Hello,

bash-5.1# echo foo | openssl s_client -showcerts -servername 172.17.0.1 -connect 172.17.0.1:8200
CONNECTED(00000003)
depth=0 CN = *.dc1.vault
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.dc1.vault
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = *.dc1.vault
verify return:1
---
Certificate chain
 0 s:CN = *.dc1.vault
   i:CN = hashistack
-----BEGIN CERTIFICATE-----
MIIFbjCCA1agAwIBAgIUCYP89il1SogP7klVmPkg6ypytAowDQYJKoZIhvcNAQEL
BQAwFTETMBEGA1UEAwwKaGFzaGlzdGFjazAeFw0yMzA0MjIxMjAzMTlaFw0zMzA0
MTkxMjAzMTlaMBYxFDASBgNVBAMMCyouZGMxLnZhdWx0MIICIjANBgkqhkiG9w0B
AQEFAAOCAg8AMIICCgKCAgEAsyup9SKo2UQDJiJ38bzFZ4Rqsnj0lb/b28SZFucN
gezSzaowDEB8U4U5XRKE/Dy3DSomI5qFZXLj9NczKLvVkE20e4A7XsHyWcIQRluQ
kN7GV3EfPttr56OI1itRhDb/N+mLAbJDSBajiWZhzvs7x9j4nbVaYAD/bEwjcaWA
oQvkBXY0iaY2JLyMdiCbBOVeY/vFtNZus4wyJBxD+WO+a+91Kc3q5YcdzZ3Qj9PX
2gBfRfok1wAN/vkLrqsYpJaaoGCf8kGWhu29U56pUS6hIz2GwD10FQJp+Y66qJg2
HMNjl4eNMJ+bK9GA+Ux93cmWPCxyT+QK/CVQI85GD0oNpv5KyfxRhEvq9QS0Vocv
d4BN5xJeE7NFlPZxUHFjgb2R3JBOigyIC9l6YEohCbfeb8J3fuZysw0CBrezetm3
zM/Q/5XLwaQ4TfOH9fLCuky+Y1Yn8CKETiRkVGPzg3Pd5cchX1kC9Uz9yMcHvQLG
dB3J+Xq4ZFvxojTtOtEKLvsJXyWSjx2gobeZ/eSbgXX71wXRGqsjHUrT3cJYQ8BJ
rBR60bQDNb+pFkRTk5OMmkaLHtGCLU/9FmB9s79Mgk0kCsEF1h0qFwhst/KVHWuc
yDed5hDjWCZbmDxX45R3FeThuk4rHnaO5WtdPnO8xWoTRCoRk5u8CFeNOW+DJOJr
SokCAwEAAaOBtDCBsTAyBgNVHREEKzApgglsb2NhbGhvc3SHBH8AAAGHBKwRAAGC
EHNlcnZlci5kYzEudmF1bHQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsG
AQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRcirVcPh/m
Bh+KA4e471V5cvXWxzAfBgNVHSMEGDAWgBSNnGUF47oE4w048AWej2cuoLEXhTAN
BgkqhkiG9w0BAQsFAAOCAgEAU+XOSrBfhwXRfy5KGs9rlxvFyuTffpnD1NhdXBzC
6qwdaEq88s1xLKixG5VbFcRdP3Epx84PLMrz0YCCXXBUDGKLENAcozhkbBPt826p
Ld9Whas6F0dL/wWPcLe3nrH3wnH+2pYBboTXHJDuQe1GTwUGL54Y4Q5T52ziK1wk
OcicXaV9PZZCIn3g48yGcDBENqVZP/w0joavUwBB4+e6UfdoXBAXhrxJkhWi0YI9
o/8PxewIcxhkZSHAbJ6eAOfLrkFMC/WMPRwgY4M6et/GjNvuuZbCmHYXjv5F3Jc5
HHwXqQdMtVAT/JEjm9WDY4v2w/EB4H9K7T5Gudnf9/W9I3egngPaRlR+nRhoITD/
i0Pw2vsCa6WJRevrsYszcwzsJkTM5WcB48VTILDdrH7CpwBiTy3VSO8emwgYBTYQ
Bai85dEhqrfg+el4FxAsEQpF0sob1LTbU0Tdv+hRxpIOa0D/rpDQ4m9dzLFVFKRS
RpegHY2Nuxr0HcEYTUErCSdEBfySApeM3xNerMHPwWtL1THjHY6CE7KIfItiYB0g
003AuFgVm+b4kjbfkh8IZJ4GgpKDVm1nCQpRC16o99fJYg5UU+iRbRf9hUAQ8H+E
HSLXUvU3ErnN3o3uLlPR6b9xgTFsvjKVUb2rGTls3uXn+Y94aLYJghyFL2RnKvBX
3wI=
-----END CERTIFICATE-----
---
Server certificate
subject=CN = *.dc1.vault
issuer=CN = hashistack
---
No client certificate CA names sent
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2257 bytes and written 406 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: 1EA85806456E36F0B94664CA074AF449278BA5733A19C8C5CFBAEE0DE3887794
    Session-ID-ctx:
    Resumption PSK: B3C6A77FE89DF3ECEB91EAB8AAED6AA9661E5566565BCB35E8AF8D87B023368C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:
    0000 - d9 d3 4c e0 8d d6 12 bf-74 13 f1 83 bd cc 72 39   ..L.....t.....r9
    0010 - 6f 45 84 3e 71 82 97 13-5c 19 05 d7 c4 be ba 2c   oE.>q...\......,
    0020 - dd df 94 bb 80 b7 4f 65-bd 6b c0 00 30 13 29 33   ......Oe.k..0.)3
    0030 - 8d 12 42 fc 34 33 d4 b4-13 90 21 32 3a 3f 51 3c   ..B.43....!2:?Q<
    0040 - 5f 97 bb 68 8c d6 2c 10-75 cb 06 29 c7 4d 78 0e   _..h..,.u..).Mx.
    0050 - 17 07 c3 d2 7d bf bd 40-f0 a3 9b 10 ae bb ea 55   ....}..@.......U
    0060 - b3 e2 08 d4 c8 5b 82 2f-03 f4 9a a2 e3 15 13 df   .....[./........
    0070 - 94                                                .

    Start Time: 1682231134
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
DONE

I don't understand exactly: does that mean there is a problem with the generation of the certificate?

Thanks

On Saturday 22 April 2023 at 21:15:40 UTC+2, Dick Visser wrote:
> Can you post the output of:
>
> echo foo | openssl s_client -showcerts -servername 172.17.0.1 -connect 172.17.0.1:8200
>
> On Sat, 22 Apr 2023 at 15:33, Frédéric GAUTHIER BESNARD <frederic.gau...@quanticware.com> wrote:
>
>> Hi,
>>
>> I am trying to create a playbook equivalent to this command:
>>
>> ===
>> curl --header "X-Vault-Token: $VAULT_TOKEN" \
>>   --request POST \
>>   --data @payload.json \
>>   --cacert /etc/ssl/hashistack/hashistack-ca.pem \
>>   --cert /etc/ssl/hashistack/dc1-server-vault.pem \
>>   --key /etc/ssl/hashistack/dc1-server-vault.key \
>>   https://172.17.0.1:8200/v1/auth/token/renew-self
>> ===
>>
>> bash-5.1# ansible --version
>> ansible [core 2.14.4]
>>   config file = None
>>   configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
>>   ansible python module location = /usr/local/lib/python3.10/site-packages/ansible
>>   ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
>>   executable location = /usr/local/bin/ansible
>>   python version = 3.10.5 (main, Jul 20 2022, 01:24:16) [GCC 10.3.1 20211027] (/usr/local/bin/python)
>>   jinja version = 3.1.2
>>   libyaml = False
>>
>> This is my playbook:
>>
>> ===
>> - name: Renew Vault Token
>>   hosts: localhost
>>   become: no
>>   connection: local
>>   vars:
>>     ansible_python_interpreter: /usr/local/bin/python3.10
>>   tasks:
>>     - name: Vault Token | Renew a token self
>>       ansible.builtin.uri:
>>         url: "https://172.17.0.1:8200"
>>         ca_path: "/etc/ssl/hashistack/hashistack-ca.pem"
>>         client_cert: "/etc/ssl/hashistack/dc1-server-vault.pem"
>>         client_key: "/etc/ssl/hashistack/dc1-server-vault.key"
>>         method: POST
>>         headers:
>>           X-Vault-Token: "{{ lookup('ansible.builtin.env', 'VAULT_TOKEN') }}"
>>         body: |
>>           {
>>             "increment": "48h"
>>           }
>>         body_format: json
>>         status_code:
>>           - 200
>> ===
>>
>> The playbook runs in an Alpine Docker container with the /etc/ssl/hashistack folder volume-mounted.
>>
>> It works with the simple curl command above. But with Ansible (ansible-playbook -i localhost, playbook.yml -vvvvv):
>>
>> TASK [Vault Token | Renew a token self] ************************************************************************************************************************
>> task path: /data/playbook4.yml:8
>> <localhost> ESTABLISH LOCAL CONNECTION FOR USER: root
>> <localhost> EXEC /bin/sh -c 'echo ~root && sleep 0'
>> <localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1682170225.9506385-907-180721098619774 `" && echo ansible-tmp-1682170225.9506385-907-180721098619774="` echo /root/.ansible/tmp/ansible-tmp-1682170225.9506385-907-180721098619774 `" ) && sleep 0'
>> Including module_utils file ansible/__init__.py
>> Including module_utils file ansible/module_utils/__init__.py
>> Including module_utils file ansible/module_utils/_text.py
>> Including module_utils file ansible/module_utils/basic.py
>> Including module_utils file ansible/module_utils/common/_collections_compat.py
>> Including module_utils file ansible/module_utils/common/__init__.py
>> Including module_utils file ansible/module_utils/common/_json_compat.py
>> Including module_utils file ansible/module_utils/common/_utils.py
>> Including module_utils file ansible/module_utils/common/arg_spec.py
>> Including module_utils file ansible/module_utils/common/file.py
>> Including module_utils file ansible/module_utils/common/parameters.py
>> Including module_utils file ansible/module_utils/common/collections.py
>> Including module_utils file ansible/module_utils/common/process.py
>> Including module_utils file ansible/module_utils/common/sys_info.py
>> Including module_utils file ansible/module_utils/common/text/converters.py
>> Including module_utils file ansible/module_utils/common/text/__init__.py
>> Including module_utils file ansible/module_utils/common/text/formatters.py
>> Including module_utils file ansible/module_utils/common/validation.py
>> Including module_utils file ansible/module_utils/common/warnings.py
>> Including module_utils file ansible/module_utils/compat/selectors.py
>> Including module_utils file ansible/module_utils/compat/__init__.py
>> Including module_utils file ansible/module_utils/compat/_selectors2.py
>> Including module_utils file ansible/module_utils/compat/selinux.py
>> Including module_utils file ansible/module_utils/distro/__init__.py
>> Including module_utils file ansible/module_utils/distro/_distro.py
>> Including module_utils file ansible/module_utils/errors.py
>> Including module_utils file ansible/module_utils/parsing/convert_bool.py
>> Including module_utils file ansible/module_utils/parsing/__init__.py
>> Including module_utils file ansible/module_utils/pycompat24.py
>> Including module_utils file ansible/module_utils/six/__init__.py
>> Including module_utils file ansible/module_utils/urls.py
>> Using module file /usr/lib/python3.9/site-packages/ansible/modules/uri.py
>> <localhost> PUT /root/.ansible/tmp/ansible-local-8698sf4r32t/tmpfy224g4z TO /root/.ansible/tmp/ansible-tmp-1682170225.9506385-907-180721098619774/AnsiballZ_uri.py
>> <localhost> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1682170225.9506385-907-180721098619774/ /root/.ansible/tmp/ansible-tmp-1682170225.9506385-907-180721098619774/AnsiballZ_uri.py && sleep 0'
>> <localhost> EXEC /bin/sh -c '/usr/local/bin/python3.10 /root/.ansible/tmp/ansible-tmp-1682170225.9506385-907-180721098619774/AnsiballZ_uri.py && sleep 0'
>> <localhost> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1682170225.9506385-907-180721098619774/ > /dev/null 2>&1 && sleep 0'
>> fatal: [localhost]: FAILED! => {
>>     "changed": false,
>>     "elapsed": 0,
>>     "invocation": {
>>         "module_args": {
>>             "attributes": null,
>>             "body": "{\n \"increment\": \"48h\"\n}\n",
>>             "body_format": "json",
>>             "ca_path": "/etc/ssl/hashistack/hashistack-ca.pem",
>>             "client_cert": "/etc/ssl/hashistack/dc1-server-vault.pem",
>>             "client_key": "/etc/ssl/hashistack/dc1-server-vault.key",
>>             "creates": null,
>>             "dest": null,
>>             "follow_redirects": "safe",
>>             "force": false,
>>             "force_basic_auth": false,
>>             "group": null,
>>             "headers": {
>>                 "Content-Type": "application/json",
>>                 "X-Vault-Token": "xxxx"
>>             },
>>             "http_agent": "ansible-httpget",
>>             "method": "POST",
>>             "mode": null,
>>             "owner": null,
>>             "remote_src": false,
>>             "removes": null,
>>             "return_content": false,
>>             "selevel": null,
>>             "serole": null,
>>             "setype": null,
>>             "seuser": null,
>>             "src": null,
>>             "status_code": [
>>                 200
>>             ],
>>             "timeout": 30,
>>             "unix_socket": null,
>>             "unsafe_writes": false,
>>             "url": "https://172.17.0.1:8200",
>>             "url_password": null,
>>             "url_username": null,
>>             "use_gssapi": false,
>>             "use_proxy": true,
>>             "validate_certs": true
>>         }
>>     },
>>     "msg": "Status code was -1 and not [200]: Request failed: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)>",
>>     "redirected": false,
>>     "status": -1,
>>     "url": "https://172.17.0.1:8200"
>> }
>>
>> PLAY RECAP *****************************************************************************************************************************************************
>> localhost                  : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
>>
>> I installed pyopenssl.
>> I tried with validate_certs: no, error 207.
>>
>> What is the problem?
>>
>> Thanks
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
>> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/c25e536c-aae3-4bc3-a4a4-87116202d95en%40googlegroups.com.
>

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/d5eb1d33-16a6-47fc-bd4b-d33972debe52n%40googlegroups.com.
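Editor's note on reading the s_client output in this thread, followed by an added example that is not part of the thread. The "Certificate chain" section lists a single entry at depth 0: the server sent only the leaf (issuer CN = hashistack), and s_client was run without -CAfile, so it could only consult the system trust store. For a private CA, error 20 ("unable to get local issuer certificate") and return code 21 are the expected result of that exact command and do not by themselves show that the certificate was generated wrongly. The Ansible failure quotes the same OpenSSL reason (error 20 via _ssl.c), i.e. Python could not chain the leaf to any CA it was given either. Two things decide whether a client accepts this server: the file passed as ca_path / --cacert must be the certificate that actually issued the leaf, and the leaf's subjectAltName must contain the address in the URL (clients match on the SAN, not on the CN *.dc1.vault). Decoding the pasted certificate's subjectAltName extension (openssl x509 -noout -ext subjectAltName on the saved PEM) shows DNS:localhost, IP Address:127.0.0.1, IP Address:172.17.0.1 and DNS:server.dc1.vault, so the second condition is met; the first can be checked with openssl s_client -CAfile /etc/ssl/hashistack/hashistack-ca.pem -connect 172.17.0.1:8200 </dev/null, which should end with "Verify return code: 0 (ok)". The script below reproduces both checks offline with a throwaway CA and leaf that copy the names and extensions of the pasted certificate; every path, name and key in it is an assumption made for the example, and none of it is the poster's or Vault's configuration.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway private CA and a
# leaf certificate with the same names and extensions as the certificate
# pasted above, then run the two checks an HTTPS client (curl --cacert,
# Python ssl / Ansible uri with ca_path) performs: chain to the CA file
# and a subjectAltName that covers the address in the URL.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_pki DIR: write ca.pem/ca.key and leaf.pem/leaf.key into DIR.
# Names are hypothetical and mirror the thread; keys are throwaway.
make_pki() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # Self-signed root with CN = hashistack, like the issuer in the thread.
  openssl req -x509 -config "$dir/req.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=hashistack" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  # Leaf CSR with CN = *.dc1.vault; clients match on the SAN, not the CN.
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=*.dc1.vault" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  # Same extension set as the pasted certificate.
  cat > "$dir/leaf.ext" <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:localhost,IP:127.0.0.1,IP:172.17.0.1,DNS:server.dc1.vault
EOF
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$dir/leaf.ext" \
    -out "$dir/leaf.pem" 2>/dev/null
}

# verify_leaf CA LEAF IP: returns 0 if LEAF chains to CA and its SAN
# contains IP, 1 otherwise, printing openssl's reason on failure. The
# ": OK" text is matched rather than the exit code because some older
# openssl builds exit 0 even when verification fails.
verify_leaf() {
  ca=$1; leaf=$2; ip=$3
  out=$(openssl verify -CAfile "$ca" -verify_ip "$ip" "$leaf" 2>&1) || :
  case "$out" in
    *": OK"*) echo "ok: chain and SAN check pass for $ip"; return 0 ;;
  esac
  echo "fail: $(printf '%s' "$out" | tr '\n' ' ')"
  return 1
}

# show_san CERT: print the subjectAltName, which is what curl and Python
# compare the requested host or IP against.
show_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName
}

make_pki "$WORK/real"    # the CA that really issued the leaf
make_pki "$WORK/other"   # a different CA with identical names

show_san "$WORK/real/leaf.pem"
verify_leaf "$WORK/real/ca.pem"  "$WORK/real/leaf.pem" 172.17.0.1        # ok
verify_leaf "$WORK/other/ca.pem" "$WORK/real/leaf.pem" 172.17.0.1 || :   # unable to get local issuer certificate
verify_leaf "$WORK/real/ca.pem"  "$WORK/real/leaf.pem" 10.0.0.1   || :   # IP address mismatch
```

The second call is the situation both curl and Ansible report when the file given as the CA is not the issuer of the leaf (for example a regenerated CA with the same CN, or an intermediate whose root is missing); the third is what a correct CA but a missing IP SAN looks like. Running the same two checks against the real files (openssl verify -CAfile /etc/ssl/hashistack/hashistack-ca.pem -verify_ip 172.17.0.1 on the PEM saved from s_client, and s_client with -CAfile) separates a wrong CA file from a wrong certificate before touching the playbook.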