ACME: use Cryptography (if a new enough version is available) instead of OpenSSL (#42170)

* Collecting PEM -> DER conversions. * Using cryptography instead of OpenSSL binary in some situations. * Moving key-to-disk writing for key content to parse_account_key. * Rename parse_account_key -> parse_key. * Move OpenSSL specific code for key parsing and request signing into global functions. * Also using cryptography for key parsing and request signing. * Remove assert statements. * Fixing handling of key contents for cryptography code path. * Allow to disable the use of cryptography. * Updating documentation. * 1.5 seems to work as well (earlier versions don't have EC sign function). Making Python 2.x adjustments. * Changing option to select_crypto_backend. * Python 2.6 compatibility. * Trying to test both backends separately for acme_account. * Also testing both backends separately for acme_certificate and acme_certificate_revoke. * Adding changelog entry which informs about select_crypto_backend option in case autodetect fails. * Fixing YAML.
2026-05-07 05:42:50 +00:00 · 2018-08-12 19:12:01 +02:00
parent 7f41f0168a
commit aef16ee195
13 changed files with 1031 additions and 671 deletions
--- a/test/integration/targets/acme_account/tasks/impl.yml
+++ b/test/integration/targets/acme_account/tasks/impl.yml
@@ -0,0 +1,157 @@
+- name: Generate account key
+  command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem
+
+- name: Parse account key (to ease debugging some test failures)
+  command: openssl ec -in {{ output_dir }}/accountkey.pem -noout -text
+
+- name: Do not try to create account
+  acme_account:
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    account_key_src: "{{ output_dir }}/accountkey.pem"
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: no
+    state: present
+    allow_creation: no
+  ignore_errors: yes
+  register: account_not_created
+
+- name: Create it now
+  acme_account:
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    account_key_src: "{{ output_dir }}/accountkey.pem"
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: no
+    state: present
+    allow_creation: yes
+    terms_agreed: yes
+    contact:
+    - mailto:example@example.org
+  register: account_created
+
+- name: Change email address
+  acme_account:
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    account_key_content: "{{ lookup('file', output_dir ~ '/accountkey.pem') }}"
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: no
+    state: present
+    # allow_creation: no
+    contact:
+    - mailto:example@example.com
+  register: account_modified
+
+- name: Change email address (idempotent)
+  acme_account:
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    account_key_src: "{{ output_dir }}/accountkey.pem"
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: no
+    state: present
+    # allow_creation: no
+    contact:
+    - mailto:example@example.com
+  register: account_modified_idempotent
+
+- name: Generate new account key
+  command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/accountkey2.pem
+
+- name: Parse account key (to ease debugging some test failures)
+  command: openssl ec -in {{ output_dir }}/accountkey2.pem -noout -text
+
+# Note that pebble has no change key endpoint implemented yet!
+# When it has (and the container was updated), uncomment the
+# uncomment the following tests, and delete the ones below the
+# out-commented ones.
+
+# - name: Change account key
+#   acme_account:
+#     select_crypto_backend: "{{ select_crypto_backend }}"
+#     account_key_src: "{{ output_dir }}/accountkey.pem"
+#     acme_version: 2
+#     acme_directory: https://{{ acme_host }}:14000/dir
+#     validate_certs: no
+#     new_account_key_src: "{{ output_dir }}/accountkey2.pem"
+#     state: changed_key
+#     contact:
+#     - mailto:example@example.com
+#   register: account_change_key
+
+# - name: Deactivate account
+#   acme_account:
+#     select_crypto_backend: "{{ select_crypto_backend }}"
+#     account_key_src: "{{ output_dir }}/accountkey2.pem"
+#     acme_version: 2
+#     acme_directory: https://{{ acme_host }}:14000/dir
+#     validate_certs: no
+#     state: absent
+#   register: account_deactivate
+
+# - name: Deactivate account (idempotent)
+#   acme_account:
+#     select_crypto_backend: "{{ select_crypto_backend }}"
+#     account_key_src: "{{ output_dir }}/accountkey2.pem"
+#     acme_version: 2
+#     acme_directory: https://{{ acme_host }}:14000/dir
+#     validate_certs: no
+#     state: absent
+#   register: account_deactivate_idempotent
+
+# - name: Do not try to create account II
+#   acme_account:
+#     select_crypto_backend: "{{ select_crypto_backend }}"
+#     account_key_src: "{{ output_dir }}/accountkey2.pem"
