
Module bigip_profile_server_ssl fails to create server SSL profile if SSL key is passphrase protected #2435

Open
gomesjj opened this issue Nov 2, 2024 · 2 comments
Labels
backlog Item logged internally bug Issues that are related to bugs in the Ansible modules

Comments

gomesjj commented Nov 2, 2024

COMPONENT NAME

bigip_profile_server_ssl

Environment

ANSIBLE VERSION
ansible [core 2.16.7]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/Users/gj1606/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/gj1606/.local/lib/python3.10/site-packages/ansible
  ansible collection location = /Users/gj1606/.ansible/collections:/usr/share/ansible/collections
  executable location = /Users/gj1606/.pyenv/versions/3.10.1/bin/ansible
  python version = 3.10.1 (main, Jan 16 2022, 18:16:51) [Clang 13.0.0 (clang-1300.0.29.30)] (/Users/gj1606/.pyenv/versions/3.10.1/bin/python3.10)
  jinja version = 3.1.2
  libyaml = True
BIGIP VERSION
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.4
  Build       0.0.2
  Edition     Final
  Date        Wed Aug  2 05:09:36 PDT 2023
CONFIGURATION

Default configuration.

OS / ENVIRONMENT

macOS 13.6.7
Darwin aaron 22.6.0 Darwin Kernel Version 22.6.0: Mon Apr 22 20:54:28 PDT 2024; root:xnu-8796.141.3.705.2~1/RELEASE_X86_64 x86_64

SUMMARY

The module will not create a new server SSL profile when the SSL key is protected by a passphrase. Please note that the same certificate and key files were used to create a client SSL profile with no issues.

Please see example playbook.

STEPS TO REPRODUCE

I've run this test playbook with test certificates already imported.

```yaml
---
- name: Create Client and Server SSL profiles
  hosts: all
  gather_facts: false
  connection: local

  tasks:
    - name: Create a client SSL profile with a cert/key/chain setting
      f5networks.f5_modules.bigip_profile_client_ssl:
        provider: "{{ provider }}"
        state: present
        name: PRD.DEVTTY.LOCAL_CLIENTSSL
        server_name: prd.devtty.local
        cert_key_chain:
          - cert: prd.devtty.local.crt
            key: prd.devtty.local.key
            chain: DEVTTY-INTERNAL-CHAIN
            passphrase: "{{ passphrase | default(omit) }}"
            true_names: true
      delegate_to: localhost

    - name: Create a new server SSL profile with a cert/key/chain setting
      f5networks.f5_modules.bigip_profile_server_ssl:
        provider: "{{ provider }}"
        state: present
        name: PRD.DEVTTY.LOCAL_SERVERSSL
        server_name: prd.devtty.local
        certificate: prd.devtty.local.crt
        key: prd.devtty.local.key
        chain: DEVTTY-INTERNAL-CHAIN
        passphrase: "{{ passphrase | default(omit) }}"
      delegate_to: localhost
```
EXPECTED RESULTS

Task completed successfully.

ACTUAL RESULTS
ansible-playbook [core 2.16.7]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/Users/gj1606/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/gj1606/.local/lib/python3.10/site-packages/ansible
  ansible collection location = /Users/gj1606/.ansible/collections:/usr/share/ansible/collections
  executable location = /Users/gj1606/.pyenv/versions/3.10.1/bin/ansible-playbook
  python version = 3.10.1 (main, Jan 16 2022, 18:16:51) [Clang 13.0.0 (clang-1300.0.29.30)] (/Users/gj1606/.pyenv/versions/3.10.1/bin/python3.10)
  jinja version = 3.1.2
  libyaml = True
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
Loading collection ansible.builtin from 
host_list declined parsing /etc/ansible/inventory.yml as it did not pass its verify_file() method
script declined parsing /etc/ansible/inventory.yml as it did not pass its verify_file() method
Parsed /etc/ansible/inventory.yml inventory source with yaml plugin
Loading collection f5networks.f5_modules from /Users/gj1606/.ansible/collections/ansible_collections/f5networks/f5_modules
Loading callback plugin default of type stdout, v2.0 from /Users/gj1606/.local/lib/python3.10/site-packages/ansible/plugins/callback/default.py
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: test_ssl_profile.yml *********************************************************************************************************************************************************************************************************************
Positional arguments: test_ssl_profile.yml
verbosity: 4
connection: ssh
become_method: sudo
tags: ('all',)
inventory: ('/etc/ansible/inventory.yml',)
subset: slb01
forks: 5
1 plays in test_ssl_profile.yml

PLAY [Create Client and Server SSL profiles] *******************************************************************************************************************************************************************************************************

TASK [Create a client SSL profile with a cert/key/chain setting] ***********************************************************************************************************************************************************************************
task path: /Users/gj1606/Devel/F5/WPT/test_ssl_profile.yml:26
Trying secret FileVaultSecret(filename='/Users/gj1606/.anspw/vault_pw') for vault_id=default
Trying secret FileVaultSecret(filename='/Users/gj1606/.anspw/vault_pw') for vault_id=default
<localhost> Using network group action f5networks.f5_modules.bigip for f5networks.f5_modules.bigip_profile_client_ssl
Loading collection ansible.netcommon from /Users/gj1606/.ansible/collections/ansible_collections/ansible/netcommon
<localhost> connection transport is rest
<192.168.1.132> ANSIBLE_NETWORK_IMPORT_MODULES: disabled
<192.168.1.132> ANSIBLE_NETWORK_IMPORT_MODULES: module execution time may be extended
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: gj1606
<localhost> EXEC /bin/sh -c 'echo ~gj1606 && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /Users/gj1606/.ansible/tmp `"&& mkdir "` echo /Users/gj1606/.ansible/tmp/ansible-tmp-1730589466.872941-13664-168786780657656 `" && echo ansible-tmp-1730589466.872941-13664-168786780657656="` echo /Users/gj1606/.ansible/tmp/ansible-tmp-1730589466.872941-13664-168786780657656 `" ) && sleep 0'
Using module file /Users/gj1606/.ansible/collections/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_profile_client_ssl.py
<localhost> PUT /Users/gj1606/.ansible/tmp/ansible-local-13637f7ur6egt/tmp372xa9bs TO /Users/gj1606/.ansible/tmp/ansible-tmp-1730589466.872941-13664-168786780657656/AnsiballZ_bigip_profile_client_ssl.py
<localhost> EXEC /bin/sh -c 'chmod u+x /Users/gj1606/.ansible/tmp/ansible-tmp-1730589466.872941-13664-168786780657656/ /Users/gj1606/.ansible/tmp/ansible-tmp-1730589466.872941-13664-168786780657656/AnsiballZ_bigip_profile_client_ssl.py && sleep 0'
<localhost> EXEC /bin/sh -c '/Users/gj1606/.pyenv/versions/3.10.1/bin/python3.10 /Users/gj1606/.ansible/tmp/ansible-tmp-1730589466.872941-13664-168786780657656/AnsiballZ_bigip_profile_client_ssl.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /Users/gj1606/.ansible/tmp/ansible-tmp-1730589466.872941-13664-168786780657656/ > /dev/null 2>&1 && sleep 0'
changed: [slb01.intra.insynergy.uk -> localhost] => {
    "cert_key_chain": [
        {
            "cert": "/Common/********",
            "chain": "/Common/********",
            "key": "/Common/********",
            "name": "prd.devtty.local",
            "passphrase": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
        }
    ],
    "changed": true,
    "invocation": {
        "module_args": {
            "advertised_cert_authority": null,
            "allow_expired_crl": null,
            "allow_non_ssl": null,
            "cache_size": null,
            "cache_timeout": null,
            "cert_auth_depth": null,
            "cert_key_chain": [
                {
                    "cert": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                    "chain": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                    "key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                    "passphrase": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                    "true_names": true
                }
            ],
            "cipher_group": null,
            "ciphers": null,
            "client_auth_crl": null,
            "client_auth_frequency": null,
            "client_certificate": null,
            "name": "PRD.DEVTTY.LOCAL_CLIENTSSL",
            "options": null,
            "parent": null,
            "partition": "Common",
            "provider": {
                "auth_provider": null,
                "no_f5_teem": false,
                "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "server": "slb01.intra.insynergy.uk",
                "server_port": 443,
                "timeout": null,
                "transport": "rest",
                "user": "gj1606",
                "validate_certs": false
            },
            "renegotiation": null,
            "retain_certificate": null,
            "secure_renegotiation": null,
            "server_name": "prd.devtty.local",
            "sni_default": null,
            "sni_require": null,
            "state": "present",
            "strict_resume": null,
            "trusted_cert_authority": null
        }
    }
}

TASK [Create a new server SSL profile with a cert/key/chain setting] *******************************************************************************************************************************************************************************
task path: /Users/gj1606/Devel/F5/WPT/test_ssl_profile.yml:40
Trying secret FileVaultSecret(filename='/Users/gj1606/.anspw/vault_pw') for vault_id=default
Trying secret FileVaultSecret(filename='/Users/gj1606/.anspw/vault_pw') for vault_id=default
<localhost> Using network group action f5networks.f5_modules.bigip for f5networks.f5_modules.bigip_profile_server_ssl
Loading collection ansible.netcommon from /Users/gj1606/.ansible/collections/ansible_collections/ansible/netcommon
<localhost> connection transport is rest
<192.168.1.132> ANSIBLE_NETWORK_IMPORT_MODULES: disabled
<192.168.1.132> ANSIBLE_NETWORK_IMPORT_MODULES: module execution time may be extended
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: gj1606
<localhost> EXEC /bin/sh -c 'echo ~gj1606 && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /Users/gj1606/.ansible/tmp `"&& mkdir "` echo /Users/gj1606/.ansible/tmp/ansible-tmp-1730589469.9974341-13690-38579390805268 `" && echo ansible-tmp-1730589469.9974341-13690-38579390805268="` echo /Users/gj1606/.ansible/tmp/ansible-tmp-1730589469.9974341-13690-38579390805268 `" ) && sleep 0'
Using module file /Users/gj1606/.ansible/collections/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_profile_server_ssl.py
<localhost> PUT /Users/gj1606/.ansible/tmp/ansible-local-13637f7ur6egt/tmpri3ims9g TO /Users/gj1606/.ansible/tmp/ansible-tmp-1730589469.9974341-13690-38579390805268/AnsiballZ_bigip_profile_server_ssl.py
<localhost> EXEC /bin/sh -c 'chmod u+x /Users/gj1606/.ansible/tmp/ansible-tmp-1730589469.9974341-13690-38579390805268/ /Users/gj1606/.ansible/tmp/ansible-tmp-1730589469.9974341-13690-38579390805268/AnsiballZ_bigip_profile_server_ssl.py && sleep 0'
<localhost> EXEC /bin/sh -c '/Users/gj1606/.pyenv/versions/3.10.1/bin/python3.10 /Users/gj1606/.ansible/tmp/ansible-tmp-1730589469.9974341-13690-38579390805268/AnsiballZ_bigip_profile_server_ssl.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /Users/gj1606/.ansible/tmp/ansible-tmp-1730589469.9974341-13690-38579390805268/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
  File "/var/folders/64/bwkhb_vd6yx9nny1q7mrf3f00000gn/T/ansible_f5networks.f5_modules.bigip_profile_server_ssl_payload_9mnjny74/ansible_f5networks.f5_modules.bigip_profile_server_ssl_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_profile_server_ssl.py", line 846, in main
  File "/var/folders/64/bwkhb_vd6yx9nny1q7mrf3f00000gn/T/ansible_f5networks.f5_modules.bigip_profile_server_ssl_payload_9mnjny74/ansible_f5networks.f5_modules.bigip_profile_server_ssl_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_profile_server_ssl.py", line 611, in exec_module
  File "/var/folders/64/bwkhb_vd6yx9nny1q7mrf3f00000gn/T/ansible_f5networks.f5_modules.bigip_profile_server_ssl_payload_9mnjny74/ansible_f5networks.f5_modules.bigip_profile_server_ssl_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_profile_server_ssl.py", line 635, in present
  File "/var/folders/64/bwkhb_vd6yx9nny1q7mrf3f00000gn/T/ansible_f5networks.f5_modules.bigip_profile_server_ssl_payload_9mnjny74/ansible_f5networks.f5_modules.bigip_profile_server_ssl_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_profile_server_ssl.py", line 691, in create
  File "/var/folders/64/bwkhb_vd6yx9nny1q7mrf3f00000gn/T/ansible_f5networks.f5_modules.bigip_profile_server_ssl_payload_9mnjny74/ansible_f5networks.f5_modules.bigip_profile_server_ssl_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_profile_server_ssl.py", line 710, in create_on_device
fatal: [slb01.intra.insynergy.uk -> localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "authenticate_name": null,
            "ca_file": null,
            "certificate": "prd.devtty.local.crt",
            "chain": "DEVTTY-INTERNAL-CHAIN",
            "cipher_group": null,
            "ciphers": null,
            "key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "name": "PRD.DEVTTY.LOCAL_SERVERSSL",
            "ocsp_profile": null,
            "options": null,
            "parent": "/Common/serverssl",
            "partition": "Common",
            "passphrase": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "provider": {
                "auth_provider": null,
                "no_f5_teem": false,
                "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "server": "slb01.intra.insynergy.uk",
                "server_port": 443,
                "timeout": null,
                "transport": "rest",
                "user": "gj1606",
                "validate_certs": false
            },
            "renegotiation": null,
            "secure_renegotiation": null,
            "server_certificate": null,
            "server_name": "prd.devtty.local",
            "sni_default": null,
            "sni_require": null,
            "state": "present",
            "update_password": "always"
        }
    },
    "msg": "01070313:3: Error reading key PEM file /Common/******** for profile /Common/PRD.DEVTTY.LOCAL_SERVERSSL: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib"
}

PLAY RECAP *****************************************************************************************************************************************************************************************************************************************
slb01.intra.insynergy.uk   : ok=1    changed=1    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
@gomesjj gomesjj added bug Issues that are related to bugs in the Ansible modules untriaged issue that needs an initial response from the developers labels Nov 2, 2024
pgouband commented Nov 6, 2024

Hi,

Thanks for reporting. Added to the backlog and internal tracking ID for this request is: INFRAANO-1696.

As a workaround, have you tried using AS3?

@pgouband pgouband added backlog Item logged internally and removed untriaged issue that needs an initial response from the developers labels Nov 6, 2024
gomesjj commented Nov 6, 2024

> Hi,
>
> Thanks for reporting. Added to the backlog and internal tracking ID for this request is: INFRAANO-1696.
>
> As a workaround, have you tried using AS3?

Hi @pgouband ,

I've tested the following:

  • TMSH - works
  • REST API (postman) - works

I haven't tested with AS3 because it's not on the company's automation strategy. I've been asked to help networking engineering but I am not part of the team, so I have no leverage on their strategy...
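The failure above is BIG-IP's OpenSSL refusing to parse the key PEM (`PEM_READ_BIO_PRIVATEKEY:ASN1 lib`), which is what you see when an encrypted key is read without a usable passphrase. The pre-flight check below is an added example, not code from this issue or from the f5_modules collection: it classifies the local PEM key (unencrypted, legacy `Proc-Type`/`DEK-Info` encryption, or PKCS#8 `ENCRYPTED PRIVATE KEY`) so you know whether the task needs a passphrase at all, and builds the body for the iControl REST workaround the reporter says works. The REST property names (`cert`, `key`, `chain`, `passphrase`, `serverName`, `defaultsFrom`) are assumed to mirror tmsh `ltm profile server-ssl`; the PEM samples in the test are constructed.

```python
"""Pre-flight check for a passphrase-protected server SSL key (added example).

Not part of the issue or the f5_modules collection. Classifies the PEM key
and builds an iControl REST body for /mgmt/tm/ltm/profile/server-ssl.
REST property names are assumed to mirror tmsh `ltm profile server-ssl`.
"""
import re

LEGACY_HDR = re.compile(r"^-----BEGIN (RSA|EC|DSA) PRIVATE KEY-----", re.M)
PKCS8_HDR = "-----BEGIN PRIVATE KEY-----"
PKCS8_ENC_HDR = "-----BEGIN ENCRYPTED PRIVATE KEY-----"


def classify_pem_key(pem_text: str) -> str:
    """Return 'unencrypted', 'encrypted-legacy', 'encrypted-pkcs8' or 'not-a-key'."""
    if PKCS8_ENC_HDR in pem_text:
        return "encrypted-pkcs8"  # PKCS#8: encryption is inside the ASN.1 blob
    if LEGACY_HDR.search(pem_text):
        # Traditional OpenSSL keys mark encryption with PEM headers:
        # "Proc-Type: 4,ENCRYPTED" plus "DEK-Info: <cipher>,<iv>".
        if "Proc-Type: 4,ENCRYPTED" in pem_text and "DEK-Info:" in pem_text:
            return "encrypted-legacy"
        return "unencrypted"
    if PKCS8_HDR in pem_text:
        return "unencrypted"
    return "not-a-key"


def server_ssl_payload(name, cert, key, chain, server_name, pem_text, passphrase=None):
    """Build the REST body; send a passphrase only when the key actually needs one."""
    kind = classify_pem_key(pem_text)
    if kind == "not-a-key":
        raise ValueError("key file is not a PEM private key")
    body = {
        "name": name,
        "defaultsFrom": "/Common/serverssl",  # parent the module reported above
        "cert": f"/Common/{cert}",
        "key": f"/Common/{key}",
        "chain": f"/Common/{chain}",
        "serverName": server_name,
    }
    if kind.startswith("encrypted"):
        if not passphrase:
            raise ValueError(f"{kind} key requires a passphrase, none supplied")
        body["passphrase"] = passphrase
    return body
```

The classification only tells you what the key on disk looks like; whether the copy already imported on the BIG-IP accepts the passphrase is still something the device reports, as in the failure above.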
