Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New gpg_keypair module to manage GPG keys. #743

Draft
wants to merge 78 commits into
base: main
Choose a base branch
from

Conversation

austinlucaslake
Copy link
Contributor

@austinlucaslake austinlucaslake commented May 1, 2024

SUMMARY

New gpg_keypair module to manage GPG keys.

Fixes #238

ISSUE TYPE
  • New Module Pull Request
COMPONENT NAME

gpg_keypair

ADDITIONAL INFORMATION

Unattended GPG key generation

Example usage:

community.crypto.gpg_keypair:
  state: present
  key_type: RSA
  key_length: 4096
  subkeys:
    - { subkey_type: RSA, subkey_length: 4096 }
  name: {{ name }}
  comment: {{ comment }}
  email: {{ email }}
  passphrase: {{ passphrase }}

Copy link
Contributor

@felixfontein felixfontein left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution! I've added some first comments below.

One thing that should be discussed is idempotence. I.e. what does happen if parameters like key_type do not match the existing key (if state=present).

Generally Ansible should ensure the state, i.e. if the existing key has the wrong type, size, key usage, ..., it should be modified to the module's parameters. For objects such as private keys (or disk partitions etc.), destructive operations are generally a bad idea, so it makes sense to make that configurable, but other changes (like key usage) can be made without cycling the private key. For the private key handling modules in this collection, we usually make this behavior configurable (consider for example the regenerate option of community.crypto.openssl_privatekey).

Do you already have plans (after all this PR is marked as a draft)?

plugins/modules/gpg_keypair.py Show resolved Hide resolved
plugins/modules/gpg_keypair.py Show resolved Hide resolved
plugins/modules/gpg_keypair.py Outdated Show resolved Hide resolved
plugins/modules/gpg_keypair.py Outdated Show resolved Hide resolved
plugins/modules/gpg_keypair.py Outdated Show resolved Hide resolved
plugins/modules/gpg_keypair.py Outdated Show resolved Hide resolved
plugins/modules/gpg_keypair.py Outdated Show resolved Hide resolved
plugins/modules/gpg_keypair.py Outdated Show resolved Hide resolved
plugins/modules/gpg_keypair.py Outdated Show resolved Hide resolved
plugins/modules/gpg_keypair.py Outdated Show resolved Hide resolved
@austinlucaslake
Copy link
Contributor Author

Thanks for your contribution! I've added some first comments below.

One thing that should be discussed is idempotence. I.e. what does happen if parameters like key_type do not match the existing key (if state=present).

Generally Ansible should ensure the state, i.e. if the existing key has the wrong type, size, key usage, ..., it should be modified to the module's parameters. For objects such as private keys (or disk partitions etc.), destructive operations are generally a bad idea, so it makes sense to make that configurable, but other changes (like key usage) can be made without cycling the private key. For the private key handling modules in this collection, we usually make this behavior configurable (consider for example the regenerate option of community.crypto.openssl_privatekey).

Do you already have plans (after all this PR is marked as a draft)?

Thanks for the comments! Regeneration as you described, would be great. However there is a problem when matching against specific key types. The key_type parameter can't always be extracted when listing keys. For clarification, please take a look at the example outputs below when listing keys...

This is the output for an ECDSA key using the secp256k1 curve:

sec   secp256k1/44A9910642E57A60 2024-05-01 [SCA]
      CF68D75C4321667AE7E815F244A9910642E57A60
uid                 [ultimate] name (comment) <[email protected]>

This the output for an ECDSA key using the brainpoolP512r1 curve:

sec   brainpoolP512r1/5A6CA22A7DA2FE9C 2024-05-01 [SCA]
      F6892C47B20B59ACB652F3B95A6CA22A7DA2FE9C
uid                 [ultimate] name (comment) <[email protected]>

This is the output for an ECDSA key with an ECDH subkey, both of which use brainpoolP521r1 curve:

sec   brainpoolP512r1/AA5C22A75FD5B23D 2024-05-01 [SCA]
      E2280C64B089AEBCD7CE4EBEAA5C22A75FD5B23D
uid                 [ultimate] name (comment) <[email protected]>
ssb   brainpoolP512r1/836D4694DAF4DE3B 2024-05-01 [E]

This problem really only applies for when trying to decipher between ECDSA and ECDH keys. RSA, DSA, and ELG keys all include their key_type tags in the output along with the bit length. And EDDSA is output as ed25519 as thats the only curve its compatible with. Now that I think about it, it may be possible to differentiate between ECDSA and ECDH if I factor in the key usage as well. I'll see what I can do in that regard in the next couple of days.

@felixfontein
Copy link
Contributor

Did you try to look at the --with-colons output?

@austinlucaslake
Copy link
Contributor Author

Did you try to look at the --with-colons output?

Just took a look at that now. That should work. From what I see from the output, the OpenPGP algorithm id numbers can be parsed. I can convert those into the corresponding values for the key_type or subkey_type parameters input by users of the module.

@austinlucaslake
Copy link
Contributor Author

Will be working on conditional regeneration over the next couple of days. Should be ready for review once that is fleshed out.

plugins/modules/gpg_keypair.py Outdated Show resolved Hide resolved
import re

from ansible.module_utils.basic import AnsibleModule
from ansible_collections.community.crypto.plugins.plugin_utils.gnupg.py import PluginGPGRunner
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First, the .py shouldn't be there, and second, this import does not work for modules, only for non-module plugins. Modules can only import things from module_utils.

For modules you'll need to create a new GPGRunner impementation (in module_utils/gnupg/, say a new file module_runner.py) that uses AnsibleModule.run_command().

Copy link
Contributor Author

@austinlucaslake austinlucaslake May 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Quick question on your PluginGPGRunner code. I notice that its a child class that derives from the abstract bass class of GPGRunner, which you also wrote. What's the reasoning for doing that? Why not just put the functionality PluginGPGRunner in GPGRunner?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PluginGPGRunner is only acceptable for plugins, not for modules, since it doesn't (and cannot) use AnsibleModule.run_command.

Copy link

github-actions bot commented May 5, 2024

Docs Build 📝

Thank you for contribution!✨

The docs for this PR have been published here:
https://ansible-collections.github.io/community.crypto/pr/743

You can compare to the docs for the main branch here:
https://ansible-collections.github.io/community.crypto/branch/main

The docsite for this PR is also available for download as an artifact from this run:
https://github.com/ansible-collections/community.crypto/actions/runs/9238994576

File changes:

Click to see the diff comparison.

NOTE: only file modifications are shown here. New and deleted files are excluded.
See the file list and check the published docs to see those files.