+#     acme_version: 2
+#     acme_directory: https://{{ acme_host }}:14000/dir
+#     validate_certs: no
+#     state: present
+#     allow_creation: no
+#   ignore_errors: yes
+#   register: account_not_created_2
+
+# - name: Do not try to create account III
+#   acme_account:
+#     select_crypto_backend: "{{ select_crypto_backend }}"
+#     account_key_src: "{{ output_dir }}/accountkey.pem"
+#     acme_version: 2
+#     acme_directory: https://{{ acme_host }}:14000/dir
+#     validate_certs: no
+#     state: present
+#     allow_creation: no
+#   ignore_errors: yes
+#   register: account_not_created_3
+
+- name: Deactivate account
+  acme_account:
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    account_key_src: "{{ output_dir }}/accountkey.pem"
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: no
+    state: absent
+  register: account_deactivate
+
+- name: Deactivate account (idempotent)
+  acme_account:
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    account_key_src: "{{ output_dir }}/accountkey.pem"
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: no
+    state: absent
+  register: account_deactivate_idempotent
+
+- name: Do not try to create account II
+  acme_account:
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    account_key_src: "{{ output_dir }}/accountkey.pem"
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: no
+    state: present
+    allow_creation: no
+  ignore_errors: yes
+  register: account_not_created_2
--- a/test/integration/targets/acme_account/tasks/main.yml
+++ b/test/integration/targets/acme_account/tasks/main.yml
@@ -1,152 +1,31 @@
 ---
 - block:
-  - name: Generate account key
-    command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem
-
-  - name: Parse account key (to ease debugging some test failures)
-    command: openssl ec -in {{ output_dir }}/accountkey.pem -noout -text
-
-  - name: Do not try to create account
-    acme_account:
-      account_key_src: "{{ output_dir }}/accountkey.pem"
-      acme_version: 2
-      acme_directory: https://{{ acme_host }}:14000/dir
-      validate_certs: no
-      state: present
-      allow_creation: no
-    ignore_errors: yes
-    register: account_not_created
-
-  - name: Create it now
-    acme_account:
-      account_key_src: "{{ output_dir }}/accountkey.pem"
-      acme_version: 2
-      acme_directory: https://{{ acme_host }}:14000/dir
-      validate_certs: no
-      state: present
-      allow_creation: yes
-      terms_agreed: yes
-      contact:
-      - mailto:example@example.org
-    register: account_created
-
-  - name: Change email address
-    acme_account:
-      account_key_content: "{{ lookup('file', output_dir ~ '/accountkey.pem') }}"
-      acme_version: 2
-      acme_directory: https://{{ acme_host }}:14000/dir
-      validate_certs: no
-      state: present
-      # allow_creation: no
-      contact:
-      - mailto:example@example.com
-    register: account_modified
-
-  - name: Change email address (idempotent)
-    acme_account:
-      account_key_src: "{{ output_dir }}/accountkey.pem"
-      acme_version: 2
-      acme_directory: https://{{ acme_host }}:14000/dir
-      validate_certs: no
-      state: present
-      # allow_creation: no
-      contact:
-      - mailto:example@example.com
-    register: account_modified_idempotent
-
-  - name: Generate new account key
-    command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/accountkey2.pem
-
-  - name: Parse account key (to ease debugging some test failures)
-    command: openssl ec -in {{ output_dir }}/accountkey2.pem -noout -text
-
-# Note that pebble has no change key endpoint implemented yet!
-# When it has (and the container was updated), uncomment the
-# uncomment the following tests, and delete the ones below the
-# out-commented ones.
-
-#  - name: Change account key
-#    acme_account:
-#      account_key_src: "{{ output_dir }}/accountkey.pem"
-#      acme_version: 2
-#      acme_directory: https://{{ acme_host }}:14000/dir
-#      validate_certs: no
-#      new_account_key_src: "{{ output_dir }}/accountkey2.pem"
-#      state: changed_key
-#      contact:
-#      - mailto:example@example.com
-#    register: account_change_key
-
-#  - name: Deactivate account
-#    acme_account:
-#      account_key_src: "{{ output_dir }}/accountkey2.pem"
-#      acme_version: 2
-#      acme_directory: https://{{ acme_host }}:14000/dir
-#      validate_certs: no
-#      state: absent
-#    register: account_deactivate
-
-#  - name: Deactivate account (idempotent)
-#    acme_account:
-#      account_key_src: "{{ output_dir }}/accountkey2.pem"
-#      acme_version: 2
-#      acme_directory: https://{{ acme_host }}:14000/dir
-#      validate_certs: no
-#      state: absent
