trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

"Build the server pair" fatal error when trying to update-users #589

Closed kevinwaddle closed 7 years ago

kevinwaddle commented 7 years ago

IP Address, CA pass, and usernames have been obscured.

OS / Environment

Ubuntu 16.04.2 LTS / Linode

Ansible version

ansible 2.2.0.0

Version of components from requirements.txt

Name: msrestazure
Version: 0.4.8
Summary: AutoRest swagger generator Python client runtime. Azure-specific module.
Home-page: https://github.com/Azure/msrestazure-for-python
Author: Microsoft Corporation
Author-email: UNKNOWN
License: MIT License
Location: /root/algo-master/env/lib/python2.7/site-packages
Requires: keyring, msrest, adal
---
Name: setuptools
Version: 36.0.1
Summary: Easily download, build, install, upgrade, and uninstall Python packages
Home-page: https://github.com/pypa/setuptools
Author: Python Packaging Authority
Author-email: distutils-sig@python.org
License: UNKNOWN
Location: /root/algo-master/env/lib/python2.7/site-packages
Requires: 
---
Name: ansible
Version: 2.2.0.0
Summary: Radically simple IT automation
Home-page: http://ansible.com/
Author: Ansible, Inc.
Author-email: info@ansible.com
License: GPLv3
Location: /root/algo-master/env/lib/python2.7/site-packages
Requires: PyYAML, setuptools, jinja2, paramiko, pycrypto
---
Name: dopy
Version: 0.3.5
Summary: Python client for the Digital Ocean API
Home-page: https://github.com/devo-ps/dopy
Author: Vincent Viallet
Author-email: vincent@devo.ps
License: The MIT License (MIT)
Location: /root/algo-master/env/lib/python2.7/site-packages
Requires: requests
---
Name: boto
Version: 2.47.0
Summary: Amazon Web Services Library
Home-page: https://github.com/boto/boto/
Author: Mitch Garnaat
Author-email: mitch@garnaat.com
License: MIT
Location: /root/algo-master/env/lib/python2.7/site-packages
Requires: 
---
Name: azure
Version: 2.0.0rc5
Summary: Microsoft Azure Client Libraries for Python
Home-page: https://github.com/Azure/azure-sdk-for-python
Author: Microsoft Corporation
Author-email: ptvshelp@microsoft.com
License: MIT License
Location: /root/algo-master/env/lib/python2.7/site-packages
Requires: azure-batch, azure-servicemanagement-legacy, azure-graphrbac, azure-storage, azure-mgmt, azure-servicebus
---
Name: msrest
Version: 0.4.1
Summary: AutoRest swagger generator Python client runtime.
Home-page: https://github.com/xingwu1/autorest/tree/python/ClientRuntimes/Python/msrest
Author: Microsoft Corporation
Author-email: UNKNOWN
License: MIT License
Location: /root/algo-master/env/lib/python2.7/site-packages
Requires: requests, certifi, chardet, requests-oauthlib, keyring, enum34, isodate
---
Name: six
Version: 1.10.0
Summary: Python 2 and 3 compatibility utilities
Home-page: http://pypi.python.org/pypi/six/
Author: Benjamin Peterson
Author-email: benjamin@python.org
License: MIT
Location: /root/algo-master/env/lib/python2.7/site-packages
Requires: 
---
Name: pyOpenSSL
Version: 17.0.0
Summary: Python wrapper module around the OpenSSL library
Home-page: https://pyopenssl.readthedocs.io/
Author: Hynek Schlawack
Author-email: hs@ox.cx
License: Apache License, Version 2.0
Location: /root/algo-master/env/lib/python2.7/site-packages
Requires: cryptography, six

Summary of the problem

When I try and update-users there is a fatal error on the "Build the server pair" step.

Steps to reproduce the behavior

Run ./algo for first time (works fine)
Run ./algo update-users

The way of deployment (cloud or local)

local

Expected behavior

No errors, new certs

Actual behavior

Fatal error

Full log

Enter the IP address of your server: (or use localhost for local installation)
: localhost

What user should we use to login on the server? (note: passwordless login required, or ignore if you're deploying to localhost)
[root]:

Do you want each user to have their own account for SSH tunneling?
[y/N]: N

Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)
[localhost]: ###.###.###.###

Enter the password for the private CA key:
[pasted values will not be displayed]
:

PLAY [localhost] ***************************************************************

TASK [Add the server to the vpn-host group] ************************************
changed: [localhost]

TASK [Wait until SSH becomes ready...] *****************************************
ok: [localhost -> localhost]

PLAY [User management] *********************************************************

TASK [setup] *******************************************************************
ok: [localhost]

TASK [Check the system] ********************************************************
changed: [localhost]

TASK [Ubuntu | Install prerequisites] ******************************************
skipping: [localhost]

TASK [Ubuntu | Configure defaults] *********************************************
skipping: [localhost]

TASK [FreeBSD / HardenedBSD | Install prerequisites] ***************************
skipping: [localhost]

TASK [FreeBSD / HardenedBSD | Configure defaults] ******************************
skipping: [localhost]

TASK [set_fact] ****************************************************************
skipping: [localhost]

TASK [Gather Facts] ************************************************************
ok: [localhost]

TASK [Ensure the algo ssh key exist on the server] *****************************
ok: [localhost]

TASK [Enable IPv6] *************************************************************
ok: [localhost]

TASK [Set facts if the deployment in a cloud] **********************************
ok: [localhost]

TASK [Generate password for the CA key] ****************************************
changed: [localhost -> localhost]

TASK [Define password facts] ***************************************************
ok: [localhost]

TASK [Define the commonName] ***************************************************
ok: [localhost]

TASK [ssh_tunneling : Ensure that the sshd_config file has desired options] ****
skipping: [localhost]

TASK [ssh_tunneling : Ensure that the algo group exist] ************************
skipping: [localhost]

TASK [ssh_tunneling : Ensure that the jail directory exist] ********************
skipping: [localhost]

TASK [ssh_tunneling : Ensure that the SSH users exist] *************************
skipping: [localhost] => (item=UserB) 
skipping: [localhost] => (item=UserA) 

TASK [ssh_tunneling : The authorized keys file created] ************************
skipping: [localhost] => (item=UserB) 
skipping: [localhost] => (item=UserA) 

TASK [ssh_tunneling : Generate SSH fingerprints] *******************************
skipping: [localhost]

TASK [ssh_tunneling : Fetch users SSH private keys] ****************************
skipping: [localhost] => (item=UserB) 
skipping: [localhost] => (item=UserA) 

TASK [ssh_tunneling : Change mode for SSH private keys] ************************
skipping: [localhost] => (item=UserB) 
skipping: [localhost] => (item=UserA) 

TASK [ssh_tunneling : Fetch the known_hosts file] ******************************
skipping: [localhost]

TASK [ssh_tunneling : Build the client ssh config] *****************************
skipping: [localhost] => (item=UserB) 
skipping: [localhost] => (item=UserA) 

TASK [ssh_tunneling : SSH | Get active system users] ***************************
skipping: [localhost]

TASK [ssh_tunneling : SSH | Delete non-existing users] *************************
skipping: [localhost] => (item=null) 

TASK [vpn : Ensure the pki directory does not exist] ***************************
skipping: [localhost]

TASK [vpn : Ensure the pki directories exist] **********************************
ok: [localhost -> localhost] => (item=ecparams)
ok: [localhost -> localhost] => (item=certs)
ok: [localhost -> localhost] => (item=crl)
ok: [localhost -> localhost] => (item=newcerts)
ok: [localhost -> localhost] => (item=private)
ok: [localhost -> localhost] => (item=reqs)

TASK [vpn : Ensure the files exist] ********************************************
changed: [localhost -> localhost] => (item=.rnd)
changed: [localhost -> localhost] => (item=private/.rnd)
changed: [localhost -> localhost] => (item=index.txt)
changed: [localhost -> localhost] => (item=index.txt.attr)
changed: [localhost -> localhost] => (item=serial)

TASK [vpn : Generate the openssl server configs] *******************************
ok: [localhost -> localhost]

TASK [vpn : Build the CA pair] *************************************************
ok: [localhost -> localhost]

TASK [vpn : Copy the CA certificate] *******************************************
ok: [localhost -> localhost]

TASK [vpn : Generate the serial number] ****************************************
ok: [localhost -> localhost]

TASK [vpn : Build the server pair] *********************************************
fatal: [localhost -> localhost]: FAILED! => {"changed": true, "cmd": "openssl req -utf8 -new -newkey ec:ecparams/prime256v1.pem -config openssl.cnf -keyout private/localhost.key -out reqs/localhost.req -nodes -passin pass:\"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\" -subj \"/CN=localhost\" -batch && openssl ca -utf8 -in reqs/localhost.req -out certs/localhost.crt -config openssl.cnf -days 3650 -batch -passin pass:\"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\" -subj \"/CN=localhost\" && touch certs/localhost_crt_generated", "delta": "0:00:00.013214", "end": "2017-06-07 16:23:11.801775", "failed": true, "rc": 1, "start": "2017-06-07 16:23:11.788561", "stderr": "Generating a 256 bit EC private key\nwriting new private key to 'private/localhost.key'\n-----\nUsing configuration from openssl.cnf\nError Loading extension section basic_exts\n140074873857688:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:324:group= name=unique_subject\n140074873857688:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:324:group=CA_default name=email_in_dn\n140074873857688:error:220A4076:X509 V3 routines:a2i_GENERAL_NAME:bad ip address:v3_alt.c:476:value=localhost\n140074873857688:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=subjectAltName, value=DNS:localhost,IP:localhost", "stdout": "", "stdout_lines": [], "warnings": []}

TASK [vpn : debug] *************************************************************
ok: [localhost] => {
    "fail_hint": [
        "Sorry, but something went wrong!", 
        "Please check the troubleshooting guide.", 
        "https://trailofbits.github.io/algo/troubleshooting.html"
    ]
}

TASK [vpn : fail] **************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "msg": "Failed as requested from task"}

PLAY RECAP *********************************************************************
localhost                  : ok=18   changed=4    unreachable=0    failed=1

jackivanov commented 7 years ago

The public IP address of your server should not be localhost

kevinwaddle commented 7 years ago

It isn't. I entered the actual public IP address there. Can you please reopen?

kevinwaddle commented 7 years ago

EXTRA_VARS is only using IP_subject_alt_name. If you add that to the update-users invocation of ansible-playbook (it is currently only using IP_subject) then it works.

kevinwaddle commented 7 years ago

Line 473:
ansible-playbook users.yml -e "server_ip=$server_ip server_user=$server_user ssh_tunneling_enabled=$ssh_tunneling_enabled IP_subject_alt_name=$IP_subject IP_subject=$IP_subject easyrsa_CA_password=$easyrsa_CA_password" -t update-users --skip-tags common
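The openssl error in the log above ("bad ip address ... value=localhost" for "subjectAltName, value=DNS:localhost,IP:localhost") is what happens when the IP part of the subjectAltName is not an IP address. The following pre-flight check is an added example, not part of algo's scripts: it validates the public IP before it is handed to ansible-playbook, so a missing or wrong IP_subject_alt_name fails with a clear message instead of deep inside the "Build the server pair" task. The function names is_ipv4 and build_san are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not algo's own code: validate the value that will become the
# IP: entry of the certificate's subjectAltName before openssl ever sees it.
# openssl's a2i_GENERAL_NAME rejects "IP:localhost" (see the log in this issue).

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS
  IFS=.
  set -- $1            # split the address into its four octets
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Build the subjectAltName value from the commonName ($1) and the public IP
# ($2). Fails instead of producing "IP:localhost" or "IP:" when the IP is
# missing or not an address, which is the situation that broke update-users.
build_san() {
  if ! is_ipv4 "$2"; then
    echo "IP_subject_alt_name must be the server's public IPv4 address, got '$2'" >&2
    return 1
  fi
  echo "DNS:$1,IP:$2"
}

# Usage in a wrapper script, assuming the same variable names as algo:
#   san=$(build_san "$IP_subject" "$IP_subject_alt_name") || exit 1
```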

kevinwaddle commented 7 years ago

Thank you Jack.