From 8935ab8fdc1b51f5c97016fb662bce7e3ad5e9aa Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Thu, 11 Jul 2024 22:44:23 +0200
Subject: [PATCH] Reformat and re-order changelogs/changelog.yaml.
---
changelogs/changelog.yaml | 2197 +++++++++++++++++++------------------
changelogs/config.yaml | 34 +-
2 files changed, 1123 insertions(+), 1108 deletions(-)
diff --git a/changelogs/changelog.yaml b/changelogs/changelog.yaml
index 13eba21e1..f620488cb 100644
--- a/changelogs/changelog.yaml
+++ b/changelogs/changelog.yaml
@@ -1,528 +1,533 @@ +--- ancestor: null releases: 1.0.0: changes: bugfixes: - - 'ACME modules: fix bug in ACME v1 account update code' - - 'ACME modules: make sure some connection errors are handled properly' - - 'ACME modules: support Buypass'' ACME v1 endpoint' - - acme_certificate - fix crash when module is used with Python 2.x. - - acme_certificate - fix misbehavior when ACME v1 is used with ``modify_account`` - set to ``false``. - - 'ecs_certificate - Always specify header ``connection: keep-alive`` for ECS - API connections.' - - ecs_certificate - Fix formatting of contents of ``full_chain_path``. - - get_certificate - Fix cryptography backend when pyopenssl is unavailable (https://github.com/ansible/ansible/issues/67900) - - openssh_keypair - add logic to avoid breaking password protected keys. - - openssh_keypair - fixes idempotence issue with public key (https://github.com/ansible/ansible/issues/64969). - - openssh_keypair - public key's file attributes (permissions, owner, group, - etc.) are now set to the same values as the private key. - - openssl_* modules - prevent crash on fingerprint determination in FIPS mode - (https://github.com/ansible/ansible/issues/67213). - - 'openssl_certificate - When provider is ``entrust``, use a ``connection: keep-alive`` - header for ECS API connections.' - - openssl_certificate - ``provider`` option was documented as required, but - it was not checked whether it was provided. It is now only required when ``state`` - is ``present``. - - openssl_certificate - fix ``assertonly`` provider certificate verification, - causing 'private key mismatch' and 'subject mismatch' errors. - - openssl_certificate and openssl_csr - fix Ed25519 and Ed448 private key support - for ``cryptography`` backend. This probably needs at least cryptography 2.8, - since older versions have problems with signing certificates or CSRs with - such keys. 
(https://github.com/ansible/ansible/issues/59039, PR https://github.com/ansible/ansible/pull/63984) - - openssl_csr - a warning is issued if an unsupported value for ``version`` - is used for the ``cryptography`` backend. - - openssl_csr - the module will now enforce that ``privatekey_path`` is specified - when ``state=present``. - - openssl_publickey - fix a module crash caused when pyOpenSSL is not installed - (https://github.com/ansible/ansible/issues/67035). + - 'ACME modules: fix bug in ACME v1 account update code' + - 'ACME modules: make sure some connection errors are handled properly' + - 'ACME modules: support Buypass'' ACME v1 endpoint' + - acme_certificate - fix crash when module is used with Python 2.x. + - acme_certificate - fix misbehavior when ACME v1 is used with ``modify_account`` + set to ``false``. + - 'ecs_certificate - Always specify header ``connection: keep-alive`` for + ECS API connections.' + - ecs_certificate - Fix formatting of contents of ``full_chain_path``. + - get_certificate - Fix cryptography backend when pyopenssl is unavailable + (https://github.com/ansible/ansible/issues/67900) + - openssh_keypair - add logic to avoid breaking password protected keys. + - openssh_keypair - fixes idempotence issue with public key (https://github.com/ansible/ansible/issues/64969). + - openssh_keypair - public key's file attributes (permissions, owner, group, + etc.) are now set to the same values as the private key. + - openssl_* modules - prevent crash on fingerprint determination in FIPS mode + (https://github.com/ansible/ansible/issues/67213). + - 'openssl_certificate - When provider is ``entrust``, use a ``connection: + keep-alive`` header for ECS API connections.' + - openssl_certificate - ``provider`` option was documented as required, but + it was not checked whether it was provided. It is now only required when + ``state`` is ``present``. 
+ - openssl_certificate - fix ``assertonly`` provider certificate verification, + causing 'private key mismatch' and 'subject mismatch' errors. + - openssl_certificate and openssl_csr - fix Ed25519 and Ed448 private key + support for ``cryptography`` backend. This probably needs at least cryptography + 2.8, since older versions have problems with signing certificates or CSRs + with such keys. (https://github.com/ansible/ansible/issues/59039, PR https://github.com/ansible/ansible/pull/63984) + - openssl_csr - a warning is issued if an unsupported value for ``version`` + is used for the ``cryptography`` backend. + - openssl_csr - the module will now enforce that ``privatekey_path`` is specified + when ``state=present``. + - openssl_publickey - fix a module crash caused when pyOpenSSL is not installed + (https://github.com/ansible/ansible/issues/67035). deprecated_features: - - openssl_csr - all values for the ``version`` option except ``1`` are deprecated. - The value 1 denotes the current only standardized CSR version. + - openssl_csr - all values for the ``version`` option except ``1`` are deprecated. + The value 1 denotes the current only standardized CSR version. minor_changes: - - luks_device - accept ``passphrase``, ``new_passphrase`` and ``remove_passphrase``. - - luks_device - add ``keysize`` parameter to set key size at LUKS container - creation - - luks_device - added support to use UUIDs, and labels with LUKS2 containers - - luks_device - added the ``type`` option that allows user explicit define the - LUKS container format version - - openssh_keypair - instead of regenerating some broken or password protected - keys, fail the module. Keys can still be regenerated by calling the module - with ``force=yes``. - - openssh_keypair - the ``regenerate`` option allows to configure the module's - behavior when it should or needs to regenerate private keys. 
- - openssl_* modules - the cryptography backend now properly supports ``dirName``, - ``otherName`` and ``RID`` (Registered ID) names. - - openssl_certificate - Add option for changing which ACME directory to use - with acme-tiny. Set the default ACME directory to Let's Encrypt instead of - using acme-tiny's default. (acme-tiny also uses Let's Encrypt at the time - being, so no action should be necessary.) - - openssl_certificate - Change the required version of acme-tiny to >= 4.0.0 - - openssl_certificate - allow to provide content of some input files via the - ``csr_content``, ``privatekey_content``, ``ownca_privatekey_content`` and - ``ownca_content`` options. - - openssl_certificate - allow to return the existing/generated certificate directly - as ``certificate`` by setting ``return_content`` to ``yes``. - - openssl_certificate_info - allow to provide certificate content via ``content`` - option (https://github.com/ansible/ansible/issues/64776). - - openssl_csr - Add support for specifying the SAN ``otherName`` value in the - OpenSSL ASN.1 UTF8 string format, ``otherName:;UTF8:string value``. - - openssl_csr - allow to provide private key content via ``private_key_content`` - option. - - openssl_csr - allow to return the existing/generated CSR directly as ``csr`` - by setting ``return_content`` to ``yes``. - - openssl_csr_info - allow to provide CSR content via ``content`` option. - - openssl_dhparam - allow to return the existing/generated DH params directly - as ``dhparams`` by setting ``return_content`` to ``yes``. - - openssl_dhparam - now supports a ``cryptography``-based backend. Auto-detection - can be overwritten with the ``select_crypto_backend`` option. - - openssl_pkcs12 - allow to return the existing/generated PKCS#12 directly as - ``pkcs12`` by setting ``return_content`` to ``yes``. - - openssl_privatekey - add ``format`` and ``format_mismatch`` options. 
- - openssl_privatekey - allow to return the existing/generated private key directly - as ``privatekey`` by setting ``return_content`` to ``yes``. - - openssl_privatekey - the ``regenerate`` option allows to configure the module's - behavior when it should or needs to regenerate private keys. - - openssl_privatekey_info - allow to provide private key content via ``content`` - option. - - openssl_publickey - allow to provide private key content via ``private_key_content`` - option. - - openssl_publickey - allow to return the existing/generated public key directly - as ``publickey`` by setting ``return_content`` to ``yes``. + - luks_device - accept ``passphrase``, ``new_passphrase`` and ``remove_passphrase``. + - luks_device - add ``keysize`` parameter to set key size at LUKS container + creation + - luks_device - added support to use UUIDs, and labels with LUKS2 containers + - luks_device - added the ``type`` option that allows user explicit define + the LUKS container format version + - openssh_keypair - instead of regenerating some broken or password protected + keys, fail the module. Keys can still be regenerated by calling the module + with ``force=yes``. + - openssh_keypair - the ``regenerate`` option allows to configure the module's + behavior when it should or needs to regenerate private keys. + - openssl_* modules - the cryptography backend now properly supports ``dirName``, + ``otherName`` and ``RID`` (Registered ID) names. + - openssl_certificate - Add option for changing which ACME directory to use + with acme-tiny. Set the default ACME directory to Let's Encrypt instead + of using acme-tiny's default. (acme-tiny also uses Let's Encrypt at the + time being, so no action should be necessary.) + - openssl_certificate - Change the required version of acme-tiny to >= 4.0.0 + - openssl_certificate - allow to provide content of some input files via the + ``csr_content``, ``privatekey_content``, ``ownca_privatekey_content`` and + ``ownca_content`` options. 
+ - openssl_certificate - allow to return the existing/generated certificate + directly as ``certificate`` by setting ``return_content`` to ``yes``. + - openssl_certificate_info - allow to provide certificate content via ``content`` + option (https://github.com/ansible/ansible/issues/64776). + - openssl_csr - Add support for specifying the SAN ``otherName`` value in + the OpenSSL ASN.1 UTF8 string format, ``otherName:;UTF8:string value``. + - openssl_csr - allow to provide private key content via ``private_key_content`` + option. + - openssl_csr - allow to return the existing/generated CSR directly as ``csr`` + by setting ``return_content`` to ``yes``. + - openssl_csr_info - allow to provide CSR content via ``content`` option. + - openssl_dhparam - allow to return the existing/generated DH params directly + as ``dhparams`` by setting ``return_content`` to ``yes``. + - openssl_dhparam - now supports a ``cryptography``-based backend. Auto-detection + can be overwritten with the ``select_crypto_backend`` option. + - openssl_pkcs12 - allow to return the existing/generated PKCS#12 directly + as ``pkcs12`` by setting ``return_content`` to ``yes``. + - openssl_privatekey - add ``format`` and ``format_mismatch`` options. + - openssl_privatekey - allow to return the existing/generated private key + directly as ``privatekey`` by setting ``return_content`` to ``yes``. + - openssl_privatekey - the ``regenerate`` option allows to configure the module's + behavior when it should or needs to regenerate private keys. + - openssl_privatekey_info - allow to provide private key content via ``content`` + option. + - openssl_publickey - allow to provide private key content via ``private_key_content`` + option. + - openssl_publickey - allow to return the existing/generated public key directly + as ``publickey`` by setting ``return_content`` to ``yes``. release_summary: 'This is the first proper release of the ``community.crypto`` collection. 
This changelog contains all changes to the modules in this collection that were added after the release of Ansible 2.9.0. ' removed_features: - - The ``letsencrypt`` module has been removed. Use ``acme_certificate`` instead. + - The ``letsencrypt`` module has been removed. Use ``acme_certificate`` instead. fragments: - - 1.0.0.yml - - 52408-luks-device.yaml - - 58973-luks_device_add-type-option.yml - - 58973_luks_device-add-label-and-uuid-support.yml - - 60388-openssl_privatekey-format.yml - - 61522-luks-device-add-option-to-define-keysize.yml - - 61658-openssh_keypair-public-key-permissions.yml - - 61693-acme-buypass-acme-v1.yml - - 61738-ecs-certificate-invalid-chain.yaml - - 62218-fix-to-entrust-api.yml - - 62790-openssl_certificate_fix_assert.yml - - 62991-openssl_dhparam-cryptography-backend.yml - - 63140-acme-fix-fetch-url-status-codes.yaml - - 63432-openssl_csr-version.yml - - 63984-openssl-ed25519-ed448.yml - - 64436-openssh_keypair-add-password-protected-key-check.yml - - 64501-fix-python2.x-backward-compatibility.yaml - - 64648-acme_certificate-acmev1.yml - - 65017-openssh_keypair-idempotence.yml - - 65400-openssl-output.yml - - 65435-openssl_csr-privatekey_path-required.yml - - 65633-crypto-argspec-fixup.yml - - 66384-openssl-content.yml - - 67036-openssl_publickey-backend.yml - - 67038-openssl-openssh-key-regenerate.yml - - 67109-openssl_certificate-acme-directory.yaml - - 67515-openssl-fingerprint-fips.yml - - 67669-cryptography-names.yml - - 67901-get_certificate-fix-cryptography.yml - - letsencrypt.yml - - openssl_csr-otherName.yml + - 1.0.0.yml + - 52408-luks-device.yaml + - 58973-luks_device_add-type-option.yml + - 58973_luks_device-add-label-and-uuid-support.yml + - 60388-openssl_privatekey-format.yml + - 61522-luks-device-add-option-to-define-keysize.yml + - 61658-openssh_keypair-public-key-permissions.yml + - 61693-acme-buypass-acme-v1.yml + - 61738-ecs-certificate-invalid-chain.yaml + - 62218-fix-to-entrust-api.yml + - 
62790-openssl_certificate_fix_assert.yml + - 62991-openssl_dhparam-cryptography-backend.yml + - 63140-acme-fix-fetch-url-status-codes.yaml + - 63432-openssl_csr-version.yml + - 63984-openssl-ed25519-ed448.yml + - 64436-openssh_keypair-add-password-protected-key-check.yml + - 64501-fix-python2.x-backward-compatibility.yaml + - 64648-acme_certificate-acmev1.yml + - 65017-openssh_keypair-idempotence.yml + - 65400-openssl-output.yml + - 65435-openssl_csr-privatekey_path-required.yml + - 65633-crypto-argspec-fixup.yml + - 66384-openssl-content.yml + - 67036-openssl_publickey-backend.yml + - 67038-openssl-openssh-key-regenerate.yml + - 67109-openssl_certificate-acme-directory.yaml + - 67515-openssl-fingerprint-fips.yml + - 67669-cryptography-names.yml + - 67901-get_certificate-fix-cryptography.yml + - letsencrypt.yml + - openssl_csr-otherName.yml modules: - - description: Request validation of a domain with the Entrust Certificate Services - (ECS) API - name: ecs_domain - namespace: '' - - description: Generate Certificate Revocation Lists (CRLs) - name: x509_crl - namespace: '' - - description: Retrieve information on Certificate Revocation Lists (CRLs) - name: x509_crl_info - namespace: '' + - description: Request validation of a domain with the Entrust Certificate Services + (ECS) API + name: ecs_domain + namespace: '' + - description: Generate Certificate Revocation Lists (CRLs) + name: x509_crl + namespace: '' + - description: Retrieve information on Certificate Revocation Lists (CRLs) + name: x509_crl_info + namespace: '' release_date: '2020-07-03' 1.1.0: changes: bugfixes: - - acme_inspect - fix problem with Python 3.5 that JSON was not decoded (https://github.com/ansible-collections/community.crypto/issues/86). - - get_certificate - fix ``ca_cert`` option handling when ``proxy_host`` is used - (https://github.com/ansible-collections/community.crypto/pull/84). 
- - openssl_*, x509_* modules - fix handling of general names which refer to IP - networks and not IP addresses (https://github.com/ansible-collections/community.crypto/pull/92). + - acme_inspect - fix problem with Python 3.5 that JSON was not decoded (https://github.com/ansible-collections/community.crypto/issues/86). + - get_certificate - fix ``ca_cert`` option handling when ``proxy_host`` is + used (https://github.com/ansible-collections/community.crypto/pull/84). + - openssl_*, x509_* modules - fix handling of general names which refer to + IP networks and not IP addresses (https://github.com/ansible-collections/community.crypto/pull/92). minor_changes: - - acme_account - add ``external_account_binding`` option to allow creation of - ACME accounts with External Account Binding (https://github.com/ansible-collections/community.crypto/issues/89). - - 'acme_certificate - allow new selector ``test_certificates: first`` for ``select_chain`` - parameter (https://github.com/ansible-collections/community.crypto/pull/102).' - - cryptography backends - support arbitrary dotted OIDs (https://github.com/ansible-collections/community.crypto/issues/39). - - get_certificate - add support for SNI (https://github.com/ansible-collections/community.crypto/issues/69). - - luks_device - add support for encryption options on container creation (https://github.com/ansible-collections/community.crypto/pull/97). - - openssh_cert - add support for PKCS#11 tokens (https://github.com/ansible-collections/community.crypto/pull/95). - - openssl_certificate - the PyOpenSSL backend now uses 160 bits of randomness - for serial numbers, instead of a random number between 1000 and 99999. Please - note that this is not a high quality random number (https://github.com/ansible-collections/community.crypto/issues/76). - - openssl_csr - add support for name constraints extension (https://github.com/ansible-collections/community.crypto/issues/46). 
- - openssl_csr_info - add support for name constraints extension (https://github.com/ansible-collections/community.crypto/issues/46). + - acme_account - add ``external_account_binding`` option to allow creation + of ACME accounts with External Account Binding (https://github.com/ansible-collections/community.crypto/issues/89). + - 'acme_certificate - allow new selector ``test_certificates: first`` for + ``select_chain`` parameter (https://github.com/ansible-collections/community.crypto/pull/102).' + - cryptography backends - support arbitrary dotted OIDs (https://github.com/ansible-collections/community.crypto/issues/39). + - get_certificate - add support for SNI (https://github.com/ansible-collections/community.crypto/issues/69). + - luks_device - add support for encryption options on container creation (https://github.com/ansible-collections/community.crypto/pull/97). + - openssh_cert - add support for PKCS#11 tokens (https://github.com/ansible-collections/community.crypto/pull/95). + - openssl_certificate - the PyOpenSSL backend now uses 160 bits of randomness + for serial numbers, instead of a random number between 1000 and 99999. Please + note that this is not a high quality random number (https://github.com/ansible-collections/community.crypto/issues/76). + - openssl_csr - add support for name constraints extension (https://github.com/ansible-collections/community.crypto/issues/46). + - openssl_csr_info - add support for name constraints extension (https://github.com/ansible-collections/community.crypto/issues/46). release_summary: 'Release for Ansible 2.10.0. 
' fragments: - - 1.1.0.yml - - 100-acme-account-external-account-binding.yml - - 102-acme-certificate-select-chain-first.yml - - 87-acme_inspect-python-3.5.yml - - 90-cryptography-oids.yml - - 90-openssl_certificate-pyopenssl-serial.yml - - 92-ip-networks.yml - - 92-openssl_csr-name-constraints.yml - - get_certificate-add_support_for_SNI.yml - - luks_device-add_encryption_option_on_create.yml - - openssh_cert-pkcs11.yml + - 1.1.0.yml + - 100-acme-account-external-account-binding.yml + - 102-acme-certificate-select-chain-first.yml + - 87-acme_inspect-python-3.5.yml + - 90-cryptography-oids.yml + - 90-openssl_certificate-pyopenssl-serial.yml + - 92-ip-networks.yml + - 92-openssl_csr-name-constraints.yml + - get_certificate-add_support_for_SNI.yml + - luks_device-add_encryption_option_on_create.yml + - openssh_cert-pkcs11.yml modules: - - description: Sign data with openssl - name: openssl_signature - namespace: '' - - description: Verify signatures with openssl - name: openssl_signature_info - namespace: '' + - description: Sign data with openssl + name: openssl_signature + namespace: '' + - description: Verify signatures with openssl + name: openssl_signature_info + namespace: '' release_date: '2020-08-18' 1.1.1: changes: bugfixes: - - meta/runtime.yml - convert Ansible version numbers for old names of modules - to collection version numbers (https://github.com/ansible-collections/community.crypto/pull/108). - - openssl_csr - improve handling of IDNA errors (https://github.com/ansible-collections/community.crypto/issues/105). + - meta/runtime.yml - convert Ansible version numbers for old names of modules + to collection version numbers (https://github.com/ansible-collections/community.crypto/pull/108). + - openssl_csr - improve handling of IDNA errors (https://github.com/ansible-collections/community.crypto/issues/105). release_summary: Bugfixes for Ansible 2.10.0. 
fragments: - - 1.1.1.yml - - 106-openssl_csr-idna-errors.yml - - 108-meta-runtime-versions.yml + - 1.1.1.yml + - 106-openssl_csr-idna-errors.yml + - 108-meta-runtime-versions.yml release_date: '2020-09-14' 1.2.0: changes: bugfixes: - - openssl_pkcs12 - do not crash when reading PKCS#12 file which has no private - key and/or no main certificate (https://github.com/ansible-collections/community.crypto/issues/103). + - openssl_pkcs12 - do not crash when reading PKCS#12 file which has no private + key and/or no main certificate (https://github.com/ansible-collections/community.crypto/issues/103). minor_changes: - - acme_certificate - allow to pass CSR file as content with new option ``csr_content`` - (https://github.com/ansible-collections/community.crypto/pull/115). - - x509_certificate_info - add ``fingerprints`` return value which returns certificate - fingerprints (https://github.com/ansible-collections/community.crypto/pull/121). + - acme_certificate - allow to pass CSR file as content with new option ``csr_content`` + (https://github.com/ansible-collections/community.crypto/pull/115). + - x509_certificate_info - add ``fingerprints`` return value which returns + certificate fingerprints (https://github.com/ansible-collections/community.crypto/pull/121). release_summary: Please note that this release fixes a security issue (CVE-2020-25646). security_fixes: - - openssl_csr - the option ``privatekey_content`` was not marked as ``no_log``, - resulting in it being dumped into the system log by default, and returned - in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125). - - openssl_privatekey_info - the option ``content`` was not marked as ``no_log``, - resulting in it being dumped into the system log by default, and returned - in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125). 
- - openssl_publickey - the option ``privatekey_content`` was not marked as ``no_log``, - resulting in it being dumped into the system log by default, and returned - in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125). - - openssl_signature - the option ``privatekey_content`` was not marked as ``no_log``, - resulting in it being dumped into the system log by default, and returned - in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125). - - x509_certificate - the options ``privatekey_content`` and ``ownca_privatekey_content`` - were not marked as ``no_log``, resulting in it being dumped into the system - log by default, and returned in the registered results in the ``invocation`` - field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125). - - x509_crl - the option ``privatekey_content`` was not marked as ``no_log``, - resulting in it being dumped into the system log by default, and returned - in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125). + - openssl_csr - the option ``privatekey_content`` was not marked as ``no_log``, + resulting in it being dumped into the system log by default, and returned + in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125). + - openssl_privatekey_info - the option ``content`` was not marked as ``no_log``, + resulting in it being dumped into the system log by default, and returned + in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125). 
+ - openssl_publickey - the option ``privatekey_content`` was not marked as + ``no_log``, resulting in it being dumped into the system log by default, + and returned in the registered results in the ``invocation`` field (CVE-2020-25646, + https://github.com/ansible-collections/community.crypto/pull/125). + - openssl_signature - the option ``privatekey_content`` was not marked as + ``no_log``, resulting in it being dumped into the system log by default, + and returned in the registered results in the ``invocation`` field (CVE-2020-25646, + https://github.com/ansible-collections/community.crypto/pull/125). + - x509_certificate - the options ``privatekey_content`` and ``ownca_privatekey_content`` + were not marked as ``no_log``, resulting in it being dumped into the system + log by default, and returned in the registered results in the ``invocation`` + field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125). + - x509_crl - the option ``privatekey_content`` was not marked as ``no_log``, + resulting in it being dumped into the system log by default, and returned + in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125). fragments: - - 1.2.0.yml - - 109-openssl_pkcs12-crash-no-cert-key.yml - - 115-acme_certificate-csr_content.yml - - 121-x509_certificate_info-fingerprints.yml - - cve-2020-25646.yml + - 1.2.0.yml + - 109-openssl_pkcs12-crash-no-cert-key.yml + - 115-acme_certificate-csr_content.yml + - 121-x509_certificate_info-fingerprints.yml + - cve-2020-25646.yml release_date: '2020-10-13' 1.3.0: changes: bugfixes: - - openssl_pkcs12 - report the correct state when ``action`` is ``parse`` (https://github.com/ansible-collections/community.crypto/issues/143). 
- - support code - improve handling of certificate and certificate signing request - (CSR) loading with the ``cryptography`` backend when errors occur (https://github.com/ansible-collections/community.crypto/issues/138, - https://github.com/ansible-collections/community.crypto/pull/139). - - x509_certificate - fix ``entrust`` provider, which was broken since community.crypto - 0.1.0 due to a feature added before the collection move (https://github.com/ansible-collections/community.crypto/pull/135). + - openssl_pkcs12 - report the correct state when ``action`` is ``parse`` (https://github.com/ansible-collections/community.crypto/issues/143). + - support code - improve handling of certificate and certificate signing request + (CSR) loading with the ``cryptography`` backend when errors occur (https://github.com/ansible-collections/community.crypto/issues/138, + https://github.com/ansible-collections/community.crypto/pull/139). + - x509_certificate - fix ``entrust`` provider, which was broken since community.crypto + 0.1.0 due to a feature added before the collection move (https://github.com/ansible-collections/community.crypto/pull/135). minor_changes: - - openssh_cert - add module parameter ``use_agent`` to enable using signing - keys stored in ssh-agent (https://github.com/ansible-collections/community.crypto/issues/116). - - openssl_csr - refactor module to allow code reuse by openssl_csr_pipe (https://github.com/ansible-collections/community.crypto/pull/123). - - openssl_privatekey - refactor module to allow code reuse by openssl_privatekey_pipe - (https://github.com/ansible-collections/community.crypto/pull/119). - - openssl_privatekey - the elliptic curve ``secp192r1`` now triggers a security - warning. Elliptic curves of at least 224 bits should be used for new keys; - see `here `_ - (https://github.com/ansible-collections/community.crypto/pull/132). - - x509_certificate - for the ``selfsigned`` provider, a CSR is not required - anymore. 
If no CSR is provided, the module behaves as if a minimal CSR which - only contains the public key has been provided (https://github.com/ansible-collections/community.crypto/issues/32, - https://github.com/ansible-collections/community.crypto/pull/129). - - x509_certificate - refactor module to allow code reuse by x509_certificate_pipe - (https://github.com/ansible-collections/community.crypto/pull/135). + - openssh_cert - add module parameter ``use_agent`` to enable using signing + keys stored in ssh-agent (https://github.com/ansible-collections/community.crypto/issues/116). + - openssl_csr - refactor module to allow code reuse by openssl_csr_pipe (https://github.com/ansible-collections/community.crypto/pull/123). + - openssl_privatekey - refactor module to allow code reuse by openssl_privatekey_pipe + (https://github.com/ansible-collections/community.crypto/pull/119). + - openssl_privatekey - the elliptic curve ``secp192r1`` now triggers a security + warning. Elliptic curves of at least 224 bits should be used for new keys; + see `here `_ + (https://github.com/ansible-collections/community.crypto/pull/132). + - x509_certificate - for the ``selfsigned`` provider, a CSR is not required + anymore. If no CSR is provided, the module behaves as if a minimal CSR which + only contains the public key has been provided (https://github.com/ansible-collections/community.crypto/issues/32, + https://github.com/ansible-collections/community.crypto/pull/129). + - x509_certificate - refactor module to allow code reuse by x509_certificate_pipe + (https://github.com/ansible-collections/community.crypto/pull/135). release_summary: 'Contains new modules ``openssl_privatekey_pipe``, ``openssl_csr_pipe`` and ``x509_certificate_pipe`` which allow to create or update private keys, CSRs and X.509 certificates without having to write them to disk. 
' fragments: - - 1.3.0.yml - - 117-openssh_cert-use-ssh-agent.yml - - 129-x509_certificate-no-csr-selfsigned.yml - - 132-openssl_privatekey-ecc-order.yml - - 135-x509_certificate-entrust.yml - - 139-improve-error-handling.yml - - 145-add-check-for-parsed-pkcs12-files.yml - - privatekey-csr-certificate-refactoring.yml + - 1.3.0.yml + - 117-openssh_cert-use-ssh-agent.yml + - 129-x509_certificate-no-csr-selfsigned.yml + - 132-openssl_privatekey-ecc-order.yml + - 135-x509_certificate-entrust.yml + - 139-improve-error-handling.yml + - 145-add-check-for-parsed-pkcs12-files.yml + - privatekey-csr-certificate-refactoring.yml modules: - - description: Generate OpenSSL Certificate Signing Request (CSR) - name: openssl_csr_pipe - namespace: '' - - description: Generate OpenSSL private keys without disk access - name: openssl_privatekey_pipe - namespace: '' - - description: Generate and/or check OpenSSL certificates - name: x509_certificate_pipe - namespace: '' + - description: Generate OpenSSL Certificate Signing Request (CSR) + name: openssl_csr_pipe + namespace: '' + - description: Generate OpenSSL private keys without disk access + name: openssl_privatekey_pipe + namespace: '' + - description: Generate and/or check OpenSSL certificates + name: x509_certificate_pipe + namespace: '' release_date: '2020-11-24' 1.4.0: changes: bugfixes: - - acme_certificate - error when requested challenge type is not found for non-valid - challenges, instead of hanging on step 2 (https://github.com/ansible-collections/community.crypto/issues/171, - https://github.com/ansible-collections/community.crypto/pull/173). + - acme_certificate - error when requested challenge type is not found for + non-valid challenges, instead of hanging on step 2 (https://github.com/ansible-collections/community.crypto/issues/171, + https://github.com/ansible-collections/community.crypto/pull/173). 
minor_changes: - - The ACME module_utils has been relicensed back from the Simplified BSD License - (https://opensource.org/licenses/BSD-2-Clause) to the GPLv3+ (same license - used by most other code in this collection). This undoes a licensing change - when the original GPLv3+ licensed code was moved to module_utils in https://github.com/ansible/ansible/pull/40697 - (https://github.com/ansible-collections/community.crypto/pull/165). - - The ``crypto/identify.py`` module_utils has been renamed to ``crypto/pem.py`` - (https://github.com/ansible-collections/community.crypto/pull/166). - - luks_device - ``new_keyfile``, ``new_passphrase``, ``remove_keyfile`` and - ``remove_passphrase`` are now idempotent (https://github.com/ansible-collections/community.crypto/issues/19, - https://github.com/ansible-collections/community.crypto/pull/168). - - luks_device - allow to configure PBKDF (https://github.com/ansible-collections/community.crypto/pull/163). - - openssl_csr, openssl_csr_pipe - allow to specify CRL distribution endpoints - with ``crl_distribution_points`` (https://github.com/ansible-collections/community.crypto/issues/147, - https://github.com/ansible-collections/community.crypto/pull/167). - - openssl_pkcs12 - allow to specify certificate bundles in ``other_certificates`` - by using new option ``other_certificates_parse_all`` (https://github.com/ansible-collections/community.crypto/issues/149, - https://github.com/ansible-collections/community.crypto/pull/166). + - The ACME module_utils has been relicensed back from the Simplified BSD License + (https://opensource.org/licenses/BSD-2-Clause) to the GPLv3+ (same license + used by most other code in this collection). This undoes a licensing change + when the original GPLv3+ licensed code was moved to module_utils in https://github.com/ansible/ansible/pull/40697 + (https://github.com/ansible-collections/community.crypto/pull/165). 
+ - The ``crypto/identify.py`` module_utils has been renamed to ``crypto/pem.py`` + (https://github.com/ansible-collections/community.crypto/pull/166). + - luks_device - ``new_keyfile``, ``new_passphrase``, ``remove_keyfile`` and + ``remove_passphrase`` are now idempotent (https://github.com/ansible-collections/community.crypto/issues/19, + https://github.com/ansible-collections/community.crypto/pull/168). + - luks_device - allow to configure PBKDF (https://github.com/ansible-collections/community.crypto/pull/163). + - openssl_csr, openssl_csr_pipe - allow to specify CRL distribution endpoints + with ``crl_distribution_points`` (https://github.com/ansible-collections/community.crypto/issues/147, + https://github.com/ansible-collections/community.crypto/pull/167). + - openssl_pkcs12 - allow to specify certificate bundles in ``other_certificates`` + by using new option ``other_certificates_parse_all`` (https://github.com/ansible-collections/community.crypto/issues/149, + https://github.com/ansible-collections/community.crypto/pull/166). release_summary: Release with several new features and bugfixes. fragments: - - 1.4.0.yml - - 163-luks-pbkdf.yml - - 166-openssl_pkcs12-certificate-bundles.yml - - 167-openssl_csr-crl-distribution-points.yml - - 168-luks_device-add-remove-idempotence.yml - - 173-acme_certificate-wrong-challenge.yml - - acme-module-utils-relicense.yml + - 1.4.0.yml + - 163-luks-pbkdf.yml + - 166-openssl_pkcs12-certificate-bundles.yml + - 167-openssl_csr-crl-distribution-points.yml + - 168-luks_device-add-remove-idempotence.yml + - 173-acme_certificate-wrong-challenge.yml + - acme-module-utils-relicense.yml release_date: '2021-01-26' 1.5.0: changes: bugfixes: - - openssl_csr - no longer fails when comparing CSR without basic constraint - when ``basic_constraints`` is specified (https://github.com/ansible-collections/community.crypto/issues/179, - https://github.com/ansible-collections/community.crypto/pull/180). 
+ - openssl_csr - no longer fails when comparing CSR without basic constraint + when ``basic_constraints`` is specified (https://github.com/ansible-collections/community.crypto/issues/179, + https://github.com/ansible-collections/community.crypto/pull/180). deprecated_features: - - acme_account_info - when ``retrieve_orders=url_list``, ``orders`` will no - longer be returned in community.crypto 2.0.0. Use ``order_uris`` instead (https://github.com/ansible-collections/community.crypto/pull/178). + - acme_account_info - when ``retrieve_orders=url_list``, ``orders`` will no + longer be returned in community.crypto 2.0.0. Use ``order_uris`` instead + (https://github.com/ansible-collections/community.crypto/pull/178). minor_changes: - - acme_account_info - when ``retrieve_orders`` is not ``ignore`` and the ACME - server allows to query orders, the new return value ``order_uris`` is always - populated with a list of URIs (https://github.com/ansible-collections/community.crypto/pull/178). - - luks_device - allow to specify sector size for LUKS2 containers with new ``sector_size`` - parameter (https://github.com/ansible-collections/community.crypto/pull/193). + - acme_account_info - when ``retrieve_orders`` is not ``ignore`` and the ACME + server allows to query orders, the new return value ``order_uris`` is always + populated with a list of URIs (https://github.com/ansible-collections/community.crypto/pull/178). + - luks_device - allow to specify sector size for LUKS2 containers with new + ``sector_size`` parameter (https://github.com/ansible-collections/community.crypto/pull/193). release_summary: Regular feature and bugfix release. Deprecates a return value. 
fragments: - - 1.5.0.yml - - 178-acme_account_info-orders-urls.yml - - 179-openssl-csr-basic-constraint.yml - - 193-luks_device-sector_size.yml + - 1.5.0.yml + - 178-acme_account_info-orders-urls.yml + - 179-openssl-csr-basic-constraint.yml + - 193-luks_device-sector_size.yml release_date: '2021-03-08' 1.6.0: changes: bugfixes: - - action_module plugin helper - make compatible with latest changes in ansible-core - 2.11.0b3 (https://github.com/ansible-collections/community.crypto/pull/202). - - openssl_privatekey_pipe - make compatible with latest changes in ansible-core - 2.11.0b3 (https://github.com/ansible-collections/community.crypto/pull/202). + - action_module plugin helper - make compatible with latest changes in ansible-core + 2.11.0b3 (https://github.com/ansible-collections/community.crypto/pull/202). + - openssl_privatekey_pipe - make compatible with latest changes in ansible-core + 2.11.0b3 (https://github.com/ansible-collections/community.crypto/pull/202). deprecated_features: - - acme module_utils - the ``acme`` module_utils (``ansible_collections.community.crypto.plugins.module_utils.acme``) - is deprecated and will be removed in community.crypto 2.0.0. Use the new Python - modules in the ``acme`` package instead (``ansible_collections.community.crypto.plugins.module_utils.acme.xxx``) - (https://github.com/ansible-collections/community.crypto/pull/184). + - acme module_utils - the ``acme`` module_utils (``ansible_collections.community.crypto.plugins.module_utils.acme``) + is deprecated and will be removed in community.crypto 2.0.0. Use the new + Python modules in the ``acme`` package instead (``ansible_collections.community.crypto.plugins.module_utils.acme.xxx``) + (https://github.com/ansible-collections/community.crypto/pull/184). minor_changes: - - acme module_utils - the ``acme`` module_utils has been split up into several - Python modules (https://github.com/ansible-collections/community.crypto/pull/184). 
- - acme_* modules - codebase refactor which should not be visible to end-users - (https://github.com/ansible-collections/community.crypto/pull/184). - - acme_* modules - support account key passphrases for ``cryptography`` backend - (https://github.com/ansible-collections/community.crypto/issues/197, https://github.com/ansible-collections/community.crypto/pull/207). - - acme_certificate_revoke - support revoking by private keys that are passphrase - protected for ``cryptography`` backend (https://github.com/ansible-collections/community.crypto/pull/207). - - acme_challenge_cert_helper - add ``private_key_passphrase`` parameter (https://github.com/ansible-collections/community.crypto/pull/207). + - acme module_utils - the ``acme`` module_utils has been split up into several + Python modules (https://github.com/ansible-collections/community.crypto/pull/184). + - acme_* modules - codebase refactor which should not be visible to end-users + (https://github.com/ansible-collections/community.crypto/pull/184). + - acme_* modules - support account key passphrases for ``cryptography`` backend + (https://github.com/ansible-collections/community.crypto/issues/197, https://github.com/ansible-collections/community.crypto/pull/207). + - acme_certificate_revoke - support revoking by private keys that are passphrase + protected for ``cryptography`` backend (https://github.com/ansible-collections/community.crypto/pull/207). + - acme_challenge_cert_helper - add ``private_key_passphrase`` parameter (https://github.com/ansible-collections/community.crypto/pull/207). release_summary: Fixes compatibility issues with the latest ansible-core 2.11 beta, and contains a lot of internal refactoring for the ACME modules and support for private key passphrases for them. 
fragments: - - 1.6.0.yml - - 184-acme-refactor.yml - - 202-actionmodule-plugin-utils-ansible-core-2.11.yml - - 207-acme-account-key-passphrase.yml + - 1.6.0.yml + - 184-acme-refactor.yml + - 202-actionmodule-plugin-utils-ansible-core-2.11.yml + - 207-acme-account-key-passphrase.yml release_date: '2021-03-22' 1.6.1: changes: bugfixes: - - acme_* modules - fix wrong usages of ``ACMEProtocolException`` (https://github.com/ansible-collections/community.crypto/pull/216, - https://github.com/ansible-collections/community.crypto/pull/217). + - acme_* modules - fix wrong usages of ``ACMEProtocolException`` (https://github.com/ansible-collections/community.crypto/pull/216, + https://github.com/ansible-collections/community.crypto/pull/217). release_summary: Bugfix release. fragments: - - 1.6.1.yml - - 217-acme-exceptions.yml + - 1.6.1.yml + - 217-acme-exceptions.yml release_date: '2021-04-11' 1.6.2: changes: bugfixes: - - acme_* modules - avoid crashing for ACME servers where the ``meta`` directory - key is not present (https://github.com/ansible-collections/community.crypto/issues/220, - https://github.com/ansible-collections/community.crypto/pull/221). + - acme_* modules - avoid crashing for ACME servers where the ``meta`` directory + key is not present (https://github.com/ansible-collections/community.crypto/issues/220, + https://github.com/ansible-collections/community.crypto/pull/221). release_summary: Bugfix release. Fixes compatibility issue of ACME modules with step-ca. fragments: - - 1.6.2.yml - - 221-acme-meta.yml + - 1.6.2.yml + - 221-acme-meta.yml release_date: '2021-04-28' 1.7.0: changes: bugfixes: - - openssh_keypair - fix ``check_mode`` to populate return values for existing - keypairs (https://github.com/ansible-collections/community.crypto/issues/113, - https://github.com/ansible-collections/community.crypto/pull/230). - - various modules - prevent crashes when modules try to set attributes on not - yet existing files in check mode. 
This will be fixed in ansible-core 2.12, - but it is not backported to every Ansible version we support (https://github.com/ansible-collections/community.crypto/issue/242, - https://github.com/ansible-collections/community.crypto/pull/243). - - x509_certificate - fix crash when ``assertonly`` provider is used and some - error conditions should be reported (https://github.com/ansible-collections/community.crypto/issues/240, - https://github.com/ansible-collections/community.crypto/pull/241). + - openssh_keypair - fix ``check_mode`` to populate return values for existing + keypairs (https://github.com/ansible-collections/community.crypto/issues/113, + https://github.com/ansible-collections/community.crypto/pull/230). + - various modules - prevent crashes when modules try to set attributes on + not yet existing files in check mode. This will be fixed in ansible-core + 2.12, but it is not backported to every Ansible version we support (https://github.com/ansible-collections/community.crypto/issue/242, + https://github.com/ansible-collections/community.crypto/pull/243). + - x509_certificate - fix crash when ``assertonly`` provider is used and some + error conditions should be reported (https://github.com/ansible-collections/community.crypto/issues/240, + https://github.com/ansible-collections/community.crypto/pull/241). minor_changes: - - cryptography_openssh module utils - new module_utils for managing asymmetric - keypairs and OpenSSH formatted/encoded asymmetric keypairs (https://github.com/ansible-collections/community.crypto/pull/213). - - openssh_keypair - added ``backend`` parameter for selecting between the cryptography - library or the OpenSSH binary for the execution of actions performed by ``openssh_keypair`` - (https://github.com/ansible-collections/community.crypto/pull/236). - - openssh_keypair - added ``passphrase`` parameter for encrypting/decrypting - OpenSSH private keys (https://github.com/ansible-collections/community.crypto/pull/225). 
- - openssl_csr - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, - https://github.com/ansible-collections/community.crypto/pull/150). - - openssl_csr_info - now returns ``public_key_type`` and ``public_key_data`` - (https://github.com/ansible-collections/community.crypto/pull/233). - - openssl_csr_info - refactor module to allow code reuse for diff mode (https://github.com/ansible-collections/community.crypto/pull/204). - - openssl_csr_pipe - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, - https://github.com/ansible-collections/community.crypto/pull/150). - - openssl_pkcs12 - added option ``select_crypto_backend`` and a ``cryptography`` - backend. This requires cryptography 3.0 or newer, and does not support the - ``iter_size`` and ``maciter_size`` options (https://github.com/ansible-collections/community.crypto/pull/234). - - openssl_privatekey - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, - https://github.com/ansible-collections/community.crypto/pull/150). - - openssl_privatekey_info - refactor module to allow code reuse for diff mode - (https://github.com/ansible-collections/community.crypto/pull/205). - - openssl_privatekey_pipe - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, - https://github.com/ansible-collections/community.crypto/pull/150). - - openssl_publickey - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, - https://github.com/ansible-collections/community.crypto/pull/150). - - x509_certificate - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, - https://github.com/ansible-collections/community.crypto/pull/150). - - x509_certificate_info - now returns ``public_key_type`` and ``public_key_data`` - (https://github.com/ansible-collections/community.crypto/pull/233). 
- - x509_certificate_info - refactor module to allow code reuse for diff mode - (https://github.com/ansible-collections/community.crypto/pull/206). - - x509_certificate_pipe - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, - https://github.com/ansible-collections/community.crypto/pull/150). - - x509_crl - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, - https://github.com/ansible-collections/community.crypto/pull/150). - - x509_crl_info - add ``list_revoked_certificates`` option to avoid enumerating - all revoked certificates (https://github.com/ansible-collections/community.crypto/pull/232). - - x509_crl_info - refactor module to allow code reuse for diff mode (https://github.com/ansible-collections/community.crypto/pull/203). + - cryptography_openssh module utils - new module_utils for managing asymmetric + keypairs and OpenSSH formatted/encoded asymmetric keypairs (https://github.com/ansible-collections/community.crypto/pull/213). + - openssh_keypair - added ``backend`` parameter for selecting between the + cryptography library or the OpenSSH binary for the execution of actions + performed by ``openssh_keypair`` (https://github.com/ansible-collections/community.crypto/pull/236). + - openssh_keypair - added ``passphrase`` parameter for encrypting/decrypting + OpenSSH private keys (https://github.com/ansible-collections/community.crypto/pull/225). + - openssl_csr - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, + https://github.com/ansible-collections/community.crypto/pull/150). + - openssl_csr_info - now returns ``public_key_type`` and ``public_key_data`` + (https://github.com/ansible-collections/community.crypto/pull/233). + - openssl_csr_info - refactor module to allow code reuse for diff mode (https://github.com/ansible-collections/community.crypto/pull/204). 
+ - openssl_csr_pipe - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, + https://github.com/ansible-collections/community.crypto/pull/150). + - openssl_pkcs12 - added option ``select_crypto_backend`` and a ``cryptography`` + backend. This requires cryptography 3.0 or newer, and does not support the + ``iter_size`` and ``maciter_size`` options (https://github.com/ansible-collections/community.crypto/pull/234). + - openssl_privatekey - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, + https://github.com/ansible-collections/community.crypto/pull/150). + - openssl_privatekey_info - refactor module to allow code reuse for diff mode + (https://github.com/ansible-collections/community.crypto/pull/205). + - openssl_privatekey_pipe - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, + https://github.com/ansible-collections/community.crypto/pull/150). + - openssl_publickey - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, + https://github.com/ansible-collections/community.crypto/pull/150). + - x509_certificate - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, + https://github.com/ansible-collections/community.crypto/pull/150). + - x509_certificate_info - now returns ``public_key_type`` and ``public_key_data`` + (https://github.com/ansible-collections/community.crypto/pull/233). + - x509_certificate_info - refactor module to allow code reuse for diff mode + (https://github.com/ansible-collections/community.crypto/pull/206). + - x509_certificate_pipe - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, + https://github.com/ansible-collections/community.crypto/pull/150). + - x509_crl - add diff mode (https://github.com/ansible-collections/community.crypto/issues/38, + https://github.com/ansible-collections/community.crypto/pull/150). 
+ - x509_crl_info - add ``list_revoked_certificates`` option to avoid enumerating + all revoked certificates (https://github.com/ansible-collections/community.crypto/pull/232). + - x509_crl_info - refactor module to allow code reuse for diff mode (https://github.com/ansible-collections/community.crypto/pull/203). release_summary: Regular feature and bugfix release. fragments: - - 1.7.0.yml - - 150-diff.yml - - 203-x509_crl_info.yml - - 204-openssl_csr_info.yml - - 205-openssl_privatekey_info.yml - - 206-x509_certificate_info.yml - - 213-cryptography-openssh-module-utils.yml - - 225-openssh-keypair-passphrase.yml - - 230-openssh_keypair-check_mode-return-values.yml - - 232-x509_crl_info-list_revoked_certificates.yml - - 233-public-key-info.yml - - 234-openssl_pkcs12-cryptography.yml - - 236-openssh_keypair-backends.yml - - 241-x509_certificate-assertonly.yml - - 243-permission-check-crash.yml + - 1.7.0.yml + - 150-diff.yml + - 203-x509_crl_info.yml + - 204-openssl_csr_info.yml + - 205-openssl_privatekey_info.yml + - 206-x509_certificate_info.yml + - 213-cryptography-openssh-module-utils.yml + - 225-openssh-keypair-passphrase.yml + - 230-openssh_keypair-check_mode-return-values.yml + - 232-x509_crl_info-list_revoked_certificates.yml + - 233-public-key-info.yml + - 234-openssl_pkcs12-cryptography.yml + - 236-openssh_keypair-backends.yml + - 241-x509_certificate-assertonly.yml + - 243-permission-check-crash.yml modules: - - description: Provide information for OpenSSL public keys - name: openssl_publickey_info - namespace: '' + - description: Provide information for OpenSSL public keys + name: openssl_publickey_info + namespace: '' release_date: '2021-06-02' 1.7.1: changes: bugfixes: - - openssl_pkcs12 - fix crash when loading passphrase-protected PKCS#12 files - with ``cryptography`` backend (https://github.com/ansible-collections/community.crypto/issues/247, - https://github.com/ansible-collections/community.crypto/pull/248). 
+ - openssl_pkcs12 - fix crash when loading passphrase-protected PKCS#12 files + with ``cryptography`` backend (https://github.com/ansible-collections/community.crypto/issues/247, + https://github.com/ansible-collections/community.crypto/pull/248). release_summary: Bugfix release. fragments: - - 1.7.1.yml - - 248-openssl_pkcs12-passphrase-fix.yml + - 1.7.1.yml + - 248-openssl_pkcs12-passphrase-fix.yml release_date: '2021-06-11' 1.8.0: changes: bugfixes: - - openssh_cert - fixed certificate generation to restore original certificate - if an error is encountered (https://github.com/ansible-collections/community.crypto/pull/255). - - openssh_keypair - fixed a bug that prevented custom file attributes being - applied to public keys (https://github.com/ansible-collections/community.crypto/pull/257). + - openssh_cert - fixed certificate generation to restore original certificate + if an error is encountered (https://github.com/ansible-collections/community.crypto/pull/255). + - openssh_keypair - fixed a bug that prevented custom file attributes being + applied to public keys (https://github.com/ansible-collections/community.crypto/pull/257). minor_changes: - - Avoid internal ansible-core module_utils in favor of equivalent public API - available since at least Ansible 2.9 (https://github.com/ansible-collections/community.crypto/pull/253). - - openssh certificate module utils - new module_utils for parsing OpenSSH certificates - (https://github.com/ansible-collections/community.crypto/pull/246). - - openssh_cert - added ``regenerate`` option to validate additional certificate - parameters which trigger regeneration of an existing certificate (https://github.com/ansible-collections/community.crypto/pull/256). - - openssh_cert - adding ``diff`` support (https://github.com/ansible-collections/community.crypto/pull/255). 
+ - Avoid internal ansible-core module_utils in favor of equivalent public API + available since at least Ansible 2.9 (https://github.com/ansible-collections/community.crypto/pull/253). + - openssh certificate module utils - new module_utils for parsing OpenSSH + certificates (https://github.com/ansible-collections/community.crypto/pull/246). + - openssh_cert - added ``regenerate`` option to validate additional certificate + parameters which trigger regeneration of an existing certificate (https://github.com/ansible-collections/community.crypto/pull/256). + - openssh_cert - adding ``diff`` support (https://github.com/ansible-collections/community.crypto/pull/255). release_summary: Regular bugfix and feature release. fragments: - - 1.8.0.yml - - 246-openssh-certificate-module-utils.yml - - 255-openssh_cert-adding-diff-support.yml - - 256-openssh_cert-adding-idempotency-option.yml - - 257-openssh-keypair-fix-pubkey-permissions.yml - - ansible-core-_text.yml + - 1.8.0.yml + - 246-openssh-certificate-module-utils.yml + - 255-openssh_cert-adding-diff-support.yml + - 256-openssh_cert-adding-idempotency-option.yml + - 257-openssh-keypair-fix-pubkey-permissions.yml + - ansible-core-_text.yml release_date: '2021-08-10' 1.9.0: changes: bugfixes: - - keypair_backend module utils - simplify code to pass sanity tests (https://github.com/ansible-collections/community.crypto/pull/263). - - openssh_keypair - fixed ``cryptography`` backend to preserve original file - permissions when regenerating a keypair requires existing files to be overwritten - (https://github.com/ansible-collections/community.crypto/pull/260). - - openssh_keypair - fixed error handling to restore original keypair if regeneration - fails (https://github.com/ansible-collections/community.crypto/pull/260). - - x509_crl - restore inherited function signature to pass sanity tests (https://github.com/ansible-collections/community.crypto/pull/263). 
+ - keypair_backend module utils - simplify code to pass sanity tests (https://github.com/ansible-collections/community.crypto/pull/263). + - openssh_keypair - fixed ``cryptography`` backend to preserve original file + permissions when regenerating a keypair requires existing files to be overwritten + (https://github.com/ansible-collections/community.crypto/pull/260). + - openssh_keypair - fixed error handling to restore original keypair if regeneration + fails (https://github.com/ansible-collections/community.crypto/pull/260). + - x509_crl - restore inherited function signature to pass sanity tests (https://github.com/ansible-collections/community.crypto/pull/263). minor_changes: - - get_certificate - added ``starttls`` option to retrieve certificates from - servers which require clients to request an encrypted connection (https://github.com/ansible-collections/community.crypto/pull/264). - - openssh_keypair - added ``diff`` support (https://github.com/ansible-collections/community.crypto/pull/260). + - get_certificate - added ``starttls`` option to retrieve certificates from + servers which require clients to request an encrypted connection (https://github.com/ansible-collections/community.crypto/pull/264). + - openssh_keypair - added ``diff`` support (https://github.com/ansible-collections/community.crypto/pull/260). release_summary: Regular feature release. fragments: - - 1.9.0.yml - - 260-openssh_keypair-diff-support.yml - - 263-sanity.yml - - 264-get_certificate-add-starttls-option.yml + - 1.9.0.yml + - 260-openssh_keypair-diff-support.yml + - 263-sanity.yml + - 264-get_certificate-add-starttls-option.yml release_date: '2021-08-30' 1.9.1: changes: 
@@ -533,93 +538,95 @@ releases: release_summary: Bugfix release to fix the changelog. No other change compared to 1.9.0. fragments: - - 1.9.2.yml + - 1.9.2.yml release_date: '2021-08-30' 1.9.3: changes: bugfixes: - - openssl_csr and openssl_csr_pipe - make sure that Unicode strings are used - to compare strings with the cryptography backend. This fixes idempotency problems - with non-ASCII letters on Python 2 (https://github.com/ansible-collections/community.crypto/issues/270, - https://github.com/ansible-collections/community.crypto/pull/271). + - openssl_csr and openssl_csr_pipe - make sure that Unicode strings are used + to compare strings with the cryptography backend. This fixes idempotency + problems with non-ASCII letters on Python 2 (https://github.com/ansible-collections/community.crypto/issues/270, + https://github.com/ansible-collections/community.crypto/pull/271). release_summary: Regular bugfix release. fragments: - - 1.9.3.yml - - 271-openssl_csr-utf8.yml + - 1.9.3.yml + - 271-openssl_csr-utf8.yml release_date: '2021-09-14' 1.9.4: changes: bugfixes: - - acme_* modules - fix commands composed for OpenSSL backend to retrieve information - on CSRs and certificates from stdin to use ``/dev/stdin`` instead of ``-``. - This is needed for OpenSSL 1.0.1 and 1.0.2, apparently (https://github.com/ansible-collections/community.crypto/pull/279). - - acme_challenge_cert_helper - only return exception when cryptography is not - installed, not when a too old version of it is installed. This prevents Ansible's - callback to crash (https://github.com/ansible-collections/community.crypto/pull/281). + - acme_* modules - fix commands composed for OpenSSL backend to retrieve information + on CSRs and certificates from stdin to use ``/dev/stdin`` instead of ``-``. + This is needed for OpenSSL 1.0.1 and 1.0.2, apparently (https://github.com/ansible-collections/community.crypto/pull/279). 
+ - acme_challenge_cert_helper - only return exception when cryptography is + not installed, not when a too old version of it is installed. This prevents + Ansible's callback to crash (https://github.com/ansible-collections/community.crypto/pull/281). release_summary: Regular bugfix release. fragments: - - 1.9.4.yml - - 279-acme-openssl.yml - - 282-acme_challenge_cert_helper-error.yml + - 1.9.4.yml + - 279-acme-openssl.yml + - 282-acme_challenge_cert_helper-error.yml release_date: '2021-09-28' 2.0.0: changes: breaking_changes: - - Adjust ``dirName`` text parsing and to text converting code to conform to - `Sections 2 and 3 of RFC 4514 `_. - This is similar to how `cryptography handles this `_ - (https://github.com/ansible-collections/community.crypto/pull/274). - - acme module utils - removing compatibility code (https://github.com/ansible-collections/community.crypto/pull/290). - - acme_* modules - removed vendored copy of the Python library ``ipaddress``. - If you are using Python 2.x, please make sure to install the library (https://github.com/ansible-collections/community.crypto/pull/287). - - compatibility module_utils - removed vendored copy of the Python library ``ipaddress`` - (https://github.com/ansible-collections/community.crypto/pull/287). - - crypto module utils - removing compatibility code (https://github.com/ansible-collections/community.crypto/pull/290). - - get_certificate, openssl_csr_info, x509_certificate_info - depending on the - ``cryptography`` version used, the modules might not return the ASN.1 value - for an extension as contained in the certificate respectively CSR, but a re-encoded - version of it. This should usually be identical to the value contained in - the source file, unless the value was malformed. For extensions not handled - by C(cryptography) the value contained in the source file is always returned - unaltered (https://github.com/ansible-collections/community.crypto/pull/318). 
- - module_utils - removed various PyOpenSSL support functions and default backend - values that are not needed for the openssl_pkcs12 module (https://github.com/ansible-collections/community.crypto/pull/273). - - openssl_csr, openssl_csr_pipe, x509_crl - the ``subject`` respectively ``issuer`` - fields no longer ignore empty values, but instead fail when encountering them - (https://github.com/ansible-collections/community.crypto/pull/316). - - openssl_privatekey_info - by default consistency checks are not run; they - need to be explicitly requested by passing ``check_consistency=true`` (https://github.com/ansible-collections/community.crypto/pull/309). - - x509_crl - for idempotency checks, the ``issuer`` order is ignored. If order - is important, use the new ``issuer_ordered`` option (https://github.com/ansible-collections/community.crypto/pull/316). + - Adjust ``dirName`` text parsing and to text converting code to conform to + `Sections 2 and 3 of RFC 4514 `_. + This is similar to how `cryptography handles this `_ + (https://github.com/ansible-collections/community.crypto/pull/274). + - acme module utils - removing compatibility code (https://github.com/ansible-collections/community.crypto/pull/290). + - acme_* modules - removed vendored copy of the Python library ``ipaddress``. + If you are using Python 2.x, please make sure to install the library (https://github.com/ansible-collections/community.crypto/pull/287). + - compatibility module_utils - removed vendored copy of the Python library + ``ipaddress`` (https://github.com/ansible-collections/community.crypto/pull/287). + - crypto module utils - removing compatibility code (https://github.com/ansible-collections/community.crypto/pull/290). + - get_certificate, openssl_csr_info, x509_certificate_info - depending on + the ``cryptography`` version used, the modules might not return the ASN.1 + value for an extension as contained in the certificate respectively CSR, + but a re-encoded version of it. 
This should usually be identical to the + value contained in the source file, unless the value was malformed. For + extensions not handled by C(cryptography) the value contained in the source + file is always returned unaltered (https://github.com/ansible-collections/community.crypto/pull/318). + - module_utils - removed various PyOpenSSL support functions and default backend + values that are not needed for the openssl_pkcs12 module (https://github.com/ansible-collections/community.crypto/pull/273). + - openssl_csr, openssl_csr_pipe, x509_crl - the ``subject`` respectively ``issuer`` + fields no longer ignore empty values, but instead fail when encountering + them (https://github.com/ansible-collections/community.crypto/pull/316). + - openssl_privatekey_info - by default consistency checks are not run; they + need to be explicitly requested by passing ``check_consistency=true`` (https://github.com/ansible-collections/community.crypto/pull/309). + - x509_crl - for idempotency checks, the ``issuer`` order is ignored. If order + is important, use the new ``issuer_ordered`` option (https://github.com/ansible-collections/community.crypto/pull/316). bugfixes: - - cryptography backend - improve Unicode handling for Python 2 (https://github.com/ansible-collections/community.crypto/pull/313). - - get_certificate - fix compatibility with the cryptography 35.0.0 release (https://github.com/ansible-collections/community.crypto/pull/294). - - openssl_csr_info - fix compatibility with the cryptography 35.0.0 release - (https://github.com/ansible-collections/community.crypto/pull/294). - - openssl_pkcs12 - fix compatibility with the cryptography 35.0.0 release (https://github.com/ansible-collections/community.crypto/pull/296). - - x509_certificate_info - fix compatibility with the cryptography 35.0.0 release - (https://github.com/ansible-collections/community.crypto/pull/294). 
+ - cryptography backend - improve Unicode handling for Python 2 (https://github.com/ansible-collections/community.crypto/pull/313). + - get_certificate - fix compatibility with the cryptography 35.0.0 release + (https://github.com/ansible-collections/community.crypto/pull/294). + - openssl_csr_info - fix compatibility with the cryptography 35.0.0 release + (https://github.com/ansible-collections/community.crypto/pull/294). + - openssl_pkcs12 - fix compatibility with the cryptography 35.0.0 release + (https://github.com/ansible-collections/community.crypto/pull/296). + - x509_certificate_info - fix compatibility with the cryptography 35.0.0 release + (https://github.com/ansible-collections/community.crypto/pull/294). deprecated_features: - - acme_* modules - ACME version 1 is now deprecated and support for it will - be removed in community.crypto 2.0.0 (https://github.com/ansible-collections/community.crypto/pull/288). + - acme_* modules - ACME version 1 is now deprecated and support for it will + be removed in community.crypto 2.0.0 (https://github.com/ansible-collections/community.crypto/pull/288). minor_changes: - - acme_certificate - the ``subject`` and ``issuer`` fields in in the ``select_chain`` - entries are now more strictly validated (https://github.com/ansible-collections/community.crypto/pull/316). - - openssl_csr, openssl_csr_pipe - provide a new ``subject_ordered`` option if - the order of the components in the subject is of importance (https://github.com/ansible-collections/community.crypto/issues/291, - https://github.com/ansible-collections/community.crypto/pull/316). - - openssl_csr, openssl_csr_pipe - there is now stricter validation of the values - of the ``subject`` option (https://github.com/ansible-collections/community.crypto/pull/316). - - openssl_privatekey_info - add ``check_consistency`` option to request private - key consistency checks to be done (https://github.com/ansible-collections/community.crypto/pull/309). 
- - x509_certificate, x509_certificate_pipe - add ``ignore_timestamps`` option - which allows to enable idempotency for 'not before' and 'not after' options - (https://github.com/ansible-collections/community.crypto/issues/295, https://github.com/ansible-collections/community.crypto/pull/317). - - x509_crl - provide a new ``issuer_ordered`` option if the order of the components - in the issuer is of importance (https://github.com/ansible-collections/community.crypto/issues/291, - https://github.com/ansible-collections/community.crypto/pull/316). - - x509_crl - there is now stricter validation of the values of the ``issuer`` - option (https://github.com/ansible-collections/community.crypto/pull/316). + - acme_certificate - the ``subject`` and ``issuer`` fields in in the ``select_chain`` + entries are now more strictly validated (https://github.com/ansible-collections/community.crypto/pull/316). + - openssl_csr, openssl_csr_pipe - provide a new ``subject_ordered`` option + if the order of the components in the subject is of importance (https://github.com/ansible-collections/community.crypto/issues/291, + https://github.com/ansible-collections/community.crypto/pull/316). + - openssl_csr, openssl_csr_pipe - there is now stricter validation of the + values of the ``subject`` option (https://github.com/ansible-collections/community.crypto/pull/316). + - openssl_privatekey_info - add ``check_consistency`` option to request private + key consistency checks to be done (https://github.com/ansible-collections/community.crypto/pull/309). + - x509_certificate, x509_certificate_pipe - add ``ignore_timestamps`` option + which allows to enable idempotency for 'not before' and 'not after' options + (https://github.com/ansible-collections/community.crypto/issues/295, https://github.com/ansible-collections/community.crypto/pull/317). 
+ - x509_crl - provide a new ``issuer_ordered`` option if the order of the components + in the issuer is of importance (https://github.com/ansible-collections/community.crypto/issues/291, + https://github.com/ansible-collections/community.crypto/pull/316). + - x509_crl - there is now stricter validation of the values of the ``issuer`` + option (https://github.com/ansible-collections/community.crypto/pull/316). release_summary: 'A new major release of the ``community.crypto`` collection. The main changes are removal of the PyOpenSSL backends for almost all modules (``openssl_pkcs12`` being the only exception), and removal of the ``assertonly`` 
@@ -629,246 +636,536 @@ releases: ' removed_features: - - acme_* modules - the ``acme_directory`` option is now required (https://github.com/ansible-collections/community.crypto/pull/290). - - acme_* modules - the ``acme_version`` option is now required (https://github.com/ansible-collections/community.crypto/pull/290). - - acme_account_facts - the deprecated redirect has been removed. Use community.crypto.acme_account_info - instead (https://github.com/ansible-collections/community.crypto/pull/290). - - acme_account_info - ``retrieve_orders=url_list`` no longer returns the return - value ``orders``. Use the ``order_uris`` return value instead (https://github.com/ansible-collections/community.crypto/pull/290). - - crypto.info module utils - the deprecated redirect has been removed. Use ``crypto.pem`` - instead (https://github.com/ansible-collections/community.crypto/pull/290). - - get_certificate - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). - - openssl_certificate - the deprecated redirect has been removed. Use community.crypto.x509_certificate - instead (https://github.com/ansible-collections/community.crypto/pull/290). - - openssl_certificate_info - the deprecated redirect has been removed. Use community.crypto.x509_certificate_info - instead (https://github.com/ansible-collections/community.crypto/pull/290). - - openssl_csr - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). - - openssl_csr and openssl_csr_pipe - ``version`` now only accepts the (default) - value 1 (https://github.com/ansible-collections/community.crypto/pull/290). - - openssl_csr_info - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). - - openssl_csr_pipe - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). 
- - openssl_privatekey - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). - - openssl_privatekey_info - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). - - openssl_privatekey_pipe - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). - - openssl_publickey - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). - - openssl_publickey_info - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). - - openssl_signature - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). - - openssl_signature_info - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). - - x509_certificate - remove ``assertonly`` provider (https://github.com/ansible-collections/community.crypto/pull/289). - - x509_certificate - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). - - x509_certificate_info - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). - - x509_certificate_pipe - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). + - acme_* modules - the ``acme_directory`` option is now required (https://github.com/ansible-collections/community.crypto/pull/290). + - acme_* modules - the ``acme_version`` option is now required (https://github.com/ansible-collections/community.crypto/pull/290). + - acme_account_facts - the deprecated redirect has been removed. Use community.crypto.acme_account_info + instead (https://github.com/ansible-collections/community.crypto/pull/290). + - acme_account_info - ``retrieve_orders=url_list`` no longer returns the return + value ``orders``. 
Use the ``order_uris`` return value instead (https://github.com/ansible-collections/community.crypto/pull/290). + - crypto.info module utils - the deprecated redirect has been removed. Use + ``crypto.pem`` instead (https://github.com/ansible-collections/community.crypto/pull/290). + - get_certificate - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). + - openssl_certificate - the deprecated redirect has been removed. Use community.crypto.x509_certificate + instead (https://github.com/ansible-collections/community.crypto/pull/290). + - openssl_certificate_info - the deprecated redirect has been removed. Use + community.crypto.x509_certificate_info instead (https://github.com/ansible-collections/community.crypto/pull/290). + - openssl_csr - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). + - openssl_csr and openssl_csr_pipe - ``version`` now only accepts the (default) + value 1 (https://github.com/ansible-collections/community.crypto/pull/290). + - openssl_csr_info - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). + - openssl_csr_pipe - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). + - openssl_privatekey - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). + - openssl_privatekey_info - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). + - openssl_privatekey_pipe - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). + - openssl_publickey - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). + - openssl_publickey_info - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). 
+ - openssl_signature - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). + - openssl_signature_info - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). + - x509_certificate - remove ``assertonly`` provider (https://github.com/ansible-collections/community.crypto/pull/289). + - x509_certificate - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). + - x509_certificate_info - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). + - x509_certificate_pipe - removed the ``pyopenssl`` backend (https://github.com/ansible-collections/community.crypto/pull/273). fragments: - - 2.0.0.yml - - 273-pyopenssl-removal.yml - - 274-dirname-rfc4514.yml - - 287-remove-ipaddress.yml - - 288-depecate-acme-v1.yml - - 289-assertonly-removed.yml - - 290-remove-deprecations.yml - - 294-cryptography-35.0.0.yml - - 296-openssl_pkcs12-cryptography-35.yml - - 309-openssl_privatekey_info-consistency.yml - - 313-unicode-names.yml - - 315-ordered-names.yml - - 317-ignore-timestamps.yml - - 318-extension-value-note.yml + - 2.0.0.yml + - 273-pyopenssl-removal.yml + - 274-dirname-rfc4514.yml + - 287-remove-ipaddress.yml + - 288-depecate-acme-v1.yml + - 289-assertonly-removed.yml + - 290-remove-deprecations.yml + - 294-cryptography-35.0.0.yml + - 296-openssl_pkcs12-cryptography-35.yml + - 309-openssl_privatekey_info-consistency.yml + - 313-unicode-names.yml + - 315-ordered-names.yml + - 317-ignore-timestamps.yml + - 318-extension-value-note.yml release_date: '2021-11-01' 2.0.1: changes: bugfixes: - - acme_certificate - avoid passing multiple certificates to ``cryptography``'s - X.509 certificate loader when ``fullchain_dest`` is used (https://github.com/ansible-collections/community.crypto/pull/324). 
- - get_certificate, openssl_csr_info, x509_certificate_info - add fallback code - for extension parsing that works with cryptography 36.0.0 and newer. This - code re-serializes de-serialized extensions and thus can return slightly different - values if the extension in the original CSR resp. certificate was not canonicalized - correctly. This code is currently used as a fallback if the existing code - stops working, but we will switch it to be the main code in a future release - (https://github.com/ansible-collections/community.crypto/pull/331). - - luks_device - now also runs a built-in LUKS signature cleaner on ``state=absent`` - to make sure that also the secondary LUKS2 header is wiped when older versions - of wipefs are used (https://github.com/ansible-collections/community.crypto/issues/326, - https://github.com/ansible-collections/community.crypto/pull/327). - - openssl_pkcs12 - use new PKCS#12 deserialization infrastructure from cryptography - 36.0.0 if available (https://github.com/ansible-collections/community.crypto/pull/302). + - acme_certificate - avoid passing multiple certificates to ``cryptography``'s + X.509 certificate loader when ``fullchain_dest`` is used (https://github.com/ansible-collections/community.crypto/pull/324). + - get_certificate, openssl_csr_info, x509_certificate_info - add fallback + code for extension parsing that works with cryptography 36.0.0 and newer. + This code re-serializes de-serialized extensions and thus can return slightly + different values if the extension in the original CSR resp. certificate + was not canonicalized correctly. This code is currently used as a fallback + if the existing code stops working, but we will switch it to be the main + code in a future release (https://github.com/ansible-collections/community.crypto/pull/331). 
+ - luks_device - now also runs a built-in LUKS signature cleaner on ``state=absent`` + to make sure that also the secondary LUKS2 header is wiped when older versions + of wipefs are used (https://github.com/ansible-collections/community.crypto/issues/326, + https://github.com/ansible-collections/community.crypto/pull/327). + - openssl_pkcs12 - use new PKCS#12 deserialization infrastructure from cryptography + 36.0.0 if available (https://github.com/ansible-collections/community.crypto/pull/302). minor_changes: - - acme_* modules - fix usage of ``fetch_url`` with changes in latest ansible-core - ``devel`` branch (https://github.com/ansible-collections/community.crypto/pull/339). + - acme_* modules - fix usage of ``fetch_url`` with changes in latest ansible-core + ``devel`` branch (https://github.com/ansible-collections/community.crypto/pull/339). release_summary: Bugfix release with extra forward compatibility for newer versions of cryptography. fragments: - - 2.0.1.yml - - 302-openssl_pkcs12-cryptography-36.0.0.yml - - 324-acme_certificate-fullchain.yml - - 327-luks_device-wipe.yml - - 331-cryptography-extensions.yml - - fetch_url-devel.yml + - 2.0.1.yml + - 302-openssl_pkcs12-cryptography-36.0.0.yml + - 324-acme_certificate-fullchain.yml + - 327-luks_device-wipe.yml + - 331-cryptography-extensions.yml + - fetch_url-devel.yml release_date: '2021-11-22' 2.0.2: changes: release_summary: Documentation fix release. No actual code changes. fragments: - - 2.0.2.yml + - 2.0.2.yml release_date: '2021-12-20' 2.1.0: changes: bugfixes: - - Various modules and plugins - use vendored version of ``distutils.version`` - instead of the deprecated Python standard library ``distutils`` (https://github.com/ansible-collections/community.crypto/pull/353). - - certificate_complete_chain - do not append root twice if the chain already - ends with a root certificate (https://github.com/ansible-collections/community.crypto/pull/360). 
- - certificate_complete_chain - do not hang when infinite loop is found (https://github.com/ansible-collections/community.crypto/issues/355, - https://github.com/ansible-collections/community.crypto/pull/360). + - Various modules and plugins - use vendored version of ``distutils.version`` + instead of the deprecated Python standard library ``distutils`` (https://github.com/ansible-collections/community.crypto/pull/353). + - certificate_complete_chain - do not append root twice if the chain already + ends with a root certificate (https://github.com/ansible-collections/community.crypto/pull/360). + - certificate_complete_chain - do not hang when infinite loop is found (https://github.com/ansible-collections/community.crypto/issues/355, + https://github.com/ansible-collections/community.crypto/pull/360). minor_changes: - - Adjust error messages that indicate ``cryptography`` is not installed from - ``Can't`` to ``Cannot`` (https://github.com/ansible-collections/community.crypto/pull/374). + - Adjust error messages that indicate ``cryptography`` is not installed from + ``Can't`` to ``Cannot`` (https://github.com/ansible-collections/community.crypto/pull/374). release_summary: Feature and bugfix release. 
fragments: - - 2.1.0.yml - - 353-distutils.version.yml - - 360-certificate_complete_chain-loop.yml - - 374-docs.yml + - 2.1.0.yml + - 353-distutils.version.yml + - 360-certificate_complete_chain-loop.yml + - 374-docs.yml modules: - - description: Retrieve cryptographic capabilities - name: crypto_info - namespace: '' - - description: Convert OpenSSL private keys - name: openssl_privatekey_convert - namespace: '' + - description: Retrieve cryptographic capabilities + name: crypto_info + namespace: '' + - description: Convert OpenSSL private keys + name: openssl_privatekey_convert + namespace: '' release_date: '2022-01-10' + 2.2.0: + changes: + bugfixes: + - luks_devices - set ``LANG`` and similar environment variables to avoid translated + output, which can break some of the module's functionality like key management + (https://github.com/ansible-collections/community.crypto/pull/388, https://github.com/ansible-collections/community.crypto/issues/385). + minor_changes: + - openssh_cert - added ``ignore_timestamps`` parameter so it can be used semi-idempotent + with relative timestamps in ``valid_to``/``valid_from`` (https://github.com/ansible-collections/community.crypto/issues/379). + release_summary: Regular bugfix and feature release. + fragments: + - 2.2.0.yml + - 381_openssh_cert_add_ignore_timestamps.yml + - 388-luks_device-i18n.yml + release_date: '2022-02-01' + 2.2.1: + changes: + bugfixes: + - openssh_cert - fixed false ``changed`` status for ``host`` certificates + when using ``full_idempotence`` (https://github.com/ansible-collections/community.crypto/issues/395, + https://github.com/ansible-collections/community.crypto/pull/396). + release_summary: Bugfix release. 
+ fragments:
+ - 2.2.1.yml
+ - 396-openssh_cert-host-cert-idempotence-fix.yml
+ release_date: '2022-02-05'
+ 2.2.2:
+ changes:
+ bugfixes:
+ - certificate_complete_chain - allow multiple potential intermediate certificates
+ to have the same subject (https://github.com/ansible-collections/community.crypto/issues/399,
+ https://github.com/ansible-collections/community.crypto/pull/403).
+ - x509_certificate - for the ``ownca`` provider, check whether the CA private
+ key actually belongs to the CA certificate (https://github.com/ansible-collections/community.crypto/pull/407).
+ - x509_certificate - regenerate certificate when the CA's public key changes
+ for ``provider=ownca`` (https://github.com/ansible-collections/community.crypto/pull/407).
+ - x509_certificate - regenerate certificate when the CA's subject changes
+ for ``provider=ownca`` (https://github.com/ansible-collections/community.crypto/issues/400,
+ https://github.com/ansible-collections/community.crypto/pull/402).
+ - x509_certificate - regenerate certificate when the private key changes for
+ ``provider=selfsigned`` (https://github.com/ansible-collections/community.crypto/pull/407).
+ release_summary: 'Regular bugfix release.
+
+
+ In this release, we extended the test matrix to include Alpine 3, ArchLinux,
+ Debian Bullseye, and CentOS Stream 8. CentOS 8 was removed from the test matrix.
+
+ '
+ fragments:
+ - 2.2.2.yml
+ - 402-x509_certificate-ownca-subject.yml
+ - 403-certificate_complete_chain-same-subject.yml
+ - 407-x509_certificate-signature.yml
+ release_date: '2022-02-21'
+ 2.2.3:
+ changes:
+ bugfixes:
+ - luks_device - fix parsing of ``lsblk`` output when device name ends with
+ ``crypt`` (https://github.com/ansible-collections/community.crypto/issues/409,
+ https://github.com/ansible-collections/community.crypto/pull/410).
+ release_summary: Regular bugfix release.
+ fragments:
+ - 2.2.3.yml
+ - 410-luks_device-lsblk-parsing.yml
+ release_date: '2022-03-04'
+ 2.2.4:
+ changes:
+ bugfixes:
+ - openssh_* modules - fix exception handling to report traceback to users
+ for enhanced traceability (https://github.com/ansible-collections/community.crypto/pull/417).
+ release_summary: Regular maintenance release.
+ fragments:
+ - 2.2.4.yml
+ - 417-openssh_modules-fix-exception-reporting.yml
+ release_date: '2022-03-22'
+ 2.3.0:
+ changes:
+ bugfixes:
+ - Make collection more robust when PyOpenSSL is used with an incompatible
+ cryptography version (https://github.com/ansible-collections/community.crypto/pull/445).
+ - x509_crl - fix crash when ``issuer`` for a revoked certificate is specified
+ (https://github.com/ansible-collections/community.crypto/pull/441).
+ minor_changes:
+ - Prepare collection for inclusion in an Execution Environment by declaring
+ its dependencies. Please note that system packages are used for cryptography
+ and PyOpenSSL, which can be rather limited. If you need features from newer
+ cryptography versions, you will have to manually force a newer version to
+ be installed by pip by specifying something like ``cryptography >= 37.0.0``
+ in your Execution Environment's Python dependencies file (https://github.com/ansible-collections/community.crypto/pull/440).
+ - Support automatic conversion for Internalionalized Domain Names (IDNs).
+ When passing general names, for example Subject Alternative Names to ``community.crypto.openssl_csr``,
+ these will automatically be converted to IDNA. Conversion will be done per
+ label to IDNA2008 if possible, and IDNA2003 if IDNA2008 conversion fails
+ for that label. Note that IDNA conversion requires `the Python idna library
+ `_ to be installed. Please note that depending
+ on which versions of the cryptography library are used, it could try to
+ process the converted IDNA another time with the Python ``idna`` library
+ and reject IDNA2003 encoded values.
Using a new enough ``cryptography``
+ version avoids this (https://github.com/ansible-collections/community.crypto/issues/426,
+ https://github.com/ansible-collections/community.crypto/pull/436).
+ - acme_* modules - add parameter ``request_timeout`` to manage HTTP(S) request
+ timeout (https://github.com/ansible-collections/community.crypto/issues/447,
+ https://github.com/ansible-collections/community.crypto/pull/448).
+ - luks_devices - added ``perf_same_cpu_crypt``, ``perf_submit_from_crypt_cpus``,
+ ``perf_no_read_workqueue``, ``perf_no_write_workqueue`` for performance
+ tuning when opening LUKS2 containers (https://github.com/ansible-collections/community.crypto/issues/427).
+ - luks_devices - added ``persistent`` option when opening LUKS2 containers
+ (https://github.com/ansible-collections/community.crypto/pull/434).
+ - openssl_csr_info - add ``name_encoding`` option to control the encoding
+ (IDNA, Unicode) used to return domain names in general names (https://github.com/ansible-collections/community.crypto/pull/436).
+ - openssl_pkcs12 - allow to provide the private key as text instead of having
+ to read it from a file. This allows to store the private key in an encrypted
+ form, for example in Ansible Vault (https://github.com/ansible-collections/community.crypto/pull/452).
+ - x509_certificate_info - add ``name_encoding`` option to control the encoding
+ (IDNA, Unicode) used to return domain names in general names (https://github.com/ansible-collections/community.crypto/pull/436).
+ - x509_crl - add ``name_encoding`` option to control the encoding (IDNA, Unicode)
+ used to return domain names in general names (https://github.com/ansible-collections/community.crypto/pull/436).
+ - x509_crl_info - add ``name_encoding`` option to control the encoding (IDNA,
+ Unicode) used to return domain names in general names (https://github.com/ansible-collections/community.crypto/pull/436).
+ release_summary: Feature and bugfix release.
+ fragments: + - 2.3.0.yml + - 434-add-persistent-and-perf-options.yml + - 436-idns.yml + - 440-ee.yml + - 441-x509-crl-cert-issuer.yml + - 445-fix.yml + - 448-acme-request-timeouts.yml + - 452-openssl_pkcs12-private-key-content.yml + release_date: '2022-05-09' + 2.3.1: + changes: + bugfixes: + - Include ``PSF-license.txt`` file for ``plugins/module_utils/_version.py``. + release_summary: Maintenance release. + fragments: + - 2.3.1.yml + - psf-license.yml + release_date: '2022-05-16' + 2.3.2: + changes: + bugfixes: + - Include ``simplified_bsd.txt`` license file for the ECS module utils. + - certificate_complete_chain - do not stop execution if an unsupported signature + algorithm is encountered; warn instead (https://github.com/ansible-collections/community.crypto/pull/457). + release_summary: Maintenance and bugfix release. + fragments: + - 2.3.2.yml + - 457-certificate_complete_chain-unsupported-algorithm.yml + - simplified-bsd-license.yml + release_date: '2022-06-02' + 2.3.3: + changes: + bugfixes: + - Include ``Apache-2.0.txt`` file for ``plugins/module_utils/crypto/_obj2txt.py`` + and ``plugins/module_utils/crypto/_objects_data.py``. + - openssl_csr - the module no longer crashes with 'permitted_subtrees/excluded_subtrees + must be a non-empty list or None' if only one of ``name_constraints_permitted`` + and ``name_constraints_excluded`` is provided (https://github.com/ansible-collections/community.crypto/issues/481). + - x509_crl - do not crash when signing CRL with Ed25519 or Ed448 keys (https://github.com/ansible-collections/community.crypto/issues/473, + https://github.com/ansible-collections/community.crypto/pull/474). + release_summary: Bugfix release. + fragments: + - 2.3.3.yml + - 474-x509_crl-ed25519-ed448.yml + - 481-fix-excluded_subtrees-must-be-a-non-empty-list-or-None.yml + - apache-license.yml + release_date: '2022-06-17' + 2.3.4: + changes: + release_summary: 'Re-release of what was intended to be 2.3.3. 
+ + + A mistake during the release process caused the 2.3.3 tag to end up on the + + commit for 1.9.17, which caused the release pipeline to re-publish 1.9.17 + + as 2.3.3. + + + This release is identical to what should have been 2.3.3, except that the + + version number has been bumped to 2.3.4 and this changelog entry for 2.3.4 + + has been added. + + ' + fragments: + - 2.3.4.yml + release_date: '2022-06-21' + 2.4.0: + changes: + bugfixes: + - openssl_pkcs12 - when using the pyOpenSSL backend, do not crash when trying + to read non-existing other certificates (https://github.com/ansible-collections/community.crypto/issues/486, + https://github.com/ansible-collections/community.crypto/pull/487). + deprecated_features: + - Support for Ansible 2.9 and ansible-base 2.10 is deprecated, and will be + removed in the next major release (community.crypto 3.0.0). Some modules + might still work with these versions afterwards, but we will no longer keep + compatibility code that was needed to support them (https://github.com/ansible-collections/community.crypto/pull/460). + release_summary: Deprecation and bugfix release. No new features this time. + fragments: + - 2.4.0.yml + - 487-openssl_pkcs12-other-certs-crash.yml + - deprecate-ansible-2.9-2.10.yml + release_date: '2022-07-09' + 2.5.0: + changes: + minor_changes: + - All software licenses are now in the ``LICENSES/`` directory of the collection + root. Moreover, ``SPDX-License-Identifier:`` is used to declare the applicable + license for every file that is not automatically generated (https://github.com/ansible-collections/community.crypto/pull/491). + release_summary: Maintenance release with improved licensing declaration and + documentation fixes. + fragments: + - 2.5.0.yml + - 491-licenses.yml + release_date: '2022-08-04' + 2.6.0: + changes: + minor_changes: + - acme* modules - support the HTTP 429 Too Many Requests response status (https://github.com/ansible-collections/community.crypto/pull/508). 
+ - openssh_keypair - added ``pkcs1``, ``pkcs8``, and ``ssh`` to the available + choices for the ``private_key_format`` option (https://github.com/ansible-collections/community.crypto/pull/511). + release_summary: Feature release. + fragments: + - 2.6.0.yml + - 508-acme-429.yml + - 511-openssh_keypair-private_key_format_options.yml + release_date: '2022-09-19' + 2.7.0: + changes: + bugfixes: + - openssl_privatekey_pipe - ensure compatibility with newer versions of ansible-core + (https://github.com/ansible-collections/community.crypto/pull/515). + minor_changes: + - acme* modules - also support the HTTP 503 Service Unavailable and 408 Request + Timeout response status for automatic retries (https://github.com/ansible-collections/community.crypto/pull/513). + release_summary: Feature release. + fragments: + - 2.7.0.yml + - 513-acme-503.yml + - 515-action-module-compat.yml + release_date: '2022-09-23' + 2.7.1: + changes: + bugfixes: + - acme_* modules - improve feedback when importing ``cryptography`` does not + work (https://github.com/ansible-collections/community.crypto/issues/518, + https://github.com/ansible-collections/community.crypto/pull/519). + release_summary: Maintenance release. + fragments: + - 2.7.1.yml + - 519-acme-cryptography.yml + release_date: '2022-10-17' + 2.8.0: + changes: + minor_changes: + - acme_* modules - handle more gracefully if CA's new nonce call does not + return a nonce (https://github.com/ansible-collections/community.crypto/pull/525). + - acme_* modules - include symbolic HTTP status codes in error and log messages + when available (https://github.com/ansible-collections/community.crypto/pull/524). + - openssl_pkcs12 - add option ``encryption_level`` which allows to chose ``compatibility2022`` + when cryptography >= 38.0.0 is used to enable a more backwards compatible + encryption algorithm. 
If cryptography uses OpenSSL 3.0.0 or newer, the default + algorithm is not compatible with older software (https://github.com/ansible-collections/community.crypto/pull/523). + release_summary: Feature release. + fragments: + - 2.8.0.yml + - 523-pkcs12-compat.yml + - 524-acme-http-errors.yml + - 525-acme-no-nonce.yml + release_date: '2022-11-02' + 2.8.1: + changes: + release_summary: Maintenance release with improved documentation. + fragments: + - 2.8.1.yml + release_date: '2022-11-06' + 2.9.0: + changes: + minor_changes: + - x509_certificate_info - adds ``issuer_uri`` field in return value based + on Authority Information Access data (https://github.com/ansible-collections/community.crypto/pull/530). + release_summary: Regular feature release. + fragments: + - 2.9.0.yml + - aia_issuer.yaml + release_date: '2022-11-27' 2.10.0: changes: bugfixes: - - openssl_csr, openssl_csr_pipe - prevent invalid values for ``crl_distribution_points`` - that do not have one of ``full_name``, ``relative_name``, and ``crl_issuer`` - (https://github.com/ansible-collections/community.crypto/pull/560). - - openssl_publickey_info - do not crash with internal error when public key - cannot be parsed (https://github.com/ansible-collections/community.crypto/pull/551). + - openssl_csr, openssl_csr_pipe - prevent invalid values for ``crl_distribution_points`` + that do not have one of ``full_name``, ``relative_name``, and ``crl_issuer`` + (https://github.com/ansible-collections/community.crypto/pull/560). + - openssl_publickey_info - do not crash with internal error when public key + cannot be parsed (https://github.com/ansible-collections/community.crypto/pull/551). release_summary: Bugfix and feature release. 
fragments: - - 2.10.0.yml - - 551-publickey-info.yml - - 560-openssl_csr-crl_distribution_points.yml + - 2.10.0.yml + - 551-publickey-info.yml + - 560-openssl_csr-crl_distribution_points.yml plugins: filter: - - description: Retrieve information from OpenSSL Certificate Signing Requests - (CSR) - name: openssl_csr_info - namespace: null - - description: Retrieve information from OpenSSL private keys - name: openssl_privatekey_info - namespace: null - - description: Retrieve information from OpenSSL public keys in PEM format - name: openssl_publickey_info - namespace: null - - description: Split PEM file contents into multiple objects - name: split_pem - namespace: null - - description: Retrieve information from X.509 certificates in PEM format - name: x509_certificate_info - namespace: null - - description: Retrieve information from X.509 CRLs in PEM format - name: x509_crl_info - namespace: null + - description: Retrieve information from OpenSSL Certificate Signing Requests + (CSR) + name: openssl_csr_info + namespace: null + - description: Retrieve information from OpenSSL private keys + name: openssl_privatekey_info + namespace: null + - description: Retrieve information from OpenSSL public keys in PEM format + name: openssl_publickey_info + namespace: null + - description: Split PEM file contents into multiple objects + name: split_pem + namespace: null + - description: Retrieve information from X.509 certificates in PEM format + name: x509_certificate_info + namespace: null + - description: Retrieve information from X.509 CRLs in PEM format + name: x509_crl_info + namespace: null release_date: '2023-01-02' 2.11.0: changes: bugfixes: - - action plugin helper - fix handling of deprecations for ansible-core 2.14.2 - (https://github.com/ansible-collections/community.crypto/pull/572). 
- - execution environment binary dependencies (bindep.txt) - fix ``python3-pyOpenSSL`` - dependency resolution on RHEL 9+ / CentOS Stream 9+ platforms (https://github.com/ansible-collections/community.crypto/pull/575). - - various plugins - remove unnecessary imports (https://github.com/ansible-collections/community.crypto/pull/569). + - action plugin helper - fix handling of deprecations for ansible-core 2.14.2 + (https://github.com/ansible-collections/community.crypto/pull/572). + - execution environment binary dependencies (bindep.txt) - fix ``python3-pyOpenSSL`` + dependency resolution on RHEL 9+ / CentOS Stream 9+ platforms (https://github.com/ansible-collections/community.crypto/pull/575). + - various plugins - remove unnecessary imports (https://github.com/ansible-collections/community.crypto/pull/569). minor_changes: - - get_certificate - adds ``ciphers`` option for custom cipher selection (https://github.com/ansible-collections/community.crypto/pull/571). + - get_certificate - adds ``ciphers`` option for custom cipher selection (https://github.com/ansible-collections/community.crypto/pull/571). release_summary: Feature and bugfix release. fragments: - - 2.11.0.yml - - 571_get_certificate_ciphers.yaml - - 572-action-module.yml - - 575-bindep-python3-pyOpenSSL.yml - - remove-unneeded-imports.yml + - 2.11.0.yml + - 571_get_certificate_ciphers.yaml + - 572-action-module.yml + - 575-bindep-python3-pyOpenSSL.yml + - remove-unneeded-imports.yml release_date: '2023-02-23' 2.11.1: changes: release_summary: Maintenance release with improved documentation. fragments: - - 2.11.1.yml + - 2.11.1.yml release_date: '2023-03-24' 2.12.0: changes: minor_changes: - - get_certificate - add ``asn1_base64`` option to control whether the ASN.1 - included in the ``extensions`` return value is binary data or Base64 encoded - (https://github.com/ansible-collections/community.crypto/pull/592). 
+ - get_certificate - add ``asn1_base64`` option to control whether the ASN.1 + included in the ``extensions`` return value is binary data or Base64 encoded + (https://github.com/ansible-collections/community.crypto/pull/592). release_summary: Feature release. fragments: - - 2.12.0.yml - - 592-get_certificate-base64.yml + - 2.12.0.yml + - 592-get_certificate-base64.yml release_date: '2023-04-16' 2.13.0: changes: bugfixes: - - openssh_keypair - always generate a new key pair if the private key does not - exist. Previously, the module would fail when ``regenerate=fail`` without - an existing key, contradicting the documentation (https://github.com/ansible-collections/community.crypto/pull/598). - - x509_crl - remove problem with ansible-core 2.16 due to ``AnsibleModule`` - is now validating the ``mode`` parameter's values (https://github.com/ansible-collections/community.crypto/issues/596). + - openssh_keypair - always generate a new key pair if the private key does + not exist. Previously, the module would fail when ``regenerate=fail`` without + an existing key, contradicting the documentation (https://github.com/ansible-collections/community.crypto/pull/598). + - x509_crl - remove problem with ansible-core 2.16 due to ``AnsibleModule`` + is now validating the ``mode`` parameter's values (https://github.com/ansible-collections/community.crypto/issues/596). deprecated_features: - - x509_crl - the ``mode`` option is deprecated; use ``crl_mode`` instead. The - ``mode`` option will change its meaning in community.crypto 3.0.0, and will - refer to the CRL file's mode instead (https://github.com/ansible-collections/community.crypto/issues/596). + - x509_crl - the ``mode`` option is deprecated; use ``crl_mode`` instead. + The ``mode`` option will change its meaning in community.crypto 3.0.0, and + will refer to the CRL file's mode instead (https://github.com/ansible-collections/community.crypto/issues/596). 
minor_changes: - - x509_crl - the ``crl_mode`` option has been added to replace the existing - ``mode`` option (https://github.com/ansible-collections/community.crypto/issues/596). + - x509_crl - the ``crl_mode`` option has been added to replace the existing + ``mode`` option (https://github.com/ansible-collections/community.crypto/issues/596). release_summary: Bugfix and maintenance release. fragments: - - 2.13.0.yml - - 596-x509_crl-mode.yml - - 598-openssh_keypair-generate-new-key.yml + - 2.13.0.yml + - 596-x509_crl-mode.yml + - 598-openssh_keypair-generate-new-key.yml release_date: '2023-05-01' 2.13.1: changes: bugfixes: - - execution environment definition - fix installation of ``python3-pyOpenSSL`` - package on CentOS and RHEL (https://github.com/ansible-collections/community.crypto/pull/606). - - execution environment definition - fix source of ``python3-pyOpenSSL`` package - for Rocky Linux 9+ (https://github.com/ansible-collections/community.crypto/pull/606). + - execution environment definition - fix installation of ``python3-pyOpenSSL`` + package on CentOS and RHEL (https://github.com/ansible-collections/community.crypto/pull/606). + - execution environment definition - fix source of ``python3-pyOpenSSL`` package + for Rocky Linux 9+ (https://github.com/ansible-collections/community.crypto/pull/606). release_summary: Bugfix release. fragments: - - 2.13.1.yml - - 606-ee-rocky.yml + - 2.13.1.yml + - 606-ee-rocky.yml release_date: '2023-05-21' 2.14.0: changes: minor_changes: - - acme_certificate - allow to use no challenge by providing ``no challenge`` - for the ``challenge`` option. This is needed for ACME servers where validation - is done without challenges (https://github.com/ansible-collections/community.crypto/issues/613, - https://github.com/ansible-collections/community.crypto/pull/615). 
- - acme_certificate - validate and wait for challenges in parallel instead handling - them one after another (https://github.com/ansible-collections/community.crypto/pull/617). - - x509_certificate_info - added support for certificates in DER format when - using ``path`` parameter (https://github.com/ansible-collections/community.crypto/issues/603). + - acme_certificate - allow to use no challenge by providing ``no challenge`` + for the ``challenge`` option. This is needed for ACME servers where validation + is done without challenges (https://github.com/ansible-collections/community.crypto/issues/613, + https://github.com/ansible-collections/community.crypto/pull/615). + - acme_certificate - validate and wait for challenges in parallel instead + handling them one after another (https://github.com/ansible-collections/community.crypto/pull/617). + - x509_certificate_info - added support for certificates in DER format when + using ``path`` parameter (https://github.com/ansible-collections/community.crypto/issues/603). release_summary: Feature release. fragments: - - 2.14.0.yml - - 615-no-challenge.yml - - 617-acme_certificate-parallel.yml - - 622-der-format-support.yml + - 2.14.0.yml + - 615-no-challenge.yml + - 617-acme_certificate-parallel.yml + - 622-der-format-support.yml release_date: '2023-06-15' 2.14.1: changes: bugfixes: - - Fix PEM detection/identification to also accept random other lines before - the line starting with ``-----BEGIN`` (https://github.com/ansible-collections/community.crypto/issues/627, - https://github.com/ansible-collections/community.crypto/pull/628). + - Fix PEM detection/identification to also accept random other lines before + the line starting with ``-----BEGIN`` (https://github.com/ansible-collections/community.crypto/issues/627, + https://github.com/ansible-collections/community.crypto/pull/628). known_issues: - - Ansible markup will show up in raw form on ansible-doc text output for ansible-core - before 2.15. 
If you have trouble deciphering the documentation markup, please - upgrade to ansible-core 2.15 (or newer), or read the HTML documentation on - https://docs.ansible.com/ansible/devel/collections/community/crypto/. + - Ansible markup will show up in raw form on ansible-doc text output for ansible-core + before 2.15. If you have trouble deciphering the documentation markup, please + upgrade to ansible-core 2.15 (or newer), or read the HTML documentation + on https://docs.ansible.com/ansible/devel/collections/community/crypto/. release_summary: 'Bugfix and maintenance release with updated documentation. 
@@ -893,306 +1190,235 @@ releases: ' fragments: - - 2.14.1.yml - - 628-pem-detection.yml - - semantic-markup.yml + - 2.14.1.yml + - 628-pem-detection.yml + - semantic-markup.yml release_date: '2023-06-27' 2.15.0: changes: bugfixes: - - openssh_cert, openssh_keypair - the modules ignored return codes of ``ssh`` - and ``ssh-keygen`` in some cases (https://github.com/ansible-collections/community.crypto/issues/645, - https://github.com/ansible-collections/community.crypto/pull/646). - - openssh_keypair - fix comment updating for OpenSSH before 6.5 (https://github.com/ansible-collections/community.crypto/pull/646). + - openssh_cert, openssh_keypair - the modules ignored return codes of ``ssh`` + and ``ssh-keygen`` in some cases (https://github.com/ansible-collections/community.crypto/issues/645, + https://github.com/ansible-collections/community.crypto/pull/646). + - openssh_keypair - fix comment updating for OpenSSH before 6.5 (https://github.com/ansible-collections/community.crypto/pull/646). deprecated_features: - - get_certificate - the default ``false`` of the ``asn1_base64`` option is deprecated - and will change to ``true`` in community.crypto 3.0.0 (https://github.com/ansible-collections/community.crypto/pull/600). + - get_certificate - the default ``false`` of the ``asn1_base64`` option is + deprecated and will change to ``true`` in community.crypto 3.0.0 (https://github.com/ansible-collections/community.crypto/pull/600). minor_changes: - - openssh_keypair - fail when comment cannot be updated (https://github.com/ansible-collections/community.crypto/pull/646). + - openssh_keypair - fail when comment cannot be updated (https://github.com/ansible-collections/community.crypto/pull/646). release_summary: Bugfix and feature release. 
fragments: - - 2.15.0.yml - - 600-get_certificate-asn1_base64.yml - - 646-openssh-rc.yml + - 2.15.0.yml + - 600-get_certificate-asn1_base64.yml + - 646-openssh-rc.yml plugins: filter: - - description: Retrieve a GPG fingerprint from a GPG public or private key - name: gpg_fingerprint - namespace: null + - description: Retrieve a GPG fingerprint from a GPG public or private key + name: gpg_fingerprint + namespace: null lookup: - - description: Retrieve a GPG fingerprint from a GPG public or private key file - name: gpg_fingerprint - namespace: null + - description: Retrieve a GPG fingerprint from a GPG public or private key + file + name: gpg_fingerprint + namespace: null release_date: '2023-08-12' 2.15.1: changes: bugfixes: - - acme_* modules - correctly handle error documents without ``type`` (https://github.com/ansible-collections/community.crypto/issues/651, - https://github.com/ansible-collections/community.crypto/pull/652). + - acme_* modules - correctly handle error documents without ``type`` (https://github.com/ansible-collections/community.crypto/issues/651, + https://github.com/ansible-collections/community.crypto/pull/652). release_summary: Bugfix release. fragments: - - 2.15.1.yml - - 652-problem-type.yml + - 2.15.1.yml + - 652-problem-type.yml release_date: '2023-08-22' 2.16.0: changes: bugfixes: - - openssl_pkcs12 - modify autodetect to not detect pyOpenSSL >= 23.3.0, which - removed PKCS#12 support (https://github.com/ansible-collections/community.crypto/pull/666). + - openssl_pkcs12 - modify autodetect to not detect pyOpenSSL >= 23.3.0, which + removed PKCS#12 support (https://github.com/ansible-collections/community.crypto/pull/666). minor_changes: - - luks_devices - add new options ``keyslot``, ``new_keyslot``, and ``remove_keyslot`` - to allow adding/removing keys to/from specific keyslots (https://github.com/ansible-collections/community.crypto/pull/664). 
+ - luks_devices - add new options ``keyslot``, ``new_keyslot``, and ``remove_keyslot`` + to allow adding/removing keys to/from specific keyslots (https://github.com/ansible-collections/community.crypto/pull/664). release_summary: Bugfix release. fragments: - - 2.16.0.yml - - 664-luks_device-keyslot.yml - - pkcs12.yml + - 2.16.0.yml + - 664-luks_device-keyslot.yml + - pkcs12.yml release_date: '2023-10-29' 2.16.1: changes: bugfixes: - - acme_* modules - also retry requests in case of socket errors, bad status - lines, and unknown connection errors; improve error messages in these cases - (https://github.com/ansible-collections/community.crypto/issues/680). + - acme_* modules - also retry requests in case of socket errors, bad status + lines, and unknown connection errors; improve error messages in these cases + (https://github.com/ansible-collections/community.crypto/issues/680). release_summary: Bugfix release. fragments: - - 2.16.1.yml - - 680-acme-retry.yml + - 2.16.1.yml + - 680-acme-retry.yml release_date: '2023-12-04' 2.16.2: changes: bugfixes: - - acme_* modules - directly react on bad return data for account creation/retrieval/updating - requests (https://github.com/ansible-collections/community.crypto/pull/682). - - acme_* modules - fix improved error reporting in case of socket errors, bad - status lines, and unknown connection errors (https://github.com/ansible-collections/community.crypto/pull/684). - - acme_* modules - increase number of retries from 5 to 10 to increase stability - with unstable ACME endpoints (https://github.com/ansible-collections/community.crypto/pull/685). - - acme_* modules - make account registration handling more flexible to accept - 404 instead of 400 send by DigiCert's ACME endpoint when an account does not - exist (https://github.com/ansible-collections/community.crypto/pull/681). 
+ - acme_* modules - directly react on bad return data for account creation/retrieval/updating + requests (https://github.com/ansible-collections/community.crypto/pull/682). + - acme_* modules - fix improved error reporting in case of socket errors, + bad status lines, and unknown connection errors (https://github.com/ansible-collections/community.crypto/pull/684). + - acme_* modules - increase number of retries from 5 to 10 to increase stability + with unstable ACME endpoints (https://github.com/ansible-collections/community.crypto/pull/685). + - acme_* modules - make account registration handling more flexible to accept + 404 instead of 400 send by DigiCert's ACME endpoint when an account does + not exist (https://github.com/ansible-collections/community.crypto/pull/681). release_summary: Bugfix release. fragments: - - 2.16.2.yml - - 681-acme-account.yml - - 682-acme-errors.yml - - 684-info-code.yml - - 685-acme-retry.yml + - 2.16.2.yml + - 681-acme-account.yml + - 682-acme-errors.yml + - 684-info-code.yml + - 685-acme-retry.yml release_date: '2023-12-08' 2.17.0: changes: minor_changes: - - luks_device - add allow discards option (https://github.com/ansible-collections/community.crypto/pull/693). + - luks_device - add allow discards option (https://github.com/ansible-collections/community.crypto/pull/693). release_summary: Feature release. fragments: - - 2.17.0.yml - - 693-allow-discards.yaml + - 2.17.0.yml + - 693-allow-discards.yaml release_date: '2024-01-21' 2.17.1: changes: bugfixes: - - openssl_dhparam - was using an internal function instead of the public API - to load DH param files when using the ``cryptography`` backend. The internal - function was removed in cryptography 42.0.0. The module now uses the public - API, which has been available since support for DH params was added to cryptography - (https://github.com/ansible-collections/community.crypto/pull/698). 
- - openssl_privatekey_info - ``check_consistency=true`` no longer works for RSA - keys with cryptography 42.0.0+ (https://github.com/ansible-collections/community.crypto/pull/701). - - openssl_privatekey_info - ``check_consistency=true`` now reports a warning - if it cannot determine consistency (https://github.com/ansible-collections/community.crypto/pull/705). + - openssl_dhparam - was using an internal function instead of the public API + to load DH param files when using the ``cryptography`` backend. The internal + function was removed in cryptography 42.0.0. The module now uses the public + API, which has been available since support for DH params was added to cryptography + (https://github.com/ansible-collections/community.crypto/pull/698). + - openssl_privatekey_info - ``check_consistency=true`` no longer works for + RSA keys with cryptography 42.0.0+ (https://github.com/ansible-collections/community.crypto/pull/701). + - openssl_privatekey_info - ``check_consistency=true`` now reports a warning + if it cannot determine consistency (https://github.com/ansible-collections/community.crypto/pull/705). release_summary: Bugfix release for compatibility with cryptography 42.0.0. fragments: - - 2.17.1.yml - - 698-openssl_dhparam-cryptography.yml - - 701-private_key_info-consistency.yml - - 705-openssl_privatekey_info-consistency.yml + - 2.17.1.yml + - 698-openssl_dhparam-cryptography.yml + - 701-private_key_info-consistency.yml + - 705-openssl_privatekey_info-consistency.yml release_date: '2024-01-27' 2.18.0: changes: bugfixes: - - luks_device - fixed module a bug that prevented using ``remove_keyslot`` with - the value ``0`` (https://github.com/ansible-collections/community.crypto/pull/710). - - luks_device - fixed module falsely outputting ``changed=false`` when trying - to add a new slot with a key that is already present in another slot. 
The - module now rejects adding keys that are already present in another slot (https://github.com/ansible-collections/community.crypto/pull/710). - - luks_device - fixed testing of LUKS passphrases in when specifying a keyslot - for cryptsetup version 2.0.3. The output of this cryptsetup version slightly - differs from later versions (https://github.com/ansible-collections/community.crypto/pull/710). + - luks_device - fixed module a bug that prevented using ``remove_keyslot`` + with the value ``0`` (https://github.com/ansible-collections/community.crypto/pull/710). + - luks_device - fixed module falsely outputting ``changed=false`` when trying + to add a new slot with a key that is already present in another slot. The + module now rejects adding keys that are already present in another slot + (https://github.com/ansible-collections/community.crypto/pull/710). + - luks_device - fixed testing of LUKS passphrases in when specifying a keyslot + for cryptsetup version 2.0.3. The output of this cryptsetup version slightly + differs from later versions (https://github.com/ansible-collections/community.crypto/pull/710). deprecated_features: - - 'openssl_csr_pipe, openssl_privatekey_pipe, x509_certificate_pipe - the current - behavior of check mode is deprecated and will change in community.crypto 3.0.0. - The current behavior is similar to the modules without ``_pipe``: if the object - needs to be (re-)generated, only the ``changed`` status is set, but the object - is not updated. From community.crypto 3.0.0 on, the modules will ignore check - mode and always act as if check mode is not active. This behavior can already - achieved now by adding ``check_mode: false`` to the task. If you think this - breaks your use-case of this module, please `create an issue in the community.crypto - repository `__ - (https://github.com/ansible-collections/community.crypto/issues/712, https://github.com/ansible-collections/community.crypto/pull/714).' 
+ - 'openssl_csr_pipe, openssl_privatekey_pipe, x509_certificate_pipe - the + current behavior of check mode is deprecated and will change in community.crypto + 3.0.0. The current behavior is similar to the modules without ``_pipe``: + if the object needs to be (re-)generated, only the ``changed`` status is + set, but the object is not updated. From community.crypto 3.0.0 on, the + modules will ignore check mode and always act as if check mode is not active. + This behavior can already achieved now by adding ``check_mode: false`` to + the task. If you think this breaks your use-case of this module, please + `create an issue in the community.crypto repository `__ + (https://github.com/ansible-collections/community.crypto/issues/712, https://github.com/ansible-collections/community.crypto/pull/714).' minor_changes: - - x509_crl - the new option ``serial_numbers`` allow to configure in which format - serial numbers can be provided to ``revoked_certificates[].serial_number``. - The default is as integers (``serial_numbers=integer``) for backwards compatibility; - setting ``serial_numbers=hex-octets`` allows to specify colon-separated hex - octet strings like ``00:11:22:FF`` (https://github.com/ansible-collections/community.crypto/issues/687, - https://github.com/ansible-collections/community.crypto/pull/715). + - x509_crl - the new option ``serial_numbers`` allow to configure in which + format serial numbers can be provided to ``revoked_certificates[].serial_number``. + The default is as integers (``serial_numbers=integer``) for backwards compatibility; + setting ``serial_numbers=hex-octets`` allows to specify colon-separated + hex octet strings like ``00:11:22:FF`` (https://github.com/ansible-collections/community.crypto/issues/687, + https://github.com/ansible-collections/community.crypto/pull/715). release_summary: Bugfix and feature release. 
fragments: - - 2.18.0.yml - - 710-luks_device-keyslot-fixes.yml - - 714-pipe-check-mode-deprecation.yml - - 715-x509_crl-serial.yml + - 2.18.0.yml + - 710-luks_device-keyslot-fixes.yml + - 714-pipe-check-mode-deprecation.yml + - 715-x509_crl-serial.yml plugins: filter: - - description: Convert a serial number as a colon-separated list of hex numbers - to an integer - name: parse_serial - namespace: null - - description: Convert an integer to a colon-separated list of hex numbers - name: to_serial - namespace: null + - description: Convert a serial number as a colon-separated list of hex numbers + to an integer + name: parse_serial + namespace: null + - description: Convert an integer to a colon-separated list of hex numbers + name: to_serial + namespace: null release_date: '2024-02-25' 2.19.0: changes: bugfixes: - - acme_certificate - respect the order of the CNAME and SAN identifiers that - are passed on when creating an ACME order (https://github.com/ansible-collections/community.crypto/issues/723, - https://github.com/ansible-collections/community.crypto/pull/725). + - acme_certificate - respect the order of the CNAME and SAN identifiers that + are passed on when creating an ACME order (https://github.com/ansible-collections/community.crypto/issues/723, + https://github.com/ansible-collections/community.crypto/pull/725). deprecated_features: - - acme.backends module utils - from community.crypto on, all implementations - of ``CryptoBackend`` must override ``get_ordered_csr_identifiers()``. The - current default implementation, which simply sorts the result of ``get_csr_identifiers()``, - will then be removed (https://github.com/ansible-collections/community.crypto/pull/725). + - acme.backends module utils - from community.crypto on, all implementations + of ``CryptoBackend`` must override ``get_ordered_csr_identifiers()``. 
The + current default implementation, which simply sorts the result of ``get_csr_identifiers()``, + will then be removed (https://github.com/ansible-collections/community.crypto/pull/725). minor_changes: - - When using cryptography >= 42.0.0, use offset-aware ``datetime.datetime`` - objects (with timezone UTC) instead of offset-naive UTC timestamps (https://github.com/ansible-collections/community.crypto/issues/726, - https://github.com/ansible-collections/community.crypto/pull/727). - - openssh_cert - avoid UTC functions deprecated in Python 3.12 when using Python - 3 (https://github.com/ansible-collections/community.crypto/pull/727). + - When using cryptography >= 42.0.0, use offset-aware ``datetime.datetime`` + objects (with timezone UTC) instead of offset-naive UTC timestamps (https://github.com/ansible-collections/community.crypto/issues/726, + https://github.com/ansible-collections/community.crypto/pull/727). + - openssh_cert - avoid UTC functions deprecated in Python 3.12 when using + Python 3 (https://github.com/ansible-collections/community.crypto/pull/727). release_summary: Bugfix and feature release. fragments: - - 2.19.0.yml - - 725-acme_certificate-order.yml - - 727-cryptography-utc.yml + - 2.19.0.yml + - 725-acme_certificate-order.yml + - 727-cryptography-utc.yml modules: - - description: Convert X.509 certificates - name: x509_certificate_convert - namespace: '' + - description: Convert X.509 certificates + name: x509_certificate_convert + namespace: '' release_date: '2024-04-20' 2.19.1: changes: bugfixes: - - crypto.math module utils - change return values for ``quick_is_not_prime()`` - and ``convert_int_to_bytes(0, 0)`` for special cases that do not appear when - using the collection (https://github.com/ansible-collections/community.crypto/pull/733). 
- - ecs_certificate - fixed ``csr`` option to be empty and allow renewal of a - specific certificate according to the Renewal Information specification (https://github.com/ansible-collections/community.crypto/pull/740). - - x509_certificate - since community.crypto 2.19.0 the module was no longer - idempotent with respect to ``not_before`` and ``not_after`` times. This is - now fixed (https://github.com/ansible-collections/community.crypto/issues/753, - https://github.com/ansible-collections/community.crypto/pull/754). + - crypto.math module utils - change return values for ``quick_is_not_prime()`` + and ``convert_int_to_bytes(0, 0)`` for special cases that do not appear + when using the collection (https://github.com/ansible-collections/community.crypto/pull/733). + - ecs_certificate - fixed ``csr`` option to be empty and allow renewal of + a specific certificate according to the Renewal Information specification + (https://github.com/ansible-collections/community.crypto/pull/740). + - x509_certificate - since community.crypto 2.19.0 the module was no longer + idempotent with respect to ``not_before`` and ``not_after`` times. This + is now fixed (https://github.com/ansible-collections/community.crypto/issues/753, + https://github.com/ansible-collections/community.crypto/pull/754). release_summary: Bugfix release. fragments: - - 2.19.1.yml - - 733-math-prime.yml - - 740-ecs_certificate-renewal-without-csr.yml - - 754-x509_certificate-time.yml + - 2.19.1.yml + - 733-math-prime.yml + - 740-ecs_certificate-renewal-without-csr.yml + - 754-x509_certificate-time.yml release_date: '2024-05-11' - 2.2.0: - changes: - bugfixes: - - luks_devices - set ``LANG`` and similar environment variables to avoid translated - output, which can break some of the module's functionality like key management - (https://github.com/ansible-collections/community.crypto/pull/388, https://github.com/ansible-collections/community.crypto/issues/385). 
- minor_changes: - - openssh_cert - added ``ignore_timestamps`` parameter so it can be used semi-idempotent - with relative timestamps in ``valid_to``/``valid_from`` (https://github.com/ansible-collections/community.crypto/issues/379). - release_summary: Regular bugfix and feature release. - fragments: - - 2.2.0.yml - - 381_openssh_cert_add_ignore_timestamps.yml - - 388-luks_device-i18n.yml - release_date: '2022-02-01' - 2.2.1: - changes: - bugfixes: - - openssh_cert - fixed false ``changed`` status for ``host`` certificates when - using ``full_idempotence`` (https://github.com/ansible-collections/community.crypto/issues/395, - https://github.com/ansible-collections/community.crypto/pull/396). - release_summary: Bugfix release. - fragments: - - 2.2.1.yml - - 396-openssh_cert-host-cert-idempotence-fix.yml - release_date: '2022-02-05' - 2.2.2: - changes: - bugfixes: - - certificate_complete_chain - allow multiple potential intermediate certificates - to have the same subject (https://github.com/ansible-collections/community.crypto/issues/399, - https://github.com/ansible-collections/community.crypto/pull/403). - - x509_certificate - for the ``ownca`` provider, check whether the CA private - key actually belongs to the CA certificate (https://github.com/ansible-collections/community.crypto/pull/407). - - x509_certificate - regenerate certificate when the CA's public key changes - for ``provider=ownca`` (https://github.com/ansible-collections/community.crypto/pull/407). - - x509_certificate - regenerate certificate when the CA's subject changes for - ``provider=ownca`` (https://github.com/ansible-collections/community.crypto/issues/400, - https://github.com/ansible-collections/community.crypto/pull/402). - - x509_certificate - regenerate certificate when the private key changes for - ``provider=selfsigned`` (https://github.com/ansible-collections/community.crypto/pull/407). - release_summary: 'Regular bugfix release. 
- - - In this release, we extended the test matrix to include Alpine 3, ArchLinux, - Debian Bullseye, and CentOS Stream 8. CentOS 8 was removed from the test matrix. - - ' - fragments: - - 2.2.2.yml - - 402-x509_certificate-ownca-subject.yml - - 403-certificate_complete_chain-same-subject.yml - - 407-x509_certificate-signature.yml - release_date: '2022-02-21' - 2.2.3: - changes: - bugfixes: - - luks_device - fix parsing of ``lsblk`` output when device name ends with ``crypt`` - (https://github.com/ansible-collections/community.crypto/issues/409, https://github.com/ansible-collections/community.crypto/pull/410). - release_summary: Regular bugfix release. - fragments: - - 2.2.3.yml - - 410-luks_device-lsblk-parsing.yml - release_date: '2022-03-04' - 2.2.4: - changes: - bugfixes: - - openssh_* modules - fix exception handling to report traceback to users for - enhanced traceability (https://github.com/ansible-collections/community.crypto/pull/417). - release_summary: Regular maintenance release. - fragments: - - 2.2.4.yml - - 417-openssh_modules-fix-exception-reporting.yml - release_date: '2022-03-22' 2.20.0: changes: bugfixes: - - x509_crl, x509_certificate, x509_certificate_info - when parsing absolute - timestamps which omitted the second count, the first digit of the minutes - was used as a one-digit minutes count, and the second digit of the minutes - as a one-digit second count (https://github.com/ansible-collections/community.crypto/pull/745). + - x509_crl, x509_certificate, x509_certificate_info - when parsing absolute + timestamps which omitted the second count, the first digit of the minutes + was used as a one-digit minutes count, and the second digit of the minutes + as a one-digit second count (https://github.com/ansible-collections/community.crypto/pull/745). deprecated_features: - - acme documentation fragment - the default ``community.crypto.acme[.documentation]`` - docs fragment is deprecated and will be removed from community.crypto 3.0.0. 
- Replace it with both the new ``community.crypto.acme.basic`` and ``community.crypto.acme.account`` - fragments (https://github.com/ansible-collections/community.crypto/pull/735). - - acme.backends module utils - the ``get_cert_information()`` method for a ACME - crypto backend must be implemented from community.crypto 3.0.0 on (https://github.com/ansible-collections/community.crypto/pull/736). - - crypto.module_backends.common module utils - the ``crypto.module_backends.common`` - module utils is deprecated and will be removed from community.crypto 3.0.0. - Use the improved ``argspec`` module util instead (https://github.com/ansible-collections/community.crypto/pull/749). + - acme documentation fragment - the default ``community.crypto.acme[.documentation]`` + docs fragment is deprecated and will be removed from community.crypto 3.0.0. + Replace it with both the new ``community.crypto.acme.basic`` and ``community.crypto.acme.account`` + fragments (https://github.com/ansible-collections/community.crypto/pull/735). + - acme.backends module utils - the ``get_cert_information()`` method for a + ACME crypto backend must be implemented from community.crypto 3.0.0 on (https://github.com/ansible-collections/community.crypto/pull/736). + - crypto.module_backends.common module utils - the ``crypto.module_backends.common`` + module utils is deprecated and will be removed from community.crypto 3.0.0. + Use the improved ``argspec`` module util instead (https://github.com/ansible-collections/community.crypto/pull/749). minor_changes: - - acme_certificate - add ``include_renewal_cert_id`` option to allow requesting - renewal of a specific certificate according to the current ACME Renewal Information - specification draft (https://github.com/ansible-collections/community.crypto/pull/739). 
+ - acme_certificate - add ``include_renewal_cert_id`` option to allow requesting + renewal of a specific certificate according to the current ACME Renewal + Information specification draft (https://github.com/ansible-collections/community.crypto/pull/739). release_summary: 'Feature and bugfix release. 
@@ -1203,233 +1429,20 @@ releases: ' fragments: - - 2.20.0.yml - - 735-acme-docs-fragment.yml - - 736-cert-info.yml - - 739-acme_certificate-include_renewal_cert_id.yml - - 745-absolute-time.yml - - 749-argspec.yml + - 2.20.0.yml + - 735-acme-docs-fragment.yml + - 736-cert-info.yml + - 739-acme_certificate-include_renewal_cert_id.yml + - 745-absolute-time.yml + - 749-argspec.yml modules: - - description: Retrieves ACME Renewal Information (ARI) for a certificate. - name: acme_ari_info - namespace: '' - - description: Deactivate all authz for an ACME v2 order. - name: acme_certificate_deactivate_authz - namespace: '' - - description: Determine whether a certificate should be renewed or not. - name: acme_certificate_renewal_info - namespace: '' + - description: Retrieves ACME Renewal Information (ARI) for a certificate. + name: acme_ari_info + namespace: '' + - description: Deactivate all authz for an ACME v2 order. + name: acme_certificate_deactivate_authz + namespace: '' + - description: Determine whether a certificate should be renewed or not. + name: acme_certificate_renewal_info + namespace: '' release_date: '2024-05-20' - 2.3.0: - changes: - bugfixes: - - Make collection more robust when PyOpenSSL is used with an incompatible cryptography - version (https://github.com/ansible-collections/community.crypto/pull/445). - - x509_crl - fix crash when ``issuer`` for a revoked certificate is specified - (https://github.com/ansible-collections/community.crypto/pull/441). - minor_changes: - - Prepare collection for inclusion in an Execution Environment by declaring - its dependencies. Please note that system packages are used for cryptography - and PyOpenSSL, which can be rather limited. 
If you need features from newer - cryptography versions, you will have to manually force a newer version to - be installed by pip by specifying something like ``cryptography >= 37.0.0`` - in your Execution Environment's Python dependencies file (https://github.com/ansible-collections/community.crypto/pull/440). - - Support automatic conversion for Internalionalized Domain Names (IDNs). When - passing general names, for example Subject Alternative Names to ``community.crypto.openssl_csr``, - these will automatically be converted to IDNA. Conversion will be done per - label to IDNA2008 if possible, and IDNA2003 if IDNA2008 conversion fails for - that label. Note that IDNA conversion requires `the Python idna library `_ - to be installed. Please note that depending on which versions of the cryptography - library are used, it could try to process the converted IDNA another time - with the Python ``idna`` library and reject IDNA2003 encoded values. Using - a new enough ``cryptography`` version avoids this (https://github.com/ansible-collections/community.crypto/issues/426, - https://github.com/ansible-collections/community.crypto/pull/436). - - acme_* modules - add parameter ``request_timeout`` to manage HTTP(S) request - timeout (https://github.com/ansible-collections/community.crypto/issues/447, - https://github.com/ansible-collections/community.crypto/pull/448). - - luks_devices - added ``perf_same_cpu_crypt``, ``perf_submit_from_crypt_cpus``, - ``perf_no_read_workqueue``, ``perf_no_write_workqueue`` for performance tuning - when opening LUKS2 containers (https://github.com/ansible-collections/community.crypto/issues/427). - - luks_devices - added ``persistent`` option when opening LUKS2 containers (https://github.com/ansible-collections/community.crypto/pull/434). 
- - openssl_csr_info - add ``name_encoding`` option to control the encoding (IDNA, - Unicode) used to return domain names in general names (https://github.com/ansible-collections/community.crypto/pull/436). - - openssl_pkcs12 - allow to provide the private key as text instead of having - to read it from a file. This allows to store the private key in an encrypted - form, for example in Ansible Vault (https://github.com/ansible-collections/community.crypto/pull/452). - - x509_certificate_info - add ``name_encoding`` option to control the encoding - (IDNA, Unicode) used to return domain names in general names (https://github.com/ansible-collections/community.crypto/pull/436). - - x509_crl - add ``name_encoding`` option to control the encoding (IDNA, Unicode) - used to return domain names in general names (https://github.com/ansible-collections/community.crypto/pull/436). - - x509_crl_info - add ``name_encoding`` option to control the encoding (IDNA, - Unicode) used to return domain names in general names (https://github.com/ansible-collections/community.crypto/pull/436). - release_summary: Feature and bugfix release. - fragments: - - 2.3.0.yml - - 434-add-persistent-and-perf-options.yml - - 436-idns.yml - - 440-ee.yml - - 441-x509-crl-cert-issuer.yml - - 445-fix.yml - - 448-acme-request-timeouts.yml - - 452-openssl_pkcs12-private-key-content.yml - release_date: '2022-05-09' - 2.3.1: - changes: - bugfixes: - - Include ``PSF-license.txt`` file for ``plugins/module_utils/_version.py``. - release_summary: Maintenance release. - fragments: - - 2.3.1.yml - - psf-license.yml - release_date: '2022-05-16' - 2.3.2: - changes: - bugfixes: - - Include ``simplified_bsd.txt`` license file for the ECS module utils. - - certificate_complete_chain - do not stop execution if an unsupported signature - algorithm is encountered; warn instead (https://github.com/ansible-collections/community.crypto/pull/457). - release_summary: Maintenance and bugfix release. 
- fragments: - - 2.3.2.yml - - 457-certificate_complete_chain-unsupported-algorithm.yml - - simplified-bsd-license.yml - release_date: '2022-06-02' - 2.3.3: - changes: - bugfixes: - - Include ``Apache-2.0.txt`` file for ``plugins/module_utils/crypto/_obj2txt.py`` - and ``plugins/module_utils/crypto/_objects_data.py``. - - openssl_csr - the module no longer crashes with 'permitted_subtrees/excluded_subtrees - must be a non-empty list or None' if only one of ``name_constraints_permitted`` - and ``name_constraints_excluded`` is provided (https://github.com/ansible-collections/community.crypto/issues/481). - - x509_crl - do not crash when signing CRL with Ed25519 or Ed448 keys (https://github.com/ansible-collections/community.crypto/issues/473, - https://github.com/ansible-collections/community.crypto/pull/474). - release_summary: Bugfix release. - fragments: - - 2.3.3.yml - - 474-x509_crl-ed25519-ed448.yml - - 481-fix-excluded_subtrees-must-be-a-non-empty-list-or-None.yml - - apache-license.yml - release_date: '2022-06-17' - 2.3.4: - changes: - release_summary: 'Re-release of what was intended to be 2.3.3. - - - A mistake during the release process caused the 2.3.3 tag to end up on the - - commit for 1.9.17, which caused the release pipeline to re-publish 1.9.17 - - as 2.3.3. - - - This release is identical to what should have been 2.3.3, except that the - - version number has been bumped to 2.3.4 and this changelog entry for 2.3.4 - - has been added. - - ' - fragments: - - 2.3.4.yml - release_date: '2022-06-21' - 2.4.0: - changes: - bugfixes: - - openssl_pkcs12 - when using the pyOpenSSL backend, do not crash when trying - to read non-existing other certificates (https://github.com/ansible-collections/community.crypto/issues/486, - https://github.com/ansible-collections/community.crypto/pull/487). - deprecated_features: - - Support for Ansible 2.9 and ansible-base 2.10 is deprecated, and will be removed - in the next major release (community.crypto 3.0.0). 
Some modules might still - work with these versions afterwards, but we will no longer keep compatibility - code that was needed to support them (https://github.com/ansible-collections/community.crypto/pull/460). - release_summary: Deprecation and bugfix release. No new features this time. - fragments: - - 2.4.0.yml - - 487-openssl_pkcs12-other-certs-crash.yml - - deprecate-ansible-2.9-2.10.yml - release_date: '2022-07-09' - 2.5.0: - changes: - minor_changes: - - All software licenses are now in the ``LICENSES/`` directory of the collection - root. Moreover, ``SPDX-License-Identifier:`` is used to declare the applicable - license for every file that is not automatically generated (https://github.com/ansible-collections/community.crypto/pull/491). - release_summary: Maintenance release with improved licensing declaration and - documentation fixes. - fragments: - - 2.5.0.yml - - 491-licenses.yml - release_date: '2022-08-04' - 2.6.0: - changes: - minor_changes: - - acme* modules - support the HTTP 429 Too Many Requests response status (https://github.com/ansible-collections/community.crypto/pull/508). - - openssh_keypair - added ``pkcs1``, ``pkcs8``, and ``ssh`` to the available - choices for the ``private_key_format`` option (https://github.com/ansible-collections/community.crypto/pull/511). - release_summary: Feature release. - fragments: - - 2.6.0.yml - - 508-acme-429.yml - - 511-openssh_keypair-private_key_format_options.yml - release_date: '2022-09-19' - 2.7.0: - changes: - bugfixes: - - openssl_privatekey_pipe - ensure compatibility with newer versions of ansible-core - (https://github.com/ansible-collections/community.crypto/pull/515). - minor_changes: - - acme* modules - also support the HTTP 503 Service Unavailable and 408 Request - Timeout response status for automatic retries (https://github.com/ansible-collections/community.crypto/pull/513). - release_summary: Feature release. 
- fragments: - - 2.7.0.yml - - 513-acme-503.yml - - 515-action-module-compat.yml - release_date: '2022-09-23' - 2.7.1: - changes: - bugfixes: - - acme_* modules - improve feedback when importing ``cryptography`` does not - work (https://github.com/ansible-collections/community.crypto/issues/518, - https://github.com/ansible-collections/community.crypto/pull/519). - release_summary: Maintenance release. - fragments: - - 2.7.1.yml - - 519-acme-cryptography.yml - release_date: '2022-10-17' - 2.8.0: - changes: - minor_changes: - - acme_* modules - handle more gracefully if CA's new nonce call does not return - a nonce (https://github.com/ansible-collections/community.crypto/pull/525). - - acme_* modules - include symbolic HTTP status codes in error and log messages - when available (https://github.com/ansible-collections/community.crypto/pull/524). - - openssl_pkcs12 - add option ``encryption_level`` which allows to chose ``compatibility2022`` - when cryptography >= 38.0.0 is used to enable a more backwards compatible - encryption algorithm. If cryptography uses OpenSSL 3.0.0 or newer, the default - algorithm is not compatible with older software (https://github.com/ansible-collections/community.crypto/pull/523). - release_summary: Feature release. - fragments: - - 2.8.0.yml - - 523-pkcs12-compat.yml - - 524-acme-http-errors.yml - - 525-acme-no-nonce.yml - release_date: '2022-11-02' - 2.8.1: - changes: - release_summary: Maintenance release with improved documentation. - fragments: - - 2.8.1.yml - release_date: '2022-11-06' - 2.9.0: - changes: - minor_changes: - - x509_certificate_info - adds ``issuer_uri`` field in return value based on - Authority Information Access data (https://github.com/ansible-collections/community.crypto/pull/530). - release_summary: Regular feature release. - fragments: - - 2.9.0.yml - - aia_issuer.yaml - release_date: '2022-11-27' diff --git a/changelogs/config.yaml b/changelogs/config.yaml index c4cf310cf..c9fafa165 100644 
--- a/changelogs/config.yaml
+++ b/changelogs/config.yaml
@@ -17,23 +17,25 @@ output_formats:
 prelude_section_name: release_summary
 prelude_section_title: Release Summary
 sections:
-- - major_changes
- - Major Changes
-- - minor_changes
- - Minor Changes
-- - breaking_changes
- - Breaking Changes / Porting Guide
-- - deprecated_features
- - Deprecated Features
-- - removed_features
- - Removed Features (previously deprecated)
-- - security_fixes
- - Security Fixes
-- - bugfixes
- - Bugfixes
-- - known_issues
- - Known Issues
+ - - major_changes
+ - Major Changes
+ - - minor_changes
+ - Minor Changes
+ - - breaking_changes
+ - Breaking Changes / Porting Guide
+ - - deprecated_features
+ - Deprecated Features
+ - - removed_features
+ - Removed Features (previously deprecated)
+ - - security_fixes
+ - Security Fixes
+ - - bugfixes
+ - Bugfixes
+ - - known_issues
+ - Known Issues
 title: Community Crypto
 trivial_section_name: trivial
 use_fqcn: true
 add_plugin_period: true
+changelog_nice_yaml: true
+changelog_sort: version
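Review bot: The two keys added at the end of this hunk, `changelog_nice_yaml: true` and `changelog_sort: version`, carry no comment, although they appear to be what drives the whole rewrite of changelogs/changelog.yaml in this commit (leading `---`, indented sequences, the 2.2.x entries no longer sitting between 2.19.1 and 2.20.0). A one-line comment above them would tell the next maintainer why the file layout changed, for example `# Write changelog.yaml with indented lists and releases ordered by version`. A reformat of this size is impractical to read line by line, so it is worth confirming that the old and new changelog.yaml load to the same data. Recording that check alongside the change would show that no content edit rode along in the layout noise.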