api_ca does not default to system cert bundle #468
Comments
Hi @nlvw and thanks for the issue. Unless mistaken, the client doesn't specify a path to a CA bundle at all (even a default one) when doing requests unless there is one provided via the configuration, so I would expect that to come from Python or the requests library. Out of curiosity, could you use pure Python requests to see if it also gets an SSL error? Something like this (replacing the demo URL with your own) should be sufficient:
For what it's worth, I am also running on Fedora and do not need to specify `api_ca` when using the demo, and it works with a Let's Encrypt cert. I know there's an env variable to set different bundle paths but that shouldn't be necessary.
@dmsimard I guess in your case it's not a self-signed certificate. As soon as you are using a self-signed certificate you have to give the path to the system CA bundle to the Python requests library, e.g. by simply setting REQUESTS_CA_BUNDLE.
And the paths differ between e.g. Ubuntu and Fedora. Thus it is hard to set a default there.
@hille721 I don't have bandwidth to try and reproduce right now, but we have a working integration test to validate that it works for self-signed certificates here: https://github.com/ansible-community/ara-collection/pull/57/files and it looks sufficient to specify api_ca. It hasn't run in a while but I will trigger it to get some fresh results.
I can try and investigate later, but in the meantime the job returned successfully: https://ansible.softwarefactory-project.io/zuul/build/50e09cec38da4fafbc5dc57136d8f1fe
Don't get me wrong. Don't see this as a bug or problem. We need to set REQUESTS_CA_BUNDLE not only for Ara but for all our Python tools in which the requests library is used, and we have a lot of them. Thus it is not a problem for me, and that's why I won't spend time on further investigation.
And just to clarify, we don't set any certificate / CA bundle in the Ara config, but ONLY the REQUESTS_CA_BUNDLE environment variable. So either you have to set api_ca in the Ara config, which will pass this to requests as
Using requests with a URL that is not self-signed:
Using requests with a self-signed certificate, won't work:
Simply set REQUESTS_CA_BUNDLE and it will work:
Tested with Fedora 36 and a virtual environment. Fun fact: if I'm not using a virtual environment but the system Python, it works without setting REQUESTS_CA_BUNDLE.
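The behaviour described in the comments above (an explicit `api_ca` works, `REQUESTS_CA_BUNDLE` works, and nothing else falls back to the OS trust store) follows from the order in which the requests library picks a CA bundle. The script below is an added example, not code from the ara project or from any commenter: it reproduces that precedence offline so you can predict which bundle a request would use on a given host, and reports it next to what the interpreter's OpenSSL build trusts. The distro bundle paths and the `<certifi-not-installed>` placeholder are assumptions; `certifi.where()`, `ssl.get_default_verify_paths()` and the `REQUESTS_CA_BUNDLE`/`CURL_CA_BUNDLE` variables are the real ones. To my knowledge the "fun fact" about the system Python is consistent with Fedora shipping its packaged certifi/requests patched to point at the system bundle, which a pip-installed copy inside a virtualenv does not have.

```python
"""Mirror how the requests library selects a CA bundle (runs offline).

Added example for the ara issue above; not ara's or requests' own code.
"""
import os
import ssl

# Typical OS trust-store bundles (assumption: well-known distro defaults).
SYSTEM_BUNDLE_CANDIDATES = (
    "/etc/pki/tls/certs/ca-bundle.crt",    # Fedora / RHEL / CentOS
    "/etc/ssl/certs/ca-certificates.crt",  # Debian / Ubuntu
)


def certifi_bundle_path():
    """Bundle a pip-installed requests uses for verify=True (certifi), or None."""
    try:
        import certifi
    except ImportError:
        return None
    return certifi.where()


# Placeholder label (assumption) used when certifi is not importable here.
DEFAULT_CA_BUNDLE_PATH = certifi_bundle_path() or "<certifi-not-installed>"


def resolve_ca_bundle(verify, environ, trust_env=True,
                      default_bundle=DEFAULT_CA_BUNDLE_PATH):
    """Return the bundle requests would hand to OpenSSL for one request.

    Precedence, as in Session.merge_environment_settings / HTTPAdapter.cert_verify:
      1. verify=<path>            (what ara's api_ca ends up as)  -> that path
      2. verify=True/None + trust_env: REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE
      3. otherwise the library's own certifi file, NOT the OS trust store
    verify=False disables verification; the env vars do not re-enable it.
    """
    if verify is False:
        return None
    if isinstance(verify, str):
        return verify
    if trust_env:
        env_bundle = environ.get("REQUESTS_CA_BUNDLE") or environ.get("CURL_CA_BUNDLE")
        if env_bundle:
            return env_bundle
    return default_bundle


def first_existing_system_bundle(candidates=SYSTEM_BUNDLE_CANDIDATES):
    """Return the first OS trust-store bundle present on this host, or None."""
    for path in candidates:
        if os.path.isfile(path):
            return path
    return None


def diagnose(environ=None):
    """Compare what requests would use with ara's defaults (api_ca unset, so
    verify=True) against what this interpreter's OpenSSL trusts by default."""
    environ = os.environ if environ is None else environ
    openssl_paths = ssl.get_default_verify_paths()
    would_use = resolve_ca_bundle(True, environ)
    system_bundle = first_existing_system_bundle()
    return {
        "requests_would_use": would_use,
        "openssl_default_cafile": openssl_paths.cafile or openssl_paths.openssl_cafile,
        "system_bundle": system_bundle,
        "REQUESTS_CA_BUNDLE": environ.get("REQUESTS_CA_BUNDLE"),
        # True only when requests' choice actually is the OS trust store.
        "uses_os_trust_store": would_use is not None and would_use == system_bundle,
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key:>24}: {value}")
```

Run it once inside the virtualenv and once with the system Python: when `uses_os_trust_store` is False and `api_ca` is unset, a server certificate issued by a private or self-signed CA will be rejected until that CA is placed in the bundle requests actually reads (the certifi file) or `REQUESTS_CA_BUNDLE`/`api_ca` is pointed at a bundle that contains it. Setting `verify=False` is deliberately shown as "no bundle" rather than as a fix.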
Yes, it's a common enough issue that I have seen with Python things before, but I had not noticed it with ara (yet?). I suppose since this is a known issue we should add a little something to the troubleshooting docs: https://github.com/ansible-community/ara/blob/master/doc/source/troubleshooting.rst I'll leave this issue open in the meantime.
What is the issue?
When using ARA 1.6.0 with an HTTPS API server the callback plugin will fail due to a certificate error. It seems like it is not checking the default cert bundle on the system (Fedora 37 in my case), as the following fixes the error:
Without `api_ca` the connection fails with:
What should be happening?
The default CA bundle trusted by the system should be used by default when `api_ca` is not specified.
Software Versions
Ansible = 7.1.0 (Core = 2.14)
OS = Fedora 37
Python = 3.11
ARA = 1.6.0
Install Source = pip