Request: Certificate validation to use OS trusted root certificates first #365
Labels: area/idrac, area/ome, area/ome-modular, needs-triage, type/feature
Description
The updated notes about what types of certificates are expected for the ca_path parameter were helpful in getting me going with them.
I do still have concerns about the overall burden needed to manage these certificates, when other Ansible modules can validate certs without needing to specify a path to specific files.
Ideally, if the host that is running Ansible already trusts the root CA, then it seems like a certificate path shouldn't be necessary. Only if it wasn't already trusted, then it would make sense to need to specify a ca_path for a certain cert bundle.
In my case I have a mix of devices that have certificates issued by DigiCert, an external CA, as well as our internal CA. Between our AWX servers, development boxes, and Execution Environments, we have worked to make sure our internal CAs are added as trusted roots where we will be using Ansible playbooks.
With needing to specify the exact location of a certificate, we have to ensure all of these certs are in a central location that our Ansible related playbooks can reach.
We have a ./files/certificates folder in our git repository, but as this runs either on our development servers, or inside of AWX, or inside of an Execution Environment, the full path can vary widely, so we have to use a relative path to these certificates.
The problem we are running into now is the ca_path parameter is relative to the playbook location and not the working directory where you launch ansible-playbook from.
In our case, we have some playbooks in the following folder structure:
./Dell
./Dell/networking
./Dell/idrac
If we are running a playbook that lives in ./Dell/networking, we would run this with something like
ansible-playbook ./Dell/networking/manage_vlan.yml ...
and in order for the ca_path to work, we would have to use ca_path: ../../files/certificates/DigiCert_root_bundle.pem
This would go back 2 folders to the root of the project, and then go into the files/certificates folder to find the .pem needed.
Since I want to make our configs using variables as much as I can, I store this location as a group_var for the hosts so I have a single location to manage it.
The next problem comes when I want to run a playbook that isn't in a subfolder of the Dell folder, but directly in this folder, such as ./Dell/ome_config.yml
Now when it uses the variable for the ca_path it still goes up 2 folders, which is now too far back and can't find the /files/certificates path anymore. One solution would be to hard code this path, but as we have playbooks running on multiple platforms, the full path changes so that won't work.
The final issue is that some of our systems have a different intermediate CA from DigiCert and some use the internal CA, so a single bundle from DigiCert doesn't work for all hosts, and the ones using our internal CA need completely different certs.
All of these are trusted by our hosts, but needing to specify a path is causing significant issues and either needs a sprawl of new variables or hard coded paths, or the easiest solution is just to turn off validate_certs.
I've looked at other Ansible modules we are using and some are able to have a validate_certs parameter without needing a cert path:
https://docs.ansible.com/ansible/latest/collections/community/general/ldap_entry_module.html
https://docs.ansible.com/ansible/latest/collections/awx/awx/user_module.html
While some do require a ca_path parameter:
https://docs.ansible.com/ansible/latest/collections/ansible/builtin/uri_module.html
Questions:
With validate_certs: false in the 5.0.x collection today, does it still use SSL and just not validate that the certificate is trusted, or is it completely insecure in plain text?
New or existing component
5.x release that requires a ca_path to a specific certificate chain for the validate_certs parameter instead of using the OS's default list of trusted roots, just like a browser will trust all of the trusted root certs without prompting
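To make the two problems in this request concrete, here is an added example (not code from this issue or from the collection itself) that shows, first, why a playbook-relative ca_path resolves differently from ./Dell/networking than from ./Dell, and second, how a module could build its TLS context from the OS trusted roots first and only add a ca_path bundle when one is supplied. The folder names and bundle filename are the ones from this issue; resolve_ca_path, build_ssl_context and trust_summary are illustrative names.

```python
import posixpath
import ssl


def resolve_ca_path(ca_path, playbook_dir):
    """Resolve ca_path relative to the playbook's directory (the behaviour
    described in the issue), not the shell's working directory.
    The normalised result makes the effect of '../..' visible."""
    if posixpath.isabs(ca_path):
        return ca_path
    return posixpath.normpath(posixpath.join(playbook_dir, ca_path))


def build_ssl_context(ca_path=None, validate_certs=True):
    """Illustrative context builder: trust the host's root store first and
    add ca_path only when the caller provides one. Not the collection's code."""
    # create_default_context() loads the OS trusted roots and sets
    # CERT_REQUIRED plus hostname checking, like a browser would.
    ctx = ssl.create_default_context()
    if not validate_certs:
        # In this example validate_certs=False keeps TLS but skips peer
        # identity checks; that is an assumption about how a module might
        # interpret the flag, not a statement about the 5.0.x collection.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if ca_path:
        # Extra bundle for devices whose chain is not in the OS store
        # (e.g. a different intermediate, or an internal CA).
        ctx.load_verify_locations(cafile=ca_path)
    return ctx


def trust_summary(ctx):
    """Describe how a context will treat the peer certificate."""
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    bundle = "../../files/certificates/DigiCert_root_bundle.pem"
    # Same group_var, two playbook locations: only the first lands in the repo.
    print(resolve_ca_path(bundle, "./Dell/networking"))
    print(resolve_ca_path(bundle, "./Dell"))
    print(trust_summary(build_ssl_context()))
```

Running it shows the second resolution escaping the project root with a leading `..`, which is exactly the failure described for ./Dell/ome_config.yml.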