community.crypto.get_certificate module (community.crypto 2.18.0): Get a certificate from a host:port

Author: John Westcott IV (@john-westcott-iv)

Install with: ansible-galaxy collection install community.crypto:==2.18.0

Requirements file entry:
  collections:
    - name: community.crypto
      version: 2.18.0
Synopsis

- Makes a secure connection and returns information about the presented certificate.
- The module uses the cryptography Python library.
- SNI (Server Name Indication, https://en.wikipedia.org/wiki/Server_Name_Indication) is supported only with Python >= 2.7.
Examples

- name: Get the cert from an RDP port
  community.crypto.get_certificate:
    host: "1.2.3.4"
    port: 3389
  delegate_to: localhost
  run_once: true
  register: cert

- name: Get a cert from an https port
  community.crypto.get_certificate:
    host: "www.google.com"
    port: 443
  delegate_to: localhost
  run_once: true
  register: cert

- name: How many days until cert expires
  ansible.builtin.debug:
    msg: "cert expires in: {{ expire_days }} days."
  vars:
    expire_days: "{{ (( cert.not_after | to_datetime('%Y%m%d%H%M%SZ')) - (ansible_date_time.iso8601 | to_datetime('%Y-%m-%dT%H:%M:%SZ')) ).days }}"
Parameters

host (str, required): The host to get the cert for (an IP address is fine).

port (int, required): The port to connect to.

ca_cert (path): A PEM file containing one or more root certificates; if present, the cert will be validated against these root certs. Note that this only validates that the certificate is signed by the chain, not that the cert is valid for the host presenting it.

ciphers (list of str, added in community.crypto 2.11.0): SSL/TLS ciphers to use for the request. When a list is provided, all ciphers are joined in order with ":". See the OpenSSL Cipher List Format (https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html#CIPHER-LIST-FORMAT) for more details. The available ciphers depend on the Python and OpenSSL/LibreSSL versions.

timeout (int, default 10): The timeout in seconds.

starttls (str, choices: mysql; added in community.crypto 1.9.0): Requests a secure connection for protocols which require clients to initiate encryption. Only available for "mysql" currently.

proxy_host (str): Proxy host used when getting a certificate.

proxy_port (int, default 8080): Proxy port used when getting a certificate.

asn1_base64 (bool, added in community.crypto 2.12.0): Whether to encode the ASN.1 values in the "extensions" return value with Base64 or not. The documentation claimed for a long time that the values are Base64 encoded, but they never were. For compatibility this option is set to false. The default value false is deprecated and will change to true in community.crypto 3.0.0.

server_name (str, added in community.crypto 1.4.0): Server name used for SNI (Server Name Indication, https://en.wikipedia.org/wiki/Server_Name_Indication) when the hostname is an IP address or differs from the server name.

select_crypto_backend (str, choices: auto, cryptography; default auto): Determines which crypto backend to use. The default choice is "auto", which tries to use cryptography if available. If set to "cryptography", the module will try to use the cryptography library (https://cryptography.io/).
Return Values

cert (str, returned: success): The certificate retrieved from the port.

expired (bool, returned: success): Boolean indicating if the cert is expired.

extensions (list of dict, returned: success): Extensions applied to the cert. Each element contains:
  - asn1_data (str, returned: success): The ASN.1 content of the extension. If asn1_base64=true this will be Base64 encoded, otherwise the raw binary value will be returned. Please note that the raw binary value might not survive JSON serialization to the Ansible controller, and also might cause failures when displaying it. See https://github.com/ansible/ansible/issues/80258 for more information. Note that depending on the cryptography version used, it is not possible to extract the ASN.1 content of the extension, but only to provide the re-encoded content of the extension in case it was parsed by cryptography. This should usually result in exactly the same value, except if the original extension value was malformed.
  - critical (bool, returned: success): Whether the extension is critical.
  - name (str, returned: success): The extension's name.

issuer (dict, returned: success): Information about the issuer of the cert.

not_after (str, returned: success): Expiration date of the cert.

not_before (str, returned: success): Issue date of the cert.

serial_number (int, returned: success): The serial number of the cert. This return value is an integer. If you need the serial number as a colon-separated hex string, such as 11:22:33, you need to convert it to that form with the community.crypto.to_serial filter.

signature_algorithm (str, returned: success): The algorithm used to sign the cert.

subject (dict, returned: success): Information about the subject of the cert (OU, CN, etc.).

version (str, returned: success): The version number of the certificate.
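The following playbook ties the parameters and return values above together. It is an added example, not taken from the collection's documentation: it fetches the certificate with an explicit SNI name and chain validation against a CA bundle, computes the days until expiry with the same to_datetime expression as the documented example, and fails the play when the certificate is expired or inside a warning window. The endpoint address, server name, CA bundle path and 30-day threshold are constructed placeholders. As the ca_cert description states, the chain check does not confirm the certificate is valid for the host, so the server_name here only selects which certificate the server presents; it is not matched against the subject by this module.

```yaml
# Added example (not from the community.crypto docs); the endpoint, SNI name,
# CA bundle path and threshold below are constructed placeholders.
- name: Check the certificate presented by an internal TLS endpoint
  hosts: localhost
  gather_facts: true        # ansible_date_time is needed for the expiry math
  vars:
    tls_host: "10.0.0.10"                                # placeholder address
    tls_port: 443
    tls_server_name: "app.example.internal"              # placeholder SNI name
    tls_ca_bundle: "/etc/pki/tls/certs/internal-ca.pem"  # placeholder CA bundle
    expiry_warn_days: 30
  tasks:
    - name: Fetch the certificate, validated against the internal CA chain
      community.crypto.get_certificate:
        host: "{{ tls_host }}"
        port: "{{ tls_port }}"
        server_name: "{{ tls_server_name }}"   # host is an IP, so send SNI explicitly
        ca_cert: "{{ tls_ca_bundle }}"         # chain validation only, not hostname
        asn1_base64: true                      # keep extension data JSON-safe
        timeout: 5
      register: cert

    - name: Compute days until expiry (not_after uses the %Y%m%d%H%M%SZ format)
      ansible.builtin.set_fact:
        cert_days_left: >-
          {{ ((cert.not_after | to_datetime('%Y%m%d%H%M%SZ'))
              - (ansible_date_time.iso8601 | to_datetime('%Y-%m-%dT%H:%M:%SZ'))).days }}

    - name: Fail when the certificate is expired or close to expiry
      ansible.builtin.assert:
        that:
          - not cert.expired
          - cert_days_left | int > expiry_warn_days
        fail_msg: >-
          Certificate {{ cert.serial_number | community.crypto.to_serial }}
          for {{ tls_server_name }} (signed with {{ cert.signature_algorithm }})
          expires {{ cert.not_after }}, in {{ cert_days_left }} days
        success_msg: "{{ cert_days_left }} days of validity left on {{ tls_server_name }}"
```

Setting asn1_base64 to true avoids the raw-binary serialization problem described under the extensions return value and also opts in early to the default that community.crypto 3.0.0 will adopt. The serial number is rendered through the community.crypto.to_serial filter because the module returns it as an integer, not the colon-separated hex form that most certificate inventories and revocation notices use.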