Theforeman.foreman.content_credentials ansible module certificate error

Problem:
When I run the content_credentials collection downloaded from ansible-galaxy I run into this certificate error:

-----END PGP PUBLIC KEY BLOCK-----", "content_type": "gpg_key", "name": "RPM-GPG-KEY-google-crome"}, "msg": "Failed to connect to Foreman server: DocLoadingError: Could not load data from https://foreman.domain.tld: HTTPSConnectionPool(host='foreman.domain.tld', port=443): Max retries exceeded with url: /apidoc/v2.json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)')))\n - is your server down?\n - was rake apipie:cache run when using apipie cache? (typical production settings)"}

Expected outcome:
I expect the module to trust the system CAs (including my self-signed freeIPA CA) like e.g. curl does.

Alternatively, some documentation on how to add trusted CAs. On this link there is a “validate_certs” attribute:

https://docs.ansible.com/ansible/2.10/collections/theforeman/foreman/content_credential_module.html

but not on this which is the one referenced from ansible-galaxy:

https://theforeman.org/plugins/foreman-ansible-modules/

Foreman and Proxy versions:
Foreman 2.2.3

Foreman and Proxy plugin versions:
?? “rpm -qa | grep proxy” gives these ones:
gssproxy-0.7.0-29.el7.x86_64
foreman-proxy-2.2.3-1.el7.noarch
tfm-rubygem-smart_proxy_pulp-2.1.0-3.fm2_2.el7.noarch
fqdn-foreman-proxy-1.0-1.noarch
tfm-rubygem-smart_proxy_dynflow-0.2.4-6.fm2_2.el7.noarch
tfm-rubygem-smart_proxy_remote_execution_ssh-0.3.0-4.fm2_2.el7.noarch
tfm-rubygem-smart_proxy_dynflow_core-0.2.6-1.fm2_2.el7.noarch
tfm-rubygem-smart_proxy_ansible-3.0.1-6.fm2_2.el7.noarch
tfm-rubygem-smart_proxy_openscap-0.7.4-1.fm2_2.el7.noarch
sssd-proxy-1.16.5-10.el7_9.7.x86_64
fqdn-foreman-proxy-client-1.0-1.noarch

Distribution and version:

Other relevant data:
ansible --version:
ansible [core 2.11.2]
python version = 3.9.6 (default, Jun 29 2021, 00:00:00) [GCC 11.1.1 20210531 (Red Hat 11.1.1-3)]
jinja version = 3.0.1
libyaml = True

######################
pip freeze:
ansible==4.2.0
ansible-core==2.11.2
certifi==2021.5.30
cffi==1.14.6
charset-normalizer==2.0.3
cryptography==3.4.7
idna==3.2
Jinja2==3.0.1
MarkupSafe==2.0.1
packaging==21.0
pycparser==2.20
pyparsing==2.4.7
PyYAML==5.4.1
requests==2.26.0
resolvelib==0.5.4
urllib3==1.26.6

########################
Ruby and Puppet are still in part kind of a mystery to me, so the “apipie rake” business I don’t know what to think of. Could that be relevant?

NOTE
My URLs are edited and could be inconsistent.

Hey,

the module supports validate_certs: false just fine, you should see that in ansible-doc theforeman.foreman.content_credential and on theforeman.foreman.content_credential – Manage Content Credentials — Foreman Ansible Modules documentation (which is the site behind the link you posted).

But now that I’ve typed all that – you mention content_credentials, which is a role, not a module.

Documented at theforeman.foreman.content_credentials — Foreman Ansible Modules documentation.

And roles, due to the way how Ansible handles variables, need to pass their params with a prefix, so the above becomes foreman_validate_certs: false, see Foreman Ansible Modules — Foreman Ansible Modules documentation

But that all said – the modules should trust the system certs just fine. Are you running them on the Foreman host, or some other machine?

Hope this helps.

Hi @evgeni

Thanks for your answer. Didn’t notice the “s” at the end. Eyes are the first thing you get blind at…
I read the docs for role but used the module.

However, I would prefer that the system CAs be trusted and since you state that they should, let’s focus on that.

I run my ansible playbook on a remote host towards the foreman server. On the same remote host the curl command towards the api validates the certificate against the system trusted CAs just fine:

[swefredde@lighthouse ~]$ curl -iv https://foreman.domain.tld(/api)?

*   Trying this:is:ipv6::3402:443...
* Connected to foreman.domain.tld (this:is:ipv6::3402) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=tld; O=MyOrg; CN=foreman.domain.tld
*  start date: Nov 23 23:48:26 2020 GMT
*  expire date: Nov 24 23:48:26 2022 GMT
*  subjectAltName: host "foreman.domain.tld" matched cert's "foreman.domain.tld"
*  issuer: C=tld; O=MyOrg; CN=IPA
*  SSL certificate verify ok.

It also works to ask the api for stuff using curl with authentication. Both foreman host and remote host have ipv4 and ipv6 addresses and the forward and reverse lookups work.

I’ve tried the validate_certs: false attribute and then it works, but as soon as I want verification it fails with this message:

fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to connect to Foreman server: SSLError: HTTPSConnectionPool(host='foreman.domain.tld', port=443): Max retries exceeded with url: /api/status (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)')))"}

I got almost the same error against a foreman 2.5.1 server I’m about to set up (hence the interest in automating the boring stuff):

fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to connect to Foreman server: DocLoadingError: Could not load data from https://newforeman.domain.tld: HTTPSConnectionPool(host='newforeman.domain.tld', port=443): Max retries exceeded with url: /apidoc/v2.json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)')))\n - is your server down?\n - was rake apipie:cache run when using apipie cache? (typical production settings)"}

As I said in my first post I’m using a self-signed custom freeIPA cert, but it’s trusted by curl. All services are up and running on both the 2.2.3 and 2.5.1 servers according to “foreman-maintain service status -b”.

Okay, if curl works, I would totally expect FAM to also work, as it’s using Python requests and that should take the system cert store…

Unless… did you install requests via pip or from the OS?

Via pip in my virtualenv. Does that matter?

Yeah, I think requests uses certifi, which brings its own certs bundle and doesn’t consult the system one.

Distributions usually patch certifi to use the distro-managed bundle instead.

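To make the point above concrete, here is an added Python example (not code from the thread and not from foreman-ansible-modules). It re-implements the lookup order requests 2.26 applies when trust_env is on (REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then certifi.where()) and checks whether a given CA is present in the chosen bundle by comparing SHA-256 fingerprints of the DER bytes of each PEM block. The distro bundle paths, the /etc/ipa/ca.crt location, the virtualenv path and every PEM block below are assumptions or constructed data, not real certificates.

```python
"""Which CA bundle does requests use, and does it contain my CA?

Added example, not code from the thread or from foreman-ansible-modules.
Bundle paths, /etc/ipa/ca.crt and all PEM data are assumptions or constructed.
"""
import base64
import hashlib
import os
import re
from typing import Dict, List, Optional

# Distro-managed bundles: the first is what curl printed in the thread (el7);
# the Debian/Ubuntu path is an assumption for other hosts.
SYSTEM_BUNDLE_CANDIDATES = [
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/certs/ca-certificates.crt",
]
IPA_CA_FILE = "/etc/ipa/ca.crt"  # assumed location on an IPA-enrolled client

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def resolve_ca_bundle(env: Dict[str, str], certifi_bundle: Optional[str]) -> Optional[str]:
    """Path requests verifies against for verify=True: env vars win over certifi."""
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(var):
            return env[var]
    return certifi_bundle  # pip's certifi ships its own Mozilla bundle


def pem_fingerprints(pem_text: str) -> List[str]:
    """SHA-256 of the DER bytes of every certificate block in a PEM file."""
    fps = []
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def bundle_contains(bundle_pem: str, ca_pem: str) -> bool:
    """True when every certificate in ca_pem also appears in bundle_pem."""
    wanted = set(pem_fingerprints(ca_pem))
    return bool(wanted) and wanted <= set(pem_fingerprints(bundle_pem))


def certifi_location() -> Optional[str]:
    try:
        import certifi  # present when requests was installed via pip
    except ImportError:
        return None
    return certifi.where()


def first_existing(paths: List[str]) -> Optional[str]:
    return next((p for p in paths if os.path.isfile(p)), None)


def _fake_cert(payload: bytes) -> str:
    """Constructed PEM block around an arbitrary payload; not a real certificate."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed data: a certifi-style bundle of public roots only, and a
# system-style bundle where update-ca-trust has appended the local IPA CA.
IPA_CA_PEM = _fake_cert(b"constructed: CN=IPA")
CERTIFI_LIKE_BUNDLE = _fake_cert(b"constructed: root 1") + _fake_cert(b"constructed: root 2")
SYSTEM_LIKE_BUNDLE = CERTIFI_LIKE_BUNDLE + IPA_CA_PEM


def diagnose(env: Dict[str, str], certifi_bundle: Optional[str],
             bundles: Dict[str, str], ca_pem: str) -> Dict[str, object]:
    """Which bundle wins and whether the CA is in it; bundles maps path -> PEM."""
    chosen = resolve_ca_bundle(env, certifi_bundle)
    present = chosen in bundles and bundle_contains(bundles[chosen], ca_pem)
    return {"bundle": chosen, "ca_present": present}


def main() -> None:
    # Offline walk-through on the constructed data (certifi path is made up).
    certifi_pem = "/venv/lib/python3.9/site-packages/certifi/cacert.pem"
    bundles = {certifi_pem: CERTIFI_LIKE_BUNDLE,
               SYSTEM_BUNDLE_CANDIDATES[0]: SYSTEM_LIKE_BUNDLE}
    print("plain venv:", diagnose({}, certifi_pem, bundles, IPA_CA_PEM))
    fixed = {"REQUESTS_CA_BUNDLE": SYSTEM_BUNDLE_CANDIDATES[0]}
    print("with REQUESTS_CA_BUNDLE:", diagnose(fixed, certifi_pem, bundles, IPA_CA_PEM))

    # Same check against the real files on this host, when they exist.
    chosen = resolve_ca_bundle(dict(os.environ), certifi_location())
    system = first_existing(SYSTEM_BUNDLE_CANDIDATES)
    print("requests will use:", chosen, "| distro bundle:", system)
    if chosen and os.path.isfile(chosen) and os.path.isfile(IPA_CA_FILE):
        with open(chosen) as bundle, open(IPA_CA_FILE) as ca:
            ok = bundle_contains(bundle.read(), ca.read())
        print("IPA CA in that bundle:", ok)
        if not ok and system:
            print(f"fix: export REQUESTS_CA_BUNDLE={system}")


if __name__ == "__main__":
    main()
```

Run it inside the playbook's virtualenv: the "plain venv" line reproduces the failure mode (certifi's bundle wins and the IPA CA is not in it), the second line shows the same lookup once REQUESTS_CA_BUNDLE points at the distro bundle. If the real-file check reports the CA missing, pointing requests at the distro bundle (exporting REQUESTS_CA_BUNDLE before ansible-playbook, or setting it through Ansible's environment: keyword on the play) keeps validate_certs: true meaningful instead of switching verification off.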

Great! Thanks. Then I learned something today. Now it works.

To add your custom CA to certifi you can use this link (no guarantees. I just googled it. Worked for me.):