Open
SUMMARY
After upgrading py39-hvac from 1.2.1 to 2.0.0, vault modules fail with requests.exceptions.SSLError due to CERTIFICATE_VERIFY_FAILED.
ISSUE TYPE
- Bug Report
COMPONENT NAME
hvac
ANSIBLE VERSION
ansible [core 2.15.6]
python version = 3.9.18 (main, Oct 19 2023, 22:57:51) [Clang 14.0.5 (https://github.com/llvm/llvm-project.git llvmorg-14.0.5-0-gc1238 (/usr/local/bin/python3.9)
jinja version = 3.1.2
libyaml = True
COLLECTION VERSION
7.5.0
CONFIGURATION
OS / ENVIRONMENT
FreeBSD 13
STEPS TO REPRODUCE
Set variables in context of vault module or lookup:
ansible_hashi_vault_auth_method: token
ansible_hashi_vault_token: ...
ansible_hashi_vault_url: https://...
ansible_hashi_vault_ca_cert: /etc/ssl/certs  # FreeBSD trust store: a directory of hashed certs, including the custom CA required for the vault URL.
Try accessing vault via any vault module.
EXPECTED RESULTS
It works. Preferably it should work even without ansible_hashi_vault_ca_cert, since /etc/ssl/certs is the system trust store.
ACTUAL RESULTS
The underlying python requests module fails to verify the HTTPS server, despite the CA existing in the system's trust store (hvac 1.2.1), and despite ansible_hashi_vault_ca_cert pointing it to the system trust store explicitly (hvac 2.0.0).
fatal: [localhost]: FAILED! =>
msg: 'An unhandled exception occurred while running the lookup plugin ''community.hashi_vault.vault_kv2_get''. Error was a <class ''requests.exceptions.SSLError''>, original message: HTTPSConnectionPool(host=''_redacted_'', port=_redacted_): Max retries exceeded with url: /v1/_redacted_ (Caused by SSLError(SSLCertVerificationError(1, ''[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1134)''))). HTTPSConnectionPool(host=''_redacted_'', port=_redacted_): Max retries exceeded with url: /v1/_redacted_ (Caused by SSLError(SSLCertVerificationError(1, ''[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1134)'')))'
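A diagnostic to run on the affected host before digging into hvac, added here as an example (it is not code from hvac, community.hashi_vault or the reporter). It reproduces the branch requests takes in `HTTPAdapter.cert_verify()` for a `verify` value (False, True, a CA file, or a CA directory), which is what a CA path handed down through the Vault client ultimately has to satisfy, and checks whether a directory is actually usable as an OpenSSL CApath: OpenSSL only opens files named `<8 hex digits>.<n>` as produced by `c_rehash`/`openssl rehash`, so a directory holding only `something.pem` silently verifies nothing. The two directories it builds, the file name `mycorp-ca.pem` and the hash `a1b2c3d4` are constructed for the demo; a real CApath would be `/etc/ssl/certs` itself.

```python
"""Diagnose how a CA path given to requests (and so to hvac, which calls
requests underneath) will actually be interpreted, and whether a directory
is a usable OpenSSL CApath.  Added example for this issue; not code from
hvac or community.hashi_vault.  The directories it builds are constructed
on the fly and the file names inside them are made up."""
import os
import re
import shutil
import ssl
import tempfile

# OpenSSL's CApath lookup only opens files named <8 hex digits>.<n>, the
# names produced by `c_rehash` / `openssl rehash`; anything else is ignored.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def classify_verify(verify):
    """Mirror the branch requests takes in HTTPAdapter.cert_verify():
    False -> no verification, True -> its bundled CA file, a string ->
    cafile if it is a regular file, capath if it is a directory.
    Returns (mode, path) instead of touching a connection object."""
    if verify is False:
        return ("insecure", None)
    if verify is True:
        return ("default_bundle", None)
    if not os.path.exists(verify):
        return ("missing", verify)          # requests raises OSError here
    if os.path.isdir(verify):
        return ("capath", verify)
    return ("cafile", verify)


def capath_hashed_entries(directory):
    """File names in `directory` that OpenSSL would consult as a CApath."""
    return sorted(n for n in os.listdir(directory) if HASHED_NAME.match(n))


def capath_is_rehashed(directory):
    """True if at least one hashed entry exists, i.e. the directory has been
    run through c_rehash and will work as capath.  A directory holding only
    foo.pem files is silently useless to OpenSSL's lookup."""
    return bool(capath_hashed_entries(directory))


def interpreter_default_trust():
    """Where this Python's OpenSSL looks by default.  Note that requests with
    verify=True does NOT use these; it uses certifi's bundle unless
    REQUESTS_CA_BUNDLE or CURL_CA_BUNDLE is set in the environment."""
    p = ssl.get_default_verify_paths()
    return {"cafile": p.cafile, "capath": p.capath,
            "openssl_cafile": p.openssl_cafile,
            "openssl_capath": p.openssl_capath}


def demo():
    """Build two constructed directories: one with only a PEM file (the way a
    hand-copied CA usually lands) and one that also carries a hashed name,
    then classify both the way requests/OpenSSL would."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        raw = os.path.join(root, "raw")
        rehashed = os.path.join(root, "rehashed")
        os.makedirs(raw)
        os.makedirs(rehashed)
        # Placeholder content; a real CA file would be a PEM certificate.
        for d in (raw, rehashed):
            with open(os.path.join(d, "mycorp-ca.pem"), "w") as fh:
                fh.write("-----BEGIN CERTIFICATE-----\n(placeholder)\n"
                         "-----END CERTIFICATE-----\n")
        # c_rehash would create <subject_hash>.0 -> mycorp-ca.pem; the hash
        # value used here is invented, not computed from the placeholder.
        shutil.copyfile(os.path.join(rehashed, "mycorp-ca.pem"),
                        os.path.join(rehashed, "a1b2c3d4.0"))
        for name, d in (("raw", raw), ("rehashed", rehashed)):
            mode, _ = classify_verify(d)
            results[name] = {"mode": mode,
                             "rehashed": capath_is_rehashed(d),
                             "hashed_entries": capath_hashed_entries(d)}
        results["missing"] = classify_verify(os.path.join(root, "nope"))[0]
    return results


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
    print("interpreter defaults:", interpreter_default_trust())
```

On the reporter's setup the two things worth checking with this are `capath_is_rehashed("/etc/ssl/certs")` (the directory really is a rehashed CApath, not just a pile of PEM files) and `interpreter_default_trust()` (whether the py39 OpenSSL build even lists `/etc/ssl/certs` as its default capath, since requests ignores those defaults anyway when `verify` is left at True).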