The cert ID cannot be computed if the certificate has no AKI.

This happens with older Pebble versions, which are used when testing against older ansible-core/-base/Ansible versions.
ansible-collections · May 4, 2024 · 5e71e1e · 5e71e1e
1 parent c0930e9
commit 5e71e1e
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/plugins/module_utils/acme/utils.py b/plugins/module_utils/acme/utils.py
@@ -109,7 +109,7 @@ def compute_cert_id(backend, cert_info=None, cert_filename=None, cert_content=No
 
     # Convert Authority Key Identifier to string
     if cert_info.authority_key_identifier is None:
-        raise ModuleFailException('Module has no Authority Key Identifier extension')
+        raise ModuleFailException('Certificate has no Authority Key Identifier extension')
     aki = to_native(base64.urlsafe_b64encode(cert_info.authority_key_identifier)).replace('=', '')
 
     # Convert serial number to string

diff --git a/plugins/modules/acme_certificate_renewal_info.py b/plugins/modules/acme_certificate_renewal_info.py
@@ -123,7 +123,7 @@
 cert_id:
   description:
     - The certificate ID according to the L(ARI specification, https://www.ietf.org/archive/id/draft-ietf-acme-ari-03.html#section-4.1).
-  returned: success and the certificate exists
+  returned: success, the certificate exists, and has an Authority Key Identifier X.509 extension
   type: str
   sample: aYhba4dGQEHhs3uEe6CuLN4ByNQ.AIdlQyE
 '''
@@ -186,8 +186,11 @@ def complete(should_renew, **kwargs):
             cert_filename=module.params['certificate_path'],
             cert_content=module.params['certificate_content'],
         )
-        cert_id = compute_cert_id(backend, cert_info=cert_info)
-        result['cert_id'] = cert_id
+        cert_id = None
+        if cert_info.authority_key_identifier is not None:
+            cert_id = compute_cert_id(backend, cert_info=cert_info)
+        if cert_id is not None:
+            result['cert_id'] = cert_id
 
         if module.params['now']:
             now = backend.parse_module_parameter(module.params['now'], 'now')
@@ -198,7 +201,7 @@ def complete(should_renew, **kwargs):
             complete(True, msg='The certificate has already expired')
 
         client = ACMEClient(module, backend)
-        if module.params['use_ari'] and client.directory.has_renewal_info_endpoint():
+        if cert_id is not None and module.params['use_ari'] and client.directory.has_renewal_info_endpoint():
             renewal_info = client.get_renewal_info(cert_id=cert_id)
             window_start = backend.parse_acme_timestamp(renewal_info['suggestedWindow']['start'])
             window_end = backend.parse_acme_timestamp(renewal_info['suggestedWindow']['end'])