pfsense_cert - Permission denied #86

Closed
git-day opened this issue Aug 23, 2023 · 2 comments

Comments


git-day commented Aug 23, 2023

What You Are Seeing?
Using the following module fails with a "PermissionError: [Errno 13] Permission denied:".

  • pfsensible.core.pfsense_cert

The playbook is split in two. The first playbook simply captures the certificate public and private keys, whilst the second playbook, shown below, attempts to update the config.xml. The two playbooks form part of a template under Ansible AWX. The template uses SSH to connect to the pfSense host and "Privilege Escalation" is ticked.

Ansible Playbook
/////////////////////////////////////////////////////////////////////////////////////////////////////////

---
- name: Upload certificate files
  hosts: fw.local
  gather_facts: no

  tasks:

    - name: Display Wildcard_Cert_Pub_Output content 
      debug:
        msg: " {{ Wildcard_Cert_Pub_Output_Set_Stats.stdout |b64encode }} "

    - name: Display Wildcard_Cert_Key_Output content 
      debug:
        msg: " {{ Wildcard_Cert_Key_Output_Set_Stats.stdout |b64encode }} "

    - name: Import Wildcard-Cert into FW
      pfsensible.core.pfsense_cert:
        method: "import"
        name: "Wildcard-Cert"
        certificate: '{{ Wildcard_Cert_Pub_Output_Set_Stats.stdout | b64encode }}'
        key: '{{ Wildcard_Cert_Key_Output_Set_Stats.stdout | b64encode }}'
        certtype: "server"
        state: present
      when: "'fw.local' in inventory_hostname"

/////////////////////////////////////////////////////////////////////////////////////////////////////////

Output Log
/////////////////////////////////////////////////////////////////////////////////////////////////////////
The full traceback is:
Traceback (most recent call last):
File "/usr/local/lib/python3.11/shutil.py", line 825, in move
os.rename(src, real_dst)
PermissionError: [Errno 13] Permission denied: '/tmp/tmpk0pzhphs' -> '/cf/conf/config.xml'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/home/admin-ssh/.ansible/tmp/ansible-tmp-1692438958.1501217-32-102164981810539/AnsiballZ_pfsense_cert.py", line 107, in
_ansiballz_main()
File "/home/admin-ssh/.ansible/tmp/ansible-tmp-1692438958.1501217-32-102164981810539/AnsiballZ_pfsense_cert.py", line 99, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File "/home/admin-ssh/.ansible/tmp/ansible-tmp-1692438958.1501217-32-102164981810539/AnsiballZ_pfsense_cert.py", line 47, in invoke_module…
/////////////////////////////////////////////////////////////////////////////////////////////////////////

@tangowithfoxtrot

You need to add become: true to your tasks:

---
- name: Upload certificate files
  hosts: fw.local
  gather_facts: no

  tasks:

    - name: Display Wildcard_Cert_Pub_Output content 
      debug:
        msg: " {{ Wildcard_Cert_Pub_Output_Set_Stats.stdout |b64encode }} "

    - name: Display Wildcard_Cert_Key_Output content 
      debug:
        msg: " {{ Wildcard_Cert_Key_Output_Set_Stats.stdout |b64encode }} "

    - name: Import Wildcard-Cert into FW
      pfsensible.core.pfsense_cert:
        method: "import"
        name: "Wildcard-Cert"
        certificate: '{{ Wildcard_Cert_Pub_Output_Set_Stats.stdout | b64encode }}'
        key: '{{ Wildcard_Cert_Key_Output_Set_Stats.stdout | b64encode }}'
        certtype: "server"
        state: present
      when: "'fw.local' in inventory_hostname"
      become: true

and add the pfSense-pkg-sudo package if you haven't already. These modules work by editing the /cf/conf/config.xml file referenced in your error output, which is only writable by the root user.
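
The following playbook is an added example, not code from the issue author or from the pfsensible project. It applies the same fix at play level (`become: true` with `become_method: sudo`, which on pfSense relies on the pfSense-pkg-sudo package and a sudoers entry for the SSH user), checks up front that the escalated user can actually write /cf/conf/config.xml so that a missing sudo setup fails with a readable message instead of an Errno 13 traceback, and sets `no_log: true` on the import task so the private key does not end up in the AWX job output. The debug tasks from the original playbook are dropped for the same reason: they print the key material into the log. The variable names `Wildcard_Cert_Pub_Output_Set_Stats` and `Wildcard_Cert_Key_Output_Set_Stats` are taken from the issue and are assumed to be set by the first playbook, as described there.

```yaml
---
# Added example (not from the issue): certificate import on pfSense with
# privilege escalation declared once at play level.
- name: Upload certificate files
  hosts: fw.local
  gather_facts: no
  # Every task in this play runs as root via sudo. On pfSense this needs the
  # pfSense-pkg-sudo package installed and the SSH user allowed in its config.
  become: true
  become_method: sudo

  tasks:
    # Pre-flight: under escalation, the module must be able to replace
    # /cf/conf/config.xml (root-owned). stat returns 'writeable' for the
    # user the task runs as, i.e. root when become works, the SSH user if not.
    - name: Check that config.xml is writable under privilege escalation
      ansible.builtin.stat:
        path: /cf/conf/config.xml
      register: cfg

    - name: Abort early if privilege escalation is not effective
      ansible.builtin.assert:
        that:
          - cfg.stat.exists
          - cfg.stat.writeable
        fail_msg: >-
          /cf/conf/config.xml is not writable by the escalated user; check that
          pfSense-pkg-sudo is installed and that {{ ansible_user | default('the SSH user') }}
          has a sudoers entry.

    # The module rewrites config.xml atomically (temp file + rename into
    # /cf/conf), which is why it needs root and not just read access.
    - name: Import Wildcard-Cert into FW
      pfsensible.core.pfsense_cert:
        method: import
        name: Wildcard-Cert
        certificate: "{{ Wildcard_Cert_Pub_Output_Set_Stats.stdout | b64encode }}"
        key: "{{ Wildcard_Cert_Key_Output_Set_Stats.stdout | b64encode }}"
        certtype: server
        state: present
      when: "'fw.local' in inventory_hostname"
      # Keep the private key out of AWX job output and callback logs.
      no_log: true
```

If the job template's "Privilege Escalation" box is ticked, AWX already runs the play with become enabled, but declaring it in the playbook keeps the behaviour the same when the playbook is run outside AWX. The sudo package can be installed from the pfSense package manager, or from the shell with `pkg install pfSense-pkg-sudo`; either way the connecting user still needs to be granted sudo rights in the package's configuration before the pre-flight check above will pass.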

@opoplawski (Contributor)

Thank you @tangowithfoxtrot
