Testing the external "Thycotic Secret Server" credential in Ansible Automation Platform fails with an SSL error

Solution In Progress - Updated -

Environment

  • Red Hat® Ansible Automation Platform 2.x

Issue

  • Testing the external "Thycotic Secret Server" credential with a Secret ID and Secret Field in the AAP web UI fails with a CERTIFICATE_VERIFY_FAILED error.

  • How do you fix the SSL error raised by the test run of the "Thycotic Secret Server" credential type?

Resolution

  • There are a couple of ways to fix the SSL verification error in AAP for this plugin:

    1. Build a custom execution environment (container image) that contains the CA bundle for the Secret Server and use that image to run the jobs. This covers lookups performed inside jobs; the credential test in the web UI is performed by the controller itself, which options 2 and 3 address.

    2. Install the CA certificate into the system trust store of the host that runs the AAP application (on RHEL, copy the PEM file to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust extract).

    3. The plugin talks to Secret Server through the Python requests library, which reads its CA bundle from the environment. Place the CA bundle for Thycotic on the controller host and set the environment variable REQUESTS_CA_BUNDLE to its path, as described in the module documentation.

  • If you are running on an OCP cluster, create a secret containing the CA bundle and mount it into the application pod. You may follow the reference doc for this; however, make sure to change the names to match the CA certificate from Thycotic.

Diagnostic Steps

  • Run the playbook manually from the CLI with the same values as the credential configured in Automation Controller. Here is the reference doc to follow.

  • When the play is executed it fails with SSL: CERTIFICATE_VERIFY_FAILED while connecting to Thycotic:

    fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while templating '{{\n    lookup(\n  'community.general.tss',\n    0,\n   base_url='https://<host_fqdn>/SecretServer/',\n    username='<username>',\n        password='<password>'\n )\n}}'. Error was a <class 'ansible.errors.AnsibleError'>, original message: An unhandled exception occurred while running the lookup plugin 'community.general.tss'. Error was a <class 'requests.exceptions.SSLError'>, original message: HTTPSConnectionPool(host='<host_fqdn>', port=443): Max retries exceeded with url: /SecretServer/oauth2/token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)'))). HTTPSConnectionPool(host='<host_fqdn>', port=443): Max retries exceeded with url: /SecretServer/oauth2/token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))"}
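
The following script is an added example, not part of this Red Hat solution, that carries the Diagnostic Steps and the three Resolution options through on a RHEL controller host. The Secret Server FQDN, the bundle file name thycotic-ca.pem, the playbook tss_lookup.yml and the base execution-environment image are placeholders (assumptions); /etc/pki/ca-trust/source/anchors/ and update-ca-trust are the standard RHEL trust-store path and tool, and the oauth2/token endpoint is the one shown in the traceback above.

```shell
#!/usr/bin/env bash
# Added example, not part of the Red Hat solution. Placeholders (assumptions):
# the Secret Server FQDN passed as the host argument, the CA chain saved as
# thycotic-ca.pem in the current directory, the playbook tss_lookup.yml that
# performs the community.general.tss lookup, and the base EE image argument.
set -u

# Count the PEM certificates in a bundle. "unable to get local issuer
# certificate" means the issuer of the presented chain is not trusted; a
# bundle holding only the leaf or only the root (one block) is the usual
# cause, so expect at least the intermediate and the root here.
# Returns 1 and prints nothing when the file is missing or unreadable.
pem_cert_count() {
    bundle="$1"
    [ -r "$bundle" ] || return 1
    grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true
}

# Diagnostic: print subject (s:) and issuer (i:) of every certificate the
# server presents, so the missing issuer can be matched against the bundle.
show_server_chain() {
    host="$1"
    openssl s_client -connect "${host}:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | grep -E '^ *[0-9]+ s:|^ *i:'
}

# Diagnostic: reproduce the plugin's request to the endpoint from the
# traceback with an explicit CA bundle. Any HTTP status printed means the TLS
# handshake succeeded; curl exit code 60 means the bundle still lacks the issuer.
verify_with_bundle() {
    host="$1"; bundle="$2"
    curl --silent --show-error --output /dev/null --write-out '%{http_code}\n' \
        --cacert "$bundle" "https://${host}/SecretServer/oauth2/token"
}

# Resolution option 2: add the CA to the RHEL system trust store on the host
# that runs the AAP application and rebuild the consolidated bundle.
install_ca_rhel() {
    bundle="$1"
    sudo cp "$bundle" /etc/pki/ca-trust/source/anchors/thycotic-ca.pem
    sudo update-ca-trust extract
}

# Resolution option 3: point python-requests at the bundle for the manual
# playbook run from the Diagnostic Steps (same lookup as in the traceback).
run_lookup_with_bundle() {
    bundle="$1"
    REQUESTS_CA_BUNDLE="$bundle" ansible-playbook tss_lookup.yml
}

# Resolution option 1: bake the bundle into a custom execution environment.
# The bundle must sit in the build context (current directory) for COPY.
build_ee_with_ca() {
    bundle="$1"; base_image="$2"; tag="$3"
    cat > Containerfile.thycotic <<EOF
FROM ${base_image}
COPY ${bundle} /etc/pki/ca-trust/source/anchors/thycotic-ca.pem
RUN update-ca-trust extract
EOF
    podman build -f Containerfile.thycotic -t "$tag" .
}

# Usage:
#   ./tss_ca.sh diagnose <host_fqdn> thycotic-ca.pem
#   ./tss_ca.sh install thycotic-ca.pem
#   ./tss_ca.sh run thycotic-ca.pem
#   ./tss_ca.sh build-ee thycotic-ca.pem <base_ee_image> ee-thycotic:latest
case "${1:-}" in
    diagnose)
        n=$(pem_cert_count "$3") || { echo "cannot read bundle $3" >&2; exit 1; }
        echo "bundle $3 contains $n certificate(s)"
        show_server_chain "$2"
        verify_with_bundle "$2" "$3" ;;
    install)  install_ca_rhel "$2" ;;
    run)      run_lookup_with_bundle "$2" ;;
    build-ee) build_ee_with_ca "$2" "$3" "$4" ;;
    *) : ;;   # run without arguments (or sourced): only define the functions
esac
```

Run the diagnose subcommand first: if curl exits with code 60 while the bundle reports only one certificate, the intermediate that issued the Secret Server certificate is missing from the bundle, and installing it on the host or building it into the image will not help until the full chain is in thycotic-ca.pem.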
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
