Closed sitaramkm closed 4 years ago
@arykalin I am not sure I know what "organization" means in TPP policy. I am going to find someone who knows TPP. I figured it must be something to do with TPP. Thanks for the quick response. Really appreciate it.
@sitaramkm Sorry, it was my mistake. Usually we add functionality that gets the O, L, ST, and C values from TPP, but we forgot about it in this case. I'm working on a fix now.
@sitaramkm Please update the ansible module; you may also need to update vcert python (if you don't have the latest version):
pip install vcert --upgrade
You need vcert version >= 0.6.7
Thanks @arykalin. I see a new error, but it indicates progress. After your changes to read the zone config and update the request, I see:
"ERROR:root:Unknown error format: {u'Error': u'Organizational Unit value violates policy and cannot be used
Looks like now it's complaining about OU.
Hmm, it's strange, because OU should be updated in the update_from_zone_config method. Could you show the full ansible log?
Here's the latest log. I have also sent you the contents of credentials.yml separately if you want to reproduce using the TPP instance I am trying with.
ansible-error2.txt
Hm, @sitaramkm, unfortunately I can't reproduce it. Could you try to enroll the same certificate using the vcert binary utility? https://github.com/Venafi/vcert/releases
I am not doing anything special. When you say you are unable to reproduce, I am assuming you tried with my TPP server, credentials.yml and sample playbook.
I tried quickly with VCert on my setup, and it looks like it works fine for the same configuration:
osboxes@osboxes:~/Downloads$ ./vcert-cli
Enter password for tppadmin:*****************
Enter key pass phrase:********
Verifying - Enter key pass phrase:********
vCert: 2019/11/10 20:48:12 Successfully connected to TPP
vCert: 2019/11/10 20:48:12 Successfully read zone configuration for Certificates\\AWS\\Kubernetes
vCert: 2019/11/10 20:48:12 Successfully created request for first-time.venafi.example
vCert: 2019/11/10 20:48:13 Successfully posted request for first-time.venafi.example, will pick up by \VED\Policy\Certificates\AWS\Kubernetes\first-time.venafi.example
vCert: 2019/11/10 20:48:13 Issuance of certificate is pending...
vCert: 2019/11/10 20:48:18 Successfully retrieved request for \VED\Policy\Certificates\AWS\Kubernetes\first-time.venafi.example
-----BEGIN CERTIFICATE-----
And here's the command I ran (vcert-cli is just a script with the following command):
~/Downloads/vcert_linux enroll -tpp-url https://<<REPLACE_WITH_TPP-Instance>>/vedsdk/ -tpp-user <<REPLACE_WITH_TPP_USER>> -z "Certificates\\\\AWS\\\\Kubernetes" -cn first-time.venafi.example
@sitaramkm Sorry, I didn't realise you have a public instance. I found the issue: it's because we are setting OU to Organization Unit: ['Cloud Automation']. Will fix it today.
@sitaramkm Looks like a proper fix will take more time than we expected, a week or two. I published a quick workaround which sets the OU field to the first value of the list; unfortunately it means that for now ansible can use only one OU field. Please try now with the updated version and vcert-python >= 0.6.8.
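The two failures in this thread (first the policy rejecting a CN-only request for its Organization, then rejecting the OU once it was copied from the zone as a list) come down to one client-side step: merging policy-locked subject fields from the zone configuration into the request before posting it, with every value as a single string. The following is an added example that is not vcert-python's or the ansible module's code; ZoneConfig, CertRequest, update_from_zone_config, tpp_policy_check, enroll, the sample zone values and the non-OU error strings are all hypothetical, and the policy check only models what TPP enforces server-side.

```python
# Added example, not vcert-python's or the ansible module's own code.
# Models (with hypothetical names) filling policy-locked subject fields
# from a TPP zone configuration, and why an OU sent as a list is rejected
# while the "first value as a string" workaround passes.
from dataclasses import dataclass, field
from typing import List, Optional, Union


@dataclass
class ZoneConfig:
    """Subject values the TPP policy locks for a zone (constructed sample)."""
    organization: Optional[str] = None
    org_units: List[str] = field(default_factory=list)
    locality: Optional[str] = None
    province: Optional[str] = None
    country: Optional[str] = None


@dataclass
class CertRequest:
    """The request a minimal playbook builds: often only a CN."""
    common_name: str
    organization: Optional[str] = None
    # Typed loosely on purpose: the bug in the thread was assigning a list here.
    organizational_unit: Union[str, List[str], None] = None
    locality: Optional[str] = None
    province: Optional[str] = None
    country: Optional[str] = None


def update_from_zone_config(req: CertRequest, zone: ZoneConfig,
                            first_ou_only: bool = True) -> CertRequest:
    """Fill every subject field the request left empty from the zone.

    first_ou_only=True is the published workaround (OU becomes the first
    zone OU as a string); False reproduces the bug (OU becomes the list).
    """
    req.organization = req.organization or zone.organization
    req.locality = req.locality or zone.locality
    req.province = req.province or zone.province
    req.country = req.country or zone.country
    if req.organizational_unit is None and zone.org_units:
        req.organizational_unit = (zone.org_units[0] if first_ou_only
                                   else list(zone.org_units))
    return req


def tpp_policy_check(req: CertRequest, zone: ZoneConfig) -> List[str]:
    """Hypothetical model of the server-side check: each locked field must
    match exactly, and the OU must be one string drawn from the permitted OUs.
    Only the OU message text is taken from the thread; the others are assumed."""
    errors = []
    for label, got, want in (
        ("Organization", req.organization, zone.organization),
        ("City", req.locality, zone.locality),
        ("State", req.province, zone.province),
        ("Country", req.country, zone.country),
    ):
        if want is not None and got != want:
            errors.append(f"{label} value violates policy and cannot be used")
    if zone.org_units:
        ou = req.organizational_unit
        if not isinstance(ou, str) or ou not in zone.org_units:
            errors.append("Organizational Unit value violates policy and cannot be used")
    return errors


# Constructed zone resembling the one in the thread: O/L/ST/C locked, one OU.
SAMPLE_ZONE = ZoneConfig(organization="Example Org", org_units=["Cloud Automation"],
                         locality="Example City", province="Example State", country="US")


def enroll(zone: ZoneConfig, common_name: str, merge: bool,
           first_ou_only: bool = True) -> List[str]:
    """Build a CN-only request, optionally merge the zone config, and return
    the policy errors the (modelled) server would raise; empty means accepted."""
    req = CertRequest(common_name=common_name)
    if merge:
        update_from_zone_config(req, zone, first_ou_only)
    return tpp_policy_check(req, zone)


if __name__ == "__main__":
    cn = "first-time.venafi.example"
    print("no merge:       ", enroll(SAMPLE_ZONE, cn, merge=False))
    print("merge, OU list: ", enroll(SAMPLE_ZONE, cn, merge=True, first_ou_only=False))
    print("merge, first OU:", enroll(SAMPLE_ZONE, cn, merge=True))
```

Running it shows the same progression as the thread: the CN-only request fails on Organization (and every other locked field), merging with the OU as a list fails only on the OU, and taking the first OU as a string is accepted. The limitation arykalin mentions follows directly: with `first_ou_only=True` a zone with several permitted OUs can only ever yield the first one.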
PROBLEM SUMMARY Tried a simple scenario with Ansible playbook and I am seeing an Organization error. I believe everything on the Venafi side is setup correctly. Not sure how to fix the org error.
STEPS TO REPRODUCE Here's the complete steps on a clean machine
create credentials file (credentials.yml) Contents below
Create sample playbook (sample.yml) Contents below
Optionally, encrypt the credentials file with ansible vault (will leave it for testing, for now.)
EXPECTED RESULTS No errors and a certificate issuance from Venafi.
ACTUAL RESULTS
ENVIRONMENT DETAILS Venafi TPP 19.3; Ansible setup on Ubuntu 19.10
COMMENTS/WORKAROUNDS Don't know if it has something to do with TPP or if I am not sending enough information in my playbook. I am trying to provide as minimal information as possible in the playbook.
ansible-error.txt