F5Networks / f5-ansible

Imperative Ansible modules for F5 BIG-IP products
GNU General Public License v3.0

Error with validate_certs using bigip_file_copy #1065

Closed onurbrc closed 5 years ago

onurbrc commented 5 years ago
ISSUE TYPE
COMPONENT NAME

bigip_file_copy

ANSIBLE VERSION
ansible 2.7.0
  python version = 2.7.15rc1 (default, Apr 15 2018, 21:51:34) [GCC 7.3.0]
PYTHON VERSION
 python version = 2.7.15rc1
BIGIP VERSION
BIG-IP 12.1.3 Build 0.0.378 Final
LIBRARY VERSIONS
bigsuds==1.0.6
f5-sdk==3.0.18
CONFIGURATION
callback_whitelist = profile_tasks
ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
OS / ENVIRONMENT
Distributor ID: Ubuntu
Description:    Ubuntu 18.04 LTS
Release:        18.04
SUMMARY

Hello,

I don't know if I'm doing something wrong, but iControl seems to ignore "validate_certs: no" using the bigip_file_copy module. I'm using the updated icontrol.py to run bigip_file_copy and bigip_monitor_external associated with issue #778.

STEPS TO REPRODUCE

TMSH commands:

```yaml
  tasks:

    - name: Script file transfer using rest
      bigip_file_copy:
        name: monitor1
        source: "{{ file_path }}/monitordns.sh"
        datastore: external-monitor
        partition: "{{ partition_zone | default('Common') }}"
        user: "{{ bigip_user }}"
        server: "{{ bigip_hostname }}"
        password: "{{ bigip_password }}"
        validate_certs: no
      delegate_to: localhost

    - name: Using external file within external monitor
      bigip_monitor_external:
        name: test
        external_program: monitor1
        partition: "{{ partition_zone | default('Common') }}"
        user: "{{ bigip_user }}"
        server: "{{ bigip_hostname }}"
        password: "{{ bigip_password }}"
        validate_certs: no
      delegate_to: localhost
...
```
EXPECTED RESULTS

```text
(/internet)(tmos)# list sys file external-monitor
sys file external-monitor monitordns {
    checksum SHA1:2078:a9b1497c1ed89d9a166304ef52ae914735deee61
    create-time 2018-11-15:07:46:24
    created-by admin
    last-update-time 2018-11-15:07:46:24
    mode 33261
    partition internet
    revision 1
    size 2078
    source-path file:///config/monitors/monitordns.sh
    updated-by admin
}
```
ACTUAL RESULTS

```text
FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "auth_provider": null,
            "datastore": "external-monitor",
            "force": false,
            "name": "monitor1",
            "partition": "internet",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "provider": {
                "auth_provider": null,
                "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "server": "10.10.10.2",
                "server_port": null,
                "ssh_keyfile": null,
                "timeout": null,
                "transport": "rest",
                "user": "admin",
                "validate_certs": false
            },
            "server": "10.10.10.2",
            "server_port": null,
            "source": "/home/ansible/files/monitordns.sh",
            "state": "present",
            "transport": null,
            "user": "admin",
            "validate_certs": false
        }
    },
    "msg": "Unable to connect to 10.10.10.2 on port 443. The reported error was \"Failed to validate the SSL certificate for 10.10.10.2:443. Make sure your managed systems have a valid CA certificate installed. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible. The exception msg was: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726).\"."
}
```
caphrim007 commented 5 years ago

@onurbrc how did you "install" the module? did you use it through the f5devcentral.f5ansible galaxy role?

caphrim007 commented 5 years ago

@onurbrc I cannot reproduce this using the galaxy role. I think there's a misconfiguration on your end.

onurbrc commented 5 years ago

@caphrim007 I was using the module ad hoc. I have also created a playbook after I downloaded the update of bigip_file_copy and its dependencies, module_utils/network/f5/icontrol.py. I'll check my actions again using those tasks above.

Thanks in advance.

onurbrc commented 5 years ago

@caphrim007

I just tested again after reviewing the parameters. I still have the error message telling me to use validate_certs=False. But I was using it already. In my tasks I specify "validate_certs: no".

I'm using Ansible 2.7 and the latest icontrol.py. Should I have updated another library?

caphrim007 commented 5 years ago

@onurbrc install this galaxy role via the instructions on the README page

https://galaxy.ansible.com/f5devcentral/f5ansible

and then modify a playbook (as shown in the instructions) to see if it makes a difference.

onurbrc commented 5 years ago

@caphrim007 YES !!! \o/ It worked properly. Thanks.

But I'm a little bit lost now. What was the problem? I surely did something wrong, but I don't know what.

So, I must use role: f5devcentral.f5ansible before tasks while waiting for a stable version? I'm asking because I don't use ansible-galaxy very much. Sorry.

Thanks very much. ;-)

caphrim007 commented 5 years ago

I'm not sure what the problem was. I would guess it's some difference in module utils in your installation.

The galaxy role is for people who need solutions "now" and not "4 months from now". Since Ansible itself is released quarterly, and the F5 team makes enhancements and fixes daily, there is a significant waiting period in place before you the customer can get these fixes and enhancements.

Galaxy is the method we use to package up our current development code for faster public consumption.

The galaxy role is essentially what you'll get automatically when you upgrade to the next stable version of Ansible. Except...you can get it today, and you don't need to worry about screwing up your existing ansible installation to make it work.

For instance, if you install it and it doesn't work, then you can just comment out the roles section that you added to include the galaxy role.

For people like yourself that interact with the developers on GitHub, the Galaxy approach is far more suitable (i.e. easier and less error-prone) than trying to do it yourself by copying files around.

You can force-install the galaxy role daily because we build it nightly at midnight Pacific time. Alternatively, we also release it bi-weekly on Fridays (also Pacific time) for those who don't want to upgrade every night.

In terms of stability, the galaxy role is technically considered "development" and "unstable". However, with that said, it is also the most up-to-date and if there are bugs, they are fixed much faster than what you get in Ansible itself.

I personally consider the galaxy role as relatively stable code because it is ultimately what will be included in the next stable version of Ansible.

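The suspected cause above is a module_utils mismatch after files were copied around by hand. The following diagnostic, an added example and not part of the issue or the f5-ansible project, walks the controller's Python path (plus `~/.ansible/roles`, an assumed location for the galaxy role) and reports every copy of `module_utils/network/f5/icontrol.py` together with a content hash, so copies that differ from one another stand out before any playbook is run.

```python
"""Find every copy of Ansible's F5 module_utils file icontrol.py visible to
the controller and flag copies whose contents differ.

Assumes the standard layout .../module_utils/network/f5/icontrol.py.
Search roots default to sys.path and ~/.ansible/roles (an assumption);
explicit roots can be passed, e.g. for a constructed test tree."""
import hashlib
import os
import sys
from collections import defaultdict

# Directory suffix that identifies the F5 module_utils package.
F5_UTILS_DIR = os.path.join("module_utils", "network", "f5")


def sha256_of(path):
    """Content hash so two copies can be compared without reading them by eye."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_icontrol_copies(roots):
    """Return {absolute path: sha256} for every icontrol.py under the roots."""
    found = {}
    for root in roots:
        if not os.path.isdir(root):
            continue  # sys.path often lists directories that do not exist
        for dirpath, _dirs, files in os.walk(root):
            if dirpath.endswith(F5_UTILS_DIR) and "icontrol.py" in files:
                path = os.path.abspath(os.path.join(dirpath, "icontrol.py"))
                found[path] = sha256_of(path)
    return found


def group_by_content(found):
    """Map each distinct content hash to the sorted list of paths holding it.
    More than one key means the controller has differing versions installed."""
    groups = defaultdict(list)
    for path, digest in found.items():
        groups[digest].append(path)
    return {digest: sorted(paths) for digest, paths in groups.items()}


def has_conflict(found):
    return len(group_by_content(found)) > 1


if __name__ == "__main__":
    roots = [p for p in sys.path if p] + [os.path.expanduser("~/.ansible/roles")]
    for digest, paths in group_by_content(find_icontrol_copies(roots)).items():
        print(digest[:12], *paths, sep="\n  ")
```

Run it from the same interpreter that runs Ansible; a single hash group is what a clean installation looks like.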
onurbrc commented 5 years ago

I appreciate your explanation @caphrim007. It is very clear now. Thank you very much. I'll use ansible-galaxy \o/. Best regards.