Skip to main content

Ansible ACME

This Integration is part of the Ansible Linux Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Automatic Certificate Management Environment on Linux hosts management using Ansible modules. This integration lets you manage certificate generation on Linux hosts with a CA supporting the ACME protocol, such as Let’s Encrypt. The Ansible engine is self-contained and pre-configured as part of this pack onto your XSOAR server, all you need to do is provide credentials you are ready to use the feature rich commands. This integration functions without any agents or additional software installed on the hosts by utilising SSH combined with Python.

To use this integration, configure an instance of this integration. This will associate a credential to be used to access hosts when commands are run. The commands from this integration will take the Linux host address(es) as an input, and use the saved credential associated to the instance to execute. Create separate instances if multiple credentials are required.

This integration was tested with Let's Encrypt and supports the ACME http-01, dns-01 and tls-alpn-01 challenges.

Requirements#

This integration requires a linux host to be specified from which the connections to the ACME service will be performed, and where the certificate/key files will be stored.

The Linux host used for ACME interaction requires:

  • python >= 2.6
  • either openssl or cryptography >= 1.5

Network Requirements#

By default, TCP port 22 will be used to initiate a SSH connection to the Linux host.

The connection will be initiated from the XSOAR engine/server specified in the instance settings.

Credentials#

This integration supports a number of methods of authenticating with the Linux Host:

  1. Username & Password entered into the integration
  2. Username & Password credential from the XSOAR credential manager
  3. Username and SSH Key from the XSOAR credential manager

Permissions#

Normal Linux user privileges are required, a SuperUser account is not required. ACME Account management operations require access to the ACME account RSA or Elliptic Curve key file on the Linux host used for management to authenticate with the ACME service.

Privilege Escalation#

Ansible can use existing privilege escalation systems to allow a user to execute tasks as another. Different from the user that logged into the machine (remote user). This is done using existing privilege escalation tools, which you probably already use or have configured, like sudo, su, or doas. Use the Integration parameters Escalate Privileges, Privilege Escalation Method, Privilege Escalation User, Privileges Escalation Password to configure this.

Further information#

This integration is powered by Ansible 2.9. Further information can be found on that the following locations:

Configure Ansible ACME in Cortex#

ParameterDescriptionRequired
UsernameThe credentials to associate with the instance. SSH keys can be configured using the credential manager.True
PasswordTrue
Default SSH PortThe default port to use if one is not specified in the commands `host` argument.True
Concurrency FactorIf multiple hosts are specified in a command, how many hosts should be interacted with concurrently.True
Escalate PrivilegesAnsible allows you to β€˜become’ another user, different from the user that
logged into the machine (remote user).
True
Privilege Escalation MethodWhich privilege escalation method should be used.True
Privilege Escalation UserSet the user you become through privilege escalationFalse
Privilege Escalation PasswordSet the privilege escalation password.False

Testing#

This integration does not support testing from the integration management screen. Instead it is recommended to use the !acme-inspectcommand providing an example host as the command argument to connect to a ACME provider like Let's Encrypt. Eg. !acme-inspect host="123.123.123.123" acme_directory="https://acme-staging-v02.api.letsencrypt.org/directory" acme_version="2" method="directory-only" This command will connect to the specified host with the configured credentials in the integration, and if successful output information about the Let's Encrypt ACME directory.

Idempotence#

The action commands in this integration are idempotent. This means that the result of performing it once is exactly the same as the result of performing it repeatedly without any intervening actions.

State Arguement#

Some of the commands in this integration take a state argument. These define the desired end state of the object being managed. As a result these commands are able to perform multiple management operations depending on the desired state value. Common state values are: | State | Result | | --- | --- | | present | Object should exist. If not present, the object will be created with the provided parameters. If present but not with correct parameters, it will be modified to met provided parameters. | | running | Object should be running not stopped. | | stopped | Object should be stopped not running. | | restarted | Object will be restarted. | | absent | Object should not exist. If it it exists it will be deleted. |

Complex Command Inputs#

Some commands may require structured input arguments such as lists or dictionary, these can be provided in standard JSON notation wrapped in double curly braces. For example a argument called dns_servers that accepts a list of server IPs 8.8.8.8 and 8.8.4.4 would be entered as dns_servers="{{ ['8.8.8.8', '8.8.4.4'] }}".

Other more advanced data manipulation tools such as Ansible/Jinja2 filters can also be used in-line. For example to get a random number between 0 and 60 you can use {{ 60 | random }}.

