Vmware deploy ovf Authenticity of the host's SSL certificate is not verified

I use ansible version ansible [core 2.17.3]
and the community.vmware collection version 4.5.0

I want to deploy a ovf from a https url.
I already find out that I had to open incoming httpclient 443
But now I get Authenticity of the host’s SSL certificate is not verified
I tried different ova’s. Local deployment wit ovf works well.
Remote deployment with terraform is alos working

the validate_certs false part is only working for the vcenter part. The enviroment VMWARE_VALIDATE_CERTS is also not working.
Is there a solutions without importing all certificates


  • hosts: all
    gather_facts: no
    collections:
    • community.vmware
      vars:
      vcenter_hostname: vc02.contoso.local
      vcenter_username: admin
      vcenter_password: supersecretpassword
      #ansible_python_interpreter: /usr/bin/python3
      tasks:
    • name: vmware ovf deploy
      community.vmware.vmware_deploy_ovf:
      validate_certs: false
      datacenter: Datacenter1
      #cluster: “Cluster1”
      esxi_hostname: esxdc1-1.contoso.local
      datastore: “VMFS-ESX-DC1-A”
      networks: {“VM-Network”: “FRONTEND”}
      hostname: ‘{{ vcenter_hostname }}’
      username: ‘{{ vcenter_username }}’
      password: ‘{{ vcenter_password }}’
      url: “https://cloud-images.ubuntu.com/releases/xenial/release/ubuntu-16.04-server-cloudimg-amd64.ova
      #ovf: /tmp/ubuntu-16.04-server-cloudimg-amd64.ova
      #wait_for_ip_address: true
      delegate_to: localhost
      environment:
      VMWARE_VALIDATE_CERTS: false

Could you run ansible with -vvv and show us the error message? This might help to analyze the problem.

Sounds like maybe they’re behind a firewall and cloud-images.ubuntu.com isn’t trusted because it’s been re-signed by the firewall CA (deep-packet-inspection), and the module is failing to validate the cert because it doesn’t trust the CA and the validate_certs parameter only applies to the vmware/vcenter connection.

One solution may be to install the firewall’s CA on the control node, and export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt as an environment variable to ensure it is loaded by python.

Sorry for late reaction below the error I get:
The docker container with ansible can download the ova without problems.
Also the esx server can download I with wget.
When I first download the file and then deploy with the ova option instead of the url option it works fine.

Who is responsible for downloading the ova?

fatal: [localhost]: FAILED! => {
“changed”: false,
“module_stderr”: “/tmp/ansible_community.vmware.vmware_deploy_ovf_payload_lqjy5tej/ansible_community.vmware.vmware_deploy_ovf_payload.zip/ansible_collections/community/vmware/plugins/modules/vmware_deploy_ovf.py:287: FutureWarning: Possible nested set at position 138\npyVmomi.VmomiSupport.vim.fault.SSLVerifyFault: (vim.fault.SSLVerifyFault) {\n dynamicType = ,\n dynamicProperty = (vmodl.DynamicProperty) ,\n msg = "Authenticity of the host’s SSL certificate is not verified.",\n faultCause = ,\n faultMessage = (vmodl.LocalizableMessage) ,\n selfSigned = false,\n thumbprint = ‘45:2D:A0:ED:21:1E:EA:EB:B3:01:A3:29:03:67:9D:24:B9:D8:96:97’\n}\n\nThe above exception was the direct cause of the following exception:\n\nTraceback (most recent call last):\n File "/root/.ansible/tmp/ansible-tmp-1728309148.7326674-2136-20966311542930/AnsiballZ_vmware_deploy_ovf.py", line 107, in \n _ansiballz_main()\n File "/root/.ansible/tmp/ansible-tmp-1728309148.7326674-2136-20966311542930/AnsiballZ_vmware_deploy_ovf.py", line 99, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File "/root/.ansible/tmp/ansible-tmp-1728309148.7326674-2136-20966311542930/AnsiballZ_vmware_deploy_ovf.py", line 47, in invoke_module\n runpy.run_module(mod_name=‘ansible_collections.community.vmware.plugins.modules.vmware_deploy_ovf’, init_globals=dict(_module_fqn=‘ansible_collections.community.vmware.plugins.modules.vmware_deploy_ovf’, _modlib_path=modlib_path),\n File "", line 226, in run_module\n File "", line 98, in _run_module_code\n File "", line 88, in _run_code\n File "/tmp/ansible_community.vmware.vmware_deploy_ovf_payload_lqjy5tej/ansible_community.vmware.vmware_deploy_ovf_payload.zip/ansible_collections/community/vmware/plugins/modules/vmware_deploy_ovf.py", line 925, in \n File "/tmp/ansible_community.vmware.vmware_deploy_ovf_payload_lqjy5tej/ansible_community.vmware.vmware_deploy_ovf_payload.zip/ansible_collections/community/vmware/plugins/modules/vmware_deploy_ovf.py", line 913, in main\n File "/tmp/ansible_community.vmware.vmware_deploy_ovf_payload_lqjy5tej/ansible_community.vmware.vmware_deploy_ovf_payload.zip/ansible_collections/community/vmware/plugins/modules/vmware_deploy_ovf.py", line 685, in upload\n File "/tmp/ansible_community.vmware.vmware_deploy_ovf_payload_lqjy5tej/ansible_community.vmware.vmware_deploy_ovf_payload.zip/ansible_collections/community/vmware/plugins/module_utils/vmware.py", line 156, in wait_for_task\n File "", line 3, in raise_from\nansible_collections.community.vmware.plugins.module_utils.vmware.TaskError: ("Authenticity of the host’s SSL certificate is not verified.", ‘45:2D:A0:ED:21:1E:EA:EB:B3:01:A3:29:03:67:9D:24:B9:D8:96:97’)\n”,
“module_stdout”: “”,
“msg”: “MODULE FAILURE\nSee stdout/stderr for the exact error”,
“rc”: 1
}