
community.crypto.get_certificate fails to fetch certificate from mTLS enabled remote

Open michalmedvecky opened this issue 3 years ago • 2 comments

SUMMARY

If mutual TLS is mandatory on the remote server, the remote certificate can still be fetched even without providing a client TLS certificate. `openssl s_client -connect host:port` proves this.

Currently this module fails when contacting an mTLS-enabled server (providing a client certificate is unsupported anyway).

ISSUE TYPE

  • Bug Report

COMPONENT NAME

community.crypto.get_certificate

ANSIBLE VERSION

ansible [core 2.11.5]
  config file = /home/misko/.ansible.cfg
  configured module search path = ['/home/misko/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/misko/my_new_python_venv/lib/python3.6/site-packages/ansible
  ansible collection location = /home/misko/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/misko/my_new_python_venv/bin/ansible
  python version = 3.6.9 (default, Jan 26 2021, 15:33:00) [GCC 8.4.0]
  jinja version = 3.0.1
  libyaml = True
COLLECTION VERSION

community.crypto              1.9.2

CONFIGURATION

CACHE_PLUGIN(/home/misko/.ansible.cfg) = jsonfile
CACHE_PLUGIN_CONNECTION(/home/misko/.ansible.cfg) = /tmp/kkt
CACHE_PLUGIN_TIMEOUT(/home/misko/.ansible.cfg) = 86400
CALLBACKS_ENABLED(/home/misko/.ansible.cfg) = ['profile_tasks', 'timer', 'debug']
DEFAULT_FORKS(/home/misko/.ansible.cfg) = 50
DEFAULT_GATHERING(/home/misko/.ansible.cfg) = smart
DEFAULT_KEEP_REMOTE_FILES(env: ANSIBLE_KEEP_REMOTE_FILES) = True
DEFAULT_STDOUT_CALLBACK(/home/misko/.ansible.cfg) = debug
HOST_KEY_CHECKING(/home/misko/.ansible.cfg) = False
OS / ENVIRONMENT

Ubuntu Bionic, virtualenv with python 3.6

STEPS TO REPRODUCE
  1. Set up any TLS server with mandatory client authentication
  2. Play this:

- name: Get the cert from Kafka port
  community.crypto.get_certificate:
    host: kafka1.private
    port: 49093

EXPECTED RESULTS

Fetch the certificate from remote host

ACTUAL RESULTS

TASK [kafka : Get the cert from Kafka port] ***********************
fatal: [kafka1]: FAILED! => {
    "changed": false
}

MSG:

Failed to get cert from kafka1.private:49093, error: [SSL: UNEXPECTED_MESSAGE] unexpected message (_ssl.c:877)

NO MORE HOSTS LEFT *************************************************************

michalmedvecky, Nov 26 '21 15:11

I'm not sure how hard it will be to fix this. As opposed to how openssl s_client works (very low-level), we use standard Python functionality to start a TLS connection. That code does not handle such "surprises" well, as you can see :)

felixfontein, Dec 06 '21 18:12
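The reason `openssl s_client` can still print the certificate is the handshake ordering: in TLS 1.2 the server's first flight carries its Certificate message together with the CertificateRequest, so the server certificate has already arrived by the time the missing client certificate makes the handshake fail, whereas Python's `ssl` module only hands out the peer certificate after `do_handshake()` succeeds. The following parser over a constructed server flight illustrates that ordering; it is an added example, not code from this issue or from the community.crypto collection, and the certificate bytes are a labelled placeholder rather than real DER.

```python
import struct

HANDSHAKE = 22  # TLS record content type for handshake messages
# Handshake message types used below (TLS 1.2, RFC 5246):
SERVER_HELLO, CERTIFICATE, CERT_REQUEST, SERVER_HELLO_DONE = 2, 11, 13, 14
# Constructed placeholder standing in for the server's DER certificate (not real DER).
CERT_PLACEHOLDER = b"CONSTRUCTED-NOT-A-REAL-DER-CERT"

def handshake_msg(msg_type, body):
    """Handshake framing: 1-byte type + 3-byte length + body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def tls_record(content_type, payload):
    """Record framing: 1-byte type + version 0x0303 + 2-byte length + payload."""
    return bytes([content_type, 3, 3]) + struct.pack("!H", len(payload)) + payload

def build_sample_flight():
    """Server's first flight when it demands a client certificate (constructed)."""
    hello = handshake_msg(SERVER_HELLO, b"\x03\x03" + b"\x00" * 32 + b"\x00\xc0\x2f\x00")
    entry = len(CERT_PLACEHOLDER).to_bytes(3, "big") + CERT_PLACEHOLDER
    cert = handshake_msg(CERTIFICATE, len(entry).to_bytes(3, "big") + entry)
    # CertificateRequest: cert types [rsa_sign], sig algs [sha256/rsa], no CA names
    req = handshake_msg(CERT_REQUEST, b"\x01\x01\x00\x02\x04\x01\x00\x00")
    done = handshake_msg(SERVER_HELLO_DONE, b"")
    # Servers may coalesce several messages into one record; both forms are handled.
    return tls_record(HANDSHAKE, hello + cert) + tls_record(HANDSHAKE, req + done)

def iter_handshake_messages(data):
    """Yield (type, body) for every handshake message, reassembling across records."""
    buf, pos = b"", 0
    while pos + 5 <= len(data):
        ctype, length = data[pos], struct.unpack("!H", data[pos + 3:pos + 5])[0]
        payload, pos = data[pos + 5:pos + 5 + length], pos + 5 + length
        if ctype != HANDSHAKE:
            continue
        buf += payload
        while len(buf) >= 4 and len(buf) >= 4 + int.from_bytes(buf[1:4], "big"):
            mlen = int.from_bytes(buf[1:4], "big")
            yield buf[0], buf[4:4 + mlen]
            buf = buf[4 + mlen:]

def extract_server_certs(flight):
    """Return (DER certs from the Certificate message, whether a client cert was demanded)."""
    certs, client_cert_requested = [], False
    for mtype, body in iter_handshake_messages(flight):
        if mtype == CERTIFICATE:
            chain, p = body[3:3 + int.from_bytes(body[:3], "big")], 0
            while p + 3 <= len(chain):
                clen = int.from_bytes(chain[p:p + 3], "big")
                certs.append(chain[p + 3:p + 3 + clen])
                p += 3 + clen
        elif mtype == CERT_REQUEST:
            client_cert_requested = True
    return certs, client_cert_requested
```

Running `extract_server_certs(build_sample_flight())` yields the placeholder certificate and `True`, showing that the server certificate is recoverable from the flight even though a client certificate is being demanded.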

I guess one could also see this as a feature request though, or a docs bug (the docs should say that this isn't possible at the moment).

felixfontein, Dec 06 '21 18:12