ansible-collections / netapp.ontap

Ansible collection to support NetApp ONTAP configuration.
https://galaxy.ansible.com/netapp/ontap
GNU General Public License v3.0

netapp.ontap.na_ontap_user module with use_rest: always and validate_certs : true - "certificate verify failed" #149

Closed jf229 closed 8 months ago

jf229 commented 1 year ago

Summary

When adding use_rest: always with the na_ontap_user module I'm getting a bunch of certificate verify issues. If I remove that parameter and it just uses the default value I don't get any cert errors. Is it possible the REST SSL endpoints aren't set up correctly?

Component Name

netapp.ontap.na_ontap_user

Ansible Version

14:07:50 ansible 2.9.1
14:07:50   config file = /etc/ansible/ansible.cfg
14:07:50   configured module search path = [.../.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
14:07:50   ansible python module location = .../test/.env/lib/python2.7/site-packages/ansible
14:07:50   executable location = .../workspace/ansible-password-rotation-test/.env/bin/ansible
14:07:50   python version = 2.7.5 (default, May 27 2022, 11:27:32) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]

ONTAP Collection Version

collections:
  # Install netapp ontap collection from Ansible Galaxy.
  - name: netapp.ontap
    version: 22.2.0
  # Install git acp collections from Ansible Galaxy.
  - name: lvrfrc87.git_acp
    version: 1.1.3
  # Install slack collections from Ansible Galaxy.
  - name: community.general
    version: 3.5.0
  # Install netapp eseries santricity collection from Ansible Galaxy.
  - name: netapp_eseries.santricity
    version: 1.2.7
  # Install utils module from Ansible Galaxy
  - name: ansible.utils
    version: 2.4.2

ONTAP Version

XXX::> version
NetApp Release 9.8P16X2: Fri Dec 02 02:05:05 UTC 2022

XXX::> version
NetApp Release 9.10.1P3: Tue Apr 19 17:44:44 UTC 2022

Playbook

login: &login
  hostname: "{{ item }}.{{ dnsdomain }}"
  cert_filepath: "{{ cert_tower_path }}"
  key_filepath: "{{ key_tower_path }}"
  https: true
  validate_certs: true

- name: "Update password for {{ ansible_user }} account in netapp cluster"
  netapp.ontap.na_ontap_user:
    <<: *login
    state: present
    name: "{{ ansible_user }}"
    set_password: "{{ user_password }}"
    role_name: admin
    application: "ontapi,console,http"
    authentication_method: password
    vserver: "{{ item }}"
    use_rest: always
  tags: ansible_password
  loop: "{{ query('inventory_hostnames', 'all') }}"

Steps to Reproduce

When adding use_rest: always with the na_ontap_user module I'm getting a bunch of certificate verify issues. If I remove that parameter and it just uses the default value I don't get any cert errors.

Expected Results

When adding use_rest: always with the na_ontap_user module it should validate the SSL connection with the same logic that it uses when it works with the default use_rest: auto.

Actual Results

Cert verify errors - (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)'),))"

carchi8py commented 1 year ago

If your ONTAP API instance is using the default self-signed certificate you'll want to change validate_certs from true to false.

https://docs.ansible.com/ansible/devel/collections/netapp/ontap/na_ontap_user_module.html#parameter-validate_certs

jf229 commented 1 year ago

If your ONTAP API instance is using the default self-signed certificate you'll want to change validate_certs from true to false.

https://docs.ansible.com/ansible/devel/collections/netapp/ontap/na_ontap_user_module.html#parameter-validate_certs

Thanks for the reply Chris, these clusters are using internal CA signed certificates, not self signed. The certificate verification seems to work successfully when we don't specify 'use_rest: always' as it defaults to 'use_rest: auto' and I believe is using ZAPI to make the request due to the ONTAP version (mix of 9.7 + and 9.8 +). We have reported this through our netapp support contract channels and believe it is being looked at there as well.

jrgoldfinemiddleton commented 9 months ago

Any update on this @jf229? I seem to be encountering the same issue.

carchi8py commented 9 months ago

As a quick fix, setting

validate_certs: false

turns off the certificate verification in Python. There are a bunch of reasons why it might not be working: https://cheapsslweb.com/blog/ssl-certificate-verify-failed-error-in-python

jf229 commented 9 months ago

No other updates, we've had to revert to using use_rest: never as the user account creation didn't work in some cases with the default settings.

Also, I should note that we installed the CA cert into the Python CA cert file, which can be located with the following: python -c 'import certifi; print(certifi.where())'

jrgoldfinemiddleton commented 9 months ago

I was able to resolve the issue by specifying the CA certificates bundle via the environment directive. i.e.

environment:
  REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca-certificates.crt
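The two workarounds in this thread (installing the internal CA into certifi's bundle, and pointing REQUESTS_CA_BUNDLE at a system bundle) differ only in which file ends up being trusted. The script below is an added example, not code from the netapp.ontap collection or from either commenter; it mirrors the precedence requests applies when turning verify=True into a CA bundle path (REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then certifi) and loads the resolved bundle with the ssl module so you can confirm what Ansible's Python interpreter will actually trust. It assumes the module passes validate_certs straight through as requests' verify argument.

```python
import os
import ssl


def effective_verify(validate_certs, env=None, trust_env=True):
    """Return the value requests ends up using for verify=.

    Assumes the module passes validate_certs straight through as requests'
    verify argument.  Precedence follows requests' merge_environment_settings:
    an explicit False disables verification, otherwise REQUESTS_CA_BUNDLE,
    then CURL_CA_BUNDLE, else True (certifi's bundle via HTTPAdapter).
    """
    env = os.environ if env is None else env
    if not validate_certs:
        return False
    if trust_env:
        return env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE") or True
    return True


def describe_bundle(verify):
    """Load the resolved bundle the way HTTPAdapter.cert_verify would.

    Returns (path, ca_count); ca_count is None for a capath directory,
    since OpenSSL looks those up lazily by hash and reports 0 until used.
    Raises OSError on a missing path, as requests does.
    """
    if verify is False:
        return ("verification disabled", 0)
    if verify is True:
        try:
            import certifi  # requests' bundled default, if installed
            path = certifi.where()
        except ImportError:
            return ("certifi default (certifi not installed)", 0)
    else:
        path = verify
    if not os.path.exists(path):
        raise OSError("Could not find a suitable TLS CA certificate bundle, "
                      "invalid path: %s" % path)
    # PROTOCOL_TLS_CLIENT verifies by default but loads no system CAs, so the
    # count below reflects only what this bundle contributes.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if os.path.isdir(path):
        ctx.load_verify_locations(capath=path)
        return (path, None)
    ctx.load_verify_locations(cafile=path)
    return (path, ctx.cert_store_stats()["x509_ca"])


if __name__ == "__main__":
    for validate_certs in (True, False):
        print(validate_certs, describe_bundle(effective_verify(validate_certs)))
```

Run it inside the same virtualenv Ansible uses (the one under .env in the issue) so the certifi it finds is the one the module imports; a CA count of 0 after adding your internal CA means you edited a different bundle.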