bigip_ssl_certificate & bigip_ssl_key are unable to upload Files
ISSUE TYPE
- Bug Report
COMPONENT NAME
bigip_ssl_certificate bigip_ssl_key
ANSIBLE VERSION
ansible 2.9.2
config file = /home/mkrsn/Documents/projects/git/loadbalancer/ansible.cfg
configured module search path = ['/home/mkrsn/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib64/python3.6/site-packages/ansible
executable location = /usr/lib/python-exec/python3.6/ansible
python version = 3.6.9 (default, Oct 16 2019, 13:19:58) [GCC 8.3.0]
PYTHON VERSION
Python 2.7.17
Python 3.6.9
BIGIP VERSION
Sys::Version
Main Package
Product BIG-IP
Version 15.1.0
Build 0.0.31
Edition Final
Date Thu Nov 21 05:44:00 PST 2019
CONFIGURATION
forks = 10
pipelining = True
deprecation_warnings = False
OS / ENVIRONMENT
Gentoo
SUMMARY
I've created an Ansible user on the BIG-IP with the following permissions:
- Common {role certificate-manager}
- dev int prod qa {role manager}
The part from my playbook:
...
- name: Manage Certs
  tags:
    - loadbalancer
    - loadbalancer-certs
  bigip_ssl_certificate:
    provider:
      server: "{{ loadbalancer_node }}"
      user: "{{ loadbalancer_user }}"
      password: "{{ loadbalancer_pwd }}"
      validate_certs: 'no'
      transport: 'rest'
    # strip the three-letter file extension (.crt) to get the object name
    name: "{{ item.crt | regex_replace('\\.[a-zA-Z]{3}$', '') }}"
    content: "{{ lookup('file', 'roles/bigip/files/certs/' + item.crt) }}"
    partition: 'Common'
    state: "{{ item.state }}"
  delegate_to: 127.0.0.1
  with_items:
    - "{{ loadbalancer_ssl }}"
...
I'm unable to upload certificates; it fails with '"msg": "Failed to upload the file."'
TASK [bigip : Manage Certs] ***************************************************************************************************************************************************************************************
task path: /home/mkrsn/Documents/projects/git/dodply_loadbalancer/roles/bigip/tasks/main.yml:204
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: mkrsn
<127.0.0.1> EXEC /bin/sh -c 'echo ~mkrsn && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/mkrsn/.ansible/tmp/ansible-tmp-1579091026.518771-163163371189597 `" && echo ansible-tmp-1579091026.518771-163163371189597="` echo /home/mkrsn/.ansible/tmp/ansible-tmp-1579091026.518771-163163371189597 `" ) && sleep 0'
Using module file /usr/lib64/python3.6/site-packages/ansible/modules/network/f5/bigip_ssl_certificate.py
<127.0.0.1> PUT /home/mkrsn/.ansible/tmp/ansible-local-18354i0mfiz_u/tmp0mudlurh TO /home/mkrsn/.ansible/tmp/ansible-tmp-1579091026.518771-163163371189597/AnsiballZ_bigip_ssl_certificate.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/mkrsn/.ansible/tmp/ansible-tmp-1579091026.518771-163163371189597/ /home/mkrsn/.ansible/tmp/ansible-tmp-1579091026.518771-163163371189597/AnsiballZ_bigip_ssl_certificate.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python3.6 /home/mkrsn/.ansible/tmp/ansible-tmp-1579091026.518771-163163371189597/AnsiballZ_bigip_ssl_certificate.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/mkrsn/.ansible/tmp/ansible-tmp-1579091026.518771-163163371189597/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
File "/tmp/ansible_bigip_ssl_certificate_payload_u1vefr9j/ansible_bigip_ssl_certificate_payload.zip/ansible/modules/network/f5/bigip_ssl_certificate.py", line 572, in main
File "/tmp/ansible_bigip_ssl_certificate_payload_u1vefr9j/ansible_bigip_ssl_certificate_payload.zip/ansible/modules/network/f5/bigip_ssl_certificate.py", line 324, in exec_module
File "/tmp/ansible_bigip_ssl_certificate_payload_u1vefr9j/ansible_bigip_ssl_certificate_payload.zip/ansible/modules/network/f5/bigip_ssl_certificate.py", line 347, in present
File "/tmp/ansible_bigip_ssl_certificate_payload_u1vefr9j/ansible_bigip_ssl_certificate_payload.zip/ansible/modules/network/f5/bigip_ssl_certificate.py", line 353, in create
File "/tmp/ansible_bigip_ssl_certificate_payload_u1vefr9j/ansible_bigip_ssl_certificate_payload.zip/ansible/modules/network/f5/bigip_ssl_certificate.py", line 458, in create_on_device
File "/tmp/ansible_bigip_ssl_certificate_payload_u1vefr9j/ansible_bigip_ssl_certificate_payload.zip/ansible/modules/network/f5/bigip_ssl_certificate.py", line 432, in upload_file_to_device
failed: [lb01.some-domain.tld -> 127.0.0.1] (item={'state': 'present', 'crt': 'sectigo_rsa_domain_validation_secure_server_ca.crt', 'key': '', 'chain': ''}) => {
    "ansible_loop_var": "item",
    "changed": false,
    "invocation": {
        "module_args": {
            "content": "-----BEGIN CERTIFICATE-----<SCHNIPP>-----END CERTIFICATE-----",
            "issuer_cert": null,
            "name": "sectigo_rsa_domain_validation_secure_server_ca",
            "partition": "Common",
            "provider": {
                "auth_provider": null,
                "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "server": "lb01a.some-domain.tld",
                "server_port": null,
                "ssh_keyfile": null,
                "timeout": null,
                "transport": "rest",
                "user": "ansible",
                "validate_certs": false
            },
            "state": "present"
        }
    },
    "item": {
        "chain": "",
        "crt": "sectigo_rsa_domain_validation_secure_server_ca.crt",
        "key": "",
        "state": "present"
    },
    "msg": "Failed to upload the file."
}
STEPS TO REPRODUCE
see above
EXPECTED RESULTS
Cert should be uploaded to BigIP
ACTUAL RESULTS
Cert upload is failing
"msg": "Failed to upload the file."
Hmm... if the Ansible user is Admin ("all-partitions {role admin}"), then the file upload is working.
Unfortunately, the admin role is the only role that works. Resource Admin isn't working.
bigip_ssl_key has exactly the same problem.
@mkrsn can you upload certificates using a user with "Resource Admin" via the web interface?
Yes, manually uploading the certificates works well, also with the role "certificate-manager".
In the meantime I've tested it on a BIG-IP v13; same problem here.
Works on BigIP v14 for me
Do you mean cert uploading works for you with "Resource Admin" via Ansible?
I don't understand "Resource Admin", but here is my code :)
Copy the key (or cert) onto my local machine (delegate_to: localhost), access it with lookup('file'):
- name: Add profile SSL key
  f5networks.f5_modules.bigip_ssl_key:
    name: "{{ item.name }}"
    state: "{{ item.state | default('present') }}"
    partition: "{{ item.partition | default(omit) }}"
    parent: "{{ item.parent | default(omit) }}"
    content: "{{ lookup('file', '/tmp/' + item.name + '.key') }}"
    provider: "{{ my_provider }}"
  loop: "{{ bigip_ssl_certificate }}"
Hmm... I'm using the f5networks Ansible collection, not the embedded module.
Using Ansible 2.9.6 with BIG-IP 12.1.2, and BIG-IP 14.1.2.6, I get the same error.
The F5 user used in Provider (connection to F5) is a "Resource Admin" on both F5s. Does the "Resource Admin" have sufficient access to upload certificates with the Ansible F5 modules?
Using Ansible 2.10.1 with BIG-IP 15.1.1.6, I am getting the same error. No user (admin/non-admin) is able to load the certs/keys.
Can this please be fixed or a workaround provided?
@erichyde , Resource Admin does not have enough access with the module to perform the action. This may have to do with requiring higher privileges to upload the file to the box before applying it.
Please attempt with an admin role and let me know if the issue persists.
@focrensh, I have tried with an admin user (all partitions) and am still facing the issue. Ansible 2.10.1 with BIG-IP 15.1.1.6.
@focrensh the Resource Admin HAS enough permission to upload certs. See https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-11-6-0/3.html
As I already mentioned: uploading via the WebUI as Resource Admin or Cert Manager works well, but NOT with the plugins. So this is an issue with the Ansible plugins.
And it would be really wonderful if finally someone from F5 would solve this issue. It's now a year old...
@mkrsn can you check the restjavad logs on the BIG-IP for this certificate upload? Also, test the iControl REST API calls for uploading the SSL cert/key with the required privileged user and share your findings.
Sorry, I can't; I have left the company. Currently I don't have any access to a BIG-IP.
And it would be nice if someone would remove the "Question" label. This is no question, it's a bug. Not sure why this was added -.-
It's not an issue with Ansible, IMO. Test the same manually with the iControl REST APIs with the same privileged user and share your findings.
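The REST check asked for in the two comments above, as an added diagnostic that is not part of the Ansible module or of F5's tooling: it logs in for a token and then pushes a certificate file through the iControl REST file-transfer endpoint that the module's upload step talks to (known from the module source, not from this thread), so the HTTP status shows whether a given role is refused at the upload step itself. The chunk size, the object name and the host/user values you pass in are assumptions.

```python
# Added diagnostic, not code from the Ansible module or F5: redoes the REST upload step alone.
import json
import ssl
import urllib.error
import urllib.request

CHUNK_SIZE = 1024 * 7168  # assumption: chunk size in the range the module uses


def content_ranges(total, chunk_size=CHUNK_SIZE):
    """(start, end, Content-Range) per chunk; end is exclusive, the header is inclusive."""
    ranges, start = [], 0
    while start < total:
        end = min(start + chunk_size, total)
        ranges.append((start, end, "%d-%d/%d" % (start, end - 1, total)))
        start = end
    return ranges


def _request(url, method, headers, body=None, verify=True):
    # verify=False mirrors the playbook's validate_certs: 'no'; keep True outside a lab
    ctx = None if verify else ssl._create_unverified_context()
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def get_token(host, user, password, verify=True):
    """Token login via /mgmt/shared/authn/login, as the module does for transport: rest."""
    body = json.dumps({"username": user, "password": password, "loginProviderName": "tmos"})
    status, data = _request("https://%s/mgmt/shared/authn/login" % host, "POST",
                            {"Content-Type": "application/json"}, body.encode(), verify)
    if status != 200:
        raise RuntimeError("login failed: HTTP %d %s" % (status, data[:200]))
    return json.loads(data.decode())["token"]["token"]


def upload(host, token, name, content, verify=True):
    """POST chunks to /mgmt/shared/file-transfer/uploads/<name> (the device stores the
    file under /var/config/rest/downloads/). Returns (HTTP status, reply text)."""
    url = "https://%s/mgmt/shared/file-transfer/uploads/%s" % (host, name)
    for start, end, crange in content_ranges(len(content)):
        headers = {"X-F5-Auth-Token": token, "Content-Type": "application/octet-stream",
                   "Content-Range": crange}
        status, data = _request(url, "POST", headers, content[start:end], verify)
        if status != 200:  # a 401/403 here means the role is refused at the upload step
            return status, data.decode(errors="replace")
    return 200, "uploaded"
```

Run `upload(host, get_token(host, user, password), "test.crt", open(path, "rb").read())` once with the Resource Admin or Cert Manager account and once as admin; a differing status isolates the upload step from the later install step.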
@mkrsn The comments were around permissions within the Ansible module. I understand the task outside of Ansible's context had privilege, but I do appreciate you linking to the docs. The Question label is added until a conclusive repro with logs is done. Some users in the thread above mentioned not being able to upload even with admin privileges as well, which seems like an anomaly in this case.
@erichyde / @Ankmat , do either of you have the logs @trinaths is requesting above?
A cert manager user ("par_manager" in the example below) is not allowed to "scp" a file to "/config/httpd/conf/ssl.crt/". So this issue is not with the Ansible module. Closing this issue.
######### failed when dest folder is "/config/httpd/conf/ssl.cert/"
~$ scp /home/tsomanchi/test_02.crt [email protected]:/config/httpd/conf/ssl.crt/test_02.crt
Password:
path not allowed
######### scp succeeded when dest folder is /var/tmp
~$ scp /home/tsomanchi/test_02.crt [email protected]:/var/tmp/test_02.crt
Password:
test_02.crt
I'm currently a bit speechless.
I'm talking about the transport method REST API and you're testing SCP? I'm talking about uploading SSL certs for a vServer and you're testing uploading an SSL cert for the Apache mgmt interface... directly into its ssl-cert dir (which is owned by the apache user)... with an unprivileged user... srsly?
lol... just lol
@mkrsn - I'm not testing SCP. I'm validating the user privileges to do that action.
Reopening this issue for further investigation.
Hi, please try upgrading to the latest version. Re-open if you still face the issue, thanks!
f5networks.f5_modules.bigip_ssl_certificate: unable to upload cert with "Cert Manager Role" (UI works well):
... "msg": "Failed to upload the file." ...
ansible [core 2.14.3]
f5networks.f5_modules 1.22.1