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

acme-account#


Create, modify or delete ACME accounts Further documentation available at https://docs.ansible.com/ansible/2.9/modules/acme_account_module.html

Base Command#

acme-account

Input#

Argument NameDescriptionRequired
hosthostname or IP of target. Optionally the port can be specified using :PORT. If multiple targets are specified using an array, the integration will use the configured concurrency factor for high performance.Required
stateThe state of the account, to be identified by its account key. If the state is absent, the account will either not exist or be deactivated. If the state is changed_key, the account must exist. The account key will be changed; no other information will be touched. Possible values are: present, absent, changed_key.Required
allow_creationWhether account creation is allowed (when state is present). Possible values are: Yes, No. Default is Yes.Optional
contactA list of contact URLs. Email addresses must be prefixed with mailto:. See https://tools.ietf.org/html/rfc8555#section-7.3 for what is allowed. Must be specified when state is present. Will be ignored if state is absent or changed_key.Optional
terms_agreedBoolean indicating whether you agree to the terms of service document. ACME servers can require this to be true. Possible values are: Yes, No. Default is No.Optional
new_account_key_srcPath to a file containing the ACME account RSA or Elliptic Curve key to change to. Same restrictions apply as to account_key_src. Mutually exclusive with new_account_key_content. Required if new_account_key_content is not used and state is changed_key.Optional
new_account_key_contentContent of the ACME account RSA or Elliptic Curve key to change to. Same restrictions apply as to account_key_content. Mutually exclusive with new_account_key_src. Required if new_account_key_src is not used and state is changed_key.Optional
account_key_srcPath to a file containing the ACME account RSA or Elliptic Curve key. RSA keys can be created with openssl genrsa .... Elliptic curve keys can be created with openssl ecparam -genkey .... Any other tool creating private keys in PEM format can be used as well. Mutually exclusive with account_key_content. Required if account_key_content is not used.Optional
account_key_contentContent of the ACME account RSA or Elliptic Curve key.
Mutually exclusive with account_key_src.
Required if account_key_src is not used.
Warning: the content will be written into a temporary file, which will be deleted by Ansible when the module completes. Since this is an important private key β€” it can be used to change the account key, or to revoke your certificates without knowing their private keys β€”, this might not be acceptable.
In case cryptography is used, the content is not written into a temporary file. It can still happen that it is written to disk by Ansible in the process of moving the module with its argument to the node where it is executed.
Optional
account_uriIf specified, assumes that the account URI is as given. If the account key does not match this account, or an account with this URI does not exist, the module fails.Optional
acme_versionThe ACME version of the endpoint. Must be 1 for the classic Let's Encrypt and Buypass ACME endpoints, or 2 for standardized ACME v2 endpoints. Possible values are: 1, 2. Default is 1.Optional
acme_directoryThe ACME directory to use. This is the entry point URL to access CA server API. For safety reasons the default is set to the Let's Encrypt staging server (for the ACME v1 protocol). This will create technically correct, but untrusted certificates. For Let's Encrypt, all staging endpoints can be found here: https://letsencrypt.org/docs/staging-environment/. For Buypass, all endpoints can be found here: https://community.buypass.com/t/63d4ay/buypass-go-ssl-endpoints For Let's Encrypt, the production directory URL for ACME v1 is https://acme-v01.api.letsencrypt.org/directory, and the production directory URL for ACME v2 is https://acme-v02.api.letsencrypt.org/directory. For Buypass, the production directory URL for ACME v2 and v1 is https://api.buypass.com/acme/directory. Warning: So far, the module has only been tested against Let's Encrypt (staging and production), Buypass (staging and production), and Pebble testing server,https://github.com/letsencrypt/Pebble. Default is https://acme-staging.api.letsencrypt.org/directory.Optional
validate_certsWhether calls to the ACME directory will validate TLS certificates. Warning: Should only ever be set to no for testing purposes, for example when testing against a local Pebble server. Possible values are: Yes, No. Default is Yes.Optional
select_crypto_backendDetermines which crypto backend to use. The default choice is auto, which tries to use cryptography if available, and falls back to openssl. If set to openssl, will try to use the openssl binary. If set to cryptography, will try to use the cryptography,https://cryptography.io/ library. Possible values are: auto, cryptography, openssl. Default is auto.Optional

Context Output#

PathTypeDescription
ACME.AcmeAccount.account_uristringACME account URI, or None if account does not exist.

Command Example#

!acme-account host="123.123.123.123" "account_key_src"="/etc/letsencrypt/keys/example.com.key" state="present" terms_agreed="True" contact="mailto:user@example.com" acme_version=2 acme_directory=https://acme-staging-v02.api.letsencrypt.org/directory

Context Example#

{
"ACME": {
"AcmeAccount": {
"account_uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/12345678",
"changed": false,
"host": "123.123.123.123",
"status": "SUCCESS"
}
}
}

Human Readable Output#

123.123.123.123 - SUCCESS#

acme-account-info#


Retrieves information on ACME accounts Further documentation available at https://docs.ansible.com/ansible/2.9/modules/acme_account_info_module.html

Base Command#

acme-account-info

Input#

Argument NameDescriptionRequired
hosthostname or IP of target. Optionally the port can be specified using :PORT. If multiple targets are specified using an array, the integration will use the configured concurrency factor for high performance.Required
retrieve_ordersWhether to retrieve the list of order URLs or order objects, if provided by the ACME server. A value of ignore will not fetch the list of orders. Currently, Let's Encrypt does not return orders, so the orders result will always be empty. Possible values are: ignore, url_list, object_list. Default is ignore.Optional
account_key_srcPath to a file containing the ACME account RSA or Elliptic Curve key. RSA keys can be created with openssl genrsa .... Elliptic curve keys can be created with openssl ecparam -genkey .... Any other tool creating private keys in PEM format can be used as well. Mutually exclusive with account_key_content. Required if account_key_content is not used.Optional
account_key_contentContent of the ACME account RSA or Elliptic Curve key.
Mutually exclusive with account_key_src.
Required if account_key_src is not used.
Warning: the content will be written into a temporary file, which will be deleted by Ansible when the module completes. Since this is an important private key β€” it can be used to change the account key, or to revoke your certificates without knowing their private keys β€”, this might not be acceptable.
In case cryptography is used, the content is not written into a temporary file. It can still happen that it is written to disk by Ansible in the process of moving the module with its argument to the node where it is executed.
Optional
account_uriIf specified, assumes that the account URI is as given. If the account key does not match this account, or an account with this URI does not exist, the module fails.Optional
acme_versionThe ACME version of the endpoint. Must be 1 for the classic Let's Encrypt and Buypass ACME endpoints, or 2 for standardized ACME v2 endpoints. Possible values are: 1, 2. Default is 1.Optional
acme_directoryThe ACME directory to use. This is the entry point URL to access CA server API. For safety reasons the default is set to the Let's Encrypt staging server (for the ACME v1 protocol). This will create technically correct, but untrusted certificates. For Let's Encrypt, all staging endpoints can be found here: https://letsencrypt.org/docs/staging-environment/. For Buypass, all endpoints can be found here: https://community.buypass.com/t/63d4ay/buypass-go-ssl-endpoints For Let's Encrypt, the production directory URL for ACME v1 is https://acme-v01.api.letsencrypt.org/directory, and the production directory URL for ACME v2 is https://acme-v02.api.letsencrypt.org/directory. For Buypass, the production directory URL for ACME v2 and v1 is https://api.buypass.com/acme/directory. Warning: So far, the module has only been tested against Let's Encrypt (staging and production), Buypass (staging and production), and Pebble testing server,https://github.com/letsencrypt/Pebble. Default is https://acme-staging.api.letsencrypt.org/directory.Optional
validate_certsWhether calls to the ACME directory will validate TLS certificates. Warning: Should only ever be set to no for testing purposes, for example when testing against a local Pebble server. Possible values are: Yes, No. Default is Yes.Optional
select_crypto_backendDetermines which crypto backend to use. The default choice is auto, which tries to use cryptography if available, and falls back to openssl. If set to openssl, will try to use the openssl binary. If set to cryptography, will try to use the cryptography,https://cryptography.io/ library. Possible values are: auto, cryptography, openssl. Default is auto.Optional

Context Output#

PathTypeDescription
ACME.AcmeAccountInfo.existsbooleanWhether the account exists.
ACME.AcmeAccountInfo.account_uristringACME account URI, or None if account does not exist.
ACME.AcmeAccountInfo.accountunknownThe account information, as retrieved from the ACME server.
ACME.AcmeAccountInfo.ordersunknownThe list of orders. If `retrieve_orders` is `url_list`, this will be a list of URLs. If `retrieve_orders` is `object_list`, this will be a list of objects.

Command Example#

!acme-account-info host="123.123.123.123" "account_key_src"="/etc/letsencrypt/keys/example.com.key" acme_version=2 acme_directory=https://acme-staging-v02.api.letsencrypt.org/directory

Context Example#

{
"ACME": {
"AcmeAccountInfo": {
"account": {
"contact": [
"mailto:user@example.com"
],
"createdAt": "2021-07-10T09:53:36Z",
"initialIp": "123.123.123.123",
"key": {
"e": "AQAB",
"kty": "RSA",
"n": "pdq0KgKTw2ih3...AgYk"
},
"public_account_key": {
"e": "AQAB",
"kty": "RSA",
"n": "pdq0KgKTw2ih3U...97AgYk"
},
"status": "valid"
},
"account_uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/12345678",
"changed": false,
"exists": true,
"host": "123.123.123.123",
"status": "SUCCESS"
}
}
}

Human Readable Output#

123.123.123.123 - SUCCESS#

acme-certificate#


Create SSL/TLS certificates with the ACME protocol Further documentation available at https://docs.ansible.com/ansible/2.9/modules/acme_certificate_module.html

Base Command#

acme-certificate

Input#

Argument NameDescriptionRequired
hosthostname or IP of target. Optionally the port can be specified using :PORT. If multiple targets are specified using an array, the integration will use the configured concurrency factor for high performance.Required
account_emailThe email address associated with this account. It will be used for certificate expiration warnings. Note that when modify_account is not set to no and you also used the acme_account module to specify more than one contact for your account, this module will update your account and restrict it to the (at most one) contact email address specified here.Optional
agreementURI to a terms of service document you agree to when using the ACME v1 service at acme_directory. Default is latest gathered from acme_directory URL. This option will only be used when acme_version is 1.Optional
terms_agreedBoolean indicating whether you agree to the terms of service document. ACME servers can require this to be true. This option will only be used when acme_version is not 1. Possible values are: Yes, No. Default is No.Optional
modify_accountBoolean indicating whether the module should create the account if necessary, and update its contact data. Set to no if you want to use the acme_account module to manage your account instead, and to avoid accidental creation of a new account using an old key if you changed the account key with acme_account. If set to no, terms_agreed and account_email are ignored. Possible values are: Yes, No. Default is Yes.Optional
challengeThe challenge to be performed. Possible values are: http-01, dns-01, tls-alpn-01. Default is http-01.Optional
csrFile containing the CSR for the new certificate. Can be created with openssl req .... The CSR may contain multiple Subject Alternate Names, but each one will lead to an individual challenge that must be fulfilled for the CSR to be signed. Note: the private key used to create the CSR must not be the account key. This is a bad idea from a security point of view, and the CA should not accept the CSR. The ACME server should return an error in this case.Required
dataThe data to validate ongoing challenges. This must be specified for the second run of the module only. The value that must be used here will be provided by a previous use of this module. See the examples for more details. Note that for ACME v2, only the order_uri entry of data will be used. For ACME v1, data must be non-empty to indicate the second stage is active; all needed data will be taken from the CSR. Note: the data option was marked as no_log up to Ansible 2.5. From Ansible 2.6 on, it is no longer marked this way as it causes error messages to be come unusable, and data does not contain any information which can be used without having access to the account key or which are not public anyway.Optional
destThe destination file for the certificate. Required if fullchain_dest is not specified.Optional
fullchain_destThe destination file for the full chain (i.e. certificate followed by chain of intermediate certificates). Required if dest is not specified.Optional
chain_destIf specified, the intermediate certificate will be written to this file.Optional
remaining_daysThe number of days the certificate must have left being valid. If cert_days < remaining_days, then it will be renewed. If the certificate is not renewed, module return values will not include challenge_data. To make sure that the certificate is renewed in any case, you can use the force option. Default is 10.Optional
deactivate_authzsDeactivate authentication objects (authz) after issuing a certificate, or when issuing the certificate failed. Authentication objects are bound to an account key and remain valid for a certain amount of time, and can be used to issue certificates without having to re-authenticate the domain. This can be a security concern. Possible values are: Yes, No. Default is No.Optional
forceEnforces the execution of the challenge and validation, even if an existing certificate is still valid for more than remaining_days. This is especially helpful when having an updated CSR e.g. with additional domains for which a new certificate is desired. Possible values are: Yes, No. Default is No.Optional
retrieve_all_alternatesWhen set to yes, will retrieve all alternate chains offered by the ACME CA. These will not be written to disk, but will be returned together with the main chain as all_chains. See the documentation for the all_chains return value for details. Possible values are: Yes, No. Default is No.Optional
account_key_srcPath to a file containing the ACME account RSA or Elliptic Curve key. RSA keys can be created with openssl genrsa .... Elliptic curve keys can be created with openssl ecparam -genkey .... Any other tool creating private keys in PEM format can be used as well. Mutually exclusive with account_key_content. Required if account_key_content is not used.Optional
account_key_contentContent of the ACME account RSA or Elliptic Curve key.
Mutually exclusive with account_key_src.
Required if account_key_src is not used.
Warning: the content will be written into a temporary file, which will be deleted by Ansible when the module completes. Since this is an important private key β€” it can be used to change the account key, or to revoke your certificates without knowing their private keys β€”, this might not be acceptable.
In case cryptography is used, the content is not written into a temporary file. It can still happen that it is written to disk by Ansible in the process of moving the module with its argument to the node where it is executed.
Optional
account_uriIf specified, assumes that the account URI is as given. If the account key does not match this account, or an account with this URI does not exist, the module fails.Optional
acme_versionThe ACME version of the endpoint. Must be 1 for the classic Let's Encrypt and Buypass ACME endpoints, or 2 for standardized ACME v2 endpoints. Possible values are: 1, 2. Default is 1.Optional
acme_directoryThe ACME directory to use. This is the entry point URL to access CA server API. For safety reasons the default is set to the Let's Encrypt staging server (for the ACME v1 protocol). This will create technically correct, but untrusted certificates. For Let's Encrypt, all staging endpoints can be found here: https://letsencrypt.org/docs/staging-environment/. For Buypass, all endpoints can be found here: https://community.buypass.com/t/63d4ay/buypass-go-ssl-endpoints For Let's Encrypt, the production directory URL for ACME v1 is https://acme-v01.api.letsencrypt.org/directory, and the production directory URL for ACME v2 is https://acme-v02.api.letsencrypt.org/directory. For Buypass, the production directory URL for ACME v2 and v1 is https://api.buypass.com/acme/directory. Warning: So far, the module has only been tested against Let's Encrypt (staging and production), Buypass (staging and production), and Pebble testing server,https://github.com/letsencrypt/Pebble. Default is https://acme-staging.api.letsencrypt.org/directory.Optional
validate_certsWhether calls to the ACME directory will validate TLS certificates. Warning: Should only ever be set to no for testing purposes, for example when testing against a local Pebble server. Possible values are: Yes, No. Default is Yes.Optional
select_crypto_backendDetermines which crypto backend to use. The default choice is auto, which tries to use cryptography if available, and falls back to openssl. If set to openssl, will try to use the openssl binary. If set to cryptography, will try to use the cryptography,https://cryptography.io/ library. Possible values are: auto, cryptography, openssl. Default is auto.Optional

Context Output#

PathTypeDescription
ACME.AcmeCertificate.cert_daysnumberThe number of days the certificate remains valid.
ACME.AcmeCertificate.challenge_dataunknownPer identifier / challenge type challenge data. Since Ansible 2.8.5, only challenges which are not yet valid are returned.
ACME.AcmeCertificate.challenge_data_dnsunknownList of TXT values per DNS record, in case challenge is `dns-01`. Since Ansible 2.8.5, only challenges which are not yet valid are returned.
ACME.AcmeCertificate.authorizationsunknownACME authorization data. Maps an identifier to ACME authorization objects. See `https://tools.ietf.org/html/rfc8555#section-7.1.4\`.
ACME.AcmeCertificate.order_uristringACME order URI.
ACME.AcmeCertificate.finalization_uristringACME finalization URI.
ACME.AcmeCertificate.account_uristringACME account URI.
ACME.AcmeCertificate.all_chainsunknownWhen `retrieve_all_alternates` is set to `yes`, the module will query the ACME server for alternate chains. This return value will contain a list of all chains returned, the first entry being the main chain returned by the server. See `Section 7.4.2 of RFC8555,https://tools.ietf.org/html/rfc8555#section-7.4.2\` for details.

Command Example#

!acme-certificate host="123.123.123.123" "account_key_src"="/etc/letsencrypt/keys/example.com.key" dest=/etc/letsencrypt/certs/test.example.com.crt csr=/etc/letsencrypt/csrs/example.com.csr acme_directory=https://acme-v02.api.letsencrypt.org/directory acme_version=2 challenge="dns-01" terms_agreed=1

Context Example#

{
"ACME": {
"AcmeCertificate": {
"account_uri": "https://acme-v02.api.letsencrypt.org/acme/acct/123456789",
"authorizations": {
"xsoar-example.example.com": {
"challenges": [
{
"status": "pending",
"token": "UjnalQ...8OEsJw",
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12345678901/4cF9Tg"
},
{
"status": "pending",
"token": "UjnalQ...8OEsJw",
"type": "dns-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12345678901/J6Svyw"
},
{
"status": "pending",
"token": "UjnalQ...8OEsJw",
"type": "tls-alpn-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12345678901/Phy50Q"
}
],
"expires": "2021-07-13T10:05:43Z",
"identifier": {
"type": "dns",
"value": "xsoar-example.example.com"
},
"status": "pending",
"uri": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/12345678901"
}
},
"cert_days": -1,
"challenge_data": {
"xsoar-example.example.com": {
"dns-01": {
"record": "_acme-challenge.xsoar-example.example.com",
"resource": "_acme-challenge",
"resource_value": "aIt7...MjsnM"
},
"http-01": {
"resource": ".well-known/acme-challenge/UjnalQ...8OEsJw",
"resource_value": "UjnalQ...8OEsJw.brMgVl5klrL6Hsd4E1YqcpXU5Mn-jVxqb5MtbbzmMjg"
},
"tls-alpn-01": {
"resource": "xsoar-example.example.com",
"resource_original": "dns:xsoar-example.example.com",
"resource_value": "aIt7...MjsnM="
}
}
},
"challenge_data_dns": {
"_acme-challenge.xsoar-example.example.com": [
"aIt7...MjsnM"
]
},
"changed": true,
"finalize_uri": "https://acme-v02.api.letsencrypt.org/acme/finalize/123456789/12345678901",
"host": "123.123.123.123",
"order_uri": "https://acme-v02.api.letsencrypt.org/acme/order/123456789/12345678901",
"status": "CHANGED"
}
}
}

Human Readable Output#

123.123.123.123 - CHANGED#

acme-certificate-revoke#


Revoke certificates with the ACME protocol Further documentation available at https://docs.ansible.com/ansible/2.9/modules/acme_certificate_revoke_module.html

Base Command#

acme-certificate-revoke

Input#

Argument NameDescriptionRequired
hosthostname or IP of target. Optionally the port can be specified using :PORT. If multiple targets are specified using an array, the integration will use the configured concurrency factor for high performance.Required
certificatePath to the certificate to revoke.Required
account_key_srcPath to a file containing the ACME account RSA or Elliptic Curve key. RSA keys can be created with openssl rsa .... Elliptic curve keys can be created with openssl ecparam -genkey .... Any other tool creating private keys in PEM format can be used as well. Mutually exclusive with account_key_content. Required if account_key_content is not used.Optional
account_key_contentContent of the ACME account RSA or Elliptic Curve key.
Note that exactly one of account_key_src, account_key_content, private_key_src or private_key_content must be specified.
Warning: the content will be written into a temporary file, which will be deleted by Ansible when the module completes. Since this is an important private key β€” it can be used to change the account key, or to revoke your certificates without knowing their private keys β€”, this might not be acceptable.
In case cryptography is used, the content is not written into a temporary file. It can still happen that it is written to disk by Ansible in the process of moving the module with its argument to the node where it is executed.
Optional
private_key_srcPath to the certificate's private key. Note that exactly one of account_key_src, account_key_content, private_key_src or private_key_content must be specified.Optional
private_key_contentContent of the certificate's private key.
Note that exactly one of account_key_src, account_key_content, private_key_src or private_key_content must be specified.
Warning: the content will be written into a temporary file, which will be deleted by Ansible when the module completes. Since this is an important private key β€” it can be used to change the account key, or to revoke your certificates without knowing their private keys β€”, this might not be acceptable.
In case cryptography is used, the content is not written into a temporary file. It can still happen that it is written to disk by Ansible in the process of moving the module with its argument to the node where it is executed.
Optional
revoke_reasonOne of the revocation reasonCodes defined in Section 5.3.1 of RFC5280,https://tools.ietf.org/html/rfc5280#section-5.3.1. Possible values are 0 (unspecified), 1 (keyCompromise), 2 (cACompromise), 3 (affiliationChanged), 4 (superseded), 5 (cessationOfOperation), 6 (certificateHold), 8 (removeFromCRL), 9 (privilegeWithdrawn), 10 (aACompromise).Optional
account_uriIf specified, assumes that the account URI is as given. If the account key does not match this account, or an account with this URI does not exist, the module fails.Optional
acme_versionThe ACME version of the endpoint. Must be 1 for the classic Let's Encrypt and Buypass ACME endpoints, or 2 for standardized ACME v2 endpoints. Possible values are: 1, 2. Default is 1.Optional
acme_directoryThe ACME directory to use. This is the entry point URL to access CA server API. For safety reasons the default is set to the Let's Encrypt staging server (for the ACME v1 protocol). This will create technically correct, but untrusted certificates. For Let's Encrypt, all staging endpoints can be found here: https://letsencrypt.org/docs/staging-environment/. For Buypass, all endpoints can be found here: https://community.buypass.com/t/63d4ay/buypass-go-ssl-endpoints For Let's Encrypt, the production directory URL for ACME v1 is https://acme-v01.api.letsencrypt.org/directory, and the production directory URL for ACME v2 is https://acme-v02.api.letsencrypt.org/directory. For Buypass, the production directory URL for ACME v2 and v1 is https://api.buypass.com/acme/directory. Warning: So far, the module has only been tested against Let's Encrypt (staging and production), Buypass (staging and production), and Pebble testing server,https://github.com/letsencrypt/Pebble. Default is https://acme-staging.api.letsencrypt.org/directory.Optional
validate_certsWhether calls to the ACME directory will validate TLS certificates. Warning: Should only ever be set to no for testing purposes, for example when testing against a local Pebble server. Possible values are: Yes, No. Default is Yes.Optional
select_crypto_backendDetermines which crypto backend to use. The default choice is auto, which tries to use cryptography if available, and falls back to openssl. If set to openssl, will try to use the openssl binary. If set to cryptography, will try to use the cryptography,https://cryptography.io/ library. Possible values are: auto, cryptography, openssl. Default is auto.Optional

Context Output#

PathTypeDescription

acme-challenge-cert-helper#


Prepare certificates required for ACME challenges such as C(tls-alpn-01) Further documentation available at https://docs.ansible.com/ansible/2.9/modules/acme_challenge_cert_helper_module.html

Base Command#

acme-challenge-cert-helper

Input#

Argument NameDescriptionRequired
hosthostname or IP of target. Optionally the port can be specified using :PORT. If multiple targets are specified using an array, the integration will use the configured concurrency factor for high performance.Required
challengeThe challenge type. Possible values are: tls-alpn-01.Required
challenge_dataThe challenge_data entry provided by acme_certificate for the challenge.Required
private_key_srcPath to a file containing the private key file to use for this challenge certificate. Mutually exclusive with private_key_content.Optional
private_key_contentContent of the private key to use for this challenge certificate. Mutually exclusive with private_key_src.Optional

Context Output#

PathTypeDescription
ACME.AcmeChallengeCertHelper.domainstringThe domain the challenge is for. The certificate should be provided if this is specified in the request's the `Host` header.
ACME.AcmeChallengeCertHelper.identifier_typestringThe identifier type for the actual resource identifier. Will be `dns` or `ip`.
ACME.AcmeChallengeCertHelper.identifierstringThe identifier for the actual resource. Will be a domain name if the type is `dns`, or an IP address if the type is `ip`.
ACME.AcmeChallengeCertHelper.challenge_certificatestringThe challenge certificate in PEM format.
ACME.AcmeChallengeCertHelper.regular_certificatestringA self-signed certificate for the challenge domain. If no existing certificate exists, can be used to set-up https in the first place if that is needed for providing the challenge.

acme-inspect#


Send direct requests to an ACME server Further documentation available at https://docs.ansible.com/ansible/2.9/modules/acme_inspect_module.html

