
community.vmware.vmware_guest_cross_vc_clone - Failing due to SSL error despite validate_certs: no

Open MTWiley opened this issue 2 years ago • 5 comments

SUMMARY

community.vmware.vmware_guest_cross_vc_clone - Failing due to SSL error despite validate_certs: no

ISSUE TYPE
  • Bug Report
COMPONENT NAME

community.vmware.vmware_guest_cross_vc_clone

+label module +label vmware

ANSIBLE VERSION
ansible [core 2.13.3]
  config file = /home/________/________/ansible.cfg
  configured module search path = ['/home/________/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/________/________/.venv/lib/python3.8/site-packages/ansible
  ansible collection location = /home/________/________
  executable location = /home/________/________/.venv/bin/ansible
  python version = 3.8.10 (default, Jun 22 2022, 20:18:18) [GCC 9.4.0]
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
/home/______/______/.venv/lib/python3.8/site-packages/urllib3/contrib/socks.py:32: DependencyWarning: SOCKS support in urllib3 requires the installation of optional dependencies: specifically, PySocks.  For more information, see https://urllib3.readthedocs.io/en/latest/contrib.html#socks-proxies
  warnings.warn((

# /home/______/______/ansible_collections
Collection       Version
---------------- -------
community.vmware 2.8.0  

# /home/______/______/.venv/lib/python3.8/site-packages/ansible_collections
Collection       Version
---------------- -------
community.vmware 2.7.0  
CONFIGURATION
COLLECTIONS_PATHS(/home/_____/_____/ansible.cfg) = ['/home/_____/_____']
DEFAULT_STDOUT_CALLBACK(/home/_____/_____/ansible.cfg) = yaml
DEFAULT_VAULT_PASSWORD_FILE(/home/_____/_____/ansible.cfg) = /home/_____/_____/id_rsa.pub
OS / ENVIRONMENT

6.5 VCSA & 7.0 VCSA (vCenter Appliance)

STEPS TO REPRODUCE

2 vCenters set up (6.5 & 7.0); try to connect to and move a VM from the 6.5 to the 7.0. With this particular module I believe the module connects to/initiates the move in the 7.0 vCenter. The vCenters are configured with the default/self-signed certificate.

    - name: Move VM From vCenter 6.5 --> vCenter 7.0
      community.vmware.vmware_guest_cross_vc_clone:
        validate_certs: no
        hostname: '{{ src_vcenter_hostname }}'
        username: '{{ src_vcenter_username }}'
        password: "{{ src_vcenter_password }}"
        name: "{{ src_vm_name }}"
        destination_vm_name: "{{ src_vm_name }}"
        destination_vcenter: '{{ dst_vcenter_hostname }}'
        destination_vcenter_username: '{{ dst_vcenter_username }}'
        destination_vcenter_password: '{{ dst_vcenter_password }}'
        destination_host: '{{ dst_esxi }}'
        destination_datastore: '{{ dst_datastore }}'
        destination_vm_folder: '{{ dst_vm_folder }}'
        state: poweredon
      register: cross_vc_clone_from_vm
EXPECTED RESULTS

I expect for the cross-vCenter migration to take place and for the VM to be moved/cloned from the old vCenter to the new vCenter

ACTUAL RESULTS
TASK [Move VM From vCenter 6.5 --> vCenter 7.0] ************************************************************************************************************************************************************
fatal: [localhost]: FAILED! => changed=false 
  module_stderr: |-
    /home/_____/_____/.venv/lib/python3.8/site-packages/urllib3/contrib/socks.py:32: DependencyWarning: SOCKS support in urllib3 requires the installation of optional dependencies: specifically, PySocks.  For more information, see https://urllib3.readthedocs.io/en/latest/contrib.html#socks-proxies
      warnings.warn((
    pyVmomi.VmomiSupport.SSLVerifyFault: (vim.fault.SSLVerifyFault) {
       dynamicType = <unset>,
       dynamicProperty = (vmodl.DynamicProperty) [],
       msg = "Authenticity of the host's SSL certificate is not verified.",
       faultCause = <unset>,
       faultMessage = (vmodl.LocalizableMessage) [],
       selfSigned = false,
       thumbprint = '__:__:__:__:__:__:__:__:__:__:__:__:__:__:__:__:__:__:__:__'
    }
  
    The above exception was the direct cause of the following exception:
  
    Traceback (most recent call last):
      File "/home/_____/.ansible/tmp/ansible-tmp-1660859378.8619072-420144-208586164595151/AnsiballZ_vmware_guest_cross_vc_clone.py", line 107, in <module>
        _ansiballz_main()
      File "/home/_____/.ansible/tmp/ansible-tmp-1660859378.8619072-420144-208586164595151/AnsiballZ_vmware_guest_cross_vc_clone.py", line 99, in _ansiballz_main
        invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
      File "/home/_____/.ansible/tmp/ansible-tmp-1660859378.8619072-420144-208586164595151/AnsiballZ_vmware_guest_cross_vc_clone.py", line 47, in invoke_module
        runpy.run_module(mod_name='ansible_collections.community.vmware.plugins.modules.vmware_guest_cross_vc_clone', init_globals=dict(_module_fqn='ansible_collections.community.vmware.plugins.modules.vmware_guest_cross_vc_clone', _modlib_path=modlib_path),
      File "/usr/lib/python3.8/runpy.py", line 207, in run_module
        return _run_module_code(code, init_globals, run_name, mod_spec)
      File "/usr/lib/python3.8/runpy.py", line 97, in _run_module_code
        _run_code(code, mod_globals, init_globals,
      File "/usr/lib/python3.8/runpy.py", line 87, in _run_code
        exec(code, run_globals)
      File "/tmp/ansible_community.vmware.vmware_guest_cross_vc_clone_payload_q33m9bq6/ansible_community.vmware.vmware_guest_cross_vc_clone_payload.zip/ansible_collections/community/vmware/plugins/modules/vmware_guest_cross_vc_clone.py", line 397, in <module>
      File "/tmp/ansible_community.vmware.vmware_guest_cross_vc_clone_payload_q33m9bq6/ansible_community.vmware.vmware_guest_cross_vc_clone_payload.zip/ansible_collections/community/vmware/plugins/modules/vmware_guest_cross_vc_clone.py", line 388, in main
      File "/tmp/ansible_community.vmware.vmware_guest_cross_vc_clone_payload_q33m9bq6/ansible_community.vmware.vmware_guest_cross_vc_clone_payload.zip/ansible_collections/community/vmware/plugins/modules/vmware_guest_cross_vc_clone.py", line 250, in clone
      File "/tmp/ansible_community.vmware.vmware_guest_cross_vc_clone_payload_q33m9bq6/ansible_community.vmware.vmware_guest_cross_vc_clone_payload.zip/ansible_collections/community/vmware/plugins/module_utils/vmware.py", line 155, in wait_for_task
      File "<string>", line 3, in raise_from
    ansible_collections.community.vmware.plugins.module_utils.vmware.TaskError: ("Authenticity of the host's SSL certificate is not verified.", '__:__:__:__:__:__:__:__:__:__:__:__:__:__:__:__:__:__:__:__')
  module_stdout: ''
  msg: |-
    MODULE FAILURE
    See stdout/stderr for the exact error
  rc: 1

MTWiley avatar Aug 22 '22 16:08 MTWiley

Files identified in the description: None

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

ansibullbot avatar Aug 22 '22 16:08 ansibullbot

@ansibullbot

+label module +label vmware

MTWiley avatar Aug 23 '22 14:08 MTWiley

@MTWiley I don't know this module very well, but it looks like validate_certs only affects the connection to the (source) vCenter. But there seems to be a dedicated parameter destination_vcenter_validate_certs for the connection to the (destination) vCenter. Could you please try with:

destination_vcenter_validate_certs: no

mariolenz avatar Sep 06 '22 11:09 mariolenz

@mariolenz the same behavior is observed with one, or both of validate_certs:no & destination_vcenter_validate_certs: no

That was something I missed the first time, but that unfortunately did not resolve the issue.

MTWiley avatar Sep 07 '22 14:09 MTWiley

> That was something I missed the first time, but that unfortunately did not resolve the issue.

Too bad, I was hoping destination_vcenter_validate_certs would fix your issue.

I'm out of office at the moment and don't have access to my usual test environment. I'll try to have another look at this when I'm back the week after next.

mariolenz avatar Sep 09 '22 13:09 mariolenz

This is a bit weird. The module fails in the very last step, the actual cloning:

https://github.com/ansible-collections/community.vmware/blob/c660ecd19cabaa878f9fa71d5680bece2f2a13d8/plugins/modules/vmware_guest_cross_vc_clone.py#L249-L250

It ignores the certificate of the source vCenter, otherwise it wouldn't connect to it. And it does this very early when creating an object of class CrossVCCloneManager(PyVmomi). Which calls the constructor of the superclass, which mainly opens the connection.

The module also ignores the certificate of the destination vCenter here:

https://github.com/ansible-collections/community.vmware/blob/c660ecd19cabaa878f9fa71d5680bece2f2a13d8/plugins/modules/vmware_guest_cross_vc_clone.py#L267-L274

which would fail otherwise. If the connections would fail (because of untrusted certificates or anything else) the module would fail far sooner.

mariolenz avatar Sep 23 '22 13:09 mariolenz

I have the same error. I use validate_certs: no and destination_vcenter_validate_certs: no. The module requests an ESXi host to clone the VM; could the certificate of this host be the cause of the error?

This is my output:

"module_stderr": "pyVmomi.VmomiSupport.SSLVerifyFault: (vim.fault.SSLVerifyFault) {\n dynamicType = ,\n dynamicProperty = (vmodl.DynamicProperty) [],\n msg = "Authenticity of the host's SSL certificate is not verified.",\n faultCause = ,\n faultMessage = (vmodl.LocalizableMessage) [],\n selfSigned = false,\n thumbprint = '90:B6:97:E4:3E:FF:D5:64:78:2F:3A:53:13:D3:AE:D5:59:06:E0:69'\n}\n\nThe above exception was the direct cause of the following exception:\n\nTraceback (most recent call last):\n File "/root/.ansible/tmp/ansible-tmp-1668554581.060155-26-82333182748552/AnsiballZ_vmware_guest_cross_vc_clone.py", line 107, in \n _ansiballz_main()\n File "/root/.ansible/tmp/ansible-tmp-1668554581.060155-26-82333182748552/AnsiballZ_vmware_guest_cross_vc_clone.py", line 99, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File "/root/.ansible/tmp/ansible-tmp-1668554581.060155-26-82333182748552/AnsiballZ_vmware_guest_cross_vc_clone.py", line 47, in invoke_module\n runpy.run_module(mod_name='ansible_collections.community.vmware.plugins.modules.vmware_guest_cross_vc_clone', init_globals=dict(_module_fqn='ansible_collections.community.vmware.plugins.modules.vmware_guest_cross_vc_clone', _modlib_path=modlib_path),\n File "/usr/lib64/python3.8/runpy.py", line 207, in run_module\n return _run_module_code(code, init_globals, run_name, mod_spec)\n File "/usr/lib64/python3.8/runpy.py", line 97, in _run_module_code\n _run_code(code, mod_globals, init_globals,\n File "/usr/lib64/python3.8/runpy.py", line 87, in _run_code\n exec(code, run_globals)\n File "/tmp/ansible_community.vmware.vmware_guest_cross_vc_clone_payload_n59b21ny/ansible_community.vmware.vmware_guest_cross_vc_clone_payload.zip/ansible_collections/community/vmware/plugins/modules/vmware_guest_cross_vc_clone.py", line 397, in \n File 
"/tmp/ansible_community.vmware.vmware_guest_cross_vc_clone_payload_n59b21ny/ansible_community.vmware.vmware_guest_cross_vc_clone_payload.zip/ansible_collections/community/vmware/plugins/modules/vmware_guest_cross_vc_clone.py", line 388, in main\n File "/tmp/ansible_community.vmware.vmware_guest_cross_vc_clone_payload_n59b21ny/ansible_community.vmware.vmware_guest_cross_vc_clone_payload.zip/ansible_collections/community/vmware/plugins/modules/vmware_guest_cross_vc_clone.py", line 250, in clone\n File "/tmp/ansible_community.vmware.vmware_guest_cross_vc_clone_payload_n59b21ny/ansible_community.vmware.vmware_guest_cross_vc_clone_payload.zip/ansible_collections/community/vmware/plugins/module_utils/vmware.py", line 155, in wait_for_task\n File "", line 3, in raise_from\nansible_collections.community.vmware.plugins.module_utils.vmware.TaskError: ("Authenticity of the host's SSL certificate is not verified.", '90:B6:97:E4:3E:FF:D5:64:78:2F:3A:53:13:D3:AE:D5:59:06:E0:69')\n",

This output shows "selfSigned = false"; is that correct?

hinotori74 avatar Nov 15 '22 23:11 hinotori74
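A diagnostic sketch for the question raised in this thread, added here as an example and not part of the issue or of the community.vmware code: it pulls the thumbprint out of the `SSLVerifyFault` text and compares it with the SHA-1 fingerprint of each endpoint's certificate to see which endpoint the fault refers to. It assumes the reported thumbprint is the SHA-1 digest of the DER certificate (consistent with its 20-byte length); the endpoint labels and sample bytes are constructed.

```python
import hashlib
import re
import ssl

# Matches the thumbprint field in both the plain and the JSON-escaped fault text.
THUMBPRINT_RE = re.compile(r"thumbprint = '((?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2})'")


def fault_thumbprint(module_stderr):
    """Return the thumbprint reported in a vim.fault.SSLVerifyFault, or None."""
    match = THUMBPRINT_RE.search(module_stderr)
    return match.group(1).upper() if match else None


def sha1_thumbprint(der_bytes):
    """Colon-separated upper-case SHA-1 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der(host, port=443):
    """Fetch an endpoint's certificate without validating it (needs network access)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def match_endpoints(module_stderr, endpoint_certs):
    """Return the labels whose certificate fingerprint equals the fault's thumbprint."""
    wanted = fault_thumbprint(module_stderr)
    if wanted is None:
        return []
    return [label for label, der in endpoint_certs.items()
            if sha1_thumbprint(der) == wanted]


# Constructed sample data: placeholder bytes stand in for DER certificates that
# would normally come from fetch_der(<hostname>). Which label matches here is
# arbitrary and says nothing about the outcome of this issue.
SAMPLE_CERTS = {
    "source_vcenter": b"constructed-der-source-vcenter",
    "destination_vcenter": b"constructed-der-destination-vcenter",
    "destination_esxi": b"constructed-der-destination-esxi",
}
SAMPLE_STDERR = (
    "pyVmomi.VmomiSupport.SSLVerifyFault: (vim.fault.SSLVerifyFault) {\n"
    "   selfSigned = false,\n"
    "   thumbprint = '%s'\n}" % sha1_thumbprint(SAMPLE_CERTS["destination_esxi"])
)

if __name__ == "__main__":
    print(match_endpoints(SAMPLE_STDERR, SAMPLE_CERTS))
```

With real data, build `endpoint_certs` from `fetch_der()` for the source vCenter, the destination vCenter and the destination ESXi host, and pass the task's `module_stderr` as the first argument.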