Open AaronJaegerVA opened 4 years ago
Hi @AaronJaegerVA, can you please confirm which CA you are using? For all of our DevOps integrations, including Ansible, we only consider CAs that are capable of reliably issuing certificates in 60 seconds or less to be applicable.
Internal CA at a Government department.
Hi, with the latest release of vcert (https://pypi.org/project/vcert/0.11.1/), they have configured the timeout to be 0 by default, causing the retrieval of the certificate to fail every time. We had to switch back to vcert 0.11.0 to fix this.
Thank you for letting us know @sajayku, it does indeed sound like a bug in vcert-python. The default timeout should be 180 seconds if the timeout parameter is not explicitly assigned a value. If you've assigned a value of 0 to the timeout parameter then the behavior you described is expected (i.e. only attempt to retrieve the certificate one time, immediately after requesting it).
PROBLEM SUMMARY Getting Timeout on "Enroll Venafi certificate on ..." on first run. Second run works okay because certificate has been created by then.
STEPS TO REPRODUCE Use the role to enroll a certificate for a server that does not already have one.
EXPECTED RESULTS The certificate is generated as expected and copied to the remote server.
ACTUAL RESULTS { "exception": "Traceback (most recent call last):\n File \"\", line 102, in \n File \"\", line 94, in _ansiballz_main\n File \"\", line 40, in invoke_module\n File \"/usr/lib64/python2.7/runpy.py\", line 176, in run_module\n fname, loader, pkg_name)\n File \"/usr/lib64/python2.7/runpy.py\", line 82, in _run_module_code\n mod_name, mod_fname, mod_loader, pkg_name)\n File \"/usr/lib64/python2.7/runpy.py\", line 72, in _run_code\n exec code in run_globals\n File \"/tmp/ansible_venafi_certificate_payload_unXgMF/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py\", line 718, in \n File \"/tmp/ansible_venafi_certificate_payload_unXgMF/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py\", line 709, in main\n File \"/tmp/ansible_venafi_certificate_payload_unXgMF/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py\", line 388, in enroll\n File \"/usr/lib/python2.7/site-packages/vcert/connection_tpp.py\", line 285, in read_zone_conf\n status, data = self._post(URLS.ZONE_CONFIG, {\"PolicyDN\": self._get_policy_dn(tag)})\n File \"/usr/lib/python2.7/site-packages/vcert/connection_tpp.py\", line 91, in _post\n self.auth()\n File \"/usr/lib/python2.7/site-packages/vcert/connection_tpp.py\", line 120, in auth\n self._http_request_kwargs)\n File \"/usr/lib/python2.7/site-packages/requests/api.py\", line 108, in post\n return request('post', url, data=data, json=json, kwargs)\n File \"/usr/lib/python2.7/site-packages/requests/api.py\", line 50, in request\n response = session.request(method=method, url=url, kwargs)\n File \"/usr/lib/python2.7/site-packages/requests/sessions.py\", line 486, in request\n resp = self.send(prep, send_kwargs)\n File \"/usr/lib/python2.7/site-packages/requests/sessions.py\", line 598, in send\n r = adapter.send(request, kwargs)\n File \"/usr/lib/python2.7/site-packages/requests/adapters.py\", line 433, in send\n raise ReadTimeout(e, 
request=request)\nrequests.exceptions.ReadTimeout: HTTPSConnectionPool(host='xxx.xxx.xxx.xxx', port=443): Read timed out. (read timeout=60)\n",
"_ansible_no_log": false,
"_ansible_delegated_vars": {
"ansible_host": "xxx.xxx.xxx.xxx"
},
"module_stderr": "Traceback (most recent call last):\n File \"\", line 102, in \n File \"\", line 94, in _ansiballz_main\n File \"\", line 40, in invoke_module\n File \"/usr/lib64/python2.7/runpy.py\", line 176, in run_module\n fname, loader, pkg_name)\n File \"/usr/lib64/python2.7/runpy.py\", line 82, in _run_module_code\n mod_name, mod_fname, mod_loader, pkg_name)\n File \"/usr/lib64/python2.7/runpy.py\", line 72, in _run_code\n exec code in run_globals\n File \"/tmp/ansible_venafi_certificate_payload_unXgMF/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py\", line 718, in \n File \"/tmp/ansible_venafi_certificate_payload_unXgMF/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py\", line 709, in main\n File \"/tmp/ansible_venafi_certificate_payload_unXgMF/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py\", line 388, in enroll\n File \"/usr/lib/python2.7/site-packages/vcert/connection_tpp.py\", line 285, in read_zone_conf\n status, data = self._post(URLS.ZONE_CONFIG, {\"PolicyDN\": self._get_policy_dn(tag)})\n File \"/usr/lib/python2.7/site-packages/vcert/connection_tpp.py\", line 91, in _post\n self.auth()\n File \"/usr/lib/python2.7/site-packages/vcert/connection_tpp.py\", line 120, in auth\n self._http_request_kwargs)\n File \"/usr/lib/python2.7/site-packages/requests/api.py\", line 108, in post\n return request('post', url, data=data, json=json, kwargs)\n File \"/usr/lib/python2.7/site-packages/requests/api.py\", line 50, in request\n response = session.request(method=method, url=url, kwargs)\n File \"/usr/lib/python2.7/site-packages/requests/sessions.py\", line 486, in request\n resp = self.send(prep, send_kwargs)\n File \"/usr/lib/python2.7/site-packages/requests/sessions.py\", line 598, in send\n r = adapter.send(request, kwargs)\n File \"/usr/lib/python2.7/site-packages/requests/adapters.py\", line 433, in send\n raise ReadTimeout(e, 
request=request)\nrequests.exceptions.ReadTimeout: HTTPSConnectionPool(host='xxx.xxx.xxx.xxx', port=443): Read timed out. (read timeout=60)\n",
"changed": false,
"module_stdout": "",
"rc": 1,
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"
}
ENVIRONMENT DETAILS Using Ansible Tower v3.6.3 to run the role.
COMMENTS/WORKAROUNDS Running the role again for the same server succeeds because the certificate is already generated and the enroll task completes quickly.
I don't think it's the role that's broken, but rather a default timeout value in the Python requests library. Perhaps the role could allow the timeout to be adjusted upward from the default 60 seconds to allow the Venafi server more time to generate the certificate.
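The following is an added illustration, not code from vcert, the Ansible role, or anyone in this thread. It models the retrieval-timeout semantics the maintainer describes (default 180 seconds; 0 means a single attempt immediately after the request) against a constructed slow CA, and reproduces the symptom in the issue: with a timeout of 0 the first run fails while a later run succeeds because the CA finished issuing in the meantime. `SlowCA`, `FakeClock`, `retrieve_certificate`, `enroll` and the 90-second issuance delay are all hypothetical names and values chosen for the example.

```python
"""Constructed illustration of certificate-retrieval timeout semantics.

Models a retrieval timeout that defaults to 180 s, where 0 means "try exactly
once, immediately after requesting", and a CA that needs time to issue, so a
first run can fail while a later run succeeds.
"""

DEFAULT_RETRIEVE_TIMEOUT = 180  # seconds; the default described in the thread


class FakeClock:
    """Deterministic clock so the example runs instantly and reproducibly."""

    def __init__(self):
        self.now = 0.0

    def sleep(self, seconds):
        self.now += seconds


class SlowCA:
    """Hypothetical internal CA that issues a certificate only after a delay.

    Issuance proceeds on the CA side whether or not the client keeps polling,
    which is why a second run can find the certificate already issued.
    """

    def __init__(self, clock, issuance_delay):
        self.clock = clock
        self.issuance_delay = issuance_delay
        self._requests = {}  # common_name -> time the request was received

    def request(self, common_name):
        # Idempotent: a repeated request for the same CN reuses the pending one.
        self._requests.setdefault(common_name, self.clock.now)
        return common_name

    def retrieve(self, request_id):
        requested_at = self._requests[request_id]
        if self.clock.now - requested_at >= self.issuance_delay:
            return ("-----BEGIN CERTIFICATE-----\n"
                    f"(constructed certificate for {request_id})\n"
                    "-----END CERTIFICATE-----")
        return None  # still pending on the CA side


def retrieve_certificate(ca, request_id, clock, timeout=None, poll_interval=10):
    """Poll the CA until the certificate is issued or the timeout expires.

    timeout=None -> DEFAULT_RETRIEVE_TIMEOUT; timeout=0 -> exactly one attempt.
    Returns (certificate, attempts) or raises TimeoutError.
    """
    if timeout is None:
        timeout = DEFAULT_RETRIEVE_TIMEOUT
    deadline = clock.now + timeout
    attempts = 0
    while True:
        attempts += 1
        cert = ca.retrieve(request_id)
        if cert is not None:
            return cert, attempts
        # Do not sleep past the deadline; with timeout=0 this fires after attempt 1.
        if clock.now + poll_interval > deadline:
            raise TimeoutError(
                f"certificate {request_id} not issued after {attempts} attempt(s) "
                f"within {timeout}s")
        clock.sleep(poll_interval)


def enroll(ca, common_name, clock, timeout=None):
    """Request a certificate and then wait for it, as an enroll task would."""
    request_id = ca.request(common_name)
    return retrieve_certificate(ca, request_id, clock, timeout=timeout)


def first_and_second_run(timeout, gap_between_runs=300):
    """Run enrollment twice for the same server, as the issue reporter did.

    Returns the outcome of each run as "issued" or "timeout".
    """
    clock = FakeClock()
    ca = SlowCA(clock, issuance_delay=90)  # constructed: CA needs 90 s to issue
    outcomes = []
    for _ in range(2):
        try:
            enroll(ca, "web01.example.internal", clock, timeout=timeout)
            outcomes.append("issued")
        except TimeoutError:
            outcomes.append("timeout")
        clock.sleep(gap_between_runs)  # time passes before the role is re-run
    return outcomes


if __name__ == "__main__":
    print("timeout=0:   ", first_and_second_run(0))     # first run fails
    print("timeout=None:", first_and_second_run(None))  # default 180 s waits it out
    print("timeout=60:  ", first_and_second_run(60))    # too short for this CA
```

Note that this polling timeout is a different knob from the `read timeout=60` in the traceback above: that one is the per-HTTP-call read timeout of the requests library, and the traceback shows it expiring inside `auth()` during `read_zone_conf`, before any certificate is retrieved. Raising the retrieval timeout does not lengthen how long a single HTTP call may take, so a slow CA may need both values reviewed.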