Hello,

bash-5.1# echo foo | openssl s_client -showcerts -servername 172.17.0.1 -connect 172.17.0.1:8200
CONNECTED(00000003)
depth=0 CN = *.dc1.vault
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.dc1.vault
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = *.dc1.vault
verify return:1
---
Certificate chain
0 s:CN = *.dc1.vault
i:CN = hashistack
---
Server certificate
subject=CN = *.dc1.vault

issuer=CN = hashistack

---
No client certificate CA names sent
Requested Signature Algorithms: 
RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: 
RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2257 bytes and written 406 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_128_GCM_SHA256
Session-ID: 1EA85806456E36F0B94664CA074AF449278BA5733A19C8C5CFBAEE0DE3887794
Session-ID-ctx: 
Resumption PSK: 
B3C6A77FE89DF3ECEB91EAB8AAED6AA9661E5566565BCB35E8AF8D87B023368C
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 604800 (seconds)
TLS session ticket:

Start Time: 1682231134
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
DONE



I don't understand exactly; does that mean there is a problem with the generation of the certificate?
Thanks

On Saturday, 22 April 2023 at 21:15:40 UTC+2, Dick Visser wrote:

> Can you post the output of:
>
> echo foo | openssl s_client -showcerts -servername 172.17.0.1 -connect 172.17.0.1:8200
>
>
>
> On Sat, 22 Apr 2023 at 15:33, Frédéric GAUTHIER BESNARD <
> [email protected]> wrote:
>
>> Hi,
>>
>> I am trying to create a playbook that does the same as this command:
>>
>> ===
>> curl --header "X-Vault-Token: $VAULT_TOKEN" \
>> --request POST \
>> --data @payload.json \
>> --cacert /etc/ssl/hashistack/hashistack-ca.pem \
>> --cert /etc/ssl/hashistack/dc1-server-vault.pem \
>> --key /etc/ssl/hashistack/dc1-server-vault.key \
>> https://172.17.0.1:8200/v1/auth/token/renew-self 
>> ===
>>
>> bash-5.1# ansible --version
>> ansible [core 2.14.4]
>> config file = None
>> configured module search path = ['/root/.ansible/plugins/modules', 
>> '/usr/share/ansible/plugins/modules']
>> ansible python module location = 
>> /usr/local/lib/python3.10/site-packages/ansible
>> ansible collection location = 
>> /root/.ansible/collections:/usr/share/ansible/collections
>> executable location = /usr/local/bin/ansible
>> python version = 3.10.5 (main, Jul 20 2022, 01:24:16) [GCC 10.3.1 
>> 20211027] (/usr/local/bin/python)
>> jinja version = 3.1.2
>> libyaml = False
>>
>>
>> This is my playbook:
>>
>> ===
>> - name: Renew Vault Token
>>   hosts: localhost
>>   become: no
>>   connection: local
>>   vars:
>>     ansible_python_interpreter: /usr/local/bin/python3.10
>>   tasks:
>>     - name: Vault Token | Renew a token self
>>       ansible.builtin.uri:
>>         url: "https://172.17.0.1:8200"
>>         ca_path: "/etc/ssl/hashistack/hashistack-ca.pem"
>>         client_cert: "/etc/ssl/hashistack/dc1-server-vault.pem"
>>         client_key: "/etc/ssl/hashistack/dc1-server-vault.key"
>>         method: POST
>>         headers:
>>           X-Vault-Token: "{{ lookup('ansible.builtin.env', 'VAULT_TOKEN') }}"
>>         body: |
>>           {
>>             "increment": "48h"
>>           }
>>         body_format: json
>>         status_code:
>>           - 200
>> ===
>>
>> The playbook runs in an Alpine Docker container with the /etc/ssl/hashistack folder mounted as a volume.
>>
>> It works with the previous simple curl command, but with Ansible (ansible-playbook -i localhost, playbook.yml -vvvvv):
>>
>>
>> TASK [Vault Token | Renew a token self] 
>> ************************************************************************************************************************
>> task path: /data/playbook4.yml:8
>> <localhost> ESTABLISH LOCAL CONNECTION FOR USER: root
>> <localhost> EXEC /bin/sh -c 'echo ~root && sleep 0'
>> <localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1682170225.9506385-907-180721098619774 `" && echo ansible-tmp-1682170225.9506385-907-180721098619774="` echo /root/.ansible/tmp/ansible-tmp-1682170225.9506385-907-180721098619774 `" ) && sleep 0'
>> Including module_utils file ansible/__init__.py
>> Including module_utils file ansible/module_utils/__init__.py
>> Including module_utils file ansible/module_utils/_text.py
>> Including module_utils file ansible/module_utils/basic.py
>> Including module_utils file 
>> ansible/module_utils/common/_collections_compat.py
>> Including module_utils file ansible/module_utils/common/__init__.py
>> Including module_utils file ansible/module_utils/common/_json_compat.py
>> Including module_utils file ansible/module_utils/common/_utils.py
>> Including module_utils file ansible/module_utils/common/arg_spec.py
>> Including module_utils file ansible/module_utils/common/file.py
>> Including module_utils file ansible/module_utils/common/parameters.py
>> Including module_utils file ansible/module_utils/common/collections.py
>> Including module_utils file ansible/module_utils/common/process.py
>> Including module_utils file ansible/module_utils/common/sys_info.py
>> Including module_utils file ansible/module_utils/common/text/converters.py
>> Including module_utils file ansible/module_utils/common/text/__init__.py
>> Including module_utils file ansible/module_utils/common/text/formatters.py
>> Including module_utils file ansible/module_utils/common/validation.py
>> Including module_utils file ansible/module_utils/common/warnings.py
>> Including module_utils file ansible/module_utils/compat/selectors.py
>> Including module_utils file ansible/module_utils/compat/__init__.py
>> Including module_utils file ansible/module_utils/compat/_selectors2.py
>> Including module_utils file ansible/module_utils/compat/selinux.py
>> Including module_utils file ansible/module_utils/distro/__init__.py
>> Including module_utils file ansible/module_utils/distro/_distro.py
>> Including module_utils file ansible/module_utils/errors.py
>> Including module_utils file ansible/module_utils/parsing/convert_bool.py
>> Including module_utils file ansible/module_utils/parsing/__init__.py
>> Including module_utils file ansible/module_utils/pycompat24.py
>> Including module_utils file ansible/module_utils/six/__init__.py
>> Including module_utils file ansible/module_utils/urls.py
>> Using module file /usr/lib/python3.9/site-packages/ansible/modules/uri.py
>> <localhost> PUT /root/.ansible/tmp/ansible-local-8698sf4r32t/tmpfy224g4z TO /root/.ansible/tmp/ansible-tmp-1682170225.9506385-907-180721098619774/AnsiballZ_uri.py
>> <localhost> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1682170225.9506385-907-180721098619774/ /root/.ansible/tmp/ansible-tmp-1682170225.9506385-907-180721098619774/AnsiballZ_uri.py && sleep 0'
>> <localhost> EXEC /bin/sh -c '/usr/local/bin/python3.10 /root/.ansible/tmp/ansible-tmp-1682170225.9506385-907-180721098619774/AnsiballZ_uri.py && sleep 0'
>> <localhost> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1682170225.9506385-907-180721098619774/ > /dev/null 2>&1 && sleep 0'
>> fatal: [localhost]: FAILED! => {
>>     "changed": false,
>>     "elapsed": 0,
>>     "invocation": {
>>         "module_args": {
>>             "attributes": null,
>>             "body": "{\n \"increment\": \"48h\"\n}\n",
>>             "body_format": "json",
>>             "ca_path": "/etc/ssl/hashistack/hashistack-ca.pem",
>>             "client_cert": "/etc/ssl/hashistack/dc1-server-vault.pem",
>>             "client_key": "/etc/ssl/hashistack/dc1-server-vault.key",
>>             "creates": null,
>>             "dest": null,
>>             "follow_redirects": "safe",
>>             "force": false,
>>             "force_basic_auth": false,
>>             "group": null,
>>             "headers": {
>>                 "Content-Type": "application/json",
>>                 "X-Vault-Token": "xxxx"
>>             },
>>             "http_agent": "ansible-httpget",
>>             "method": "POST",
>>             "mode": null,
>>             "owner": null,
>>             "remote_src": false,
>>             "removes": null,
>>             "return_content": false,
>>             "selevel": null,
>>             "serole": null,
>>             "setype": null,
>>             "seuser": null,
>>             "src": null,
>>             "status_code": [
>>                 200
>>             ],
>>             "timeout": 30,
>>             "unix_socket": null,
>>             "unsafe_writes": false,
>>             "url": "https://172.17.0.1:8200",
>>             "url_password": null,
>>             "url_username": null,
>>             "use_gssapi": false,
>>             "use_proxy": true,
>>             "validate_certs": true
>>         }
>>     },
>>     "msg": "Status code was -1 and not [200]: Request failed: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)>",
>>     "redirected": false,
>>     "status": -1,
>>     "url": "https://172.17.0.1:8200"
>> }
>>
>> PLAY RECAP *****************************************************************************************************************************************************
>> localhost : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
>>
>>
>>
>> I installed pyopenssl
>> I tried with validate_certs: no, error 207.
>>
>> What is the problem?
>>
>> Thanks
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/ansible-project/c25e536c-aae3-4bc3-a4a4-87116202d95en%40googlegroups.com
>>
>
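Reading an s_client transcript like the one above by hand is error-prone, so here is a small parser plus a diagnosis step that turns the chain and "verify error" lines into what the TLS client still lacks. This is an added example for this thread, not code from any of the posters or from Ansible; SAMPLE is a constructed excerpt modelled on the run above, and the -CAfile option it suggests is openssl s_client's standard way to point a run at a specific CA file (the same file the uri task passes as ca_path).

```python
import re

# Constructed excerpt modelled on the s_client run posted above, not a live capture.
SAMPLE = """\
CONNECTED(00000003)
depth=0 CN = *.dc1.vault
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.dc1.vault
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = *.dc1.vault
   i:CN = hashistack
---
Verify return code: 21 (unable to verify the first certificate)
"""

def parse_s_client(output):
    """Return (chain, errors, return_code) from s_client's text output.
    chain: [(subject, issuer), ...] as sent by the server, leaf first;
    errors: {depth: {verify error numbers}}; return_code: final verify code."""
    chain, errors, code, depth = [], {}, None, None
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if m := re.match(r"depth=(\d+)", line):
            depth = int(m.group(1))
        elif (m := re.match(r"verify error:num=(\d+):", line)) and depth is not None:
            errors.setdefault(depth, set()).add(int(m.group(1)))
        elif m := re.match(r"\s*\d+ s:(.*)", line):
            nxt = lines[i + 1] if i + 1 < len(lines) else ""  # the "i:" line follows "s:"
            issuer = nxt.split("i:", 1)[1].strip() if "i:" in nxt else ""
            chain.append((m.group(1).strip(), issuer))
        elif m := re.match(r"Verify return code: (\d+)", line):
            code = int(m.group(1))
    return chain, errors, code

def diagnose(chain, errors):
    """Translate a parsed run into what the TLS client still needs."""
    if not chain:
        return ["no certificate chain found in the output"]
    findings = []
    top_subject, top_issuer = chain[-1]
    if top_subject != top_issuer:  # last cert sent is not self-signed: the CA is not in the chain
        findings.append(f"server sent {len(chain)} cert(s) and stopped at issuer "
                        f"'{top_issuer}'; the client must already trust that CA")
    if 20 in errors.get(0, set()):
        findings.append("error 20 at depth 0: the leaf's issuer is not in the trust store used "
                        "for this run; retry with -CAfile <the file given to uri ca_path>")
    return findings
```

Run with -CAfile pointing at hashistack-ca.pem, a return code of 0 confirms that file really is the issuer of the *.dc1.vault leaf; a persisting error 20 means the CA file and the leaf do not match.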
