community.vmware

vmware_tag_manager ignores validate_certs: no

Open jaydabi opened this issue 3 years ago • 12 comments

SUMMARY

validate_certs: no is ignored and throws certificate verify failed

Other modules, like vmware_guest and vmware_guest_disk seem to be unaffected.

ISSUE TYPE

  • Bug Report

COMPONENT NAME

vmware_tag_manager

ANSIBLE VERSION

ansible [core 2.11.6]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ansible/.local/lib/python3.9/site-packages/ansible
  ansible collection location = /home/ansible/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ansible/.local/bin/ansible
  python version = 3.9.10 (main, Mar  2 2022, 04:23:34) [GCC 10.2.1 20210110]
  jinja version = 3.0.3
  libyaml = True

COLLECTION VERSION

# /home/ansible/.local/lib/python3.9/site-packages/ansible_collections
Collection       Version
---------------- -------
community.vmware 1.14.0

# /home/ansible/.ansible/collections/ansible_collections
Collection       Version
---------------- -------
community.vmware 2.1.0

CONFIGURATION

OS / ENVIRONMENT

Docker Container with python:3.9 based on Debian 11

STEPS TO REPRODUCE

Just add a tag to an existing VM.

- name: Add tag to virtual machine
  community.vmware.vmware_tag_manager:
    tag_names:
      - "exampletag"
    object_name: "{{ vm_hostname }}"
    object_type: VirtualMachine
    state: add
    validate_certs: no
  delegate_to: localhost

EXPECTED RESULTS

Self-signed certificate will be accepted and task will proceed.

ACTUAL RESULTS

Task fails to execute due to certificate verify failed error.

fatal: [localhost -> localhost]: FAILED! => {"changed": false, "msg": "Failed to connect to vCenter or ESXi API at vcenter.local:443 due to SSL verification failure : HTTPSConnectionPool(host='vcenter.local', port=443): Max retries exceeded with url: /api (Caused by SSLError(SSLError(\"bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])\")))"}

jaydabi avatar Mar 16 '22 14:03 jaydabi

@jaydabi Thanks for reporting this issue. This is due to the fact that vmware_tag_manager uses the vSphere Automation SDK for Python to deal with VMware Tag functionality. You need to have requests version 3.0 or greater as discussed here.

Can you please upgrade the requests version and let us know if this solution works for you? Thanks,

Akasurde avatar Mar 16 '22 14:03 Akasurde

Thanks for getting back so fast, @Akasurde.

As I understand, requests version 3.x is not released yet. I will try your suggestion as soon as the version is officially released by the maintainer. I will respond to this issue as soon as I have tested the new requests version.

For now, I will just add the affected certificate to the ca-certificate store of the container to work around the issue.

jaydabi avatar Mar 16 '22 15:03 jaydabi

@jaydabi Thanks. I will keep this issue open.

Akasurde avatar Mar 16 '22 15:03 Akasurde

Seeing the same/similar behavior in the vmware_guest_cross_vc_clone as well and have noticed that a few other modules have had or have open issues for various SSL issues.

MTWiley avatar Aug 18 '22 21:08 MTWiley

Is this still an open issue?

mariolenz avatar Mar 22 '23 17:03 mariolenz

From my perspective, it is still open.

The suggested fix is to use requests>=3.0, but this version is still not officially released. Latest release right now is v2.28.2 ( https://github.com/psf/requests/releases )

jaydabi avatar Mar 28 '23 09:03 jaydabi

I really don't understand this. I'm sure I've used the module without any problems on vCenter servers with a self-signed certificate.

And, anyway, to the best of my knowledge the integration tests run with self-signed certificates and validate_certs: false. But they don't fail.

This is really odd, I don't think I understand the problem.

mariolenz avatar Mar 31 '23 12:03 mariolenz

Hi, I have exactly the same issue.

  "msg": "Failed to connect to vCenter or ESXi API at xxx:443 due to SSL verification failure : HTTPSConnectionPool(host='xxx', port=443): Max retries exceeded with url: /api (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))",

Other modules worked fine to the same endpoint.

Automation SDK Version: [email protected]

noesberger avatar Jun 28 '23 12:06 noesberger

I just found out that when the variable REQUESTS_CA_BUNDLE is set, the task fails; otherwise it does not. We use this variable to configure our internal CA certificates. Can you confirm as well that when "REQUESTS_CA_BUNDLE" is configured, the task ignores validate_certs: false?

noesberger avatar Jun 29 '23 08:06 noesberger
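
A diagnostic for the REQUESTS_CA_BUNDLE observation above, added here as an example; it is not code from the thread, the collection or the SDK. It asks a requests 2.x `Session` which `verify` value it would actually apply, assuming the REST client disables verification on the session object rather than per request; the bundle path is constructed and `vcenter.local` is the host from the report.

```python
import os
from contextlib import contextmanager

import requests

BUNDLE = "/etc/ssl/internal-ca.pem"  # constructed path, need not exist


@contextmanager
def env_var(name, value):
    """Temporarily set an environment variable (value=None unsets it)."""
    old = os.environ.get(name)
    try:
        if value is None:
            os.environ.pop(name, None)
        else:
            os.environ[name] = value
        yield
    finally:
        if old is None:
            os.environ.pop(name, None)
        else:
            os.environ[name] = old


def effective_verify(session_verify, ca_bundle=None, trust_env=True,
                     request_verify=None):
    """Return the 'verify' value requests would apply to one call.

    session_verify: value the client stored on Session.verify
    ca_bundle:      REQUESTS_CA_BUNDLE for this run (None = unset)
    request_verify: per-request verify= argument (None = not passed)
    """
    session = requests.Session()
    session.verify = session_verify
    session.trust_env = trust_env
    with env_var("REQUESTS_CA_BUNDLE", ca_bundle), env_var("CURL_CA_BUNDLE", None):
        merged = session.merge_environment_settings(
            "https://vcenter.local/api", {}, None, request_verify, None)
    return merged["verify"]


if __name__ == "__main__":
    print("env unset, session False  ->", effective_verify(False))
    print("env set,   session False  ->", effective_verify(False, BUNDLE))
    print("env set,   trust_env off  ->", effective_verify(False, BUNDLE, trust_env=False))
    print("env set,   per-request    ->", effective_verify(False, BUNDLE, request_verify=False))
```

With the variable set, the bundle it names is what the server certificate is checked against, so the connection verifies once that bundle also contains the issuer of the vCenter certificate, the same idea as the CA-store workaround mentioned earlier in the thread.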