
[Security Workshop] Add letsencrypt certificates

Open liquidat opened this issue 4 years ago • 5 comments

SUMMARY

Currently the security workshop spins up at least two web interfaces which are accessible by the outside but do not have proper letsencrypt certificates: QRadar and Windows web RDP/Myrtille.

This should be fixed.

ISSUE TYPE
  • Bug Report

liquidat avatar Sep 22 '19 21:09 liquidat

I am constantly having this issue:

```
fatal: [attendance-host]: FAILED! => changed=true
  attempts: 5
  cmd: certbot certonly --no-bootstrap --standalone -d securityworkshopthree.trotman.com --email [email protected] --noninteractive --agree-tos
  delta: '0:00:01.128436'
  end: '2022-03-19 14:24:50.082978'
  msg: non-zero return code
  rc: 1
  start: '2022-03-19 14:24:48.954542'
  stderr: |-
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    An unexpected error occurred:
    There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
    Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
  stderr_lines:
  stdout: Requesting a certificate for securityworkshopthree.trotman.com
  stdout_lines:
```

And though the documentation says that the provisioner will still pass, it doesn't and I cannot reach the Windows web RDP/Myrtille. Let's Encrypt says there are too many requests, so it bans you for an hour. You wait for it to clear in that hour or so and run it again and it still fails.

JayDi11a avatar Mar 19 '22 14:03 JayDi11a
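The failure above is worth reading carefully: the task retried the same `certbot certonly --standalone` call five times (`attempts: 5`), and Let's Encrypt counts every failed HTTP-01 authorization against a per-hostname budget (five failures per hour at the time), so blind retries turn one misconfiguration (port 80 not reachable, DNS pointing at another address) into an hour-long lockout that waiting does not fix unless the underlying problem is fixed too. The wrapper below is an added example and not code from the ansible/workshops provisioner: it classifies certbot's stderr, refuses to retry on authorization or rate-limit errors, reuses a certificate that is still valid, and preflights against the staging environment with `--dry-run`, whose failures do not count against production limits. The sample stderr is constructed from the message quoted in the comment above; `/etc/letsencrypt/live/<domain>/cert.pem` is certbot's default location, the 30-day renewal threshold and the contact address are assumptions, and the script expects certbot and openssl on PATH.

```shell
#!/bin/sh
# Added example, not code from the ansible/workshops provisioner.
# A certbot wrapper that does not burn the Let's Encrypt failed-authorization
# budget: classify the error, never blindly retry an authorization failure,
# reuse a still-valid cert, and preflight against staging with --dry-run.
# Assumptions: certbot and openssl on PATH, certbot's default config dir
# /etc/letsencrypt, HTTP-01 via --standalone (port 80 free and reachable).

# Constructed sample, taken from the error message quoted in the thread.
SAMPLE_RATE_LIMIT_STDERR='Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/'

# classify_certbot_result RC STDERR -> ok | rate_limited | auth_failed | other
classify_certbot_result() {
  rc="$1"; err="$2"
  if [ "$rc" -eq 0 ]; then echo ok; return 0; fi
  case "$err" in
    *"too many failed authorizations"*|*"too many requests of a given type"*|*"too many certificates already issued"*)
      echo rate_limited ;;
    *"failed to authenticate"*|*"Challenge failed"*|*"Some challenges have failed"*|*"Timeout during connect"*|*"Connection refused"*|*"DNS problem"*)
      echo auth_failed ;;
    *)
      echo other ;;
  esac
}

# next_action CLASS -> what the caller should do. Only unknown errors are
# retried: an authorization failure means DNS or port 80 is wrong and every
# retry spends more of the per-hostname failure budget; a rate limit means
# wait for the window (about an hour) to expire before trying anything.
next_action() {
  case "$1" in
    ok)           echo done ;;
    rate_limited) echo wait_one_hour ;;
    auth_failed)  echo fix_dns_or_port80 ;;
    *)            echo retry ;;
  esac
}

# cert_still_valid DOMAIN -> true if certbot already holds a cert for DOMAIN
# that is good for at least 30 more days (assumed threshold); skipping the
# order also sidesteps the duplicate-certificate limit on re-runs.
cert_still_valid() {
  pem="/etc/letsencrypt/live/$1/cert.pem"
  [ -r "$pem" ] && openssl x509 -in "$pem" -noout -checkend $((30 * 86400)) >/dev/null 2>&1
}

# request_cert DOMAIN EMAIL -> prints the final action; exit status is zero
# only when a usable certificate is in place.
request_cert() {
  domain="$1"; email="$2"
  if cert_still_valid "$domain"; then echo done; return 0; fi
  set -- certonly --standalone --non-interactive --agree-tos -d "$domain" --email "$email"
  # Staging first: a failing challenge here costs nothing in production.
  err=$(certbot "$@" --dry-run 2>&1 >/dev/null); rc=$?
  action=$(next_action "$(classify_certbot_result "$rc" "$err")")
  if [ "$action" != done ]; then echo "$action"; return 1; fi
  err=$(certbot "$@" 2>&1 >/dev/null); rc=$?
  action=$(next_action "$(classify_certbot_result "$rc" "$err")")
  echo "$action"
  [ "$action" = done ]
}

# Usage (contact address is an assumed placeholder):
#   request_cert securityworkshopthree.trotman.com ops@example.com
```

Wired into a provisioner, the printed action is what the play should branch on: `retry` is the only outcome that justifies another attempt, `fix_dns_or_port80` should fail the run with a pointer to the host's security group and DNS record, and `wait_one_hour` should stop rather than loop, since any further order inside the window is guaranteed to fail.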

Hi @JayDi11a, this is a limit implemented by letsencrypt.org themselves and not something we control or maintain. The certificate requested for securityworkshopthree.trotman.com is throttled due to multiple requests:

> There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see

However, the Windows and QRadar instances don't use letsencrypt certificates, which indicates another issue is causing the failure.

Based on the troubleshooting we did, this seems to be related to the provisioner not being able to gather ec2 facts for the instances.

```
task path: /Users/gerald.trotmanibm.com/workshops/roles/manage_ec2_instances/tasks/security_includes/security_ec2_tags.yml:21
fatal: [localhost]: FAILED! =>
  msg: '''dict object'' has no attribute ''instances'''
```

craig-br avatar Mar 20 '22 11:03 craig-br

@JayDi11a May I please ask you to upload your latest provisioner output with -vvvv tags, ansible --version and ansible-galaxy collection list

@IPvSean FYI. I believe this might have something to do with the latest Ansible core version or FQCN changes. @JayDi11a is using a Mac and I can't recreate the issue on Fedora.

craig-br avatar Mar 20 '22 11:03 craig-br

Ref https://github.com/ansible/workshops/pull/1595

craig-br avatar Mar 20 '22 16:03 craig-br

> @JayDi11a May I please ask you to upload your latest provisioner output with -vvvv tags, ansible --version and ansible-galaxy collection list

```
MacBook-Pro-4:provisioner gerald.trotmanibm.com$ ansible --version
ansible [core 2.12.3]
  config file = /Users/gerald.trotmanibm.com/workshops/provisioner/ansible.cfg
  configured module search path = ['/Users/gerald.trotmanibm.com/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/gerald.trotmanibm.com/.pyenv/versions/3.9.1/lib/python3.9/site-packages/ansible
  ansible collection location = /Users/gerald.trotmanibm.com/.ansible/collections:/usr/share/ansible/collections
  executable location = /Users/gerald.trotmanibm.com/.pyenv/versions/3.9.1/bin/ansible
  python version = 3.9.1 (default, Jul 20 2021, 20:03:28) [Clang 12.0.5 (clang-1205.0.22.9)]
  jinja version = 3.0.3
  libyaml = True
```
```
ansible-galaxy collection list

# /Users/gerald.trotmanibm.com/.pyenv/versions/3.9.1/lib/python3.9/site-packages/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    2.1.0
ansible.netcommon             2.5.1
ansible.posix                 1.3.0
ansible.utils                 2.5.0
ansible.windows               1.9.0
arista.eos                    3.1.0
awx.awx                       19.4.0
azure.azcollection            1.11.0
check_point.mgmt              2.2.2
chocolatey.chocolatey         1.2.0
cisco.aci                     2.1.0
cisco.asa                     2.1.0
cisco.intersight              1.0.18
cisco.ios                     2.7.1
cisco.iosxr                   2.7.0
cisco.ise                     1.2.1
cisco.meraki                  2.6.0
cisco.mso                     1.3.0
cisco.nso                     1.0.3
cisco.nxos                    2.9.0
cisco.ucs                     1.6.0
cloud.common                  2.1.0
cloudscale_ch.cloud           2.2.0
community.aws                 2.3.0
community.azure               1.1.0
community.ciscosmb            1.0.4
community.crypto              2.2.2
community.digitalocean        1.15.1
community.dns                 2.0.7
community.docker              2.2.0
community.fortios             1.0.0
community.general             4.5.0
community.google              1.0.0
community.grafana             1.3.2
community.hashi_vault         2.3.0
community.hrobot              1.2.2
community.kubernetes          2.0.1
community.kubevirt            1.0.0
community.libvirt             1.0.2
community.mongodb             1.3.2
community.mysql               2.3.4
community.network             3.0.0
community.okd                 2.1.0
community.postgresql          1.7.0
community.proxysql            1.3.1
community.rabbitmq            1.1.0
community.routeros            2.0.0
community.skydive             1.0.0
community.sops                1.2.0
community.vmware              1.17.1
community.windows             1.9.0
community.zabbix              1.5.1
containers.podman             1.9.1
cyberark.conjur               1.1.0
cyberark.pas                  1.0.13
dellemc.enterprise_sonic      1.1.0
dellemc.openmanage            4.4.0
dellemc.os10                  1.1.1
dellemc.os6                   1.0.7
dellemc.os9                   1.0.4
f5networks.f5_modules         1.14.0
fortinet.fortimanager         2.1.4
fortinet.fortios              2.1.4
frr.frr                       1.0.3
gluster.gluster               1.0.2
google.cloud                  1.0.2
hetzner.hcloud                1.6.0
hpe.nimble                    1.1.4
ibm.qradar                    1.0.3
infinidat.infinibox           1.3.3
infoblox.nios_modules         1.2.1
inspur.sm                     1.3.0
junipernetworks.junos         2.9.0
kubernetes.core               2.2.3
mellanox.onyx                 1.0.0
netapp.aws                    21.7.0
netapp.azure                  21.10.0
netapp.cloudmanager           21.14.0
netapp.elementsw              21.7.0
netapp.ontap                  21.16.0
netapp.storagegrid            21.9.0
netapp.um_info                21.8.0
netapp_eseries.santricity     1.2.13
netbox.netbox                 3.5.1
ngine_io.cloudstack           2.2.3
ngine_io.exoscale             1.0.0
ngine_io.vultr                1.1.0
openstack.cloud               1.7.0
openvswitch.openvswitch       2.1.0
ovirt.ovirt                   1.6.6
purestorage.flasharray        1.12.1
purestorage.flashblade        1.9.0
sensu.sensu_go                1.13.0
servicenow.servicenow         1.0.6
splunk.es                     1.0.2
t_systems_mms.icinga_director 1.27.1
theforeman.foreman            2.2.0
vyos.vyos                     2.7.0
wti.remote                    1.0.3

# /Users/gerald.trotmanibm.com/.ansible/collections/ansible_collections
Collection                          Version
----------------------------------- -------
amazon.aws                          3.1.1
ansible.netcommon                   2.6.1
ansible.network                     1.2.0
ansible.posix                       1.3.0
ansible.product_demos               1.2.13
ansible.utils                       2.5.2
ansible.windows                     1.9.0
ansible.workshops                   1.0.11
arista.eos                          4.1.1
awx.awx                             19.4.0
chocolatey.chocolatey               1.2.0
cisco.ios                           2.8.0
cisco.iosxr                         2.8.1
cisco.nxos                          2.9.0
community.aws                       3.1.0
community.crypto                    2.2.3
community.general                   4.5.0
community.mysql                     3.1.1
community.windows                   1.9.0
containers.podman                   1.9.1
f5networks.f5_modules               1.15.0
frr.frr                             1.0.3
ibm.qradar                          1.0.3
junipernetworks.junos               2.9.0
openvswitch.openvswitch             2.1.0
paloaltonetworks.panos              1.1.0
redhat_cop.controller_configuration 2.1.1
redhat_cop.tower_utilities          2.0.1
vyos.vyos                           2.8.0
```

> @IPvSean FYI. I believe this might have something to do with the latest Ansible core version or FQCN changes. @JayDi11a is using a Mac and I can't recreate the issue on Fedora.

Attached: provisioner_output.txt, teardown.txt

JayDi11a avatar Mar 20 '22 17:03 JayDi11a

In the meantime try turning off the attendance node… maybe fallback only works on other SSL certs.

-S


IPvSean avatar Oct 11 '22 08:10 IPvSean

closing this issue since there is no urgency

IPvSean avatar Oct 06 '23 16:10 IPvSean