dell / dellemc-openmanage-ansible-modules

Dell OpenManage Ansible Modules
GNU General Public License v3.0

[BUG]: SSL verification fails on hostname due to IP address use #588

Closed rht-jbittner closed 11 months ago

rht-jbittner commented 11 months ago

Bug Description

Hello,

with version 8.2.0 and newer our Ansible plays start to fail on SSL verification.

- name: Retrieve basic inventory of all devices
  dellemc.openmanage.ome_device_info:
    hostname: openmanage.example.com
    username: user
    password: some_password
  delegate_to: localhost

Fails with:

fatal: [openmanage.example.com -> localhost]: FAILED! => changed=false 
  msg: '<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for ''192.168.1.1''. (_ssl.c:1006)>'

However, curl https://openmanage.example.com works.

It looks like it translates the hostname to an IP address and then tries to connect to the IP address rather than the hostname, and it fails because the SSL certificates are for the hostname and not IP addresses.

Worked just fine with version 8.1.0.

Component or Module Name

any, above is just an example

Ansible Version

ansible core 2.15.2

Python Version

Python 3.11.5

iDRAC/OME/OME-M version

dell openmanage 3.x latest openmanage collection 8.2 and above

Operating System

RHEL 9, latest macOS

Playbook Used

Logs

fatal: [openmanage.example.com -> localhost]: FAILED! => changed=false msg: '<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for ''192.168.1.1''. (_ssl.c:1006)>'

Steps to Reproduce

Install latest openmanage collection and connect to openmanage hostname via SSL

Expected Behavior

works

Actual Behavior

fails on SSL validation

Screenshots

No response

Additional Information

No response

sachin-apa commented 11 months ago

@rht-jbittner please pass the param validate_certs : false to the module if you wish not to validate the certificates

- name: Retrieve basic inventory of all devices
  dellemc.openmanage.ome_device_info:
    hostname: openmanage.example.com
    username: user
    password: some_password
    validate_certs : false
  delegate_to: localhost

More details on Enable SSL certificate validation and Ignore SSL certificate validation

Closing this issue; please reopen if you still see an issue.

rht-jbittner commented 11 months ago

Hi @sachin-apa,

Thank you for your prompt response and providing a workaround for the SSL certificate validation issue. I appreciate your assistance in this matter.

While setting validate_certs: false does indeed allow us to proceed without encountering the SSL certificate verification failure, it's important to highlight that this is more of a workaround rather than a solution to the root cause of the problem.

The core issue is that Openmanage modules, in versions 8.2.0 and newer, appear to be resolving the hostname to an IP address and connecting to that IP address, triggering SSL certificate validation against the IP address rather than the original hostname (URL). As a result, even if the certificate is valid for the hostname, it fails validation due to the mismatch with the IP address.

I believe it would be beneficial to investigate why Openmanage modules/code is resolving the hostname to an IP address and address this behavior to align with SSL validation against the hostname, as intended. This would not only provide a more secure solution but also ensure that ome code is functioning as expected in handling SSL certificates.

I appreciate your attention to this matter and look forward to any further guidance or updates on resolving the root cause of the SSL certificate validation issue.

Thank you!
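
The name check behind the failure discussed above, as an added example that is not part of the original thread or the collection's code: a simplified stand-in for the verifier's name matching, run over a constructed `getpeercert()`-style dict, plus one way to connect to a pre-resolved address while still verifying the hostname. The names `SAMPLE_CERT`, `identity_matches` and `connect_verified` are hypothetical.

```python
import ipaddress
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns:
# a certificate issued for the DNS name only, with no IP address SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "openmanage.example.com"),),),
    "subjectAltName": (("DNS", "openmanage.example.com"),),
}


def _dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def identity_matches(cert, target):
    """True if `target` (the name the client verifies) is covered by the SANs."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return any(k == "DNS" and _dns_match(v, target) for k, v in sans)
    # An IP target is compared only with "IP Address" entries, never DNS ones.
    return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)


def connect_verified(hostname, address, port=443, timeout=10):
    """Connect to an already-resolved address but verify the cert for `hostname`."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    sock = socket.create_connection((address, port), timeout=timeout)
    try:
        # server_hostname drives both SNI and the certificate name check.
        return ctx.wrap_socket(sock, server_hostname=hostname)
    except Exception:
        sock.close()
        raise
```

`identity_matches(SAMPLE_CERT, "192.168.1.1")` is false while the hostname matches, which is the mismatch in the reported error; `connect_verified` keeps validation enabled instead of setting `validate_certs: false`.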

rht-jbittner commented 11 months ago

I cannot reopen the issue. Can you please do it, @sachin-apa?

rht-jbittner commented 11 months ago

@sachin-apa ^^

sachin-apa commented 11 months ago

@rht-jbittner The description seems to match issue #554. Please watch the other issue for more details.