#Unable to authenticate using certificates with ansible


urban parcel
#

I followed this article:

https://netapp.io/2020/06/25/cert4uid-pswd/

So I created the openssl cert with the following:

```
openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout ansible.key -out ansible.pem -subj "/C=CA/ST=ON/L=Toronto/O=TI/CN=Cert_user"
```

Then I installed the cert using a user called Ansible on the Filer-side - my yaml looks like the following (was working before using hard-coded user/password):

```yaml
- hosts: localhost
  gather_facts: false
  vars_files:
    - create-igroup.vars
  collections:
    - netapp.ontap

  tasks:
    - name: Create iGroup
      na_ontap_igroup:
        state: present
        hostname: "{{ PRI_CLU }}"
        cert_filepath: ansible.pem
        key_filepath: ansible.key
        name: "{{ IGROUP_NAME }}"
        vserver: "{{ PRI_SVM }}"
        initiator_group_type: iscsi
        ostype: "{{ OS_TYPE }}"
        initiator: "{{ IQN }}"
        https: true
        validate_certs: false
```

Previously the playbook worked using hardcoded username/password but now I'm getting the following error:

```
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: netapp_lib.api.zapi.zapi.NaApiError: NetApp API failed. Reason - 401:Unauthorized
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error fetching igroup info test: NetApp API failed. Reason - 401:Unauthorized"}
```


snow cove
#

Is there a login account created for "cert_user" and provided http and ontapi application access?

```
security login show -vserver ontap_cluster_1 -user-or-group-name cert_user
```

urban parcel
#

```
security login show -vserver q-mars -user-or-group-name ansible

Vserver: q-mars
                                                          Second
User/Group              Authentication             Acct   Authentication
Name        Application Method         Role Name   Locked Method
ansible     http        cert           admin       -      none
ansible     ontapi      cert           admin       -      none
2 entries were displayed.
```

#

Sorry, meant to add a comment above that - so the cert was added and client-ca authorized as per the article so I'm at a little bit of a loss. The playbook and the pem/key files are in the same folder as the playbook and the previous run of the same playbook using hardcoded user/pass worked so I know the playbook functions and that the host can communicate with the Filer.

drifting kite
#

If the user name is "ansible", this is what you need to use when creating the certificate. Here you have "Cert_user".

The blog is a bit inconsistent, though David added this warning:

> For the CN=cert_user this needs to be the user that will be connecting, so for admin again it would be CN=admin.
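A pre-flight check for the mismatch identified in the answer above, as an added example that is not part of the thread or of NetApp's code: it reads the certificate's CN, compares it with the ONTAP login name, and confirms that the key file belongs to the certificate. The function names are hypothetical, the sample certificate is constructed with the thread's `openssl req` options, and the exact (case-sensitive) comparison is an assumption chosen to be strict.

```shell
#!/bin/sh
# Added example: checks to run before pointing cert_filepath/key_filepath at ONTAP.

# Print the subject commonName (CN) of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Succeed only if the certificate CN equals the ONTAP login name.
# Exact, case-sensitive comparison is an assumption made here to be strict.
check_cert_user() {   # usage: check_cert_user <cert.pem> <ontap-user>
    cn=$(cert_cn "$1")
    if [ "$cn" = "$2" ]; then
        echo "OK: CN=$cn matches ONTAP user '$2'"
    else
        echo "MISMATCH: CN='$cn' but ONTAP user is '$2'" >&2
        return 1
    fi
}

# Succeed only if the private key belongs to the certificate (same public key).
check_key_pair() {    # usage: check_key_pair <cert.pem> <key.pem>
    [ "$(openssl x509 -in "$1" -pubkey -noout)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Constructed sample: self-signed pair built with the thread's openssl options.
make_demo_cert() {    # usage: make_demo_cert <dir> <cn>
    openssl req -x509 -nodes -days 1095 -newkey rsa:2048 \
        -keyout "$1/ansible.key" -out "$1/ansible.pem" \
        -subj "/C=CA/ST=ON/L=Toronto/O=TI/CN=$2" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir" Cert_user
# The thread's situation: certificate issued for Cert_user, login named ansible.
check_cert_user "$demo_dir/ansible.pem" ansible || true
check_key_pair "$demo_dir/ansible.pem" "$demo_dir/ansible.key" &&
    echo "OK: key matches certificate"
rm -rf "$demo_dir"
```

Regenerating the certificate with `CN=ansible` makes `check_cert_user` pass for the `ansible` login shown in the `security login show` output.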