https support? #16

Open
FleischKarussel opened this issue Oct 17, 2019 · 7 comments

@FleischKarussel

Hello @elnappo,

We just enabled https in front of the check_mk server (LB) and since then, the check_mk.py is not able to work anymore.
Is this module tested against https or is http the only operation mode by design?

Thanks in advance.

@elnappo
Owner

elnappo commented Oct 18, 2019

It also works with HTTPS. Do you have a log message for me?

@FleischKarussel
Author

Alright, it seems to be related to certificate verification. Custom enterprise CA.
Other ansible modules using this CA work fine, except the check_mk.py.
I'll add more details on Monday.

@FleischKarussel
Author

FleischKarussel commented Oct 21, 2019

Additional information:

Ubuntu 16.04
Ansible Tower 3.5.2
Ansible 2.8.3

Playbook:

- name: Add host to check_mk Server via WATO API and discover services
  check_mk:
    server_url: "{{ check_mk_agent_monitoring_host_url }}"
    username: "{{ check_mk_agent_monitoring_host_wato_username }}"
    secret: "{{ check_mk_agent_monitoring_host_wato_secret }}"
    hostname: "{{ inventory_hostname }}"
    folder: "{{ check_mk_agent_monitoring_host_folder }}"
    discover_services: refresh
    state: present
  delegate_to: localhost

Debug messages:
The full traceback is:
WARNING: The below traceback may not be related to the actual failure.

  File "/tmp/ansible_check_mk_payload_H8_kJc/__main__.py", line 155, in _api_request
    r = self._session.post(self._api_url + action, data=payload or {}, verify=self._module.params["validate_certs"])
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/sessions.py", line 572, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/sessions.py", line 524, in request
    resp = self.send(prep, **send_kwargs)
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/sessions.py", line 637, in send
    r = adapter.send(request, **kwargs)
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e…

"msg": "HTTPSConnectionPool(host='checkmk-dev01.mgmt.example.com', port=443): Max retries exceeded with url: /cmktest/check_mk/webapi.py?_username=automation&_secret=********&action=get_host&effective_attributes=1 (Caused by SSLError(SSLError(\"bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)\",),))

As I mentioned, e.g. the playbook below works fine and uses the same https://.
AFAIK get_url also verifies certificates.

- name: download CheckMK Agent script from CheckMK Server and upload to destination host
  get_url: 
    url: "{{ check_mk_agent_monitoring_host_url }}check_mk/agents/check_mk_agent.linux" 
    dest: /usr/local/bin/check_mk_agent 
    owner: root 
    group: root 
    mode: 0755

@FleischKarussel
Author

FleischKarussel commented Oct 21, 2019

I just confirmed this by setting validate_certs: False; then the playbook ran fine.
Does check_mk.py have no access to CAs because it's not an upstream module?
Currently it's checked into the repo where the playbook resides.

@elnappo
Owner

elnappo commented Oct 25, 2019

The module uses the requests library, as many other Ansible modules do. It should respect your local certificate store. Could you please try this in your Python console?

import requests
url = "<your checkmk URL>"
r = requests.get(url)
r.status_code
r = requests.get(url, verify=True)
r.status_code
r = requests.get(url, verify=False)
r.status_code

@FleischKarussel
Author

FleischKarussel commented Oct 25, 2019

Python 2.7.12 (default, Nov 12 2018, 14:36:49)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
url = "https://checkmk-dev01.mgmt.example.com"
>>> url = "https://checkmk-dev01.mgmt.example.com"
>>> r = requests.get(url)
>>> r.status_code
200
>>> r = requests.get(url, verify=True)
>>> r.status_code
200
>>> r = requests.get(url, verify=False)
/var/lib/awx/venv/ansible/local/lib/python2.7/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
>>> r.status_code
200

@elnappo
Owner

elnappo commented Oct 28, 2019

Strange... Could you please post the debug output from the playbook run (one task should be enough)? e.g. ansible-playbook -i hosts playbook.yml -vvvv

Are you using a custom CA?
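
Added example (not part of the thread and not code from the check_mk module): a diagnostic for the question left open above, namely which CA file a `requests` call verifies against and whether the enterprise CA is in it. `effective_ca_bundle` mirrors the lookup order `requests` documents (explicit `verify=` path, then `REQUESTS_CA_BUNDLE`, then `CURL_CA_BUNDLE`, then the certifi bundle), so it can be run in both the interactive shell and the job environment to compare them. The function names and the two sample PEM blocks are constructed for illustration.

```python
import base64
import hashlib
import os
import re
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def effective_ca_bundle(verify=True, environ=None, trust_env=True, default=None):
    """CA file requests would verify against; None when verification is off."""
    environ = os.environ if environ is None else environ
    if verify is False:
        return None
    if isinstance(verify, str):          # explicit verify="/path/ca.pem" wins
        return verify
    if trust_env:                        # Session.trust_env, True by default
        for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
            if environ.get(var):
                return environ[var]
    if default is not None:              # lets callers and tests pin the fallback
        return default
    try:
        import certifi                   # certifi is a dependency of requests
        return certifi.where()
    except ImportError:
        return None


def fingerprints(pem_text):
    """SHA-256 of the DER form of each certificate in a PEM file."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(b)).hexdigest()
            for b in PEM_RE.findall(pem_text)}


def bundle_trusts(bundle_pem, ca_pem):
    """True if every certificate in ca_pem also appears in bundle_pem."""
    wanted = fingerprints(ca_pem)
    return bool(wanted) and wanted <= fingerprints(bundle_pem)


def _constructed_pem(payload):
    """Constructed stand-in block (not a real certificate) for the demo."""
    body = base64.b64encode(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


CORP_CA = _constructed_pem(b"constructed enterprise root CA")
PUBLIC_BUNDLE = _constructed_pem(b"constructed public root 1")
```

With real files, pass the contents of the path returned by `effective_ca_bundle()` as `bundle_pem` and the enterprise root certificate as `ca_pem`.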
