#ssl generate-csr


nocturne shore
#

I'm trying to create a CSR with the following playbook:

- name: Create SSL CSR
  netapp.ontap.na_ontap_security_certificates:
    <<: *auth
    vserver: "thuis"
    type: server
    common_name: "thuis.home.nl"
    country: "NL"
    state: "Zuid-Holland"
    locality: "Den Haag"
    organization: "Somewhere at work"
    size: 4096
    hash_function: SHA256
    action: generate_csr
  register: csr_result

When I run this playbook I get:
fatal: [localhost]: FAILED! => changed=false
msg: 'value of state must be one of: present, absent, got: Zuid-Holland'

Also I'm missing '-dns-name' in this module?

uneven jackal
#

@nocturne shore You can try the below mentioned task,
- name: Generate CSR with all parameters
  tags: generate_csr_full
  na_ontap_command:
    command: "security certificate generate-csr -common-name {{ ontap_cert_common_name }} -size 2048 -country US -state CA -locality Sunnyvale -organization NetApp -unit IT -email-addr admin@netapp.com -hash-function SHA256 -dns {{ ontap_cert_common_name }}.domain.com"
    privilege: 'admin'
  register: full_csr

- name: Extract CSR from output
  tags: generate_csr_full
  set_fact:
    generated_csr: "{{ full_csr.msg | regex_search('-----BEGIN CERTIFICATE REQUEST-----[\\s\\S]*-----END CERTIFICATE REQUEST-----') }}"
nocturne shore
#

Already tried this, with the following outcome:
csr_result:
changed: true
failed: false
msg: '<results xmlns="http://www.netapp.com/filer/admin" status="passed"><cli-output>Error: invalid argument "-vserver"</cli-output><cli-result-value>0</cli-result-value></results>'
warnings:
- The module only supports ZAPI and is deprecated, and will no longer work with newer versions of ONTAP when ONTAPI is deprecated in CY22-Q4
- netapp.ontap.na_ontap_rest_cli should be used instead.
- 'With version 22.0.0 ONTAPI (ZAPI) has been deprecated. The final ONTAP version to support ZAPI is ONTAP 9.13.1. ZAPI calls in these modules will continue to work for ONTAP versions that supports ZAPI. You can update your playbook to use REST by adding use_rest: always to your playbook. More information can be found at: https://github.com/ansible-collections/netapp.ontap'

uneven jackal
#

@nocturne shore Which version are you using?

uneven jackal
#

@nocturne shore Could you please share the complete snippet which you ran.

nocturne shore
#
- name: log a message
  debug:
    msg: "20: Tonny was here"

- name: Create SSL CSR
  netapp.ontap.na_ontap_command:
    <<: *auth
    command: "security certificate generate-csr
      -vserver thuis
      -type server
      -common-name thuis.home.nl
      -size 4096
      -hash-function SHA256
      -country NL
      -state Zuid-Holland
      -locality Amsterdam
      -dns-name thuis.home.nl"
    # use_rest:
  register: csr_result

- name: Show CSR
  debug:
    var: csr_result

Result:
ok: [localhost] =>
msg: '20: Tonny was here'

[WARNING]: The module only supports ZAPI and is deprecated, and will no longer work with newer versions of ONTAP when ONTAPI is deprecated in CY22-Q4
[WARNING]: netapp.ontap.na_ontap_rest_cli should be used instead.
[WARNING]: With version 22.0.0 ONTAPI (ZAPI) has been deprecated. The final ONTAP version to support ZAPI is ONTAP 9.13.1. ZAPI calls in these
modules will continue to work for ONTAP versions that supports ZAPI. You can update your playbook to use REST by adding use_rest: always to your
playbook. More information can be found at: https://github.com/ansible-collections/netapp.ontap
changed: [localhost]

ok: [localhost] =>
csr_result:
changed: true
failed: false
msg: <results xmlns="http://www.netapp.com/filer/admin" status="passed"><cli-output/><cli-result-value>0</cli-result-value></results>
warnings:
- The module only supports ZAPI and is deprecated, and will no longer work with newer versions of ONTAP when ONTAPI is deprecated in CY22-Q4
- netapp.ontap.na_ontap_rest_cli should be used instead.
- 'With version 22.0.0 ONTAPI (ZAPI) has been deprecated. The final ONTAP version to support ZAPI is ONTAP 9.13.1. More information can be found at: https://github.com/ansible-collections/netapp.ontap'

#

Netapp OS: 9.14.1P11
ansible collections:
netapp.cloudmanager 21.24.0
netapp.ontap 22.14.0
netapp.storagegrid 21.14.0
netapp_eseries.santricity 1.4.1
netapp.elementsw 21.7.0
netapp.um_info 21.8.1
