bigip_ssl_key_cert error when replacing existing cert
COMPONENT NAME
bigip_ssl_key_cert
Environment
ANSIBLE VERSION
ansible [core 2.15.3]
config file = /Users/sudarshanv/Documents/Automation/UoM/F5_SSL_PROFILE/ansible.cfg
configured module search path = ['/Users/sudarshanv/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /Users/sudarshanv/Documents/Automation/UoM/F5_SSL_PROFILE/.venv/lib/python3.11/site-packages/ansible
ansible collection location = /Users/sudarshanv/Documents/Automation/UoM/F5_SSL_PROFILE
executable location = /Users/sudarshanv/Documents/Automation/UoM/F5_SSL_PROFILE/.venv/bin/ansible
python version = 3.11.3 (main, May 2 2023, 20:05:18) [Clang 14.0.3 (clang-1403.0.22.14.1)] (/Users/sudarshanv/Documents/Automation/UoM/F5_SSL_PROFILE/.venv/bin/python)
jinja version = 3.1.2
libyaml = True
BIGIP VERSION
Sys::Version
Main Package
Product BIG-IP
Version 16.1.3.4
Build 0.0.2
Edition Point Release 4
Date Mon Mar 20 14:38:17 PDT 2023
CONFIGURATION
OS / ENVIRONMENT
MacOS and Ansible Tower = Ansible Automation Platform Controller 4.4.1
SUMMARY
Module bigip_ssl_key_cert has an error when trying to replace an existing certificate. The stack trace reports "KeyError: 'sourcePath'"
STEPS TO REPRODUCE
The issue occurs when you try to replace a cert/key which was manually imported via the UI in the first place.
Step 1: Import the key and cert into the LB.
Step 2: Try to import the key and cert into the LB using the bigip_ssl_key_cert module.
Note: If the cert and key were originally imported via Ansible using the module, the error does not occur.
EXPECTED RESULTS
I would expect Ansible to say OK if the cert and key content has not changed, or import the new cert and key if it has.
ACTUAL RESULTS
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: KeyError: 'sourcePath'
fatal: [XXXXXXXXXXX -> localhost]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n File \"/Users/sudarshanv/.ansible/tmp/ansible-tmp-1694147006.214535-77424-22226097837846/AnsiballZ_bigip_ssl_key_cert.py\", line 107, in <module>\n _ansiballz_main()\n File \"/Users/sudarshanv/.ansible/tmp/ansible-tmp-1694147006.214535-77424-22226097837846/AnsiballZ_bigip_ssl_key_cert.py\", line 99, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/Users/sudarshanv/.ansible/tmp/ansible-tmp-1694147006.214535-77424-22226097837846/AnsiballZ_bigip_ssl_key_cert.py\", line 47, in invoke_module\n runpy.run_module(mod_name='ansible_collections.f5networks.f5_modules.plugins.modules.bigip_ssl_key_cert', init_globals=dict(_module_fqn='ansible_collections.f5networks.f5_modules.plugins.modules.bigip_ssl_key_cert', _modlib_path=modlib_path),\n File \"<frozen runpy>\", line 226, in run_module\n File \"<frozen runpy>\", line 98, in _run_module_code\n File \"<frozen runpy>\", line 88, in _run_code\n File \"/var/folders/xs/d85w4nh54flcz0q7pn008k540000gn/T/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload_c4g87xdw/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_ssl_key_cert.py\", line 822, in <module>\n File \"/var/folders/xs/d85w4nh54flcz0q7pn008k540000gn/T/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload_c4g87xdw/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_ssl_key_cert.py\", line 815, in main\n File \"/var/folders/xs/d85w4nh54flcz0q7pn008k540000gn/T/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload_c4g87xdw/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_ssl_key_cert.py\", line 410, in exec_module\n File 
\"/var/folders/xs/d85w4nh54flcz0q7pn008k540000gn/T/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload_c4g87xdw/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_ssl_key_cert.py\", line 424, in present\n File \"/var/folders/xs/d85w4nh54flcz0q7pn008k540000gn/T/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload_c4g87xdw/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_ssl_key_cert.py\", line 440, in update\n File \"/var/folders/xs/d85w4nh54flcz0q7pn008k540000gn/T/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload_c4g87xdw/ansible_f5networks.f5_modules.bigip_ssl_key_cert_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_ssl_key_cert.py\", line 740, in read_current_from_device\nKeyError: 'sourcePath'\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
This is related to the issue here:
https://github.com/F5Networks/f5-ansible/issues/2058
The proposed solution by @fairytaletrash actually works. Reposting the solution here for reference:
Modifying the method read_current_from_device in the file f5_modules/plugins/modules/bigip_ssl_key_cert.py, replacing response[sourcePath] with response[fullPath], resolved my issue locally.
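The failure mode and the workaround described in the report above, as an added example that is not part of the original post and is not the module's own code. The response dictionaries are constructed, and the `checksum` field with its `SHA1:<size>:<hex>` layout is an assumption used only to show the "ok if unchanged" result the reporter expects.

```python
import hashlib

# Constructed sample content; not a real certificate.
PEM = b"-----BEGIN CERTIFICATE-----\nconstructed-sample\n-----END CERTIFICATE-----\n"


def sha1_hex(data: bytes) -> str:
    # SHA-1 is used here for change detection only, not as a security control.
    return hashlib.sha1(data).hexdigest()


# Constructed device responses (assumed shape). The page only establishes that
# 'sourcePath' can be missing for GUI-imported objects while 'fullPath' exists.
ANSIBLE_IMPORTED = {
    "name": "test1",
    "fullPath": "/Common/test1",
    "sourcePath": "file:///constructed/path/test1",
    "checksum": "SHA1:%d:%s" % (len(PEM), sha1_hex(PEM)),  # hypothetical field
}
GUI_IMPORTED = {k: v for k, v in ANSIBLE_IMPORTED.items() if k != "sourcePath"}


def read_strict(response: dict) -> dict:
    """Failing pattern: indexes a key that is absent on GUI-imported objects."""
    return {"path": response["sourcePath"], "checksum": response["checksum"]}


def read_tolerant(response: dict) -> dict:
    """Workaround pattern from the page: read 'fullPath' instead."""
    return {"path": response["fullPath"], "checksum": response.get("checksum")}


def needs_update(current: dict, new_content: bytes) -> bool:
    """True when the local content differs from what the device reports."""
    reported = (current.get("checksum") or "").rsplit(":", 1)[-1]
    return reported != sha1_hex(new_content)


def plan(response: dict, new_content: bytes) -> str:
    """Return the task status an idempotent run would report."""
    current = read_tolerant(response)
    return "changed" if needs_update(current, new_content) else "ok"


if __name__ == "__main__":
    for label, resp in (("ansible", ANSIBLE_IMPORTED), ("gui", GUI_IMPORTED)):
        print(label, plan(resp, PEM), plan(resp, PEM + b"rotated"))
```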
Hi @SudarshanVK,
I tested to import cert and key via the GUI and after I tried the following playbook without any issue:
- hosts: all
  collections:
    - f5networks.f5_modules
  connection: local
  vars:
    provider:
      server: "X.X.X.X"
      user: "admin"
      password: "mysecretpassword"
      server_port: 443
      # TLS certificate verification for the connection to the BIG-IP is disabled
      validate_certs: no
      no_f5_teem: yes
  tasks:
    - name: Import both key and cert
      bigip_ssl_key_cert:
        key_content: "{{ lookup('file', 'key-selfsigned.key') }}"
        key_name: test1
        cert_content: "{{ lookup('file', 'cert-selfsigned.crt') }}"
        cert_name: test1
        state: present
        provider: "{{ provider }}"
      delegate_to: localhost
The output:
PLAY [all] *********************************************************************
TASK [Gathering Facts] *********************************************************
ok: [X.X.X.X]
TASK [Import both key and cert] ************************************************
changed: [X.X.X.X -> localhost]
PLAY RECAP *********************************************************************
X.X.X.X : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Does the task below work for removing the key and cert files? Please share the details, as we don't have testing environments. Please help.
    - name: Import both key and cert
      bigip_ssl_key_cert:
        key_name: test1_remove
        cert_name: test1_remove
        state: absent
        provider: "{{ provider }}"
      delegate_to: localhost