The diff output was truncated because it exceeded the maximum size.

diff --git a/home/runner/work/community.crypto/community.crypto/docsbuild/base/acme_account_facts_module.html b/home/runner/work/community.crypto/community.crypto/docsbuild/head/acme_account_facts_module.html
index e2915de..5c9e65b 100644
--- a/home/runner/work/community.crypto/community.crypto/docsbuild/base/acme_account_facts_module.html
+++ b/home/runner/work/community.crypto/community.crypto/docsbuild/head/acme_account_facts_module.html
@@ -85,6 +85,8 @@
 <li class="toctree-l1"><a class="reference internal" href="acme_account_info_module.html">community.crypto.acme_account_info module – Retrieves information on ACME accounts</a></li>
 <li class="toctree-l1"><a class="reference internal" href="acme_ari_info_module.html">community.crypto.acme_ari_info module – Retrieves ACME Renewal Information (ARI) for a certificate</a></li>
 <li class="toctree-l1"><a class="reference internal" href="acme_certificate_module.html">community.crypto.acme_certificate module – Create SSL/TLS certificates with the ACME protocol</a></li>
+<li class="toctree-l1"><a class="reference internal" href="acme_certificate_deactivate_authz_module.html">community.crypto.acme_certificate_deactivate_authz module – Deactivate all authz for an ACME v2 order</a></li>
+<li class="toctree-l1"><a class="reference internal" href="acme_certificate_renewal_info_module.html">community.crypto.acme_certificate_renewal_info module – Determine whether a certificate should be renewed or not</a></li>
 <li class="toctree-l1"><a class="reference internal" href="acme_certificate_revoke_module.html">community.crypto.acme_certificate_revoke module – Revoke certificates with the ACME protocol</a></li>
 <li class="toctree-l1"><a class="reference internal" href="acme_challenge_cert_helper_module.html">community.crypto.acme_challenge_cert_helper module – Prepare certificates required for ACME challenges such as <code class="docutils literal notranslate"><span class="pre">tls-alpn-01</span></code></a></li>
 <li class="toctree-l1"><a class="reference internal" href="acme_inspect_module.html">community.crypto.acme_inspect module – Send direct requests to an ACME server</a></li>
@@ -93,6 +95,7 @@
 <li class="toctree-l1"><a class="reference internal" href="ecs_certificate_module.html">community.crypto.ecs_certificate module – Request SSL/TLS certificates with the Entrust Certificate Services (ECS) API</a></li>
 <li class="toctree-l1"><a class="reference internal" href="ecs_domain_module.html">community.crypto.ecs_domain module – Request validation of a domain with the Entrust Certificate Services (ECS) API</a></li>
 <li class="toctree-l1"><a class="reference internal" href="get_certificate_module.html">community.crypto.get_certificate module – Get a certificate from a host:port</a></li>
+<li class="toctree-l1"><a class="reference internal" href="gpg_keypair_module.html">community.crypto.gpg_keypair module – Generate or delete GPG private and public keys</a></li>
 <li class="toctree-l1"><a class="reference internal" href="luks_device_module.html">community.crypto.luks_device module – Manage encrypted (LUKS) devices</a></li>
 <li class="toctree-l1"><a class="reference internal" href="openssh_cert_module.html">community.crypto.openssh_cert module – Generate OpenSSH host or user certificates.</a></li>
 <li class="toctree-l1"><a class="reference internal" href="openssh_keypair_module.html">community.crypto.openssh_keypair module – Generate OpenSSH private and public keys</a></li>
@@ -161,7 +164,7 @@
 <h1>community.crypto.acme_account_facts<a class="headerlink" href="#community-crypto-acme-account-facts" title="Link to this heading"></a></h1>
 <div class="admonition note">
 <p class="admonition-title">Note</p>
-<p>This plugin was part of the <a class="reference external" href="https://galaxy.ansible.com/ui/repo/published/community/crypto/">community.crypto collection</a> (version 2.20.0).</p>
+<p>This plugin was part of the <a class="reference external" href="https://galaxy.ansible.com/ui/repo/published/community/crypto/">community.crypto collection</a> (version 2.21.0).</p>
 </div>
 <p>This module has been removed
 in version 2.0.0 of community.crypto.
diff --git a/home/runner/work/community.crypto/community.crypto/docsbuild/base/acme_account_info_module.html b/home/runner/work/community.crypto/community.crypto/docsbuild/head/acme_account_info_module.html
index 0467309..1c41777 100644
--- a/home/runner/work/community.crypto/community.crypto/docsbuild/base/acme_account_info_module.html
+++ b/home/runner/work/community.crypto/community.crypto/docsbuild/head/acme_account_info_module.html
@@ -101,6 +101,8 @@
 </li>
 <li class="toctree-l1"><a class="reference internal" href="acme_ari_info_module.html">community.crypto.acme_ari_info module – Retrieves ACME Renewal Information (ARI) for a certificate</a></li>
 <li class="toctree-l1"><a class="reference internal" href="acme_certificate_module.html">community.crypto.acme_certificate module – Create SSL/TLS certificates with the ACME protocol</a></li>
+<li class="toctree-l1"><a class="reference internal" href="acme_certificate_deactivate_authz_module.html">community.crypto.acme_certificate_deactivate_authz module – Deactivate all authz for an ACME v2 order</a></li>
+<li class="toctree-l1"><a class="reference internal" href="acme_certificate_renewal_info_module.html">community.crypto.acme_certificate_renewal_info module – Determine whether a certificate should be renewed or not</a></li>
 <li class="toctree-l1"><a class="reference internal" href="acme_certificate_revoke_module.html">community.crypto.acme_certificate_revoke module – Revoke certificates with the ACME protocol</a></li>
 <li class="toctree-l1"><a class="reference internal" href="acme_challenge_cert_helper_module.html">community.crypto.acme_challenge_cert_helper module – Prepare certificates required for ACME challenges such as <code class="docutils literal notranslate"><span class="pre">tls-alpn-01</span></code></a></li>
 <li class="toctree-l1"><a class="reference internal" href="acme_inspect_module.html">community.crypto.acme_inspect module – Send direct requests to an ACME server</a></li>
@@ -109,6 +111,7 @@
 <li class="toctree-l1"><a class="reference internal" href="ecs_certificate_module.html">community.crypto.ecs_certificate module – Request SSL/TLS certificates with the Entrust Certificate Services (ECS) API</a></li>
 <li class="toctree-l1"><a class="reference internal" href="ecs_domain_module.html">community.crypto.ecs_domain module – Request validation of a domain with the Entrust Certificate Services (ECS) API</a></li>
 <li class="toctree-l1"><a class="reference internal" href="get_certificate_module.html">community.crypto.get_certificate module – Get a certificate from a host:port</a></li>
+<li class="toctree-l1"><a class="reference internal" href="gpg_keypair_module.html">community.crypto.gpg_keypair module – Generate or delete GPG private and public keys</a></li>
 <li class="toctree-l1"><a class="reference internal" href="luks_device_module.html">community.crypto.luks_device module – Manage encrypted (LUKS) devices</a></li>
 <li class="toctree-l1"><a class="reference internal" href="openssh_cert_module.html">community.crypto.openssh_cert module – Generate OpenSSH host or user certificates.</a></li>
 <li class="toctree-l1"><a class="reference internal" href="openssh_keypair_module.html">community.crypto.openssh_keypair module – Generate OpenSSH private and public keys</a></li>
@@ -179,7 +182,7 @@
 <h1>community.crypto.acme_account_info module – Retrieves information on ACME accounts<a class="headerlink" href="#community-crypto-acme-account-info-module-retrieves-information-on-acme-accounts" title="Link to this heading"></a></h1>
 <div class="admonition note">
 <p class="admonition-title">Note</p>
-<p>This module is part of the <a class="reference external" href="https://galaxy.ansible.com/ui/repo/published/community/crypto/">community.crypto collection</a> (version 2.20.0).</p>
+<p>This module is part of the <a class="reference external" href="https://galaxy.ansible.com/ui/repo/published/community/crypto/">community.crypto collection</a> (version 2.21.0).</p>
 <p>It is not included in <code class="docutils literal notranslate"><span class="pre">ansible-core</span></code>.
 To check whether it is installed, run <code class="code docutils literal notranslate"><span class="pre">ansible-galaxy</span> <span class="pre">collection</span> <span class="pre">list</span></code>.</p>
 <p>To install it, use: <code class="code docutils literal notranslate"><span class="pre">ansible-galaxy</span> <span class="pre">collection</span> <span class="pre">install</span> <span class="pre">community.crypto</span></code>.
diff --git a/home/runner/work/community.crypto/community.crypto/docsbuild/base/acme_account_module.html b/home/runner/work/community.crypto/community.crypto/docsbuild/head/acme_account_module.html
index 6f04fb8..4660a40 100644
--- a/home/runner/work/community.crypto/community.crypto/docsbuild/base/acme_account_module.html
+++ b/home/runner/work/community.crypto/community.crypto/docsbuild/head/acme_account_module.html
@@ -101,6 +101,8 @@
 <li class="toctree-l1"><a class="reference internal" href="acme_account_info_module.html">community.crypto.acme_account_info module – Retrieves information on ACME accounts</a></li>
 <li class="toctree-l1"><a class="reference internal" href="acme_ari_info_module.html">community.crypto.acme_ari_info module – Retrieves ACME Renewal Information (ARI) for a certificate</a></li>
