fortinet-ansible-dev / ansible-galaxy-fortios-collection

GNU General Public License v3.0

Add certname parameter to monitor selector import.vpn-certificate.ca #215

Open oelu opened 1 year ago

oelu commented 1 year ago

When importing a file certificate with the monitor selector: import.vpn-certificate.ca (1) it is not possible to specify a name for the imported certificate. Instead the FortiGate issues a name in the format CA_Cert_1, CA_Cert_2, ...

This makes it hard to reference said certificate in later scripts. I'd like to see an additional certname parameter in the REST API and Ansible library to set the name of the imported certificate. I am using FOS v7.2.3.

MaxxLiu22 commented 1 year ago

Hi @oelu ,

Thank you for raising this issue. The rename CA certificate function should be achieved by https://ansible-galaxy-fortios-docs-beta.readthedocs.io/en/latest/gen/fortios_certificate_ca.html, but there is a conflict since the argument "name" is also used as a key to locate the certificate. I will report it to the development team for further investigation. For now I suggest using the GUI or the CLI command FortiGate-201E (ca) # rename CA_Cert_1 to import.vpn-certificate.ca as a temporary solution. Sorry for any inconvenience.

Thanks, Maxx

jantari commented 5 months ago

Hello, is there an update on this?

Maybe this can be solved with an action: rename setting, like this:

- name: Rename certificate
  fortios_certificate_ca:
    vdom: "{{ vdom }}"
    access_token: "{{ access_token }}"
    action: rename
    self: CA_Cert_1
    to: MyFavoriteCert

Actually, I can see on FNDN that the POST /vpn.certificate/ca API already supports an action parameter, but only for action: clone. Adding action: rename to this API would be great, pleaseeee :)

EDIT: Ok I attempted to "rename" by just cloning and then deleting the original, but I could not get it to work:

- name: Attempt CA rename
  fortios_json_generic:
    vdom: "{{ vdom }}"
    access_token: "{{ fortios_access_token }}"
    json_generic:
      method: POST
      path: /api/v2/cmdb/vpn.certificate/ca
      dictbody:
        name: CA_Cert_1
      specialparams: 'action=clone&nkey=MyFavoriteCert'

results in a 405:

fatal: [devicename]: FAILED! => changed=false
  meta:
    action: clone
    build: 601
    http_method: POST
    http_status: 405
    name: ca
    path: vpn.certificate
    serial: <my serial>
    status: error
    vdom: root
    version: v7.0.14
  msg: Unable to precess the request, please provide correct parameters and make sure the path exists.

and the httpsd debug logs on the forti say:

[httpsd 19921 - 1710773464     info] api_cmdb_request_init_by_path[1651] -- new CMDB query (path='vpn.certificate',name='ca')
[httpsd 19921 - 1710773464     info] handle_cli_req_v2[3006] -- no method found for requested action: clone
[httpsd 19921 - 1710773464     info] handle_cli_req_v2[3124] -- returning to original vdom "root"
[httpsd 19921 - 1710773464  warning] api_return_http_result[1272] -- API error 405 raised
[httpsd 19921 - 1710773464     info] fweb_debug_final[306] -- Completed POST request for "/api/v2/cmdb/vpn.certificate/ca" (HTTP 405)
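
Added example, not part of the thread or of the collection's code: a Python script that correlates httpsd debug lines like the ones quoted above by worker PID, so a failed REST call is tied to the reason the daemon logged for it. The line layout is assumed from the five lines in the comment, the sample input is constructed from them, and the names `summarize` and `explain` are hypothetical.

```python
import re

# Constructed sample input: the five httpsd debug lines quoted in the comment.
SAMPLE = """\
[httpsd 19921 - 1710773464     info] api_cmdb_request_init_by_path[1651] -- new CMDB query (path='vpn.certificate',name='ca')
[httpsd 19921 - 1710773464     info] handle_cli_req_v2[3006] -- no method found for requested action: clone
[httpsd 19921 - 1710773464     info] handle_cli_req_v2[3124] -- returning to original vdom "root"
[httpsd 19921 - 1710773464  warning] api_return_http_result[1272] -- API error 405 raised
[httpsd 19921 - 1710773464     info] fweb_debug_final[306] -- Completed POST request for "/api/v2/cmdb/vpn.certificate/ca" (HTTP 405)
"""

# Layout assumed from the sample: [httpsd PID - EPOCH LEVEL] func[line] -- message
LINE = re.compile(r"^\[httpsd (\d+) - (\d+)\s+(\w+)\] (\w+)\[(\d+)\] -- (.*)$")
QUERY = re.compile(r"new CMDB query \(path='([^']*)',name='([^']*)'\)")
NO_ACTION = re.compile(r"no method found for requested action: (\S+)")
DONE = re.compile(r'Completed (\w+) request for "([^"]+)" \(HTTP (\d+)\)')


def summarize(log_text):
    """Return one dict per completed request, correlated by httpsd worker PID."""
    pending, done = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not an httpsd debug line
        pid, ts, level, _func, _line, msg = m.groups()
        req = pending.setdefault(pid, {"pid": int(pid), "warnings": []})
        if level == "warning":
            req["warnings"].append(msg)
        if q := QUERY.search(msg):
            req["cmdb_path"], req["cmdb_name"] = q.groups()
        elif a := NO_ACTION.search(msg):
            req["unsupported_action"] = a.group(1)
        elif d := DONE.search(msg):
            req.update(ts=int(ts), method=d.group(1), url=d.group(2), status=int(d.group(3)))
            done.append(pending.pop(pid))  # request finished; emit its record
    return done


def explain(rec):
    """Describe a request outcome using only what the daemon logged."""
    line = f"{rec['method']} {rec['url']} -> HTTP {rec['status']}"
    if "unsupported_action" in rec:
        line += (f": no method found for action '{rec['unsupported_action']}' on "
                 f"{rec.get('cmdb_path')}/{rec.get('cmdb_name')}")
    return line


if __name__ == "__main__":
    for record in summarize(SAMPLE):
        print(explain(record))
```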