community.crypto
x509_certificate_info error in ansible 2.9.11 <ObjectIdentifier(oid=2.5.29.32, name=certificatePolicies)> extension is invalid and can't be parsed
SUMMARY
When verifying all the files in /etc/ssl/certs I got this error:
  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_gna4u96f/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 881, in <module>
  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_gna4u96f/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 874, in main
  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_gna4u96f/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 488, in get_info
  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_gna4u96f/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 560, in _get_key_usage
  File "/usr/local/lib64/python3.6/site-packages/cryptography/utils.py", line 170, in inner
    result = func(instance)
  File "/usr/local/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/x509.py", line 127, in extensions
    self._backend, self._x509
  File "/usr/local/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/decode_asn1.py", line 249, in parse
    "parsed".format(oid)
ValueError: The <ObjectIdentifier(oid=2.5.29.32, name=certificatePolicies)> extension is invalid and can't be parsed
ISSUE TYPE
- Bug Report
COMPONENT NAME
x509_certificate_info
ANSIBLE VERSION
+ ansible --version
ansible 2.9.11
config file = /X/ansible-sik/ansible.cfg
configured module search path = [u'/home/X/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /X/lib/python2.7/site-packages/ansible
executable location = /X/bin/ansible
python version = 2.7.5 (default, Dec 3 2013, 08:35:16) [GCC 4.4.6 20120305 (Red Hat 4.4.6-4)]
CONFIGURATION
+ ansible-config dump --only-changed
ANSIBLE_FORCE_COLOR(env: ANSIBLE_FORCE_COLOR) = True
ANSIBLE_SSH_ARGS(/X/ansible.cfg) = -o ControlMaster=no -o UserKnownHostsFile=/dev/null
ANSIBLE_SSH_CONTROL_PATH(/X/ansible.cfg) = %(directory)s/%%h-%%r
CACHE_PLUGIN(/X/ansible.cfg) = jsonfile
CACHE_PLUGIN_CONNECTION(/X/ansible.cfg) = ./tmp/.ansible_fact_cache
CACHE_PLUGIN_TIMEOUT(/X/ansible.cfg) = 7200
DEFAULT_CALLBACK_WHITELIST(/X/ansible.cfg) = [u'profile_tasks']
DEFAULT_FILTER_PLUGIN_PATH(/X/ansible.cfg) = [u'/X/library/filters']
DEFAULT_FORKS(/X/ansible.cfg) = 25
DEFAULT_GATHERING(/X/ansible.cfg) = smart
DEFAULT_GATHER_TIMEOUT(/X/ansible.cfg) = 30
DEFAULT_LOCAL_TMP(env: ANSIBLE_LOCAL_TEMP) = /X/tmp/ansible/ansible-local-24783uQEOb_
DEFAULT_LOOKUP_PLUGIN_PATH(/X/ansible.cfg) = [u'/X/library/lookup']
DEFAULT_POLL_INTERVAL(/X/ansible.cfg) = 5
DEFAULT_ROLES_PATH(/X/ansible.cfg) = [u'/X/roles', u'/X/galaxy_roles']
DEFAULT_STDOUT_CALLBACK(/X/ansible.cfg) = debug
DEFAULT_STRATEGY(/X/ansible.cfg) = linear
DEFAULT_STRATEGY_PLUGIN_PATH(/X/ansible.cfg) = [u'/X/library/mitogen-0.2.9/ansible_mitogen/plugins/strategy']
DEFAULT_TIMEOUT(/X/ansible.cfg) = 15
HOST_KEY_CHECKING(env: ANSIBLE_HOST_KEY_CHECKING) = False
OS / ENVIRONMENT
Red Hat 7.3 python2
STEPS TO REPRODUCE
- name: Find cert files under /etc/ssl/certs
  find:
    paths: /etc/ssl/certs
    file_type: file
    patterns: "*.crt,*.pem,*.cer"
    recurse: yes
    exclude: "*crl*"
  register: find_result

- name: Check validity
  community.crypto.x509_certificate_info:
    path: "{{ item.path }}"
    valid_at:
      point_1: "+1w"
      point_2: "+10w"
  register: cert_info
  loop: "{{ find_result.files }}"

- name: Filter out valid certs
  set_fact:
    outdated_certs: "{{ cert_info | json_query('results[? !(valid_at.point_1) || !(valid_at.point_2)]') }}"

- block:
    - name: Check that all certificates are valid
      assert:
        that:
          - outdated_certs | count == 0
  rescue:
    - name: Show info about outdated certs
      debug:
        msg: >-
          {{ { "Outdated Certs": outdated_certs | json_query("[].item.path") } }}
    - fail:
        msg: "Outdated certs found. See list above"
EXPECTED RESULTS
Verify certificate
ACTUAL RESULTS
It happens on 2 files: /etc/ssl/certs/multisite_XXX.cer and ca_multisite_chain_complete.pem
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: The <ObjectIdentifier(oid=2.5.29.32, name=certificatePolicies)> extension is invalid and can't be parsed
failed: [XXXXXX] (item={u'rusr': True, u'uid': 0, u'rgrp': True, u'xoth': False, u'islnk': False, u'woth': False, u'nlink': 1, u'issock': False, u'mtime': 1558689976.840408, u'gr_name': u'root', u'path': u'/etc/ssl/certs/ca_multisite_chaine_complete.pem', u'xusr': False, u'atime': 1595420107.449019, u'inode': 7210673, u'isgid': False, u'size': 13966, u'isdir': False, u'ctime': 1558690057.8965392, u'roth': True, u'wgrp': False, u'xgrp': False, u'isuid': False, u'dev': 64768, u'isblk': False, u'isreg': True, u'isfifo': False, u'mode': u'0644', u'pw_name': u'root', u'gid': 0, u'ischr': False, u'wusr': True}) => {
    "ansible_loop_var": "item",
    "changed": false,
    "item": {
        "atime": 1595420107.449019,
        "ctime": 1558690057.8965392,
        "dev": 64768,
        "gid": 0,
        "gr_name": "root",
        "inode": 7210673,
        "isblk": false,
        "ischr": false,
        "isdir": false,
        "isfifo": false,
        "isgid": false,
        "islnk": false,
        "isreg": true,
        "issock": false,
        "isuid": false,
        "mode": "0644",
        "mtime": 1558689976.840408,
        "nlink": 1,
        "path": "/etc/ssl/certs/ca_multisite_chain_complete.pem",
        "pw_name": "root",
        "rgrp": true,
        "roth": true,
        "rusr": true,
        "size": 13966,
        "uid": 0,
        "wgrp": false,
        "woth": false,
        "wusr": true,
        "xgrp": false,
        "xoth": false,
        "xusr": false
    },
    "rc": 1
}
MSG:
MODULE FAILURE
See stdout/stderr for the exact error
MODULE_STDOUT:
Traceback (most recent call last):
  File "/tmp/ansible-tmp-1595432655.5-24980-6466534372655/AnsiballZ_x509_certificate_info.py", line 102, in <module>
    _ansiballz_main()
  File "/tmp/ansible-tmp-1595432655.5-24980-6466534372655/AnsiballZ_x509_certificate_info.py", line 94, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/tmp/ansible-tmp-1595432655.5-24980-6466534372655/AnsiballZ_x509_certificate_info.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible_collections.community.crypto.plugins.modules.x509_certificate_info', init_globals=None, run_name='__main__', alter_sys=True)
  File "/usr/lib64/python3.6/runpy.py", line 205, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib64/python3.6/runpy.py", line 96, in _run_module_code
    mod_name, mod_spec, pkg_name, script_name)
  File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_6sv72yl8/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 881, in <module>
  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_6sv72yl8/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 874, in main
  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_6sv72yl8/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 488, in get_info
  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_6sv72yl8/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 560, in _get_key_usage
  File "/usr/local/lib64/python3.6/site-packages/cryptography/utils.py", line 170, in inner
    result = func(instance)
  File "/usr/local/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/x509.py", line 127, in extensions
    self._backend, self._x509
  File "/usr/local/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/decode_asn1.py", line 249, in parse
    "parsed".format(oid)
ValueError: The <ObjectIdentifier(oid=2.5.29.32, name=certificatePolicies)> extension is invalid and can't be parsed
MODULE_STDERR:
Warning: Permanently added 'XXXXXX,XXXXXX' (RSA) to the list of known hosts.
Connection to XXXXXX closed.
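The traceback above shows where the failure originates: the module reads `cert.extensions` (from `_get_key_usage`), and python-cryptography parses every extension of the certificate at that moment, so one malformed certificatePolicies value raises ValueError for the whole file. With a chain bundle like ca_multisite_chain_complete.pem that contains several certificates, the error does not say which one is at fault. The script below is an added example, not code from the community.crypto collection or from the reporter: it splits a PEM bundle into individual certificates, loads each one on its own, and reports separately whether the certificate loads and whether its extensions parse, so the offending certificate can be identified by subject and fingerprint. It assumes python-cryptography is installed; the sample bundle it builds (one self-signed EC certificate plus one deliberately undecodable block) is constructed for the example, and the function and variable names are the example's own.

```python
"""Per-certificate triage of a PEM bundle with python-cryptography.

Added example, not code from the community.crypto collection. It splits a
bundle such as ca_multisite_chain_complete.pem into individual certificates
and loads each one separately, so the ValueError that cryptography raises
for a malformed extension (certificatePolicies, OID 2.5.29.32, in the report
above) is attributed to one certificate instead of aborting the whole file.
"""
import re
import sys

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes

# One PEM certificate block; DOTALL so the base64 body may span lines.
PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n.*?-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(data):
    """Return every PEM certificate block in the bundle, in file order."""
    return [m.group(0) + b"\n" for m in PEM_CERT_RE.finditer(data)]


def triage_certificate(pem):
    """Load one certificate and report whether its extensions parse.

    cryptography parses all extensions the first time ``cert.extensions`` is
    read (the property the module hits in ``_get_key_usage``), so a single
    malformed extension raises ValueError for the whole certificate. The two
    failure points (loading, extension parsing) are caught separately here.
    """
    result = {
        "loaded": False,
        "subject": None,
        "fingerprint_sha256": None,
        "extensions_ok": False,
        "extension_oids": [],
        "error": None,
    }
    try:
        # default_backend() is accepted by every cryptography release;
        # newer ones simply ignore it.
        cert = x509.load_pem_x509_certificate(pem, default_backend())
    except ValueError as exc:
        result["error"] = "cannot load certificate: %s" % exc
        return result
    result["loaded"] = True
    result["subject"] = cert.subject.rfc4514_string()
    result["fingerprint_sha256"] = cert.fingerprint(hashes.SHA256()).hex()
    try:
        extensions = cert.extensions
    except ValueError as exc:
        # This is the path behind "extension is invalid and can't be parsed".
        result["error"] = "extensions unparseable: %s" % exc
        return result
    result["extensions_ok"] = True
    result["extension_oids"] = [ext.oid.dotted_string for ext in extensions]
    return result


def triage_bundle(data):
    """Triage each certificate of a PEM bundle; index is its position in the file."""
    return [
        dict(index=i, **triage_certificate(block))
        for i, block in enumerate(split_pem_bundle(data))
    ]


def make_sample_bundle():
    """Constructed input for the example: one self-signed EC certificate
    followed by a block whose base64 body is not valid DER, so both report
    paths are exercised without touching the real /etc/ssl/certs."""
    import datetime
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import ec
    from cryptography.x509.oid import NameOID

    key = ec.generate_private_key(ec.SECP256R1(), default_backend())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"triage-sample")])
    start = datetime.datetime(2024, 1, 1, 0, 0, 0)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256(), default_backend())
    )
    good = cert.public_bytes(serialization.Encoding.PEM)
    broken = b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    return good + broken


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    bundle = open(path, "rb").read() if path else make_sample_bundle()
    for entry in triage_bundle(bundle):
        status = "OK" if entry["extensions_ok"] else "BROKEN"
        print("#%d %-6s %s %s" % (entry["index"], status,
                                  entry["subject"], entry["error"] or ""))
```

Run it as `python triage.py /etc/ssl/certs/ca_multisite_chain_complete.pem` to see which certificate of the chain carries the unparseable certificatePolicies; without an argument it runs on the constructed sample. Once the certificate is isolated, `openssl x509 -noout -text` on that block will still print the extension (OpenSSL falls back to a hex dump for values it cannot decode), which is the quickest way to inspect the raw policy encoding that python-cryptography rejects.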