community.crypto.get_certificate (0.1.0) — module

Get a certificate from a host:port

Authors: John Westcott IV (@john-westcott-iv)

preview | supported by community

Install collection

Install with ansible-galaxy collection install community.crypto:==0.1.0


Add to requirements.yml

  collections:
    - name: community.crypto
      version: 0.1.0

Description

Makes a secure connection and returns information about the presented certificate

The module can use the cryptography Python library, or the pyOpenSSL Python library. By default, it tries to detect which one is available. This can be overridden with the I(select_crypto_backend) option. Please note that the PyOpenSSL backend was deprecated in Ansible 2.9 and will be removed in Ansible 2.13.


Requirements

Usage examples

- name: Get the cert from an RDP port
  get_certificate:
    host: "1.2.3.4"
    port: 3389
  delegate_to: localhost
  run_once: true
  register: cert
- name: Get a cert from an https port
  get_certificate:
    host: "www.google.com"
    port: 443
  delegate_to: localhost
  run_once: true
  register: cert
- name: How many days until cert expires
  debug:
    msg: "cert expires in: {{ expire_days }} days."
  vars:
    expire_days: "{{ (( cert.not_after | to_datetime('%Y%m%d%H%M%SZ')) - (ansible_date_time.iso8601 | to_datetime('%Y-%m-%dT%H:%M:%SZ')) ).days }}"
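The three tasks above are usually combined into one check. The following play is an added example, not part of the module documentation: it fetches the certificate, validates the chain against a CA bundle, and fails if the certificate is expired, expires within 30 days, or was not issued for the host queried (the module's ca_cert option verifies only the chain, not the name). The target host, the CA bundle path, and the use of the short attribute name CN in the returned subject dict are assumptions.

```yaml
# Added example (not from the module docs): fail early on an expired, soon-to-expire,
# or mismatched certificate. Host, CA bundle path and the CN key are assumptions.
- name: Check the certificate served on an HTTPS port
  hosts: localhost
  gather_facts: true            # ansible_date_time is needed for the expiry arithmetic
  vars:
    target_host: "www.example.com"   # placeholder host, replace with the real target
    target_port: 443
    min_days_left: 30
  tasks:
    - name: Fetch the presented certificate and validate its chain against a trust store
      community.crypto.get_certificate:
        host: "{{ target_host }}"
        port: "{{ target_port }}"
        ca_cert: /etc/ssl/certs/ca-certificates.crt   # assumed Debian-style CA bundle path
        timeout: 10
      register: cert

    - name: Work out how many days remain before not_after
      set_fact:
        expire_days: "{{ ((cert.not_after | to_datetime('%Y%m%d%H%M%SZ')) - (ansible_date_time.iso8601 | to_datetime('%Y-%m-%dT%H:%M:%SZ'))).days }}"

    - name: Fail on expired, soon-to-expire, or mismatched certificates
      assert:
        that:
          - not cert.expired
          - (expire_days | int) >= min_days_left
          # ca_cert only proves the chain; the module does not check the name, so compare
          # the subject CN here (assumes the subject dict uses short names such as CN).
          - cert.subject.CN is defined and cert.subject.CN == target_host
        fail_msg: >-
          Certificate for {{ target_host }}:{{ target_port }} is unsuitable:
          expired={{ cert.expired }}, days_left={{ expire_days }},
          CN={{ cert.subject.CN | default('n/a') }}
```

The CN comparison covers only the subject Common Name; a check on subjectAltName would require decoding the Base64 ASN.1 in the extension's asn1_data field, which plain Jinja filters cannot do.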

Inputs

host:
    description:
    - The host to get the cert for (IP is fine)
    required: true
    type: str

port:
    description:
    - The port to connect to
    required: true
    type: int

ca_cert:
    description:
    - A PEM file containing one or more root certificates; if present, the cert will be
      validated against these root certs.
    - Note that this only validates the certificate is signed by the chain; not that the
      cert is valid for the host presenting it.
    type: path

timeout:
    default: 10
    description:
    - The timeout in seconds
    type: int

proxy_host:
    description:
    - Proxy host used when getting a certificate.
    type: str

proxy_port:
    default: 8080
    description:
    - Proxy port used when getting a certificate.
    type: int

select_crypto_backend:
    choices:
    - auto
    - cryptography
    - pyopenssl
    default: auto
    description:
    - Determines which crypto backend to use.
    - The default choice is C(auto), which tries to use C(cryptography) if available,
      and falls back to C(pyopenssl).
    - If set to C(pyopenssl), will try to use the L(pyOpenSSL,https://pypi.org/project/pyOpenSSL/)
      library.
    - If set to C(cryptography), will try to use the L(cryptography,https://cryptography.io/)
      library.
    type: str

Outputs

cert:
  description: The certificate retrieved from the port
  returned: success
  type: str
expired:
  description: Boolean indicating if the cert is expired
  returned: success
  type: bool
extensions:
  contains:
    asn1_data:
      description: The Base64 encoded ASN.1 content of the extension.
      returned: success
      type: str
    critical:
      description: Whether the extension is critical.
      returned: success
      type: bool
    name:
      description: The extension's name.
      returned: success
      type: str
  description: Extensions applied to the cert
  elements: dict
  returned: success
  type: list
issuer:
  description: Information about the issuer of the cert
  returned: success
  type: dict
not_after:
  description: Expiration date of the cert
  returned: success
  type: str
not_before:
  description: Issue date of the cert
  returned: success
  type: str
serial_number:
  description: The serial number of the cert
  returned: success
  type: str
signature_algorithm:
  description: The algorithm used to sign the cert
  returned: success
  type: str
subject:
  description: Information about the subject of the cert (OU, CN, etc)
  returned: success
  type: dict
version:
  description: The version number of the certificate
  returned: success
  type: str