consul_session: ensure certificate is checked when HTTPS is used #58693

Open: 2 commits to be merged into base: devel

@pilou- commented Jul 4, 2019

SUMMARY

consul_session: ensure that:

  • cert is checked when HTTPS is used
  • cert isn't checked when validate_certs is disabled

ISSUE TYPE

  • Bugfix Pull Request

COMPONENT NAME

consul_session

ADDITIONAL INFORMATION

Depends on #58692. Currently fails with:

Could not retrieve session info 400 Client sent an HTTP request to an HTTPS server

@pilou- force-pushed the pilou-:consul_session_validate_certs branch from 1e50f2f to 1d26884 Jul 21, 2019

@pilou- commented Jul 21, 2019

Pull request rebased since #58692 has been merged.

As expected, integration test failed:

TASK [consul : ensure SSL certificate isn't checked when validate_certs is disabled] ***
task path: /root/.ansible/test/tmp/consul-2os7by9u-ÅÑŚÌβŁÈ/test/integration/targets/consul/tasks/consul_session.yml:100
<testhost> ESTABLISH LOCAL CONNECTION FOR USER: root
<testhost> EXEC /bin/sh -c 'echo ~root && sleep 0'
<testhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1563744820.3596995-8858196606187 `" && echo ansible-tmp-1563744820.3596995-8858196606187="` echo /root/.ansible/tmp/ansible-tmp-1563744820.3596995-8858196606187 `" ) && sleep 0'
Using module file /root/ansible/lib/ansible/modules/clustering/consul_session.py
<testhost> PUT /root/.ansible/tmp/ansible-local-150861doyicl6/tmpv7wj6ink TO /root/.ansible/tmp/ansible-tmp-1563744820.3596995-8858196606187/AnsiballZ_consul_session.py
<testhost> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1563744820.3596995-8858196606187/ /root/.ansible/tmp/ansible-tmp-1563744820.3596995-8858196606187/AnsiballZ_consul_session.py && sleep 0'
<testhost> EXEC /bin/sh -c '/usr/bin/python3.6 /root/.ansible/tmp/ansible-tmp-1563744820.3596995-8858196606187/AnsiballZ_consul_session.py && sleep 0'
<testhost> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1563744820.3596995-8858196606187/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
  File "/tmp/ansible_consul_session_payload_bsftroy_/__main__.py", line 178, in lookup_sessions
    session_by_id = consul_client.session.info(session_id, dc=datacenter)
  File "/usr/local/lib/python3.6/site-packages/consul/base.py", line 1894, in info
    params=params)
  File "/usr/local/lib/python3.6/site-packages/consul/std.py", line 22, in get
    self.session.get(uri, verify=self.verify, cert=self.cert)))
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 537, in get
    return self.request('GET', url, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 524, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 637, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)

fatal: [testhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "behavior": "release",
            "checks": null,
            "datacenter": null,
            "delay": 15,
            "host": "localhost",
            "id": "71998cee-d817-0edd-da7a-4dc1b2fa1042",
            "name": null,
            "node": null,
            "port": 8501,
            "scheme": "https",
            "state": "info",
            "validate_certs": false
        }
    },
    "msg": "Could not retrieve session info HTTPSConnectionPool(host='localhost', port=8501): Max retries exceeded with url: /v1/session/info/71998cee-d817-0edd-da7a-4dc1b2fa1042 (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)'),))

Bugfix will follow.
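
An added example, not part of the pull request or of Ansible's code: a triage helper that uses the two failure messages quoted in this thread to tell a module that ignores scheme or validate_certs apart from a certificate that was correctly rejected. The function names, result labels and sample dicts are assumptions constructed for illustration, as is treating a missing scheme as http and a missing validate_certs as enabled.

```python
import re

# Failure signatures quoted in this thread.
PLAIN_HTTP_TO_TLS = re.compile(r"Client sent an HTTP request to an HTTPS server")
CERT_VERIFY_FAILED = re.compile(r"CERTIFICATE_VERIFY_FAILED")


def triage(result):
    """Classify a failed consul_session result dict (hypothetical helper).

    scheme_not_honoured         plain HTTP was sent although scheme=https
    wrong_scheme_configured     task itself asked for http against a TLS port
    validate_certs_not_honoured cert was verified although validate_certs=false
    certificate_rejected        verification was requested and the cert failed it
    unrelated                   neither TLS signature matched
    """
    args = result.get("invocation", {}).get("module_args", {})
    msg = result.get("msg", "")
    scheme = args.get("scheme", "http")          # assumption: absent means http
    validate = args.get("validate_certs", True)  # assumption: absent means verify

    if PLAIN_HTTP_TO_TLS.search(msg):
        return "scheme_not_honoured" if scheme == "https" else "wrong_scheme_configured"
    if CERT_VERIFY_FAILED.search(msg):
        if scheme == "https" and validate is False:
            return "validate_certs_not_honoured"
        return "certificate_rejected"
    return "unrelated"


def make_result(scheme, validate_certs, msg):
    # Constructed sample in the shape of the "fatal:" output quoted above.
    return {"invocation": {"module_args": {"scheme": scheme, "port": 8501,
                                           "validate_certs": validate_certs}},
            "msg": "Could not retrieve session info " + msg}


# Constructed samples; the two messages are shortened from the ones in the thread,
# and the module_args paired with the first message are assumed.
SAMPLES = {
    "first_report": make_result("https", True,
                                "400 Client sent an HTTP request to an HTTPS server"),
    "after_rebase": make_result("https", False,
                                "SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]')"),
    "untrusted_cert": make_result("https", True,
                                  "SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]')"),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "->", triage(sample))
```

A certificate_rejected result is verification working as requested; only the two *_not_honoured labels point at the module rather than at the certificate.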

@pilou- changed the title from "[WIP] consul_session: ensure certificate is checked when HTTPS is used" to "consul_session: ensure certificate is checked when HTTPS is used" Jul 21, 2019

@ansibot added community_review and removed WIP labels Jul 21, 2019