-#    register: account_deactivate_idempotent
-
-#  - name: Do not try to create account II
-#    acme_account:
-#      account_key_src: "{{ output_dir }}/accountkey2.pem"
-#      acme_version: 2
-#      acme_directory: https://{{ acme_host }}:14000/dir
-#      validate_certs: no
-#      state: present
-#      allow_creation: no
-#    ignore_errors: yes
-#    register: account_not_created_2
-
-#  - name: Do not try to create account III
-#    acme_account:
-#      account_key_src: "{{ output_dir }}/accountkey.pem"
-#      acme_version: 2
-#      acme_directory: https://{{ acme_host }}:14000/dir
-#      validate_certs: no
-#      state: present
-#      allow_creation: no
-#    ignore_errors: yes
-#    register: account_not_created_3
-
-  - name: Deactivate account
-    acme_account:
-      account_key_src: "{{ output_dir }}/accountkey.pem"
-      acme_version: 2
-      acme_directory: https://{{ acme_host }}:14000/dir
-      validate_certs: no
-      state: absent
-    register: account_deactivate
-
-  - name: Deactivate account (idempotent)
-    acme_account:
-      account_key_src: "{{ output_dir }}/accountkey.pem"
-      acme_version: 2
-      acme_directory: https://{{ acme_host }}:14000/dir
-      validate_certs: no
-      state: absent
-    register: account_deactivate_idempotent
-
-  - name: Do not try to create account II
-    acme_account:
-      account_key_src: "{{ output_dir }}/accountkey.pem"
-      acme_version: 2
-      acme_directory: https://{{ acme_host }}:14000/dir
-      validate_certs: no
-      state: present
-      allow_creation: no
-    ignore_errors: yes
-    register: account_not_created_2
+  - name: Running tests with OpenSSL backend
+    include_tasks: impl.yml
+    vars:
+      select_crypto_backend: openssl

  - import_tasks: ../tests/validate.yml

  # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
  when: openssl_version.stdout is version('1.0.0', '>=')
+
+- name: Remove output directory
+  file:
+    path: "{{ output_dir }}"
+    state: absent
+
+- name: Re-create output directory
+  file:
+    path: "{{ output_dir }}"
+    state: directory
+
+- block:
+  - name: Running tests with cryptography backend
+    include_tasks: impl.yml
+    vars:
+      select_crypto_backend: cryptography
+
+  - import_tasks: ../tests/validate.yml
+
+  when: cryptography_version.stdout is version('1.5', '>=')
--- a/test/integration/targets/acme_certificate/tasks/impl.yml
+++ b/test/integration/targets/acme_certificate/tasks/impl.yml
@@ -0,0 +1,240 @@
+---
+## SET UP ACCOUNT KEYS ########################################################################
+- name: Create ECC256 account key
+  command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem
+- name: Create ECC384 account key
+  command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem
+- name: Create RSA-2048 account key
+  command: openssl genrsa -out {{ output_dir }}/account-rsa2048.pem 2048
+## SET UP ACCOUNTS ############################################################################
+- name: Make sure ECC256 account hasn't been created yet
+  acme_account:
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: no
+    account_key_src: "{{ output_dir }}/account-ec256.pem"
+    state: absent
+- name: Create ECC384 account
+  acme_account:
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: no
+    account_key_content: "{{ lookup('file', output_dir ~ '/account-ec384.pem') }}"
+    state: present
+    allow_creation: yes
+    terms_agreed: yes
+    contact:
+    - mailto:example@example.org
+    - mailto:example@example.com
+- name: Create RSA-2048 account
+  acme_account:
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: no
+    account_key_src: "{{ output_dir }}/account-rsa2048.pem"
+    state: present
+    allow_creation: yes
+    terms_agreed: yes
+    contact: []
+## OBTAIN CERTIFICATES ########################################################################
+- name: Obtain cert 1
+  include_tasks: obtain-cert.yml
+  vars:
+    certgen_title: Certificate 1
+    certificate_name: cert-1
+    key_type: rsa
+    rsa_bits: 2048
+    subject_alt_name: "DNS:example.com"
+    subject_alt_name_critical: no
+    account_key: account-ec256
+    challenge: http-01
+    modify_account: yes
+    deactivate_authzs: no
+    force: no
+    remaining_days: 10
+    terms_agreed: yes
+    account_email: "example@example.org"
+- name: Obtain cert 2
+  include_tasks: obtain-cert.yml
+  vars:
+    certgen_title: Certificate 2
+    certificate_name: cert-2
+    key_type: ec256
+    subject_alt_name: "DNS:*.example.com,DNS:example.com"
+    subject_alt_name_critical: yes
+    account_key: account-ec384
+    challenge: dns-01
+    modify_account: no
+    deactivate_authzs: yes
+    force: no
+    remaining_days: 10
