fortinet-ansible-dev / ansible-galaxy-fortios-collection

GNU General Public License v3.0

There must be at least 1 server certificate configured #299

Closed arnoldthebat closed 3 months ago

arnoldthebat commented 4 months ago

Using fortinet.fortios.fortios_firewall_vip - version 2.3.5

Attempting to add in a VIP of type 'server-load-balance'

Code snippet:

- name: Configure Virtual Servers.
  fortinet.fortios.fortios_firewall_vip:
    vdom: "{{ vdom }}"
    state: "present"
    access_token: "{{ fortigate_access_token }}"
    enable_log: true
    firewall_vip:
      extintf: any
      extip: "{{ fortigate_vip_extip }}"
      extport: "{{ fortigate_vip_extport }}"
      http_ip_header: enable
      http_multiplex: enable
      name: "{{ fortigate_vip_name }}"
      server_type: https
      ldb_method: static
      type: server-load-balance
      ssl_mode: full
      ssl_certificate: 'my_cert'
      monitor:
        - name: 'health check'
      realservers: "{{ vip_entries }}"

Error: There must be at least 1 server certificate configured.\nattribute set operator error, -56, discard the setting\nCommand fail

Setting the following on the FW:

diag deb en
diag deb cli 8

On the CLI, the last command we see is unset ssl-certificate and then abort with error 56.

For ref, setting the server_type to http and then running the above works. The certificate won't get set, of course.

Also see: https://stackoverflow.com/questions/77959671/ansible-fortigate-vip-configuration-with-ssl-certificate for another user experiencing the same issue

Tried 2.3.5 - 2.3.3 versions of the collection with the same output error

Setting the cert manually after changing the type to https, and adding in the certs allows subsequent changes to be made to the VIP. Any cert changes however are ignored.

Note that this fails on FortiOS 7.4.3 but works on FortiOS 7.2.7, so it is related to a small change in the payload, since in 7.4.3 it's changed to an array:

FortiOS 7.4.3

    ssl-certificate :
        0 :
            name : "my_cert"

FortiOS 7.2.7

    ssl-certificate :
        q_origin_key : "my_cert"

MaxxLiu22 commented 4 months ago

Hi @arnoldthebat ,

Thank you for raising this issue. You are right, the ssl-certificate data type changed from string to array since FortiOS 7.4.2. I will report it to the development team for fixing. Here is a temporary workaround solution for you; sorry for any inconvenience.

  - name: config firewall vip
    fortios_json_generic:
      vdom: '{{ vdom }}'
      json_generic:
        method: POST
        path: /api/v2/cmdb/firewall/vip
        jsonbody: '
                {
                    "extintf": "any",
                    "extip": "2.3.4.5",
                    "extport": "23",
                    "name": "vip_json2",
                    "server-type": "https",
                    "type": "server-load-balance",
                    "ssl-mode": "full",
                    "ssl-certificate": [
                        {
                            "name": "Fortinet_Factory"
                        }
                    ]
                }
          '
    register: info
  - name: display vars
    debug: msg="{{info}}"

Thanks, Maxx

JieX19 commented 3 months ago

Hi @arnoldthebat

Please install the latest version 2.3.6 and try this module again! I will close this ticket as the issue has been fixed in this version. Use the parameter 'ssl_certificate_dict' in your playbook if the FortiOS firmware version is >= 7.4.2.

https://ansible-galaxy-fortios-docs.readthedocs.io/en/latest/gen/fortios_firewall_vip.html

ssl_certificate_dict:
    - name: Fortinet_Factory
    - name: "Fortinet_Factory_Backup"

Thanks, Jie
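Added example (not code from the collection or from anyone in this thread): a small Python helper that builds the firewall/vip POST body with the ssl-certificate shape the firmware expects, a plain string before FortiOS 7.4.2 and an array of {"name": ...} objects from 7.4.2 on, as the thread describes. The 7.4.2 threshold is taken from Maxx's comment; the version-string formats, the build_vip_payload field set and the sample values are assumptions.

```python
"""Build a FortiOS firewall/vip payload with the version-appropriate
ssl-certificate shape. Added example, not part of the collection."""
import json
import re

# Release from which ssl-certificate is an array of {"name": ...} entries
# instead of a single string (per the maintainer's comment in the thread).
SSL_CERT_ARRAY_SINCE = (7, 4, 2)


def parse_fortios_version(version: str) -> tuple:
    """Turn strings such as 'v7.4.3', '7.2.7' or 'v7.4.3,build2573' into a tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {version!r}")
    return tuple(int(x) for x in m.groups())


def ssl_certificate_field(version: str, certs):
    """Return the ssl-certificate value in the shape this firmware expects."""
    names = [certs] if isinstance(certs, str) else list(certs)
    if not names:
        # The firmware rejects an https server-load-balance VIP without a
        # certificate (the error quoted in the issue), so fail before sending.
        raise ValueError("an https server-load-balance VIP needs at least one certificate")
    if parse_fortios_version(version) >= SSL_CERT_ARRAY_SINCE:
        return [{"name": n} for n in names]
    if len(names) > 1:
        raise ValueError("pre-7.4.2 firmware takes a single ssl-certificate string")
    return names[0]


def build_vip_payload(version, name, extip, extport, certs):
    """Assemble the POST body for /api/v2/cmdb/firewall/vip (the path the workaround uses)."""
    return {
        "name": name,
        "type": "server-load-balance",
        "server-type": "https",
        "ssl-mode": "full",
        "extintf": "any",
        "extip": extip,
        "extport": str(extport),
        "ssl-certificate": ssl_certificate_field(version, certs),
    }


if __name__ == "__main__":
    # Constructed sample input; the values mirror the workaround in the thread.
    for fw in ("v7.2.7", "v7.4.3"):
        body = build_vip_payload(fw, "vip_json2", "2.3.4.5", 23, "Fortinet_Factory")
        print(fw, json.dumps(body["ssl-certificate"]))
```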