Vmware deploy ovf Authenticity of the host's SSL certificate is not verified

I use ansible version ansible [core 2.17.3]
and the community.vmware collection version 4.5.0

I want to deploy an OVF from an HTTPS URL.
I already found out that I had to open incoming httpclient 443.
But now I get "Authenticity of the host's SSL certificate is not verified".
I tried different OVAs. Local deployment with ovf works well.
Remote deployment with Terraform is also working.

The validate_certs: false part only works for the vCenter part. The environment variable VMWARE_VALIDATE_CERTS is also not working.
Is there a solution without importing all certificates?


  - hosts: all
    gather_facts: no
    collections:
      - community.vmware
    vars:
      vcenter_hostname: vc02.contoso.local
      vcenter_username: admin
      vcenter_password: supersecretpassword
      #ansible_python_interpreter: /usr/bin/python3
    tasks:
      - name: vmware ovf deploy
        community.vmware.vmware_deploy_ovf:
          validate_certs: false
          datacenter: Datacenter1
          #cluster: "Cluster1"
          esxi_hostname: esxdc1-1.contoso.local
          datastore: "VMFS-ESX-DC1-A"
          networks: {"VM-Network": "FRONTEND"}
          hostname: '{{ vcenter_hostname }}'
          username: '{{ vcenter_username }}'
          password: '{{ vcenter_password }}'
          url: "https://cloud-images.ubuntu.com/releases/xenial/release/ubuntu-16.04-server-cloudimg-amd64.ova"
          #ovf: /tmp/ubuntu-16.04-server-cloudimg-amd64.ova
          #wait_for_ip_address: true
        delegate_to: localhost
        environment:
          VMWARE_VALIDATE_CERTS: false

Could you run ansible with -vvv and show us the error message? This might help to analyze the problem.

Sounds like maybe they’re behind a firewall and cloud-images.ubuntu.com isn’t trusted because it’s been re-signed by the firewall CA (deep-packet-inspection), and the module is failing to validate the cert because it doesn’t trust the CA and the validate_certs parameter only applies to the vmware/vcenter connection.

One solution may be to install the firewall’s CA on the control node, and export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt as an environment variable to ensure it is loaded by python.

Sorry for the late reaction; below is the error I get.
The docker container with ansible can download the ova without problems.
Also the esx server can download it with wget.
When I first download the file and then deploy with the ova option instead of the url option it works fine.

Who is responsible for downloading the ova?

fatal: [localhost]: FAILED! => {
“changed”: false,
“module_stderr”: “/tmp/ansible_community.vmware.vmware_deploy_ovf_payload_lqjy5tej/ansible_community.vmware.vmware_deploy_ovf_payload.zip/ansible_collections/community/vmware/plugins/modules/vmware_deploy_ovf.py:287: FutureWarning: Possible nested set at position 138\npyVmomi.VmomiSupport.vim.fault.SSLVerifyFault: (vim.fault.SSLVerifyFault) {\n dynamicType = ,\n dynamicProperty = (vmodl.DynamicProperty) ,\n msg = "Authenticity of the host’s SSL certificate is not verified.",\n faultCause = ,\n faultMessage = (vmodl.LocalizableMessage) ,\n selfSigned = false,\n thumbprint = ‘45:2D:A0:ED:21:1E:EA:EB:B3:01:A3:29:03:67:9D:24:B9:D8:96:97’\n}\n\nThe above exception was the direct cause of the following exception:\n\nTraceback (most recent call last):\n File "/root/.ansible/tmp/ansible-tmp-1728309148.7326674-2136-20966311542930/AnsiballZ_vmware_deploy_ovf.py", line 107, in \n _ansiballz_main()\n File "/root/.ansible/tmp/ansible-tmp-1728309148.7326674-2136-20966311542930/AnsiballZ_vmware_deploy_ovf.py", line 99, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File "/root/.ansible/tmp/ansible-tmp-1728309148.7326674-2136-20966311542930/AnsiballZ_vmware_deploy_ovf.py", line 47, in invoke_module\n runpy.run_module(mod_name=‘ansible_collections.community.vmware.plugins.modules.vmware_deploy_ovf’, init_globals=dict(_module_fqn=‘ansible_collections.community.vmware.plugins.modules.vmware_deploy_ovf’, _modlib_path=modlib_path),\n File "", line 226, in run_module\n File "", line 98, in _run_module_code\n File "", line 88, in _run_code\n File "/tmp/ansible_community.vmware.vmware_deploy_ovf_payload_lqjy5tej/ansible_community.vmware.vmware_deploy_ovf_payload.zip/ansible_collections/community/vmware/plugins/modules/vmware_deploy_ovf.py", line 925, in \n File "/tmp/ansible_community.vmware.vmware_deploy_ovf_payload_lqjy5tej/ansible_community.vmware.vmware_deploy_ovf_payload.zip/ansible_collections/community/vmware/plugins/modules/vmware_deploy_ovf.py", 
line 913, in main\n File "/tmp/ansible_community.vmware.vmware_deploy_ovf_payload_lqjy5tej/ansible_community.vmware.vmware_deploy_ovf_payload.zip/ansible_collections/community/vmware/plugins/modules/vmware_deploy_ovf.py", line 685, in upload\n File "/tmp/ansible_community.vmware.vmware_deploy_ovf_payload_lqjy5tej/ansible_community.vmware.vmware_deploy_ovf_payload.zip/ansible_collections/community/vmware/plugins/module_utils/vmware.py", line 156, in wait_for_task\n File "", line 3, in raise_from\nansible_collections.community.vmware.plugins.module_utils.vmware.TaskError: ("Authenticity of the host’s SSL certificate is not verified.", ‘45:2D:A0:ED:21:1E:EA:EB:B3:01:A3:29:03:67:9D:24:B9:D8:96:97’)\n”,
“module_stdout”: “”,
“msg”: “MODULE FAILURE\nSee stdout/stderr for the exact error”,
“rc”: 1
}
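An added diagnostic, not part of the original thread or of community.vmware: it extracts the thumbprint from the SSLVerifyFault text above and compares it with the SHA-1 thumbprint of the certificate the control node is served, which tests the TLS-inspection theory raised earlier. Assumptions: the 20-byte thumbprint in the fault is the SHA-1 of the DER certificate the vSphere side was presented with; the function names and the `b"abc"` stand-in bytes are constructed for illustration.

```python
import hashlib
import re
import socket
import ssl

# Constructed sample: the fault fields as quoted in the error output on this page.
SAMPLE_FAULT = (
    "selfSigned = false,\n"
    " thumbprint = '45:2D:A0:ED:21:1E:EA:EB:B3:01:A3:29:03:67:9D:24:B9:D8:96:97'\n"
)
THUMB_RE = re.compile(r"thumbprint\s*=\s*\W?((?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2})")


def parse_fault(text):
    """Extract selfSigned and the 20-byte thumbprint from an SSLVerifyFault dump."""
    thumb = THUMB_RE.search(text)
    if thumb is None:
        raise ValueError("no 20-byte thumbprint found in fault text")
    flag = re.search(r"selfSigned\s*=\s*(true|false)", text)
    return {"thumbprint": thumb.group(1).upper(),
            "self_signed": flag is not None and flag.group(1) == "true"}


def sha1_thumbprint(der):
    """Colon-separated upper-case SHA-1 of DER bytes (assumed fault format)."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf_der(host, port=443, timeout=10):
    """Return the leaf certificate this machine is served. Verification is
    off only so the bytes can be inspected; nothing is trusted or downloaded."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare(fault_text, der):
    """Compare the certificate vSphere reported with the one seen locally."""
    fault = parse_fault(fault_text)
    local = sha1_thumbprint(der)
    return {"vsphere_saw": fault["thumbprint"], "control_node_saw": local,
            "self_signed": fault["self_signed"],
            "same_certificate": fault["thumbprint"] == local}


if __name__ == "__main__":
    # b"abc" is a constructed stand-in for DER bytes so the example runs offline.
    print(compare(SAMPLE_FAULT, b"abc"))
```

For a live check, pass `fetch_leaf_der("cloud-images.ubuntu.com")` as `der`. A mismatch means the two vantage points were served different certificates; a match means the vSphere side does not trust the certificate it was served.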

someone else has the same issue


This module is kind of crazy. As far as I can tell, it's trying to get vCenter to download the OVA file directly from the URL, but the certificate verification is not straightforward.

I think your best bet would be to download the file locally first, and then deploy it to your vCenter. It might be a bit slower since it's an extra step, but you'll have better control over the download process and won't be fighting with vCenter's cert store. For example:

  - name: Deploy OVF
    delegate_to: localhost
    block:
    - name: Download OVA
      ansible.builtin.get_url:
        url: "https://cloud-images.ubuntu.com/releases/xenial/release/ubuntu-16.04-server-cloudimg-amd64.ova"
        dest: "{{ playbook_dir }}/mmtest.ova"
    - name: Deploy OVF
      community.vmware.vmware_deploy_ovf:
        validate_certs: false
        datacenter: Eco-Datacenter
        cluster: Eco-Cluster
        name: mmtest-deploy-ovf
        power_on: false
        folder: mm-test
        datastore: eco-iscsi-ds2
        ovf: "{{ playbook_dir }}/mmtest.ova"

Yes, the download option is now my workaround.