ansible-collections / community.vmware

Ansible Collection for VMware
GNU General Public License v3.0

vmware_tag_manager ignores validate_certs: no #1255

Open jaydabi opened 2 years ago

jaydabi commented 2 years ago
SUMMARY

validate_certs: no is ignored and throws certificate verify failed

Other modules, like vmware_guest and vmware_guest_disk seem to be unaffected.

ISSUE TYPE
COMPONENT NAME

vmware_tag_manager

ANSIBLE VERSION
ansible [core 2.11.6]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ansible/.local/lib/python3.9/site-packages/ansible
  ansible collection location = /home/ansible/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ansible/.local/bin/ansible
  python version = 3.9.10 (main, Mar  2 2022, 04:23:34) [GCC 10.2.1 20210110]
  jinja version = 3.0.3
  libyaml = True
COLLECTION VERSION
# /home/ansible/.local/lib/python3.9/site-packages/ansible_collections
Collection       Version
---------------- -------
community.vmware 1.14.0

# /home/ansible/.ansible/collections/ansible_collections
Collection       Version
---------------- -------
community.vmware 2.1.0
CONFIGURATION
OS / ENVIRONMENT

Docker Container with python:3.9 based on Debian 11

STEPS TO REPRODUCE

Just add a tag to an existing VM.

- name: Add tag to virtual machine
  community.vmware.vmware_tag_manager:
    tag_names:
      - "exampletag"
    object_name: "{{ vm_hostname }}"
    object_type: VirtualMachine
    state: add
    validate_certs: no
  delegate_to: localhost
EXPECTED RESULTS

Self-signed certificate will be accepted and task will proceed.

ACTUAL RESULTS

Task fails to execute due to certificate verify failed error.

fatal: [localhost -> localhost]: FAILED! => {"changed": false, "msg": "Failed to connect to vCenter or ESXi API at vcenter.local:443 due to SSL verification failure : HTTPSConnectionPool(host='vcenter.local', port=443): Max retries exceeded with url: /api (Caused by SSLError(SSLError(\"bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])\")))"}
Akasurde commented 2 years ago

@jaydabi Thanks for reporting this issue. This is due to the fact that vmware_tag_manager uses vSphere Automation SDK for Python to deal with VMware Tag functionality. You need to have requests version 3.0 or greater as discussed here.

Can you please upgrade requests version and let us know if this solution works for you? Thanks,

jaydabi commented 2 years ago

Thanks for getting back so fast, @Akasurde .

As I understand it, requests version 3.x is not released yet. I will try your suggestion as soon as the version is officially released by the maintainer. I will respond to this issue as soon as I have tested the new requests version.

For now, I will just add the affected certificate to the ca-certificates store of the container to work around the issue.

Akasurde commented 2 years ago

@jaydabi Thanks. I will keep this issue open.

MTWiley commented 2 years ago

Seeing the same/similar behavior in the vmware_guest_cross_vc_clone as well and have noticed that a few other modules have had or have open issues for various SSL issues.

mariolenz commented 1 year ago

Is this still an open issue?

jaydabi commented 1 year ago

From my perspective, it is still open.

The suggested fix is to use requests>=3.0, but this version is still not officially released. The latest release right now is v2.28.2 (https://github.com/psf/requests/releases).

mariolenz commented 1 year ago

I really don't understand this. I'm sure I've used the module without any problems on vCenter servers with a self-signed certificate.

And, anyway, to the best of my knowledge the integration tests run with self-signed certificates and validate_certs: false. But they don't fail.

This is really odd, I don't think I understand the problem.

noesberger commented 1 year ago

Hi, I have exactly the same issue.

  "msg": "Failed to connect to vCenter or ESXi API at xxx:443 due to SSL verification failure : HTTPSConnectionPool(host='xxx', port=443): Max retries exceeded with url: /api (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))",

Other modules worked fine against the same endpoint.

Automation SDK Version: vsphere-automation-sdk-python@v8.0.1.0

noesberger commented 1 year ago

I just found out that when the variable REQUESTS_CA_BUNDLE is set, the task fails; otherwise it does not. We use this variable to configure our internal CA certificates. Can you confirm as well that when "REQUESTS_CA_BUNDLE" is configured, the task ignores validate_certs: false?

t-readyroc commented 3 months ago

Thanks, @noesberger. I was having this same issue with the vmware_vm_info module, and updating my REQUESTS_CA_BUNDLE solved it for me.

rplueckh commented 2 months ago

For me, this combo works:

environment:
  VMWARE_VALIDATE_CERTS: false
  REQUESTS_CA_BUNDLE: ''
jwhite-ac commented 2 months ago

For me, this combo works:

environment:
  VMWARE_VALIDATE_CERTS: false
  REQUESTS_CA_BUNDLE: ''

This works (just REQUESTS_CA_BUNDLE with validate_certs: false in my case).

This would seem to be an issue with this specific module as none of the other VMware modules that I'm using have this problem. We have REQUESTS_CA_BUNDLE set in our local environment for other ansible plays, however this should not be overriding validate_certs: false.
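Why noesberger's REQUESTS_CA_BUNDLE finding and rplueckh's `REQUESTS_CA_BUNDLE: ''` workaround fit together, as an added illustration that is not part of this thread or of the collection's code: the function below is a simplified reimplementation of the precedence logic in requests 2.x `Session.merge_environment_settings` / `merge_setting` (not the library itself, and it does not import requests), and it assumes, as the symptoms suggest, that the vSphere Automation SDK disables verification at the Session level (`session.verify = False`) rather than per request. The bundle path and environment dicts are constructed sample values.

```python
from typing import Dict, Optional, Union

Verify = Union[bool, str, None]


def merge_setting(request_setting: Verify, session_setting: Verify) -> Verify:
    """Per-request value wins unless it is None (simplified copy of the
    non-mapping path of requests.sessions.merge_setting; not the library's code)."""
    if session_setting is None:
        return request_setting
    if request_setting is None:
        return session_setting
    return request_setting


def effective_verify(session_verify: Verify, request_verify: Verify = None,
                     env: Optional[Dict[str, str]] = None, trust_env: bool = True) -> Verify:
    """What requests 2.x hands to the adapter as `verify`.

    Precedence in Session.merge_environment_settings:
      1. when the per-request value is True or None, the env bundle
         (REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE) replaces it;
      2. only afterwards is the Session default (session.verify) merged in.
    Step 1 turns a None into a bundle path, so a Session-level False never wins.
    """
    env = {} if env is None else env
    verify = request_verify
    if trust_env and (verify is True or verify is None):
        verify = env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE") or verify
    return merge_setting(verify, session_verify)


# Constructed environments, as an Ansible task `environment:` block would set them.
ENV_WITH_BUNDLE = {"REQUESTS_CA_BUNDLE": "/etc/ssl/certs/internal-ca.pem"}  # failing case
ENV_BUNDLE_CLEARED = {"REQUESTS_CA_BUNDLE": ""}  # rplueckh's workaround


def demo() -> Dict[str, Verify]:
    return {
        # Assumed SDK style (session.verify = False) plus a bundle in the env: the
        # bundle wins, the self-signed vCenter cert is checked against it and fails.
        "session_false_env_set": effective_verify(False, env=ENV_WITH_BUNDLE),
        # An empty variable is falsy, so the lookup falls through to the Session default.
        "session_false_env_cleared": effective_verify(False, env=ENV_BUNDLE_CLEARED),
        # A per-request verify=False is never touched by the env lookup.
        "request_false_env_set": effective_verify(None, request_verify=False, env=ENV_WITH_BUNDLE),
        # Session(trust_env=False) is the other way to keep the env out of it.
        "trust_env_off": effective_verify(False, env=ENV_WITH_BUNDLE, trust_env=False),
    }


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case}: verify={value!r}")
```

The lasting fix used by jaydabi and t-readyroc, adding the vCenter certificate to the bundle REQUESTS_CA_BUNDLE points at, keeps verification on instead of relying on the empty-variable override.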