Anons79 Mini Shell

Directory : /lib/python2.7/site-packages/ansible/modules/crypto/acme/
Upload File :
Current File : //lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pyo

�
�Udac@`s�ddlmZmZmZeZidd6dgd6dd6ZdZd	Zd
Z	ddl
mZmZm
Z
mZmZmZmZmZmZmZmZddlZddlZddlZddlZddlZddlZddlZddlZdd
lmZddlm Z ddl!m"Z"ddl#m$Z%d�Z&de'fd��YZ(d�Z)e*dkr|e)�ndS(i(tabsolute_importtdivisiontprint_functions1.1tmetadata_versiontpreviewtstatust	communitytsupported_bys�#
---
module: acme_certificate
author: "Michael Gruener (@mgruener)"
version_added: "2.2"
short_description: Create SSL/TLS certificates with the ACME protocol
description:
   - "Create and renew SSL/TLS certificates with a CA supporting the
      L(ACME protocol,https://tools.ietf.org/html/rfc8555),
      such as L(Let's Encrypt,https://letsencrypt.org/) or
      L(Buypass,https://www.buypass.com/). The current implementation
      supports the C(http-01), C(dns-01) and C(tls-alpn-01) challenges."
   - "To use this module, it has to be executed twice. Either as two
      different tasks in the same run or during two runs. Note that the output
      of the first run needs to be recorded and passed to the second run as the
      module argument C(data)."
   - "Between these two tasks you have to fulfill the required steps for the
      chosen challenge by whatever means necessary. For C(http-01) that means
      creating the necessary challenge file on the destination webserver. For
      C(dns-01) the necessary dns record has to be created. For C(tls-alpn-01)
      the necessary certificate has to be created and served.
      It is I(not) the responsibility of this module to perform these steps."
   - "For details on how to fulfill these challenges, you might have to read through
      L(the main ACME specification,https://tools.ietf.org/html/rfc8555#section-8)
      and the L(TLS-ALPN-01 specification,https://www.rfc-editor.org/rfc/rfc8737.html#section-3).
      Also, consider the examples provided for this module."
   - "The module includes experimental support for IP identifiers according to
      the L(RFC 8738,https://www.rfc-editor.org/rfc/rfc8738.html)."
notes:
   - "At least one of C(dest) and C(fullchain_dest) must be specified."
   - "This module includes basic account management functionality.
      If you want to have more control over your ACME account, use the M(acme_account)
      module and disable account management for this module using the C(modify_account)
      option."
   - "This module was called C(letsencrypt) before Ansible 2.6. The usage
      did not change."
seealso:
  - name: The Let's Encrypt documentation
    description: Documentation for the Let's Encrypt Certification Authority.
                 Provides useful information for example on rate limits.
    link: https://letsencrypt.org/docs/
  - name: Buypass Go SSL
    description: Documentation for the Buypass Certification Authority.
                 Provides useful information for example on rate limits.
    link: https://www.buypass.com/ssl/products/acme
  - name: Automatic Certificate Management Environment (ACME)
    description: The specification of the ACME protocol (RFC 8555).
    link: https://tools.ietf.org/html/rfc8555
  - name: ACME TLS ALPN Challenge Extension
    description: The specification of the C(tls-alpn-01) challenge (RFC 8737).
    link: https://www.rfc-editor.org/rfc/rfc8737.html-05
  - module: acme_challenge_cert_helper
    description: Helps preparing C(tls-alpn-01) challenges.
  - module: openssl_privatekey
    description: Can be used to create private keys (both for certificates and accounts).
  - module: openssl_csr
    description: Can be used to create a Certificate Signing Request (CSR).
  - module: certificate_complete_chain
    description: Allows to find the root certificate for the returned fullchain.
  - module: acme_certificate_revoke
    description: Allows to revoke certificates.
  - module: acme_account
    description: Allows to create, modify or delete an ACME account.
  - module: acme_inspect
    description: Allows to debug problems.
extends_documentation_fragment:
  - acme
options:
  account_email:
    description:
      - "The email address associated with this account."
      - "It will be used for certificate expiration warnings."
      - "Note that when C(modify_account) is not set to C(no) and you also
         used the M(acme_account) module to specify more than one contact
         for your account, this module will update your account and restrict
         it to the (at most one) contact email address specified here."
    type: str
  agreement:
    description:
      - "URI to a terms of service document you agree to when using the
         ACME v1 service at C(acme_directory)."
      - Default is latest gathered from C(acme_directory) URL.
      - This option will only be used when C(acme_version) is 1.