 <li class="toctree-l1"><a class="reference internal" href="acme_certificate_module.html">community.crypto.acme_certificate module – Create SSL/TLS certificates with the ACME protocol</a></li>
+<li class="toctree-l1"><a class="reference internal" href="acme_certificate_deactivate_authz_module.html">community.crypto.acme_certificate_deactivate_authz module – Deactivate all authz for an ACME v2 order</a></li>
+<li class="toctree-l1"><a class="reference internal" href="acme_certificate_renewal_info_module.html">community.crypto.acme_certificate_renewal_info module – Determine whether a certificate should be renewed or not</a></li>
 <li class="toctree-l1"><a class="reference internal" href="acme_certificate_revoke_module.html">community.crypto.acme_certificate_revoke module – Revoke certificates with the ACME protocol</a></li>
 <li class="toctree-l1"><a class="reference internal" href="acme_challenge_cert_helper_module.html">community.crypto.acme_challenge_cert_helper module – Prepare certificates required for ACME challenges such as <code class="docutils literal notranslate"><span class="pre">tls-alpn-01</span></code></a></li>
 <li class="toctree-l1"><a class="reference internal" href="acme_inspect_module.html">community.crypto.acme_inspect module – Send direct requests to an ACME server</a></li>
@@ -109,6 +111,7 @@
 <li class="toctree-l1"><a class="reference internal" href="ecs_certificate_module.html">community.crypto.ecs_certificate module – Request SSL/TLS certificates with the Entrust Certificate Services (ECS) API</a></li>
 <li class="toctree-l1"><a class="reference internal" href="ecs_domain_module.html">community.crypto.ecs_domain module – Request validation of a domain with the Entrust Certificate Services (ECS) API</a></li>
 <li class="toctree-l1"><a class="reference internal" href="get_certificate_module.html">community.crypto.get_certificate module – Get a certificate from a host:port</a></li>
+<li class="toctree-l1"><a class="reference internal" href="gpg_keypair_module.html">community.crypto.gpg_keypair module – Generate or delete GPG private and public keys</a></li>
 <li class="toctree-l1"><a class="reference internal" href="luks_device_module.html">community.crypto.luks_device module – Manage encrypted (LUKS) devices</a></li>
 <li class="toctree-l1"><a class="reference internal" href="openssh_cert_module.html">community.crypto.openssh_cert module – Generate OpenSSH host or user certificates.</a></li>
 <li class="toctree-l1"><a class="reference internal" href="openssh_keypair_module.html">community.crypto.openssh_keypair module – Generate OpenSSH private and public keys</a></li>
@@ -179,7 +182,7 @@
 <h1>community.crypto.acme_account module – Create, modify or delete ACME accounts<a class="headerlink" href="#community-crypto-acme-account-module-create-modify-or-delete-acme-accounts" title="Link to this heading"></a></h1>
 <div class="admonition note">
 <p class="admonition-title">Note</p>
-<p>This module is part of the <a class="reference external" href="https://galaxy.ansible.com/ui/repo/published/community/crypto/">community.crypto collection</a> (version 2.20.0).</p>
+<p>This module is part of the <a class="reference external" href="https://galaxy.ansible.com/ui/repo/published/community/crypto/">community.crypto collection</a> (version 2.21.0).</p>
 <p>It is not included in <code class="docutils literal notranslate"><span class="pre">ansible-core</span></code>.
 To check whether it is installed, run <code class="code docutils literal notranslate"><span class="pre">ansible-galaxy</span> <span class="pre">collection</span> <span class="pre">list</span></code>.</p>
 <p>To install it, use: <code class="code docutils literal notranslate"><span class="pre">ansible-galaxy</span> <span class="pre">collection</span> <span class="pre">install</span> <span class="pre">community.crypto</span></code>.
diff --git a/home/runner/work/community.crypto/community.crypto/docsbuild/base/acme_ari_info_module.html b/home/runner/work/community.crypto/community.crypto/docsbuild/head/acme_ari_info_module.html
index f806843..d8978a2 100644
--- a/home/runner/work/community.crypto/community.crypto/docsbuild/base/acme_ari_info_module.html
+++ b/home/runner/work/community.crypto/community.crypto/docsbuild/head/acme_ari_info_module.html
@@ -101,6 +101,8 @@
 </ul>
 </li>
 <li class="toctree-l1"><a class="reference internal" href="acme_certificate_module.html">community.crypto.acme_certificate module – Create SSL/TLS certificates with the ACME protocol</a></li>
+<li class="toctree-l1"><a class="reference internal" href="acme_certificate_deactivate_authz_module.html">community.crypto.acme_certificate_deactivate_authz module – Deactivate all authz for an ACME v2 order</a></li>
+<li class="toctree-l1"><a class="reference internal" href="acme_certificate_renewal_info_module.html">community.crypto.acme_certificate_renewal_info module – Determine whether a certificate should be renewed or not</a></li>
 <li class="toctree-l1"><a class="reference internal" href="acme_certificate_revoke_module.html">community.crypto.acme_certificate_revoke module – Revoke certificates with the ACME protocol</a></li>
 <li class="toctree-l1"><a class="reference internal" href="acme_challenge_cert_helper_module.html">community.crypto.acme_challenge_cert_helper module – Prepare certificates required for ACME challenges such as <code class="docutils literal notranslate"><span class="pre">tls-alpn-01</span></code></a></li>
 <li class="toctree-l1"><a class="reference internal" href="acme_inspect_module.html">community.crypto.acme_inspect module – Send direct requests to an ACME server</a></li>
@@ -109,6 +111,7 @@
 <li class="toctree-l1"><a class="reference internal" href="ecs_certificate_module.html">community.crypto.ecs_certificate module – Request SSL/TLS certificates with the Entrust Certificate Services (ECS) API</a></li>
 <li class="toctree-l1"><a class="reference internal" href="ecs_domain_module.html">community.crypto.ecs_domain module – Request validation of a domain with the Entrust Certificate Services (ECS) API</a></li>
 <li class="toctree-l1"><a class="reference internal" href="get_certificate_module.html">community.crypto.get_certificate module – Get a certificate from a host:port</a></li>
+<li class="toctree-l1"><a class="reference internal" href="gpg_keypair_module.html">community.crypto.gpg_keypair module – Generate or delete GPG private and public keys</a></li>
 <li class="toctree-l1"><a class="reference internal" href="luks_device_module.html">community.crypto.luks_device module – Manage encrypted (LUKS) devices</a></li>
 <li class="toctree-l1"><a class="reference internal" href="openssh_cert_module.html">community.crypto.openssh_cert module – Generate OpenSSH host or user certificates.</a></li>
 <li class="toctree-l1"><a class="reference internal" href="openssh_keypair_module.html">community.crypto.openssh_keypair module – Generate OpenSSH private and public keys</a></li>
@@ -179,7 +182,7 @@
 <h1>community.crypto.acme_ari_info module – Retrieves ACME Renewal Information (ARI) for a certificate<a class="headerlink" href="#community-crypto-acme-ari-info-module-retrieves-acme-renewal-information-ari-for-a-certificate" title="Link to this heading"></a></h1>
 <div class="admonition note">
 <p class="admonition-title">Note</p>
-<p>This module is part of the <a class="reference external" href="https://galaxy.ansible.com/ui/repo/published/community/crypto/">community.crypto collection</a> (version 2.20.0).</p>
+<p>This module is part of the <a class="reference external" href="https://galaxy.ansible.com/ui/repo/published/community/crypto/">community.crypto collection</a> (version 2.21.0).</p>
 <p>It is not included in <code class="docutils literal notranslate"><span class="pre">ansible-core</span></code>.
 To check whether it is installed, run <code class="code docutils literal notranslate"><span class="pre">ansible-galaxy</span> <span class="pre">collection</span> <span class="pre">list</span></code>.</p>
 <p>To install it, use: <code class="code docutils literal notranslate"><span class="pre">ansible-galaxy</span> <span class="pre">collection</span> <span class="pre">install</span> <span class="pre">community.crypto</span></code>.
diff --git a/home/runner/work/community.crypto/community.crypto/docsbuild/base/acme_certificate_module.html b/home/runner/work/community.crypto/community.crypto/docsbuild/head/acme_certificate_module.html
index dc01628..3d30893 100644
--- a/home/runner/work/community.crypto/community.crypto/docsbuild/base/acme_certificate_module.html
+++ b/home/runner/work/community.crypto/community.crypto/docsbuild/head/acme_certificate_module.html
@@ -24,7 +24,7 @@
         <script src="_static/sphinx_highlight.js?v=dc90522c"></script>
     <script src="_static/js/theme.js"></script>
     <link rel="search" title="Search" href="search.html" />
-    <link rel="next" title="community.crypto.acme_certificate_revoke module – Revoke certificates with the ACME protocol" href="acme_certificate_revoke_module.html" />
+    <link rel="next" title="community.crypto.acme_certificate_deactivate_authz module – Deactivate all authz for an ACME v2 order" href="acme_certificate_deactivate_authz_module.html" />
     <link rel="prev" title="community.crypto.acme_ari_info module – Retrieves ACME Renewal Information (ARI) for a certificate" href="acme_ari_info_module.html" /><!-- extra head elements for Ansible beyond RTD Sphinx Theme -->
 
