Implement profile option. (#835)

changelogs/fragments/835-acme-profiles.yml

@@ -0,0 +1,4 @@
+minor_changes:
+  - "acme_certificate - allow to chose a profile for certificate generation, in case the CA supports this using
+     Internet-Draft `draft-aaron-acme-profiles <https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/>`__
+     (https://github.com/ansible-collections/community.crypto/pull/835)."

plugins/module_utils/acme/orders.py

@@ -65,7 +65,7 @@ def from_url(cls, client, url):
         return result
 
     @classmethod
-    def create(cls, client, identifiers, replaces_cert_id=None):
+    def create(cls, client, identifiers, replaces_cert_id=None, profile=None):
         '''
         Start a new certificate order (ACME v2 protocol).
         https://tools.ietf.org/html/rfc8555#section-7.4
@@ -81,6 +81,8 @@ def create(cls, client, identifiers, replaces_cert_id=None):
         }
         if replaces_cert_id is not None:
             new_order["replaces"] = replaces_cert_id
+        if profile is not None:
+            new_order["profile"] = profile
         result, info = client.send_signed_request(
             client.directory['newOrder'], new_order, error_msg='Failed to start new order', expected_status_codes=[201])
         return cls.from_json(client, result, info['location'])

plugins/modules/acme_certificate.py

@@ -263,6 +263,14 @@
       - always
     default: never
     version_added: 2.20.0
+  profile:
+    description:
+      - Chose a specific profile for certificate selection. The available profiles depend on the CA.
+      - See L(a blog post by Let's Encrypt, https://letsencrypt.org/2025/01/09/acme-profiles/) and
+        L(draft-aaron-acme-profiles-00, https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/)
+        for more information.
+    type: str
+    version_added: 2.24.0
 """
 
 EXAMPLES = r"""
@@ -604,6 +612,7 @@ def __init__(self, module, backend):
         self.all_chains = None
         self.select_chain_matcher = []
         self.include_renewal_cert_id = module.params['include_renewal_cert_id']
+        self.profile = module.params['profile']
 
         if self.module.params['select_chain']:
             for criterium_idx, criterium in enumerate(self.module.params['select_chain']):
@@ -614,6 +623,13 @@ def __init__(self, module, backend):
                 except ValueError as exc:
                     self.module.warn('Error while parsing criterium: {error}. Ignoring criterium.'.format(error=exc))
 
+        if self.profile is not None:
+            meta_profiles = (self.directory.get('meta') or {}).get('profiles') or {}
+            if not meta_profiles:
+                raise ModuleFailException(msg='The ACME CA does not support profiles.')
+            if self.profile not in meta_profiles:
+                raise ModuleFailException(msg='The ACME CA does not support selected profile {0!r}.'.format(self.profile))
+
         # Make sure account exists
         modify_account = module.params['modify_account']
         if modify_account or self.version > 1:
@@ -696,7 +712,7 @@ def start_challenges(self):
                         cert_info=cert_info,
                         none_if_required_information_is_missing=True,
                     )
-            self.order = Order.create(self.client, self.identifiers, replaces_cert_id)
+            self.order = Order.create(self.client, self.identifiers, replaces_cert_id, profile=self.profile)
             self.order_uri = self.order.url
             self.order.load_authorizations(self.client)
             self.authorizations.update(self.order.authorizations)
@@ -882,6 +898,7 @@ def main():
             authority_key_identifier=dict(type='str'),
         )),
         include_renewal_cert_id=dict(type='str', choices=['never', 'when_ari_supported', 'always'], default='never'),
+        profile=dict(type='str'),
     )
     argument_spec.update(
         required_one_of=[