
x509_certificate_info error in ansible 2.9.11 <ObjectIdentifier(oid=2.5.29.32, name=certificatePolicies)> extension is invalid and can't be parsed

Open yodatak opened this issue 4 years ago • 6 comments

SUMMARY

When verifying all the files in /etc/ssl/certs I got this error:

  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_gna4u96f/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 881, in <module>
  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_gna4u96f/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 874, in main
  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_gna4u96f/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 488, in get_info
  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_gna4u96f/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 560, in _get_key_usage
  File "/usr/local/lib64/python3.6/site-packages/cryptography/utils.py", line 170, in inner
    result = func(instance)
  File "/usr/local/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/x509.py", line 127, in extensions
    self._backend, self._x509
  File "/usr/local/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/decode_asn1.py", line 249, in parse
    "parsed".format(oid)
ValueError: The <ObjectIdentifier(oid=2.5.29.32, name=certificatePolicies)> extension is invalid and can't be parsed

ISSUE TYPE
  • Bug Report
COMPONENT NAME

x509_certificate_info

ANSIBLE VERSION
+ ansible --version
ansible 2.9.11
  config file = /X/ansible-sik/ansible.cfg
  configured module search path = [u'/home/X/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /X/lib/python2.7/site-packages/ansible
  executable location = /X/bin/ansible
  python version = 2.7.5 (default, Dec  3 2013, 08:35:16) [GCC 4.4.6 20120305 (Red Hat 4.4.6-4)]
CONFIGURATION

+ ansible-config dump --only-changed
ANSIBLE_FORCE_COLOR(env: ANSIBLE_FORCE_COLOR) = True
ANSIBLE_SSH_ARGS(/X/ansible.cfg) = -o ControlMaster=no -o UserKnownHostsFile=/dev/null
ANSIBLE_SSH_CONTROL_PATH(/X/ansible.cfg) = %(directory)s/%%h-%%r
CACHE_PLUGIN(/X/ansible.cfg) = jsonfile
CACHE_PLUGIN_CONNECTION(/X/ansible.cfg) = ./tmp/.ansible_fact_cache
CACHE_PLUGIN_TIMEOUT(/X/ansible.cfg) = 7200
DEFAULT_CALLBACK_WHITELIST(/X/ansible.cfg) = [u'profile_tasks']
DEFAULT_FILTER_PLUGIN_PATH(/X/ansible.cfg) = [u'/X/library/filters']
DEFAULT_FORKS(/X/ansible.cfg) = 25
DEFAULT_GATHERING(/X/ansible.cfg) = smart
DEFAULT_GATHER_TIMEOUT(/X/ansible.cfg) = 30
DEFAULT_LOCAL_TMP(env: ANSIBLE_LOCAL_TEMP) = /X/tmp/ansible/ansible-local-24783uQEOb_
DEFAULT_LOOKUP_PLUGIN_PATH(/X/ansible.cfg) = [u'/X/library/lookup']
DEFAULT_POLL_INTERVAL(/X/ansible.cfg) = 5
DEFAULT_ROLES_PATH(/X/ansible.cfg) = [u'/X/roles', u'/X/galaxy_roles']
DEFAULT_STDOUT_CALLBACK(/X/ansible.cfg) = debug
DEFAULT_STRATEGY(/X/ansible.cfg) = linear
DEFAULT_STRATEGY_PLUGIN_PATH(/X/ansible.cfg) = [u'/X/library/mitogen-0.2.9/ansible_mitogen/plugins/strategy']
DEFAULT_TIMEOUT(/X/ansible.cfg) = 15
HOST_KEY_CHECKING(env: ANSIBLE_HOST_KEY_CHECKING) = False
OS / ENVIRONMENT

Red Hat 7.3 python2

STEPS TO REPRODUCE
- name: Find cert files under /etc/ssl/certs
  find:
    paths: /etc/ssl/certs
    file_type: file
    patterns: "*.crt,*.pem,*.cer"
    recurse: yes
    exclude: "*crl*"
  register: find_result

- name: Check validity
  community.crypto.x509_certificate_info:
    path: "{{ item.path }}"
    valid_at:
      point_1: "+1w"
      point_2: "+10w"
  register: cert_info
  loop: "{{ find_result.files }}"

- name: Filter out valid certs
  set_fact:
    outdated_certs: "{{ cert_info | json_query('results[? !(valid_at.point_1) || !(valid_at.point_2)]') }}"

- block:
    - name: Check that all certificates are valid
      assert:
        that:
          - outdated_certs | count == 0

  rescue:
    - name: Show info about outdated certs
      debug:
        msg: >-
          {{ { "Outdated Certs": outdated_certs | json_query("[].item.path") } }}

    - fail:
        msg: "Outdated certs found. See list above"

EXPECTED RESULTS

Verify certificate

ACTUAL RESULTS

It happens on 2 files: /etc/ssl/certs/multisite_XXX.cer and ca_multisite_chain_complete.pem

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: The <ObjectIdentifier(oid=2.5.29.32, name=certificatePolicies)> extension is invalid and can't be parsed
failed: [XXXXXX] (item={u'rusr': True, u'uid': 0, u'rgrp': True, u'xoth': False, u'islnk': False, u'woth': False, u'nlink': 1, u'issock': False, u'mtime': 1558689976.840408, u'gr_name': u'root', u'path': u'/etc/ssl/certs/ca_multisite_chaine_complete.pem', u'xusr': False, u'atime': 1595420107.449019, u'inode': 7210673, u'isgid': False, u'size': 13966, u'isdir': False, u'ctime': 1558690057.8965392, u'roth': True, u'wgrp': False, u'xgrp': False, u'isuid': False, u'dev': 64768, u'isblk': False, u'isreg': True, u'isfifo': False, u'mode': u'0644', u'pw_name': u'root', u'gid': 0, u'ischr': False, u'wusr': True}) => {
    "ansible_loop_var": "item", 
    "changed": false, 
    "item": {
        "atime": 1595420107.449019, 
        "ctime": 1558690057.8965392, 
        "dev": 64768, 
        "gid": 0, 
        "gr_name": "root", 
        "inode": 7210673, 
        "isblk": false, 
        "ischr": false, 
        "isdir": false, 
        "isfifo": false, 
        "isgid": false, 
        "islnk": false, 
        "isreg": true, 
        "issock": false, 
        "isuid": false, 
        "mode": "0644", 
        "mtime": 1558689976.840408, 
        "nlink": 1, 
        "path": "/etc/ssl/certs/ca_multisite_chain_complete.pem", 
        "pw_name": "root", 
        "rgrp": true, 
        "roth": true, 
        "rusr": true, 
        "size": 13966, 
        "uid": 0, 
        "wgrp": false, 
        "woth": false, 
        "wusr": true, 
        "xgrp": false, 
        "xoth": false, 
        "xusr": false
    }, 
    "rc": 1
}

MSG:

MODULE FAILURE
See stdout/stderr for the exact error


MODULE_STDOUT:

Traceback (most recent call last):
  File "/tmp/ansible-tmp-1595432655.5-24980-6466534372655/AnsiballZ_x509_certificate_info.py", line 102, in <module>
    _ansiballz_main()
  File "/tmp/ansible-tmp-1595432655.5-24980-6466534372655/AnsiballZ_x509_certificate_info.py", line 94, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/tmp/ansible-tmp-1595432655.5-24980-6466534372655/AnsiballZ_x509_certificate_info.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible_collections.community.crypto.plugins.modules.x509_certificate_info', init_globals=None, run_name='__main__', alter_sys=True)
  File "/usr/lib64/python3.6/runpy.py", line 205, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib64/python3.6/runpy.py", line 96, in _run_module_code
    mod_name, mod_spec, pkg_name, script_name)
  File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_6sv72yl8/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 881, in <module>
  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_6sv72yl8/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 874, in main
  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_6sv72yl8/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 488, in get_info
  File "/tmp/ansible_community.crypto.x509_certificate_info_payload_6sv72yl8/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 560, in _get_key_usage
  File "/usr/local/lib64/python3.6/site-packages/cryptography/utils.py", line 170, in inner
    result = func(instance)
  File "/usr/local/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/x509.py", line 127, in extensions
    self._backend, self._x509
  File "/usr/local/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/decode_asn1.py", line 249, in parse
    "parsed".format(oid)
ValueError: The <ObjectIdentifier(oid=2.5.29.32, name=certificatePolicies)> extension is invalid and can't be parsed

MODULE_STDERR:

Warning: Permanently added 'XXXXXX,XXXXXX' (RSA) to the list of known hosts.

Connection to XXXXXX closed.

yodatak, Jul 22 '20 16:07
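The failure mode in this report is worth seeing in isolation: the module asks `cryptography` for the certificate's extension list, the library refuses to decode one malformed extension (here certificatePolicies, OID 2.5.29.32), and the resulting `ValueError` aborts the whole task, so the expiry check the playbook actually cares about never runs for that file. The script below is an added example written for this page, not code from community.crypto or from the issue author. It re-implements the playbook's sweep in plain Python: it walks a directory, evaluates each certificate against relative `valid_at`-style points such as `+1w` and `+10w`, and records an extension-parse error per file instead of propagating it. It assumes the third-party `cryptography` package is installed (imported lazily, so the pure helpers run without it); the helper names (`parse_timespec`, `evaluate_validity`, `inspect_cert`, `sweep`, `outdated`, `demo_verdict`) and the dates in `demo_verdict` are this example's own, constructed for illustration.

```python
"""Sweep a directory of certificates and report, per file, whether each one is
still valid at a set of relative points in time, without letting a single
certificate with an undecodable extension abort the run.

Added example for this issue; not community.crypto code. Requires the
third-party `cryptography` package only for inspect_cert()/sweep().
"""
import os
import re
from datetime import datetime, timedelta, timezone

# Relative timespec in the shape valid_at accepts: "+<n><unit>[<n><unit>...]",
# units w/d/h/m/s, e.g. "+1w", "+10w", "+1w2d".
_TIMESPEC = re.compile(r"^\+(?:\d+[wdhms])+$")
_PART = re.compile(r"(\d+)([wdhms])")
_UNIT_SECONDS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_timespec(spec):
    """Turn '+10w' (or '+1w2d') into a timedelta; reject anything else."""
    spec = spec.strip()
    if not _TIMESPEC.match(spec):
        raise ValueError("unsupported timespec: %r" % spec)
    seconds = sum(int(n) * _UNIT_SECONDS[u] for n, u in _PART.findall(spec))
    return timedelta(seconds=seconds)


def evaluate_validity(not_before, not_after, points, now=None):
    """Return {point_name: bool}: is the certificate within its validity
    window at now + offset for each requested point? Datetimes are aware UTC."""
    now = now or datetime.now(timezone.utc)
    return {name: not_before <= now + parse_timespec(spec) <= not_after
            for name, spec in points.items()}


def inspect_cert(path, points, now=None):
    """Load one PEM or DER certificate and describe it. A ValueError raised
    while decoding extensions (the crash in this issue) is stored under
    'extension_error' so the validity verdict is still produced."""
    from cryptography import x509  # lazy: the pure helpers above need no dependency

    with open(path, "rb") as fh:
        data = fh.read()
    try:
        cert = x509.load_pem_x509_certificate(data)
    except ValueError:
        cert = x509.load_der_x509_certificate(data)  # raises ValueError if neither format
    # cryptography >= 42 offers aware *_utc properties; older releases expose
    # naive datetimes that are documented to be UTC.
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=timezone.utc)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
    info = {"path": path, "subject": cert.subject.rfc4514_string(),
            "valid_at": evaluate_validity(nb, na, points, now),
            "extension_count": None, "extension_error": None}
    try:
        info["extension_count"] = len(cert.extensions)
    except ValueError as exc:  # e.g. a malformed certificatePolicies (2.5.29.32)
        info["extension_error"] = str(exc)
    return info


def sweep(directory, points, now=None):
    """Walk `directory`, inspecting *.crt/*.pem/*.cer and skipping CRL files
    as the playbook's exclude pattern does. Returns (results, unreadable)."""
    results, unreadable = [], {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            low = name.lower()
            if "crl" in low or not low.endswith((".crt", ".pem", ".cer")):
                continue
            path = os.path.join(root, name)
            try:
                results.append(inspect_cert(path, points, now))
            except (ValueError, OSError) as exc:  # unparseable file: report, keep going
                unreadable[path] = str(exc)
    return results, unreadable


def outdated(results):
    """Paths whose certificate fails at least one requested point."""
    return [r["path"] for r in results if not all(r["valid_at"].values())]


def demo_verdict():
    """Constructed fixture (not from the issue): a cert expiring 4 weeks after a
    fixed 'now' is fine at +1w and already expired at +10w."""
    now = datetime(2020, 7, 22, 16, 0, tzinfo=timezone.utc)
    return evaluate_validity(now - timedelta(days=365), now + timedelta(weeks=4),
                             {"point_1": "+1w", "point_2": "+10w"}, now)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/certs"
    res, bad = sweep(target, {"point_1": "+1w", "point_2": "+10w"})
    for r in res:
        print(r["path"], r["valid_at"], r["extension_error"] or "extensions ok")
    print("outdated:", outdated(res))
    print("unreadable:", bad)
```

Run it as `python check_certs.py /etc/ssl/certs`. A file like the two named in this report shows up with its expiry verdict plus an `extension_error` string naming the offending OID, rather than killing the loop; an audit that wants to treat undecodable extensions as a finding in their own right can simply list entries whose `extension_error` is set.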