get_certificate – Get a certificate from a host:port
New in version 2.8.
Synopsis
- Makes a secure connection and returns information about the presented certificate
Requirements
The below requirements are needed on the host that executes this module.
- pyOpenSSL >= 0.15
Parameters
| Parameter | Choices/Defaults | Comments |
|---|---|---|
| ca_cert path | A PEM file containing one or more root certificates; if present, the cert will be validated against these root certs. Note that this only validates the certificate is signed by the chain; not that the cert is valid for the host presenting it. | |
| host string / required | The host to get the cert for (IP is fine) | |
| port integer / required | The port to connect to | |
| timeout integer | Default: 10 | The timeout in seconds |
Notes
Note
- When using ca_cert on OS X it has been reported that in some conditions the validate will always succeed.
Examples
- name: Get the cert from an RDP port
get_certificate:
host: "1.2.3.4"
port: 3389
delegate_to: localhost
run_once: true
register: cert
- name: Get a cert from an https port
get_certificate:
host: "www.google.com"
port: 443
delegate_to: localhost
run_once: true
register: cert
- name: How many days until cert expires
debug:
msg: "cert expires in: {{ expire_days }} days."
vars:
expire_days: "{{ (( cert.not_after | to_datetime('%Y%m%d%H%M%SZ')) - (ansible_date_time.iso8601 | to_datetime('%Y-%m-%dT%H:%M:%SZ')) ).days }}"
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| cert string | success | The certificate retrieved from the port |
| expired boolean | success | Boolean indicating if the cert is expired |
| extensions list | success | Extensions applied to the cert |
| issuer dictionary | success | Information about the issuer of the cert |
| not_after string | success | Expiration date of the cert |
| not_before string | success | Issue date of the cert |
| serial_number string | success | The serial number of the cert |
| signature_algorithm string | success | The algorithm used to sign the cert |
| subject dictionary | success | Information about the subject of the cert (OU, CN, etc) |
| version string | success | The version number of the certificate |
Status
- This module is not guaranteed to have a backwards compatible interface. [preview]
- This module is maintained by the Ansible Community. [community]
Authors
- John Westcott IV (@john-westcott-iv)
Hint
If you notice any issues in this documentation you can edit this document to improve it.
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/modules/get_certificate_module.html