Open malcolm-garstin opened 5 days ago
The workaround to get the XML API CSR to go into the shared config is to utilize the ansible.builtin.uri module and completely circumvent this collection:
```yaml
- name: Generate CSR on Palo device
  vars:
    org: "Company With Spaces"
    oum: "Team With Spaces"
  ansible.builtin.uri:
    url: https://{{ firewall }}/api/?type=op&cmd=<request><certificate><generate><ca>no</ca><name>{{ cert_name }}</name><certificate-name>{{ cert_filename }}</certificate-name><organization>{{ org | urlencode }}</organization><organization-unit><member>{{ oum | urlencode }}</member></organization-unit><email>random@email.com</email><country-code>US</country-code><state>Florida</state><locality>Tampa</locality><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><signed-by>external</signed-by></generate></certificate></request>&key={{ panorama_api_key }}
    validate_certs: no
  register: csr_output
```
Thankfully, after a 4-week case, a TAC engineer was able to help me, but this is still a bug in paloaltonetworks.panos.panos_op.
Describe the bug
When using the paloaltonetworks.panos.panos_op module to create a CSR request with XML API commands, it does not show as pending in the GUI and places the CSR in vsys instead of the shared config.
Expected behavior
After getting "Successfully generated certificate and key pair" from the XML API command, I should be able to see the pending CSR request in the GUI, and in the shared config (not vsys), because it should be a 1:1 match with creating a CSR in the GUI.
Current behavior
The API responds with success but does not replicate the manual steps, does not reflect pending status in the GUI, and places the CSR in vsys in the running-config. If you generate the CSR with the GUI, it will show a pending status on the devices/certificates page and it will place the pending CSR in config/shared.
The command works on execution, but not on implementation:
Possible solution
Show the pending status of the CSR in the GUI and place the CSR in the same place in the config as if you were using the GUI.
Steps to reproduce
Refer to the Current Behavior section. Please take my word for it when I say I have spent hundreds of hours on this issue and have an active TAC case open that 4 engineers have been on, unable to resolve.
Evidence of CSR going to vsys:
Context
I am trying to automate end-to-end certificate installations signed by a third party for the Palo firewalls. I have successfully generated it end-to-end, but I can never get the blue-checkmark key to show up on the Palo device in the GUI, because I believe it is related to how the Palo Alto generates the CSR on the device. I do not want the key to be generated by OpenSSL or some other device, for strict cybersecurity reasons: the key must never leave the device. That is why I need this to work properly, so I believe the CSR generation contains a bug, at least with this Ansible module.
I noticed in https://github.com/PaloAltoNetworks/pan-os-ansible/blob/develop/plugins/modules/panos_op.py that you are basically defaulting all commands to go into vsys, at least from my feeble understanding of Python. There should be an option to choose to write to the 'config/shared', not 'vsys'. Not every environment has vsys configured.
Your Environment
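As an added example (not the issue author's playbook and not code from pan-os-ansible), the Python below builds the same certificate-generate op command with ElementTree, URL-encodes the whole query so spaces and XML metacharacters in the org/OU need no hand-placed filters, and then checks an exported running-config for whether the CSR landed under shared or under a vsys, which is the check the API's success status does not give you. The X-PAN-KEY header, the XPath locations and the sample response/config snippets are assumptions and constructed data, not captured from a device.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

def build_generate_cmd(name, filename, org, ou, email, country, state, locality, bits=2048):
    """Serialise <request><certificate><generate>...</generate></certificate></request>.
    ElementTree escapes '&', '<' and spaces in org/OU, so no per-field urlencode."""
    req = ET.Element("request")
    gen = ET.SubElement(ET.SubElement(req, "certificate"), "generate")
    for tag, text in (("ca", "no"), ("name", name), ("certificate-name", filename),
                      ("organization", org)):
        ET.SubElement(gen, tag).text = text
    ET.SubElement(ET.SubElement(gen, "organization-unit"), "member").text = ou
    for tag, text in (("email", email), ("country-code", country),
                      ("state", state), ("locality", locality)):
        ET.SubElement(gen, tag).text = text
    rsa = ET.SubElement(ET.SubElement(gen, "algorithm"), "RSA")
    ET.SubElement(rsa, "rsa-nbits").text = str(bits)
    ET.SubElement(gen, "signed-by").text = "external"
    return ET.tostring(req, encoding="unicode")

def build_query(cmd_xml):
    """Query string for /api/. The API key is deliberately not part of the URL:
    send it in the X-PAN-KEY header (assumed supported) so it stays out of URL/proxy logs."""
    return urlencode({"type": "op", "cmd": cmd_xml})

def op_succeeded(response_xml):
    """Status attribute of the XML API wrapper. 'success' says nothing about
    *where* the CSR was stored, which is exactly the gap this issue describes."""
    return ET.fromstring(response_xml).get("status") == "success"

def locate_csr(running_config_xml, name):
    """Return 'shared', 'vsys' or None depending on where the certificate entry exists."""
    root = ET.fromstring(running_config_xml)
    if root.find(f"./shared/certificate/entry[@name='{name}']") is not None:
        return "shared"
    if root.find(f"./devices/entry/vsys/entry/certificate/entry[@name='{name}']") is not None:
        return "vsys"
    return None

# Constructed sample data (assumed format, not captured from a real firewall).
SAMPLE_RESPONSE = ('<response status="success"><result>'
                   'Successfully generated certificate and key pair</result></response>')
SAMPLE_CONFIG = """<config><shared><certificate/></shared>
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<certificate><entry name="web-csr"><status>pending</status></entry></certificate>
</entry></vsys></entry></devices></config>"""
```

Running `locate_csr` against a `show config running` export right after `op_succeeded` returns True is what turns "the API said success" into evidence of where the CSR actually went.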