fortinet-solutions-cse / fortiosapi

Python library intended for use by configuration management systems working with Fortigate/Fortios devices (REST API)
https://fndn.fortinet.com
Apache License 2.0

HTTP -> HTTPS (via 302 redirect) does not disable certificate checking #36

Closed JonTheNiceGuy closed 3 years ago

JonTheNiceGuy commented 5 years ago

I am using the ansible_fgt_module libraries, and if I forget to specify https: True, and don't specify a port number, I get the following:

fatal: [localhost]: FAILED! => {
    "changed": false,
    "module_stderr": "/usr/local/lib/python3.6/dist-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\n  InsecureRequestWarning)\n/usr/local/lib/python3.6/dist-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\n  InsecureRequestWarning)\n/usr/local/lib/python3.6/dist-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\n  InsecureRequestWarning)\nTraceback (most recent call last):\n  File \"/home/spriggsj/.ansible/tmp/ansible-tmp-1549621114.0393393-176012617895562/AnsiballZ_fortios_log_syslogd_setting.py\", line 113, in <module>\n    _ansiballz_main()\n  File \"/home/spriggsj/.ansible/tmp/ansible-tmp-1549621114.0393393-176012617895562/AnsiballZ_fortios_log_syslogd_setting.py\", line 105, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/spriggsj/.ansible/tmp/ansible-tmp-1549621114.0393393-176012617895562/AnsiballZ_fortios_log_syslogd_setting.py\", line 48, in invoke_module\n    imp.load_module('__main__', mod, module, MOD_DESC)\n  File \"/usr/lib/python3.6/imp.py\", line 235, in load_module\n    return load_source(name, filename, file)\n  File \"/usr/lib/python3.6/imp.py\", line 170, in load_source\n    module = _exec(spec, sys.modules[name])\n  File \"<frozen importlib._bootstrap>\", line 618, in _exec\n  File \"<frozen importlib._bootstrap_external>\", line 678, in exec_module\n  File \"<frozen importlib._bootstrap>\", line 219, in _call_with_frames_removed\n  File 
\"/tmp/ansible_fortios_log_syslogd_setting_payload_lpcznfjs/__main__.py\", line 367, in <module>\n  File \"/tmp/ansible_fortios_log_syslogd_setting_payload_lpcznfjs/__main__.py\", line 358, in main\n  File \"/tmp/ansible_fortios_log_syslogd_setting_payload_lpcznfjs/__main__.py\", line 293, in fortios_log_syslogd\n  File \"/tmp/ansible_fortios_log_syslogd_setting_payload_lpcznfjs/__main__.py\", line 265, in login\n  File \"/usr/local/lib/python3.6/dist-packages/fortiosapi/fortiosapi.py\", line 193, in login\n    raise Exception('login failed')\nException: login failed\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}

If I specify https: True this play runs successfully.

I believe that the fortiosapi library is disabling HTTPS certificate checking when HTTPS is enabled, but not doing so when it is not enabled. Thus, when the HTTP 302 is fired, and it redirects to the HTTPS port, it should also disable HTTPS certificate checking.

I can't spot where in the code this is happening (I had a quick parse, but couldn't catch it), but it's worth noting.
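A preflight check for the situation in this report, where a play that omits https: True reaches the device over plain HTTP and is answered with a 302 to the HTTPS port. This is an added example, not part of the original comment and not code from fortiosapi or the Ansible module; `classify`, `probe`, `FakeDevice` and the loopback address are hypothetical names and constructed values.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


def classify(scheme, status, location):
    """Say what a response on the configured scheme means for the login step."""
    if status not in REDIRECTS or not location:
        return "no-redirect"
    if scheme == "http" and urlsplit(location).scheme == "https":
        # The device upgrades to TLS: set HTTPS explicitly in the play rather
        # than letting the login request start on plaintext HTTP.
        return "upgrade-to-https"
    return "other-redirect"


def probe(host, port=80, path="/", timeout=5):
    """Issue one plain-HTTP GET; http.client never follows redirects itself."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify("http", resp.status, resp.getheader("Location"))
    finally:
        conn.close()


class FakeDevice(BaseHTTPRequestHandler):
    """Constructed stand-in for a device that answers HTTP with a 302 to HTTPS."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", "https://127.0.0.1:8443" + self.path)
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


if __name__ == "__main__":
    server = HTTPServer(("127.0.0.1", 0), FakeDevice)  # loopback, random port
    threading.Thread(target=server.handle_request, daemon=True).start()
    print(probe("127.0.0.1", server.server_port))  # no credentials are sent
    server.server_close()
```

Running the probe before the play makes a missing https setting show up as an explicit result instead of a login failure buried in a traceback.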

killua1517 commented 4 years ago

Hi! I have the same problem with HTTPS certificate checking and I have tried to disable it, but I have not succeeded. How can I disable it?

Thanks!