      - CN
+      - commonName
   email_address:
     description:
       - The emailAddress field of the certificate signing request subject.
     type: str
-    aliases: [E, emailAddress]
+    aliases:
+      - E
+      - emailAddress
   subject_alt_name:
     description:
       - Subject Alternative Name (SAN) extension to attach to the certificate signing request.
@@ -116,63 +130,75 @@ options:
       - More at U(https://tools.ietf.org/html/rfc5280#section-4.2.1.6).
     type: list
     elements: str
-    aliases: [subjectAltName]
+    aliases:
+      - subjectAltName
   subject_alt_name_critical:
     description:
       - Should the subjectAltName extension be considered as critical.
     type: bool
     default: false
-    aliases: [subjectAltName_critical]
+    aliases:
+      - subjectAltName_critical
   use_common_name_for_san:
     description:
       - If set to V(true), the module will fill the common name in for O(subject_alt_name) with C(DNS:) prefix if no SAN is
         specified.
     type: bool
     default: true
-    aliases: [useCommonNameForSAN]
+    aliases:
+      - useCommonNameForSAN
   key_usage:
     description:
       - This defines the purpose (for example encipherment, signature, certificate signing) of the key contained in the certificate.
     type: list
     elements: str
-    aliases: [keyUsage]
+    aliases:
+      - keyUsage
   key_usage_critical:
     description:
       - Should the keyUsage extension be considered as critical.
     type: bool
     default: false
-    aliases: [keyUsage_critical]
+    aliases:
+      - keyUsage_critical
   extended_key_usage:
     description:
       - Additional restrictions (for example client authentication, server authentication) on the allowed purposes for which
         the public key may be used.
     type: list
     elements: str
-    aliases: [extKeyUsage, extendedKeyUsage]
+    aliases:
+      - extKeyUsage
+      - extendedKeyUsage
   extended_key_usage_critical:
     description:
       - Should the extkeyUsage extension be considered as critical.
     type: bool
     default: false
-    aliases: [extKeyUsage_critical, extendedKeyUsage_critical]
+    aliases:
+      - extKeyUsage_critical
+      - extendedKeyUsage_critical
   basic_constraints:
     description:
       - Indicates basic constraints, such as if the certificate is a CA.
     type: list
     elements: str
-    aliases: [basicConstraints]
+    aliases:
+      - basicConstraints
   basic_constraints_critical:
     description:
       - Should the basicConstraints extension be considered as critical.
     type: bool
     default: false
-    aliases: [basicConstraints_critical]
+    aliases:
+      - basicConstraints_critical
   ocsp_must_staple:
     description:
       - Indicates that the certificate should contain the OCSP Must Staple extension (U(https://tools.ietf.org/html/rfc7633)).
     type: bool
     default: false
-    aliases: [ocspMustStaple]
+    aliases:
+      - ocspMustStaple
   ocsp_must_staple_critical:
     description:
       - Should the OCSP Must Staple extension be considered as critical.
@@ -180,7 +206,8 @@ options:
         OCSP Must Staple are required to reject such certificates (see U(https://tools.ietf.org/html/rfc7633#section-4)).
     type: bool
     default: false
-    aliases: [ocspMustStaple_critical]
+    aliases:
+      - ocspMustStaple_critical
   name_constraints_permitted:
     description:
       - For CA certificates, this specifies a list of identifiers which describe subtrees of names that this CA is allowed

tests/integration/targets/prepare_http_tests/tasks/default.yml

@@ -3,9 +3,13 @@
 # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-- name: RedHat - Enable the dynamic CA configuration feature
+- name: RedHat - Enable the dynamic CA configuration feature (RHEL up to 9)
   command: update-ca-trust force-enable
-  when: ansible_os_family == 'RedHat' and ansible_distribution != "Fedora"
+  when: ansible_os_family == 'RedHat' and ansible_distribution != "Fedora" and (ansible_distribution_major_version | int) < 10
+
+- name: RedHat - Enable the dynamic CA configuration feature (RHEL 10+)
+  command: update-ca-trust
+  when: ansible_os_family == 'RedHat' and ansible_distribution != "Fedora" and (ansible_distribution_major_version | int) >= 10
 
 - name: RedHat - Retrieve test cacert
   get_url:

tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml

@@ -101,7 +101,7 @@
   when: select_crypto_backend != 'cryptography'
 
 - block:
-    - name: (Selfsigned validateion, {{ select_crypto_backend }} Validate certificate v2 is failed
+    - name: (Selfsigned validation, {{ select_crypto_backend }} Validate certificate v2 is failed
       assert:
         that:
           - selfsigned_v2_cert is failed