Issue status: Open. Opened by AaronJaegerVA 3 years ago.
@AaronJaegerVA can you share a bit more on the TPP side of our architecture? Is https://vaww.certmgr.va.gov/ a single TPP API server or a virtual server load balancing traffic between several TPP API servers? Do your Ansible nodes have direct network connectivity with the TPP API endpoint or does traffic traverse a proxy server? Also, do your TPP API servers have certificate authentication enabled in IIS (specifically looking at the SSL Settings of the "VEDSDK" application under the "Venafi" web site)? Are you able to enroll a certificate from your Ansible node 001 using our VCert CLI utility with legacy username/password authentication (i.e. --tpp-user and --tpp-password)?
Have you tried using token authentication with our Ansible Role? Many of the TPP side configuration requirements for legacy username/password authentication do not exist when using token authentication and we strongly advise making the transition to token authentication because legacy username/password authentication will be dropped from TPP in 2021. Token authentication is also more performant and more secure since a token can only be used for API access whereas a username/password can be used to access the TPP web console and possibly other enterprise applications if it is a non-local user.
I will ask our Venafi administrators about token authentication. Thank you.
We have an Ansible Tower cluster with three nodes (Ansible control hosts). When we run a job template that calls a playbook that calls the Venafi Ansible role, we regularly get this error on node 001, but rarely or never on nodes 002 and 003.
The nodes are configured as identically as possible. I am digging for some difference somewhere. Can someone point me in the right direction? Ansible is authenticating with a username/password service account.
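The maintainer's questions above (single server vs. load-balanced VIP, proxy in the path, client-certificate authentication on the VEDSDK application) and the node 001 vs. 002/003 difference in the issue can be checked from each Ansible node with one TLS probe. The script below is an added example, not code from Venafi, the VA, or the Ansible role; it assumes the TPP hostname from the issue on port 443, OpenSSL and getent on the node, and that "No client certificate CA names sent" versus "Acceptable client certificate CA names" in the s_client transcript reflects whether IIS has client certificates set to Ignore or to Accept/Require.

```shell
#!/bin/sh
# Per-node probe of the TPP API endpoint. Run it on nodes 001, 002 and 003
# and diff the summary lines; any field that differs is a lead.
TPP_HOST="${TPP_HOST:-vaww.certmgr.va.gov}"   # hostname from the issue
TPP_PORT="${TPP_PORT:-443}"                   # assumed: HTTPS default port

# Classify a saved `openssl s_client` transcript. IIS with client-certificate
# authentication set to Accept or Require sends a CertificateRequest, which
# s_client reports as "Acceptable client certificate CA names"; with it set
# to Ignore, s_client prints "No client certificate CA names sent".
classify_client_cert() {
  if grep -q '^Acceptable client certificate CA names' "$1"; then
    echo "client-cert-requested"
  elif grep -q '^No client certificate CA names sent' "$1"; then
    echo "no-client-cert"
  else
    echo "unknown"   # handshake failed or transcript truncated
  fi
}

# SHA-256 fingerprint of the server certificate in the transcript. Different
# fingerprints on different nodes mean the VIP is sending nodes to
# differently configured backends, or a proxy is terminating TLS for one node.
server_cert_fingerprint() {
  sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# One summary line: node name, resolved address, proxy variables in effect,
# server certificate fingerprint, and whether a client certificate was asked for.
probe_tpp() {
  out=$(mktemp)
  # -servername sends SNI so a load balancer selects the same site a client would
  openssl s_client -connect "$TPP_HOST:$TPP_PORT" -servername "$TPP_HOST" \
    </dev/null >"$out" 2>&1
  addr=$(getent ahosts "$TPP_HOST" 2>/dev/null | awk 'NR==1{print $1}')
  printf 'node=%s addr=%s https_proxy=%s fp=%s clientcert=%s\n' \
    "$(hostname)" "${addr:-unresolved}" "${https_proxy:-none}" \
    "$(server_cert_fingerprint "$out")" "$(classify_client_cert "$out")"
  rm -f "$out"
}

# Only probe the network when invoked as `sh probe.sh run`.
if [ "${1:-}" = "run" ]; then probe_tpp; fi
```

Compare the `fp=` and `clientcert=` fields across the three nodes; a node that sees a different certificate or a CertificateRequest the others do not is the one to examine first.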