+    terms_agreed: no
+    account_email: ""
+- name: Obtain cert 3
+  include_tasks: obtain-cert.yml
+  vars:
+    certgen_title: Certificate 3
+    certificate_name: cert-3
+    key_type: ec384
+    subject_alt_name: "DNS:*.example.com,DNS:example.org,DNS:t1.example.com"
+    subject_alt_name_critical: no
+    account_key_content: "{{ lookup('file', output_dir ~ '/account-rsa2048.pem') }}"
+    challenge: dns-01
+    modify_account: no
+    deactivate_authzs: no
+    force: no
+    remaining_days: 10
+    terms_agreed: no
+    account_email: ""
+- name: Obtain cert 4
+  include_tasks: obtain-cert.yml
+  vars:
+    certgen_title: Certificate 4
+    certificate_name: cert-4
+    key_type: rsa
+    rsa_bits: 2048
+    subject_alt_name: "DNS:example.com,DNS:t1.example.com,DNS:test.t2.example.com,DNS:example.org,DNS:test.example.org"
+    subject_alt_name_critical: no
+    account_key: account-rsa2048
+    challenge: http-01
+    modify_account: no
+    deactivate_authzs: yes
+    force: yes
+    remaining_days: 10
+    terms_agreed: no
+    account_email: ""
+- name: Obtain cert 5
+  include_tasks: obtain-cert.yml
+  vars:
+    certgen_title: Certificate 5, Iteration 1/4
+    certificate_name: cert-5
+    key_type: ec521
+    subject_alt_name: "DNS:t2.example.com"
+    subject_alt_name_critical: no
+    account_key: account-ec384
+    challenge: http-01
+    modify_account: no
+    deactivate_authzs: yes
+    force: yes
+    remaining_days: 10
+    terms_agreed: no
+    account_email: ""
+- name: Obtain cert 5 (should not, since already there and valid for more than 10 days)
+  include_tasks: obtain-cert.yml
+  vars:
+    certgen_title: Certificate 5, Iteration 2/4
+    certificate_name: cert-5
+    key_type: ec521
+    subject_alt_name: "DNS:t2.example.com"
+    subject_alt_name_critical: no
+    account_key: account-ec384
+    challenge: http-01
+    modify_account: no
+    deactivate_authzs: yes
+    force: no
+    remaining_days: 10
+    terms_agreed: no
+    account_email: ""
+- set_fact:
+    cert_5_recreate_1: "{{ challenge_data is changed }}"
+- name: Obtain cert 5 (should again by less days)
+  include_tasks: obtain-cert.yml
+  vars:
+    certgen_title: Certificate 5, Iteration 3/4
+    certificate_name: cert-5
+    key_type: ec521
+    subject_alt_name: "DNS:t2.example.com"
+    subject_alt_name_critical: no
+    account_key: account-ec384
+    challenge: http-01
+    modify_account: no
+    deactivate_authzs: yes
+    force: yes
+    remaining_days: 1000
+    terms_agreed: no
+    account_email: ""
+- set_fact:
+    cert_5_recreate_2: "{{ challenge_data is changed }}"
+- name: Obtain cert 5 (should again by force)
+  include_tasks: obtain-cert.yml
+  vars:
+    certgen_title: Certificate 5, Iteration 4/4
+    certificate_name: cert-5
+    key_type: ec521
+    subject_alt_name: "DNS:t2.example.com"
+    subject_alt_name_critical: no
+    account_key_content: "{{ lookup('file', output_dir ~ '/account-ec384.pem') }}"
+    challenge: http-01
+    modify_account: no
+    deactivate_authzs: yes
+    force: yes
+    remaining_days: 10
+    terms_agreed: no
+    account_email: ""
+- set_fact:
+    cert_5_recreate_3: "{{ challenge_data is changed }}"
+- name: Obtain cert 6
+  include_tasks: obtain-cert.yml
+  vars:
+    certgen_title: Certificate 6
+    certificate_name: cert-6
+    key_type: rsa
+    rsa_bits: 2048
+    subject_alt_name: "DNS:example.org"
+    subject_alt_name_critical: no
+    account_key: account-ec256
+    challenge: tls-alpn-01
+    modify_account: yes
+    deactivate_authzs: no
+    force: no
+    remaining_days: 10
+    terms_agreed: yes
+    account_email: "example@example.org"
+## DISSECT CERTIFICATES #######################################################################
+# Make sure certificates are valid. Root certificate for Pebble equals the chain certificate.
+- name: Verifying cert 1
+  command: openssl verify -CAfile "{{ output_dir }}/cert-1-chain.pem" "{{ output_dir }}/cert-1.pem"
+  ignore_errors: yes
+  register: cert_1_valid
+- name: Verifying cert 2
+  command: openssl verify -CAfile "{{ output_dir }}/cert-2-chain.pem" "{{ output_dir }}/cert-2.pem"
+  ignore_errors: yes
+  register: cert_2_valid
+- name: Verifying cert 3
+  command: openssl verify -CAfile "{{ output_dir }}/cert-3-chain.pem" "{{ output_dir }}/cert-3.pem"
+  ignore_errors: yes
+  register: cert_3_valid
+- name: Verifying cert 4
+  command: openssl verify -CAfile "{{ output_dir }}/cert-4-chain.pem" "{{ output_dir }}/cert-4.pem"
+  ignore_errors: yes
+  register: cert_4_valid
+- name: Verifying cert 5
+  command: openssl verify -CAfile "{{ output_dir }}/cert-5-chain.pem" "{{ output_dir }}/cert-5.pem"
+  ignore_errors: yes
+  register: cert_5_valid
+- name: Verifying cert 6
