Venafi / ansible-collection-venafi

Ansible collection for managing machine identities (certificates and keys) using Venafi
Apache License 2.0

'CSR_ORIGIN_LOCAL' is not defined. #39

Open cbrister78 opened 1 year ago

cbrister78 commented 1 year ago

PROBLEM SUMMARY

We are getting a 'CSR_ORIGIN_LOCAL' is not defined message on the "Enroll Venafi certificate on remote host" task. We recently upgraded from Ansible Automation Platform 1 to 2, which is when these issues started.

We noticed that in the Venafi_Credentials.py file it is being defaulted to ‘CSR_ORIGIN_LOCAL’.

I have it set to “Service” in the code.

STEPS TO REPRODUCE

EXPECTED RESULTS

ACTUAL RESULTS

ENVIRONMENT DETAILS

COMMENTS/WORKAROUNDS

dwebr commented 1 year ago

I am having the same issue; setting the certificate_csr_origin role variable to "service" does not resolve the issue.

luispresuelVenafi commented 1 year ago

A colleague's answer on this:

This issue normally happens when you install the collection but not its dependencies. The Venafi ansible collection depends on the vcert library: https://pypi.org/project/vcert/ If you are running ansible locally, make sure to install vcert in your global or virtual environment. If you are running ansible on a platform like Automation Platform, make sure that your runner has the library installed before running the playbook.

@cbrister78, @dwebr, could you confirm the VCert Python library is installed among your dependencies?

lastusrnameon3 commented 11 months ago

I have the same issue and can confirm that vCert is installed. What's odd about this issue is that "CSR_ORIGIN_LOCAL" should be set by default by roles/certificate/tasks/main.yml as a variable named "certificate_csr_origin" (see below):

https://github.com/Venafi/ansible-collection-venafi/blob/f20c4ed0913813fdd2fabe46573c5224f88fabbd/roles/certificate/defaults/main.yml#L28C1-L32C32

Also, it looks like the original post shows that the "Certificate_remote_execution" is set to false, same as mine.

So that would mean that in main/roles/certificate/tasks/main.yml the ansible.builtin.import_tasks: local-certificate.yml would be used. (link below) https://github.com/Venafi/ansible-collection-venafi/blob/f20c4ed0913813fdd2fabe46573c5224f88fabbd/roles/certificate/tasks/main.yml#L13

And as seen in line 25 of the roles/certificate/tasks/local-certificate.yml, the "certificate_csr_origin": from the runbook ('service') is set to a new variable named csr_origin https://github.com/Venafi/ansible-collection-venafi/blob/f20c4ed0913813fdd2fabe46573c5224f88fabbd/roles/certificate/tasks/local-certificate.yml#L25C7-L25C7

But I don't see where the csr_origin variable is called to be transformed into "CSR_ORIGIN_SERVICE" based on the variable's value (currently set to 'service'), and if it wasn't set to service, it should at least be set to Local, as shown above.

Fantomace74 commented 10 months ago

Found the bug: it is due to the version of a python lib used with vcert (lib ruamel.yaml version <=0.17.31 to work, bug with version 0.18.5). “pip install --upgrade vcert” solved it.

rvelaVenafi commented 10 months ago

@cbrister78 Is @Fantomace74's fix working for you?

@Fantomace74 What version of python are you using? Starting with vcert 0.16.0, support for python 3.6 has been dropped. The minimum python version is 3.9. The latest version of ruamel.yaml also doesn't support python 3.6.

Fantomace74 commented 10 months ago

I’m using python version 3.11.5 and vcert 0.16.2, which downgraded ruamel.yaml from 0.18.5 to version 0.17.31, but in the source of the vcert-python project there is ruamel.yaml==0.18.5 (https://github.com/Venafi/vcert-python/blob/v0.16.2/requirements.txt), and when installing the upgrade of ruamel.yaml, I get the dependency conflict message: vcert 0.16.2 requires ruamel.yaml==0.17.31, but you have ruamel-yaml 0.18.5 which is incompatible
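
A dependency check for the situation discussed in this thread, added here as an example (it is not part of the thread or of the Venafi projects): it reports whether vcert imports in the current interpreter and whether any `==`-pinned dependency of vcert, such as ruamel.yaml, is installed at a different version. The function names are hypothetical, and only the standard library is used.

```python
import importlib
import importlib.metadata as md
import re
import sys

# Matches "name==1.2.3" and the older "name (==1.2.3)" Requires-Dist form.
PIN = re.compile(r"^([A-Za-z0-9._-]+)\s*\(?\s*==\s*([^\s;,)]+)")


def pinned_conflicts(requires, version_of):
    """Return (name, wanted, found) for each '==' pin whose installed version differs."""
    # version_of: callable mapping a distribution name to its installed
    # version string, or None when the distribution is not installed.
    conflicts = []
    for req in requires:
        if ";" in req:
            continue  # marker-conditional requirement: not evaluated here
        m = PIN.match(req.strip())
        found = version_of(m.group(1)) if m else None
        if m and found != m.group(2):
            conflicts.append((m.group(1), m.group(2), found))
    return conflicts


def installed_version(name):
    try:
        return md.version(name)
    except md.PackageNotFoundError:
        return None


def diagnose(package="vcert"):
    """Report import status and unmet pins for `package` in this interpreter."""
    report = {"interpreter": sys.executable, "importable": True,
              "error": None, "conflicts": []}
    try:
        importlib.import_module(package)
    except Exception as exc:  # ImportError, or an error raised by a dependency
        report["importable"] = False
        report["error"] = f"{type(exc).__name__}: {exc}"
    try:
        report["conflicts"] = pinned_conflicts(md.requires(package) or [], installed_version)
    except md.PackageNotFoundError:
        pass  # no distribution metadata for the package: nothing to compare
    return report


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Run it with the same Python interpreter that executes the role (the controller or runner when certificate_remote_execution is false), since a vcert installed for a different interpreter does not help.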

rvelaVenafi commented 10 months ago

@Fantomace74 definitely something we need to fix. The ruamel dependency was updated on the requirements file but not on the setup.py file

DaDenniX commented 9 months ago

Hey there, do you have any update on this issue? Thanks in advance :)

Fantomace74 commented 9 months ago

@DaDenniX did you try at last update on your controller (no other python module upgrade after): pip install --upgrade vcert

If you are running the role in a play on localhost (controller with vcert), check your settings of the variables below.

certificate_csr_origin: service
certificate_remote_execution: false

If true, you have to set the correct python interpreter with vcert installed as well on the remote hosts.

This is more a vcert and python deps bug than an ansible collection bug.

See project vcert-python (waiting for merge) https://github.com/Venafi/vcert-python/pull/143