 
@@ -101,6 +101,8 @@
 </li>
 </ul>
 </li>
+<li class="toctree-l1"><a class="reference internal" href="acme_certificate_deactivate_authz_module.html">community.crypto.acme_certificate_deactivate_authz module – Deactivate all authz for an ACME v2 order</a></li>
+<li class="toctree-l1"><a class="reference internal" href="acme_certificate_renewal_info_module.html">community.crypto.acme_certificate_renewal_info module – Determine whether a certificate should be renewed or not</a></li>
 <li class="toctree-l1"><a class="reference internal" href="acme_certificate_revoke_module.html">community.crypto.acme_certificate_revoke module – Revoke certificates with the ACME protocol</a></li>
 <li class="toctree-l1"><a class="reference internal" href="acme_challenge_cert_helper_module.html">community.crypto.acme_challenge_cert_helper module – Prepare certificates required for ACME challenges such as <code class="docutils literal notranslate"><span class="pre">tls-alpn-01</span></code></a></li>
 <li class="toctree-l1"><a class="reference internal" href="acme_inspect_module.html">community.crypto.acme_inspect module – Send direct requests to an ACME server</a></li>
@@ -109,6 +111,7 @@
 <li class="toctree-l1"><a class="reference internal" href="ecs_certificate_module.html">community.crypto.ecs_certificate module – Request SSL/TLS certificates with the Entrust Certificate Services (ECS) API</a></li>
 <li class="toctree-l1"><a class="reference internal" href="ecs_domain_module.html">community.crypto.ecs_domain module – Request validation of a domain with the Entrust Certificate Services (ECS) API</a></li>
 <li class="toctree-l1"><a class="reference internal" href="get_certificate_module.html">community.crypto.get_certificate module – Get a certificate from a host:port</a></li>
+<li class="toctree-l1"><a class="reference internal" href="gpg_keypair_module.html">community.crypto.gpg_keypair module – Generate or delete GPG private and public keys</a></li>
 <li class="toctree-l1"><a class="reference internal" href="luks_device_module.html">community.crypto.luks_device module – Manage encrypted (LUKS) devices</a></li>
 <li class="toctree-l1"><a class="reference internal" href="openssh_cert_module.html">community.crypto.openssh_cert module – Generate OpenSSH host or user certificates.</a></li>
 <li class="toctree-l1"><a class="reference internal" href="openssh_keypair_module.html">community.crypto.openssh_keypair module – Generate OpenSSH private and public keys</a></li>
@@ -179,7 +182,7 @@
 <h1>community.crypto.acme_certificate module – Create SSL/TLS certificates with the ACME protocol<a class="headerlink" href="#community-crypto-acme-certificate-module-create-ssl-tls-certificates-with-the-acme-protocol" title="Link to this heading"></a></h1>
 <div class="admonition note">
 <p class="admonition-title">Note</p>
-<p>This module is part of the <a class="reference external" href="https://galaxy.ansible.com/ui/repo/published/community/crypto/">community.crypto collection</a> (version 2.20.0).</p>
+<p>This module is part of the <a class="reference external" href="https://galaxy.ansible.com/ui/repo/published/community/crypto/">community.crypto collection</a> (version 2.21.0).</p>
 <p>It is not included in <code class="docutils literal notranslate"><span class="pre">ansible-core</span></code>.
 To check whether it is installed, run <code class="code docutils literal notranslate"><span class="pre">ansible-galaxy</span> <span class="pre">collection</span> <span class="pre">list</span></code>.</p>
 <p>To install it, use: <code class="code docutils literal notranslate"><span class="pre">ansible-galaxy</span> <span class="pre">collection</span> <span class="pre">install</span> <span class="pre">community.crypto</span></code>.
@@ -342,9 +345,9 @@ see <a class="reference internal" href="#ansible-collections-community-crypto-ac
 <p class="ansible-option-type-line"><span class="ansible-option-type">path</span></p>
 </div></td>
 <td><div class="ansible-option-cell"><p>File containing the CSR for the new certificate.</p>
-<p>Can be created with <a class="reference internal" href="openssl_csr_module.html#ansible-collections-community-crypto-openssl-csr-module"><span class="std std-ref">community.crypto.openssl_csr</span></a> or <code class="docutils literal notranslate"><span class="pre">openssl</span> <span class="pre">req</span> <span class="pre">...</span></code>.</p>
+<p>Can be created with <a class="reference internal" href="openssl_csr_module.html#ansible-collections-community-crypto-openssl-csr-module"><span class="std std-ref">community.crypto.openssl_csr</span></a>.</p>
 <p>The CSR may contain multiple Subject Alternate Names, but each one will lead to an individual challenge that must be fulfilled for the CSR to be signed.</p>
-<p><em>Note</em>: the private key used to create the CSR <em>must not</em> be the account key. This is a bad idea from a security point of view, and the CA should not accept the CSR. The ACME server should return an error in this case.</p>
+<p><strong>Note</strong>: the private key used to create the CSR <strong>must not</strong> be the account key. This is a bad idea from a security point of view, and the CA should not accept the CSR. The ACME server should return an error in this case.</p>
 <p>Precisely one of <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-csr"><span class="std std-ref"><span class="pre">csr</span></span></a></strong></code> or <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-csr-content"><span class="std std-ref"><span class="pre">csr_content</span></span></a></strong></code> must be specified.</p>
 </div></td>
 </tr>
@@ -354,9 +357,9 @@ see <a class="reference internal" href="#ansible-collections-community-crypto-ac
 <p><em class="ansible-option-versionadded">added in community.crypto 1.2.0</em></p>
 </div></td>
 <td><div class="ansible-option-cell"><p>Content of the CSR for the new certificate.</p>
-<p>Can be created with <a class="reference internal" href="openssl_csr_pipe_module.html#ansible-collections-community-crypto-openssl-csr-pipe-module"><span class="std std-ref">community.crypto.openssl_csr_pipe</span></a> or <code class="docutils literal notranslate"><span class="pre">openssl</span> <span class="pre">req</span> <span class="pre">...</span></code>.</p>
+<p>Can be created with <a class="reference internal" href="openssl_csr_pipe_module.html#ansible-collections-community-crypto-openssl-csr-pipe-module"><span class="std std-ref">community.crypto.openssl_csr_pipe</span></a>.</p>
 <p>The CSR may contain multiple Subject Alternate Names, but each one will lead to an individual challenge that must be fulfilled for the CSR to be signed.</p>
-<p><em>Note</em>: the private key used to create the CSR <em>must not</em> be the account key. This is a bad idea from a security point of view, and the CA should not accept the CSR. The ACME server should return an error in this case.</p>
+<p><strong>Note</strong>: the private key used to create the CSR <strong>must not</strong> be the account key. This is a bad idea from a security point of view, and the CA should not accept the CSR. The ACME server should return an error in this case.</p>
 <p>Precisely one of <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-csr"><span class="std std-ref"><span class="pre">csr</span></span></a></strong></code> or <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-csr-content"><span class="std std-ref"><span class="pre">csr_content</span></span></a></strong></code> must be specified.</p>
 </div></td>
 </tr>
@@ -426,7 +429,7 @@ see <a class="reference internal" href="#ansible-collections-community-crypto-ac
 <p><code class="ansible-value docutils literal notranslate"><span class="pre">never</span></code> never sends the certificate ID of the certificate to renew. <code class="ansible-value docutils literal notranslate"><span class="pre">always</span></code> will always send it.</p>
 <p><code class="ansible-value docutils literal notranslate"><span class="pre">when_ari_supported</span></code> only sends the certificate ID if the ARI endpoint is found in the ACME directory.</p>
