Venafi / ansible-role-venafi

(END-OF-LIFE) Ansible Role that uses Venafi to streamline machine identity (certificate and key) acquisition.
Apache License 2.0

Getting ERROR:root:Unknown error format: {u'Error': u"Organization error. Organization value '' violates policy organization settings."} when running Ansible playbook with Venafi Role #9

Closed sitaramkm closed 4 years ago

sitaramkm commented 4 years ago

PROBLEM SUMMARY
Tried a simple scenario with Ansible playbook and I am seeing an Organization error. I believe everything on the Venafi side is set up correctly. Not sure how to fix the org error.

STEPS TO REPRODUCE
Here are the complete steps on a clean machine:

sudo pip install ansible vcert --upgrade
ansible-galaxy install venafi.ansible_role_venafi
cd ~
mkdir ansible
cd ansible 

Create credentials file (credentials.yml). Contents below:

osboxes@osboxes:~/ansible$ cat credentials.yml 
user: 'REPLACE_WITH_USERNAME'
password: 'REPLACE_WITH_PASSWORD'
url: 'https://REPLACE_WITH_TPP_SERVER/vedsdk/'
zone: "Certificates\\\\Tools\\\\Ansible"
trust_bundle: "/home/osboxes/ansible/venafi/REPLACE_WITH_FULL_CHAIN.crt"

Create sample playbook (sample.yml). Contents below:

osboxes@osboxes:~/ansible$ cat sample.yml 
---
- hosts: localhost
  roles:
    - role: venafi.ansible_role_venafi
      certificate_cert_dir: "/tmp/etc/ssl/{{ certificate_common_name }}"

Optionally, encrypt the credentials file with ansible-vault (will leave it for testing, for now).

Execute:

ansible-playbook sample.yml

EXPECTED RESULTS
No errors and a certificate issuance from Venafi.

ACTUAL RESULTS

<localhost> EXEC /bin/sh -c 'rm -f -r /home/osboxes/.ansible/tmp/ansible-tmp-1573342648.92-43424936517647/ > /dev/null 2>&1 && sleep 0'
fatal: [localhost -> localhost]: FAILED! => {
    "changed": false, 
    "module_stderr": "ERROR:root:Unknown error format: {u'Error': u\"Organization error. Organization value '' violates policy organization settings.\"}\nTraceback (most recent call last):\n  File \"/home/osboxes/.ansible/tmp/ansible-tmp-1573342648.92-43424936517647/AnsiballZ_venafi_certificate.py\", line 102, in <module>\n    _ansiballz_main()\n  File \"/home/osboxes/.ansible/tmp/ansible-tmp-1573342648.92-43424936517647/AnsiballZ_venafi_certificate.py\", line 94, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/osboxes/.ansible/tmp/ansible-tmp-1573342648.92-43424936517647/AnsiballZ_venafi_certificate.py\", line 40, in invoke_module\n    runpy.run_module(mod_name='ansible.modules.venafi_certificate', init_globals=None, run_name='__main__', alter_sys=False)\n  File \"/usr/lib/python2.7/runpy.py\", line 192, in run_module\n    fname, loader, pkg_name)\n  File \"/usr/lib/python2.7/runpy.py\", line 72, in _run_code\n    exec code in run_globals\n  File \"/tmp/ansible_venafi_certificate_payload_b8e1ad/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py\", line 647, in <module>\n  File \"/tmp/ansible_venafi_certificate_payload_b8e1ad/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py\", line 640, in main\n  File \"/tmp/ansible_venafi_certificate_payload_b8e1ad/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py\", line 391, in enroll\n  File \"/home/osboxes/.local/lib/python2.7/site-packages/vcert/connection_tpp.py\", line 145, in request_cert\n    \"DisableAutomaticRenewal\": \"true\"})\n  File \"/home/osboxes/.local/lib/python2.7/site-packages/vcert/connection_tpp.py\", line 97, in _post\n    return self.process_server_response(r)\n  File \"/home/osboxes/.local/lib/python2.7/site-packages/vcert/common.py\", line 495, in process_server_response\n    (r.status_code, r.request.url))\nvcert.errors.VenafiConnectionError: Server status: 400\n Response: 
https://orlando.venafidemo.com/vedsdk/certificates/request\n", 
    "module_stdout": "", 
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", 
    "rc": 1
}

PLAY RECAP ********************************************************************************************************************
localhost                  : ok=4    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

ENVIRONMENT DETAILS
Venafi TPP 19.3
Ansible setup on Ubuntu 19.10

COMMENTS/WORKAROUNDS
Don't know if it has something to do with TPP or if I am not sending enough information in my playbook. I am trying to provide as minimal information as possible in the playbook.

ansible-error.txt

sitaramkm commented 4 years ago

@arykalin I am not sure I know what "organization" means in TPP policy. I am going to find someone who knows TPP. I figured it must be something to do with TPP. Thanks for the quick response. Really appreciate it.

arykalin commented 4 years ago

@sitaramkm Sorry, it was my mistake. Usually we add functionality that gets the O, L, ST, and C values from TPP, but we forgot about it in this case. I'm working on a fix now.

arykalin commented 4 years ago

@sitaramkm Please update the Ansible module; you may also need to update vcert-python (if you don't have the latest version):

pip install vcert --upgrade

You need vcert version >= 0.6.7

sitaramkm commented 4 years ago

Thanks @arykalin. I see a new error, but it indicates progress. After your changes to read the zone config and update the request, I see "ERROR:root:Unknown error format: {u'Error': u'Organizational Unit value violates policy and cannot be used". Looks like now it's complaining about OU.

arykalin commented 4 years ago

Hmm, it's strange, because OU should be updated in the update_from_zone_config method. Could you show the full Ansible log?

sitaramkm commented 4 years ago

Here's the latest log. I have also sent you the contents of credentials.yml separately if you want to reproduce using the TPP instance I am trying with.

ansible-error2.txt

arykalin commented 4 years ago

Hm, @sitaramkm, unfortunately I can't reproduce it. Could you try to enroll the same certificate using the vcert binary utility? https://github.com/Venafi/vcert/releases

sitaramkm commented 4 years ago

I am not doing anything special. When you say you are unable to reproduce, I am assuming you tried with my TPP server, credentials.yml and sample playbook.

I tried quickly with VCert on my setup and it looks like it works fine for the same configuration:

osboxes@osboxes:~/Downloads$ ./vcert-cli
Enter password for tppadmin:*****************
Enter key pass phrase:********
Verifying - Enter key pass phrase:********
vCert: 2019/11/10 20:48:12 Successfully connected to TPP
vCert: 2019/11/10 20:48:12 Successfully read zone configuration for Certificates\\AWS\\Kubernetes
vCert: 2019/11/10 20:48:12 Successfully created request for first-time.venafi.example
vCert: 2019/11/10 20:48:13 Successfully posted request for first-time.venafi.example, will pick up by \VED\Policy\Certificates\AWS\Kubernetes\first-time.venafi.example
vCert: 2019/11/10 20:48:13 Issuance of certificate is pending...
vCert: 2019/11/10 20:48:18 Successfully retrieved request for \VED\Policy\Certificates\AWS\Kubernetes\first-time.venafi.example
-----BEGIN CERTIFICATE-----

And here's the command I ran (vcert-cli is just a script with the following command):

~/Downloads/vcert_linux enroll -tpp-url https://<<REPLACE_WITH_TPP-Instance>>/vedsdk/ -tpp-user <<REPLACE_WITH_TPP_USER>> -z "Certificates\\\\AWS\\\\Kubernetes" -cn first-time.venafi.example

arykalin commented 4 years ago

@sitaramkm Sorry, didn't realise you have a public instance. I found the issue: it's because we are setting OU to Organization Unit: ['Cloud Automation']. Will fix it today.

arykalin commented 4 years ago

@sitaramkm Looks like the normal fix will take more time than we expected, a week or two. I published a quick workaround which sets the OU field to the first value of the list; unfortunately it means that for now Ansible can use only one OU field. Please try now with the updated version and vcert-python >= 0.6.8.
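The mechanism the thread circles around (policy-locked subject fields such as O, OU, L, ST and C that must be filled from the zone configuration before the request is posted, and the defect where the policy's OU list was assigned wholesale) can be modelled in a few lines. The code below is an added illustration, not the vcert-python or ansible-role-venafi implementation; the `ZoneConfig` and `CertificateRequest` classes, the `policy_violations` pre-check and the sample zone values are all constructed for this example. The pre-check mirrors the server-side rejection seen in the issue so that a mismatch is caught locally instead of surfacing as a bare HTTP 400.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ZoneConfig:
    # Subject values a TPP policy folder locks for every request in the zone.
    # Assumed shape; a real zone config may carry more than these fields.
    organization: Optional[str] = None
    organizational_unit: List[str] = field(default_factory=list)
    city: Optional[str] = None
    province: Optional[str] = None
    country: Optional[str] = None


@dataclass
class CertificateRequest:
    common_name: str
    organization: Optional[str] = None
    organizational_unit: Optional[str] = None
    city: Optional[str] = None
    province: Optional[str] = None
    country: Optional[str] = None

    def update_from_zone_config(self, zone: ZoneConfig) -> "CertificateRequest":
        """Fill in subject fields the caller left empty from the zone policy.
        Explicit caller values are kept; policy values only fill gaps."""
        for attr in ("organization", "city", "province", "country"):
            if not getattr(self, attr) and getattr(zone, attr):
                setattr(self, attr, getattr(zone, attr))
        if not self.organizational_unit and zone.organizational_unit:
            # Workaround described in the thread: take only the first OU value
            # instead of assigning the whole list to a single-valued field.
            self.organizational_unit = zone.organizational_unit[0]
        return self


def legacy_ou_assignment(request: CertificateRequest, zone: ZoneConfig) -> CertificateRequest:
    """Reproduces the defect discussed above for comparison: the whole policy
    list ends up in the subject, effectively "['Cloud Automation']"."""
    request.organizational_unit = str(zone.organizational_unit)
    return request


def policy_violations(request: CertificateRequest, zone: ZoneConfig) -> List[str]:
    """Local pre-check of the request against the zone policy. Messages follow
    the wording TPP returned in this issue so they are easy to correlate."""
    problems: List[str] = []
    if zone.organization and request.organization != zone.organization:
        problems.append("Organization value '%s' violates policy organization settings."
                        % (request.organization or ""))
    if zone.organizational_unit and request.organizational_unit not in zone.organizational_unit:
        problems.append("Organizational Unit value violates policy and cannot be used")
    for attr, label in (("city", "City"), ("province", "State"), ("country", "Country")):
        want = getattr(zone, attr)
        if want and getattr(request, attr) != want:
            problems.append("%s value '%s' violates policy settings."
                            % (label, getattr(request, attr) or ""))
    return problems


def sample_zone() -> ZoneConfig:
    # Constructed sample standing in for a policy folder like Certificates\\Tools\\Ansible.
    return ZoneConfig(organization="Example Corp",
                      organizational_unit=["Cloud Automation", "Platform"],
                      city="Exampleville", province="Exampleshire", country="US")


if __name__ == "__main__":
    zone = sample_zone()
    req = CertificateRequest(common_name="first-time.venafi.example")
    print("before zone update:", policy_violations(req, zone))
    req.update_from_zone_config(zone)
    print("after zone update: ", policy_violations(req, zone))
    print(req)
```

Running the pre-check before posting is the practical takeaway: an empty `organization` or a stringified OU list is reported with the same message TPP would return, without a round trip to the server.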

tr1ck3r commented 4 years ago

Issue was addressed by https://github.com/Venafi/vcert-python/pull/25, https://github.com/Venafi/ansible-role-venafi/pull/10 and https://github.com/Venafi/ansible-role-venafi/pull/12.