When executing Ansible via Vagrant the module setting validate_certs: False is ignored.
ISSUE TYPE
Bug Report
ANSIBLE VERSION
2.8.0
KATELLO/FOREMAN VERSION
1.21.3
NAILGUN VERSION
0.32.0
STEPS TO REPRODUCE
Execute Ansible via Vagrant against a self-signed Foreman with validate_certs set to False.
EXPECTED RESULTS
The module is executed properly.
ACTUAL RESULTS
Failed to connect to Foreman server: HTTPSConnectionPool(host='foreman.example.com', port=443): Max retries exceeded with url: /api/status (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))
CAUSE
This is because of how the verify flag is passed from Apypie into Pythons requests.
Right now the value for validate_certs is set as a property on the request object. When session.request() is executed it will do the following in merge_environment_settings in sessions.py:
Check the argument value for verify if it is None, which it is
Override the session property with the following environment variables:
REQUESTS_CA_BUNDLE
CURL_CA_BUNDLE (this is set by Vagrant to /opt/vagrant/embedded/cacert.pem)
The request is then made but with the session property of verify overridden.
SOLUTION
Pass the verify as an argument instead of setting it as merely a property on the session object. This will make sure it is honored properly when set to False even when there are environment variables.
SUMMARY
When executing Ansible via Vagrant the module setting
validate_certs: False
is ignored.ISSUE TYPE
ANSIBLE VERSION
KATELLO/FOREMAN VERSION
NAILGUN VERSION
STEPS TO REPRODUCE
Execute Ansible via Vagrant against a self-signed Foreman with
validate_certs
set toFalse
.EXPECTED RESULTS
The module is executed properly.
ACTUAL RESULTS
CAUSE
This is because of how the
verify
flag is passed from Apypie into Pythons requests.Right now the value for
validate_certs
is set as a property on the request object. Whensession.request()
is executed it will do the following inmerge_environment_settings
insessions.py
:verify
if it isNone
, which it is/opt/vagrant/embedded/cacert.pem
)The request is then made but with the session property of
verify
overridden.SOLUTION
Pass the
verify
as an argument instead of setting it as merely a property on the session object. This will make sure it is honored properly when set toFalse
even when there are environment variables.I have a PR here which does this in Apypie: https://github.com/Apipie/apypie/pull/25