Description
SUMMARY
community.crypto.openssh_cert is unable to use stdio anymore on ansible 12. However, PKCS11 keys with "PIN: always" mandatorily require stdio access for the PIN, and will fail with a libcrypto error if stdio is detached. Unfortunately, stdio is force-detached in ansible 12.
The exact same playbook works if I switch back to ansible 10.
From ansible 12 porting guide: https://docs.ansible.com/ansible/latest/porting_guides/porting_guide_12.html
Task Execution / Forks - Forks no longer inherit stdio from the parent ansible-playbook process. stdout, stderr, and stdin within a worker are detached from the terminal, and non-functional. All needs to access stdio from a fork for controller side plugins requires use of Display.
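An added illustration of the failure mode described above, not code from community.crypto or ansible-core: a preflight check that spots the detached-stdin condition before ssh-keygen is ever invoked, plus a classifier for the stderr it produced in this report. The argument names `pkcs11_provider` and `use_agent` are the module arguments shown in the invocation further down; the sample stderr is constructed from the lines in the report.

```python
import os
from typing import Optional

# Constructed sample: the three stderr lines ssh-keygen printed in this report.
SAMPLE_STDERR = (
    "login failed\r\n"
    "pkcs11_get_key failed\r\n"
    "Couldn't certify key /tmp/ansible_key.pub: error in libcrypto\r\n"
)


def needs_interactive_pin(pkcs11_provider: Optional[str], use_agent: bool) -> bool:
    """True when ssh-keygen itself must collect the token PIN.

    With -D <provider> and no agent, ssh-keygen opens the PKCS#11 session
    directly and asks for the PIN on the controlling terminal.
    """
    return bool(pkcs11_provider) and not use_agent


def stdio_is_usable(fd: int = 0) -> bool:
    """Whether a PIN prompt on this descriptor could actually be answered.

    In an Ansible 12 worker stdin is detached, so this is False; a closed or
    invalid descriptor is treated as unusable rather than raising.
    """
    try:
        return os.isatty(fd)
    except (OSError, ValueError):
        return False


def preflight(pkcs11_provider: Optional[str], use_agent: bool, fd: int = 0) -> Optional[str]:
    """Return an actionable message if signing cannot succeed here, else None."""
    if needs_interactive_pin(pkcs11_provider, use_agent) and not stdio_is_usable(fd):
        return ("PKCS#11 signing key needs an interactive PIN but stdin is not a "
                "terminal; run the signing step in a process that owns a terminal.")
    return None


def classify_ssh_keygen_stderr(stderr: str) -> str:
    """Map ssh-keygen stderr to a cause; 'pkcs11_login' is the unanswered PIN prompt."""
    lines = [line.strip() for line in stderr.splitlines() if line.strip()]
    if "login failed" in lines and any(line.startswith("pkcs11_get_key") for line in lines):
        return "pkcs11_login"
    if any("error in libcrypto" in line for line in lines):
        return "libcrypto"
    return "unknown"
```

Calling `preflight(...)` at the top of the module's run path turns the opaque "error in libcrypto" into a message that names the missing terminal.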
ISSUE TYPE
- Bug Report
COMPONENT NAME
community.crypto.openssh_cert
ANSIBLE VERSION
ansible [core 2.19.2]
config file = None
configured module search path = ['/Users/<>/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /opt/homebrew/Cellar/ansible/12.0.0/libexec/lib/python3.13/site-packages/ansible
ansible collection location = /Users/<>/.ansible/collections:/usr/share/ansible/collections
executable location = /opt/homebrew/bin/ansible
python version = 3.13.7 (main, Aug 14 2025, 11:12:11) [Clang 17.0.0 (clang-1700.0.13.3)] (/opt/homebrew/Cellar/ansible/12.0.0/libexec/bin/python)
jinja version = 3.1.6
pyyaml version = 6.0.2 (with libyaml v0.2.5)
COLLECTION VERSION
ansible_collections
Collection Version
---------------- -------
community.crypto 2.22.3
CONFIGURATION
CONFIG_FILE() = None
EDITOR(env: EDITOR) = emacs
PAGER(env: PAGER) = less
OS / ENVIRONMENT
macos 26.0
yubikey
PKCS11 library: libykcs11.dylib
STEPS TO REPRODUCE
Use community.crypto.openssh_cert to generate a certificate signed with yubikey PKCS11 keys that have PIN: always set.
EXPECTED RESULTS
A certificate signed with specified PKCS11 key is successfully generated.
ACTUAL RESULTS
[ERROR]: Task failed: Module failed: login failed
pkcs11_get_key failed
Couldn't certify key /Users/<>/.ansible/tmp/ansible-tmp-1758345613.400053-43322-223437183479596/ansible_key.pub: error in libcrypto
Origin: <>:18:3
16 run_once: true
17
18 - name: Generate an OpenSSH user certificate
^ column 3
fatal: [<>-> 127.0.0.1]: FAILED! => {
"changed": false,
"cmd": "/opt/homebrew/bin/ssh-keygen -s /Users/<>/.ssh/nano_sig.pub -P '' -I '' -D /usr/local/lib/libykcs11.dylib -n ansible -V 20250920052013:20250920132013 /Users/<>/.ansible/tmp/ansible-tmp-1758345613.400053-43322-223437183479596/ansible_key.pub",
"invocation": {
"module_args": {
"attributes": null,
"force": false,
"group": null,
"identifier": null,
"ignore_timestamps": false,
"mode": null,
"options": null,
"owner": null,
"path": "/Users/<>/.ssh/ansible_key-cert.pub",
"pkcs11_provider": "/usr/local/lib/libykcs11.dylib",
"principals": [
"ansible"
],
"public_key": "/Users/<>/.ssh/ansible_key.pub",
"regenerate": "partial_idempotence",
"selevel": null,
"serial_number": null,
"serole": null,
"setype": null,
"seuser": null,
"signature_algorithm": null,
"signing_key": "/Users/<>/.ssh/nano_sig.pub",
"state": "present",
"type": "user",
"unsafe_writes": false,
"use_agent": false,
"valid_at": null,
"valid_from": "+0s",
"valid_to": "+8h"
}
},
"msg": "login failed\r\npkcs11_get_key failed\r\nCouldn't certify key /Users/<>/.ansible/tmp/ansible-tmp-1758345613.400053-43322-223437183479596/ansible_key.pub: error in libcrypto",
"rc": 255,
"stderr": "login failed\r\npkcs11_get_key failed\r\nCouldn't certify key /Users/<>/.ansible/tmp/ansible-tmp-1758345613.400053-43322-223437183479596/ansible_key.pub: error in libcrypto\r\n",
"stderr_lines": [
"login failed",
"pkcs11_get_key failed",
"Couldn't certify key /Users/<>/.ansible/tmp/ansible-tmp-1758345613.400053-43322-223437183479596/ansible_key.pub: error in libcrypto"
],
"stdout": "",
"stdout_lines": []
}