ansible / ansible-modules-extras

Ansible extra modules - these modules ship with ansible

vmware_vm_facts: SSL: CERTIFICATE_VERIFY_FAILED #1414

Closed shockre closed 8 years ago

shockre commented 8 years ago

Hi all. I'm trying to collect facts from vCenter 5.5 VMs using vmware_vm_facts but keep getting: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)

ansible --version
ansible 2.1.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides

Ansible.cfg is unchanged, using this playbook to collect facts:

- hosts: 127.0.0.1
  connection: local
  user: root
  gather_facts: false

  tasks:
  - vmware_vm_facts:
      hostname: <hostname>
      username: <username>
      password: <password>

And here is the verbose output when running the above playbook:

ansible-playbook vmtest.yml -vvvv
Using /etc/ansible/ansible.cfg as config file
Loaded callback default of type stdout, v2.0

1 plays in vmtest.yml

PLAY ***************************************************************************

TASK [vmware_vm_facts username=<username> password=<password> hostname=<hostname>l] ***
task path: /etc/ansible/vmtest.yml:17

ESTABLISH LOCAL CONNECTION FOR USER: root

127.0.0.1 EXEC mkdir -p "$( echo $HOME/.ansible/tmp/ansible-tmp-1450695179.74-195295147196473 )" && echo "$( echo $HOME/.ansible/tmp/ansible-tmp-1450695179.74-195295147196473 )"

127.0.0.1 PUT /tmp/tmpAuX3GA TO /root/.ansible/tmp/ansible-tmp-1450695179.74-195295147196473/vmware_vm_facts

127.0.0.1 EXEC LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 /usr/bin/python /root/.ansible/tmp/ansible-tmp-1450695179.74-195295147196473/vmware_vm_facts; 
rm -rf "/root/.ansible/tmp/ansible-tmp-1450695179.74-195295147196473/" > /dev/null 2>&1

fatal: [127.0.0.1]: FAILED! => {"changed": false, "failed": true, "invocation": {"module_args": {"hostname": "<hostname>", "password": "<password>", "username": "<username>"}, "module_name": "vmware_vm_facts"}, "msg": "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)"}

PLAY RECAP *********************************************************************

127.0.0.1                  : ok=0    changed=0    unreachable=0    failed=1   

Proposed example at the end of "ansible-doc vmware_vm_fact" is not working by default, that should be corrected as well, IMHO.

This is running on CentOS 7 (no problems with SELinux), Python 2.7.5, PIP 7.1.2 including these packages: pyOpenSSL (0.15.1), pysphere (0.1.7).

I've been searching around for working examples of vmware_vm_facts but none had risen.

Thank you in advance! Ansible is one great product, keep up the magnificent work!

jhawkesworth commented 8 years ago

Not tried this myself but had something similar when testing the vmware inventory. I think you need to fetch the SSL certificate from your vcenter and put it on your ansible controller. From memory, by default vcenter comes with a default self-signed cert, so you'll either need that, or a proper matching cert. Can't recall the details but if I remember I searched and found a page telling me where vcenter keeps its self-signed cert and then copied that to the cert location on my controller.

Hope this helps.

Jon

shockre commented 8 years ago

Hi Jon and thanks for the tip. Tried appending certs to existing CA bundles without success. Ended up editing /usr/lib/python2.7/site-packages/pyVim/connect.py which bypassed the problem. I've added verify=False, one could also specify path to certificate file/dir as well but since this is for internal use I'm happy with this:

try:
    # verify=False in both branches: certificate verification is off for every connection
    if sslContext is not None and sslContext.verify_mode == ssl.CERT_NONE:
        sock = requests.get(url, verify=False)
    else:
        sock = requests.get(url, verify=False)

Hope this helps someone.

NOTE: Much more graceful solution is to set REQUESTS_CA_BUNDLE variable as described in http://docs.python-requests.org/en/latest/user/advanced/. This approach does not require any editing when upgrading.

export REQUESTS_CA_BUNDLE='/etc/pki/CA/certs/bundle.pem'
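
An added example, not part of the original thread or of pyVim: an edit like the one above sits in site-packages and turns verification off for every caller of that library on the host, so it helps to be able to find such edits. This sketch walks Python source with `ast` and reports calls and assignments that disable certificate verification; `find_disabled_verification`, `fetch` and both sample strings are constructed for illustration.

```python
import ast

# Constructed sample shaped like the edited fragment above, completed into a
# function so it parses. It is not the real pyVim source.
SAMPLE_PATCHED = '''
import ssl
import requests

def fetch(url, sslContext=None):
    if sslContext is not None and sslContext.verify_mode == ssl.CERT_NONE:
        sock = requests.get(url, verify=False)
    else:
        sock = requests.get(url, verify=False)
    return sock
'''

# Constructed sample: verification left on, trust anchored in a CA bundle.
SAMPLE_CLEAN = 'requests.get(url, verify="/etc/pki/CA/certs/bundle.pem")\n'


def find_disabled_verification(source, filename="<sample>"):
    """Return sorted (line, reason) pairs where TLS verification is turned off."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                # requests-style call carrying the literal verify=False
                if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is False):
                    findings.append((node.lineno, "verify=False"))
            if (isinstance(node.func, ast.Attribute)
                    and node.func.attr == "_create_unverified_context"):
                findings.append((node.lineno, "_create_unverified_context()"))
        elif isinstance(node, ast.Assign):
            # Assignment such as ctx.verify_mode = ssl.CERT_NONE. A comparison
            # against CERT_NONE (as in the sample) is not an assignment.
            sets_mode = any(isinstance(t, ast.Attribute) and t.attr == "verify_mode"
                            for t in node.targets)
            if (sets_mode and isinstance(node.value, ast.Attribute)
                    and node.value.attr == "CERT_NONE"):
                findings.append((node.lineno, "verify_mode = CERT_NONE"))
    return sorted(findings)


if __name__ == "__main__":
    for name, src in (("patched", SAMPLE_PATCHED), ("clean", SAMPLE_CLEAN)):
        print(name, find_disabled_verification(src))
```

Run it with an interpreter that can parse the files being scanned, since `ast.parse` raises `SyntaxError` on source written for a different Python major version.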

jhawkesworth commented 8 years ago

Ok, glad I was some help. This isn't really a problem with ansible per se, just general 'fun' of managing certificates then. Can you close off the issue now?

shockre commented 8 years ago

Sure, closing this one.

DavidGamba commented 8 years ago

Defining validate_certs is available as of: https://github.com/ansible/ansible/commit/fa13aa8c007ac7bb3534626d3312e05fee2c7190

The vmware_argument_spec indicates that this should be possible. https://github.com/ansible/ansible/blob/e5460d6a6e9cd8c134a8f391dd8cd844bc9c9660/lib/ansible/module_utils/vmware.py#L125

You require python > 2.7.9 for validate_certs=false to work.

@jhawkesworth how do you put a certificate in ansible's controller? Can't find the docs for that. Thanks!

hbokh commented 8 years ago

How to use the argument validate_certs? Since this is not working over here:

---
-
  hosts: localhost
  vars:
   - esxihosts:
     - esxi003
  tasks:

   - name: Gather facts on virtual machines
     local_action:
       module: vmware_vm_facts
       hostname: "{{ item }}"
       username: root
       password: password
       validate_certs: False
     with_items: "{{ esxihosts }}"

Ansible 2.1.0.0 // Python 2.7.11 // pyvmomi (6.0.0.2016.4)

DavidGamba commented 8 years ago

Your vars section is wrong. No need to use - for array entries, it is expecting key: value entries. Also, don't know if it matters, but I have false as lowercase.

hbokh commented 8 years ago

Thanks. "False / false / off", all are allowed. Deleting the vars and setting the hostname hard-coded makes no difference.

In the meantime I am using a dirty little hack found here: https://groups.google.com/d/msg/ansible-project/PNzzvbeT5hY/BwfgLOBIDAAJ

digennarot commented 8 years ago

tested and not working with

Python 2.7.9 ansible-playbook 2.1.1.0 pyvmomi (6.0.0.2016.4) or pyvmomi (5.5.0.2014.1.1)

jhawkesworth commented 8 years ago

@digennarot does your vcenter have a self-signed certificate? If so I'd expect python 2.7.9 or later to fail unless you import the cert, replace it with a trusted cert, or set validate_certs: False (or otherwise persuade python not to validate the cert).

gentunian commented 8 years ago

Not working for me either:

ansible-playbook 2.1.1.0 Successfully installed pyvmomi-6.0.0.2016.6 requests-2.11.1 six-1.10.0 Python 2.7.11

fatal: [localhost -> localhost]: FAILED! => {"changed": false, "failed": true, "invocation": {"module_args": {"cluster": null, "datacenter": "mydatacenter", "hostname": "hostname", "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "username": "user", "validate_certs": false, "vm_id": "vmName", "vm_id_type": "vm_name", "vm_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "vm_shell": "ifconfig", "vm_shell_args": " eth0 192.168.0.22", "vm_shell_cwd": "/tmp", "vm_shell_env": ["PATH=/bin"], "vm_username": "root"}, "module_name": "vmware_vm_shell"}, "msg": "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)"}

validate_certs is working great with vsphere_guest core module. I'm trying to provision a VM creating it with vsphere_guest and then setting IP with vmware_vm_shell and this last task fails.

EDIT: I think this should be opened. It's working with core module vsphere_guest but it isn't working with extra module vmware_vm_shell connecting to the same VSphere server.

jctanner commented 8 years ago

@gentunian please open a new issue.

gentunian commented 8 years ago

@jctanner thanks for your comment, in the process of creating it I found that the issue is already addressed: https://github.com/ansible/ansible-modules-extras/issues/2757

Bad search made by me I ended up here. Regards,