ansible-for-nsxt
Certificate chains are not fully uploaded
Hi,
We are trying to upload a certificate fullchain via the module nsxt_certificates.py from dev.
While the module seems to work for single certificates, it fails to do so for chains.
The module cuts off the chain after the first "-----END CERTIFICATE-----".
We suspect that the error happens in vmware_nsxt.py, more specifically in
def get_certificate_string(crt_file)
This snippet might do the trick:
```python
import json


def get_certificate_string(crt_file):
    '''
    param: crt_file is the file containing the public key string
    result: returns the public key(client certificate) string to be passed to the payload
    '''
    # Read the whole file, so every certificate in a chain is kept
    with open(crt_file, 'r') as f:
        file_content = f.read()
    return json.dumps(file_content)
```
Have the same issue, must upload the cert manually. Please fix.
The next step is also missing: you need to register the cluster certificate.
To do it you can use the cluster API:
```shell
curl --insecure -u admin:'PASSWORD' -X POST "https://$NSX_MANAGER_IP_ADDRESS/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=$CERTIFICATE_ID"
```
It would be great if this were implemented in this or another module.
Hello @12Balu34 @bannov Did you create your certificate using the steps mentioned in the README? The module was created keeping in mind that, as pem encoded input, only the public key is accepted. The .p12 file we create contains both the public and the private key, thus we retrieve only the public key part from the .p12 file. If you have tried adding your certificates using the API, then please do share the steps to create the certificate file and the API request. We will incorporate what is required into our code ASAP. Thank you.
> Hello @12Balu34 @bannov Did you create your certificate using the steps mentioned in the README?
Which README exactly are you referring to? We created the certificates via certbot running against an ACME server. It gives you
- fullchain.pem
- cert.pem
- privacy.pem
Unfortunately our Lab Environment (where I tested things before) is currently unavailable. I can try to recreate the API calls as soon as it is back up and running.
The README I am referring to is https://github.com/vmware/ansible-for-nsxt/blob/dev/README.md. Instructions for creating self-signed certificates are written in it under "Generating certificates".
We have a certification authority (CA) that issues us digital certificates, so we don't need to generate and use self-signed certificates. We can upload our certificate using this module; unfortunately NSX says that we need to upload the full chain of certificates. But this module, nsxt_certificates.py, uses the function `get_certificate_string(crt_file)` from module_utils/vmware_nsxt.py:
```python
def get_certificate_string(crt_file):
    f = open(crt_file, 'r')
    file_content = f.read()
    file_content = file_content.split("\n")
    certificate_string = ""
    got_line_start = False
    for string in file_content:
        if string == "-----BEGIN CERTIFICATE-----":
            got_line_start = True
            certificate_string = certificate_string + string + "\n"
        elif string == "-----END CERTIFICATE-----":
            certificate_string = certificate_string + "\n" + string
            break
        elif got_line_start:
            certificate_string = certificate_string + string
        else:
            pass
    f.close()
    return certificate_string
```
As you can see, this function reads the file content until the first "-----END CERTIFICATE-----" and then breaks, so if we have a fullchain certificate, everything after the first "-----END CERTIFICATE-----" is cut off and only part of the fullchain certificate is uploaded.
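Added example (not the project's code and not posted by anyone in this thread): the truncating loop quoted above, reproduced on a string instead of a file, next to a splitter that keeps every `BEGIN`/`END` block of a certbot-style `fullchain.pem` in file order, tolerates CRLF line endings and text outside the markers, and rejects a malformed chain. It serves both the suggested `json.dumps` replacement in the first post and the analysis in this comment. The sample chain is constructed here with placeholder base64 bodies, not real certificates; the function names are illustrative, not the module's.

```python
from typing import List

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed sample standing in for certbot's fullchain.pem (leaf, intermediate, root).
# The base64 bodies are placeholders, not real certificates.
SAMPLE_FULLCHAIN = (
    "-----BEGIN CERTIFICATE-----\n"
    "TEAFQ0VSVAAA\n"
    "TEAFQ0VSVBBB\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "SU5URVJNRURJQVRF\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "Uk9PVA==\n"
    "-----END CERTIFICATE-----\n"
)


def get_certificate_string_first_only(pem_text: str) -> str:
    """The loop quoted from module_utils/vmware_nsxt.py, with the file read replaced
    by a string argument: it stops at the first END marker, so chains are truncated."""
    certificate_string = ""
    got_line_start = False
    for string in pem_text.split("\n"):
        if string == PEM_BEGIN:
            got_line_start = True
            certificate_string += string + "\n"
        elif string == PEM_END:
            certificate_string += "\n" + string
            break
        elif got_line_start:
            certificate_string += string
    return certificate_string


def split_pem_certificates(pem_text: str) -> List[str]:
    """Return every certificate block (markers included, body lines newline-separated),
    in file order. Lines outside a BEGIN/END pair (comments, bag attributes) are dropped;
    CRLF and trailing whitespace are tolerated; an unbalanced file raises ValueError."""
    certs: List[str] = []
    current = None  # lines of the block being collected, or None between blocks
    for raw in pem_text.splitlines():
        line = raw.strip()
        if line == PEM_BEGIN:
            if current is not None:
                raise ValueError("BEGIN CERTIFICATE without matching END")
            current = [line]
        elif line == PEM_END:
            if current is None:
                raise ValueError("END CERTIFICATE without matching BEGIN")
            current.append(line)
            certs.append("\n".join(current))
            current = None
        elif current is not None and line:
            current.append(line)
    if current is not None:
        raise ValueError("unterminated CERTIFICATE block")
    return certs


def get_certificate_chain_string(pem_text: str) -> str:
    """Whole chain as one PEM string (leaf first, as in the file), which is what a
    'send everything' replacement for the module's helper should produce."""
    certs = split_pem_certificates(pem_text)
    if not certs:
        raise ValueError("no certificate found in input")
    return "\n".join(certs) + "\n"


def read_certificate_chain(crt_file: str) -> str:
    """File-based variant with the same signature shape as the module's helper."""
    with open(crt_file, "r") as f:
        return get_certificate_chain_string(f.read())


if __name__ == "__main__":
    truncated = get_certificate_string_first_only(SAMPLE_FULLCHAIN)
    full = get_certificate_chain_string(SAMPLE_FULLCHAIN)
    print("certificates kept by the quoted loop:", truncated.count(PEM_END))
    print("certificates kept by the splitter:  ", full.count(PEM_END))
```

The assertion worth keeping in a module test is the last one below: for a well-formed chain the splitter's output is byte-for-byte the input, so nothing is silently dropped or reordered before it reaches the NSX-T payload.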
Is this issue being worked on? My customer has a similar problem and we cannot use the nsxt_certificates.py module because of this.
@andyjohnschneider I have heard that it will be fixed in the 3.0.3 patch, or 2.5.3, but I didn't find it in the release notes' bug fixes. I can tell you more next week after we get the update installed.