 <p>Generally you should use <code class="ansible-value docutils literal notranslate"><span class="pre">when_ari_supported</span></code> if you know that the ACME service supports a compatible draft (or final version, once it is out) of the ARI extension. <code class="ansible-value docutils literal notranslate"><span class="pre">always</span></code> should never be necessary. If you are not sure, or if you receive strange errors on invalid <code class="docutils literal notranslate"><span class="pre">replaces</span></code> values in order objects, use <code class="ansible-value docutils literal notranslate"><span class="pre">never</span></code>, which also happens to be the default.</p>
-<p>ACME servers might refuse to create new orders with <code class="docutils literal notranslate"><span class="pre">replaces</span></code> for certificates that already have an existing order. This can happen if this module is used to create an order, and then the playbook/role fails in case the challenges cannot be set up. If the playbook/role does not record the order data to continue with the existing order, but tries to create a new one on the next run, creating the new order might fail. For this reason, this option should only be set to a value different from <code class="ansible-value docutils literal notranslate"><span class="pre">never</span></code> if the role/playbook using it keeps track of order data accross restarts.</p>
+<p>ACME servers might refuse to create new orders with <code class="docutils literal notranslate"><span class="pre">replaces</span></code> for certificates that already have an existing order. This can happen if this module is used to create an order, and then the playbook/role fails in case the challenges cannot be set up. If the playbook/role does not record the order data to continue with the existing order, but tries to create a new one on the next run, creating the new order might fail. For this reason, this option should only be set to a value different from <code class="ansible-value docutils literal notranslate"><span class="pre">never</span></code> if the role/playbook using it keeps track of order data accross restarts, or if it takes care to deactivate orders whose processing is aborted. Orders can be deactivated with the <a class="reference internal" href="acme_certificate_deactivate_authz_module.html#ansible-collections-community-crypto-acme-certificate-deactivate-authz-module"><span class="std std-ref">community.crypto.acme_certificate_deactivate_authz</span></a> module.</p>
 <p class="ansible-option-line"><strong class="ansible-option-choices">Choices:</strong></p>
 <ul class="simple">
 <li><p><code class="ansible-option-default-bold docutils literal notranslate"><strong><span class="pre">&quot;never&quot;</span></strong></code> <span class="ansible-option-choices-default-mark">← (default)</span></p></li>
@@ -658,7 +661,7 @@ see <a class="reference internal" href="#ansible-collections-community-crypto-ac
 </dd>
 <dt><a class="reference external" href="https://tools.ietf.org/html/rfc8555">Automatic Certificate Management Environment (ACME)</a></dt><dd><p>The specification of the ACME protocol (RFC 8555).</p>
 </dd>
-<dt><a class="reference external" href="https://www.rfc-editor.org/rfc/rfc8737.html-05">ACME TLS ALPN Challenge Extension</a></dt><dd><p>The specification of the <code class="ansible-value docutils literal notranslate"><span class="pre">tls-alpn-01</span></code> challenge (RFC 8737).</p>
+<dt><a class="reference external" href="https://www.rfc-editor.org/rfc/rfc8737.html">ACME TLS ALPN Challenge Extension</a></dt><dd><p>The specification of the <code class="ansible-value docutils literal notranslate"><span class="pre">tls-alpn-01</span></code> challenge (RFC 8737).</p>
 </dd>
 <dt><a class="reference internal" href="acme_challenge_cert_helper_module.html#ansible-collections-community-crypto-acme-challenge-cert-helper-module"><span class="std std-ref">community.crypto.acme_challenge_cert_helper</span></a></dt><dd><p>Helps preparing <code class="ansible-value docutils literal notranslate"><span class="pre">tls-alpn-01</span></code> challenges.</p>
 </dd>
@@ -678,6 +681,8 @@ see <a class="reference internal" href="#ansible-collections-community-crypto-ac
 </dd>
 <dt><a class="reference internal" href="acme_inspect_module.html#ansible-collections-community-crypto-acme-inspect-module"><span class="std std-ref">community.crypto.acme_inspect</span></a></dt><dd><p>Allows to debug problems.</p>
 </dd>
+<dt><a class="reference internal" href="acme_certificate_deactivate_authz_module.html#ansible-collections-community-crypto-acme-certificate-deactivate-authz-module"><span class="std std-ref">community.crypto.acme_certificate_deactivate_authz</span></a></dt><dd><p>Allows to deactivate (invalidate) ACME v2 orders.</p>
+</dd>
 </dl>
 </div>
 </section>
@@ -763,7 +768,7 @@ see <a class="reference internal" href="#ansible-collections-community-crypto-ac
 <span class="c1">#     state: present</span>
 <span class="c1">#     wait: true</span>
 <span class="c1">#     # Note: route53 requires TXT entries to be enclosed in quotes</span>
-<span class="c1">#     value: &quot;</span><span class="cp">{{</span> <span class="nv">sample_com_challenge.challenge_data</span><span class="o">[</span><span class="s1">&#39;sample.com&#39;</span><span class="o">][</span><span class="s1">&#39;dns-01&#39;</span><span class="o">]</span><span class="nv">.resource_value</span> <span class="o">|</span> <span class="nf">regex_replace</span><span class="o">(</span><span class="s1">&#39;^(.*)$&#39;</span><span class="o">,</span> <span class="s1">&#39;\&quot;\\1\&quot;&#39;</span><span class="o">)</span> <span class="cp">}}</span><span class="c1">&quot;</span>
+<span class="c1">#     value: &quot;</span><span class="cp">{{</span> <span class="nv">sample_com_challenge.challenge_data</span><span class="o">[</span><span class="s1">&#39;sample.com&#39;</span><span class="o">][</span><span class="s1">&#39;dns-01&#39;</span><span class="o">]</span><span class="nv">.resource_value</span> <span class="o">|</span> <span class="nf">community</span><span class="nv">.dns.quote_txt</span><span class="o">(</span><span class="nv">always_quote</span><span class="o">=</span><span class="kp">true</span><span class="o">)</span> <span class="cp">}}</span><span class="c1">&quot;</span>
 <span class="c1">#   when: sample_com_challenge is changed and &#39;sample.com&#39; in sample_com_challenge.challenge_data</span>
 <span class="c1">#</span>
 <span class="c1"># Alternative way:</span>
@@ -778,7 +783,7 @@ see <a class="reference internal" href="#ansible-collections-community-crypto-ac
 <span class="c1">#     wait: true</span>
 <span class="c1">#     # Note: item.value is a list of TXT entries, and route53</span>
 <span class="c1">#     # requires every entry to be enclosed in quotes</span>
-<span class="c1">#     value: &quot;</span><span class="cp">{{</span> <span class="nv">item.value</span> <span class="o">|</span> <span class="nf">map</span><span class="o">(</span><span class="s1">&#39;regex_replace&#39;</span><span class="o">,</span> <span class="s1">&#39;^(.*)$&#39;</span><span class="o">,</span> <span class="s1">&#39;\&quot;\\1\&quot;&#39;</span> <span class="o">)</span> <span class="o">|</span> <span class="nf">list</span> <span class="cp">}}</span><span class="c1">&quot;</span>
+<span class="c1">#     value: &quot;</span><span class="cp">{{</span> <span class="nv">item.value</span> <span class="o">|</span> <span class="nf">map</span><span class="o">(</span><span class="s1">&#39;community.dns.quote_txt&#39;</span><span class="o">,</span> <span class="nv">always_quote</span><span class="o">=</span><span class="kp">true</span><span class="o">)</span> <span class="o">|</span> <span class="nf">list</span> <span class="cp">}}</span><span class="c1">&quot;</span>
 <span class="c1">#   loop: &quot;</span><span class="cp">{{</span> <span class="nv">sample_com_challenge.challenge_data_dns</span> <span class="o">|</span> <span class="nf">dict2items</span> <span class="cp">}}</span><span class="c1">&quot;</span>
 <span class="c1">#   when: sample_com_challenge is changed</span>
 
