Ansible URI module with cacert option
Solution 1
The uri module is not cURL; it's a full Python implementation, so there's no chance that cURL env vars or options can work.
The others option is documented as "all arguments accepted by the file module also work here", so it simply means that you can use owner, group, mode, etc. to set attributes on the dest.
client_cert and client_key were added in the recent 2.4 just to fix issue #18141, and they didn't think about the server TLS auth...
I can see 3 solutions:
- Add your CA certificate into your system certificates (on the target host of the uri task) - only valid with python >= 2.7.9
- Use the validate_certs: no option to disable server certificate validation (so no CA certificate to use)
- Raise an issue (and maybe a PR) to add support of a cacert option
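The first option above (install the CA into the target host's trust store so the default validate_certs: yes keeps working) as a complete play. This is an added example, not code from the answer or from the Ansible project; the inventory group api_clients, the file names, the API URL and the handler name are placeholders. The trust-store paths and the update-ca-trust / update-ca-certificates commands are the standard ones on RedHat- and Debian-family systems; the first task enforces the Python >= 2.7.9 caveat from the answer instead of silently falling back to an unverified connection.

```yaml
---
# Added example (not from the original answer): install a private CA into the
# target host's system trust store, then let uri validate the server against it.
# Group name, paths and URL are placeholders.
- name: Call an internal HTTPS API signed by a private CA, without disabling validation
  hosts: api_clients
  become: true
  vars:
    internal_ca_src: files/internal-ca.pem            # placeholder: CA cert kept on the controller
    api_url: https://api.internal.example/v1/items    # placeholder URL
  tasks:
    - name: Refuse to continue on interpreters that cannot verify server certificates
      ansible.builtin.assert:
        that:
          - ansible_facts['python_version'] is version('2.7.9', '>=')
        fail_msg: >-
          Python {{ ansible_facts['python_version'] }} on the target cannot validate
          server certificates; upgrade the interpreter rather than disabling checks.

    - name: Install the CA into the trust store (RedHat family)
      ansible.builtin.copy:
        src: "{{ internal_ca_src }}"
        dest: /etc/pki/ca-trust/source/anchors/internal-ca.crt
        owner: root
        group: root
        mode: "0644"
      when: ansible_facts['os_family'] == 'RedHat'
      notify: update trust store

    - name: Install the CA into the trust store (Debian family)
      ansible.builtin.copy:
        src: "{{ internal_ca_src }}"
        dest: /usr/local/share/ca-certificates/internal-ca.crt
        owner: root
        group: root
        mode: "0644"
      when: ansible_facts['os_family'] == 'Debian'
      notify: update trust store

    - name: Rebuild the trust store now, before the request is sent
      ansible.builtin.meta: flush_handlers

    - name: Query the API; validate_certs is left at its default (yes)
      ansible.builtin.uri:
        url: "{{ api_url }}"
        method: GET
        return_content: true
      register: api_response

  handlers:
    - name: update trust store
      ansible.builtin.command: >-
        {{ 'update-ca-trust' if ansible_facts['os_family'] == 'RedHat'
           else 'update-ca-certificates' }}
      changed_when: true
```

The assert task is the part worth keeping even if you install the CA by other means: on an interpreter older than 2.7.9, urllib2 never checked the server certificate at all, so a "successful" request on such a host proves nothing about who answered it.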
Solution 2
Using the SSL_CERT_FILE environment variable at task level. Example task:
- name: test uri using a custom cacert file
  environment:
    SSL_CERT_FILE: "{{ cacert_file_path }}"
  uri:
    url: "{{ uri_url }}"
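The curl command from the question expressed as one uri task that follows this answer's approach: the private CA is handed to the target's Python/OpenSSL through SSL_CERT_FILE, while client_cert and client_key carry the mutual-TLS side. This is an added example, not code from the answer; the group name api_clients, the certificate paths, the URL and the JSON payload are placeholders.

```yaml
---
# Added example (not from the original answer): curl -X POST --data <json>
# --key ... --cert ... --cacert ... --header "Content-Type: application/json" <url>
# as an Ansible task. Paths, host and payload are placeholders.
- name: POST to an internal API with mutual TLS and a private CA
  hosts: api_clients
  vars:
    cacert_file_path: /etc/pki/tls/certs/internal-ca.pem    # placeholder: CA bundle present on the target
    client_cert_path: /etc/pki/tls/certs/client.pem         # placeholder
    client_key_path: /etc/pki/tls/private/client.key        # placeholder
    uri_url: https://api.internal.example/v1/items          # placeholder
  tasks:
    - name: Send the request; the server certificate is checked against the CA in SSL_CERT_FILE
      environment:
        SSL_CERT_FILE: "{{ cacert_file_path }}"
      ansible.builtin.uri:
        url: "{{ uri_url }}"
        method: POST
        client_cert: "{{ client_cert_path }}"
        client_key: "{{ client_key_path }}"
        headers:
          Content-Type: application/json
        body_format: json
        body:
          name: example-item
          enabled: true
        status_code: [200, 201]
        return_content: true
      register: api_response

    - name: Show the parsed JSON reply
      ansible.builtin.debug:
        var: api_response.json
```

Note that the environment keyword applies on the managed host, so the file named in SSL_CERT_FILE must exist there, not on the controller, and the interpreter must be one that validates certificates at all (Python >= 2.7.9, as the other answer and the comments below point out). Setting validate_certs: no instead makes the task succeed against any server presenting any certificate, which is a different result from what the --cacert flag in the original curl command asks for. Recent Ansible releases also document a ca_path parameter on uri for this purpose; check the module documentation for the version in use.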
Andrew H
Updated on June 09, 2022
Comments
- Andrew H almost 2 years
I'm trying to do the equivalent of:
curl -X POST --data <json> --key <path to key> --cert <path to cert> --cacert <path to cacert> --header "Content-Type: application/json" <url>
in an Ansible play. Following the documentation from http://docs.ansible.com/ansible/latest/uri_module.html, there are equivalents for key, cert, X, header, and data, but I haven't found a way to pass in a Certificate Authority file.
I've tried:
environment:
  CURL_CA_BUNDLE: <path to cacert>
uri:
  url: <url>
  client_cert: <path to cert>
  client_key: <path to key>
  body: <json>
  method: POST
  body_format: json
since man curl specifies that it will read the environment variable CURL_CA_BUNDLE. I have also tried:
uri:
  url: <url>
  client_cert: <path to cert>
  client_key: <path to key>
  body: <json>
  method: POST
  body_format: json
  others: --cacert <path to cacert>
Neither method has worked. Without the cacert, I am getting the error: "Failed to validate the SSL certificate for <url>. Make sure your managed systems have a valid CA certificate installed...". I know that if I pass validate_certs=False, then the method will work, and I know that it works via command line with curl. Is there another option I can pass into the URI module to bypass this issue?
- Andrew H over 6 years
Just to add some notes, I had CA certs installed in /etc/pki/tls/certs and Ansible was indeed picking them up. My real issue turned out to be that I was running Python 2.7.5 and support for CAs was added in Python 2.7.9 (see docs.python.org/2/library/urllib2.html). I think having the option to add a cacert file/directory for the URI module would be a good addition, so I'll try to submit an issue at some point.
- Indra Yadav almost 6 years
Did you get the solution?
- Andrew H over 5 years
@IndraYadav Yes, it did work with validate_certs: no
- Yuri over 4 years
Just note that you are switching to an insecure mode with validate_certs: no.
- Christoffer Reijer over 4 years
Regarding "Add your CA certificate into your system certificates": any idea on how to do this on macOS?