vmware_tag_manager ignores validate_certs: no

[jaydabi]

SUMMARY

validate_certs: no is ignored and throws certificate verify failed

Other modules, like vmware_guest and vmware_guest_disk seem to be unaffected.

ISSUE TYPE

• Bug Report

COMPONENT NAME

vmware_tag_manager

ANSIBLE VERSION

ansible [core 2.11.6]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ansible/.local/lib/python3.9/site-packages/ansible
  ansible collection location = /home/ansible/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ansible/.local/bin/ansible
  python version = 3.9.10 (main, Mar  2 2022, 04:23:34) [GCC 10.2.1 20210110]
  jinja version = 3.0.3
  libyaml = True

COLLECTION VERSION

# /home/ansible/.local/lib/python3.9/site-packages/ansible_collections
Collection       Version
---------------- -------
community.vmware 1.14.0

# /home/ansible/.ansible/collections/ansible_collections
Collection       Version
---------------- -------
community.vmware 2.1.0

CONFIGURATION

OS / ENVIRONMENT

Docker Container with python:3.9 based on Debian 11

STEPS TO REPRODUCE

Just add a tag to an existing VM.

- name: Add tag to virtual machine
  community.vmware.vmware_tag_manager:
    tag_names:
      - "exampletag"
    object_name: "{{ vm_hostname }}"
    object_type: VirtualMachine
    state: add
    validate_certs: no
  delegate_to: localhost

EXPECTED RESULTS

Self-signed certificate will be accepted and task will proceed.

ACTUAL RESULTS

Task fails to execute due to certificate verify failed error.

fatal: [localhost -> localhost]: FAILED! => {"changed": false, "msg": "Failed to connect to vCenter or ESXi API at vcenter.local:443 due to SSL verification failure : HTTPSConnectionPool(host='vcenter.local', port=443): Max retries exceeded with url: /api (Caused by SSLError(SSLError(\"bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])\")))"}

[Akasurde]

@jaydabi Thanks for reporting this issue. This is due to the fact that vmware_tag_manager uses vSphere Automation SDK for Python to deal with VMware Tag functionality. You need to have requests version 3.0 or greater as discussed here.

Can you please upgrade requests version and let us know if this solution works for you? Thanks,

[jaydabi]

Thanks for getting back so fast, @Akasurde .

As I understand, requests version 3.x is not released yet. I will try your suggestion as soon as the version will be officially released by the maintainer. I will respond to this issue as soon as I tested the new requests version.

For now, I will just add the affected certificate to the ca-certificate store of the container to workaround the issue.

[Akasurde]

@jaydabi Thanks. I will keep this issue open.

[MTWiley]

Seeing the same/similar behavior in the vmware_guest_cross_vc_clone as well and have noticed that a few other modules have had or have open issues for various SSL issues.

[mariolenz]

Is this still an open issue?

[jaydabi]

From my perspective, it is still open.

The suggested fix is to use requests>=3.0, but this version is still not officially released. Latest release right now is v2.28.2 ( https://github.com/psf/requests/releases )

[mariolenz]

I really don't understand this. I'm sure I've used the module without any problems on vCenter servers with a self-signed certificate.

And, anyway, to the best of my knowledge the integration tests run with self-signed certificates and validate_certs: false. But they don't fail.

This is really odd, I don't think I understand the problem.

[noesberger]

Hi, I have exactly the same issue.

  "msg": "Failed to connect to vCenter or ESXi API at xxx:443 due to SSL verification failure : HTTPSConnectionPool(host='xxx', port=443): Max retries exceeded with url: /api (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))",

other modules worked fine to the same endpoint.

Automation SDK Version: vsphere-automation-sdk-python@v8.0.1.0

[noesberger]

I just found out, that when the variable REQUESTS_CA_BUNDLE is set, then the task is failing otherwise not. We use this variable to configure our internal CA Certificates. Can you confirm as well, that when "REQUESTS_CA_BUNDLE" is configured the task is ignoring the validate_certs: false.