@@ -896,7 +901,7 @@ see <a class="reference internal" href="#ansible-collections-community-crypto-ac
 </tr>
 <tr class="row-odd"><td><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="return-challenge_data"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-challenge-data"><strong>challenge_data</strong></p>
-<a class="ansibleOptionLink" href="#return-challenge_data" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">list</span> / <span class="ansible-option-elements">elements=dictionary</span></p>
+<a class="ansibleOptionLink" href="#return-challenge_data" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">dictionary</span></p>
 </div></td>
 <td><div class="ansible-option-cell"><p>Per identifier / challenge type challenge data.</p>
 <p>Since Ansible 2.8.5, only challenges which are not yet valid are returned.</p>
@@ -904,37 +909,57 @@ see <a class="reference internal" href="#ansible-collections-community-crypto-ac
 </div></td>
 </tr>
 <tr class="row-even"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
-<div class="ansibleOptionAnchor" id="return-challenge_data/record"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-challenge-data-record"><strong>record</strong></p>
-<a class="ansibleOptionLink" href="#return-challenge_data/record" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
+<div class="ansibleOptionAnchor" id="return-challenge_data/identifier"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-challenge-data-identifier"><strong>identifier</strong></p>
+<a class="ansibleOptionLink" href="#return-challenge_data/identifier" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">dictionary</span></p>
 </div></td>
-<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The full DNS record’s name for the challenge.</p>
+<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>For every identifier, provides a dictionary of challenge types mapping to challenge data.</p>
+<p>The keys in this dictionary are the identifiers. <code class="docutils literal notranslate"><span class="pre">identifier</span></code> is a placeholder used in the documentation.</p>
+<p>Note that the keys are not valid Jinja2 identifiers.</p>
+<p class="ansible-option-line"><strong class="ansible-option-returned-bold">Returned:</strong> changed</p>
+</div></td>
+</tr>
+<tr class="row-odd"><td><div class="ansible-option-indent"></div><div class="ansible-option-indent"></div><div class="ansible-option-cell">
+<div class="ansibleOptionAnchor" id="return-challenge_data/identifier/challenge-type"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-challenge-data-identifier-challenge-type"><strong>challenge-type</strong></p>
+<a class="ansibleOptionLink" href="#return-challenge_data/identifier/challenge-type" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">dictionary</span></p>
+</div></td>
+<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>Data for every challenge type.</p>
+<p>The keys in this dictionary are the challenge types. <code class="docutils literal notranslate"><span class="pre">challenge-type</span></code> is a placeholder used in the documentation. Possible keys are <code class="ansible-value docutils literal notranslate"><span class="pre">http-01</span></code>, <code class="ansible-value docutils literal notranslate"><span class="pre">dns-01</span></code>, and <code class="ansible-value docutils literal notranslate"><span class="pre">tls-alpn-01</span></code>.</p>
+<p>Note that the keys are not valid Jinja2 identifiers.</p>
+<p class="ansible-option-line"><strong class="ansible-option-returned-bold">Returned:</strong> changed</p>
+</div></td>
+</tr>
+<tr class="row-even"><td><div class="ansible-option-indent"></div><div class="ansible-option-indent"></div><div class="ansible-option-indent"></div><div class="ansible-option-cell">
+<div class="ansibleOptionAnchor" id="return-challenge_data/identifier/challenge-type/record"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-challenge-data-identifier-challenge-type-record"><strong>record</strong></p>
+<a class="ansibleOptionLink" href="#return-challenge_data/identifier/challenge-type/record" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
+</div></td>
+<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-indent-desc"></div><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The full DNS record’s name for the challenge.</p>
 <p class="ansible-option-line"><strong class="ansible-option-returned-bold">Returned:</strong> changed and challenge is <code class="ansible-value docutils literal notranslate"><span class="pre">dns-01</span></code></p>
 <p class="ansible-option-line ansible-option-sample"><strong class="ansible-option-sample-bold">Sample:</strong> <code class="ansible-option-sample docutils literal notranslate"><span class="pre">&quot;_acme-challenge.example.com&quot;</span></code></p>
 </div></td>
 </tr>
-<tr class="row-odd"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
-<div class="ansibleOptionAnchor" id="return-challenge_data/resource"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-challenge-data-resource"><strong>resource</strong></p>
-<a class="ansibleOptionLink" href="#return-challenge_data/resource" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
+<tr class="row-odd"><td><div class="ansible-option-indent"></div><div class="ansible-option-indent"></div><div class="ansible-option-indent"></div><div class="ansible-option-cell">
+<div class="ansibleOptionAnchor" id="return-challenge_data/identifier/challenge-type/resource"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-challenge-data-identifier-challenge-type-resource"><strong>resource</strong></p>
+<a class="ansibleOptionLink" href="#return-challenge_data/identifier/challenge-type/resource" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
 </div></td>
-<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The challenge resource that must be created for validation.</p>
+<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-indent-desc"></div><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The challenge resource that must be created for validation.</p>
 <p class="ansible-option-line"><strong class="ansible-option-returned-bold">Returned:</strong> changed</p>
 <p class="ansible-option-line ansible-option-sample"><strong class="ansible-option-sample-bold">Sample:</strong> <code class="ansible-option-sample docutils literal notranslate"><span class="pre">&quot;.well-known/acme-challenge/evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA&quot;</span></code></p>
 </div></td>
 </tr>
-<tr class="row-even"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
-<div class="ansibleOptionAnchor" id="return-challenge_data/resource_original"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-challenge-data-resource-original"><strong>resource_original</strong></p>
-<a class="ansibleOptionLink" href="#return-challenge_data/resource_original" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
+<tr class="row-even"><td><div class="ansible-option-indent"></div><div class="ansible-option-indent"></div><div class="ansible-option-indent"></div><div class="ansible-option-cell">
+<div class="ansibleOptionAnchor" id="return-challenge_data/identifier/challenge-type/resource_original"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-challenge-data-identifier-challenge-type-resource-original"><strong>resource_original</strong></p>
+<a class="ansibleOptionLink" href="#return-challenge_data/identifier/challenge-type/resource_original" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
 </div></td>
-<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The original challenge resource including type identifier for <code class="ansible-value docutils literal notranslate"><span class="pre">tls-alpn-01</span></code> challenges.</p>
+<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-indent-desc"></div><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The original challenge resource including type identifier for <code class="ansible-value docutils literal notranslate"><span class="pre">tls-alpn-01</span></code> challenges.</p>
 <p class="ansible-option-line"><strong class="ansible-option-returned-bold">Returned:</strong> changed and <code class="ansible-option docutils literal notranslate"><strong><a class="reference internal" href="#ansible-collections-community-crypto-acme-certificate-module-parameter-challenge"><span class="std std-ref"><span class="pre">challenge</span></span></a></strong></code> is <code class="ansible-value docutils literal notranslate"><span class="pre">tls-alpn-01</span></code></p>
 <p class="ansible-option-line ansible-option-sample"><strong class="ansible-option-sample-bold">Sample:</strong> <code class="ansible-option-sample docutils literal notranslate"><span class="pre">&quot;DNS:example.com&quot;</span></code></p>
 </div></td>
 </tr>
-<tr class="row-odd"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
-<div class="ansibleOptionAnchor" id="return-challenge_data/resource_value"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-challenge-data-resource-value"><strong>resource_value</strong></p>
-<a class="ansibleOptionLink" href="#return-challenge_data/resource_value" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
+<tr class="row-odd"><td><div class="ansible-option-indent"></div><div class="ansible-option-indent"></div><div class="ansible-option-indent"></div><div class="ansible-option-cell">
+<div class="ansibleOptionAnchor" id="return-challenge_data/identifier/challenge-type/resource_value"></div><p class="ansible-option-title" id="ansible-collections-community-crypto-acme-certificate-module-return-challenge-data-identifier-challenge-type-resource-value"><strong>resource_value</strong></p>
+<a class="ansibleOptionLink" href="#return-challenge_data/identifier/challenge-type/resource_value" title="Permalink to this return value"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
 </div></td>
-<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The value the resource has to produce for the validation.</p>
+<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-indent-desc"></div><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The value the resource has to produce for the validation.</p>
 <p>For <code class="ansible-value docutils literal notranslate"><span class="pre">http-01</span></code> and <code class="ansible-value docutils literal notranslate"><span class="pre">dns-01</span></code> challenges, the value can be used as-is.</p>
 <p>For <code class="ansible-value docutils literal notranslate"><span class="pre">tls-alpn-01</span></code> challenges, note that this return value contains a Base64 encoded version of the correct binary blob which has to be put into the acmeValidation x509 extension; see <a class="reference external" href="https://www.rfc-editor.org/rfc/rfc8737.html#section-3">https://www.rfc-editor.org/rfc/rfc8737.html#section-3</a> for details. To do this, you might need the <a class="reference external" href="https://docs.ansible.com/ansible/devel/collections/ansible/builtin/b64decode_filter.html#ansible-collections-ansible-builtin-b64decode-filter" title="(in Ansible vdevel)"><span class="xref std std-ref">ansible.builtin.b64decode</span></a> Jinja filter to extract the binary blob from this return value.</p>
 <p class="ansible-option-line"><strong class="ansible-option-returned-bold">Returned:</strong> changed</p>
@@ -994,7 +1019,7 @@ see <a class="reference internal" href="#ansible-collections-community-crypto-ac
 
