elnappo / ansible-role-check-mk-agent

Ansible role for check_mk agent
MIT License

https support? #16

Open FleischKarussel opened 4 years ago

FleischKarussel commented 4 years ago

Hello @elnappo,

We just enabled HTTPS in front of the check_mk server (LB) and since then, the check_mk.py is not able to work anymore. Is this module tested against HTTPS or is HTTP the only operation mode by design?

Thanks in advance.

elnappo commented 4 years ago

It also works with HTTPS. Do you have a log message for me?

FleischKarussel commented 4 years ago

Alright, it seems to be related to certificate verification. Custom enterprise CA. Other ansible modules using this CA work fine, except the check_mk.py. I'll add more details on Monday.

FleischKarussel commented 4 years ago

Additional information:

Ubuntu 16.04
Ansible Tower 3.5.2
Ansible 2.8.3

Playbook:

- name: Add host to check_mk Server via WATO API and discover services
  check_mk:
    server_url: "{{ check_mk_agent_monitoring_host_url }}"
    username: "{{ check_mk_agent_monitoring_host_wato_username }}"
    secret: "{{ check_mk_agent_monitoring_host_wato_secret }}"
    hostname: "{{ inventory_hostname }}"
    folder: "{{ check_mk_agent_monitoring_host_folder }}"
    discover_services: refresh
    state: present
  delegate_to: localhost

Debug messages:

The full traceback is:
WARNING: The below traceback may not be related to the actual failure.

  File "/tmp/ansible_check_mk_payload_H8_kJc/__main__.py", line 155, in _api_request
    r = self._session.post(self._api_url + action, data=payload or {}, verify=self._module.params["validate_certs"])
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/sessions.py", line 572, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/sessions.py", line 524, in request
    resp = self.send(prep, **send_kwargs)
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/sessions.py", line 637, in send
    r = adapter.send(request, **kwargs)
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e…

"msg": "HTTPSConnectionPool(host='checkmk-dev01.mgmt.example.com', port=443): Max retries exceeded with url: /cmktest/check_mk/webapi.py?_username=automation&_secret=********&action=get_host&effective_attributes=1 (Caused by SSLError(SSLError(\"bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)\",),))

As I mentioned, i.e. the below playbook works fine, uses the same https://. AFAIK get_url also does verify certificates.

- name: download CheckMK Agent script from CheckMK Server and upload to destination host
  get_url:
    url: "{{ check_mk_agent_monitoring_host_url }}check_mk/agents/check_mk_agent.linux"
    dest: /usr/local/bin/check_mk_agent
    owner: root
    group: root
    mode: 0755

FleischKarussel commented 4 years ago

I just confirmed by setting validate_certs: False, then the playbook ran fine. Does the check_mk.py have no access to CAs because it's not an upstream module? Currently it's checked into the repo where the playbook resides.

elnappo commented 4 years ago

The module uses the requests library, like many other Ansible modules. It should respect your local certificate store. Could you please try this in your Python console?

import requests
url = "<your checkmk URL>"
r = requests.get(url)
r.status_code
r = requests.get(url, verify=True)
r.status_code
r = requests.get(url, verify=False)
r.status_code
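
A diagnostic for the question raised in this exchange, added here as an example that is not part of the original thread or of the role's code: it reports which CA bundle a `requests` call would verify against (explicit `verify` path, then `REQUESTS_CA_BUNDLE` / `CURL_CA_BUNDLE`, then the certifi bundle) and compares that with the paths Python's `ssl` module uses by default. The function names are hypothetical, and it assumes Python 3 with certifi optionally installed.

```python
"""Show which CA bundle a requests call would verify against (added example)."""
import os
import ssl

def certifi_bundle():
    """Path of certifi's CA file, or None when certifi is not installed."""
    try:
        import certifi
        return certifi.where()
    except ImportError:
        return None

def resolve_ca_source(verify=True, env=None, trust_env=True):
    """Mirror the precedence requests applies to `verify`; returns (source, path)."""
    env = os.environ if env is None else env
    if verify is False:
        return ("disabled", None)            # validate_certs: False ends up here
    if isinstance(verify, str):
        return ("verify argument", verify)   # explicit bundle path wins
    if trust_env:                            # Session.trust_env defaults to True
        for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
            if env.get(var):                 # empty values are ignored
                return (var, env[var])
    return ("certifi", certifi_bundle())

def system_ca_paths():
    """CA file and directory used by Python's ssl module defaults."""
    p = ssl.get_default_verify_paths()
    return {"cafile": p.cafile or p.openssl_cafile,
            "capath": p.capath or p.openssl_capath}

def report(verify=True, env=None):
    """Human-readable summary; run it in the same venv and user as the playbook."""
    source, path = resolve_ca_source(verify, env)
    system = system_ca_paths()
    lines = ["requests trust source: %s -> %s" % (source, path),
             "ssl default store: %(cafile)s / %(capath)s" % system]
    if source == "certifi" and path != system["cafile"]:
        lines.append("certifi bundle differs from the ssl default store: a CA "
                     "added only to the system store is not trusted by requests")
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
```

Running it both in the interactive shell and in the environment that executes the playbook shows whether the two see the same trust source, for example because `REQUESTS_CA_BUNDLE` is exported in one and not the other.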

FleischKarussel commented 4 years ago

Python 2.7.12 (default, Nov 12 2018, 14:36:49)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
url = "https://checkmk-dev01.mgmt.example.com"
>>> url = "https://checkmk-dev01.mgmt.example.com"
>>> r = requests.get(url)
>>> r.status_code
200
>>> r = requests.get(url, verify=True)
>>> r.status_code
200
>>> r = requests.get(url, verify=False)
/var/lib/awx/venv/ansible/local/lib/python2.7/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
>>> r.status_code
200

elnappo commented 4 years ago

Strange... Could you please post the debug output from the playbook run (one task should be enough)? e.g. ansible-playbook -i hosts playbook.yml -vvvv

Are you using a custom CA?