F5Networks / f5-ansible

Imperative Ansible modules for F5 BIG-IP products
GNU General Public License v3.0

Module bigip_profile_server_ssl fails to create server SSL profile if SSL key is passphrase protected #2435

Open gomesjj opened 2 weeks ago

gomesjj commented 2 weeks ago
COMPONENT NAME

bigip_profile_server_ssl

Environment

ANSIBLE VERSION
ansible [core 2.16.7]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/Users/gj1606/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/gj1606/.local/lib/python3.10/site-packages/ansible
  ansible collection location = /Users/gj1606/.ansible/collections:/usr/share/ansible/collections
  executable location = /Users/gj1606/.pyenv/versions/3.10.1/bin/ansible
  python version = 3.10.1 (main, Jan 16 2022, 18:16:51) [Clang 13.0.0 (clang-1300.0.29.30)] (/Users/gj1606/.pyenv/versions/3.10.1/bin/python3.10)
  jinja version = 3.1.2
  libyaml = True
BIGIP VERSION
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.4
  Build       0.0.2
  Edition     Final
  Date        Wed Aug  2 05:09:36 PDT 2023
CONFIGURATION

Default configuration.

OS / ENVIRONMENT

macOS 13.6.7 Darwin aaron 22.6.0 Darwin Kernel Version 22.6.0: Mon Apr 22 20:54:28 PDT 2024; root:xnu-8796.141.3.705.2~1/RELEASE_X86_64 x86_64

SUMMARY

The module will not create a new server SSL profile when the SSL key is protected by a passphrase. Please note that the same certificate and key files were used to create a client SSL profile with no issues.

Please see example playbook.

STEPS TO REPRODUCE

I've run this test playbook with test certificates already imported.

---
- name: Create Client and Server SSL profiles
  hosts: all
  gather_facts: false
  connection: local

  tasks:
   - name: Create a client SSL profile with a cert/key/chain setting
     f5networks.f5_modules.bigip_profile_client_ssl:
      provider: "{{ provider }}"
      state: present
      name: PRD.DEVTTY.LOCAL_CLIENTSSL
      server_name: prd.devtty.local
      cert_key_chain:
       - cert: prd.devtty.local.crt
         key: prd.devtty.local.key
         chain: DEVTTY-INTERNAL-CHAIN
         passphrase: "{{ passphrase | default(omit) }}"
         true_names: true
     delegate_to: localhost

   - name: Create a new server SSL profile with a cert/key/chain setting
     f5networks.f5_modules.bigip_profile_server_ssl:
      provider: "{{ provider }}"
      state: present
      name: PRD.DEVTTY.LOCAL_SERVERSSL
      server_name: prd.devtty.local
      certificate: prd.devtty.local.crt
      key: prd.devtty.local.key
      chain: DEVTTY-INTERNAL-CHAIN
      passphrase: "{{ passphrase | default(omit) }}"
     delegate_to: localhost
EXPECTED RESULTS

Task completed successfully.

ACTUAL RESULTS
ansible-playbook [core 2.16.7]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/Users/gj1606/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/gj1606/.local/lib/python3.10/site-packages/ansible
  ansible collection location = /Users/gj1606/.ansible/collections:/usr/share/ansible/collections
  executable location = /Users/gj1606/.pyenv/versions/3.10.1/bin/ansible-playbook
  python version = 3.10.1 (main, Jan 16 2022, 18:16:51) [Clang 13.0.0 (clang-1300.0.29.30)] (/Users/gj1606/.pyenv/versions/3.10.1/bin/python3.10)
  jinja version = 3.1.2
  libyaml = True
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
Loading collection ansible.builtin from 
host_list declined parsing /etc/ansible/inventory.yml as it did not pass its verify_file() method
script declined parsing /etc/ansible/inventory.yml as it did not pass its verify_file() method
Parsed /etc/ansible/inventory.yml inventory source with yaml plugin
Loading collection f5networks.f5_modules from /Users/gj1606/.ansible/collections/ansible_collections/f5networks/f5_modules
Loading callback plugin default of type stdout, v2.0 from /Users/gj1606/.local/lib/python3.10/site-packages/ansible/plugins/callback/default.py
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: test_ssl_profile.yml *********************************************************************************************************************************************************************************************************************
Positional arguments: test_ssl_profile.yml
verbosity: 4
connection: ssh
become_method: sudo
tags: ('all',)
inventory: ('/etc/ansible/inventory.yml',)
subset: slb01
forks: 5
1 plays in test_ssl_profile.yml

PLAY [Create Client and Server SSL profiles] *******************************************************************************************************************************************************************************************************

TASK [Create a client SSL profile with a cert/key/chain setting] ***********************************************************************************************************************************************************************************
task path: /Users/gj1606/Devel/F5/WPT/test_ssl_profile.yml:26
Trying secret FileVaultSecret(filename='/Users/gj1606/.anspw/vault_pw') for vault_id=default
Trying secret FileVaultSecret(filename='/Users/gj1606/.anspw/vault_pw') for vault_id=default
<localhost> Using network group action f5networks.f5_modules.bigip for f5networks.f5_modules.bigip_profile_client_ssl
Loading collection ansible.netcommon from /Users/gj1606/.ansible/collections/ansible_collections/ansible/netcommon
<localhost> connection transport is rest
<192.168.1.132> ANSIBLE_NETWORK_IMPORT_MODULES: disabled
<192.168.1.132> ANSIBLE_NETWORK_IMPORT_MODULES: module execution time may be extended
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: gj1606
<localhost> EXEC /bin/sh -c 'echo ~gj1606 && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /Users/gj1606/.ansible/tmp `"&& mkdir "` echo /Users/gj1606/.ansible/tmp/ansible-tmp-1730589466.872941-13664-168786780657656 `" && echo ansible-tmp-1730589466.872941-13664-168786780657656="` echo /Users/gj1606/.ansible/tmp/ansible-tmp-1730589466.872941-13664-168786780657656 `" ) && sleep 0'
Using module file /Users/gj1606/.ansible/collections/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_profile_client_ssl.py
<localhost> PUT /Users/gj1606/.ansible/tmp/ansible-local-13637f7ur6egt/tmp372xa9bs TO /Users/gj1606/.ansible/tmp/ansible-tmp-1730589466.872941-13664-168786780657656/AnsiballZ_bigip_profile_client_ssl.py
<localhost> EXEC /bin/sh -c 'chmod u+x /Users/gj1606/.ansible/tmp/ansible-tmp-1730589466.872941-13664-168786780657656/ /Users/gj1606/.ansible/tmp/ansible-tmp-1730589466.872941-13664-168786780657656/AnsiballZ_bigip_profile_client_ssl.py && sleep 0'
<localhost> EXEC /bin/sh -c '/Users/gj1606/.pyenv/versions/3.10.1/bin/python3.10 /Users/gj1606/.ansible/tmp/ansible-tmp-1730589466.872941-13664-168786780657656/AnsiballZ_bigip_profile_client_ssl.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /Users/gj1606/.ansible/tmp/ansible-tmp-1730589466.872941-13664-168786780657656/ > /dev/null 2>&1 && sleep 0'
changed: [slb01.intra.insynergy.uk -> localhost] => {
    "cert_key_chain": [
        {
            "cert": "/Common/********",
            "chain": "/Common/********",
            "key": "/Common/********",
            "name": "prd.devtty.local",
            "passphrase": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
        }
    ],
    "changed": true,
    "invocation": {
        "module_args": {
            "advertised_cert_authority": null,
            "allow_expired_crl": null,
            "allow_non_ssl": null,
            "cache_size": null,
            "cache_timeout": null,
            "cert_auth_depth": null,
            "cert_key_chain": [
                {
                    "cert": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                    "chain": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                    "key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                    "passphrase": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                    "true_names": true
                }
            ],
            "cipher_group": null,
            "ciphers": null,
            "client_auth_crl": null,
            "client_auth_frequency": null,
            "client_certificate": null,
            "name": "PRD.DEVTTY.LOCAL_CLIENTSSL",
            "options": null,
            "parent": null,
            "partition": "Common",
            "provider": {
                "auth_provider": null,
                "no_f5_teem": false,
                "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "server": "slb01.intra.insynergy.uk",
                "server_port": 443,
                "timeout": null,
                "transport": "rest",
                "user": "gj1606",
                "validate_certs": false
            },
            "renegotiation": null,
            "retain_certificate": null,
            "secure_renegotiation": null,
            "server_name": "prd.devtty.local",
            "sni_default": null,
            "sni_require": null,
            "state": "present",
            "strict_resume": null,
            "trusted_cert_authority": null
        }
    }
}

TASK [Create a new server SSL profile with a cert/key/chain setting] *******************************************************************************************************************************************************************************
task path: /Users/gj1606/Devel/F5/WPT/test_ssl_profile.yml:40
Trying secret FileVaultSecret(filename='/Users/gj1606/.anspw/vault_pw') for vault_id=default
Trying secret FileVaultSecret(filename='/Users/gj1606/.anspw/vault_pw') for vault_id=default
<localhost> Using network group action f5networks.f5_modules.bigip for f5networks.f5_modules.bigip_profile_server_ssl
Loading collection ansible.netcommon from /Users/gj1606/.ansible/collections/ansible_collections/ansible/netcommon
<localhost> connection transport is rest
<192.168.1.132> ANSIBLE_NETWORK_IMPORT_MODULES: disabled
<192.168.1.132> ANSIBLE_NETWORK_IMPORT_MODULES: module execution time may be extended
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: gj1606
<localhost> EXEC /bin/sh -c 'echo ~gj1606 && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /Users/gj1606/.ansible/tmp `"&& mkdir "` echo /Users/gj1606/.ansible/tmp/ansible-tmp-1730589469.9974341-13690-38579390805268 `" && echo ansible-tmp-1730589469.9974341-13690-38579390805268="` echo /Users/gj1606/.ansible/tmp/ansible-tmp-1730589469.9974341-13690-38579390805268 `" ) && sleep 0'
Using module file /Users/gj1606/.ansible/collections/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_profile_server_ssl.py
<localhost> PUT /Users/gj1606/.ansible/tmp/ansible-local-13637f7ur6egt/tmpri3ims9g TO /Users/gj1606/.ansible/tmp/ansible-tmp-1730589469.9974341-13690-38579390805268/AnsiballZ_bigip_profile_server_ssl.py
<localhost> EXEC /bin/sh -c 'chmod u+x /Users/gj1606/.ansible/tmp/ansible-tmp-1730589469.9974341-13690-38579390805268/ /Users/gj1606/.ansible/tmp/ansible-tmp-1730589469.9974341-13690-38579390805268/AnsiballZ_bigip_profile_server_ssl.py && sleep 0'
<localhost> EXEC /bin/sh -c '/Users/gj1606/.pyenv/versions/3.10.1/bin/python3.10 /Users/gj1606/.ansible/tmp/ansible-tmp-1730589469.9974341-13690-38579390805268/AnsiballZ_bigip_profile_server_ssl.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /Users/gj1606/.ansible/tmp/ansible-tmp-1730589469.9974341-13690-38579390805268/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
  File "/var/folders/64/bwkhb_vd6yx9nny1q7mrf3f00000gn/T/ansible_f5networks.f5_modules.bigip_profile_server_ssl_payload_9mnjny74/ansible_f5networks.f5_modules.bigip_profile_server_ssl_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_profile_server_ssl.py", line 846, in main
  File "/var/folders/64/bwkhb_vd6yx9nny1q7mrf3f00000gn/T/ansible_f5networks.f5_modules.bigip_profile_server_ssl_payload_9mnjny74/ansible_f5networks.f5_modules.bigip_profile_server_ssl_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_profile_server_ssl.py", line 611, in exec_module
  File "/var/folders/64/bwkhb_vd6yx9nny1q7mrf3f00000gn/T/ansible_f5networks.f5_modules.bigip_profile_server_ssl_payload_9mnjny74/ansible_f5networks.f5_modules.bigip_profile_server_ssl_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_profile_server_ssl.py", line 635, in present
  File "/var/folders/64/bwkhb_vd6yx9nny1q7mrf3f00000gn/T/ansible_f5networks.f5_modules.bigip_profile_server_ssl_payload_9mnjny74/ansible_f5networks.f5_modules.bigip_profile_server_ssl_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_profile_server_ssl.py", line 691, in create
  File "/var/folders/64/bwkhb_vd6yx9nny1q7mrf3f00000gn/T/ansible_f5networks.f5_modules.bigip_profile_server_ssl_payload_9mnjny74/ansible_f5networks.f5_modules.bigip_profile_server_ssl_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_profile_server_ssl.py", line 710, in create_on_device
fatal: [slb01.intra.insynergy.uk -> localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "authenticate_name": null,
            "ca_file": null,
            "certificate": "prd.devtty.local.crt",
            "chain": "DEVTTY-INTERNAL-CHAIN",
            "cipher_group": null,
            "ciphers": null,
            "key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "name": "PRD.DEVTTY.LOCAL_SERVERSSL",
            "ocsp_profile": null,
            "options": null,
            "parent": "/Common/serverssl",
            "partition": "Common",
            "passphrase": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "provider": {
                "auth_provider": null,
                "no_f5_teem": false,
                "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "server": "slb01.intra.insynergy.uk",
                "server_port": 443,
                "timeout": null,
                "transport": "rest",
                "user": "gj1606",
                "validate_certs": false
            },
            "renegotiation": null,
            "secure_renegotiation": null,
            "server_certificate": null,
            "server_name": "prd.devtty.local",
            "sni_default": null,
            "sni_require": null,
            "state": "present",
            "update_password": "always"
        }
    },
    "msg": "01070313:3: Error reading key PEM file /Common/******** for profile /Common/PRD.DEVTTY.LOCAL_SERVERSSL: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib"
}

PLAY RECAP *****************************************************************************************************************************************************************************************************************************************
slb01.intra.insynergy.uk   : ok=1    changed=1    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
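A local pre-flight check for the failure mode reported above, added here as an example and not code from f5-ansible: it classifies a PEM private key as encrypted or not from its PEM label and RFC 1421 headers, so a playbook can refuse to omit `passphrase` for an encrypted key (or flag a needless one) before the module ever talks to the BIG-IP. The sample PEM strings are constructed stubs with placeholder bodies, not real keys.

```python
"""Classify a PEM private key as encrypted/plain and compare that with the
task's passphrase setting. Added example, not f5-ansible code; the PEM
samples are constructed stubs (placeholder base64, not real key material)."""
import re

# Constructed samples: OpenSSL legacy encrypted PEM, encrypted PKCS#8, plain PKCS#8.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

MIIEpAIBAAKCAQEAplaceholder
-----END RSA PRIVATE KEY-----
"""
PKCS8_ENCRYPTED = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApplaceholder
-----END ENCRYPTED PRIVATE KEY-----
"""
PLAIN_PKCS8 = """-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcplaceholder
-----END PRIVATE KEY-----
"""

_BEGIN = re.compile(r"-----BEGIN ([A-Z ]+)-----")


def classify_pem_key(pem: str) -> str:
    """Return 'pkcs8-encrypted', 'legacy-encrypted', 'plain' or 'unknown'."""
    m = _BEGIN.search(pem)
    if not m:
        return "unknown"
    label = m.group(1)
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"
    if label.endswith("PRIVATE KEY"):
        # Legacy OpenSSL PEM marks encryption with Proc-Type/DEK-Info headers
        # placed between the BEGIN line and the base64 body.
        header = pem[m.end():pem.find("-----END")]
        if "Proc-Type: 4,ENCRYPTED" in header and "DEK-Info:" in header:
            return "legacy-encrypted"
        return "plain"
    return "unknown"


def check_task(pem: str, passphrase_given: bool) -> str:
    """Mirror the playbook's `passphrase | default(omit)` choice against the key."""
    kind = classify_pem_key(pem)
    if kind == "unknown":
        return "error: not a PEM private key"
    if kind != "plain" and not passphrase_given:
        return f"error: key is {kind}; passphrase is required but omitted"
    if kind == "plain" and passphrase_given:
        return "warning: key is not encrypted; passphrase will be ignored"
    return f"ok: key is {kind}"
```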
pgouband commented 2 weeks ago

Hi,

Thanks for reporting. Added to the backlog and internal tracking ID for this request is: INFRAANO-1696.

As a workaround, have you tried using AS3?

gomesjj commented 2 weeks ago

> Hi,
>
> Thanks for reporting. Added to the backlog and internal tracking ID for this request is: INFRAANO-1696.
>
> As a workaround, have you tried using AS3?

Hi @pgouband,

I've tested the following:

I haven't tested with AS3 because it's not on the company's automation strategy. I've been asked to help networking engineering but I am not part of the team, so I have no leverage on their strategy...