F5Networks / f5-ansible

Imperative Ansible modules for F5 BIG-IP products
GNU General Public License v3.0

bigip_ssl_key_cert error when replacing existing cert #2362

Open SudarshanVK opened 1 year ago

SudarshanVK commented 1 year ago
COMPONENT NAME

module: bigip_ssl_key_cert

Environment

ANSIBLE VERSION
ansible [core 2.15.3]
  config file = /Users/sudarshanv/Documents/Automation/UoM/F5_SSL_PROFILE/ansible.cfg
  configured module search path = ['/Users/sudarshanv/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/sudarshanv/Documents/Automation/UoM/F5_SSL_PROFILE/.venv/lib/python3.11/site-packages/ansible
  ansible collection location = /Users/sudarshanv/Documents/Automation/UoM/F5_SSL_PROFILE
  executable location = /Users/sudarshanv/Documents/Automation/UoM/F5_SSL_PROFILE/.venv/bin/ansible
  python version = 3.11.3 (main, May  2 2023, 20:05:18) [Clang 14.0.3 (clang-1403.0.22.14.1)] (/Users/sudarshanv/Documents/Automation/UoM/F5_SSL_PROFILE/.venv/bin/python)
  jinja version = 3.1.2
  libyaml = True
BIGIP VERSION
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.3.4
  Build       0.0.2
  Edition     Point Release 4
  Date        Mon Mar 20 14:38:17 PDT 2023
CONFIGURATION
OS / ENVIRONMENT

MacOS and Ansible Tower = Ansible Automation Platform Controller 4.4.1

SUMMARY

The bigip_ssl_key_cert module fails with an error when trying to replace an existing certificate. The stack trace reports "KeyError: 'sourcePath'".

STEPS TO REPRODUCE

The issue occurs when you try to replace a cert/key which was manually imported via the UI in the first place.

Step 1: Import the key and cert into the LB.
Step 2: Try to import the key and cert into the LB using the bigip_ssl_key_cert module.

Note: If the cert and key were originally imported via Ansible using the module, the error does not occur.

EXPECTED RESULTS

I would expect Ansible to say OK if the cert and key content has not changed, or to import the new cert and key if it has.

ACTUAL RESULTS
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: KeyError: 'sourcePath'
fatal: [XXXXXXXXXXX -> localhost]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/Users/sudarshanv/.ansible/tmp/ansible-tmp-1694147006.214535-77424-22226097837846/AnsiballZ_bigip_ssl_key_cert.py\", line 107, in <module>\n    _ansiballz_main()\n  File \"/Users/sudarshanv/.ansible/tmp/ansible-tmp-1694147006.214535-77424-22226097837846/AnsiballZ_bigip_ssl_key_cert.py\", line 99, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/Users/sudarshanv/.ansible/tmp/ansible-tmp-1694147006.214535-77424-22226097837846/AnsiballZ_bigip_ssl_key_cert.py\", line 47, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.f5networks.f5_modules.plugins.modules.bigip_ssl_key_cert', init_globals=dict(_module_fqn='ansible_collections.f5networks.f5_modules.plugins.modules.bigip_ssl_key_cert', _modlib_path=modlib_path),\n  File \"<frozen runpy>\", line 226, in run_module\n  File \"<frozen runpy>\", line 98, in _run_module_code\n  File \"<frozen runpy>\", line 88, in _run_code\n  File \"/var/folders/xs/d85w4nh54flcz0q7pn008k540000gn/T/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload_c4g87xdw/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_ssl_key_cert.py\", line 822, in <module>\n  File \"/var/folders/xs/d85w4nh54flcz0q7pn008k540000gn/T/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload_c4g87xdw/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_ssl_key_cert.py\", line 815, in main\n  File \"/var/folders/xs/d85w4nh54flcz0q7pn008k540000gn/T/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload_c4g87xdw/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_ssl_key_cert.py\", line 410, in exec_module\n  File 
\"/var/folders/xs/d85w4nh54flcz0q7pn008k540000gn/T/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload_c4g87xdw/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_ssl_key_cert.py\", line 424, in present\n  File \"/var/folders/xs/d85w4nh54flcz0q7pn008k540000gn/T/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload_c4g87xdw/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_ssl_key_cert.py\", line 440, in update\n  File \"/var/folders/xs/d85w4nh54flcz0q7pn008k540000gn/T/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload_c4g87xdw/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_ssl_key_cert.py\", line 740, in read_current_from_device\nKeyError: 'sourcePath'\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

SudarshanVK commented 1 year ago

This is related to the issue here.

https://github.com/F5Networks/f5-ansible/issues/2058

The proposed solution by @fairytaletrash actually works. Reposting the solution here for reference:

Modifying the method read_current_from_device in the file f5_modules/plugins/modules/bigip_ssl_key_cert.py to replace response[sourcePath] with response[fullPath] resolved my issue locally.
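
An added illustration of the failure mode discussed in this comment (not part of the original comments and not code from the f5networks.f5_modules collection): a reader that subscripts 'sourcePath' unconditionally fails on an object whose response lacks that key, while one that falls back to 'fullPath' does not. This is a fallback variant of the reposted workaround; the response dictionaries and all helper names are constructed for the example.

```python
# Added illustration, not code from f5networks.f5_modules.
# Both response dicts are constructed samples; only the key names
# 'sourcePath' and 'fullPath' come from the issue thread.

API_IMPORTED = {
    "name": "test1.crt",
    "fullPath": "/Common/test1.crt",
    "sourcePath": "file:/var/config/rest/downloads/test1.crt",
}
GUI_IMPORTED = {  # no 'sourcePath', as reported for objects imported via the UI
    "name": "test1.crt",
    "fullPath": "/Common/test1.crt",
}


class DeviceResponseError(Exception):
    """Raised when a device response lacks every key the reader can use."""


def strict_source(response):
    """The failing pattern: unconditional subscript on 'sourcePath'."""
    return response["sourcePath"]


def tolerant_source(response, keys=("sourcePath", "fullPath")):
    """Return (key_used, value) for the first usable key, in preference order."""
    for key in keys:
        value = response.get(key)
        if value:
            return key, value
    # Fail with a message that names what was present instead of a bare KeyError.
    raise DeviceResponseError(
        "response has none of %s; keys present: %s"
        % (list(keys), sorted(response))
    )


def will_crash(response):
    """Pre-flight check: would the strict reader raise KeyError on this object?"""
    try:
        strict_source(response)
    except KeyError:
        return True
    return False
```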

pgouband commented 1 year ago

Hi @SudarshanVK,

I tested importing a cert and key via the GUI, and afterwards I tried the following playbook without any issue:

- hosts: all
  collections:
    - f5networks.f5_modules
  connection: local

  vars:
    provider:
      server: "X.X.X.X"
      user: "admin"
      password: "mysecretpassword"
      server_port: 443
      validate_certs: no
      no_f5_teem: yes

  tasks:
     - name: Import both key and cert
       bigip_ssl_key_cert:
         key_content: "{{ lookup('file', 'key-selfsigned.key') }}"
         key_name: test1
         cert_content: "{{ lookup('file', 'cert-selfsigned.crt') }}"
         cert_name: test1
         state: present
         provider: "{{ provider }}"
       delegate_to: localhost

The output:

PLAY [all] *********************************************************************

TASK [Gathering Facts] *********************************************************
ok: [X.X.X.X]

TASK [Import both key and cert] ************************************************
changed: [X.X.X.X -> localhost]

PLAY RECAP *********************************************************************
X.X.X.X                 : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0 

f5killer commented 4 months ago

Does the task below work for removing the key and cert files? Please share the details, as we don't have testing environments. Please help.

     - name: Import both key and cert
       bigip_ssl_key_cert:
         key_name: test1_remove
         cert_name: test1_remove
         state: absent
         provider: "{{ provider }}"
       delegate_to: localhost

penghon commented 2 months ago

Issue still present in 1.30.1 and easily repro-able.

[penghon@devops ansible]$ ansible-galaxy collection list | grep -ai f5
f5networks.f5_modules 1.30.1

Import cert/key via GUI, then make sure you specify a different cert and key when you upload via this module:

TASK [Upload cert and key to BIG-IP] **
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: KeyError: 'sourcePath'
fatal: [ -> localhost]: FAILED! => changed=false
  module_stderr: |-
    Traceback (most recent call last):
      File "/home/penghon/.ansible/tmp/ansible-tmp-1724330838.3756802-26021-73007445232518/AnsiballZ_bigip_ssl_key_cert.py", line 107, in <module>
        _ansiballz_main()
      File "/home/penghon/.ansible/tmp/ansible-tmp-1724330838.3756802-26021-73007445232518/AnsiballZ_bigip_ssl_key_cert.py", line 99, in _ansiballz_main
        invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
      File "/home/penghon/.ansible/tmp/ansible-tmp-1724330838.3756802-26021-73007445232518/AnsiballZ_bigip_ssl_key_cert.py", line 47, in invoke_module
        runpy.run_module(mod_name='ansible_collections.f5networks.f5_modules.plugins.modules.bigip_ssl_key_cert', init_globals=dict(_module_fqn='ansible_collections.f5networks.f5_modules.plugins.modules.bigip_ssl_key_cert', _modlib_path=modlib_path),
      File "/usr/lib64/python3.9/runpy.py", line 225, in run_module
        return _run_module_code(code, init_globals, run_name, mod_spec)
      File "/usr/lib64/python3.9/runpy.py", line 97, in _run_module_code
        _run_code(code, mod_globals, init_globals,
      File "/usr/lib64/python3.9/runpy.py", line 87, in _run_code
        exec(code, run_globals)
      File "/tmp/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload_3us498dg/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_ssl_key_cert.py", line 826, in <module>
      File "/tmp/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload_3us498dg/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_ssl_key_cert.py", line 819, in main
      File "/tmp/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload_3us498dg/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_ssl_key_cert.py", line 410, in exec_module
      File "/tmp/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload_3us498dg/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_ssl_key_cert.py", line 424, in present
      File "/tmp/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload_3us498dg/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_ssl_key_cert.py", line 440, in update
      File "/tmp/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload_3us498dg/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_ssl_key_cert.py", line 744, in read_current_from_device
    KeyError: 'sourcePath'
  module_stdout: ''
  msg: |-
    MODULE FAILURE
    See stdout/stderr for the exact error
  rc: 1

The issue goes away if you are uploading the cert and key with key_name and cert_name that are different from the existing cert/key pair.