certificate_complete_chain - Complete certificate chain given a set of untrusted and root certificates¶
New in version 2.7.
Synopsis¶
- This module completes a given chain of certificates in PEM format by finding intermediate certificates from a given set of certificates, until it finds a root certificate in another given set of certificates.
- This can for example be used to find the root certificate for a certificate chain returned by acme_certificate.
- Note that this module does not check for validity of the chains. It only checks that issuer and subject match, and that the signature is correct. It ignores validity dates and key usage completely. If you need to verify that a generated chain is valid, please use
openssl verify ....
Requirements¶
The below requirements are needed on the host that executes this module.
- cryptography >= 1.5
Parameters¶
| Parameter | Choices/Defaults | Comments |
|---|---|---|
|
input_chain
required |
A concatenated set of certificates in PEM format forming a chain.
The module will try to complete this chain.
|
|
|
intermediate_certificates
list |
Default: []
|
A list of filenames or directories.
A filename is assumed to point to a file containing one or more certificates in PEM format. All certificates in this file will be added to the set of root certificates.
If a directory name is given, all files in the directory and its subdirectories will be scanned and tried to be parsed as concatenated certificates in PEM format.
Symbolic links will be followed.
|
|
root_certificates
list required |
A list of filenames or directories.
A filename is assumed to point to a file containing one or more certificates in PEM format. All certificates in this file will be added to the set of root certificates.
If a directory name is given, all files in the directory and its subdirectories will be scanned and tried to be parsed as concatenated certificates in PEM format.
Symbolic links will be followed.
|
Examples¶
# Given a leaf certificate for www.ansible.com and one or more intermediate
# certificates, finds the associated root certificate.
- name: Find root certificate
certificate_complete_chain:
input_chain: "{{ lookup('file', '/etc/ssl/csr/www.ansible.com-fullchain.pem') }}"
root_certificates:
- /etc/ca-certificates/
register: www_ansible_com
- name: Write root certificate to disk
copy:
dest: /etc/ssl/csr/www.ansible.com-root.pem
content: "{{ www_ansible_com.root }}"
# Given a leaf certificate for www.ansible.com, and a list of intermediate
# certificates, finds the associated root certificate.
- name: Find root certificate
certificate_complete_chain:
input_chain: "{{ lookup('file', '/etc/ssl/csr/www.ansible.com.pem') }}"
intermediate_certificates:
- /etc/ssl/csr/www.ansible.com-chain.pem
root_certificates:
- /etc/ca-certificates/
register: www_ansible_com
- name: Write complete chain to disk
copy:
dest: /etc/ssl/csr/www.ansible.com-completechain.pem
content: "{{ ''.join(www_ansible_com.complete_chain) }}"
- name: Write root chain (intermediates and root) to disk
copy:
dest: /etc/ssl/csr/www.ansible.com-rootchain.pem
content: "{{ ''.join(www_ansible_com.chain) }}"
Return Values¶
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
|
chain
list
|
success |
The chain added to the given input chain. Includes the root certificate.
Returned as a list of PEM certificates.
|
|
complete_chain
list
|
success |
The completed chain, including leaf, all intermediates, and root.
Returned as a list of PEM certificates.
|
|
root
string
|
success |
The root certificate in PEM format.
|
Status¶
This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.
Maintenance¶
This module is flagged as community which means that it is maintained by the Ansible Community. See Module Maintenance & Support for more info.
For a list of other modules that are also maintained by the Ansible Community, see here.
Author¶
- Felix Fontein (@felixfontein)
Hint
If you notice any issues in this documentation you can edit this document to improve it.