+  command: openssl verify -CAfile "{{ output_dir }}/cert-6-chain.pem" "{{ output_dir }}/cert-6.pem"
+  ignore_errors: yes
+  register: cert_6_valid
+# Dump certificate info
+- name: Dumping cert 1
+  command: openssl x509 -in "{{ output_dir }}/cert-1.pem" -noout -text
+  register: cert_1_text
+- name: Dumping cert 2
+  command: openssl x509 -in "{{ output_dir }}/cert-2.pem" -noout -text
+  register: cert_2_text
+- name: Dumping cert 3
+  command: openssl x509 -in "{{ output_dir }}/cert-3.pem" -noout -text
+  register: cert_3_text
+- name: Dumping cert 4
+  command: openssl x509 -in "{{ output_dir }}/cert-4.pem" -noout -text
+  register: cert_4_text
+- name: Dumping cert 5
+  command: openssl x509 -in "{{ output_dir }}/cert-5.pem" -noout -text
+  register: cert_5_text
+- name: Dumping cert 6
+  command: openssl x509 -in "{{ output_dir }}/cert-6.pem" -noout -text
+  register: cert_6_text
--- a/test/integration/targets/acme_certificate/tasks/main.yml
+++ b/test/integration/targets/acme_certificate/tasks/main.yml
@@ -1,243 +1,31 @@
 ---
 - block:
-  ## SET UP ACCOUNT KEYS ########################################################################
-  - name: Create ECC256 account key
-    command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem
-  - name: Create ECC384 account key
-    command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem
-  - name: Create RSA-2048 account key
-    command: openssl genrsa -out {{ output_dir }}/account-rsa2048.pem 2048
-  ## SET UP ACCOUNTS ############################################################################
-  - name: Make sure ECC256 account hasn't been created yet
-    acme_account:
-      acme_version: 2
-      acme_directory: https://{{ acme_host }}:14000/dir
-      validate_certs: no
-      account_key_src: "{{ output_dir }}/account-ec256.pem"
-      state: absent
-  - name: Create ECC384 account
-    acme_account:
-      acme_version: 2
-      acme_directory: https://{{ acme_host }}:14000/dir
-      validate_certs: no
-      account_key_content: "{{ lookup('file', output_dir ~ '/account-ec384.pem') }}"
-      state: present
-      allow_creation: yes
-      terms_agreed: yes
-      contact:
-      - mailto:example@example.org
-      - mailto:example@example.com
-  - name: Create RSA-2048 account
-    acme_account:
-      acme_version: 2
-      acme_directory: https://{{ acme_host }}:14000/dir
-      validate_certs: no
-      account_key_src: "{{ output_dir }}/account-rsa2048.pem"
-      state: present
-      allow_creation: yes
-      terms_agreed: yes
-      contact: []
-  ## OBTAIN CERTIFICATES ########################################################################
-  - name: Obtain cert 1
-    include_tasks: obtain-cert.yml
+  - name: Running tests with OpenSSL backend
+    include_tasks: impl.yml
    vars:
-      certgen_title: Certificate 1
-      certificate_name: cert-1
-      key_type: rsa
-      rsa_bits: 2048
-      subject_alt_name: "DNS:example.com"
-      subject_alt_name_critical: no
-      account_key: account-ec256
-      challenge: http-01
-      modify_account: yes
-      deactivate_authzs: no
-      force: no
-      remaining_days: 10
-      terms_agreed: yes
-      account_email: "example@example.org"
-  - name: Obtain cert 2
-    include_tasks: obtain-cert.yml
-    vars:
-      certgen_title: Certificate 2
-      certificate_name: cert-2
-      key_type: ec256
-      subject_alt_name: "DNS:*.example.com,DNS:example.com"
-      subject_alt_name_critical: yes
-      account_key: account-ec384
-      challenge: dns-01
-      modify_account: no
-      deactivate_authzs: yes
-      force: no
-      remaining_days: 10
-      terms_agreed: no
-      account_email: ""
-  - name: Obtain cert 3
-    include_tasks: obtain-cert.yml
-    vars:
-      certgen_title: Certificate 3
-      certificate_name: cert-3
-      key_type: ec384
-      subject_alt_name: "DNS:*.example.com,DNS:example.org,DNS:t1.example.com"
-      subject_alt_name_critical: no
-      account_key_content: "{{ lookup('file', output_dir ~ '/account-rsa2048.pem') }}"
-      challenge: dns-01
-      modify_account: no
-      deactivate_authzs: no
-      force: no
-      remaining_days: 10
-      terms_agreed: no
-      account_email: ""
-  - name: Obtain cert 4
-    include_tasks: obtain-cert.yml
-    vars:
-      certgen_title: Certificate 4
-      certificate_name: cert-4
-      key_type: rsa
-      rsa_bits: 2048
-      subject_alt_name: "DNS:example.com,DNS:t1.example.com,DNS:test.t2.example.com,DNS:example.org,DNS:test.example.org"
-      subject_alt_name_critical: no
-      account_key: account-rsa2048
-      challenge: http-01
-      modify_account: no
-      deactivate_authzs: yes
-      force: yes
-      remaining_days: 10
-      terms_agreed: no
-      account_email: ""
