ansible-role-check-mk-agent
https support?
Hello @elnappo,
we just enabled https in front of the check_mk server (LB) and since then, the check_mk.py is not able to work anymore. Is this module tested against https or is http the only operation mode by design?
thanks in advance.
It also works with HTTPS. Do you have a log message for me?
Alright, it seems to be related to certificate verification. Custom enterprise CA. Other ansible modules using this CA work fine, except the check_mk.py. I'll add more details on Monday.
Additional information:
Ubuntu 16.04 Ansible Tower 3.5.2 Ansible 2.8.3
Playbook:
- name: Add host to check_mk Server via WATO API and discover services
  check_mk:
    server_url: "{{ check_mk_agent_monitoring_host_url }}"
    username: "{{ check_mk_agent_monitoring_host_wato_username }}"
    secret: "{{ check_mk_agent_monitoring_host_wato_secret }}"
    hostname: "{{ inventory_hostname }}"
    folder: "{{ check_mk_agent_monitoring_host_folder }}"
    discover_services: refresh
    state: present
  delegate_to: localhost
Debug messages: The full traceback is: WARNING: The below traceback may not be related to the actual failure.
  File "/tmp/ansible_check_mk_payload_H8_kJc/__main__.py", line 155, in _api_request
    r = self._session.post(self._api_url + action, data=payload or {}, verify=self._module.params["validate_certs"])
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/sessions.py", line 572, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/sessions.py", line 524, in request
    resp = self.send(prep, **send_kwargs)
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/sessions.py", line 637, in send
    r = adapter.send(request, **kwargs)
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e…
"msg": "HTTPSConnectionPool(host='checkmk-dev01.mgmt.example.com', port=443): Max retries exceeded with url: /cmktest/check_mk/webapi.py?_username=automation&_secret=********&action=get_host&effective_attributes=1 (Caused by SSLError(SSLError(\"bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)\",),))
As I mentioned, e.g. the playbook below works fine and uses the same https://
- name: download CheckMK Agent script from CheckMK Server and upload to destination host
  get_url:
    url: "{{ check_mk_agent_monitoring_host_url }}check_mk/agents/check_mk_agent.linux"
    dest: /usr/local/bin/check_mk_agent
    owner: root
    group: root
    mode: 0755
I just confirmed it by setting validate_certs: False; then the playbook ran fine. Does the check_mk.py have no access to CAs because it's not an upstream module? Currently it's checked into the repo where the playbook resides.
The module uses the requests library, like many other Ansible modules. It should respect your local certificate store. Could you please try this in your Python console?
import requests
url = "<your checkmk URL>"
r = requests.get(url)
r.status_code
r = requests.get(url, verify=True)
r.status_code
r = requests.get(url, verify=False)
r.status_code
Python 2.7.12 (default, Nov 12 2018, 14:36:49)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
url = "https://checkmk-dev01.mgmt.example.com"
>>> url = "https://checkmk-dev01.mgmt.example.com"
>>> r = requests.get(url)
>>> r.status_code
200
>>> r = requests.get(url, verify=True)
>>> r.status_code
200
>>> r = requests.get(url, verify=False)
/var/lib/awx/venv/ansible/local/lib/python2.7/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning)
>>> r.status_code
200
Strange... Could you please post the debug output from the playbook run (one task should be enough)? e.g. ansible-playbook -i hosts playbook.yml -vvvv
Are you using a custom CA?
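A diagnostic for the situation in this thread, added here as an example (it is not code from the module or from any participant). It models the order in which requests picks a CA bundle for `verify=True` (REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then the certifi bundle) and checks whether a given CA is in that bundle; the `CA_FILE` variable and its default path are hypothetical.

```python
import os
import re
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def effective_verify(verify=True, environ=None, trust_env=True, certifi_path=None):
    """Model of how requests resolves `verify`: returns False or a bundle path."""
    environ = os.environ if environ is None else environ
    if verify is False:
        return False                      # validate_certs: False, no checking at all
    if verify is True or verify is None:
        if trust_env:
            # Environment overrides apply only when no explicit path was passed.
            env_path = environ.get("REQUESTS_CA_BUNDLE") or environ.get("CURL_CA_BUNDLE")
            if env_path:
                return env_path
        return certifi_path               # bundle shipped with the certifi package
    return verify                         # caller passed an explicit bundle path

def der_certs(pem_text):
    """Split a PEM bundle into a set of DER-encoded certificates."""
    return {ssl.PEM_cert_to_DER_cert(block) for block in PEM_RE.findall(pem_text)}

def ca_in_bundle(ca_pem_text, bundle_pem_text):
    """True if every certificate in ca_pem_text is also in the bundle."""
    wanted = der_certs(ca_pem_text)
    return bool(wanted) and wanted <= der_certs(bundle_pem_text)

def default_certifi_path():
    try:
        import certifi
        return certifi.where()
    except ImportError:
        return None

if __name__ == "__main__":
    # Hypothetical location of the enterprise root CA (PEM); override with CA_FILE.
    ca_file = os.environ.get("CA_FILE", "/usr/local/share/ca-certificates/enterprise-ca.crt")
    bundle = effective_verify(certifi_path=default_certifi_path())
    print("requests would verify against:", bundle)
    print("OpenSSL defaults:", ssl.get_default_verify_paths())
    if bundle and os.path.isfile(bundle) and os.path.isfile(ca_file):
        with open(ca_file, encoding="utf-8", errors="replace") as ca, \
                open(bundle, encoding="utf-8", errors="replace") as b:
            print("enterprise CA in that bundle:", ca_in_bundle(ca.read(), b.read()))
```

Running it with the same interpreter once from the interactive shell and once from inside the job shows whether the two environments resolve to the same bundle.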