F5Networks / f5-ansible-bigip

Declarative Ansible collection for managing F5 BIG-IP/BIG-IQ.

bigip_sslo_config_ssl issue - incorrect default block_expired and block_untrusted values #39

Closed kevingstewart closed 1 year ago

kevingstewart commented 1 year ago
COMPONENT NAME

bigip_sslo_config_ssl

Environment

ANSIBLE VERSION
ansible [core 2.12.5]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.8/dist-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.8.10 (default, Mar 15 2022, 12:22:08) [GCC 9.4.0]
  jinja version = 3.1.2
  libyaml = True
BIGIP VERSION
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.3.2
  Build       0.0.4
  Edition     Point Release 2
  Date        Wed Sep 14 08:12:07 PDT 2022
SSL ORCHESTRATOR VERSION
9.3.41
CONFIGURATION

No specific system/ansible configuration changes

OS / ENVIRONMENT
Ubuntu 20.04
Python 3.8.10
SUMMARY

Forward Proxy "block_expired" and "block_untrusted" should default to "no" (false) unless specified. Also, these settings seem to have no effect unless you run the playbook twice. The correct settings should be "drop" and "ignore", with "ignore" being the default for forward proxy, and "drop" being the default for reverse proxy.

STEPS TO REPRODUCE
---
# Reference: https://clouddocs.f5.com/products/orchestration/ansible/devel/f5_bigip/modules_2_0/bigip_sslo_config_ssl_module.html#bigip-sslo-config-ssl-module-2

- name: Create SSLO SSL Outbound Configuration
  hosts: all
  gather_facts: False

  collections:
    - f5networks.f5_bigip
  connection: httpapi

  vars:
    #ansible_host: "172.16.1.83"
    ansible_httpapi_port: 443
    ansible_user: "admin"
    ansible_httpapi_password: "admin"
    ansible_network_os: f5networks.f5_bigip.bigip
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no

  tasks:
    ## import cert/key
    - name: Import CA cert/key
      bigip_ssl_key_cert:
        key_content: "{{ lookup('file', 'certs/subrsa.f5labs.com.pemk') }}"
        key_name: subrsa.f5labs.com
        cert_content: "{{ lookup('file', 'certs/subrsa.f5labs.com.crt') }}"
        cert_name: subrsa.f5labs.com

    ## SSL Configuration (simple)
    - name: Create an SSLO outbound SSL config
      bigip_sslo_config_ssl:
        name: "sslconfig"
        state: "absent"
        client_settings:
          proxy_type: "forward"
          ca_cert: "/Common/subrsa.f5labs.com.crt"
          ca_key: "/Common/subrsa.f5labs.com.key"
        server_settings:
          block_expired: false
          block_untrusted: false
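As an added illustration of the two points in the report above (not code from the f5networks.f5_bigip collection or from the reporter), the Python below models the default resolution the issue asks for, forward proxy defaulting to "ignore" and reverse proxy to "drop" with playbook booleans normalised onto those two strings, and a small harness that counts how many runs report a change, which is how a reviewer would detect the "only takes effect on the second run" symptom. All function names are hypothetical, and the lagging applier is a constructed stand-in for the observed symptom, not the collection's actual defect.

```python
"""Model of SSLO server_settings defaults and an idempotency check.

Added example; not part of f5networks.f5_bigip. Names are hypothetical.
"""

FORWARD = "forward"
REVERSE = "reverse"
VALID_ACTIONS = ("ignore", "drop")

# Defaults as stated in the issue: forward proxy -> "ignore", reverse -> "drop".
PROXY_DEFAULTS = {FORWARD: "ignore", REVERSE: "drop"}

# Playbook booleans map onto the two actions: block -> "drop", don't block -> "ignore".
BOOL_TO_ACTION = {True: "drop", False: "ignore"}

SETTING_KEYS = ("block_expired", "block_untrusted")


def resolve_server_settings(proxy_type, server_settings=None):
    """Return the effective block_expired / block_untrusted actions.

    Keys missing from server_settings take the per-proxy-type default;
    booleans are normalised to the "drop"/"ignore" strings; anything else
    is rejected so a typo cannot silently become a weaker setting.
    """
    if proxy_type not in PROXY_DEFAULTS:
        raise ValueError(f"unknown proxy_type {proxy_type!r}")
    default = PROXY_DEFAULTS[proxy_type]
    given = server_settings or {}
    resolved = {}
    for key in SETTING_KEYS:
        value = given.get(key, default)
        if isinstance(value, bool):
            value = BOOL_TO_ACTION[value]
        if value not in VALID_ACTIONS:
            raise ValueError(f"{key}: expected one of {VALID_ACTIONS}, got {value!r}")
        resolved[key] = value
    return resolved


def plan_update(current, desired):
    """Return only the desired keys whose value differs from the current state."""
    return {k: v for k, v in desired.items() if current.get(k) != v}


def converge(state, desired):
    """Idempotent applier: writes the diff and reports whether anything changed."""
    changes = plan_update(state, desired)
    new_state = dict(state)
    new_state.update(changes)
    return new_state, bool(changes)


def make_lagging_apply():
    """Constructed stand-in for the symptom in the issue: run N reports a
    change, but the values only land on run N+1. A model of the observed
    behaviour only, not the collection's real cause."""
    pending = {}

    def apply(state, desired):
        new_state = dict(state)
        new_state.update(pending)  # whatever the previous run left behind
        pending.clear()
        changes = plan_update(new_state, desired)
        pending.update(changes)  # written on the *next* run, not this one
        return new_state, bool(changes) or new_state != state

    return apply


def changing_runs(apply, initial_state, desired, max_runs=5):
    """Run `apply` until a run reports no change; return (changing_runs, state).

    A correct module converges in exactly one changing run (or zero when the
    device already matches). Two or more reproduces the report above.
    """
    state = dict(initial_state)
    count = 0
    for _ in range(max_runs):
        state, changed = apply(state, desired)
        if not changed:
            return count, state
        count += 1
    return count, state


if __name__ == "__main__":
    # Constructed device state: a reverse-proxy style "drop"/"drop" config.
    device = {"block_expired": "drop", "block_untrusted": "drop"}
    wanted = resolve_server_settings(FORWARD, {"block_expired": False, "block_untrusted": False})
    print("idempotent applier:", changing_runs(converge, device, wanted))
    print("lagging applier:   ", changing_runs(make_lagging_apply(), device, wanted))
```

The harness takes any `apply(state, desired) -> (new_state, changed)` callable, so the same check can wrap a real module invocation in a test: more than one changing run against a fixed desired state is the signal to look for.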

KrithikaChidambaram commented 1 year ago

Hi, internal ID to track this item is: INFRAANO-927, thanks!

pgouband commented 1 year ago

Hi, issue fixed in the December 2022 release; please open a new issue if you see any problem.