 <footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
         <a href="acme_ari_info_module.html" class="btn btn-neutral float-left" title="community.crypto.acme_ari_info module – Retrieves ACME Renewal Information (ARI) for a certificate" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
-        <a href="acme_certificate_revoke_module.html" class="btn btn-neutral float-right" title="community.crypto.acme_certificate_revoke module – Revoke certificates with the ACME protocol" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
+        <a href="acme_certificate_deactivate_authz_module.html" class="btn btn-neutral float-right" title="community.crypto.acme_certificate_deactivate_authz module – Deactivate all authz for an ACME v2 order" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
     </div>
 
   <hr/>
diff --git a/home/runner/work/community.crypto/community.crypto/docsbuild/base/acme_certificate_revoke_module.html b/home/runner/work/community.crypto/community.crypto/docsbuild/head/acme_certificate_revoke_module.html
index 49eb6cb..1a4a87b 100644
--- a/home/runner/work/community.crypto/community.crypto/docsbuild/base/acme_certificate_revoke_module.html
+++ b/home/runner/work/community.crypto/community.crypto/docsbuild/head/acme_certificate_revoke_module.html
@@ -25,7 +25,7 @@
     <script src="_static/js/theme.js"></script>
     <link rel="search" title="Search" href="search.html" />
     <link rel="next" title="community.crypto.acme_challenge_cert_helper module – Prepare certificates required for ACME challenges such as tls-alpn-01" href="acme_challenge_cert_helper_module.html" />
-    <link rel="prev" title="community.crypto.acme_certificate module – Create SSL/TLS certificates with the ACME protocol" href="acme_certificate_module.html" /><!-- extra head elements for Ansible beyond RTD Sphinx Theme -->
+    <link rel="prev" title="community.crypto.acme_certificate_renewal_info module – Determine whether a certificate should be renewed or not" href="acme_certificate_renewal_info_module.html" /><!-- extra head elements for Ansible beyond RTD Sphinx Theme -->
 
 
 
