dell / dellemc-openmanage-ansible-modules

Dell OpenManage Ansible Modules
GNU General Public License v3.0

[BUG]: iDrac SSL CSR request fails #737

Open rht-jbittner opened 1 week ago

rht-jbittner commented 1 week ago

Bug Description

CSR generation with a key length of 4096 takes longer than with 2048, which is expected; however, the module returns a failure instead of waiting for it to finish. Changing the timeout did not help. I think (guessing here) that the problem is that iDRAC returns unexpected text (info about the longer processing time) and the module is not ready for that.

Component or Module Name

dellemc.openmanage.idrac_certificates

Ansible Version

Ansible 2.15.2

Python Version

Python 3.11.8

iDRAC/OME/OME-M version

Latest

Operating System

RHEL 9

Playbook Used

- name: Generate HTTPS certificate signing request
  dellemc.openmanage.idrac_certificates:
    idrac_ip: "{{ inventory_hostname }}"
    idrac_user: "{{ idrac_user }}"
    idrac_password: "{{ idrac_user_pw }}"
    command: "generate_csr"
    certificate_type: "HTTPS"
    certificate_path: "path/to/certificate"
    cert_params: "{{ idrac_cert_params }}"
    timeout: 120
  register: _idrac_csr
  delegate_to: localhost

Logs

{
  "msg": "HTTP Error 503: Service Unavailable",
  "error_info": {
    "error": {
      "@Message.ExtendedInfo": [
        {
          "Message": "The Generate CSR operation is taking longer duration than expected. Wait few minutes for the operation to complete and perform the Download CSR operation. For more information, see the iDRAC Redfish API Guide available on the support site.",
          "MessageArgs": [ " " ],
          "MessageArgs@odata.count": 1,
          "MessageId": "IDRAC.2.8.SYS537",
          "RelatedProperties": [],
          "RelatedProperties@odata.count": 0,
          "Resolution": "No response action is required.",
          "Severity": "Informational"
        }
      ],
      "code": "Base.1.12.GeneralError",
      "message": "A general error has occurred. See ExtendedInfo for more information"
    }
  },

Steps to Reproduce

Set iDRAC to use 4096 RSA keys for CSR.

You can do that via the command line: racadm set iDRAC.Security.CsrKeySize 4096

Run Ansible task to request CSR (dellemc.openmanage.idrac_certificates).

Expected Behavior

Generate CSR

Actual Behavior

Return info about the fact that it is gonna take more time. CSR is actually generated, but it takes longer.

Screenshots

No response

Additional Information

No response

rht-jbittner commented 4 days ago

A basic workaround for this issue is to use dellemc.openmanage.idrac_certificates and, when it fails, run a direct Redfish API command to download the CSR from iDRAC:

- name: Download CSR via Redfish API
  ansible.builtin.uri:
    url: "https://{{ inventory_hostname }}/redfish/v1/CertificateService/Actions/Oem/DellCertificateService.GetLastGeneratedCSR"
    method: POST
    status_code:
      - 200
    return_content: true
    headers:
      Content-Type: application/json
    body: "{{ {'CertificateCollection': {'@odata.id': '/redfish/v1/Managers/iDRAC.Embedded.1/NetworkProtocol/HTTPS/Certificates'}} | to_json }}"
    body_format: json
    user: "{{ idrac_user }}"
    password: "{{ idrac_user_pw }}"
    # TLS certificate verification of the iDRAC is disabled for this request
    validate_certs: false
  delegate_to: localhost
  register: idrac_csr_request
  # Retry until the response contains the generated CSR
  until: idrac_csr_request.json.CSRString is defined
  retries: 10
  delay: 5
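
One way a client could treat the 503 from the log as "still generating" and then poll as the workaround does. This is an added Python example, not code from this issue or from the dellemc.openmanage collection. The function names, the `download` callable and the raw body shape (`error` at the top level, without the module's `error_info` wrapper) are assumptions.

```python
import json
import time

# Suffix of the MessageId in the log above (IDRAC.2.8.SYS537).
PENDING_SUFFIX = ".SYS537"
# Constructed sample: raw Redfish error body trimmed from that log.
SAMPLE_PENDING = json.dumps({"error": {"@Message.ExtendedInfo": [
    {"MessageId": "IDRAC.2.8.SYS537", "Severity": "Informational"}]}})


def csr_still_generating(status, body):
    """True if a 503 body holds only the informational SYS537 notice."""
    if status != 503:
        return False
    try:
        info = json.loads(body)["error"]["@Message.ExtendedInfo"]
    except (ValueError, KeyError, TypeError):
        return False
    return isinstance(info, list) and bool(info) and all(
        isinstance(m, dict)
        and str(m.get("MessageId", "")).endswith(PENDING_SUFFIX)
        and m.get("Severity") == "Informational"
        for m in info)


def wait_for_csr(gen_status, gen_body, download, retries=10, delay=5,
                 sleep=time.sleep):
    """Return the CSR, polling download() while generation is pending.

    download is a hypothetical callable returning (status, body) for the
    GetLastGeneratedCSR request; retries/delay mirror the workaround.
    """
    if gen_status >= 400 and not csr_still_generating(gen_status, gen_body):
        raise RuntimeError(f"generate_csr failed: HTTP {gen_status}")
    for _ in range(retries):
        status, body = download()
        if status in (401, 403):
            # Stop instead of resending credentials the iDRAC rejected.
            raise PermissionError(f"download rejected: HTTP {status}")
        if status == 200:
            try:
                csr = json.loads(body).get("CSRString")
            except (ValueError, AttributeError, TypeError):
                csr = None
            if csr:
                return csr
        sleep(delay)
    raise TimeoutError(f"no CSRString after {retries} attempts")
```

Any other error from the generate request still fails immediately, so only the informational "taking longer" notice is converted into a wait.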