Module URI unable to get local issuer


Frédéric GAUTHIER BESNARD

Apr 22, 2023, 9:33:20 AM
to Ansible Project
Hi,

I am trying to create a playbook that does the same as this command:

===
curl --header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data @payload.json \
--cacert /etc/ssl/hashistack/hashistack-ca.pem \
--cert /etc/ssl/hashistack/dc1-server-vault.pem \
--key /etc/ssl/hashistack/dc1-server-vault.key \
===

bash-5.1# ansible --version
ansible [core 2.14.4]
config file = None
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.10/site-packages/ansible
ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/local/bin/ansible
python version = 3.10.5 (main, Jul 20 2022, 01:24:16) [GCC 10.3.1 20211027] (/usr/local/bin/python)
jinja version = 3.1.2
libyaml = False


This is my playbook:

===
- name: Renew Vault Token
  hosts: localhost
  become: no
  connection: local
  vars:
    ansible_python_interpreter: /usr/local/bin/python3.10
  tasks:
    - name: Vault Token | Renew a token self
      ansible.builtin.uri:
        ca_path: "/etc/ssl/hashistack/hashistack-ca.pem"
        client_cert: "/etc/ssl/hashistack/dc1-server-vault.pem"
        client_key: "/etc/ssl/hashistack/dc1-server-vault.key"
        method: POST
        headers:
          X-Vault-Token: "{{ lookup('ansible.builtin.env', 'VAULT_TOKEN') }}"
        body: |
          {
            "increment": "48h"
          }
        body_format: json
        status_code:
          - 200
===

The playbook runs in an Alpine Docker container with the /etc/ssl/hashistack folder volume-mounted.

It works with the simple curl command above. But with Ansible (ansible-playbook -i localhost, playbook.yml -vvvvv):


TASK [Vault Token | Renew a token self] ************************************************************************************************************************
task path: /data/playbook4.yml:8
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: root
<localhost> EXEC /bin/sh -c 'echo ~root && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1682170225.9506385-907-180721098619774 `" && echo ansible-tmp-1682170225.9506385-907-180721098619774="` echo /root/.ansible/tmp/ansible-tmp-1682170225.9506385-907-180721098619774 `" ) && sleep 0'
Including module_utils file ansible/__init__.py
Including module_utils file ansible/module_utils/__init__.py
Including module_utils file ansible/module_utils/_text.py
Including module_utils file ansible/module_utils/basic.py
Including module_utils file ansible/module_utils/common/_collections_compat.py
Including module_utils file ansible/module_utils/common/__init__.py
Including module_utils file ansible/module_utils/common/_json_compat.py
Including module_utils file ansible/module_utils/common/_utils.py
Including module_utils file ansible/module_utils/common/arg_spec.py
Including module_utils file ansible/module_utils/common/file.py
Including module_utils file ansible/module_utils/common/parameters.py
Including module_utils file ansible/module_utils/common/collections.py
Including module_utils file ansible/module_utils/common/process.py
Including module_utils file ansible/module_utils/common/sys_info.py
Including module_utils file ansible/module_utils/common/text/converters.py
Including module_utils file ansible/module_utils/common/text/__init__.py
Including module_utils file ansible/module_utils/common/text/formatters.py
Including module_utils file ansible/module_utils/common/validation.py
Including module_utils file ansible/module_utils/common/warnings.py
Including module_utils file ansible/module_utils/compat/selectors.py
Including module_utils file ansible/module_utils/compat/__init__.py
Including module_utils file ansible/module_utils/compat/_selectors2.py
Including module_utils file ansible/module_utils/compat/selinux.py
Including module_utils file ansible/module_utils/distro/__init__.py
Including module_utils file ansible/module_utils/distro/_distro.py
Including module_utils file ansible/module_utils/errors.py
Including module_utils file ansible/module_utils/parsing/convert_bool.py
Including module_utils file ansible/module_utils/parsing/__init__.py
Including module_utils file ansible/module_utils/pycompat24.py
Including module_utils file ansible/module_utils/six/__init__.py
Including module_utils file ansible/module_utils/urls.py
Using module file /usr/lib/python3.9/site-packages/ansible/modules/uri.py
<localhost> PUT /root/.ansible/tmp/ansible-local-8698sf4r32t/tmpfy224g4z TO /root/.ansible/tmp/ansible-tmp-1682170225.9506385-907-180721098619774/AnsiballZ_uri.py
<localhost> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1682170225.9506385-907-180721098619774/ /root/.ansible/tmp/ansible-tmp-1682170225.9506385-907-180721098619774/AnsiballZ_uri.py && sleep 0'
<localhost> EXEC /bin/sh -c '/usr/local/bin/python3.10 /root/.ansible/tmp/ansible-tmp-1682170225.9506385-907-180721098619774/AnsiballZ_uri.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1682170225.9506385-907-180721098619774/ > /dev/null 2>&1 && sleep 0'
fatal: [localhost]: FAILED! => {
    "changed": false,
    "elapsed": 0,
    "invocation": {
        "module_args": {
            "attributes": null,
            "body": "{\n \"increment\": \"48h\"\n}\n",
            "body_format": "json",
            "ca_path": "/etc/ssl/hashistack/hashistack-ca.pem",
            "client_cert": "/etc/ssl/hashistack/dc1-server-vault.pem",
            "client_key": "/etc/ssl/hashistack/dc1-server-vault.key",
            "creates": null,
            "dest": null,
            "follow_redirects": "safe",
            "force": false,
            "force_basic_auth": false,
            "group": null,
            "headers": {
                "Content-Type": "application/json",
                "X-Vault-Token": "xxxx"
            },
            "http_agent": "ansible-httpget",
            "method": "POST",
            "mode": null,
            "owner": null,
            "remote_src": false,
            "removes": null,
            "return_content": false,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "status_code": [
                200
            ],
            "timeout": 30,
            "unix_socket": null,
            "unsafe_writes": false,
            "url_password": null,
            "url_username": null,
            "use_gssapi": false,
            "use_proxy": true,
            "validate_certs": true
        }
    },
    "msg": "Status code was -1 and not [200]: Request failed: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)>",
    "redirected": false,
    "status": -1,
}

PLAY RECAP *****************************************************************************************************************************************************
localhost : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0



I installed pyopenssl.
I tried with validate_certs: no, error 207.

What is the problem?

Thanks

Dick Visser

Apr 22, 2023, 3:15:40 PM
to ansible...@googlegroups.com
Can you post the output of:

echo foo | openssl s_client -showcerts -servername 172.17.0.1 -connect 172.17.0.1:8200



--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/c25e536c-aae3-4bc3-a4a4-87116202d95en%40googlegroups.com.

Frédéric GAUTHIER BESNARD

Apr 23, 2023, 2:37:40 AM
to Ansible Project
Hello,

bash-5.1# echo foo | openssl s_client -showcerts -servername 172.17.0.1 -connect 172.17.0.1:8200
CONNECTED(00000003)
depth=0 CN = *.dc1.vault
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.dc1.vault
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = *.dc1.vault
verify return:1
---
Certificate chain
0 s:CN = *.dc1.vault
i:CN = hashistack
---
Server certificate
subject=CN = *.dc1.vault

issuer=CN = hashistack

---
No client certificate CA names sent
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2257 bytes and written 406 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_128_GCM_SHA256
Session-ID: 1EA85806456E36F0B94664CA074AF449278BA5733A19C8C5CFBAEE0DE3887794
Session-ID-ctx:
Resumption PSK: B3C6A77FE89DF3ECEB91EAB8AAED6AA9661E5566565BCB35E8AF8D87B023368C
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 604800 (seconds)
TLS session ticket:

Start Time: 1682231134
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
DONE



I don't understand exactly; does that mean there is a problem with the generation of the certificate?
Thanks

Dick Visser

Apr 23, 2023, 3:28:52 AM
to ansible...@googlegroups.com
On Sat, 22 Apr 2023 at 15:33, Frédéric GAUTHIER BESNARD <frederic.gau...@quanticware.com> wrote:
Hi, I installed pyopenssl
I tried with validate_certs: no, error 207.

I'm thinking that the SSL verification error could be caused by ansible not having access to the CA certificate, perhaps the path inside your container is different from the path outside the container? I would check that.
Once you disable verification, you can reach the API, and that "error 207" looks like it is the HTTP response from the API.
What that exactly means depends on the API that you're calling. 
I would check the logs of the system at 172.17.0.1 that implements the API and see what that says.

Dick
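The s_client output above reports verify errors 20 ("unable to get local issuer certificate") and 21 ("unable to verify the first certificate"): the server presents only the leaf, and the client has no copy of its issuer. The following is an added example, not code from this thread: it builds a throwaway root CA named "hashistack" and a leaf "*.dc1.vault" (constructed names mirroring the s_client output) and verifies the leaf the way Ansible's uri module does, once with no trust anchor and once with the CA file that ca_path should point at. It assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example (not code from this thread): throwaway CA + leaf, then the
# same chain verification Python/Ansible performs, without and with the CA.
# Names ("hashistack", "*.dc1.vault") are constructed to mirror the thread.
set -eu
WORK=$(mktemp -d)

make_test_pki() {
  # Own req config so the result does not depend on the system openssl.cnf.
  cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.dc1.vault
EOF
  # Self-signed root: plays the role of /etc/ssl/hashistack/hashistack-ca.pem.
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -days 1 -subj "/CN=hashistack" \
    -config "$WORK/pki.cnf" -extensions v3_ca 2>/dev/null
  # Leaf issued directly by the root (depth-0-only chain, as in the thread).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=*.dc1.vault" -config "$WORK/pki.cnf" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/leaf.pem" -days 1 \
    -extfile "$WORK/pki.cnf" -extensions v3_leaf 2>/dev/null
}

# verify_leaf LEAF [CAFILE]: prints "ok" when the chain builds to a trusted
# root, else the openssl reason (e.g. "unable to get local issuer certificate").
verify_leaf() {
  leaf=$1; cafile=${2:-}
  if [ -n "$cafile" ]; then
    out=$(openssl verify -CAfile "$cafile" "$leaf" 2>&1) && { echo ok; return 0; }
  else
    # No trust store at all: what a container sees when ca_path is not mounted.
    out=$(openssl verify -no-CAfile -no-CApath "$leaf" 2>&1) && { echo ok; return 0; }
  fi
  printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
  return 1
}

make_test_pki
echo "without CA: $(verify_leaf "$WORK/leaf.pem" || true)"
echo "with CA:    $(verify_leaf "$WORK/leaf.pem" "$WORK/ca.pem")"
```

Because the issuer here is the root itself, a correct ca_path alone is enough; only if an intermediate sat between root and leaf would the server also have to send it.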

Frédéric GAUTHIER BESNARD

Apr 23, 2023, 7:15:35 AM
to Ansible Project
Hi,
I found the solution.
The Docker image I built was too old (10 months...).

I updated all components.

Sorry, I wrote the wrong code in my previous message. It wasn't 207, but 307.

My working dockerfile:

FROM python:alpine3.17

RUN echo 'http://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/repositories

RUN apk add --update alpine-sdk
RUN apk add --update --no-cache bash mariadb-client tar restic rclone ca-certificates fuse tzdata shellinabox msmtp mongodb-tools openssl curl vim python3-dev libc-dev gcc libffi-dev
RUN pip3 install --no-cache-dir PyMySQL ansible python-consul python-nomad hvac pyopenssl
RUN ansible-galaxy collection install community.general


Thanks for your help Dick!