    type: str
  terms_agreed:
    description:
      - "Boolean indicating whether you agree to the terms of service document."
      - "ACME servers can require this to be true."
      - This option will only be used when C(acme_version) is not 1.
    type: bool
    default: no
    version_added: "2.5"
  modify_account:
    description:
      - "Boolean indicating whether the module should create the account if
         necessary, and update its contact data."
      - "Set to C(no) if you want to use the M(acme_account) module to manage
         your account instead, and to avoid accidental creation of a new account
         using an old key if you changed the account key with M(acme_account)."
      - "If set to C(no), C(terms_agreed) and C(account_email) are ignored."
    type: bool
    default: yes
    version_added: "2.6"
  challenge:
    description: The challenge to be performed.
    type: str
    default: 'http-01'
    choices: [ 'http-01', 'dns-01', 'tls-alpn-01' ]
  csr:
    description:
      - "File containing the CSR for the new certificate."
      - "Can be created with C(openssl req ...)."
      - "The CSR may contain multiple Subject Alternate Names, but each one
         will lead to an individual challenge that must be fulfilled for the
         CSR to be signed."
      - "I(Note): the private key used to create the CSR I(must not) be the
         account key. This is a bad idea from a security point of view, and
         the CA should not accept the CSR. The ACME server should return an
         error in this case."
    type: path
    required: true
    aliases: ['src']
  data:
    description:
      - "The data to validate ongoing challenges. This must be specified for
         the second run of the module only."
      - "The value that must be used here will be provided by a previous use
         of this module. See the examples for more details."
      - "Note that for ACME v2, only the C(order_uri) entry of C(data) will
         be used. For ACME v1, C(data) must be non-empty to indicate the
         second stage is active; all needed data will be taken from the
         CSR."
      - "I(Note): the C(data) option was marked as C(no_log) up to
         Ansible 2.5. From Ansible 2.6 on, it is no longer marked this way
         as it causes error messages to be come unusable, and C(data) does
         not contain any information which can be used without having
         access to the account key or which are not public anyway."
    type: dict
  dest:
    description:
      - "The destination file for the certificate."
      - "Required if C(fullchain_dest) is not specified."
    type: path
    aliases: ['cert']
  fullchain_dest:
    description:
      - "The destination file for the full chain (i.e. certificate followed
         by chain of intermediate certificates)."
      - "Required if C(dest) is not specified."
    type: path
    version_added: 2.5
    aliases: ['fullchain']
  chain_dest:
    description:
      - If specified, the intermediate certificate will be written to this file.
    type: path
    version_added: 2.5
    aliases: ['chain']
  remaining_days:
    description:
      - "The number of days the certificate must have left being valid.
         If C(cert_days < remaining_days), then it will be renewed.
         If the certificate is not renewed, module return values will not
         include C(challenge_data)."
      - "To make sure that the certificate is renewed in any case, you can
         use the C(force) option."
    type: int
    default: 10
  deactivate_authzs:
    description:
      - "Deactivate authentication objects (authz) after issuing a certificate,
         or when issuing the certificate failed."
      - "Authentication objects are bound to an account key and remain valid
         for a certain amount of time, and can be used to issue certificates
         without having to re-authenticate the domain. This can be a security
         concern."
    type: bool
    default: no
    version_added: 2.6
  force:
    description:
      - Enforces the execution of the challenge and validation, even if an
        existing certificate is still valid for more than C(remaining_days).
      - This is especially helpful when having an updated CSR e.g. with
        additional domains for which a new certificate is desired.
    type: bool
    default: no
    version_added: 2.6
  retrieve_all_alternates:
    description:
      - "When set to C(yes), will retrieve all alternate chains offered by the ACME CA.
         These will not be written to disk, but will be returned together with the main
         chain as C(all_chains). See the documentation for the C(all_chains) return
         value for details."
    type: bool
    default: no
    version_added: "2.9"
s�
### Example with HTTP challenge ###

- name: Create a challenge for sample.com using a account key from a variable.
  acme_certificate:
    account_key_content: "{{ account_private_key }}"
    csr: /etc/pki/cert/csr/sample.com.csr
    dest: /etc/httpd/ssl/sample.com.crt
  register: sample_com_challenge

# Alternative first step:
- name: Create a challenge for sample.com using a account key from hashi vault.
  acme_certificate:
    account_key_content: "{{ lookup('hashi_vault', 'secret=secret/account_private_key:value') }}"
    csr: /etc/pki/cert/csr/sample.com.csr
    fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt
  register: sample_com_challenge

# Alternative first step:
- name: Create a challenge for sample.com using a account key file.
  acme_certificate:
    account_key_src: /etc/pki/cert/private/account.key
    csr: /etc/pki/cert/csr/sample.com.csr
    dest: /etc/httpd/ssl/sample.com.crt
    fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt
  register: sample_com_challenge

# perform the necessary steps to fulfill the challenge
# for example:
#
# - copy:
#     dest: /var/www/html/{{ sample_com_challenge['challenge_data']['sample.com']['http-01']['resource'] }}
#     content: "{{ sample_com_challenge['challenge_data']['sample.com']['http-01']['resource_value'] }}"
#     when: sample_com_challenge is changed and 'sample.com' in sample_com_challenge['challenge_data']
#
# Alternative way:
#
# - copy:
#     dest: /var/www/{{ item.key }}/{{ item.value['http-01']['resource'] }}
#     content: "{{ item.value['http-01']['resource_value'] }}"
#   loop: "{{ sample_com_challenge.challenge_data | dictsort }}"
#   when: sample_com_challenge is changed

- name: Let the challenge be validated and retrieve the cert and intermediate certificate
  acme_certificate:
    account_key_src: /etc/pki/cert/private/account.key
    csr: /etc/pki/cert/csr/sample.com.csr
    dest: /etc/httpd/ssl/sample.com.crt
    fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt
    chain_dest: /etc/httpd/ssl/sample.com-intermediate.crt
    data: "{{ sample_com_challenge }}"

### Example with DNS challenge against production ACME server ###

- name: Create a challenge for sample.com using a account key file.
  acme_certificate:
    account_key_src: /etc/pki/cert/private/account.key
    account_email: [email protected]
    src: /etc/pki/cert/csr/sample.com.csr
    cert: /etc/httpd/ssl/sample.com.crt
    challenge: dns-01
    acme_directory: https://acme-v01.api.letsencrypt.org/directory
    # Renew if the certificate is at least 30 days old
    remaining_days: 60
  register: sample_com_challenge

# perform the necessary steps to fulfill the challenge
# for example:
#
# - route53:
#     zone: sample.com
#     record: "{{ sample_com_challenge.challenge_data['sample.com']['dns-01'].record }}"
#     type: TXT
#     ttl: 60
#     state: present
#     wait: yes
#     # Note: route53 requires TXT entries to be enclosed in quotes
#     value: "{{ sample_com_challenge.challenge_data['sample.com']['dns-01'].resource_value | regex_replace('^(.*)$', '\"\\1\"') }}"
#   when: sample_com_challenge is changed and 'sample.com' in sample_com_challenge.challenge_data
#
# Alternative way:
#
# - route53:
#     zone: sample.com
#     record: "{{ item.key }}"
#     type: TXT
#     ttl: 60
#     state: present
#     wait: yes
#     # Note: item.value is a list of TXT entries, and route53
#     # requires every entry to be enclosed in quotes
#     value: "{{ item.value | map('regex_replace', '^(.*)$', '\"\\1\"' ) | list }}"
#   loop: "{{ sample_com_challenge.challenge_data_dns | dictsort }}"
#   when: sample_com_challenge is changed

- name: Let the challenge be validated and retrieve the cert and intermediate certificate
  acme_certificate:
    account_key_src: /etc/pki/cert/private/account.key
    account_email: [email protected]
    src: /etc/pki/cert/csr/sample.com.csr
    cert: /etc/httpd/ssl/sample.com.crt
    fullchain: /etc/httpd/ssl/sample.com-fullchain.crt
    chain: /etc/httpd/ssl/sample.com-intermediate.crt
    challenge: dns-01
    acme_directory: https://acme-v01.api.letsencrypt.org/directory
    remaining_days: 60
    data: "{{ sample_com_challenge }}"
  when: sample_com_challenge is changed
s�

cert_days:
  description: The number of days the certificate remains valid.
  returned: success
  type: int
challenge_data:
  description:
    - Per identifier / challenge type challenge data.
    - Since Ansible 2.8.5, only challenges which are not yet valid are returned.
  returned: changed
  type: list
  elements: dict
  contains:
    resource:
      description: The challenge resource that must be created for validation.
      returned: changed
      type: str
      sample: .well-known/acme-challenge/evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA
    resource_original:
      description:
        - The original challenge resource including type identifier for C(tls-alpn-01)
          challenges.
      returned: changed and challenge is C(tls-alpn-01)
      type: str
      sample: DNS:example.com
      version_added: "2.8"
    resource_value:
      description:
        - The value the resource has to produce for the validation.
        - For C(http-01) and C(dns-01) challenges, the value can be used as-is.
        - "For C(tls-alpn-01) challenges, note that this return value contains a
           Base64 encoded version of the correct binary blob which has to be put
           into the acmeValidation x509 extension; see
           U(https://www.rfc-editor.org/rfc/rfc8737.html#section-3)
           for details. To do this, you might need the C(b64decode) Jinja filter
           to extract the binary blob from this return value."
      returned: changed
      type: str
      sample: IlirfxKKXA...17Dt3juxGJ-PCt92wr-oA
    record:
      description: The full DNS record's name for the challenge.
      returned: changed and challenge is C(dns-01)
      type: str
      sample: _acme-challenge.example.com
      version_added: "2.5"
challenge_data_dns:
  description:
    - List of TXT values per DNS record, in case challenge is C(dns-01).
    - Since Ansible 2.8.5, only challenges which are not yet valid are returned.
  returned: changed
  type: dict
  version_added: "2.5"
authorizations:
  description:
    - ACME authorization data.
    - Maps an identifier to ACME authorization objects. See U(https://tools.ietf.org/html/rfc8555#section-7.1.4).
  returned: changed
  type: dict
  sample: '{"example.com":{...}}'
order_uri:
  description: ACME order URI.
  returned: changed
  type: str
  version_added: "2.5"
finalization_uri:
  description: ACME finalization URI.
  returned: changed
  type: str
  version_added: "2.5"
account_uri:
  description: ACME account URI.
  returned: changed
  type: str
  version_added: "2.5"
all_chains:
  description:
    - When I(retrieve_all_alternates) is set to C(yes), the module will query the ACME server
      for alternate chains. This return value will contain a list of all chains returned,
      the first entry being the main chain returned by the server.
    - See L(Section 7.4.2 of RFC8555,https://tools.ietf.org/html/rfc8555#section-7.4.2) for details.
  returned: when certificate was retrieved and I(retrieve_all_alternates) is set to C(yes)
  type: list
  elements: dict
  contains:
    cert:
      description:
        - The leaf certificate itself, in PEM format.
      type: str
      returned: always
    chain:
      description:
        - The certificate chain, excluding the root, as concatenated PEM certificates.
      type: str
      returned: always
    full_chain:
      description:
        - The certificate chain, excluding the root, but including the leaf certificate,
          as concatenated PEM certificates.
      type: str
      returned: always
(tModuleFailExceptiont
write_filet	nopad_b64t
pem_to_dertACMEAccounttHAS_CURRENT_CRYPTOGRAPHYt cryptography_get_csr_identifierstopenssl_get_csr_identifierstcryptography_get_cert_daystset_crypto_backendt
process_linksN(tdatetime(t
AnsibleModule(tto_bytes(t	ipaddressc	C`s(trt||�Stjj|�s)dS|jdt�}|dd|ddg}|j|dtdd�\}}}yLt	j
d	|jd
��jd�}t
jtjtj|d���}WnKtk
r�td
j|���n&tk
rtdj|���nXt
j�}||jS(s�
    Return the days the certificate in cert_file remains valid and -1
    if the file was not found. If cert_file contains more than one
    certificate, only the first one will be considered.
    i����topenssltx509s-ins-noouts-texttcheck_rctencodings\s+Not After\s*:\s+(.*)tutf8is%b %d %H:%M:%S %Y %Zs No 'Not after' date found in {0}s'Failed to parse 'Not after' date of {0}N(R
Rtostpathtexiststget_bin_pathtTruetrun_commandtNonetretsearchtdecodetgroupRt
fromtimestampttimetmktimetstrptimetAttributeErrorRtformatt
ValueErrortutcnowtdays(	tmodulet	cert_filetopenssl_bintopenssl_cert_cmdtdummytoutt
not_after_strt	not_aftertnow((sP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pyt
get_cert_days�s 
$$(

t
ACMEClientcB`s�eZdZd�Zd�Zd�Zd�Zd�Zd�Zd�Z	d�Z
d	�Zd
�Zd�Z
d�Zd
�Zd�Zd�Zd�Zd�Zd�ZRS(s�
    ACME client class. Uses an ACME account object and a CSR to
    start and validate ACME challenges and download the respective
    certificates.
    c	C`s1||_|jd|_|jd|_|jd|_|jjd�|_|jjd�|_|jjd�|_t	|�|_
|j
j|_|jd|_d|_d|_|jr�|jjd	�nd|_d|_|jd
}|s|jdkr�g}|jdr5|jd
|jd�n|j
j|d|jjd�d|jjd�d|�\}}|dkr�tdd��nt}|r�|r�|r�|j
j||�\}}n|p�||_ntjj|j�s	td|j��n|jdt�|_|j�|_dS(Ntacme_versiont	challengetcsrtdesttfullchain_destt
chain_desttdatai����t	order_uritmodify_accountit
account_emailsmailto:t	agreementtterms_agreedtallow_creationtmsgs)Account does not exist or is deactivated.sCSR %s not foundR( R0tparamstversionR<R=tgetR>R?R@Rtaccountt	directoryRAR"tauthorizationst	cert_daysRBtfinalize_uritappendt
setup_accountRtFalsetupdate_accounttchangedRRRRR t_openssl_bint_get_csr_identifierstidentifiers(tselfR0RCtcontacttcreatedtaccount_datatupdated((sP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pyt__init__�sD			$	

		cC`s6trt|j|j�St|j|j|j�SdS(sL
        Parse the CSR and return the list of requested identifiers
        N(R
RR0R=RRV(RY((sP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pyRWscC`s=|jj|d|�|kr$tS||j|d|<tS(s�
        Add or update the given authorization in the global authorizations list.
        Return True if the auth was updated/added and False if no change was
        necessary.
        t:(RNRKRSR (RYtidentifier_typet
identifiertauth((sP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pyt_add_or_update_auth!s cC`s�idd6i|d6|d6d6}|jj|jd|�\}}|dd
krstd	j|d|���n|d
|d<|SdS(s�
        Create a new authorization for the given identifier.
        Return the authorization object of the new authorization
        https://tools.ietf.org/html/draft-ietf-acme-acme-02#section-6.4
        s	new-authztresourcettypetvalueRaRi�i�s2Error requesting challenges: CODE: {0} RESULT: {1}tlocationturiN(i�i�(RLtsend_signed_requestRMRR,(RYR`Rat	new_authztresulttinfo((sP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pyt
_new_authz_v1,s"cC`s�i}x�|dD]�}|d}tjdd|d�}|jj|�}|dkr}d|}	i|	d6|d	6||<q|d
kr|dkr�qnd}	ttjt|��j��}
|j	d
�r�|	|dn|	d|}i|	d6|
d	6|d6||<q|dkr|dkrXt
j|�j}	|	j
d�s^|	d7}	q^n|}	tjtjt|��j��}
i|	d6|d|d6|
d	6||<qqqW|S(s~
        Returns a dict with the data for all proposed (and supported) challenges
        of the given authorization.
        t
challengesRes[^A-Za-z0-9_\-]t_ttokenshttp-01s.well-known/acme-challenge/Rdtresource_valuesdns-01tdnss_acme-challenges*.it.trecordstls-alpn-01tipR_tresource_original(R#tsubRLtget_keyauthorizationR
thashlibtsha256Rtdigestt
startswithtcompat_ipaddresst
ip_addresstreverse_pointertendswithtbase64t	b64encode(RYRbR`RaRAR<tchallenge_typeRptkeyauthorizationRdRfRt((sP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pyt_get_challenge_data>s2

!+"$*cC`s�d}xp|dD]d}|ddkr|dj|d�7}d|krh|dj|dd	�7}qu|d
7}qqWtdj|j|d|�|���d
S(s?
        Aborts with a specific error for a challenge.
        tRnRtinvalids CHALLENGE: {0}Reterrors DETAILS: {0};tdetailt;s{0}: {1}R_N(R,R(RYR`RaRbR�t
error_detailsR<((sP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pyt_fail_challengeisc
C`s�x�|dD]�}|j|dkr*qn|jdkrC|dn|d}i}|jdkr�tjdd|d�}|jj|�}d	|d
<||d<|j|d<n|jj||�\}	}
|
ddkrtdj|
d|	���qqWd}x�|dkr�|jj	|d�\}	}|d|	d<|j
|||	�r_t|_n|jdkr�d|	kr�d}n
|	d}t
jd�qW|dkr�|j|||	d�n|dkS(s�
        Validate the authorization provided in the auth dict. Returns True
        when the validation was successful and False when it was not.
        RnReiRhturls[^A-Za-z0-9_\-]RoRpR<RdtkeyAuthorizationRi�i�s1Error validating challenge: CODE: {0} RESULT: {1}R�tvalidR�trevokedtpendingis&Authorization for {0} returned invalid(i�i�(R�sinvalidR�(R<RJR#RwRLRxRiRR,tget_requestRcR RUR(tsleepR�(
RYR`RaRbR<Rhtchallenge_responseRpR�RkRlRR4((sP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pyt_validate_challengesys6#

#	
cC`s�t|j�}it|�d6}|jj|j|�\}}|dd
krotdj|d|���n|d}xB|dkr�tj	d�|jj
|j�\}}|d}q|W|dkr�tdj|d||���n|d	S(s�
        Create a new certificate based on the csr.
        Return the certificate object as dict
        https://tools.ietf.org/html/rfc8555#section-7.4
        R=Ri�s%Error new cert: CODE: {0} RESULT: {1}R�R�is1Error new cert: CODE: {0} STATUS: {1} RESULT: {2}tcertificate(i�(svalidsinvalid(RR=R
RLRiRPRR,R(R�R�RB(RYR=tnew_certRkRlRR4((sP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pyt_finalize_cert�s

"cC`s4djdjtjtj|�jd�d���S(ss
        Convert the DER format certificate in der_cert to a PEM format
        certificate and return it.
        s:-----BEGIN CERTIFICATE-----
{0}
-----END CERTIFICATE-----
s
Ri@(R,tjointtextwraptwrapR�R�R%(RYtder_cert((sP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pyt_der_to_pem�sc	`sx�jj|dtdidd6�\}}|sF|djd�rdtdj|||���nd}g�|jd�jt	�}g}xv|D]n}|j
�r�|j|�n|jd�r�|dkr�d	j|�}n�jd	j|��g}q�q�Wg����fd
�}t
||�|dksA|r_tdj|||���ni|d6�d
6�d6S(su
        Download and parse the certificate chain.
        https://tools.ietf.org/html/rfc8555#section-7.4.2
        tparse_json_resulttheaderss!application/pem-certificate-chaintAcceptscontent-types>Cannot download certificate chain from {0}: {1} (headers: {2})sutf-8s-----END CERTIFICATE-----R�c`s|dkr_�s{�jj|dt�\}}|ddkr\�j�j|��q\q{n|dkr{�j|�ndS(NtupR�Ri�i�t	alternate(i�i�(RLR�RSRQR�(tlinktrelationtchain_resultt
chain_info(t
alternatestchainRY(sP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pytf�ssGFailed to parse certificate chain download from {0}: {1} (headers: {2})tcertR�R�N(RLR�RSR|RR,R"R%t
splitlinesR tstripRQR�R(	RYR�tcontentRlR�tlinestcurrenttlineR�((R�R�RYsP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pyt_download_cert�s*+



c`s�t�j�}idd6t|�d6}�jj�jd|�\}}g���fd�}t||�|ddkr�tdj|d|���n&i�j	|�d	6|d
d6�d6Sd
S(s�
        Create a new certificate based on the CSR (ACME v1 protocol).
        Return the certificate object as dict
        https://tools.ietf.org/html/draft-ietf-acme-acme-02#section-6.5
        snew-certRdR=c`s^|dkrZ�jj|dt�\}}|ddkrZ�2�j�j|��qZndS(NR�R�Ri�i�(i�i�(RLR�RSRQR�(R�R�R�R�(R�RY(sP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pyR�s
Ri�i�s%Error new cert: CODE: {0} RESULT: {1}R�RgRhR�N(i�i�(
RR=R
RLRiRMRRR,R�(RYR=R�RkRlR�((R�RYsP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pyt_new_cert_v1�s"
c
C`sCg}x2|jD]'\}}|ji|d6|d6�qWi|d6}|jj|jd|�\}}|ddkr�tdj|d|���nx�|dD]}}|jj|�\}}	||d	<|d
d}|d
d}|jdt	�rdj|�}n||j
|d
|<q�W|d|_|d|_dS(s{
        Start a new certificate order (ACME v2 protocol).
        https://tools.ietf.org/html/rfc8555#section-7.4
        ReRfRXtnewOrderRi�s&Error new order: CODE: {0} RESULT: {1}RNRhRatwildcards*.{0}R_RgtfinalizeN(i�(
RXRQRLRiRMRR,R�RKRSRNRBRP(
RYRXR`Rat	new_orderRkRltauth_urit	auth_dataR4((sP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pyt
_new_order_v2s(	
"

