ACME: new helper module for ACME challenges which need TLS certs (#43756)

* Added helper module for generating ACME challenge certificates.

* Soft-fail on missing cryptography. Also check version.

* Adding integration test.

* Move acme_challenge_cert_helper from web_infrastructure to crypto/acme.

* Adjusting to draft-05.

* The cryptography branch has already been merged.

test/integration/targets/acme_challenge_cert_helper/aliases

@@ -0,0 +1,2 @@
+shippable/cloud/group1
+cloud/acme

test/integration/targets/acme_challenge_cert_helper/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - setup_acme

test/integration/targets/acme_challenge_cert_helper/tasks/main.yml

@@ -0,0 +1,25 @@
+---
+- block:
+  - name: Create ECC256 account key
+    command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem
+  - name: Obtain cert 1
+    include_tasks: obtain-cert.yml
+    vars:
+      select_crypto_backend: auto
+      certgen_title: Certificate 1
+      certificate_name: cert-1
+      key_type: rsa
+      rsa_bits: 2048
+      subject_alt_name: "DNS:example.com"
+      subject_alt_name_critical: no
+      account_key: account-ec256
+      challenge: tls-alpn-01
+      challenge_alpn_tls: acme_challenge_cert_helper
+      modify_account: yes
+      deactivate_authzs: no
+      force: no
+      remaining_days: 10
+      terms_agreed: yes
+      account_email: "example@example.org"
+
+  when: openssl_version.stdout is version('1.0.0', '>=') or cryptography_version.stdout is version('1.5', '>=')

test/integration/targets/acme_challenge_cert_helper/tasks/obtain-cert.yml

@@ -0,0 +1 @@
+../../setup_acme/tasks/obtain-cert.yml

test/integration/targets/setup_acme/tasks/obtain-cert.yml

@@ -85,7 +85,25 @@
     body: "{{ item.value }}"
   with_dict: "{{ challenge_data.challenge_data_dns }}"
   when: "challenge_data is changed and challenge == 'dns-01'"
-- name: ({{ certgen_title }}) Create TLS ALPN challenges
+- name: ({{ certgen_title }}) Create TLS ALPN challenges (acm_challenge_cert_helper)
+  acme_challenge_cert_helper:
+    challenge: tls-alpn-01
+    challenge_data: "{{ item.value['tls-alpn-01'] }}"
+    private_key_src: "{{ output_dir }}/{{ certificate_name }}.key"
+  with_dict: "{{ challenge_data.challenge_data }}"
+  register: tls_alpn_challenges
+  when: "challenge_data is changed and challenge == 'tls-alpn-01' and (challenge_alpn_tls is defined and challenge_alpn_tls == 'acme_challenge_cert_helper')"
+- name: ({{ certgen_title }}) Set TLS ALPN challenges (acm_challenge_cert_helper)
+  uri:
+    url: "http://{{ acme_host }}:5000/tls-alpn/{{ item.domain }}/certificate-and-key"
+    method: PUT
+    body_format: raw
+    body: "{{ item.challenge_certificate }}\n{{ lookup('file', output_dir ~ '/' ~ certificate_name ~ '.key') }}"
+    headers:
+      content-type: "application/pem-certificate-chain"
+  with_items: "{{ tls_alpn_challenges.results }}"
+  when: "challenge_data is changed and challenge == 'tls-alpn-01' and (challenge_alpn_tls is defined and challenge_alpn_tls == 'acme_challenge_cert_helper')"
+- name: ({{ certgen_title }}) Create TLS ALPN challenges (der-value-b64)
   uri:
     url: "http://{{ acme_host }}:5000/tls-alpn/{{ item.value['tls-alpn-01'].resource }}/der-value-b64"
     method: PUT
@@ -94,7 +112,7 @@
     headers:
       content-type: "application/octet-stream"
   with_dict: "{{ challenge_data.challenge_data }}"
-  when: "challenge_data is changed and challenge == 'tls-alpn-01'"
+  when: "challenge_data is changed and challenge == 'tls-alpn-01' and (challenge_alpn_tls is not defined or challenge_alpn_tls == 'der-value-b64')"
 ## ACME STEP 2 ################################################################################
 - name: ({{ certgen_title }}) Obtain cert, step 2
   acme_certificate: