Issue with openssl_csr authority_cert_issuer

Hello,

I am trying to specify O and CN

```
authority_cert_issuer: 'dirName:O = Example Net, CN = example.net'
authority_key_identifier: xxxxxxxx
authority_cert_serial_number: xxxxxxxxx
```

I get the following error on playbook run.

```
"msg": "Cannot parse Subject Alternative Name \"dirName:O = Packet Hosting\" (potentially unsupported by cryptography backend)"
```

Here is the trace

```
The full traceback is:
WARNING: The below traceback may not be related to the actual failure.
  File "/tmp/ansible_openssl_csr_payload_wKv9F1/ansible_openssl_csr_payload.zip/ansible/modules/crypto/openssl_csr.py", line 1088, in main
  File "/tmp/ansible_openssl_csr_payload_wKv9F1/ansible_openssl_csr_payload.zip/ansible/modules/crypto/openssl_csr.py", line 541, in generate
  File "/tmp/ansible_openssl_csr_payload_wKv9F1/ansible_openssl_csr_payload.zip/ansible/modules/crypto/openssl_csr.py", line 812, in _generate_csr
  File "/tmp/ansible_openssl_csr_payload_wKv9F1/ansible_openssl_csr_payload.zip/ansible/module_utils/crypto.py", line 1772, in cryptography_get_name
    raise OpenSSLObjectError('Cannot parse Subject Alternative Name "{0}" (potentially unsupported by cryptography backend)'.format(name))
```

```python
def cryptography_get_name(name):
    '''
    Given a name string, returns a cryptography x509.Name object.
    Raises an OpenSSLObjectError if the name is unknown or cannot be parsed.
    '''
    try:
        if name.startswith('DNS:'):
            return x509.DNSName(to_text(name[4:]))
        if name.startswith('IP:'):
            return x509.IPAddress(ipaddress.ip_address(to_text(name[3:])))
        if name.startswith('email:'):
            return x509.RFC822Name(to_text(name[6:]))
        if name.startswith('URI:'):
            return x509.UniformResourceIdentifier(to_text(name[4:]))
    except Exception as e:
        raise OpenSSLObjectError('Cannot parse Subject Alternative Name "{0}": {1}'.format(name, e))
    if ':' not in name:
        raise OpenSSLObjectError('Cannot parse Subject Alternative Name "{0}" (forgot "DNS:" prefix?)'.format(name))
    raise OpenSSLObjectError('Cannot parse Subject Alternative Name "{0}" (potentially unsupported by cryptography backend)'.format(name))
```

The documentation says it should support dirname but indeed it doesn’t. Can we amend the documentation?

Thanks,
Josh Goldman

Hi,

I am trying to specify O and CN

            authority_cert_issuer: 'dirName:O = Example Net, CN = example.net'
            authority_key_identifier: xxxxxxxx
            authority_cert_serial_number: xxxxxxxxx

I get the following error on playbook run.

    "msg": "Cannot parse Subject Alternative Name \"dirName:O = Packet Hosting\" (potentially unsupported by cryptography backend)"
[...]

The documentation says it should support dirname but indeed it
doesn't. Can we amend the documentation?

It does list it as a possible prefix for authorityCertIssuer, but IMO it
doesn't really say that it is actually supported :)

The main reason I didn't add support for dirName (and otherName and
RID) when adding the cryptography backend is that I wasn't very
familiar with them, and then I forgot about that and never followed up
on that. Also, so far, nobody asked for them or created a PR to add
them. (The same problem is true for subjectAltName, which in fact uses
the same code to parse the names.)

I've played around with it a bit today, and created a PR to add support
for these names (instead of removing them from the documentation). I
think that's the better way forward. Feel free to test it and/or give
it a review: https://github.com/ansible/ansible/pull/67669

Cheers,
Felix
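
How a `dirName:` value like the one in this thread can be split into ordered attribute pairs and turned into an `x509.DirectoryName`, as an added example that is not part of the thread and is not the code from the linked PR. The attribute subset in `ATTRS`, the backslash-escaped comma handling and the function names are assumptions made for illustration.

```python
import re

# Assumed subset of short attribute names, mapped to cryptography NameOID members.
ATTRS = {"C": "COUNTRY_NAME", "ST": "STATE_OR_PROVINCE_NAME",
         "L": "LOCALITY_NAME", "O": "ORGANIZATION_NAME",
         "OU": "ORGANIZATIONAL_UNIT_NAME", "CN": "COMMON_NAME"}


def parse_dir_name(value):
    """Split 'O = Example Net, CN = example.net' into ordered (attr, value) pairs."""
    pairs = []
    # Split on commas not preceded by a backslash, so 'O = Foo\, Inc' stays whole.
    for part in re.split(r"(?<!\\),", value):
        attr, sep, val = part.partition("=")
        attr, val = attr.strip(), val.strip().replace("\\,", ",")
        if not sep or not val:
            raise ValueError("expected ATTR = value, got {0!r}".format(part))
        if attr not in ATTRS:
            raise ValueError("unknown attribute {0!r}".format(attr))
        pairs.append((attr, val))
    return pairs


def split_general_name(name):
    """Return (prefix, payload); a dirName payload is parsed into pairs."""
    prefix, sep, rest = name.partition(":")
    if not sep:
        raise ValueError("missing prefix (such as DNS:) in {0!r}".format(name))
    if prefix == "dirName":
        return prefix, parse_dir_name(rest)
    if prefix in ("DNS", "IP", "email", "URI"):
        return prefix, rest
    raise ValueError("unsupported prefix {0!r}".format(prefix))


def to_directory_name(pairs):
    """Build x509.DirectoryName from the pairs (needs the cryptography package)."""
    from cryptography import x509
    from cryptography.x509.oid import NameOID
    return x509.DirectoryName(x509.Name(
        [x509.NameAttribute(getattr(NameOID, ATTRS[a]), v) for a, v in pairs]))


if __name__ == "__main__":
    # The value from the first post in this thread.
    print(split_general_name("dirName:O = Example Net, CN = example.net"))
```
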

Amazing!! Thank you, I am looking at the code now. Let me see if I can test it.