cC`s;|jdkrtS|jdkr*|jS|jdkSdS(s�
        Return True if this is the first execution of this module, i.e. if a
        sufficient data object from a first run has not been provided.
        iN(RAR"R RJRB(RY((sP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pyt
is_first_step-s
cC`s�i|_|jdkr�x2|jD]'\}}|dkr"td��q"q"WxI|jD]1\}}|j||�}|j|||�qWWn
|j�t|_dS(s
        Create new authorizations for all identifiers of the CSR,
        respectively start a new order for ACME v2.
        iRrs&ACME v1 only supports DNS identifiers!N(	RNRJRXRRmRcR�R RU(RYR`Ratnew_auth((sP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pytstart_challenges<s	
c	C`s'i}xq|jj�D]`\}}|jdd�\}}|j|}|ddkr]qn|j|||�||<qWi}|jdkrx�|j�D]z\}}|j|kr�|j||jd�}|dkr�g}||||jd<n|j||jd�q�q�Wn||fS(	s�
        Get challenge details for the chosen challenge type.
        Return a tuple of generic challenge details, and specialized DNS challenge details.
        R_iRR�sdns-01RtRqN(RNtitemstsplitR�R<RKR"RQ(	RYRAttype_identifierRbR`Ratdata_dnsRntvalues((sP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pytget_challenges_dataMs"
"cC`s�i|_|jdkrZxI|jD]1\}}|j||�}|j|||�q"Wn
|jj|j�\}}|s�tdj	|j||���n|ddkr�tdj	|d|���nx�|dD]}}|jj|�\}}||d<|dd	}|dd
}|j
dt�r>dj	|�}n||j|d
|<q�W|d|_x[|jj
�D]J\}	}
|
ddkrt|	jd
d�\}}|j|||
�qtqtWdS(sC
        Verify challenges for all identifiers of the CSR.
        is2Cannot download order from {0}: {1} (headers: {2})Ri�s1Error on downloading order: CODE: {0} RESULT: {1}RNRhRaReRfR�s*.{0}R_R�R�N(i�(RNRJRXRmRcRLR�RBRR,RKRSRPR�R�R�(RYR`RaR�RkRlR�R�R4R�Rb((sP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pytfinish_challengesis.	!

c	`s�x��jD]�\}}�jj|d|�}|dkr\tdj|d|���nd|kr��j|||d�n|ddkr
�j|||dt|d��q
q
W�jdkr��j	�}n��j
�}�j|�}�jj
dr�g}xg|d	D][}y�j|�}Wn2tk
rc}	�jjd
j||	��qnX|j|�qWg�_�fd�}
|
|�x|D]}|
|�q�Wn|ddk	r�|d}g|jd
g�D]}
|
^q�}�jrBt�j�j|jd��rBt�j�j��_t�_n�jr�t�j�j|dj|�jd��r�t�j�j��_t�_n�jr�t�j�jdj|�jd��r�t�_q�ndS(s�
        Request a new certificate and write it to the destination file.
        First verifies whether all authorizations are valid; if not, aborts
        with an error.
        R_s-Found no authorization information for "{0}"!Rs(Authorization for {0} returned no statusR�s&Authorization for {0} returned status itretrieve_all_alternatesR�s8Error while downloading alternative certificate {0}: {1}c`sz�jjtd|djd�ddj|jdg��jd�d|ddj|jdg��jd���dS(NR�RR�s
t
full_chain(t
all_chainsRQtdicttencodeR�RK(t	cert_data(RY(sP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pyt_append_all_chains�s$R�R�Rs
N(RXRNRKR"RR,R�tstrRJR�R�R�R0RItwarnRQR�R>R	R�R9ROR RUR?R�R@(RYR`RaRbR�tcert_uritalternate_chainsR�talt_certteR�t	alt_chaintpem_certR�R�((RYsP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pytget_certificate�sJ +	


