This project adheres to Semantic Versioning and keeps a human-readable changelog.

The current role maintainer is drybjed.

debops.pki master - unreleased


  • Add custom pre and post task hooks to allow more flexibility with PKI management. [muelli]
  • Support to change or disable CRL and OCSP for PKI authorities using item.crl and item.ocsp. [ypid]
  • Use X.509 Name Constraints to limit PKI authorities to item.domain by default. This greatly reduces the damage that a compromised PKI authority (which is trusted by the cluster by default) could do. Previously, any CA managed by debops.pki could issue certificates for any domain and clients would accept them, which is probably not what you want. Use item.name_constraints if you want to change the default. Note that this new default is only effective for newly created CAs. Refer to A Web PKI x509 certificate primer for details. [ypid]
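The Name Constraints change above is only useful if relying parties enforce the extension, so the following added example (not debops.pki code, and not part of the original changelog) shows what a validator does with it: the RFC 5280 dNSName subtree rule, excluded-over-permitted precedence, and the intersection of constraints down a chain. The domain "example.com" and the leaf SAN lists are constructed sample input; the leading-dot behaviour follows OpenSSL and is not defined by the RFC.

```python
# Added illustration: RFC 5280 dNSName Name Constraints as a relying party
# applies them. Not debops.pki code; the domain "example.com" and the leaf
# SAN lists below are constructed sample input.
from dataclasses import dataclass, field
from typing import Iterable, List, Sequence


def _labels(name: str) -> List[str]:
    """Lower-cased DNS labels, without a trailing root dot or empty labels."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def dns_name_in_subtree(name: str, base: str) -> bool:
    """True if `name` lies in the subtree rooted at `base` (RFC 5280 4.2.1.10).

    A dNSName matches when it equals the base or is formed by prepending one or
    more labels to it: under "example.com", "www.example.com" matches but
    "notexample.com" and "example.com.evil.test" do not. An empty base matches
    everything. RFC 5280 does not define a base with a leading dot; like
    OpenSSL's nc_dns(), treat ".example.com" as matching proper subdomains only.
    """
    base_labels = _labels(base)
    if not base_labels:
        return True
    name_labels = _labels(name)
    if len(name_labels) < len(base_labels):
        return False
    if base.startswith(".") and len(name_labels) == len(base_labels):
        return False
    return name_labels[-len(base_labels):] == base_labels


@dataclass
class DnsNameConstraints:
    """The dNSName part of one CA's NameConstraints extension."""
    permitted: List[str] = field(default_factory=list)
    excluded: List[str] = field(default_factory=list)

    def allows(self, name: str) -> bool:
        # Excluded subtrees take precedence; with no permitted dNSName
        # subtrees at all, every dNSName that is not excluded is acceptable.
        if any(dns_name_in_subtree(name, b) for b in self.excluded):
            return False
        if not self.permitted:
            return True
        return any(dns_name_in_subtree(name, b) for b in self.permitted)

    def rejected_sans(self, san_dns_names: Iterable[str]) -> List[str]:
        """dNSName SANs a validator would reject; the leaf passes only if empty."""
        return [n for n in san_dns_names if not self.allows(n)]


def chain_rejected_sans(path: Sequence[DnsNameConstraints],
                        san_dns_names: Iterable[str]) -> List[str]:
    """Apply every CA on the path. RFC 5280 intersects permitted subtrees and
    unions excluded ones down the chain, which is the same as requiring each
    CA's constraints to accept the name individually."""
    return [n for n in san_dns_names if any(not ca.allows(n) for ca in path)]


def demo():
    # Constructed: a realm CA constrained to item.domain = "example.com"
    # (the new default) versus an unconstrained CA (the previous behaviour).
    constrained = DnsNameConstraints(permitted=["example.com"])
    legacy = DnsNameConstraints()
    # Wildcard leaf: RFC 5280 leaves "*" undefined; OpenSSL treats it as a label.
    in_domain = ["example.com", "www.example.com", "*.example.com"]
    rogue = ["www.example.com", "login.bank.test", "example.com.evil.test"]
    return {
        "constrained_in_domain": constrained.rejected_sans(in_domain),
        "constrained_rogue": constrained.rejected_sans(rogue),
        "legacy_rogue": legacy.rejected_sans(rogue),
    }


if __name__ == "__main__":
    for key, rejected in demo().items():
        print(f"{key}: rejected {rejected}")
```

Run it and the constrained CA's certificate for "login.bank.test" is refused while the unconstrained one passes everything, which is the exposure the new default removes; the caveat from the entry still applies, because a CA created before this change carries no such extension until it is recreated.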

debops.pki v0.2.14 - 2016-11-21



  • Change the method that Bash scripts use to compare the version numbers for a more reliable one. [drybjed]
  • Documentation improvements. [ypid]
  • Remove the www subdomain from list of default ACME subdomains. This should make configuration of ACME certificates easier. [drybjed]
  • Make sure that the domain PKI realm by default adds the host FQDN to the list of Subject Alt Names of a certificate. This should solve an issue with some software which cannot deal with wildcard hostnames properly. [drybjed]


  • Fix an error where certain versions of GnuTLS certtool did not support the "URI" SubjectAltName, which resulted in an abort and certificate requests not being generated correctly. The "URI" SANs are now only added when a certtool version that supports them is available. [drybjed]
  • Fix an issue where ACME certificate requests were not performed correctly on Ubuntu hosts because the default umask of user accounts is 0007, which left the web server unable to read and serve the ACME challenge responses. A correct umask is now set for the acme-tiny script, so that ACME responses are world-readable. [drybjed]
  • Fix an error in the pki-authority script, which invoked a Python print call that is unsupported in modern Python versions; the call now works on both Python 2.x and 3.x. [yuvadm]
  • Don't use MD5 or other hash functions to sanitize program STDOUT for later comparison; a simple base64 encoding is enough. [ypid]
  • Also run pki-realm new-realm against realms with disabled internal CA. [ypid]
  • Reviewed the role. Fixed potential shell script issues reported by shellcheck and added CI tests using shellcheck. [ypid]
  • Use the group id instead of the group name (id -g instead of id -gn) in pki-realm and pki-authority to cope with group names containing spaces, which can happen when LDAP is used. [zpfvo]

debops.pki v0.2.13 - 2016-07-07


  • Update the Changelog with links to change diffs on GitHub. [drybjed]
  • Include the COPYRIGHT file in the RST documentation. [drybjed]
  • Update the .travis.yml configuration file. [drybjed]

debops.pki v0.2.12 - 2016-07-06


  • The session token is now generated using SHA-256 hashing algorithm instead of MD5. [drybjed]
  • Move the copyright information to a COPYRIGHT file in the main directory. [drybjed]
  • Move the example playbook to an external, separate file. [drybjed]

debops.pki v0.2.11 - 2016-07-05


  • Ensure that highly sensitive files are not checked into version control when, for example, etckeeper is used to track changes in /etc. Note that sensitive files which are already tracked by version control need to be removed from the version control history manually! Refer to pki_vcs_ignore_patterns_role for more details. [ypid]


  • Convert Changelog to the new format. [drybjed]


  • The PKI session token is now generated once for all hosts, by delegating the task to Ansible Controller. This fixes a bug with Ansible Playbook runs on multiple hosts at once, where only one host would receive the certificates at a time. [drybjed]

debops.pki v0.2.10 - 2016-06-14


  • Documentation fixes and improvements. Made variable names hyperlinks using the Sphinx any role, which also ensures that the variables the documentation refers to actually exist. [ypid]
  • Assert that required dependencies are met. [ypid]
  • Use pki_ca_library variable to select correct crypto library for assertion. [drybjed]
  • Don't assert crypto library version or bash version on Ansible Controller if no internal Certificate Authority is enabled. In this case they are not relevant for debops.pki operation. [drybjed]

debops.pki v0.2.9 - 2016-06-01


  • Expose the list with order of authority preference used by a PKI realm to select active valid certificate in role default variables. [drybjed]
  • Add support for creation of self-signed certificates when internal CA is disabled. This enables proper operation of other services like nginx, which can then be used to request and authenticate ACME certificates. [drybjed]

debops.pki v0.2.8 - 2016-05-05


  • Add support for setting filesystem ACL entries for private directories and files. [drybjed]


  • Include realms defined in pki_default_realms in tasks that copy files from Ansible Controller depending on an Ansible inventory group. [drybjed]

debops.pki v0.2.7 - 2016-05-03


  • Documentation improvements. Fixed examples, spelling, grammar and Sphinx inline syntax. [ypid]
  • Don't rely on the value of the special variable omit having enough entropy (or any entropy at all) to serve as the PKI session token. Although using the omit variable this way is quite creative and was suggested by one of the Ansible core developers, it does not meet the quality and maintainability standards of the DebOps project. The random Jinja filter is now used as the random source; it is more explicit, has proper entropy and is less hacky. [ypid]
  • Honor the value of ansible_local.root.lib. Previously, using another value than /usr/local/lib would have broken the role. [ypid]
  • Only use pki_fact_lib_path inside of quotes as this value could contain whitespace characters. [ypid]

debops.pki v0.2.6 - 2016-04-12


  • Convert ACME intermediate certificate from DER to PEM format automatically. [drybjed]
  • Make sure that role works with older debops.nginx deployments, which didn't support ACME integration. [drybjed]

debops.pki v0.2.5 - 2016-03-02


debops.pki v0.2.4 - 2016-02-21


  • Use a more portable "shebang" string in Bash scripts. [drybjed]

  • Provide a portable dnsdomainname alternative function which works on operating systems where that command is not present. [drybjed]

  • Use short hostname -f argument for portability. [drybjed]

  • Update support for the subjectAltName extension in certificates. Currently only IP addresses, DNS names, URIs and email addresses are supported. [drybjed]

  • Document pki_realms lists. [drybjed]

  • Redesign the secret/pki/ca-certificates/ directory. It's now based on Ansible inventory groups and allows distribution of CA certificates to all hosts, specific host groups, or specific hosts. [drybjed]

  • Don't update symlinks if the target is correct. [drybjed]

  • Split file signature creation and verification. This allows checking if the file signature is correct without updating it, so that it can be performed at different stages of the script. [drybjed]

  • Make sure that request generation works without subdomains and SANs present. [drybjed]

  • Automatically reset incomplete internal certificate requests.

    If a certificate does not exist in the realm and internal certificates are enabled, something must have gone wrong with the certificate signing. To recover, the generated configuration file and CSR are removed so that they can be recreated later in the script with the current session token and not be rejected by the internal CA. [drybjed]

  • Change the way ACME intermediate CA certificate is downloaded.

    Instead of using a static URL to download the intermediate certificate, the pki-realm script now reads the "CA Issuers" URI from the certificate and downloads the intermediate from it. The URI is stored and compared on later runs, so the intermediate certificate is only downloaded again when a new certificate carries a different URI, not every time the pki-realm script is run. [drybjed]

  • Slight changes in certificate chaining logic, to ensure that when certificates are changed, all generated chained certificate files are correctly updated. [drybjed]

debops.pki v0.2.3 - 2016-02-08


  • Replace the example hook script with something that actually works. [drybjed]
  • Fix deprecation warnings in Ansible 2.1.0. [drybjed]

debops.pki v0.2.2 - 2016-02-03


  • Add support for Diffie-Hellman parameters appended to certificate chains. DHE parameters are managed by debops.dhparam Ansible role. [drybjed]


  • When an active authority directory is changed, correctly clean up files not present in the new authority directory and symlinks without existing targets. [drybjed]
  • Do not enable PKI support on remote hosts without a defined domain. Without this, applications try to use non-existent X.509 certificates and fail. [drybjed]
  • Make system PKI realm selection idempotent. Now, if another role changes the default system realm, running debops.pki role without that override will keep the realm specified in Ansible local facts. [drybjed]
  • Make sure that CA organization is non-empty. If a host domain is not configured correctly, hostname will be used instead. This makes some of the URLs in created CA certificates incorrect, but the debops.pki role works fine otherwise, and internal Certificate Authorities are easy to recreate with correct configuration. [drybjed]
  • Change the file tracked by the PKI realm creation task to be the realm private key instead of the certificate. This allows for realms that only contain Root CA certificates and does not create idempotency issues. [drybjed]
  • Do not create a cron task when support for PKI is disabled on a host. [drybjed]

debops.pki v0.2.1 - 2016-02-01


  • Update old README with new documentation. [drybjed]

debops.pki v0.2.0 - 2016-02-01


  • Replace the old debops.pki role with a new, redesigned version. Some additional code, variable cleanup and documentation are still missing, but the role is usable at this point. [drybjed]

debops.pki v0.1.0 - 2016-01-04


  • Add support for managing the list of active Root CA Certificates in /etc/ca-certificates.conf. Current set of active Root CA Certificates is preserved. [drybjed]
  • Add a way to copy arbitrary files from Ansible Controller to remote host PKI directories. [drybjed]
  • Expose ansible_fqdn variable as pki_fqdn so that it can be overridden if necessary. [drybjed]


  • Reorder Changelog entries. [drybjed]


  • Remove Diffie-Hellman parameter support from the role, it's now managed by a separate debops.dhparam Ansible role. Existing hosts won't be affected. [drybjed]