[Bug]: x509_v2 module can't be used with salt-ssh

[baby-gnu]

What happened?

The x509_v2 module is not available in salt-ssh despite being configured:

ssh_minion_opts:
  log_level: debug
  features:
    x509_v2: true

salt-ssh minion2 x509.expires '/tmp/my.crt' days=7

minion2:
    ----------
    _error:
        The command resulted in a non-zero exit code
    parsed:
        None
    retcode:
        255
    stderr:
        'x509' __virtual__ returned False: Superseded, using x509_v2
    stdout:

I attach the debug salt-call.log from the minion:

salt-call.log

Type of salt install

Official deb

Major version

3007.x

What supported OS are you seeing the problem on? Can select multiple. (If bug appears on an unsupported OS, please open a GitHub Discussion instead)

debian-12

salt --versions-report output

Salt Version:
          Salt: 3007.11
 
Python Version:
        Python: 3.10.19 (main, Jan  7 2026, 23:50:47) [GCC 11.2.0]
 
Dependency Versions:
          cffi: 2.0.0
      cherrypy: 18.8.0
  cryptography: 42.0.5
      dateutil: 2.8.2
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.6
       libgit2: Not Installed
  looseversion: 1.3.0
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.7
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 24.0
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.19.1
        pygit2: Not Installed
  python-gnupg: 0.5.2
        PyYAML: 6.0.1
         PyZMQ: 25.1.2
        relenv: 0.22.2
         smmap: Not Installed
       timelib: 0.3.0
       Tornado: 6.5.4
           ZMQ: 4.3.4
 
Salt Package Information:
  Package Type: onedir
 
System Versions:
          dist: debian 12.13 bookworm
        locale: utf-8
       machine: x86_64
       release: 6.1.0-42-amd64
        system: Linux
       version: Debian GNU/Linux 12.13 bookworm

[lkubb]

The error message is a red herring, it's shown because your configuration successfully disables the deprecated x509 modules, but the x509_v2 execution module crashes when it's loaded.

The crash is caused by a missing cryptography in the system Python:

2026-01-13 09:56:35,048 [salt.loader.lazy :917 ][DEBUG   ][39996] Failed to import utils x509:
Traceback (most recent call last):
  File "/tmp/.thin_dir/pyall/salt/loader/lazy.py", line 902, in _load_module
    self.run(spec.loader.exec_module, mod)
  File "/tmp/.thin_dir/pyall/salt/loader/lazy.py", line 1365, in run
    return self._last_context.run(self._run_as, _func_or_method, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/.thin_dir/pyall/salt/loader/lazy.py", line 1380, in _run_as
    ret = _func_or_method(*args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen importlib._bootstrap_external>", line 940, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/tmp/.thin_dir/running_data/var/cache/salt/minion/extmods/utils/x509.py", line 12, in <module>
    import cryptography
ModuleNotFoundError: No module named 'cryptography'

It seems you are distributing a custom x509 utils module (File "/tmp/.thin_dir/running_data/var/cache/salt/minion/extmods/utils/x509.py") and x509_v2 execution module (the one in Salt core imports salt.utils.x509 directly while guarding against an ImportError):

salt/salt/modules/x509_v2.py

Lines 178 to 186 in 62a7bb0

	try:
	import cryptography.x509 as cx509
	from cryptography.hazmat.primitives import hashes, serialization
	import salt.utils.x509 as x509util
	HAS_CRYPTOGRAPHY = True
	except ImportError:
	HAS_CRYPTOGRAPHY = False