%*73c	C`sGidd6}|jdkr)d|d<n|jrCx|jD]\}}|jj|d|�}|d
ks<|jd�dkr�q<nye|jj|d|�\}}d	|dko�d
knr�|jd�dkr�d|d<nWntk
r}nX|jd�dkr<|jj	ddj
|d��q<q<Wnd
S(s�
        Deactivates all valid authz's. Does not raise exceptions.
        https://community.letsencrypt.org/t/authorization-deactivation/19860/2
        https://tools.ietf.org/html/rfc8555#section-7.5.2
        tdeactivatedRitauthzRdR_R�Rhi�i,twarnings&Could not deactivate authz object {0}.N(RJRNRXRKR"RLRit	ExceptionR0R�R,(RYtauthz_deactivateR`RaRbRkRlR4((sP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pytdeactivate_authzs�s"

	!5(t__name__t
__module__t__doc__R^RWRcRmR�R�R�R�R�R�R�R�R�R�R�R�R�R�(((sP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pyR:�s&	2					+		+			,						)	:c
5C`s�tdtdtddddg�dtddd	t�d
tdd�dtddd
t�dtddd
d�dtddd
ddddg�dtd
tdd�dtdd�dtdd�dtddd
t�dtddd
dddddg�dtdddtddg�d tdd!�d"tdddd#g�d$tdddd%g�d&tdddd'g�d(tddd
d)�d*tddd
t�d+tddd
t�d,tddd
t�d-tddd
d.dd.d/d0g��d1ddgd"d$gfd2ddgfd3t�}|jd4krD|jd5d6d7�nt|�td8d9d:d9d;d9d<d9�|_tj	tj
d9�|jjd�s�|j
d=d>d?d@�ny�|jjd"�r�t||jd"�}nt||jd$�}|jd+s||jd(kru|jrD|jdAtdBidCidD|�q�t|�}||_t�}|j�r{|j�nSz5|j�|j�|jd,r�|j|dE<nWd|jd*r�|j�nX|j�\}}t�}x7|jj�D]&\}}|||jdFd�d<q�W|jdA|jdB|dG|jdH|jd
|j j!dC|dI|dD|j|�n|jdAtdD|�Wn t"k
r�}	|	j#|�nXdS(JNt
argument_spectaccount_key_srcReRtaliasestaccount_keytaccount_key_contentR�tno_logtaccount_uriRCtbooltdefaulttacme_directorys2https://acme-staging.api.letsencrypt.org/directoryR;tintitchoicesitvalidate_certsRDRERFR<shttp-01sdns-01stls-alpn-01R=trequiredtsrcRAR�R>R�R?t	fullchainR@R�tremaining_daysi
R�tforceR�tselect_crypto_backendtautoRtcryptographytrequired_one_oftmutually_exclusivetsupports_check_modetletsencrypts<The 'letsencrypt' module is being renamed 'acme_certificate'RJs2.10tLANGtCtLC_ALLtLC_MESSAGEStLC_CTYPER�sHDisabling certificate validation for communications with ACME endpoint. sEThis should only be done for testing against a local ACME server for s:development purposes, but *never* for production purposes.RURNtchallenge_dataROR�R_RPRBtchallenge_data_dns($RR�R RSt_namet	deprecateRtrun_command_environ_updatetlocalet	setlocaleR�RIRKR�R9t
check_modet	exit_jsonR:ROR�R�R�R�R�R�R�RNR�R�RURPRBRLRhRtdo_fail(
R0ROtclienttotherRAR�tauthstktvR�((sP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pytmain�s�!$'		
$	 	%		




					
t__main__(+t
__future__RRRRet
__metaclass__tANSIBLE_METADATAt
DOCUMENTATIONtEXAMPLEStRETURNtansible.module_utils.acmeRR	R
RRR
RRRRRR�RyRRR#R�R(turllibRtansible.module_utils.basicRtansible.module_utils._textRtansible.module_utils.compatRR}R9tobjectR:R
R�(((sP/usr/lib/python2.7/site-packages/ansible/modules/crypto/acme/acme_certificate.pyt<module>s6


�nfL	��
	c

Anons79 File Manager Version 1.0, Coded By Anons79
Email: [email protected]