Fix x509_crl mode parameter and auto-fix Python linting

- Remove deprecated 'mode' parameter from x509_crl task
- Add separate file task to set CRL permissions (0644)
- Auto-fix Python datetime import (use datetime.UTC alias)

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

roles/strongswan/tasks/openssl.yml

@@ -246,6 +246,10 @@
         issuer:
           CN: "{{ IP_subject_alt_name }}"
         revoked_certificates: "{{ revoked_certificates }}"
+
+    - name: Set CRL file permissions
+      file:
+        path: "{{ ipsec_pki_path }}/crl.pem"
         mode: "0644"
   delegate_to: localhost
   become: false

tests/unit/test_openssl_compatibility.py

@@ -10,6 +10,7 @@ import os
 import re
 import subprocess
 import sys
+from datetime import UTC
 
 from cryptography import x509
 from cryptography.x509.oid import ExtensionOID, NameOID
@@ -423,8 +424,8 @@ def validate_certificate_chain_real(cert_files):
         assert certificate.issuer == ca_certificate.subject, f"Certificate {cert_path} not signed by CA"
 
         # Verify certificate is currently valid (not expired)
-        from datetime import datetime, timezone
-        now = datetime.now(timezone.utc)
+        from datetime import datetime
+        now = datetime.now(UTC)
         assert certificate.not_valid_before <= now, f"Certificate {cert_path} not yet valid"
         assert certificate.not_valid_after >= now, f"Certificate {cert_path} has expired"
 

uv.lock

@@ -1,6 +1,6 @@
 version = 1
 revision = 2
-requires-python = ">=3.10"
+requires-python = ">=3.11"
 
 [[package]]
 name = "algo"