Ansible uri模块和双向TLS

似乎有一个问题让uri模块很好地处理出入境TLS。 我已经设法让客户端验证或服务器验证工作,但不同时,这似乎很奇怪。 旋度相同的安装工作没有问题,如下显示。 如果你有一些经验与uri模块和TLS,也许你可以帮助。

设置

我有设置Apache httpd接受TLS连接主机,自签署的根证书,一个中间CA证书,一个服务器证书签发给127.0.0.1,客户机证书。我可以用旋度测试这个设置,和,一切工作正常,见下文。

文件host.127.0.0.1.cert。 pem包含三个证书:根,中间,和服务器证书。 文件ca.chain。 pem包含两个证书:根和中间。 文件client.SomeUser.cert。 pem包含一个证书:客户端证书

正如你所看到的从下面的输出,我运行python version = 3.7.0

从httpd . conf:

Listen 443
<VirtualHost *:443>
ServerName 127.0.0.1
SSLEngine on
SSLCertificateFile "/path/to/host.127.0.0.1.cert.pem"
SSLCertificateKeyFile "/path/to/host.127.0.0.1.privkey.nopass.pem"
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile "/path/to/ca.chain.pem"
</VirtualHost>
测试与旋度的设置

cURL命令和输出:

$ curl -vvv --cert client.SomeUser.cert.pem --key client.SomeUser.privkey.pem --cacert ca.chain.pem -X GET https://127.0.0.1

• Connected to 127.0.0.1 (127.0.0.1) port 443 (#0)
• ALPN, offering h2
• ALPN, offering http/1.1
  Enter PEM pass phrase:
• Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
• successfully set certificate verify locations:
• CAfile: /Users/mans/devel/phenixid/test-ca/src/test/resources/fixtures/tls/ca1/ca.chain.pem
  CApath: none
• TLSv1.2 (OUT), TLS handshake, Client hello (1):
• TLSv1.2 (IN), TLS handshake, Server hello (2):
• TLSv1.2 (IN), TLS handshake, Certificate (11):
• TLSv1.2 (IN), TLS handshake, Server key exchange (12):
• TLSv1.2 (IN), TLS handshake, Request CERT (13):
• TLSv1.2 (IN), TLS handshake, Server finished (14):
• TLSv1.2 (OUT), TLS handshake, Certificate (11):
• TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
• TLSv1.2 (OUT), TLS handshake, CERT verify (15):
• TLSv1.2 (OUT), TLS change cipher, Client hello (1):
• TLSv1.2 (OUT), TLS handshake, Finished (20):
• TLSv1.2 (IN), TLS change cipher, Client hello (1):
• TLSv1.2 (IN), TLS handshake, Finished (20):
• SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
• ALPN, server accepted to use http/1.1
• Server certificate:
• subject: C=SE; ST=Nacka; L=Nacka Strand; O=Example; OU=Testers; CN=127.0.0.1
• start date: Dec 14 11:45:08 2018 GMT
• expire date: Dec 21 11:45:08 2018 GMT
• subjectAltName: host "127.0.0.1" matched cert's IP address!
• issuer: C=SE; ST=Nacka; O=Example; OU=Testers; CN=Example Intermediate CA 1
• SSL certificate verify ok.

  GET / HTTP/1.1
  Host: 127.0.0.1
  User-Agent: curl/7.54.0
  Accept: /

  < HTTP/1.1 200 OK
  < Date: Fri, 14 Dec 2018 15:03:31 GMT
  < Server: Apache/2.4.33 (Unix) LibreSSL/2.2.7
  < Content-Location: index.html.en
  < Vary: negotiate
  < TCN: choice
  < Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT
  < ETag: "2d-432a5e4a73a80"
  < Accept-Ranges: bytes
  < Content-Length: 45
  < Content-Type: text/html
  <
  <html><body><h1>It works!</h1></body></html>
  与ANSIBLE测试设置

我ansible任务是这样的:

• name: "GET"
  uri:
  method: GET
  url: https://127.0.0.1/
  validate_certs: yes
  client_cert: "client.SomeUser.cert.pem"
  client_key: "client.SomeUser.privkey.pem"
  这就是我试着运行剧本: ——如果我关掉证书验证在服务器端,客户端接收服务器证书,如果我包括CA链SSL_CERT_FILE env var。好。 ——如果我打开证书验证在服务器端,但把它关掉客户端(validate_certs:没有),服务器接受客户端证书,很好。 ——但如果我打开双方的证书验证,客户无法接受服务器证书。 坏的。

