Ansible 2.0 VMware modules

Just getting started messing with these new 2.0 VMware modules and seem to be stuck on an SSL error. Anyone know how to get around this? Any info would be much appreciated.

fatal: [localhost -> localhost]: FAILED! => {"apierror": "[Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed", "changed": false, "failed": true, "msg": "Unable to connect to vCenter or ESXi API on TCP/443."}

Hi,

By default VMware uses a self-signed certificate for the vCenter web interface.

You could replace it with an official one that has a trust anchor your system can verify, or configure your play not to verify the certificate, if that is possible; I have never used that module myself.

Regards,
Marcus

Yup. I know about the default self-signed certificate, but I would assume that either the pyvmomi module and/or the Ansible documentation might explain how to get around this error, especially just for testing purposes. Thanks for the reply though.

We should add a validate_certs=yes|no option as we do in other modules.

Absolutely that would be the way to do this.

vsphere_copy already supports this, though we really should do it in the module_utils shared code.

vsphere_guest is based on pysphere and the ansible-extra-modules vmware modules are based on psphere (both of which are largely abandoned), but this PR for pyVmomi, which is supported by VMware, should work:
https://github.com/vmware/pyvmomi-community-samples/pull/213/files

A thing you could do, but shouldn't do for security reasons, is note from the error which site-packages directory it is failing in.
Then add the following to the bottom of the sitecustomize.py file therein:

    import ssl

    try:
        _create_unverified_https_context = ssl._create_unverified_context
    except AttributeError:
        # Legacy Python that doesn't verify HTTPS certificates by default
        pass
    else:
        # Handle target environment that doesn't support HTTPS verification
        ssl._create_default_https_context = _create_unverified_https_context

I am currently testing a PR for module_utils/vmware.py which adds 'validate_certs' as an argument.

I ran into a need for this today. How goes your testing? Need any help?

Thanks,

– Jess

Awesome... Looking forward to the outcome... I really do not want to hack any Python modules to make it work... but I understand if that is the only way short-term.

Looking forward to this patch!

For those testing VMware, I've added a few features to the vmware.py dynamic inventory which the ec2.py inventory comes with but were sorely missing in vmware.py:
instance_filters and --refresh-cache, plus a bug fix that allows cache_dir to be found.

https://github.com/ansible/ansible/pull/14136

If anyone is interested, I also added some hacky tag support by parsing the guest name and searching for specific tags that can be set in vmware.ini.
Then guests with correct names will be put into Ansible groups that can be mapped to roles in a vmware_hosts file.

I will make a separate PR for this if folks are interested, but it's sort of a hack until vsphere_guest supports tags. Right now it suggests that it has 'notes' but none showed up for me.

    def _get_vm_info(self, vm, prefix='vmware'):
        '''
        Return a flattened dict with info about the given virtual machine.
        '''
        vm_info = {
            'name': vm.name,
        }
        vm_info['class_tag'] = self._parse_name_for_server_class(vm.name)

    def _parse_name_for_server_class(self, guest_name):
        '''
        This is a hack to get around lack of support for tags.

        Embed the tag in the name and parse it to set the server class - worker, master, server
        Then map the simple group to the roles in the vmware_inventory/vmware_hosts file
        @param guest_name: name of vmware guest instance. Corresponds to guest field in vsphere_guest.
        '''
        # this could probably be read in from vmware.ini file but fine for now
        DEFINED_SERVER_CLASS_TAGS = ['master', 'server', 'worker', 'solutions']

        # first tag in the list that appears anywhere in the name wins
        for class_tag in DEFINED_SERVER_CLASS_TAGS:
            if class_tag in guest_name:
                return class_tag
        return None

And at the bottom of get_inventory():

        # Group by class_tag
        # vm can only be in one class
        vm_class_tag = vm_info.get('vmware_class_tag', None)
        if vm_class_tag:
            self._add_child(inv, vm_group, 'class_tag')
            self._add_child(inv, 'class_tag', vm_class_tag)
            self._add_host(inv, vm_class_tag, vm.name)
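The grouping logic above, rebuilt as a stand-alone script so it can be run without a vCenter. This is an added example, not the poster's patch or anything from ansible/ansible: the function names (class_tag_for_name, build_inventory, parse_tag_option), the constructed VM names, and the idea of reading the tag list from a vmware.ini option are all assumptions. It goes one step beyond the post in two places: tags are matched as whole '-', '_' or '.' separated tokens rather than substrings (so "webserver01" is not silently filed under "server"), and the result is emitted in the JSON shape an Ansible dynamic inventory script prints, including a vmware_class_tag hostvar.

```python
"""Group VMware guests into Ansible groups by a class tag embedded in the name.

Added example (not the original poster's code). Assumes the tag list comes
either from a hard-coded default or from a comma-separated vmware.ini option.
"""
import json
import re

# Same priority-ordered tag list as the post; first matching tag wins.
DEFAULT_CLASS_TAGS = ["master", "server", "worker", "solutions"]

# Constructed sample guest names; not taken from any real inventory.
SAMPLE_VM_NAMES = [
    "k8s-master-01",
    "k8s-worker-01",
    "k8s-worker-02",
    "solutions-server-02",
    "webserver01",   # 'server' is only a substring here: must NOT be grouped
    "jumpbox",       # no tag at all
]


def parse_tag_option(value, default=DEFAULT_CLASS_TAGS):
    """Parse a comma-separated tag list, e.g. 'class_tags = master,server'
    read from vmware.ini (assumed option name). Empty -> default list."""
    if not value or not value.strip():
        return list(default)
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def class_tag_for_name(guest_name, tags=DEFAULT_CLASS_TAGS):
    """Return the first tag (in priority order) present as a whole token
    of guest_name, or None. Tokens are split on '-', '_' and '.'."""
    tokens = set(re.split(r"[-_.]", guest_name.lower()))
    for tag in tags:
        if tag in tokens:
            return tag
    return None


def build_inventory(vm_names, tags=DEFAULT_CLASS_TAGS, vm_group="vmware_guests"):
    """Build the dict an Ansible dynamic inventory script prints as JSON:
    vm_group -> class_tag -> <tag> group, plus _meta hostvars per guest."""
    inv = {
        vm_group: {"hosts": [], "children": ["class_tag"]},
        "class_tag": {"hosts": [], "children": []},
        "_meta": {"hostvars": {}},
    }
    for name in vm_names:
        inv[vm_group]["hosts"].append(name)
        tag = class_tag_for_name(name, tags)
        # Mirrors the flattened 'vmware_' prefixed keys of the inventory script.
        inv["_meta"]["hostvars"][name] = {"vmware_name": name, "vmware_class_tag": tag}
        if tag is None:
            continue  # a VM can be in at most one class; untagged stays ungrouped
        if tag not in inv["class_tag"]["children"]:
            inv["class_tag"]["children"].append(tag)
        inv.setdefault(tag, {"hosts": []})["hosts"].append(name)
    return inv


if __name__ == "__main__":
    print(json.dumps(build_inventory(SAMPLE_VM_NAMES), indent=2))
```

One caveat worth keeping in mind with this scheme, whether the post's version or this one: group membership is decided by the guest name, so anyone who can rename a VM in vCenter can move it into the "master" group and receive whatever that role deploys. Treat the vmware.ini tag list as a filter on which groups exist, not as a control on who joins them.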

I've added a skip_ssl argument to module_utils/vmware.py. Perhaps that's not the best implementation...

https://github.com/kamsz/ansible

Where do you suggest adding validate_certs=false? It wasn’t obvious to me

My PR for validate_certs was merged to the master branch (https://github.com/ansible/ansible/pull/14261). I suggest using devel, as it's already reviewed and merged (add validate_certs=false as a param for the module you're using).
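For readers weighing the sitecustomize.py patch quoted earlier against the per-module validate_certs parameter that was merged: the following is an added example, not code from the thread, from ansible/ansible or from pyVmomi. It shows the per-connection equivalent of what validate_certs does, next to the global monkeypatch it replaces, and adds a SHA-256 fingerprint pin for the case where vCenter still has its self-signed certificate and no trust anchor is available. Assumptions: the function names (make_ssl_context, connect_vcenter, fetch_peer_cert_der, fingerprint_matches) are mine; pyVim.connect.SmartConnect is imported lazily and assumed to be pyVmomi 6.0 or later, where the sslContext keyword exists; the certificate bytes used in the offline check are constructed, not a real certificate.

```python
"""Per-connection TLS policy for the vSphere API (added example).

The sitecustomize.py trick replaces ssl._create_default_https_context for
every HTTPS client in the interpreter. Doing it per connection keeps the
blast radius to one SmartConnect call and lets a fingerprint pin stand in
for a trust anchor while vCenter still has its self-signed certificate.
"""
import hashlib
import hmac
import socket
import ssl


def make_ssl_context(validate_certs=True):
    """validate_certs=True  -> normal verifying context (system CA store,
    hostname check). validate_certs=False -> unverified context for this
    connection only; nothing global is patched."""
    if validate_certs:
        return ssl.create_default_context()
    return ssl._create_unverified_context()


def describe_context(ctx):
    """Small introspection helper so the policy can be checked offline."""
    return {
        "verifies": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER certificate, colon-separated like
    'openssl x509 -fingerprint -sha256'."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_bytes, expected):
    """Constant-time comparison; accepts upper/lower case with or without colons."""
    def norm(s):
        return s.replace(":", "").lower()
    return hmac.compare_digest(norm(cert_fingerprint(der_bytes)), norm(expected))


def fetch_peer_cert_der(host, port=443, timeout=10):
    """Pull the server's leaf certificate (DER) over an unverified TLS handshake
    so it can be compared against a pin. Network call; not run by the test."""
    ctx = ssl._create_unverified_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def connect_vcenter(host, user, pwd, validate_certs=True, pinned_fingerprint=None):
    """Connect with pyVmomi. With validate_certs=False, require a pin unless
    the caller explicitly passes none (pure skip, as the module option does)."""
    from pyVim.connect import SmartConnect  # assumption: pyVmomi >= 6.0 (sslContext kw)

    if not validate_certs and pinned_fingerprint is not None:
        if not fingerprint_matches(fetch_peer_cert_der(host), pinned_fingerprint):
            raise ssl.SSLError("vCenter %s presented an unexpected certificate" % host)
    return SmartConnect(host=host, user=user, pwd=pwd,
                        sslContext=make_ssl_context(validate_certs))
```

The pin check above uses a separate handshake from the one SmartConnect opens, so it is a lookup, not a binding; pyVmomi's own SmartConnect(thumbprint=...) keyword (SHA-1, colon form) verifies the thumbprint on the same connection and is the better choice where the version you run supports it. Either way, record the fingerprint out of band (from the vCenter console or the appliance shell), never from the first error message the play prints.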

Curious if anyone else has had luck with this in devel? I get "unsupported parameter for module: validate_certs"

    - name: Add ESXi host to vCenter
      local_action:
        module: vmware_host
        hostname: "{{ vcenter }}"
        username: administrator@vsphere.local
        password: xxxx
        datacenter_name: "{{ dc }}"
        cluster_name: "{{ cl }}"
        esxi_hostname: "{{ esxi }}"
        esxi_username: xxxx
        esxi_password: xxxx
        state: present
        validate_certs: false

I’ve just cloned and installed from devel - works for me.

With vmware_host or another module?

I’ve copied the playbook you’ve pasted, modified credentials and it works.

Thanks! Really appreciate it, I’ll poke at my local environment more.