Note
This plugin is part of the community.crypto collection (version 1.9.6).
You might already have this collection installed if you are using the `ansible` package. It is not included in `ansible-core`. To check whether it is installed, run `ansible-galaxy collection list`.
To install it, use: `ansible-galaxy collection install community.crypto`.
To use it in a playbook, specify: `community.crypto.get_certificate`.
The below requirements are needed on the host that executes this module.
proxy_host
Parameter | Choices/Defaults | Comments |
---|---|---|
ca_cert path | | A PEM file containing one or more root certificates; if present, the cert will be validated against these root certs. Note that this only validates that the certificate is signed by the chain, not that the cert is valid for the host presenting it. |
host string / required | | The host to get the cert for (IP is fine). |
port integer / required | | The port to connect to. |
proxy_host string | | Proxy host used when getting a certificate. |
proxy_port integer | Default: 8080 | Proxy port used when getting a certificate. |
select_crypto_backend string | | Determines which crypto backend to use. The default choice is `auto`, which tries to use `cryptography` if available, and falls back to `pyopenssl`. If set to `pyopenssl`, will try to use the pyOpenSSL library. If set to `cryptography`, will try to use the cryptography library. |
server_name string added in 1.4.0 of community.crypto | | Server name used for SNI (Server Name Indication) when hostname is an IP or is different from server name. |
starttls string added in 1.9.0 of community.crypto | | Requests a secure connection for protocols which require clients to initiate encryption. Only available for `mysql` currently. |
timeout integer | Default: 10 | The timeout in seconds. |
Note
```yaml
- name: Get the cert from an RDP port
  community.crypto.get_certificate:
    host: "1.2.3.4"
    port: 3389
  delegate_to: localhost
  run_once: true
  register: cert

- name: Get a cert from an https port
  community.crypto.get_certificate:
    host: "www.google.com"
    port: 443
  delegate_to: localhost
  run_once: true
  register: cert

- name: How many days until cert expires
  debug:
    msg: "cert expires in: {{ expire_days }} days."
  vars:
    expire_days: "{{ (( cert.not_after | to_datetime('%Y%m%d%H%M%SZ')) - (ansible_date_time.iso8601 | to_datetime('%Y-%m-%dT%H:%M:%SZ')) ).days }}"
```
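The `ca_cert` comment above notes that chain validation does not confirm the certificate is valid for the host presenting it. The playbook below is an added example, not part of the module's own documentation: it adds an exact-match subjectAltName check and an expiry threshold on top of the chain check. `target_host`, `ca_bundle` and `min_days` are assumed values, and `community.crypto.x509_certificate_info` is a separate module from the same collection.

```yaml
- name: Audit the certificate a host presents (added example)
  hosts: localhost
  gather_facts: true            # ansible_date_time is used below
  vars:
    target_host: "www.example.com"                   # assumed target
    ca_bundle: /etc/ssl/certs/ca-certificates.crt    # assumed CA bundle path
    min_days: 30                                     # assumed renewal threshold
  tasks:
    - name: Fetch the cert and validate its chain against the CA bundle
      community.crypto.get_certificate:
        host: "{{ target_host }}"
        port: 443
        ca_cert: "{{ ca_bundle }}"
      register: cert

    # ca_cert only proves the chain; parse the PEM to see which names it covers.
    - name: Read the subjectAltName entries from the retrieved PEM
      community.crypto.x509_certificate_info:
        content: "{{ cert.cert }}"
      register: info

    # Exact DNS match only; wildcard and IP SAN entries are not handled here.
    - name: Require a matching name, an unexpired cert and enough remaining days
      ansible.builtin.assert:
        that:
          - 'not cert.expired'
          - '("DNS:" ~ target_host) in (info.subject_alt_name | default([], true))'
          - 'days_left | int >= min_days'
        fail_msg: >-
          {{ target_host }} failed the audit:
          SANs={{ info.subject_alt_name | default([], true) }},
          days left={{ days_left }}
      vars:
        days_left: >-
          {{ ((cert.not_after | to_datetime('%Y%m%d%H%M%SZ'))
              - (ansible_date_time.iso8601 | to_datetime('%Y-%m-%dT%H:%M:%SZ'))).days }}
```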
Common return values are documented here; the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
cert string | success | The certificate retrieved from the port |
expired boolean | success | Boolean indicating if the cert is expired |
extensions list / elements=dictionary | success | Extensions applied to the cert |
asn1_data string | success | The Base64 encoded ASN.1 content of the extension. |
critical boolean | success | Whether the extension is critical. |
name string | success | The extension's name. |
issuer dictionary | success | Information about the issuer of the cert |
not_after string | success | Expiration date of the cert |
not_before string | success | Issue date of the cert |
serial_number string | success | The serial number of the cert |
signature_algorithm string | success | The algorithm used to sign the cert |
subject dictionary | success | Information about the subject of the cert (OU, CN, etc) |
version string | success | The version number of the certificate |
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/community/crypto/get_certificate_module.html