SSL: DH_KEY_TOO_SMALL in ACI module

Hi,

I ran into an issue after updating to Ansible 2.8.5 (in AWX 9.1.1)

This used to work in the previous version (Ansible 2.8.1, AWX 6.0.0.0)

I fixed some issues from the Python 2 to 3 move, but this one eludes me.

I’m trying to create a Bridge Domain here.

I can provide extra info tomorrow as the networking guys who maintain this project are already gone. So if you need any extra info please ask.

{
    "msg": "Connection failed for https://host.name/api/mo/uni/tn-VALUE/BD-BD_000_ACI_test.json. Request failed: <urlopen error [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:877)>",
    "changed": false,
    "invocation": {
        "module_args": {
            "hostname": "host.name",
            "username": "cw-user",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "bd": "BD_000_ACI_test",
            "arp_flooding": true,
            "l3_unknown_multicast": "flood",
            "enable_routing": true,
            "vrf": "VALUE",
            "tenant": "VALUE",
            "l2_unknown_unicast": "flood",
            "state": "present",
            "validate_certs": false,
            "host": "host.name",
            "output_level": "normal",
            "timeout": 30,
            "use_proxy": true,
            "use_ssl": true,
            "port": null,
            "private_key": null,
            "certificate_name": null,
            "bd_type": null,
            "description": null,
            "enable_multicast": null,
            "endpoint_clear": null,
            "endpoint_move_detect": null,
            "endpoint_retention_action": null,
            "endpoint_retention_policy": null,
            "igmp_snoop_policy": null,
            "ip_learning": null,
            "ipv6_nd_policy": null,
            "limit_ip_learn": null,
            "mac_address": null,
            "multi_dest": null,
            "gateway_ip": null,
            "scope": null,
            "subnet_mask": null,
            "protocol": "https"
        }
    },
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "_ansible_no_log": false
}

Hi All,

I found out how to test some things; it turns out there is indeed a certificate with a vulnerable DH key.
So this issue is solved.

  • Ben

The solution for me was to increase the size of the HTTPS DH Param setting from the default (1024) to 2048 on the ACI APIC controller.
This setting is found under Fabric Policies > Policies > Pod > Management Access > default.
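The DH_KEY_TOO_SMALL error above is raised by the client's OpenSSL security level (the RHEL 8 crypto policy behind /usr/libexec/platform-python rejects ephemeral DH groups shorter than 2048 bits), so the defender-side check is to read the group size the APIC actually sends. The script below is an added example, not code from this thread or from Ansible; it assumes an OpenSSL 1.1.0 or newer client whose `s_client` prints the "Server Temp Key:" line, and the hostnames in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): report the ephemeral DH group size a
# TLS server negotiates and flag anything below the 2048-bit minimum that
# modern OpenSSL security levels / RHEL 8 crypto policies enforce.
MIN_DH_BITS=2048

# Read "openssl s_client" output on stdin and print the DH group size in bits
# from the "Server Temp Key: DH, <n> bits" line, or "none" if no DHE key
# exchange was negotiated (e.g. ECDHE or TLS 1.3 was used instead).
dh_bits_from_sclient() {
    awk '/^Server Temp Key: DH,/ { print $5; found = 1 }
         END { if (!found) print "none" }'
}

# Classify a group size: 0 = acceptable, 1 = too small (the DH_KEY_TOO_SMALL
# case from the thread), 2 = no DH group was used at all.
check_dh_bits() {
    bits="$1"
    [ "$bits" = "none" ] && return 2
    [ "$bits" -ge "$MIN_DH_BITS" ] && return 0
    return 1
}

# Probe a live host. The cipher string forces a DHE suite so the server sends
# its DH group, and @SECLEVEL=0 lets this probing client complete the handshake
# even against a 1024-bit group, so the size can be reported instead of the
# connection failing with the same DH_KEY_TOO_SMALL error the module showed.
# Assumption: host/port are placeholders supplied by the caller.
probe_host() {
    host="$1"; port="${2:-443}"
    printf '' | openssl s_client -connect "$host:$port" -cipher 'DHE:@SECLEVEL=0' 2>/dev/null \
        | dh_bits_from_sclient
}

# Usage after changing the APIC "HTTPS DH Param" setting to 2048:
#   bits=$(probe_host apic.example.test); check_dh_bits "$bits" && echo "DH group OK ($bits bits)"
```

A result of `none` does not mean the server is fixed; it means the server refused every DHE suite, so re-run without the cipher restriction to see what it does negotiate.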