Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x509_certificate: Unable to load certificate #226

Closed
PrymalInstynct opened this issue May 7, 2021 · 5 comments · Fixed by #237
Closed

x509_certificate: Unable to load certificate #226

PrymalInstynct opened this issue May 7, 2021 · 5 comments · Fixed by #237

Comments

@PrymalInstynct
Copy link

SUMMARY

Attempting to use community.crypto to create a self-signed CA, then sign a number of x509 certifcates

ISSUE TYPE
  • Bug Report
COMPONENT NAME

x509_certificate

ANSIBLE VERSION
ansible 2.9.18
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/zimmermanc/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.6.8 (default, Aug 18 2020, 08:33:21) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
CONFIGURATION
DEFAULT_CALLBACK_WHITELIST(/etc/ansible/ansible.cfg) = ['profile_tasks']
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
OS / ENVIRONMENT

Red Hat Enterprise Linux 8.3

STEPS TO REPRODUCE

This is a part of role, so the yaml below is from the task associated with these steps

- name: Create OpenSSL CA.key
  run_once: yes
  become: yes
  become_user: "{{ local_user }}"
  delegate_to: localhost
  openssl_privatekey:
    path: "{{ role_path }}/files/ca.key"
    type: RSA
    size: 4096
    owner: "{{ local_user }}"
    group: "{{ local_user }}"

- name: "Create OpenSSL CA.crt"
  run_once: yes
  become: yes
  become_user: "{{ local_user }}"
  delegate_to: localhost
  openssl_publickey:
    path: "{{ role_path }}/files/ca.crt"
    privatekey_path: "{{ role_path }}/files/ca.key"

- name: "Create OpenSSL {{ vault_url }}.key"
  run_once: yes
  become: yes
  become_user: "{{ local_user }}"
  delegate_to: localhost
  openssl_privatekey:
    path: "{{ role_path }}/files/{{ vault_url }}.key"
    type: RSA
    size: 4096
    owner: "{{ local_user }}"
    group: "{{ local_user }}"

- name: "Create OpenSSL {{ vault_url }}.csr"
  run_once: yes
  become: yes
  become_user: "{{ local_user }}"
  delegate_to: localhost
  openssl_csr:
    path: "{{ role_path }}/files/{{ vault_url }}.csr"
    privatekey_path: "{{ role_path }}/files/{{ vault_url }}.key"
    country_name: US
    state_or_province_name: Colorado
    common_name: "{{ vault_url }}"
    basic_constraints:
      - CA:FALSE
    key_usage:
      - digitalSignature
      - nonRepudiation
      - keyEncipherment
      - dataEncipherment
    extended_key_usage:
      - serverAuth
    subject_alt_name: 'DNS:{{ vault_url }},DNS:{{ vault_short_url }}'
    owner: "{{ local_user }}"
    group: "{{ local_user }}"

- name: "Create OpenSSL {{ vault_url }}.crt"
  run_once: yes
  become: yes
  become_user: "{{ local_user }}"
  delegate_to: localhost
  x509_certificate:
    path: "{{ role_path }}/files/{{ vault_url }}.crt"
    csr_path: "{{ role_path }}/files/{{ vault_url }}.csr"
    ownca_path: "{{ role_path }}/files/ca.crt"
    ownca_privatekey_path: "{{ role_path }}/files/ca.key"
    provider: ownca
EXPECTED RESULTS

I expect the x509_certificate module to successfully create and output a certificate

ACTUAL RESULTS

I get the following output fatal: [vault01.dev.env]: FAILED! => {"changed": false, "msg": "Unable to load certificate"}

