
Default values not being assigned if they are not specified in the playbook file #23

Open
ricrodriguezg opened this issue Mar 3, 2022 · 3 comments
Labels
bug Something isn't working

Comments

@ricrodriguezg
Contributor

PROBLEM SUMMARY
When not specified, the options certificate_privatekey_type and certificate_privatekey_size are not being set by default by the certificate role when requesting a new certificate.

STEPS TO REPRODUCE
Request a certificate using the certificate role without certificate_privatekey_type and certificate_privatekey_size:

```yaml
---
- name: Generate and Install cert
  hosts: all
  collections: venafi.machine_identity

  vars_files:
    - variables.yml
  tasks:
    - name: Calling Venafi role
      include_role:
        name: certificate
        apply:
          delegate_to: localhost
      vars:
        certificate_common_name: "{{ cert_name }}"
        certificate_copy_private_key_to_remote: false
        certificate_chain_option: "last"
        certificate_cert_dir: "{{ cert_path }}/{{ certificate_common_name }}"
        certificate_remote_execution: false
```

EXPECTED RESULTS
The task fails with the following error:

```
    "msg": "Certificate file does not exist | Private key file does not contain a valid private key | Private key file does not contain a valid private key"
```

ACTUAL RESULTS
The task fails with the following error:

```
fatal: [hostname -> localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "access_token": "",
            "alt_name": [],
            "attributes": null,
            "before_expired_hours": 72,
            "cert_path": "/tmp/my.cert.example.pem",
            "chain_option": "last",
            "chain_path": "/tmp//tmp/my.cert.example.pem",
            "common_name": "my.cert.example",
            "csr_origin": "local",
            "csr_path": "/tmp/my.cert.example.csr",
            "custom_fields": null,
            "force": false,
            "group": null,
            "issuer_hint": "DEFAULT",
            "mode": null,
            "owner": null,
            "password": "",
            "path": "/tmp/my.cert.example.pem",
            "privatekey_curve": null,
            "privatekey_passphrase": null,
            "privatekey_path": "/tmp/my.cert.example.key",
            "privatekey_reuse": true,
            "privatekey_size": null,
            "privatekey_type": null,
            "renew": true,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "state": "present",
            "test_mode": false,
            "token": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "trust_bundle": null,
            "unsafe_writes": false,
            "url": "",
            "use_pkcs12_format": false,
            "user": "",
            "validity_hours": null,
            "zone": "App\\mycit"
        }

    "msg": "Certificate file does not exist | Private key file does not contain a valid private key | Private key file does not contain a valid private key"
```

ENVIRONMENT DETAILS

```
ansible [core 2.12.3]
  config file = None
  configured module search path = ['/home/ricrodriguez/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ricrodriguez/venvs/ansible-venafi/lib/python3.9/site-packages/ansible
  ansible collection location = /home/ricrodriguez/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ricrodriguez/venvs/ansible-venafi/bin/ansible
  python version = 3.9.10 (main, Feb 22 2022, 13:54:07) [GCC 11.2.0]
  jinja version = 3.0.1
  libyaml = True
```

Machine Identity collection: 0.8.0

COMMENTS/WORKAROUNDS
Add the options to the playbook:

```yaml
---
- name: Generate and Install cert
  hosts: all
  collections: venafi.machine_identity

  vars_files:
    - variables.yml
  tasks:
    - name: Calling Venafi role
      include_role:
        name: certificate
        apply:
          delegate_to: localhost
      vars:
        certificate_common_name: "{{ cert_name }}"
        certificate_copy_private_key_to_remote: false
        certificate_privatekey_type: "RSA"
        certificate_privatekey_size: "2048"
        certificate_chain_option: "last"
        certificate_cert_dir: "{{ cert_path }}/{{ certificate_common_name }}"
        certificate_remote_execution: false
```
@ricrodriguezg ricrodriguezg added the bug Something isn't working label Mar 3, 2022
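The module_args in the report show the role forwarding `privatekey_type: null` and `privatekey_size: null` to the module, so the failure is an explicit null reaching the key generator rather than a missing key. The following is an added example, not code from the venafi.machine_identity collection, showing the two merge behaviours side by side and a parameter check that rejects weak or unresolved values; the default values (RSA, 2048) and the minimum RSA size are assumptions.

```python
# Added example (not the collection's code): why "explicit null" must be treated as
# "unset", and what a module should check before generating a private key.
# Defaults and limits below are assumptions chosen to match the reported workaround.

DEFAULTS = {"privatekey_type": "RSA", "privatekey_size": 2048}  # assumed defaults
ALLOWED_TYPES = {"RSA", "ECDSA"}                                   # assumed
MIN_RSA_BITS = 2048                                                # assumed floor


def naive_merge(module_args, defaults=DEFAULTS):
    """The failing pattern: a plain dict merge keeps an explicit None.
    (Ansible's default() filter behaves the same way: a null value is *defined*,
    so `default('RSA')` leaves it alone unless called as `default('RSA', true)`.)"""
    return {**defaults, **module_args}


def resolve_privatekey_args(module_args, defaults=DEFAULTS):
    """The fixed pattern: absent *or* None falls back to the default."""
    resolved = dict(module_args)
    for key, value in defaults.items():
        if resolved.get(key) is None:
            resolved[key] = value
    return resolved


def check_privatekey_args(args):
    """Return a list of problems (empty list means the parameters are usable).
    Handles the string "2048" that the workaround playbook passes."""
    problems = []
    key_type = args.get("privatekey_type")
    size = args.get("privatekey_size")
    if key_type not in ALLOWED_TYPES:
        problems.append(f"unsupported privatekey_type: {key_type!r}")
    if key_type == "RSA":
        try:
            bits = int(size)
        except (TypeError, ValueError):
            problems.append(f"privatekey_size is not an integer: {size!r}")
        else:
            if bits < MIN_RSA_BITS:
                problems.append(f"privatekey_size {bits} below minimum {MIN_RSA_BITS}")
    return problems


if __name__ == "__main__":
    # Constructed input reproducing the relevant part of the issue's module_args.
    reported = {"privatekey_type": None, "privatekey_size": None, "privatekey_reuse": True}
    print("naive:   ", check_privatekey_args(naive_merge(reported)))
    print("resolved:", check_privatekey_args(resolve_privatekey_args(reported)))
```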
@cdmadrigal
Contributor

Seems like this bug doesn't apply to deployments done on a Mac.
Environment Details:

```
ansible [core 2.12.3]
  config file = None
  configured module search path = ['/Users/cris.madrigal/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.8/site-packages/ansible
  ansible collection location = /Users/cris.madrigal/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.8.12 (default, Oct 13 2021, 06:42:42) [Clang 13.0.0 (clang-1300.0.29.3)]
  jinja version = 2.11.2
  libyaml = True
```

@AaronJaegerVA

AaronJaegerVA commented Jul 12, 2022

We got the error

```
"msg": "Certificate file does not exist | Private key file does not contain a valid private key | Private key file does not contain a valid private key"
```

when the Private Key was not "Stored in Software" in Venafi, like this:

image

@Shmooty

Shmooty commented Feb 21, 2023

Same issue experienced here, and resolved with the workaround of specifically providing the privatekey fields.