-  - name: Obtain cert 5
-    include_tasks: obtain-cert.yml
-    vars:
-      certgen_title: Certificate 5, Iteration 1/4
-      certificate_name: cert-5
-      key_type: ec521
-      subject_alt_name: "DNS:t2.example.com"
-      subject_alt_name_critical: no
-      account_key: account-ec384
-      challenge: http-01
-      modify_account: no
-      deactivate_authzs: yes
-      force: yes
-      remaining_days: 10
-      terms_agreed: no
-      account_email: ""
-  - name: Obtain cert 5 (should not, since already there and valid for more than 10 days)
-    include_tasks: obtain-cert.yml
-    vars:
-      certgen_title: Certificate 5, Iteration 2/4
-      certificate_name: cert-5
-      key_type: ec521
-      subject_alt_name: "DNS:t2.example.com"
-      subject_alt_name_critical: no
-      account_key: account-ec384
-      challenge: http-01
-      modify_account: no
-      deactivate_authzs: yes
-      force: no
-      remaining_days: 10
-      terms_agreed: no
-      account_email: ""
-  - set_fact:
-      cert_5_recreate_1: "{{ challenge_data is changed }}"
-  - name: Obtain cert 5 (should again by less days)
-    include_tasks: obtain-cert.yml
-    vars:
-      certgen_title: Certificate 5, Iteration 3/4
-      certificate_name: cert-5
-      key_type: ec521
-      subject_alt_name: "DNS:t2.example.com"
-      subject_alt_name_critical: no
-      account_key: account-ec384
-      challenge: http-01
-      modify_account: no
-      deactivate_authzs: yes
-      force: yes
-      remaining_days: 1000
-      terms_agreed: no
-      account_email: ""
-  - set_fact:
-      cert_5_recreate_2: "{{ challenge_data is changed }}"
-  - name: Obtain cert 5 (should again by force)
-    include_tasks: obtain-cert.yml
-    vars:
-      certgen_title: Certificate 5, Iteration 4/4
-      certificate_name: cert-5
-      key_type: ec521
-      subject_alt_name: "DNS:t2.example.com"
-      subject_alt_name_critical: no
-      account_key_content: "{{ lookup('file', output_dir ~ '/account-ec384.pem') }}"
-      challenge: http-01
-      modify_account: no
-      deactivate_authzs: yes
-      force: yes
-      remaining_days: 10
-      terms_agreed: no
-      account_email: ""
-  - set_fact:
-      cert_5_recreate_3: "{{ challenge_data is changed }}"
-  - name: Obtain cert 6
-    include_tasks: obtain-cert.yml
-    vars:
-      certgen_title: Certificate 6
-      certificate_name: cert-6
-      key_type: rsa
-      rsa_bits: 2048
-      subject_alt_name: "DNS:example.org"
-      subject_alt_name_critical: no
-      account_key: account-ec256
-      challenge: tls-alpn-01
-      modify_account: yes
-      deactivate_authzs: no
-      force: no
-      remaining_days: 10
-      terms_agreed: yes
-      account_email: "example@example.org"
-  ## DISSECT CERTIFICATES #######################################################################
-  # Make sure certificates are valid. Root certificate for Pebble equals the chain certificate.
-  - name: Verifying cert 1
-    command: openssl verify -CAfile "{{ output_dir }}/cert-1-chain.pem" "{{ output_dir }}/cert-1.pem"
-    ignore_errors: yes
-    register: cert_1_valid
-  - name: Verifying cert 2
-    command: openssl verify -CAfile "{{ output_dir }}/cert-2-chain.pem" "{{ output_dir }}/cert-2.pem"
-    ignore_errors: yes
-    register: cert_2_valid
-  - name: Verifying cert 3
-    command: openssl verify -CAfile "{{ output_dir }}/cert-3-chain.pem" "{{ output_dir }}/cert-3.pem"
-    ignore_errors: yes
-    register: cert_3_valid
-  - name: Verifying cert 4
-    command: openssl verify -CAfile "{{ output_dir }}/cert-4-chain.pem" "{{ output_dir }}/cert-4.pem"
-    ignore_errors: yes
-    register: cert_4_valid
-  - name: Verifying cert 5
-    command: openssl verify -CAfile "{{ output_dir }}/cert-5-chain.pem" "{{ output_dir }}/cert-5.pem"
-    ignore_errors: yes
-    register: cert_5_valid
-  - name: Verifying cert 6
-    command: openssl verify -CAfile "{{ output_dir }}/cert-6-chain.pem" "{{ output_dir }}/cert-6.pem"
-    ignore_errors: yes
-    register: cert_6_valid
-  # Dump certificate info
-  - name: Dumping cert 1
-    command: openssl x509 -in "{{ output_dir }}/cert-1.pem" -noout -text
-    register: cert_1_text
-  - name: Dumping cert 2
-    command: openssl x509 -in "{{ output_dir }}/cert-2.pem" -noout -text
-    register: cert_2_text
-  - name: Dumping cert 3
-    command: openssl x509 -in "{{ output_dir }}/cert-3.pem" -noout -text
-    register: cert_3_text
-  - name: Dumping cert 4
-    command: openssl x509 -in "{{ output_dir }}/cert-4.pem" -noout -text
-    register: cert_4_text
-  - name: Dumping cert 5
-    command: openssl x509 -in "{{ output_dir }}/cert-5.pem" -noout -text
-    register: cert_5_text
-  - name: Dumping cert 6
