
Add option for trusted CA when using HTTPS

Open polski-g opened this issue 3 years ago • 2 comments

What is the idea ?

There is an ARA_API_INSECURE option which lets one ignore SSL errors, but then you get a Python warning message at runtime. It would be nice to have an option like ARA_API_CA which could point to a file that would be used by the requests library when making HTTPS requests.

polski-g avatar Feb 11 '22 16:02 polski-g

Here is my workaround for this:

You can set the environment variable REQUESTS_CA_BUNDLE and/or CURL_CA_BUNDLE [in the context you are running Ara in] to the path of your CA chain. The chain can contain only the required certs, or you can just use the system one [if you imported your cert into the system].

e.g. for Centos 8 I'm using REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.trust.crt

Source: https://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification

Nold360 avatar Feb 22 '22 12:02 Nold360

Using the REQUESTS_CA_BUNDLE environment variable is more than a workaround. It's kind of a standard for Python tools and widely used.

It would probably make sense to highlight it in the documentation.

hille721 avatar Feb 22 '22 20:02 hille721

@Nold360 @hille721 How do you add that REQUESTS_CA_BUNDLE when using ansible.cfg?

I would think that ARA should set the CA for requests if the user changes ARA_API_CA

gaby avatar Sep 08 '22 22:09 gaby

Unless mistaken, support for specifying certs, keys and CA has landed in the master branch via https://github.com/ansible-community/ara/pull/392 and https://github.com/ansible-community/ara/pull/403 but the CLI arg names will need to change a bit (see this issue) before 1.6.0 is released.

In other words, ARA_API_CA should already work if you install from the master branch. I would say you could use the container images that have the source installation, but this is a client-side feature, not a server one.

I will leave this issue for now but let me know if it works for you.

dmsimard avatar Sep 09 '22 03:09 dmsimard

I will test again tomorrow. Now that I got home, my issue may be related to me specifying both:

  • ARA_INSECURE_API
  • ARA_CA

I will report back tomorrow once I test it again. I'm using the latest ara client + server.

gaby avatar Sep 09 '22 03:09 gaby

@Nold360 @hille721 How do you add that REQUESTS_CA_BUNDLE when using ansible.cfg?

I have the following in my .profile/.bashrc:

# on RHEL/CentOS
if [ -f /etc/pki/tls/certs/ca-bundle.crt ]; then
    CRTFILE=/etc/pki/tls/certs/ca-bundle.crt
# on Ubuntu
elif [ -f /etc/ssl/certs/ca-certificates.crt ]; then
    CRTFILE=/etc/ssl/certs/ca-certificates.crt
fi

export REQUESTS_CA_BUNDLE=$CRTFILE
export SSL_CERT_FILE=$CRTFILE

While REQUESTS_CA_BUNDLE is used by the Python requests package, SSL_CERT_FILE is used by some other tools, e.g. curl, the httpx client, ...

hille721 avatar Sep 09 '22 05:09 hille721

@hille721 That works for one user. We have hundreds of hosts that run ansible using ansible-pull. Which is why I wanted to do this via ansible.cfg.

gaby avatar Sep 09 '22 11:09 gaby

No, you can also set it in /etc/profile or /etc/environment and it will work for all users. And if you run ansible-pull via cron then you can also set it as environment variable in your crontab.

But yeah, you cannot set it in ansible.cfg as it is not an Ansible config.

hille721 avatar Sep 09 '22 11:09 hille721

It would also help if ARA did this in the client code when ARA_INSECURE_API is set:

import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

When verify is False, here: https://github.com/ansible-community/ara/blob/master/ara/clients/http.py#L36

gaby avatar Sep 09 '22 13:09 gaby

Using ara_ca in my ansible.cfg fixed the issue for me. :-) I think this issue can be closed.

ansible.cfg

[ara]
api_client = http
ara_ca = /path/to/ca
ara_host = https://example.com

gaby avatar Sep 10 '22 02:09 gaby

It would also help if ARA did this in the client code when ARA_INSECURE_API is set:

import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

When verify is False, here: https://github.com/ansible-community/ara/blob/master/ara/clients/http.py#L36

I guess we can do that. Want to send a PR @gaby ? :)

dmsimard avatar Sep 10 '22 02:09 dmsimard

Using ara_ca in my ansible.cfg fixed the issue for me. :-) I think this issue can be closed.

api_ca, right? There is no such setting as ara_ca.

Same thing for ara_host, it's api_host.

dmsimard avatar Sep 10 '22 02:09 dmsimard

Using ara_ca in my ansible.cfg fixed the issue for me. :-) I think this issue can be closed.

api_ca, right? There is no such setting as ara_ca.

Same thing for ara_host, it's api_host.

Oops! Yes!

[ara]
api_client = http
api_ca = /path/to/ca
api_host = https://example.com

gaby avatar Sep 10 '22 03:09 gaby
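To tie the thread together, here is an added example (not ARA's own client code) of how a requests-based client can turn these settings into the `verify=` argument and decide when to silence urllib3's InsecureRequestWarning. The `api_ca` and `api_host` keys and the `[ara]` section come from the corrected ansible.cfg above; the `api_insecure` key (mirroring the ARA_API_INSECURE variable), the precedence order (insecure flag, then `api_ca`, then REQUESTS_CA_BUNDLE/CURL_CA_BUNDLE, then the default bundle) and the rule that setting both `api_insecure` and `api_ca` is rejected are assumptions made for this example, not ARA behaviour. The certificate file and the config text are constructed inline.

```python
"""Resolve requests' ``verify`` from ARA-style settings (added example, not ARA code).

Assumed precedence: api_insecure -> api_ca -> REQUESTS_CA_BUNDLE / CURL_CA_BUNDLE
-> requests' default bundle.  Combining api_insecure with api_ca is treated as a
misconfiguration here; that policy is hypothetical, not something ARA does.
"""
import configparser
import os
import tempfile
from pathlib import Path
from typing import Mapping, Optional, Union

try:
    import urllib3  # only needed to silence the warning when verify is False
except ImportError:  # pragma: no cover
    urllib3 = None

Verify = Union[bool, str]

# Constructed sample mirroring the corrected ansible.cfg from the thread.
SAMPLE_ANSIBLE_CFG = """
[ara]
api_client = http
api_ca = /path/to/ca
api_host = https://example.com
"""


class TLSConfigError(ValueError):
    """Contradictory or unusable TLS settings."""


def load_ara_settings(cfg_text: str) -> dict:
    """Return the [ara] section of an ansible.cfg-style document as a dict."""
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    return dict(parser["ara"]) if parser.has_section("ara") else {}


def _as_bool(value: object) -> bool:
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"1", "true", "yes", "on"}


def resolve_verify(settings: Mapping[str, object],
                   environ: Optional[Mapping[str, str]] = None) -> Verify:
    """Compute the value to pass as requests' ``verify=``."""
    env = os.environ if environ is None else environ
    insecure = _as_bool(settings.get("api_insecure", False))
    ca = settings.get("api_ca")
    if insecure and ca:
        raise TLSConfigError("api_insecure and api_ca are mutually exclusive")
    if insecure:
        return False  # certificate checking disabled
    if ca:
        path = Path(str(ca)).expanduser()
        if not path.is_file():
            # Fail loudly: a missing bundle must not silently fall back to 'trust nothing'
            raise TLSConfigError(f"api_ca bundle not found: {path}")
        return str(path)
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(var):
            return env[var]  # same variables requests honours itself
    return True  # requests' default bundle


def configure_warnings(verify: Verify) -> bool:
    """Silence InsecureRequestWarning only when verification is really off.
    Returns True if a filter was installed."""
    if verify is not False or urllib3 is None:
        return False
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    return True


def demo() -> dict:
    """Exercise the resolver on constructed inputs and return the outcomes."""
    results = {}
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n")
        ca_path = fh.name
    try:
        cfg = load_ara_settings(SAMPLE_ANSIBLE_CFG.replace("/path/to/ca", ca_path))
        results["from_cfg_matches"] = resolve_verify(cfg, environ={}) == ca_path
        results["env_fallback"] = resolve_verify(
            {}, environ={"REQUESTS_CA_BUNDLE": "/etc/pki/tls/certs/ca-bundle.crt"})
        results["default"] = resolve_verify({}, environ={})
        results["insecure"] = resolve_verify({"api_insecure": "true"}, environ={})
        try:
            resolve_verify({"api_insecure": True, "api_ca": ca_path}, environ={})
            results["conflict"] = None
        except TLSConfigError as exc:
            results["conflict"] = str(exc)
        try:
            resolve_verify({"api_ca": ca_path + ".missing"}, environ={})
            results["missing"] = None
        except TLSConfigError as exc:
            results["missing"] = str(exc)
    finally:
        os.unlink(ca_path)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of `configure_warnings` is the one raised above: the warning is only noise when the operator has knowingly set the insecure flag, so it is suppressed in exactly that branch and nowhere else. Keeping `api_ca` and the REQUESTS_CA_BUNDLE fallback as separate steps also means a fleet using ansible-pull can ship the bundle path in ansible.cfg without depending on per-user shell profiles.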

It would also help if ARA did this in the client code when ARA_INSECURE_API is set:

import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

When verify is False, here: https://github.com/ansible-community/ara/blob/master/ara/clients/http.py#L36

I guess we can do that. Want to send a PR @gaby ? :)

Sure, I can submit a PR tomorrow during the day. I'm currently on my phone.

gaby avatar Sep 10 '22 03:09 gaby

@dmsimard PR has been submitted

gaby avatar Sep 10 '22 19:09 gaby