这是ansible命令和输出当失败时:

$ SSL_CERT_FILE=/path/to/ca.chain.pem ansible-playbook my-playbook.yml -vvv
ansible-playbook 2.7.4
config file = /Users/xxx/.ansible.cfg
configured module search path = ['/Users/xxx/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /Users/xxx/virtualenvs/p3/lib/python3.7/site-packages/ansible
executable location = /Users/xxx/virtualenvs/p3/bin/ansible-playbook
python version = 3.7.0 (default, Aug 22 2018, 15:22:33) [Clang 9.1.0 (clang-902.0.39.2)]
Using /Users/xxx/.ansible.cfg as config file
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected
Parsed /etc/ansible/hosts inventory source with ini plugin
......output omitted......
The full traceback is:
File "/var/folders/78/n3ytyhrs2415sl3h8h1fms000000gn/T/ansible_uri_payload_bus4199a/ansible_uri_payload.zip/ansible/module_utils/urls.py", line 1259, in fetch_url
client_key=client_key, cookies=cookies)
File "/var/folders/78/n3ytyhrs2415sl3h8h1fms000000gn/T/ansible_uri_payload_bus4199a/ansible_uri_payload.zip/ansible/module_utils/urls.py", line 1162, in open_url
client_cert=client_cert, client_key=client_key, cookies=cookies)
File "/var/folders/78/n3ytyhrs2415sl3h8h1fms000000gn/T/ansible_uri_payload_bus4199a/ansible_uri_payload.zip/ansible/module_utils/urls.py", line 1070, in open
r = urllib_request.urlopen(*urlopen_args)
File "/usr/local/Cellar/python/3.7.0/Frameworks/Python.framework/Versions/3.7/lib/python3.7/urllib/request.py", line 222, in urlopen
return opener.open(url, data, timeout)
File "/usr/local/Cellar/python/3.7.0/Frameworks/Python.framework/Versions/3.7/lib/python3.7/urllib/request.py", line 523, in open
req = meth(req)
File "/var/folders/78/n3ytyhrs2415sl3h8h1fms000000gn/T/ansible_uri_payload_bus4199a/ansible_uri_payload.zip/ansible/module_utils/urls.py", line 779, in http_request
build_ssl_validation_error(self.hostname, self.port, paths_checked, e)
File "/var/folders/78/n3ytyhrs2415sl3h8h1fms000000gn/T/ansible_uri_payload_bus4199a/ansible_uri_payload.zip/ansible/module_utils/urls.py", line 580, in build_ssl_validation_error
raise SSLValidationError(' '.join(msg) % (hostname, port, ", ".join(paths)))

fatal: [127.0.0.1]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"attributes": null,
"backup": null,
"body": null,
"body_format": "raw",
"client_cert": "/path/to/client.SomeUser.cert.pem",
"client_key": "/path/to/client.SomeUser.privkey.pem",
"content": null,
"creates": null,
"delimiter": null,
"dest": null,
"directory_mode": null,
"follow": false,
"follow_redirects": "safe",
"force": false,
"force_basic_auth": false,
"group": null,
"headers": {},
"http_agent": "ansible-httpget",
"method": "GET",
"mode": null,
"owner": null,
"regexp": null,
"remote_src": null,
"removes": null,
"return_content": false,
"selevel": null,
"serole": null,
"setype": null,
"seuser": null,
"src": null,
"status_code": [
200
],
"timeout": 30,
"unsafe_writes": null,
"url": "https://127.0.0.1/",
"url_password": null,
"url_username": null,
"use_proxy": true,
"validate_certs": true
}
},
"msg": "Failed to validate the SSL certificate for 127.0.0.1:443. Make sure your managed systems have a valid CA certificate installed. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/ansible, /usr/local/etc/openssl. The exception msg was: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1045)."
}
如上所述,ansible-playbook调用作品完美的服务器验证客户端证书或客户机验证服务器证书,但不是同时。 因为这是工作与旋度好,我猜一定有毛病uri模块如何处理TLS。