Base Command#

acme-inspect

Input#

Argument NameDescriptionRequired
hosthostname or IP of target. Optionally the port can be specified using :PORT. If multiple targets are specified using an array, the integration will use the configured concurrency factor for high performance.Required
urlThe URL to send the request to. Must be specified if method is not directory-only.Optional
methodThe method to use to access the given URL on the ACME server. The value post executes an authenticated POST request. The content must be specified in the content option. The value get executes an authenticated POST-as-GET request for ACME v2, and a regular GET request for ACME v1. The value directory-only only retrieves the directory, without doing a request. Possible values are: get, post, directory-only. Default is get.Optional
contentAn encoded JSON object which will be sent as the content if method is post. Required when method is post, and not allowed otherwise.Optional
fail_on_acme_errorIf method is post or get, make the module fail in case an ACME error is returned. Possible values are: Yes, No. Default is Yes.Optional
account_key_srcPath to a file containing the ACME account RSA or Elliptic Curve key. RSA keys can be created with openssl genrsa .... Elliptic curve keys can be created with openssl ecparam -genkey .... Any other tool creating private keys in PEM format can be used as well. Mutually exclusive with account_key_content. Required if account_key_content is not used.Optional
account_key_contentContent of the ACME account RSA or Elliptic Curve key.
Mutually exclusive with account_key_src.
Required if account_key_src is not used.
Warning: the content will be written into a temporary file, which will be deleted by Ansible when the module completes. Since this is an important private key β€” it can be used to change the account key, or to revoke your certificates without knowing their private keys β€”, this might not be acceptable.
In case cryptography is used, the content is not written into a temporary file. It can still happen that it is written to disk by Ansible in the process of moving the module with its argument to the node where it is executed.
Optional
account_uriIf specified, assumes that the account URI is as given. If the account key does not match this account, or an account with this URI does not exist, the module fails.Optional
acme_versionThe ACME version of the endpoint. Must be 1 for the classic Let's Encrypt and Buypass ACME endpoints, or 2 for standardized ACME v2 endpoints. Possible values are: 1, 2. Default is 1.Optional
acme_directoryThe ACME directory to use. This is the entry point URL to access CA server API. For safety reasons the default is set to the Let's Encrypt staging server (for the ACME v1 protocol). This will create technically correct, but untrusted certificates. For Let's Encrypt, all staging endpoints can be found here: https://letsencrypt.org/docs/staging-environment/. For Buypass, all endpoints can be found here: https://community.buypass.com/t/63d4ay/buypass-go-ssl-endpoints For Let's Encrypt, the production directory URL for ACME v1 is https://acme-v01.api.letsencrypt.org/directory, and the production directory URL for ACME v2 is https://acme-v02.api.letsencrypt.org/directory. For Buypass, the production directory URL for ACME v2 and v1 is https://api.buypass.com/acme/directory. Warning: So far, the module has only been tested against Let's Encrypt (staging and production), Buypass (staging and production), and Pebble testing server,https://github.com/letsencrypt/Pebble. Default is https://acme-staging.api.letsencrypt.org/directory.Optional
validate_certsWhether calls to the ACME directory will validate TLS certificates. Warning: Should only ever be set to no for testing purposes, for example when testing against a local Pebble server. Possible values are: Yes, No. Default is Yes.Optional
select_crypto_backendDetermines which crypto backend to use. The default choice is auto, which tries to use cryptography if available, and falls back to openssl. If set to openssl, will try to use the openssl binary. If set to cryptography, will try to use the cryptography,https://cryptography.io/ library. Possible values are: auto, cryptography, openssl. Default is auto.Optional

Context Output#

PathTypeDescription
ACME.AcmeInspect.directoryunknownThe ACME directory's content
ACME.AcmeInspect.headersunknownThe request's HTTP headers (with lowercase keys)
ACME.AcmeInspect.output_textstringThe raw text output
ACME.AcmeInspect.output_jsonunknownThe output parsed as JSON

Command Example#

!acme-inspect host="123.123.123.123" acme_directory="https://acme-staging-v02.api.letsencrypt.org/directory" acme_version="2" method="directory-only"

Context Example#

{
"ACME": {
"AcmeInspect": {
"changed": false,
"directory": {
"d3x8YeEROW0": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org/docs/staging-environment/"
},
"newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
},
"host": "123.123.123.123",
"status": "SUCCESS"
}
}
}

Human Readable Output#

123.123.123.123 - SUCCESS#

Troubleshooting#

The Ansible-Runner container is not suitable for running as a non-root user. Therefore, the Ansible integrations will fail if you follow the instructions in Docker hardening guide (Cortex XSOAR 6.13) or Docker hardening guide (Cortex XSOAR 8 Cloud) or Docker hardening guide (Cortex XSOAR 8.7 On-prem).

The docker.run.internal.asuser server configuration causes the software that is run inside of the Docker containers utilized by Cortex XSOAR to run as a non-root user account inside the container.

The Ansible-Runner software is required to run as root as it applies its own isolation via bwrap to the Ansible execution environment.

This is a limitation of the Ansible-Runner software itself https://github.com/ansible/ansible-runner/issues/611.

A workaround is to use the docker.run.internal.asuser.ignore server setting and to configure Cortex XSOAR to ignore the Ansible container image by setting the value of demisto/ansible-runner and afterwards running /reset_containers to reload any containers that might be running to ensure they receive the configuration.

See step 2 of this Docker hardening guide (Cortex XSOAR 6.13). For Cortex XSOAR 8 Cloud see step 3 in Run Docker with non-root internal users of this Docker hardening guide (Cortex XSOAR 8 Cloud). For Cortex XSOAR 8.7 On-prem see step 3 in Run Docker with non-root internal users of this Docker hardening guide (Cortex XSOAR 8.7 On-prem) for complete instructions.