<localhost> ESTABLISH LOCAL CONNECTION FOR USER: zimmermanc
<localhost> EXEC /bin/sh -c 'echo ~zimmermanc && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/zimmermanc/.ansible/tmp `"&& mkdir "` echo /home/zimmermanc/.ansible/tmp/ansible-tmp-1620392623.492317-1658179-74491262349629 `" && echo ansible-tmp-1620392623.492317-1658179-74491262349629="` echo /home/zimmermanc/.ansible/tmp/ansible-tmp-1620392623.492317-1658179-74491262349629 `" ) && sleep 0'
Using module file /home/zimmermanc/.ansible/collections/ansible_collections/community/crypto/plugins/modules/x509_certificate.py
<localhost> PUT /home/zimmermanc/.ansible/tmp/ansible-local-165787482qd_06h/tmpeg9gdh3_ TO /home/zimmermanc/.ansible/tmp/ansible-tmp-1620392623.492317-1658179-74491262349629/AnsiballZ_x509_certificate.py
<localhost> EXEC /bin/sh -c 'chmod u+x /home/zimmermanc/.ansible/tmp/ansible-tmp-1620392623.492317-1658179-74491262349629/ /home/zimmermanc/.ansible/tmp/ansible-tmp-1620392623.492317-1658179-74491262349629/AnsiballZ_x509_certificate.py && sleep 0'
<localhost> EXEC /bin/sh -c '/usr/bin/python3.6 /home/zimmermanc/.ansible/tmp/ansible-tmp-1620392623.492317-1658179-74491262349629/AnsiballZ_x509_certificate.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /home/zimmermanc/.ansible/tmp/ansible-tmp-1620392623.492317-1658179-74491262349629/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
  File "/tmp/ansible_x509_certificate_payload_cjqckiab/ansible_x509_certificate_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate.py", line 544, in main
  File "/tmp/ansible_x509_certificate_payload_cjqckiab/ansible_x509_certificate_payload.zip/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate.py", line 371, in select_backend
    return provider.create_backend(module, backend)
  File "/tmp/ansible_x509_certificate_payload_cjqckiab/ansible_x509_certificate_payload.zip/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_ownca.py", line 336, in create_backend
    return OwnCACertificateBackendCryptography(module)
  File "/tmp/ansible_x509_certificate_payload_cjqckiab/ansible_x509_certificate_payload.zip/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/certificate_ownca.py", line 97, in __init__
    backend=self.backend
  File "/tmp/ansible_x509_certificate_payload_cjqckiab/ansible_x509_certificate_payload.zip/ansible_collections/community/crypto/plugins/module_utils/crypto/support.py", line 203, in load_certificate
    raise OpenSSLObjectError(exc)
fatal: [gitlab.dev.env]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "acme_accountkey_path": null,
            "acme_chain": false,
            "acme_challenge_path": null,
            "acme_directory": "https://acme-v02.api.letsencrypt.org/directory",
            "attributes": null,
            "backup": false,
            "content": null,
            "csr_content": null,
            "csr_path": "/home/zimmermanc/Projects/homelab/ansible/roles/dev-setup/files/vault01.dev.env.csr",
            "delimiter": null,
            "directory_mode": null,
            "entrust_api_client_cert_key_path": null,
            "entrust_api_client_cert_path": null,
            "entrust_api_key": null,
            "entrust_api_specification_path": "https://cloud.entrust.net/EntrustCloud/documentation/cms-api-2.1.0.yaml",
            "entrust_api_user": null,
            "entrust_cert_type": "STANDARD_SSL",
            "entrust_not_after": "+365d",
            "entrust_requester_email": null,
            "entrust_requester_name": null,
            "entrust_requester_phone": null,
            "extended_key_usage": null,
            "extended_key_usage_strict": false,
            "follow": false,
            "force": false,
            "group": null,
            "has_expired": false,
            "invalid_at": null,
            "issuer": null,
            "issuer_strict": false,
            "key_usage": null,
            "key_usage_strict": false,
            "mode": null,
            "not_after": null,
            "not_before": null,
            "ownca_content": null,
            "ownca_create_authority_key_identifier": true,
            "ownca_create_subject_key_identifier": "create_if_not_provided",
            "ownca_digest": "sha256",
            "ownca_not_after": "+3650d",
            "ownca_not_before": "+0s",
            "ownca_path": "/home/zimmermanc/Projects/homelab/ansible/roles/dev-setup/files/ca.crt",
            "ownca_privatekey_content": null,
            "ownca_privatekey_passphrase": null,
            "ownca_privatekey_path": "/home/zimmermanc/Projects/homelab/ansible/roles/dev-setup/files/ca.key",
            "ownca_version": 3,
            "owner": null,
            "path": "/home/zimmermanc/Projects/homelab/ansible/roles/dev-setup/files/vault01.dev.env.crt",
            "privatekey_content": null,
            "privatekey_passphrase": null,
            "privatekey_path": null,
            "provider": "ownca",
            "regexp": null,
            "remote_src": null,
            "return_content": false,
            "select_crypto_backend": "auto",
            "selevel": null,
            "selfsigned_create_subject_key_identifier": "create_if_not_provided",
            "selfsigned_digest": "sha256",
            "selfsigned_not_after": "+3650d",
            "selfsigned_not_before": "+0s",
            "selfsigned_version": 3,
            "serole": null,
            "setype": null,
            "seuser": null,
            "signature_algorithms": null,
            "src": null,
            "state": "present",
            "subject": null,
            "subject_alt_name": null,
            "subject_alt_name_strict": false,
            "subject_strict": false,
            "unsafe_writes": null,
            "valid_at": null,
            "valid_in": null,
            "version": null
        }
    },
    "msg": "Unable to load certificate"
}

I have validated it is not a permissions issue as the become user owns the files that the x509_certificate module is trying to read.

@felixfontein
Copy link
Contributor

Well, this is not a surprise since ca.crt in your example is not a certificate, but a public key:

- name: "Create OpenSSL CA.crt"
  run_once: yes
  become: yes
  become_user: "{{ local_user }}"
  delegate_to: localhost
  openssl_publickey:
    path: "{{ role_path }}/files/ca.crt"
    privatekey_path: "{{ role_path }}/files/ca.key"

You need a certificate, not a public key.

@PrymalInstynct
Copy link
Author

ok, gotcha, I should have realized that. If I can make a recommendation it would be to update the documentation that goes along with this module to address creating a self-signed CA as that has got to be a pretty common usecase.

@Ajpantuso
Copy link
Collaborator

ok, gotcha, I should have realized that. If I can make a recommendation it would be to update the documentation that goes along with this module to address creating a self-signed CA as that has got to be a pretty common usecase.

Were you able to create your self-signed root certificate?

The first example in the x509_certificate documentation covers this:

- name: Generate a Self Signed OpenSSL certificate 
  community.crypto.x509_certificate:
    path: /etc/ssl/crt/ansible.com.crt
    privatekey_path: /etc/ssl/private/ansible.com.pem
    csr_path: /etc/ssl/csr/ansible.com.csr
    provider: selfsigned

To your point however these modules don't really cover creating a CA which typically involves setting up the directory structure, configurations, and initial state of the CA database/serial number sequence.

So if you really need to create a CA I would look at other options however for creating a self-signed cert the docs cover what is needed.

@felixfontein
Copy link
Contributor

This is something we should add as a scenario guide I guess, similar to some other common use-cases. (We hopefully will be able to publish guides soon, using ansible-community/antsibull-build#255...)

@felixfontein
Copy link
Contributor

I started writing some guides in #237.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants