
"Invalid certificate or key" returned from awx when trying to create machine credential #452

Closed
akcrisp opened this issue Dec 13, 2017 · 10 comments

3 participants
@akcrisp

commented Dec 13, 2017

Hi,

I have a bash script which worked perfectly with ansible tower 3.1.x and api v1.

I am now trying to get it working with awx 1.0.1.273 build and api v2.

Even trying to do this on the command line I get the same error - so I am assuming this is user error...

I've assigned the id_rsa key to a variable name (fred) and it includes the begin and end of the key

tower-cli credential create --insecure --name="Andy" -d "tower cli test" -h http://hostname -u admin -p passwd --credential-type="Machine" --organization org --inputs='{"username": "$user", "ssh_key_data": "$fred"}' --fail-on-found.

Clearly I am missing something here?

Any help appreciated, tried looking for examples but found none doing this on command line.

Andy

@AlanCoding

Member

commented Dec 13, 2017

Reproduced the situation with:

tower-cli credential create --insecure --name="Andy" -d "tower cli test" --credential-type="Machine" --organization Default --inputs='{"username": "$user", "ssh_key_data": "$fred"}' --fail-on-found

Yes, this gives "Invalid certificate or key", and this pertains to the content inside ssh_key_data in inputs.

This is a gnarly, tricky subject. By using ssh_key_data, you are trying to provide a full ssh key, which is rather large. I made one example of one way you can provide it:

    machine_cred_inputs="username: root
    ssh_key_data: |
    -----BEGIN RSA PRIVATE KEY-----
    <private key body omitted from the page>
    -----END RSA PRIVATE KEY-----"
    echo "Tower-CLI DATA FAKER: creating credentials"
    # Example credentials for cloud and machine
    tower-cli credential create --name="SSH example" --user=$userval --inputs="$machine_cred_inputs" --credential-type="Machine"

That's a starting place, but it's still frustrating. #356 is sorely needed, but more work is needed to hammer out the exact use cases and the syntax patterns that we get when sourcing it from a file.

Unfortunately, even my testing of a pattern like --inputs="{username: root, ssh_key_data: $(cat ~/.ssh/id_rsa)}" still yields no results. This is because the server is actually expecting line breaks, and (on my machine at least) these are dropped in the process of coercing the output to data in the CLI option (although they are not inside of the prior example).

You can see where this comes from in AWX:

https://github.com/ansible/awx/blob/353a9a55c77e0f5a0ad43860fbdc9de5f22f29b8/awx/main/validators.py#L50-L62

Reproduce by using the ^(-{4,}) *BEGIN ([A-Z ]+?) *\1[\r\n]+(.+?)[\r\n]+\1 *END \2 *\1[\r\n]?(.*?)$ pattern inside of:

https://pythex.org/

and selecting DOTALL.

This will show you that

    -----BEGIN RSA PRIVATE KEY-----
    foobar
    -----END RSA PRIVATE KEY-----

is accepted, but

    -----BEGIN RSA PRIVATE KEY----- foobar -----END RSA PRIVATE KEY-----

is not.


Meta note to anyone who participates in this conversation: please use caution to not post your private key by accident. The cat above can be dangerous, should it make it to public forums.

@akcrisp

Author

commented Dec 21, 2017

@AlanCoding I've got this working - now based on your example - thanks. However I now need to also specify (I assume as additional --inputs) the following
PRIVATE KEY PASSPHRASE
PRIVILEGE ESCALATION METHOD
PRIVILEGE ESCALATION USERNAME

Can you confirm what the keywords for the above are for use with inputs? I've looked - nothing in the docs I can see.

Thanks

Andy

@akcrisp

Author

commented Dec 21, 2017

@AlanCoding don't worry, I managed to figure this out - they are:

    ssh_key_unlock: "${passphrase}"
    become_method: "${become_meth}"
    become_username: "${sudouser}"

It threw me because on the previous versions of tower these were all separated by dash, not underscore, i.e. become-method is now become_method.

Andy

@bmduffy


commented Feb 1, 2018

Could you please share the solution? Will there be a PR to fix this?

@akcrisp

Author

commented Feb 1, 2018

@bmduffy


commented Feb 2, 2018

Hi @akcrisp and @AlanCoding,
I made a PR #1116 on this because it is currently blocking me from moving forward on a downstream project using ansible-tower-cli. I should probably add additional keys to the unit tests to cover the case you described, but the following passes the unit tests that are there:

    import re

    # Match a PEM-style block: header, body separated by any whitespace, footer, optional trailer
    pem = re.compile(
        r'^-{5}\ *BEGIN ([A-Z ]+?)\ *-{5}' +
        r'\s*(.+?)\s*' +
        r'-{5}\ *END [A-Z ]+?\ *-{5}' +
        r'\s?(.*?)$',
        re.DOTALL
    )

I removed the back references because they create an unnecessary match group and back references are more expensive. Also match on whitespace: \s=[ \t\n\r\f\v] not just [\r\n].
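To see the line-break requirement AlanCoding describes side by side with the relaxed pattern proposed in the PR above, here is an added Python example (not code from AWX or from the tower-cli project): both regexes are quoted from this thread, the key text is a constructed stand-in with a "foobar" body, and the inputs_json helper is my own assumption about one way to keep line breaks intact when passing --inputs as JSON.

```python
import json
import re

# Validator pattern as quoted from the AWX link in the thread (used with DOTALL).
# It demands at least one line break after the BEGIN line and before the END line.
AWX_PEM = re.compile(
    r'^(-{4,}) *BEGIN ([A-Z ]+?) *\1[\r\n]+(.+?)[\r\n]+\1 *END \2 *\1[\r\n]?(.*?)$',
    re.DOTALL,
)

# Relaxed pattern from the PR comment: any whitespace between header, body and footer,
# and no back references.
RELAXED_PEM = re.compile(
    r'^-{5}\ *BEGIN ([A-Z ]+?)\ *-{5}'
    r'\s*(.+?)\s*'
    r'-{5}\ *END [A-Z ]+?\ *-{5}'
    r'\s?(.*?)$',
    re.DOTALL,
)

# Constructed stand-ins for a key; "foobar" is not real key material.
KEY_MULTILINE = "-----BEGIN RSA PRIVATE KEY-----\nfoobar\n-----END RSA PRIVATE KEY-----"
KEY_ONE_LINE = "-----BEGIN RSA PRIVATE KEY----- foobar -----END RSA PRIVATE KEY-----"


def awx_accepts(key_text: str) -> bool:
    """True if the AWX validator regex would accept this ssh_key_data value."""
    return AWX_PEM.match(key_text) is not None


def relaxed_accepts(key_text: str) -> bool:
    """True if the relaxed pattern from the PR would accept this value."""
    return RELAXED_PEM.match(key_text) is not None


def collapse_newlines(key_text: str) -> str:
    """Reproduce the line-break loss described in the thread: every run of
    whitespace (including newlines) becomes a single space."""
    return " ".join(key_text.split())


def inputs_json(username: str, key_text: str) -> str:
    """Assumed approach: serialise the --inputs value with json.dumps so that
    line breaks survive as \\n escapes instead of being interpolated raw."""
    return json.dumps({"username": username, "ssh_key_data": key_text})


def roundtrip_inputs(username: str, key_text: str) -> str:
    """Decode what inputs_json produced and return the ssh_key_data field."""
    return json.loads(inputs_json(username, key_text))["ssh_key_data"]
```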

@bmduffy


commented Feb 4, 2018

Hi @akcrisp, just wondering how you worked around this issue? It would be good to know.

@akcrisp

Author

commented Feb 5, 2018

@bmduffy


commented Feb 6, 2018

Hi @akcrisp, yes that is really helpful! Thank you very much.

@AlanCoding AlanCoding added this to needs_devel in Credential fixing Apr 27, 2018

@AlanCoding

Member

commented Jun 13, 2018

Closing as this is being addressed in #356

@AlanCoding AlanCoding closed this Jun 13, 2018
