get_certificate – Get a certificate from a host:port


New in version 2.8.


Synopsis

  • Makes a secure connection and returns information about the presented certificate

Requirements

The below requirements are needed on the host that executes this module.

  • pyOpenSSL >= 0.15

Parameters

Parameter | Choices/Defaults | Comments
--- | --- | ---
ca_cert (path) | | A PEM file containing one or more root certificates; if present, the cert will be validated against these root certs. Note that this only validates that the certificate is signed by the chain, not that the cert is valid for the host presenting it.
host (string / required) | | The host to get the cert for (IP is fine)
port (integer / required) | | The port to connect to
timeout (integer) | Default: 10 | The timeout in seconds



Notes

Note

  • When using ca_cert on OS X, it has been reported that under some conditions validation will always succeed.


Examples

- name: Get the cert from an RDP port
  get_certificate:
    host: "1.2.3.4"
    port: 3389
  delegate_to: localhost
  run_once: true
  register: cert

- name: Get a cert from an https port
  get_certificate:
    host: "www.google.com"
    port: 443
  delegate_to: localhost
  run_once: true
  register: cert

- name: How many days until cert expires
  debug:
    msg: "cert expires in: {{ expire_days }} days."
  vars:
    expire_days: "{{ (( cert.not_after | to_datetime('%Y%m%d%H%M%SZ')) - (ansible_date_time.iso8601 | to_datetime('%Y-%m-%dT%H:%M:%SZ')) ).days }}"

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key | Returned | Description
--- | --- | ---
cert (string) | success | The certificate retrieved from the port
expired (boolean) | success | Boolean indicating if the cert is expired
extensions (list) | success | Extensions applied to the cert
issuer (dictionary) | success | Information about the issuer of the cert
not_after (string) | success | Expiration date of the cert
not_before (string) | success | Issue date of the cert
serial_number (string) | success | The serial number of the cert
signature_algorithm (string) | success | The algorithm used to sign the cert
subject (dictionary) | success | Information about the subject of the cert (OU, CN, etc)
version (string) | success | The version number of the certificate
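
The return values above can be turned into a pass/fail gate over a registered result. The following filter plugin is an added example, not part of the Ansible documentation or the module's own code; because ca_cert validates only the chain, it also compares the subject CN with the name the caller expects. The function name cert_findings, the 30-day threshold, the weak-hash list and the sample dictionary are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

ASN1_TIME = "%Y%m%d%H%M%SZ"      # format of not_before / not_after used on this page
WEAK_HASHES = ("md5", "sha1")    # assumption: local policy, not defined by the module


def cert_findings(cert, expected_cn, min_days=30, now=None):
    """Return a list of policy findings for a registered get_certificate result."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    not_before = datetime.strptime(cert["not_before"], ASN1_TIME)
    not_after = datetime.strptime(cert["not_after"], ASN1_TIME)
    findings = []
    if cert.get("expired") or now >= not_after:
        findings.append("expired")
    elif not_after - now < timedelta(days=min_days):
        findings.append("expires in %d days" % (not_after - now).days)
    if now < not_before:
        findings.append("not yet valid")
    sig = cert.get("signature_algorithm", "").lower()
    if any(h in sig for h in WEAK_HASHES):
        findings.append("weak signature algorithm: %s" % sig)
    # ca_cert validates the chain only, so the name is compared here.
    # Only the subject CN is compared; SAN entries are not inspected.
    if cert.get("subject", {}).get("CN") != expected_cn:
        findings.append("subject CN does not match %s" % expected_cn)
    return findings


class FilterModule(object):
    """Ansible filter plugin entry point exposing cert_findings to templates."""

    def filters(self):
        return {"cert_findings": cert_findings}


# Constructed sample shaped like the Return Values table (not real module output).
SAMPLE = {
    "expired": False,
    "not_before": "20190101000000Z",
    "not_after": "20190320000000Z",
    "signature_algorithm": "sha1WithRSAEncryption",
    "subject": {"CN": "www.example.com"},
}

if __name__ == "__main__":
    for finding in cert_findings(SAMPLE, "www.example.com", now=datetime(2019, 3, 1)):
        print(finding)
```

Saved as filter_plugins/cert_findings.py beside a playbook, it can be called as {{ cert | cert_findings('www.example.com') }} and the resulting list passed to a fail or assert task.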





Status

Authors

  • John Westcott IV (@john-westcott-iv)



© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/modules/get_certificate_module.html