Ansible URI module with cacert option

Solution 1

The uri module is not cURL; it's a full Python implementation, so there is no chance that cURL env-vars or options can work.
The others option is documented as "all arguments accepted by the file module also work here", so it simply means that you can use owner, group, mode, etc. to set attributes on the dest.

client_cert and client_key were added in the recent 2.4 just to fix issue #18141, and they didn't think about the server TLS auth...

I can see 3 solutions:

  • Add your CA certificate into your system certificates (on the target host of the uri task) - only valid with Python >= 2.7.9
  • Use the validate_certs: no option to disable server certificate validation (so no CA certificate to use)
  • Raise an issue (and maybe a PR) to add support for a cacert option

Solution 2

Using the SSL_CERT_FILE environment variable at task level. Example task:

- name: test uri using a custom cacert file
  environment:
    SSL_CERT_FILE: "{{ cacert_file_path }}"
  uri:
    url: "{{ uri_url }}"
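The following playbook is an added example, not code from the question or either answer. It puts the two working approaches from Solution 1 (install the CA into the system trust store) and Solution 2 (SSL_CERT_FILE on the task) next to each other, and applies them to the POST with client certificate that the question's curl command performs. Everything in vars is an assumption: the URL, the file paths, the payload, and that the managed host is a RHEL/CentOS-family system (the anchors directory and update-ca-trust are specific to it; Debian/Ubuntu use /usr/local/share/ca-certificates and update-ca-certificates). As Solution 1 notes, server certificate validation in the uri module needs Python >= 2.7.9 on the managed host.

```yaml
# Added example (not from the original page). Equivalent of:
#   curl -X POST --data <json> --key <key> --cert <cert> --cacert <cacert> \
#        --header "Content-Type: application/json" <url>
# without setting validate_certs: no.
- name: POST to a service signed by a private CA, keeping validation on
  hosts: api_clients
  become: true
  vars:
    # Assumed values; replace with your own.
    uri_url: "https://api.internal.example/v1/items"
    cacert_src: "files/internal-ca.pem"          # on the controller
    cacert_file_path: "/etc/pki/tls/certs/internal-ca.pem"   # on the target
    client_cert_path: "/etc/pki/tls/certs/client.crt"        # on the target
    client_key_path: "/etc/pki/tls/private/client.key"       # on the target
    payload:
      name: "example"
      enabled: true
  tasks:
    # The uri module runs on the managed host, so the CA file must be there
    # (both approaches below read it from the target, not the controller).
    - name: Copy the private CA certificate to the target
      copy:
        src: "{{ cacert_src }}"
        dest: "{{ cacert_file_path }}"
        owner: root
        group: root
        mode: "0644"

    # Approach A (Solution 1, first option): add the CA to the system trust
    # store so every TLS client on the host trusts it, not just this task.
    - name: Add the private CA as a system trust anchor (RHEL family)
      copy:
        src: "{{ cacert_file_path }}"
        remote_src: true
        dest: /etc/pki/ca-trust/source/anchors/internal-ca.pem
        owner: root
        group: root
        mode: "0644"
      register: ca_anchor

    - name: Rebuild the system CA bundle when the anchor changed
      command: update-ca-trust extract
      when: ca_anchor.changed

    # Approach B (Solution 2): point OpenSSL at the CA bundle for this task
    # only. Either approach on its own is enough; B is shown on the task that
    # does the actual request.
    - name: POST JSON with a client certificate, validating the server cert
      environment:
        SSL_CERT_FILE: "{{ cacert_file_path }}"
      uri:
        url: "{{ uri_url }}"
        method: POST
        body: "{{ payload }}"
        body_format: json            # serialises the dict and sets Content-Type
        client_cert: "{{ client_cert_path }}"
        client_key: "{{ client_key_path }}"
        # validate_certs is left at its default (yes) on purpose.
        return_content: true
        status_code: [200, 201]
      register: post_result

    - name: Show the parsed response body
      debug:
        var: post_result.json
```

One caveat with approach B: SSL_CERT_FILE replaces OpenSSL's default CA file for that task rather than adding to it, so a bundle containing only the private CA will make requests to publicly signed hosts fail in the same task. If the same play also talks to public endpoints, either concatenate the public bundle and the private CA into the file you point SSL_CERT_FILE at, or use approach A.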
Author: Andrew H

Updated on June 09, 2022

Comments

  • Andrew H (almost 2 years ago)

    I'm trying to do the equivalent of:

    curl -X POST --data <json> --key <path to key> --cert <path to cert> --cacert <path to cacert> --header "Content-Type: application/json" <url>

    in an ansible play. Following the documentation from http://docs.ansible.com/ansible/latest/uri_module.html, there are equivalents for key, cert, X, header, and data, but I haven't found a way to pass in a Certificate Authority file.

    I've tried:

    environment:
      CURL_CA_BUNDLE: <path to cacert>
    uri:
      url: <url>
      client_cert: <path to cert>
      client_key: <path to key>
      body: <json>
      method: POST
      body_format: json
    

    Since man curl specifies that it will read the environment variable CURL_CA_BUNDLE. I have also tried:

    uri:
      url: <url>
      client_cert: <path to cert>
      client_key: <path to key>
      body: <json>
      method: POST
      body_format: json
      others: --cacert <path to cacert>
    

    Neither method has worked. Without the cacert, I am getting the error: "Failed to validate the SSL certificate for <url>. Make sure your managed systems have a valid CA certificate installed...". I know that if I pass in validate_certs=False, then the method will work, and I know that it works via command line with curl.

    Is there another option I can pass into the URI module to bypass this issue?

  • Andrew H (over 6 years ago)
    Just to add some notes, I had CA certs installed in /etc/pki/tls/certs and ansible was indeed picking them up. My real issue turned out to be that I was running Python 2.7.5 and support for CAs was added in Python 2.7.9 (see docs.python.org/2/library/urllib2.html). I think having the option to add a cacert file/directory for the URI module would be a good addition, so I'll try to submit an issue at some point.
  • Indra Yadav (almost 6 years ago)
    did you get the solution ?
  • Andrew H (over 5 years ago)
    @IndraYadav Yes, it did work with validate_certs: no
  • Yuri (over 4 years ago)
    Just note that you are switching to an insecure mode with validate_certs: no.
  • Christoffer Reijer (over 4 years ago)
    Regarding "Add your CA certificate into your system certificates": any idea on how to do this on macOS?