@@ -87,6 +87,8 @@
 <li class="toctree-l1"><a class="reference internal" href="acme_account_info_module.html">community.crypto.acme_account_info module – Retrieves information on ACME accounts</a></li>
 <li class="toctree-l1"><a class="reference internal" href="acme_ari_info_module.html">community.crypto.acme_ari_info module – Retrieves ACME Renewal Information (ARI) for a certificate</a></li>
 <li class="toctree-l1"><a class="reference internal" href="acme_certificate_module.html">community.crypto.acme_certificate module – Create SSL/TLS certificates with the ACME protocol</a></li>
+<li class="toctree-l1"><a class="reference internal" href="acme_certificate_deactivate_authz_module.html">community.crypto.acme_certificate_deactivate_authz module – Deactivate all authz for an ACME v2 order</a></li>
+<li class="toctree-l1"><a class="reference internal" href="acme_certificate_renewal_info_module.html">community.crypto.acme_certificate_renewal_info module – Determine whether a certificate should be renewed or not</a></li>
 <li class="toctree-l1 current"><a class="current reference internal" href="#">community.crypto.acme_certificate_revoke module – Revoke certificates with the ACME protocol</a><ul>
 <li class="toctree-l2"><a class="reference internal" href="#synopsis">Synopsis</a></li>
 <li class="toctree-l2"><a class="reference internal" href="#requirements">Requirements</a></li>
@@ -108,6 +110,7 @@
 <li class="toctree-l1"><a class="reference internal" href="ecs_certificate_module.html">community.crypto.ecs_certificate module – Request SSL/TLS certificates with the Entrust Certificate Services (ECS) API</a></li>
 <li class="toctree-l1"><a class="reference internal" href="ecs_domain_module.html">community.crypto.ecs_domain module – Request validation of a domain with the Entrust Certificate Services (ECS) API</a></li>
 <li class="toctree-l1"><a class="reference internal" href="get_certificate_module.html">community.crypto.get_certificate module – Get a certificate from a host:port</a></li>
+<li class="toctree-l1"><a class="reference internal" href="gpg_keypair_module.html">community.crypto.gpg_keypair module – Generate or delete GPG private and public keys</a></li>
 <li class="toctree-l1"><a class="reference internal" href="luks_device_module.html">community.crypto.luks_device module – Manage encrypted (LUKS) devices</a></li>
 <li class="toctree-l1"><a class="reference internal" href="openssh_cert_module.html">community.crypto.openssh_cert module – Generate OpenSSH host or user certificates.</a></li>
 <li class="toctree-l1"><a class="reference internal" href="openssh_keypair_module.html">community.crypto.openssh_keypair module – Generate OpenSSH private and public keys</a></li>
@@ -178,7 +181,7 @@
 <h1>community.crypto.acme_certificate_revoke module – Revoke certificates with the ACME protocol<a class="headerlink" href="#community-crypto-acme-certificate-revoke-module-revoke-certificates-with-the-acme-protocol" title="Link to this heading"></a></h1>
 <div class="admonition note">
 <p class="admonition-title">Note</p>
-<p>This module is part of the <a class="reference external" href="https://galaxy.ansible.com/ui/repo/published/community/crypto/">community.crypto collection</a> (version 2.20.0).</p>
+<p>This module is part of the <a class="reference external" href="https://galaxy.ansible.com/ui/repo/published/community/crypto/">community.crypto collection</a> (version 2.21.0).</p>
 <p>It is not included in <code class="docutils literal notranslate"><span class="pre">ansible-core</span></code>.
 To check whether it is installed, run <code class="code docutils literal notranslate"><span class="pre">ansible-galaxy</span> <span class="pre">collection</span> <span class="pre">list</span></code>.</p>
 <p>To install it, use: <code class="code docutils literal notranslate"><span class="pre">ansible-galaxy</span> <span class="pre">collection</span> <span class="pre">install</span> <span class="pre">community.crypto</span></code>.
@@ -472,7 +475,7 @@ see <a class="reference internal" href="#ansible-collections-community-crypto-ac
           
 
 <footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
-        <a href="acme_certificate_module.html" class="btn btn-neutral float-left" title="community.crypto.acme_certificate module – Create SSL/TLS certificates with the ACME protocol" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
+        <a href="acme_certificate_renewal_info_module.html" class="btn btn-neutral float-left" title="community.crypto.acme_certificate_renewal_info module – Determine whether a certificate should be renewed or not" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
         <a href="acme_challenge_cert_helper_module.html" class="btn btn-neutral float-right" title="community.crypto.acme_challenge_cert_helper module – Prepare certificates required for ACME challenges such as tls-alpn-01" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
     </div>
 
diff --git a/home/runner/work/community.crypto/community.crypto/docsbuild/base/acme_challenge_cert_helper_module.html b/home/runner/work/community.crypto/community.crypto/docsbuild/head/acme_challenge_cert_helper_module.html
index d462cec..52fc71f 100644
--- a/home/runner/work/community.crypto/community.crypto/docsbuild/base/acme_challenge_cert_helper_module.html
+++ b/home/runner/work/community.crypto/community.crypto/docsbuild/head/acme_challenge_cert_helper_module.html
@@ -87,6 +87,8 @@
 <li class="toctree-l1"><a class="reference internal" href="acme_account_info_module.html">community.crypto.acme_account_info module – Retrieves inform...*[Comment body truncated]*

austinlucaslake and others added 30 commits May 9, 2024 20:20
)

* Create acme_certificate_deactivate_authz module.

* Add ACME version check.
…ps that omit seconds (ansible-collections#745)

* Add time module utils.

* Add time helpers to ACME backend.

* Add changelog fragment.

* ACME timestamp parser: do not choke on nanoseconds.
* Allow to provide cert_info object to get_renewal_info().

* Add acme_certificate_renewal_info module.

* Allow to provide value for 'now'.

* Actually append msg_append.

* Fix bug in module timestamp param parsing, and add tests.
…ate_renewal_info return value (ansible-collections#747)

* Use community.dns.quote_txt filter instead of regex replace to quote TXT entry value.

* Fix documentation of acme_certificate's challenge_data return value.

* Also return cert_id from acme_certificate_renewal_info module.

* The cert ID cannot be computed if the certificate has no AKI.

This happens with older Pebble versions, which are used when
testing against older ansible-core/-base/Ansible versions.

* Fix AKI extraction for older OpenSSL versions.
…le-collections#748)

Shouldn't happen since CA-issued certs should always have AKI,
but better be safe than sorry.
…le-collections#749)

* Refactor argument spec helper.

* Remove superfluous comments.
…/csr_content to own docs fragment (ansible-collections#750)

* Fix bug in argspec module util.

* Move csr / csr_content to new docs fragment.

* Simplify code.

* Refactor ACME argspec creation. Add with_certificate argument for new CERTIFICATE docs fragment.
…tions#740)

* renew request CSR validation

* Create 740-ecs_certificate-renewal-without-csr

* Rename 740-ecs_certificate-renewal-without-csr to 740-ecs_certificate-renewal-without-csr.yml

---------

Co-authored-by: flovecchio <[email protected]>
* Fix time idempotence.

* Lint and add changelog fragment.

* Add tests.

* Make sure 'ignore_timestamps: false' is passed for time idempotence tests; pass right private key for OwnCA tests
Revert "Fix documentation. (ansible-collections#751)"
Revert "ACME modules: simplify code, refactor argspec handling code, move csr/csr_content to own docs fragment (ansible-collections#750)"
Revert "Refactor and extend argument spec helper, use for ACME modules (ansible-collections#749)"
Revert "Avoid exception if certificate has no AKI in acme_certificate. (ansible-collections#748)"
Revert "ACME: improve acme_certificate docs, include cert_id in acme_certificate_renewal_info return value (ansible-collections#747)"
Revert "Add acme_certificate_renewal_info module (ansible-collections#746)"
Revert "Refactor time code, add tests, fix bug when parsing absolute timestamps that omit seconds (ansible-collections#745)"
Revert "Add tests for acme_certificate_deactivate_authz module. (ansible-collections#744)"
Revert "Create acme_certificate_deactivate_authz module (ansible-collections#741)"
Revert "acme_certificate: allow to request renewal of a certificate according to ARI (ansible-collections#739)"
Revert "Implement basic acme_ari_info module. (ansible-collections#732)"
Revert "Add function for retrieval of ARI information. (ansible-collections#738)"
Revert "acme module utils: add functions for parsing Retry-After header values and computation of ARI certificate IDs (ansible-collections#737)"
Revert "Implement certificate information retrieval code in the ACME backends. (ansible-collections#736)"
Revert "Split up the default acme docs fragment to allow modules ot not need account data. (ansible-collections#735)"

This reverts commits 5e59c52, aa82575,
f3c9cb7, f82b335, 553ab45,
59606d4, 0a15be1, 9501a28,
d906914, 33d278a, 6d4fc58,
9614b09, af5f4b5, c6fbe58,
and afe7f75.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

GPG module and key lookup
3 participants