-    command: openssl x509 -in "{{ output_dir }}/cert-6.pem" -noout -text
-    register: cert_6_text
+      select_crypto_backend: openssl

  - import_tasks: ../tests/validate.yml

  # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
  when: openssl_version.stdout is version('1.0.0', '>=')
+
+- name: Remove output directory
+  file:
+    path: "{{ output_dir }}"
+    state: absent
+
+- name: Re-create output directory
+  file:
+    path: "{{ output_dir }}"
+    state: directory
+
+- block:
+  - name: Running tests with cryptography backend
+    include_tasks: impl.yml
+    vars:
+      select_crypto_backend: cryptography
+
+  - import_tasks: ../tests/validate.yml
+
+  when: cryptography_version.stdout is version('1.5', '>=')
--- a/test/integration/targets/acme_certificate_revoke/tasks/impl.yml
+++ b/test/integration/targets/acme_certificate_revoke/tasks/impl.yml
@@ -0,0 +1,89 @@
+---
+## SET UP ACCOUNT KEYS ########################################################################
+- name: Create ECC256 account key
+  command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem
+- name: Create ECC384 account key
+  command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem
+- name: Create RSA-2048 account key
+  command: openssl genrsa -out {{ output_dir }}/account-rsa2048.pem 2048
+## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
+- name: Obtain cert 1
+  include_tasks: obtain-cert.yml
+  vars:
+    certgen_title: Certificate 1 for revocation
+    certificate_name: cert-1
+    key_type: rsa
+    rsa_bits: 2048
+    subject_alt_name: "DNS:example.com"
+    subject_alt_name_critical: no
+    account_key_content: "{{ lookup('file', output_dir ~ '/account-ec256.pem') }}"
+    challenge: http-01
+    modify_account: yes
+    deactivate_authzs: no
+    force: no
+    remaining_days: 10
+    terms_agreed: yes
+    account_email: "example@example.org"
+- name: Obtain cert 2
+  include_tasks: obtain-cert.yml
+  vars:
+    certgen_title: Certificate 2 for revocation
+    certificate_name: cert-2
+    key_type: ec256
+    subject_alt_name: "DNS:*.example.com"
+    subject_alt_name_critical: yes
+    account_key: account-ec384
+    challenge: dns-01
+    modify_account: yes
+    deactivate_authzs: yes
+    force: no
+    remaining_days: 10
+    terms_agreed: yes
+    account_email: "example@example.org"
+- name: Obtain cert 3
+  include_tasks: obtain-cert.yml
+  vars:
+    certgen_title: Certificate 3 for revocation
+    certificate_name: cert-3
+    key_type: ec384
+    subject_alt_name: "DNS:t1.example.com"
+    subject_alt_name_critical: no
+    account_key: account-rsa2048
+    challenge: dns-01
+    modify_account: yes
+    deactivate_authzs: no
+    force: no
+    remaining_days: 10
+    terms_agreed: yes
+    account_email: "example@example.org"
+## REVOKE CERTIFICATES ########################################################################
+- name: Revoke certificate 1 via account key
+  acme_certificate_revoke:
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    account_key_src: "{{ output_dir }}/account-ec256.pem"
+    certificate: "{{ output_dir }}/cert-1.pem"
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: no
+  ignore_errors: yes
+  register: cert_1_revoke
+- name: Revoke certificate 2 via certificate private key
+  acme_certificate_revoke:
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    private_key_src: "{{ output_dir }}/cert-2.key"
+    certificate: "{{ output_dir }}/cert-2.pem"
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: no
+  ignore_errors: yes
+  register: cert_2_revoke
+- name: Revoke certificate 3 via account key (fullchain)
+  acme_certificate_revoke:
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    account_key_content: "{{ lookup('file', output_dir ~ '/account-rsa2048.pem') }}"
+    certificate: "{{ output_dir }}/cert-3-fullchain.pem"
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: no
+  ignore_errors: yes
+  register: cert_3_revoke
--- a/test/integration/targets/acme_certificate_revoke/tasks/main.yml
+++ b/test/integration/targets/acme_certificate_revoke/tasks/main.yml
@@ -1,92 +1,31 @@
 ---
 - block:
-  ## SET UP ACCOUNT KEYS ########################################################################
-  - name: Create ECC256 account key
-    command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem
-  - name: Create ECC384 account key
-    command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem
-  - name: Create RSA-2048 account key
-    command: openssl genrsa -out {{ output_dir }}/account-rsa2048.pem 2048
-  ## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
-  - name: Obtain cert 1
-    include_tasks: obtain-cert.yml
+  - name: Running tests with OpenSSL backend
+    include_tasks: impl.yml
    vars:
