[BUG] netscaler.adc.sslprofile_sslcipher_binding fails when run 2nd time #292

Closed
jacek-777 opened this issue Oct 11, 2023 · 1 comment
@jacek-777

Describe the bug

netscaler.adc.sslprofile_sslcipher_binding does not work as expected.
Binding ciphers to the sslprofile for the 2nd time throws an error:
{'errorcode': 3741, 'message': 'Specified cipher is already bound with higher priority', 'severity': 'ERROR'}

Unbinding the "DEFAULT" cipher group does not work either.

SSL default profile is enabled on VPX.

To Reproduce
Steps to reproduce the behaviour:

  1. My ansible-playbook is...
  vars:
    my_ssl_profile:
      name: "MY-SSL-PRF"
      ciphersgroup: "TLSv1.3"

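  tasks:
    # The login and "Save session id" tasks seen in the run output are not included in the report.
    - name: Setup ssl profile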
      delegate_to: localhost
      netscaler.adc.sslprofile:
        nsip: "{{ nsip }}"
        nitro_auth_token: "{{ sessionid }}"
        validate_certs: no
        state: present
        name: "{{ my_ssl_profile.name }}"


    - name: Bind ciphergroup to SSL Profile
      delegate_to: localhost
      netscaler.adc.sslprofile_sslcipher_binding:
        nsip: "{{ nsip }}"
        nitro_auth_token: "{{ sessionid }}"
        validate_certs: no
        state: present
        name: "{{my_ssl_profile.name }}"
        ciphername: "{{ my_ssl_profile.ciphersgroup }}"
        cipherpriority: "1"

    - name: Unbind default ciphergroup from SSL Profile
      delegate_to: localhost
      netscaler.adc.sslprofile_sslcipher_binding:
        nsip: "{{ nsip }}"
        nitro_auth_token: "{{ sessionid }}"
        validate_certs: no
        state: absent
        name: "{{my_ssl_profile.name}}"
        ciphername: "DEFAULT"
1st run:
PLAY [SSL cipher binding BUG] ******************************************************************************************************************************

TASK [V2 | Sample Task | login] **********************************************************************************************************
changed: [localhost -> localhost]

TASK [Save session id] *******************************************************************************************************************
ok: [localhost]

TASK [Setup ssl profile] *****************************************************************************************************************
ok: [localhost -> localhost]

TASK [Bind ciphergroup to SSL Profile] ***************************************************************************************************
changed: [localhost -> localhost]

TASK [Unbind default ciphergroup from SSL Profile] ***************************************************************************************
ok: [localhost -> localhost]

PLAY RECAP *******************************************************************************************************************************
localhost                  : ok=5    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0


Please note: TASK [Unbind default ciphergroup from SSL Profile] did not change (DEFAULT ciphers were not unbound)

2nd run:


PLAY [SSL cipher binding BUG] ************************************************************************************************************

TASK [V2 | Sample Task | login] **********************************************************************************************************
changed: [localhost -> localhost]

TASK [Save session id] *******************************************************************************************************************
ok: [localhost]

TASK [Setup ssl profile] *****************************************************************************************************************
ok: [localhost -> localhost]

TASK [Bind ciphergroup to SSL Profile] ***************************************************************************************************
fatal: [localhost -> localhost]: FAILED! => {"changed": true, "loglines": ["DEBUG: Initializing ModuleExecutor for resource sslprofile_sslcipher_binding", "TRACE: ENTRY: get_valid_desired_states() called with ('sslprofile_sslcipher_binding',), {}", "TRACE: EXIT: get_valid_desired_states() returned {'absent', 'present'}", "TRACE: ENTRY: get_netscaler_version() called with (<ansible_collections.netscaler.adc.plugins.module_utils.client.NitroAPIClient object at 0x7ffa17d2b438>,), {}", "TRACE: ENTRY: get_resource() called with (<ansible_collections.netscaler.adc.plugins.module_utils.client.NitroAPIClient object at 0x7ffa17d2b438>, 'nsversion'), {}", "TRACE: ENTRY: send() called with (<ansible_collections.netscaler.adc.plugins.module_utils.client.NitroAPIClient object at 0x7ffa17d2b438>, 'GET', 'https://x.x.x.x/nitro/v1/config/nsversion'), {}", "DEBUG: self={'_module': <ansible.module_utils.basic.AnsibleModule object at 0x7ffa17e2ea58>, 'check_mode': False, 'api_path': 'nitro/v1/config', '_headers': {'Content-Type': 'application/json', 'User-Agent': 'ansible-ctxadc', 'Cookie': 'NITRO_AUTH_TOKEN=********'}}", "DEBUG: fetch_url()-resonse-info={'url': 'https://x.x.x.x/nitro/v1/config/nsversion', 'status': 200, 'date': 'Wed, 11 Oct 2023 11:39:39 GMT', 'server': 'Apache', 'x-frame-options': 'SAMEORIGIN', 'expires': 'Thu, 19 Nov 1981 08:52:00 GMT', 'cache-control': 'no-store, no-cache, must-revalidate, post-check=0, pre-check=0', 'pragma': 'no-cache', 'vary': 'Accept-Encoding', 'feature-policy': \"camera 'none'; microphone 'none'; geolocation 'none'\", 'referrer-policy': 'no-referrer', 'x-xss-protection': '1; mode=block', 'x-content-type-options': 'nosniff', 'content-length': '200', 'content-type': 'application/json; charset=utf-8', 'connection': 'close', 'cookies_string': '', 'cookies': {}, 'msg': 'OK (200 bytes)'}", "TRACE: EXIT: send() returned (200, {'errorcode': 0, 'message': 'Done', 'severity': 'NONE', 'nsversion': {'installedversion': False, 'version': 'NetScaler 
NS13.0: Build 87.9.nc, Date: Jul 29 2022, 10:59:37   (64-bit)', 'mode': '1'}})", "TRACE: EXIT: get_resource() returned [{'installedversion': False, 'version': 'NetScaler NS13.0: Build 87.9.nc, Date: Jul 29 2022, 10:59:37   (64-bit)', 'mode': '1'}]", "TRACE: EXIT: get_netscaler_version() returned (13.0, 87.9)", "INFO: NetScaler version: 13.0-87.9", "DEBUG: All params (including non module-specific params) are: {'nsip': 'x.x.x.x', 'nitro_auth_token': '********', 'validate_certs': False, 'state': 'present', 'name': 'MY-SSL-PRF', 'ciphername': 'TLSv1.3', 'cipherpriority': 1.0, 'nitro_protocol': 'https', 'save_config': False, 'api_path': 'nitro/v1/config', 'nitro_user': None, 'nitro_pass': None, 'cipheraliasname': None, 'description': None}", "TRACE: ENTRY: _filter_resource_module_params() called with (<ansible_collections.netscaler.adc.plugins.module_utils.module_executor.ModuleExecutor object at 0x7ffa17dca7f0>,), {}", "DEBUG: Desired `sslprofile_sslcipher_binding` module specific params are: {'name': 'MY-SSL-PRF', 'ciphername': 'TLSv1.3', 'cipherpriority': 1.0}", "TRACE: EXIT: _filter_resource_module_params() returned None", "TRACE: ENTRY: get_existing_resource() called with (<ansible_collections.netscaler.adc.plugins.module_utils.module_executor.ModuleExecutor object at 0x7ffa17dca7f0>,), {}", "TRACE: ENTRY: get_resource() called with (<ansible_collections.netscaler.adc.plugins.module_utils.client.NitroAPIClient object at 0x7ffa17d2b438>,), {'resource_name': 'sslprofile_sslcipher_binding', 'resource_id': 'MY-SSL-PRF', 'args': {}, 'filter': {'ciphername': 'TLSv1.3'}}", "TRACE: ENTRY: send() called with (<ansible_collections.netscaler.adc.plugins.module_utils.client.NitroAPIClient object at 0x7ffa17d2b438>, 'GET', 'https://x.x.x.x/nitro/v1/config/sslprofile_sslcipher_binding/MY-SSL-PRF?filter=ciphername:TLSv1.3'), {}", "DEBUG: self={'_module': <ansible.module_utils.basic.AnsibleModule object at 0x7ffa17e2ea58>, 'check_mode': False, 'api_path': 'nitro/v1/config', 
'_headers': {'Content-Type': 'application/json', 'User-Agent': 'ansible-ctxadc', 'Cookie': 'NITRO_AUTH_TOKEN=********'}}", "DEBUG: fetch_url()-resonse-info={'url': 'https://x.x.x.x/nitro/v1/config/sslprofile_sslcipher_binding/MY-SSL-PRF?filter=ciphername:TLSv1.3', 'status': 200, 'date': 'Wed, 11 Oct 2023 11:39:39 GMT', 'server': 'Apache', 'x-frame-options': 'SAMEORIGIN', 'expires': 'Thu, 19 Nov 1981 08:52:00 GMT', 'cache-control': 'no-store, no-cache, must-revalidate, post-check=0, pre-check=0', 'pragma': 'no-cache', 'vary': 'Accept-Encoding', 'feature-policy': \"camera 'none'; microphone 'none'; geolocation 'none'\", 'referrer-policy': 'no-referrer', 'x-xss-protection': '1; mode=block', 'x-content-type-options': 'nosniff', 'content-length': '57', 'content-type': 'application/json; charset=utf-8', 'connection': 'close', 'cookies_string': '', 'cookies': {}, 'msg': 'OK (57 bytes)'}", "TRACE: EXIT: send() returned (200, {'errorcode': 0, 'message': 'Done', 'severity': 'NONE'})", "TRACE: EXIT: get_resource() returned []", "TRACE: EXIT: get_existing_resource() returned {}", "TRACE: ENTRY: main() called with (<ansible_collections.netscaler.adc.plugins.module_utils.module_executor.ModuleExecutor object at 0x7ffa17dca7f0>,), {}", "TRACE: ENTRY: create_or_update() called with (<ansible_collections.netscaler.adc.plugins.module_utils.module_executor.ModuleExecutor object at 0x7ffa17dca7f0>,), {}", "TRACE: ENTRY: update_diff_list() called with (<ansible_collections.netscaler.adc.plugins.module_utils.module_executor.ModuleExecutor object at 0x7ffa17dca7f0>,), {'existing': {}, 'desired': {'name': 'MY-SSL-PRF', 'ciphername': 'TLSv1.3', 'cipherpriority': 1.0}}", "TRACE: EXIT: update_diff_list() returned None", "INFO: Resource sslprofile_sslcipher_binding:MY-SSL-PRF does not exist. 
Will be CREATED.", "TRACE: ENTRY: create_resource() called with (<ansible_collections.netscaler.adc.plugins.module_utils.client.NitroAPIClient object at 0x7ffa17d2b438>, 'sslprofile_sslcipher_binding', {'name': 'MY-SSL-PRF', 'ciphername': 'TLSv1.3', 'cipherpriority': 1.0}), {}", "TRACE: ENTRY: _check_create_resource_params() called with ('sslprofile_sslcipher_binding', {'name': 'MY-SSL-PRF', 'ciphername': 'TLSv1.3', 'cipherpriority': 1.0}), {}", "TRACE: EXIT: _check_create_resource_params() returned (True, None, {'name': 'MY-SSL-PRF', 'ciphername': 'TLSv1.3', 'cipherpriority': 1.0})", "TRACE: ENTRY: send() called with (<ansible_collections.netscaler.adc.plugins.module_utils.client.NitroAPIClient object at 0x7ffa17d2b438>, 'POST', 'https://x.x.x.x/nitro/v1/config/sslprofile_sslcipher_binding', '{\"sslprofile_sslcipher_binding\": {\"name\": \"MY-SSL-PRF\", \"ciphername\": \"TLSv1.3\", \"cipherpriority\": 1.0}}'), {}", "DEBUG: self={'_module': <ansible.module_utils.basic.AnsibleModule object at 0x7ffa17e2ea58>, 'check_mode': False, 'api_path': 'nitro/v1/config', '_headers': {'Content-Type': 'application/json', 'User-Agent': 'ansible-ctxadc', 'Cookie': 'NITRO_AUTH_TOKEN=********'}}", "DEBUG: fetch_url()-resonse-info={'url': 'https://x.x.x.x/nitro/v1/config/sslprofile_sslcipher_binding', 'status': 599, 'date': 'Wed, 11 Oct 2023 11:39:39 GMT', 'server': 'Apache', 'x-frame-options': 'SAMEORIGIN', 'expires': 'Thu, 19 Nov 1981 08:52:00 GMT', 'cache-control': 'no-store, no-cache, must-revalidate, post-check=0, pre-check=0', 'pragma': 'no-cache', 'feature-policy': \"camera 'none'; microphone 'none'; geolocation 'none'\", 'referrer-policy': 'no-referrer', 'x-xss-protection': '1; mode=block', 'x-content-type-options': 'nosniff', 'content-length': '111', 'content-type': 'application/json; charset=utf-8', 'connection': 'close', 'msg': 'HTTP Error 599: Netscaler specific error', 'body': b'{ \"errorcode\": 3741, \"message\": \"Specified cipher is already bound with higher 
priority\", \"severity\": \"ERROR\" }'}", "TRACE: EXIT: send() returned (599, {'errorcode': 3741, 'message': 'Specified cipher is already bound with higher priority', 'severity': 'ERROR'})", "TRACE: ENTRY: return_response() called with (), {'status_code': 599, 'response_body': {'errorcode': 3741, 'message': 'Specified cipher is already bound with higher priority', 'severity': 'ERROR'}, 'operation': 'create_resource', 'resource_name': 'sslprofile_sslcipher_binding'}", "ERROR: create_resource FAILED; status_code: 599; Reason:{'errorcode': 3741, 'message': 'Specified cipher is already bound with higher priority', 'severity': 'ERROR'}", "TRACE: EXIT: return_response() returned (False, \"ERROR: create_resource FAILED; status_code: 599; Reason:{'errorcode': 3741, 'message': 'Specified cipher is already bound with higher priority', 'severity': 'ERROR'}\")", "TRACE: EXIT: create_resource() returned (False, \"ERROR: create_resource FAILED; status_code: 599; Reason:{'errorcode': 3741, 'message': 'Specified cipher is already bound with higher priority', 'severity': 'ERROR'}\")", "TRACE: ENTRY: return_failure() called with (<ansible_collections.netscaler.adc.plugins.module_utils.module_executor.ModuleExecutor object at 0x7ffa17dca7f0>, \"ERROR: create_resource FAILED; status_code: 599; Reason:{'errorcode': 3741, 'message': 'Specified cipher is already bound with higher priority', 'severity': 'ERROR'}\"), {}"], "msg": "ERROR: create_resource FAILED; status_code: 599; Reason:{'errorcode': 3741, 'message': 'Specified cipher is already bound with higher priority', 'severity': 'ERROR'}"}

PLAY RECAP *******************************************************************************************************************************
localhost                  : ok=3    changed=1    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0



I am seeing the below error...
{'errorcode': 3741, 'message': 'Specified cipher is already bound with higher priority', 'severity': 'ERROR'}

Expected behaviour

  1. Binding cipher for 2nd and consecutive times should not throw an error.
  2. DEFAULT cipher should be removed from binding
Results from CLI:
show ssl profile MY-SSL-PRF
1)      Name: MY-SSL-PRF        (Front-End)
.....
1)      Cipher Name: TLSv1.3     Priority :1
        Description: Predefined Cipher Alias

2)      Cipher Name: DEFAULT     Priority :2
        Description: Predefined Cipher Alias

Environment (please complete the following information):

  • ansible-galaxy collection list | grep netscaler.adc
    netscaler.adc 2.0.1

  • Python version python --version
    Python 3.6.8

  • Ansible version ansible --version
    ansible [core 2.11.12]
    config file = /etc/ansible/ansible.cfg
    configured module search path = ['/home/xxx/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
    ansible python module location = /home/xxx/projects/.venv/lib/python3.6/site-packages/ansible
    ansible collection location = /home/xxx/.ansible/collections:/usr/share/ansible/collections
    executable location = /home/xxx/projects/.venv/bin/ansible
    python version = 3.6.8 (default, May 30 2023, 08:41:09) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
    jinja version = 3.0.3
    libyaml = True

  • NetScaler version show ns version output
    NetScaler NS13.0: Build 87.9.nc, Date: Jul 29 2022, 10:59:37 (64-bit)
    PS also tested on 13.1 latest 49.13

Additional context

Have also tried using netscaler.adc.sslprofile with desired mode - but that did not work either

- name: Setup ssl profile 
  delegate_to: localhost
  netscaler.adc.sslprofile:
    nsip: "{{ nsip }}"
    nitro_auth_token: "{{ sessionid }}"
    validate_certs: no
    state: present
    name: "{{ my_ssl_profile.name }}"
    sslprofile_sslcipher_binding: 
      mode: desired
      binding_members:
        - name: "{{ my_ssl_profile.name }}"
          ciphername: "{{ my_ssl_profile.ciphersgroup }}"
          cipherpriority: 1
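
The expected behaviour in this report (a repeat bind is a no-op, and DEFAULT ends up unbound) can be checked offline against `show ssl profile` output. The following is an added example, not code from the netscaler.adc collection or from the reporter; the function names and the sample text are constructed for illustration, and nothing here contacts an appliance.

```python
import re

# Constructed sample, in the format of the `show ssl profile` output in the report.
SAMPLE_SHOW_OUTPUT = """\
1)      Name: MY-SSL-PRF        (Front-End)
1)      Cipher Name: TLSv1.3     Priority :1
        Description: Predefined Cipher Alias

2)      Cipher Name: DEFAULT     Priority :2
        Description: Predefined Cipher Alias
"""

CIPHER_LINE = re.compile(r"Cipher Name:\s*(\S+)\s+Priority\s*:\s*(\d+)")


def parse_cipher_bindings(show_output):
    """Return {ciphername: priority} parsed from `show ssl profile <name>` text."""
    return {name: int(prio) for name, prio in CIPHER_LINE.findall(show_output)}


def _prio(value):
    # The playbook passes "1" and the module log shows 1.0; compare as integers.
    return int(float(value))


def plan_bindings(current, desired):
    """List the (action, ciphername, priority) steps that turn `current` into `desired`."""
    desired = {name: _prio(p) for name, p in desired.items()}
    steps = []
    for name, prio in current.items():
        if desired.get(name) != prio:
            steps.append(("unbind", name, prio))  # unwanted, or bound at the wrong priority
    for name, prio in desired.items():
        if current.get(name) != prio:
            steps.append(("bind", name, prio))  # an identical binding produces no step
    return steps


def apply_plan(current, steps):
    """Simulate the steps on a copy of `current` (no appliance is contacted)."""
    result = dict(current)
    for action, name, prio in steps:
        if action == "unbind":
            result.pop(name, None)
        else:
            result[name] = prio
    return result
```

Running `plan_bindings` a second time on the result of `apply_plan` returns an empty list, which is the idempotent outcome the report asks for.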
sumanth-lingappa added a commit that referenced this issue Jan 8, 2024
…_binding-fails-at-2nd-run

Issue #292 sslprofile sslcipher binding fails at 2nd run
@sumanth-lingappa
Collaborator

@jacek-777, this issue is fixed. This will be released in the next release.

However, you can also download this latest fix from GitHub directly.

ansible-galaxy collection install "git+https://github.com/netscaler/ansible-collection-netscaleradc.git" --force

Refer ansible-galaxy collection install "git+https://github.com/netscaler/ansible-collection-netscaleradc.git" [--force]
