Venafi / ansible-role-venafi

(END-OF-LIFE) Ansible Role that uses Venafi to streamline machine identity (certificate and key) acquisition.
Apache License 2.0

Read timed out on first run when enrolling Venafi certificates #29

Open AaronJaegerVA opened 4 years ago

AaronJaegerVA commented 4 years ago

PROBLEM SUMMARY

Getting Timeout on "Enroll Venafi certificate on ..." on first run. Second run works okay because certificate has been created by then.

STEPS TO REPRODUCE

Use the role to enroll a certificate for a server that does not already have one.

EXPECTED RESULTS

The certificate is generated as expected and copied to the remote server.

ACTUAL RESULTS

```
{
  "exception": "Traceback (most recent call last):
  File \"\", line 102, in 
  File \"\", line 94, in _ansiballz_main
  File \"\", line 40, in invoke_module
  File \"/usr/lib64/python2.7/runpy.py\", line 176, in run_module
    fname, loader, pkg_name)
  File \"/usr/lib64/python2.7/runpy.py\", line 82, in _run_module_code
    mod_name, mod_fname, mod_loader, pkg_name)
  File \"/usr/lib64/python2.7/runpy.py\", line 72, in _run_code
    exec code in run_globals
  File \"/tmp/ansible_venafi_certificate_payload_unXgMF/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py\", line 718, in 
  File \"/tmp/ansible_venafi_certificate_payload_unXgMF/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py\", line 709, in main
  File \"/tmp/ansible_venafi_certificate_payload_unXgMF/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py\", line 388, in enroll
  File \"/usr/lib/python2.7/site-packages/vcert/connection_tpp.py\", line 285, in read_zone_conf
    status, data = self._post(URLS.ZONE_CONFIG, {\"PolicyDN\": self._get_policy_dn(tag)})
  File \"/usr/lib/python2.7/site-packages/vcert/connection_tpp.py\", line 91, in _post
    self.auth()
  File \"/usr/lib/python2.7/site-packages/vcert/connection_tpp.py\", line 120, in auth
    self._http_request_kwargs)
  File \"/usr/lib/python2.7/site-packages/requests/api.py\", line 108, in post
    return request('post', url, data=data, json=json, **kwargs)
  File \"/usr/lib/python2.7/site-packages/requests/api.py\", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File \"/usr/lib/python2.7/site-packages/requests/sessions.py\", line 486, in request
    resp = self.send(prep, **send_kwargs)
  File \"/usr/lib/python2.7/site-packages/requests/sessions.py\", line 598, in send
    r = adapter.send(request, **kwargs)
  File \"/usr/lib/python2.7/site-packages/requests/adapters.py\", line 433, in send
    raise ReadTimeout(e, request=request)
requests.exceptions.ReadTimeout: HTTPSConnectionPool(host='xxx.xxx.xxx.xxx', port=443): Read timed out. (read timeout=60)
",
  "_ansible_no_log": false,
  "_ansible_delegated_vars": {
    "ansible_host": "xxx.xxx.xxx.xxx"
  },
  "module_stderr": "Traceback (most recent call last):
  File \"\", line 102, in 
  File \"\", line 94, in _ansiballz_main
  File \"\", line 40, in invoke_module
  File \"/usr/lib64/python2.7/runpy.py\", line 176, in run_module
    fname, loader, pkg_name)
  File \"/usr/lib64/python2.7/runpy.py\", line 82, in _run_module_code
    mod_name, mod_fname, mod_loader, pkg_name)
  File \"/usr/lib64/python2.7/runpy.py\", line 72, in _run_code
    exec code in run_globals
  File \"/tmp/ansible_venafi_certificate_payload_unXgMF/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py\", line 718, in 
  File \"/tmp/ansible_venafi_certificate_payload_unXgMF/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py\", line 709, in main
  File \"/tmp/ansible_venafi_certificate_payload_unXgMF/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py\", line 388, in enroll
  File \"/usr/lib/python2.7/site-packages/vcert/connection_tpp.py\", line 285, in read_zone_conf
    status, data = self._post(URLS.ZONE_CONFIG, {\"PolicyDN\": self._get_policy_dn(tag)})
  File \"/usr/lib/python2.7/site-packages/vcert/connection_tpp.py\", line 91, in _post
    self.auth()
  File \"/usr/lib/python2.7/site-packages/vcert/connection_tpp.py\", line 120, in auth
    self._http_request_kwargs)
  File \"/usr/lib/python2.7/site-packages/requests/api.py\", line 108, in post
    return request('post', url, data=data, json=json, **kwargs)
  File \"/usr/lib/python2.7/site-packages/requests/api.py\", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File \"/usr/lib/python2.7/site-packages/requests/sessions.py\", line 486, in request
    resp = self.send(prep, **send_kwargs)
  File \"/usr/lib/python2.7/site-packages/requests/sessions.py\", line 598, in send
    r = adapter.send(request, **kwargs)
  File \"/usr/lib/python2.7/site-packages/requests/adapters.py\", line 433, in send
    raise ReadTimeout(e, request=request)
requests.exceptions.ReadTimeout: HTTPSConnectionPool(host='xxx.xxx.xxx.xxx', port=443): Read timed out. (read timeout=60)
",
  "changed": false,
  "module_stdout": "",
  "rc": 1,
  "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"
}
```

ENVIRONMENT DETAILS

Using Ansible Tower v3.6.3 to run the role.

COMMENTS/WORKAROUNDS

Running the role again for the same server succeeds because the certificate is already generated and the enroll task completes quickly.

I don't think it's the role that's broken, but rather a default timeout value in the Python requests library. Perhaps the role could allow the timeout to be adjusted upward from the default 60 seconds to allow the Venafi server more time to generate the certificate.

tr1ck3r commented 4 years ago

Hi @AaronJaegerVA, can you please confirm which CA you are using? For all of our DevOps integrations, including Ansible, we only consider CAs that are capable of reliably issuing certificates in 60 seconds or less to be applicable.

AaronJaegerVA commented 4 years ago

Internal CA at a Government department.

sajayku commented 3 years ago

Hi, With latest release of vcert (https://pypi.org/project/vcert/0.11.1/), they have configured timeout to be 0 by default causing the retrieval of certificate to fail every time. We had to switch back to vcert 0.11.0 to fix this.

tr1ck3r commented 3 years ago

Thank you for letting us know @sajayku, it does indeed sound like a bug in vcert-python. The default timeout should be 180 seconds if the timeout parameter is not explicitly assigned a value. If you've assigned a value of 0 to the timeout parameter then the behavior you described is expected (i.e. only attempt to retrieve the certificate one time, immediately after requesting it).
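The retrieval-timeout semantics the maintainer describes (no value means a 180 second default, 0 means a single attempt right after the request) are worth seeing as a poll loop, because they explain both the original report (a CA slower than the per-request limit) and the vcert 0.11.1 regression (a default of 0 fails unless the CA issues synchronously). The block below is an added example written for this thread; it is not code from ansible-role-venafi or vcert-python. The `SimulatedCA`, `FakeClock`, `retrieve_certificate` and `enroll` names, the `DEFAULT_RETRIEVE_TIMEOUT` constant and the poll interval are assumptions made for the example, and the CA is a constructed stand-in so the code runs offline.

```python
"""Certificate retrieval with an explicit overall timeout.

Added example, not code from ansible-role-venafi or vcert-python. It
models the timeout semantics described in the thread: when no timeout is
given a default of 180 seconds applies; a timeout of 0 means exactly one
retrieval attempt immediately after the request. The CA below is a
constructed simulation so the example runs offline; the class and
function names are assumptions, not vcert's API.
"""
import time
from dataclasses import dataclass

DEFAULT_RETRIEVE_TIMEOUT = 180.0  # seconds; assumed default per the maintainer's comment
POLL_INTERVAL = 0.01              # shortened for the example; real code polls every few seconds


class CertificateRetrieveTimeout(Exception):
    """Raised when the CA has not issued the certificate before the deadline."""


@dataclass
class SimulatedCA:
    """Constructed stand-in for a CA that issues on the Nth retrieval poll."""
    issue_after: int
    polls: int = 0

    def request(self, common_name):
        # Issuance is asynchronous: the request returns a handle immediately.
        return "req-" + common_name

    def retrieve(self, request_id):
        # Returns the PEM once issuance has completed, None while still pending.
        self.polls += 1
        if self.polls >= self.issue_after:
            return "-----BEGIN CERTIFICATE-----\n" + request_id + "\n-----END CERTIFICATE-----\n"
        return None


class FakeClock:
    """Deterministic clock so the deadline logic can be exercised without sleeping."""

    def __init__(self, step):
        self.now = 0.0
        self.step = step

    def time(self):
        return self.now

    def sleep(self, _seconds):
        # Every poll interval costs `step` seconds of simulated time.
        self.now += self.step


def retrieve_certificate(ca, request_id, timeout=None,
                         clock=time.monotonic, sleep=time.sleep):
    """Poll the CA until the certificate is issued or the deadline passes.

    Returns (pem, attempts). timeout=None selects DEFAULT_RETRIEVE_TIMEOUT;
    timeout=0 makes exactly one attempt, which fails unless the CA issues
    synchronously (the behaviour reported for vcert 0.11.1 in the thread).
    """
    if timeout is None:
        timeout = DEFAULT_RETRIEVE_TIMEOUT
    if timeout < 0:
        raise ValueError("timeout must be >= 0")
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        pem = ca.retrieve(request_id)
        if pem is not None:
            return pem, attempts
        # With timeout=0 the deadline is already reached after the first poll.
        if clock() >= deadline:
            raise CertificateRetrieveTimeout(
                "certificate %s not issued after %d attempt(s) within %.0fs"
                % (request_id, attempts, timeout))
        sleep(POLL_INTERVAL)


def enroll(ca, common_name, timeout=None, clock=time.monotonic, sleep=time.sleep):
    """Request then retrieve: the two steps an enroll task performs in sequence."""
    request_id = ca.request(common_name)
    return retrieve_certificate(ca, request_id, timeout, clock, sleep)


if __name__ == "__main__":
    # Slow CA: issues on the third poll. Default timeout succeeds, timeout=0 does not.
    pem, attempts = enroll(SimulatedCA(issue_after=3), "web01.example.test")
    print("issued after %d attempt(s)" % attempts)
    try:
        enroll(SimulatedCA(issue_after=3), "web01.example.test", timeout=0)
    except CertificateRetrieveTimeout as exc:
        print("timeout=0:", exc)
```

Note the two different timeouts in play: the `read timeout=60` in the traceback is the per-HTTP-request limit that `requests` applies to a single call, while the value discussed by the maintainer is the overall retrieval deadline spread across many polls. Raising the first only helps if the CA answers each API call slowly; a CA that takes minutes to issue needs the second, and a value of 0 for the second turns the loop into a single shot.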