-      certgen_title: Certificate 1 for revocation
-      certificate_name: cert-1
-      key_type: rsa
-      rsa_bits: 2048
-      subject_alt_name: "DNS:example.com"
-      subject_alt_name_critical: no
-      account_key_content: "{{ lookup('file', output_dir ~ '/account-ec256.pem') }}"
-      challenge: http-01
-      modify_account: yes
-      deactivate_authzs: no
-      force: no
-      remaining_days: 10
-      terms_agreed: yes
-      account_email: "example@example.org"
-  - name: Obtain cert 2
-    include_tasks: obtain-cert.yml
-    vars:
-      certgen_title: Certificate 2 for revocation
-      certificate_name: cert-2
-      key_type: ec256
-      subject_alt_name: "DNS:*.example.com"
-      subject_alt_name_critical: yes
-      account_key: account-ec384
-      challenge: dns-01
-      modify_account: yes
-      deactivate_authzs: yes
-      force: no
-      remaining_days: 10
-      terms_agreed: yes
-      account_email: "example@example.org"
-  - name: Obtain cert 3
-    include_tasks: obtain-cert.yml
-    vars:
-      certgen_title: Certificate 3 for revocation
-      certificate_name: cert-3
-      key_type: ec384
-      subject_alt_name: "DNS:t1.example.com"
-      subject_alt_name_critical: no
-      account_key: account-rsa2048
-      challenge: dns-01
-      modify_account: yes
-      deactivate_authzs: no
-      force: no
-      remaining_days: 10
-      terms_agreed: yes
-      account_email: "example@example.org"
-  ## REVOKE CERTIFICATES ########################################################################
-  - name: Revoke certificate 1 via account key
-    acme_certificate_revoke:
-      account_key_src: "{{ output_dir }}/account-ec256.pem"
-      certificate: "{{ output_dir }}/cert-1.pem"
-      acme_version: 2
-      acme_directory: https://{{ acme_host }}:14000/dir
-      validate_certs: no
-    ignore_errors: yes
-    register: cert_1_revoke
-  - name: Revoke certificate 2 via certificate private key
-    acme_certificate_revoke:
-      private_key_src: "{{ output_dir }}/cert-2.key"
-      certificate: "{{ output_dir }}/cert-2.pem"
-      acme_version: 2
-      acme_directory: https://{{ acme_host }}:14000/dir
-      validate_certs: no
-    ignore_errors: yes
-    register: cert_2_revoke
-  - name: Revoke certificate 3 via account key (fullchain)
-    acme_certificate_revoke:
-      account_key_content: "{{ lookup('file', output_dir ~ '/account-rsa2048.pem') }}"
-      certificate: "{{ output_dir }}/cert-3-fullchain.pem"
-      acme_version: 2
-      acme_directory: https://{{ acme_host }}:14000/dir
-      validate_certs: no
-    ignore_errors: yes
-    register: cert_3_revoke
+      select_crypto_backend: openssl

  - import_tasks: ../tests/validate.yml

  # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
  when: openssl_version.stdout is version('1.0.0', '>=')
+
+- name: Remove output directory
+  file:
+    path: "{{ output_dir }}"
+    state: absent
+
+- name: Re-create output directory
+  file:
+    path: "{{ output_dir }}"
+    state: directory
+
+- block:
+  - name: Running tests with cryptography backend
+    include_tasks: impl.yml
+    vars:
+      select_crypto_backend: cryptography
+
+  - import_tasks: ../tests/validate.yml
+
+  when: cryptography_version.stdout is version('1.5', '>=')
--- a/test/integration/targets/setup_acme/tasks/obtain-cert.yml
+++ b/test/integration/targets/setup_acme/tasks/obtain-cert.yml
@@ -22,6 +22,7 @@
 ## ACME STEP 1 ################################################################################
 - name: ({{ certgen_title }}) Obtain cert, step 1
  acme_certificate:
+    select_crypto_backend: "{{ select_crypto_backend }}"
    acme_version: 2
    acme_directory: https://{{ acme_host }}:14000/dir
    validate_certs: no
@@ -41,6 +42,7 @@
  when: account_key_content is not defined
 - name: ({{ certgen_title }}) Obtain cert, step 1 (using account key data)
  acme_certificate:
+    select_crypto_backend: "{{ select_crypto_backend }}"
    acme_version: 2
    acme_directory: https://{{ acme_host }}:14000/dir
    validate_certs: no
@@ -96,6 +98,7 @@
 ## ACME STEP 2 ################################################################################
 - name: ({{ certgen_title }}) Obtain cert, step 2
  acme_certificate:
+    select_crypto_backend: "{{ select_crypto_backend }}"
    acme_version: 2
    acme_directory: https://{{ acme_host }}:14000/dir
    validate_certs: no
@@ -115,6 +118,7 @@
  when: challenge_data is changed and account_key_content is not defined
 - name: ({{ certgen_title }}) Obtain cert, step 2 (using account key data)
  acme_certificate:
+    select_crypto_backend: "{{ select_crypto_backend }}"
    acme_version: 2
    acme_directory: https://{{ acme_host }}:14000/dir
    validate_certs: no