community.crypto.get_certificate (2.18.0) — module

Get a certificate from a host:port

Authors: John Westcott IV (@john-westcott-iv)

Install collection

Install with ansible-galaxy collection install community.crypto:==2.18.0


Add to requirements.yml

  collections:
    - name: community.crypto
      version: 2.18.0

Description

Makes a secure connection and returns information about the presented certificate.

The module uses the cryptography Python library.

SNI (L(Server Name Indication,https://en.wikipedia.org/wiki/Server_Name_Indication)) is supported only with Python >= 2.7.


Requirements

Usage examples

- name: Get the cert from an RDP port
  community.crypto.get_certificate:
    host: "1.2.3.4"
    port: 3389
  delegate_to: localhost
  run_once: true
  register: cert
- name: Get a cert from an https port
  community.crypto.get_certificate:
    host: "www.google.com"
    port: 443
  delegate_to: localhost
  run_once: true
  register: cert
- name: How many days until cert expires
  ansible.builtin.debug:
    msg: "cert expires in: {{ expire_days }} days."
  vars:
    expire_days: "{{ (( cert.not_after | to_datetime('%Y%m%d%H%M%SZ')) - (ansible_date_time.iso8601 | to_datetime('%Y-%m-%dT%H:%M:%SZ')) ).days }}"
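A fuller check, added here as an example and not part of the collection's own documentation: connect to an IP-addressed endpoint while sending the SNI name the server expects, validate the presented chain against a CA bundle, and fail the play when the certificate is expired or has fewer than 30 days left. The IP, server name and CA path are placeholders. The expiry arithmetic reuses the C(not_after) format from the example above, but takes the current time from the C(now()) Jinja function so the play does not need C(gather_facts).

```yaml
- name: Check the TLS certificate presented by a load balancer VIP
  hosts: localhost
  gather_facts: false
  vars:
    target_ip: "203.0.113.10"                    # placeholder address (TEST-NET-3)
    expected_name: "app.example.com"             # placeholder SNI name
    ca_bundle: "/etc/ssl/certs/internal-ca.pem"  # placeholder path to a PEM CA bundle
    min_days_left: 30
  tasks:
    - name: Fetch the certificate, sending SNI for the expected name
      community.crypto.get_certificate:
        host: "{{ target_ip }}"
        port: 443
        server_name: "{{ expected_name }}"   # without this an IP-addressed host may get the default cert
        ca_cert: "{{ ca_bundle }}"           # task fails if the chain does not validate against the bundle
        timeout: 5
      register: cert

    - name: Work out how many days remain
      ansible.builtin.set_fact:
        days_left: >-
          {{ ((cert.not_after | to_datetime('%Y%m%d%H%M%SZ'))
              - now(utc=true)).days }}

    - name: Fail when the certificate is expired or about to expire
      ansible.builtin.assert:
        that:
          - not cert.expired
          - days_left | int >= min_days_left
        fail_msg: >-
          {{ cert.subject.CN | default('certificate') }} from {{ target_ip }}
          expires {{ cert.not_after }} ({{ days_left }} days left)
        success_msg: "{{ days_left }} days left on {{ cert.subject.CN | default('certificate') }}"
```

Because O(ca_cert) only checks the signature chain, this play still does not prove the certificate is issued for C(expected_name); the name check has to be done separately on the returned certificate.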

Inputs

    
host:
    description:
    - The host to get the cert for (IP is fine)
    required: true
    type: str

port:
    description:
    - The port to connect to
    required: true
    type: int

ca_cert:
    description:
    - A PEM file containing one or more root certificates; if present, the cert will be
      validated against these root certs.
    - Note that this only validates that the certificate is signed by the given chain, not
      that the certificate is valid for the host presenting it.
    type: path

ciphers:
    description:
    - SSL/TLS Ciphers to use for the request.
    - When a list is provided, all ciphers are joined in order with V(:).
    - See the L(OpenSSL Cipher List Format,https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html#CIPHER-LIST-FORMAT)
      for more details.
    - The available ciphers depend on the Python and OpenSSL/LibreSSL versions.
    elements: str
    type: list
    version_added: 2.11.0
    version_added_collection: community.crypto

timeout:
    default: 10
    description:
    - The timeout in seconds
    type: int

starttls:
    choices:
    - mysql
    description:
    - Requests a secure connection for protocols which require clients to initiate encryption.
    - Only available for V(mysql) currently.
    type: str
    version_added: 1.9.0
    version_added_collection: community.crypto

proxy_host:
    description:
    - Proxy host used when getting a certificate.
    type: str

proxy_port:
    default: 8080
    description:
    - Proxy port used when getting a certificate.
    type: int

asn1_base64:
    description:
    - Whether to encode the ASN.1 values in the RV(extensions) return value with Base64
      or not.
    - The documentation claimed for a long time that the values are Base64 encoded, but
      they never were. For compatibility this option defaults to V(false).
    - The default value V(false) is B(deprecated) and will change to V(true) in community.crypto
      3.0.0.
    type: bool
    version_added: 2.12.0
    version_added_collection: community.crypto

server_name:
    description:
    - Server name used for SNI (L(Server Name Indication,https://en.wikipedia.org/wiki/Server_Name_Indication))
      when O(host) is an IP address or differs from the name the server expects.
    type: str
    version_added: 1.4.0
    version_added_collection: community.crypto

select_crypto_backend:
    choices:
    - auto
    - cryptography
    default: auto
    description:
    - Determines which crypto backend to use.
    - The default choice is V(auto), which tries to use C(cryptography) if available.
    - If set to V(cryptography), will try to use the L(cryptography,https://cryptography.io/)
      library.
    type: str

Outputs

cert:
  description: The certificate retrieved from the port
  returned: success
  type: str
expired:
  description: Boolean indicating if the cert is expired
  returned: success
  type: bool
extensions:
  contains:
    asn1_data:
      description:
      - The ASN.1 content of the extension.
      - If O(asn1_base64=true) this will be Base64 encoded, otherwise the raw binary
        value will be returned.
      - Please note that the raw binary value might not survive JSON serialization
        to the Ansible controller, and also might cause failures when displaying it.
        See U(https://github.com/ansible/ansible/issues/80258) for more information.
      - B(Note) that depending on the C(cryptography) version used, it is not possible
        to extract the ASN.1 content of the extension, but only to provide the re-encoded
        content of the extension in case it was parsed by C(cryptography). This should
        usually result in exactly the same value, except if the original extension
        value was malformed.
      returned: success
      type: str
    critical:
      description: Whether the extension is critical.
      returned: success
      type: bool
    name:
      description: The extension's name.
      returned: success
      type: str
  description: Extensions applied to the cert
  elements: dict
  returned: success
  type: list
issuer:
  description: Information about the issuer of the cert.
  returned: success
  type: dict
not_after:
  description: Expiration date of the cert.
  returned: success
  type: str
not_before:
  description: Issue date of the cert.
  returned: success
  type: str
serial_number:
  description:
  - The serial number of the cert.
  - This return value is an B(integer). If you need the serial numbers as a colon-separated
    hex string, such as C(11:22:33), you need to convert it to that form with P(community.crypto.to_serial#filter).
  returned: success
  type: int
signature_algorithm:
  description: The algorithm used to sign the cert.
  returned: success
  type: str
subject:
  description: Information about the subject of the cert (C(OU), C(CN), etc).
  returned: success
  type: dict
version:
  description: The version number of the certificate.
  returned: success
  type: str
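The play below, added here as an example and not taken from the collection's documentation, consumes the return values listed above: it requests Base64-encoded extension data so the result survives JSON transport to the controller, prints the serial in colon-separated form with the C(community.crypto.to_serial) filter, lists the critical extensions, and then hands RV(cert) to C(community.crypto.x509_certificate_info) (a sibling module in the same collection) to check the subject alternative names, which O(ca_cert) validation does not cover. The target host is a placeholder.

```yaml
- name: Inspect what get_certificate returns
  hosts: localhost
  gather_facts: false
  vars:
    target_host: "www.example.com"   # placeholder host name
  tasks:
    - name: Fetch the certificate with Base64-encoded extension data
      community.crypto.get_certificate:
        host: "{{ target_host }}"
        port: 443
        asn1_base64: true   # raw DER bytes in asn1_data may not survive JSON serialization
      register: cert

    - name: Show the serial in the colon-separated form used by CAs and CRLs
      ansible.builtin.debug:
        msg: >-
          serial {{ cert.serial_number | community.crypto.to_serial }}
          issued by {{ cert.issuer.CN | default('unknown issuer') }}

    - name: List critical extensions (name and Base64 ASN.1 body)
      ansible.builtin.debug:
        msg: "{{ item.name }}: {{ item.asn1_data }}"
      loop: "{{ cert.extensions | selectattr('critical') | list }}"
      loop_control:
        label: "{{ item.name }}"

    - name: Parse the returned PEM for fields get_certificate does not expose
      community.crypto.x509_certificate_info:
        content: "{{ cert.cert }}"
      register: info

    - name: Check the certificate is actually valid for the name we connected to
      ansible.builtin.assert:
        that:
          - "'DNS:' ~ target_host in info.subject_alt_name"
        fail_msg: "{{ target_host }} is not in the SAN list {{ info.subject_alt_name }}"
```

Leaving O(asn1_base64) unset keeps the deprecated raw-bytes behaviour and, on current Ansible versions, can make the RV(extensions) value fail to serialize; setting it to V(true) now also avoids a behaviour change when the default flips in community.crypto 3.0.0.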

See also