Connection error: HTTPSConnectionPool(host='192.168.X.X', port=443

Hello All,

I’m using the NetApp simulator along with trying to test out Ansible playbooks. I don’t have a custom SSL certificate; I just use the self-signed one.

If I put the following within the playbook or a variable, I still receive the error below:

https_option: false

validate_certs_option: false

fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "None: Connection error: HTTPSConnectionPool(host='192.168.X.X', port=443): Max retries exceeded with url: /api/cluster?fields=version (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate

It doesn’t matter what I do; the ansible script I run still wants to check the SSL certificate.

[admin@RHEL9-AWX ~]$ pip --version
pip 21.2.3 from /usr/lib/python3.9/site-packages/pip (python 3.9)

[admin@RHEL9-AWX ~]$ ansible --version
ansible [core 2.14.9]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/admin/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.9/site-packages/ansible
  ansible collection location = /home/admin/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.9.18 (main, Jan  4 2024, 00:00:00) [GCC 11.4.1 20230605 (Red Hat 11.4.1-2)] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True
---
collections:
- name: netapp.ontap
  version: '21.6.0'
- name: ansible.utils

How do I get past this dang annoying issue? This is the only item preventing me from running the playbook.

Hello.

Could you tell us a playbook you wrote to help us understand the problem?

@akira6592 Would you want just a snippet of the beginning of the playbook where the section called out the https and cert validation? I ask because the playbook is long.

@akira6592 Here is the beginning of the playbook where the problem is occurring:

---
- hosts: localhost
  gather_facts: false
  name: NetApp SVM Setup
  vars_files:
  - variables-1.yml
  vars:
    login: &login
     hostname: "{{ clusterip }}"
     username: "{{ user }}"
     password: "{{ pass }}"
     validate_certs: false
  tasks:
  - name: Create SVM
    na_ontap_svm:
      state: present
      name: "{{ svmname }}"
      root_volume: "{{ rootvolname }}"
      root_volume_aggregate: "{{ rootvolaggr }}"
      root_volume_security_style: "{{ rootvolsecurity }}"
      aggr_list: "{{ allowedaggrs }}"
      allowed_protocols: "{{ allowedprotocols }}"
      hostname: "{{ clusterip }}"
      username: "{{ user }}"
      password: "{{ pass }}"

These variables no longer apply since I don’t have them within the playbook any longer as variables, but they are what I originally used below:

# Cluster Login
clusterip: '{{ hostname }}'
user: '{{ user }}'
pass: '{{ pass }}'
https_option: true
validate_certs_option: true

---
- hosts: localhost
  gather_facts: false
  name: NetApp SVM Setup
  vars_files:
  - variables.yml
  vars:
    login: &login
     hostname: "{{ clusterip }}"
     username: "{{ user }}"
     password: "{{ pass }}"
     https: "{{ https_option }}"
     validate_certs: "{{ validate_certs_option }}"

Is the YAML anchor &login used in the playbook as an alias?

It seems the snippet does not apply validate_certs: false.

@akira6592 The anchor is not used as an alias. What do you mean it doesn’t apply validate_certs: false?

@marshit

If not applied (used) anywhere, then the validate_certs option in the na_ontap_svm module would default to true.

Therefore, it is necessary to explicitly specify validate_certs: false as an option in the module.

  - name: Create SVM
    na_ontap_svm:
      state: present
      name: "{{ svmname }}"
      root_volume: "{{ rootvolname }}"
      root_volume_aggregate: "{{ rootvolaggr }}"
      root_volume_security_style: "{{ rootvolsecurity }}"
      aggr_list: "{{ allowedaggrs }}"
      allowed_protocols: "{{ allowedprotocols }}"
      hostname: "{{ clusterip }}"
      username: "{{ user }}"
      password: "{{ pass }}"
      validate_certs: false    # here
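
The point made in the reply above, as an added example that is not part of the original post or of the netapp.ontap collection: a stdlib-only Python check that lists YAML anchors no alias references and reports, per `na_ontap_*` task, whether `validate_certs` is set inline, merged from an alias, or left at the collection default. The sample playbook is constructed from the thread's first snippet, the function names are hypothetical, and `module_defaults` is not examined.

```python
import re

# Constructed sample, condensed from the first playbook in this thread:
# the &login anchor is defined but never merged into the task.
PLAYBOOK = '''\
- hosts: localhost
  vars:
    login: &login
     hostname: "{{ clusterip }}"
     validate_certs: false
  tasks:
  - name: Create SVM
    na_ontap_svm:
      state: present
      hostname: "{{ clusterip }}"
'''

TASK = re.compile(r"^\s*- name:\s*(.+?)\s*$")
MODULE = re.compile(r"^(\s+)(?:netapp\.ontap\.)?na_ontap_\w+:\s*$")
ANCHOR = re.compile(r"[:-]\s+&([\w-]+)\s*$")
ALIAS = re.compile(r"[:-]\s+\*([\w-]+)\s*$")

def unused_anchors(text):
    """Block anchors (&name) that no alias (*name) ever references."""
    lines = text.splitlines()
    defined = {m.group(1) for l in lines if (m := ANCHOR.search(l))}
    used = {m.group(1) for l in lines if (m := ALIAS.search(l))}
    return sorted(defined - used)

def cert_setting_source(text):
    """Map each na_ontap_* task to where its validate_certs value comes from."""
    result, name, indent = {}, None, None
    for line in text.splitlines():
        depth = len(line) - len(line.lstrip())
        if m := TASK.match(line):
            name, indent = m.group(1), None
        elif name and (m := MODULE.match(line)):
            indent = len(m.group(1))
            result[name] = "collection default (true)"
        elif indent is not None and line.strip():
            if depth <= indent:
                indent = None  # left the module's option block
            elif line.strip().startswith("validate_certs:"):
                result[name] = "inline"
            elif m := ALIAS.search(line):
                result[name] = "merged from *" + m.group(1)
    return result

if __name__ == "__main__":
    print(unused_anchors(PLAYBOOK), cert_setting_source(PLAYBOOK))
```
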

@akira6592 I understand what you mean a little better, so I’m now using the &login variable.

---
- hosts: localhost
  gather_facts: false
  name: NetApp SVM Setup
  vars_files:
  - variables-1.yml
  vars:
    login: &login
     hostname: "{{ clusterip }}"
     username: "{{ user }}"
     password: "{{ pass }}"
     https: "{{ https_option }}"
     validate_certs: "{{ validate_certs_option }}"
     use_rest: always

  tasks:
  - name: Create SVM
    na_ontap_svm:
      state: present
      name: "{{ svmname }}"
      root_volume: "{{ rootvolname }}"
      root_volume_aggregate: "{{ rootvolaggr }}"
      root_volume_security_style: "{{ rootvolsecurity }}"
      aggr_list: "{{ allowedaggrs }}"
      allowed_protocols: "{{ allowedprotocols }}"
      <<: *login
  - name: Start NFS
    na_ontap_nfs:
      state: present
      service_state: started
      vserver: "{{ svmname }}"
      nfsv3: enabled
      <<: *login

@akira6592 I’m past the SSL error now, but for some odd reason I now receive this error - [WARNING]: Collection netapp.ontap does not support Ansible version 2.12.5.post0

Which is strange because per the requirements for 22.9.0 of NetApp module (ontap.netapp) I’m at python 3.9 and ansible 2.15.x and I still seem to not be able to run all playbooks, only certain modules will work.

The below requirements are needed on the host that executes this module.

  • Ansible 2.9 or later - 2.12 or later is recommended.
  • Python3 - 3.9 or later is recommended.
  • When using ZAPI, netapp-lib 2018.11.13 or later (install using ‘pip install netapp-lib’), netapp-lib 2020.3.12 is strongly recommended as it provides better error reporting for connection issues
  • a physical or virtual clustered Data ONTAP system, the modules support Data ONTAP 9.1 and onward, REST support requires ONTAP 9.6 or later.

I’m only able to run most playbooks if I specifically put version 21.6.0 within my requirements.yml file. I don’t really understand why that is happening.

@marshit

FYI. You can also use Module default group without using YAML anchor and alias.

For netapp.ontap collection, the group name is netapp_ontap (netapp.ontap.netapp_ontap).

---
- hosts: localhost
  gather_facts: false
  name: NetApp SVM Setup
  vars_files:
  - variables-1.yml

  module_defaults:
    group/netapp.ontap.netapp_ontap:
      hostname: "{{ clusterip }}"
      username: "{{ user }}"
      password: "{{ pass }}"
      https: "{{ https_option }}"
      validate_certs: "{{ validate_certs_option }}"
      use_rest: always

  tasks:
  - name: Create SVM
    na_ontap_svm:
      state: present
      name: "{{ svmname }}"
      root_volume: "{{ rootvolname }}"
      root_volume_aggregate: "{{ rootvolaggr }}"
      root_volume_security_style: "{{ rootvolsecurity }}"
      aggr_list: "{{ allowedaggrs }}"
      allowed_protocols: "{{ allowedprotocols }}"

  - name: Start NFS
    na_ontap_nfs:
      state: present
      service_state: started
      vserver: "{{ svmname }}"
      nfsv3: enabled

Please select your preferred method :grinning:

@akira6592 I tried that but I still keep getting this error now:

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: netapp_lib.api.zapi.zapi.NaApiError: NetApp API failed. Reason - Unable to connect:(ConnectionRefusedError(111, 'Connection refused'),)
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/usr/lib64/python3.8/urllib/request.py\", line 1354, in do_open\n    h.request(req.get_method(), req.selector, req.data, headers,\n  File \"/usr/lib64/python3.8/http/client.py\", line 1256, in request\n    self._send_request(method, url, body, headers, encode_chunked)\n  File \"/usr/lib64/python3.8/http/client.py\", line 1302, in _send_request\n    self.endheaders(body, encode_chunked=encode_chunked)\n  File \"/usr/lib64/python3.8/http/client.py\", line 1251, in endheaders\n    self._send_output(message_body, encode_chunked=encode_chunked)\n  File \"/usr/lib64/python3.8/http/client.py\", line 1011, in _send_output\n    self.send(msg)\n  File \"/usr/l…

I can access the system just fine and SSH directly to the appliance. I wonder if I need to change my bindep.txt file to everything 3.9?

findutils [compile platform:centos-8 platform:rhel-8]
gcc [compile platform:centos-8 platform:rhel-8]
make [compile platform:centos-8 platform:rhel-8]
python38-devel [compile platform:centos-8 platform:rhel-8]
python38-cffi [platform:centos-8 platform:rhel-8]
python38-cryptography [platform:centos-8 platform:rhel-8]
python38-pycparser [platform:centos-8 platform:rhel-8]

@marshit

The error message seems to be omitted.

self.send(msg)\n  File \"/usr/l…

Anyway, a Python 3.9 or higher environment will have less trouble.

I changed these options to true/false and it seemed to have got me past the connection error:

 https: "{{ https_option }}"
 validate_certs: "{{ validate_certs_option }}"

This is interesting because I’m pretty sure I changed that before, but maybe at that point there was some other issue.

I also made sure my requirements.yml file had version 22.9.0 of netapp.ontap. I think this ticket can be closed.

@marshit Thank you for reporting.
I am glad you were able to resolve the issue.