ipa_replica_install_cacerts failing using rhel_idm playbook via Ansible Automation
Issue
- Unable to automate the IdM replica installation with the Ansible role.
{{ 1692
1693 TASK [redhat.rhel_idm.ipareplica : Install - Replica preparation] **************
1694 task path: /usr/share/ansible/collections/ansible_collections/redhat/rhel_idm/roles/ipareplica/tasks/install.yml:153
1695 Using module file /usr/share/ansible/collections/ansible_collections/redhat/rhel_idm/plugins/modules/ipareplica_prepare.py
1696 Pipelining is enabled.
1697 <idm02.ccta.dk> ESTABLISH SSH CONNECTION FOR USER: infra
1698 <idm02.ccta.dk> SSH: EXEC sshpass -d12 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'User="infra"' -o ConnectTimeout=10 -o 'ControlPath="/runner/cp/122e92b721"' idm02.ccta.dk '/bin/sh -c '"'"'sudo -H -S -p "[sudo via ansible, key=aorixpxgdqckouyhhajiuvfkxzqnyvdt] password:" -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-aorixpxgdqckouyhhajiuvfkxzqnyvdt ; /usr/bin/python3'"'"'"'"'"'"'"'"' && sleep 0'"'"''
1699 Escalation succeeded
1700 <idm02.ccta.dk> (0, b'Checking DNS forwarders, please wait ...\\nDNS server 172.31.31.31: answer to query \\'. SOA\\' is missing DNSSEC signatures (no RRSIG data)\\nPlease fix forwarder configuration to enable DNSSEC support.\\nDNS server 172.20.14.4: answer to query \\'. SOA\\' is missing DNSSEC signatures (no RRSIG data)\\nPlease fix forwarder configuration to enable DNSSEC support.\\nDNS server 172.20.15.2: answer to query \\'. SOA\\' is missing DNSSEC signatures (no RRSIG data)\\nPlease fix forwarder configuration to enable DNSSEC support.\\nWARNING: DNSSEC validation will be disabled\\n\\n\{"changed": true, "ccache": "/tmp/krbccfrn1ixci/ccache", "installer_ccache": "/tmp/tmp8eu_oj8i", "subject_base": "O=IDM.CCTA.DK", "forward_policy": "only", "_ca_enabled": false, "_ca_subject": "None", "_subject_base": null, "_kra_enabled": false, "_ca_file": "/etc/ipa/ca.crt", "_top_dir": "/tmp/tmplkpv3e9nipa", "_add_to_ipaservers": true, "_dirsrv_pkcs12_info": ["/etc/ipa/.tmp_pkcs12_dirsrv", "8Bl$sQG@aQ@N496T9_U8;JG*fZcS^^:jxwhzaB0S~"], "_dirsrv_ca_cert": "", "_http_pkcs12_info": ["/etc/ipa/.tmp_pkcs12_http", "9Tf),v|@]DIweSN|AetN{~JC2DHuh[m[*[{O1+e?X"], "_http_ca_cert": "", "_pkinit_pkcs12_info": null, "_pkinit_ca_cert": null, "_random_serial_numbers": false, "no_dnssec_validation": true, "config_setup_ca": false, "config_master_host_name": "idm01.idm.ccta.dk", "config_ca_host_name": "idm01.idm.ccta.dk", "config_kra_host_name": "idm01.idm.ccta.dk", "config_ips": ["172.26.2.101"], "dns_ip_addresses": ["172.26.2.101"], "dns_reverse_zones": [], "rid_base": 1000, "secondary_rid_base": 100000000, "adtrust_netbios_name": "IDM", "adtrust_reset_netbios_name": false, "invocation": {"module_args": {"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "ip_addresses": [], "domain": "idm.ccta.dk", "realm": "IDM.CCTA.DK", "hostname": "idm02.idm.ccta.dk", "principal": "admin", "ca_cert_files": [], "no_host_dns": false, "setup_adtrust": true, "setup_ca": false, "setup_kra": false, 
"setup_dns": true, "dirsrv_cert_files": ["/root/ssl/idm02.idm.ccta.dk.key", "/root/ssl/idm02.idm.ccta.dk.cer", "/root/ssl/ca-chain.pem"], "dirsrv_pin": "", "http_cert_files": ["/root/ssl/idm02.idm.ccta.dk.key", "/root/ssl/idm02.idm.ccta.dk.cer", "/root/ssl/ca-chain.pem"], "http_pin": "", "pkinit_cert_files": [], "mkhomedir": false, "force_join": false, "no_ntp": false, "ssh_trust_dns": false, "no_ssh": false, "no_sshd": false, "no_dns_sshfp": false, "allow_zone_overlap": false, "reverse_zones": [], "no_reverse": false, "auto_reverse": false, "forwarders": ["172.31.31.31", "172.20.14.4", "172.20.15.2"], "no_forwarders": false, "auto_forwarders": false, "no_dnssec_validation": false, "enable_compat": false, "server": "idm01.idm.ccta.dk", "skip_conncheck": true, "sid_generation_always": false, "rid_base": 1000, "secondary_rid_base": 100000000, "dm_password": null, "dirsrv_cert_name": null, "http_cert_name": null, "pkinit_cert_name": null, "pkinit_pin": null, "keytab": null, "forward_policy": null, "netbios_name": null}}}\\n', b'')
1701 changed: [idm02.ccta.dk] => {
1702 "_add_to_ipaservers": true,
1703 "_ca_enabled": false,
1704 "_ca_file": "/etc/ipa/ca.crt",
1705 "_ca_subject": "None"}}
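>>> In the output of `redhat.rhel_idm.ipareplica_prepare`, registered in `result_ipareplica_prepare`, the value of `_ca_subject` is the string "None" (https://github.com/freeipa/ansible-freeipa/blob/v1.12.0/roles/ipareplica/tasks/install.yml#L207).
>>> Note: this verbose task result also prints the PINs of the temporary PKCS#12 files (`_dirsrv_pkcs12_info`, `_http_pkcs12_info`) in clear text, both in the raw module output and in the formatted result. Redact those fields before attaching such logs to a case or posting them.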
{{ 1706 "_dirsrv_ca_cert": "",
1707 "_dirsrv_pkcs12_info": [
1708 "/etc/ipa/.tmp_pkcs12_dirsrv",
1709 "8Bl$sQG@aQ@N496T9_U8;JG*fZcS^^:jxwhzaB0S~"
1710 ],
1711 "_http_ca_cert": "",
1712 "_http_pkcs12_info": [
1713 "/etc/ipa/.tmp_pkcs12_http",
1714 "9Tf),v|@]DIweSN|AetN\{~JC2DHuh[m[*[{O1+e?X"
1715 ],
1716 "_kra_enabled": false,
1717 "_pkinit_ca_cert": null,
1718 "_pkinit_pkcs12_info": null,
1719 "_random_serial_numbers": false,
1720 "_subject_base": null,
1721 "_top_dir": "/tmp/tmplkpv3e9nipa",
1722 "adtrust_netbios_name": "IDM",
1723 "adtrust_reset_netbios_name": false,
1724 "ccache": "/tmp/krbccfrn1ixci/ccache",
1725 "changed": true,
1726 "config_ca_host_name": "idm01.idm.ccta.dk",
1727 "config_ips": [
1728 "172.26.2.101"
1729 ],
1730 "config_kra_host_name": "idm01.idm.ccta.dk",
1731 "config_master_host_name": "idm01.idm.ccta.dk",
1732 "config_setup_ca": false,
1733 "dns_ip_addresses": [
1734 "172.26.2.101"
1735 ],
1736 "dns_reverse_zones": [],
1737 "forward_policy": "only",
1738 "installer_ccache": "/tmp/tmp8eu_oj8i",
1739 "invocation": {
1740 "module_args": {
1741 "allow_zone_overlap": false,
1742 "auto_forwarders": false,
1743 "auto_reverse": false,
1744 "ca_cert_files": [],
1745 "dirsrv_cert_files": [
1746 "/root/ssl/idm02.idm.ccta.dk.key",
1747 "/root/ssl/idm02.idm.ccta.dk.cer",
1748 "/root/ssl/ca-chain.pem"
1749 ],
1750 "dirsrv_cert_name": null,
1751 "dirsrv_pin": "",
1752 "dm_password": null,
1753 "domain": "idm.ccta.dk",
1754 "enable_compat": false,
1755 "force_join": false,
1756 "forward_policy": null,
1757 "forwarders": [
1758 "172.31.31.31",
1759 "172.20.14.4",
1760 "172.20.15.2"
1761 ],
1762 "hostname": "idm02.idm.ccta.dk",
1763 "http_cert_files": [
1764 "/root/ssl/idm02.idm.ccta.dk.key",
1765 "/root/ssl/idm02.idm.ccta.dk.cer",
1766 "/root/ssl/ca-chain.pem"
1767 ],
1768 "http_cert_name": null,
1769 "http_pin": "",
1770 "ip_addresses": [],
1771 "keytab": null,
1772 "mkhomedir": false,
1773 "netbios_name": null,
1774 "no_dns_sshfp": false,
1775 "no_dnssec_validation": false,
1776 "no_forwarders": false,
1777 "no_host_dns": false,
1778 "no_ntp": false,
1779 "no_reverse": false,
1780 "no_ssh": false,
1781 "no_sshd": false,
1782 "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
1783 "pkinit_cert_files": [],
1784 "pkinit_cert_name": null,
1785 "pkinit_pin": null,
1786 "principal": "admin",
1787 "realm": "IDM.CCTA.DK",
1788 "reverse_zones": [],
1789 "rid_base": 1000,
1790 "secondary_rid_base": 100000000,
1791 "server": "idm01.idm.ccta.dk",
1792 "setup_adtrust": true,
1793 "setup_ca": false,
1794 "setup_dns": true,
1795 "setup_kra": false,
1796 "sid_generation_always": false,
1797 "skip_conncheck": true,
1798 "ssh_trust_dns": false
1799 }
1800 },
1801 "no_dnssec_validation": true,
1802 "rid_base": 1000,
1803 "secondary_rid_base": 100000000,
1804 "subject_base": "O=IDM.CCTA.DK"
1805 }
1806
...}}
>>> Now `ipareplica_install_ca_certs` is called with `_ca_subject: "{{ result_ipareplica_prepare._ca_subject }}"` (https://github.com/freeipa/ansible-freeipa/blob/v1.12.0/roles/ipareplica/tasks/install.yml#L265).
{{ 1855
1856 TASK [redhat.rhel_idm.ipareplica : Install - Install CA certs] *****************
1857 task path: /usr/share/ansible/collections/ansible_collections/redhat/rhel_idm/roles/ipareplica/tasks/install.yml:237
1858 Using module file /usr/share/ansible/collections/ansible_collections/redhat/rhel_idm/plugins/modules/ipareplica_install_ca_certs.py
1859 Pipelining is enabled.
1860 <idm02.ccta.dk> ESTABLISH SSH CONNECTION FOR USER: infra
1861 <idm02.ccta.dk> SSH: EXEC sshpass -d12 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'User="infra"' -o ConnectTimeout=10 -o 'ControlPath="/runner/cp/122e92b721"' idm02.ccta.dk '/bin/sh -c '"'"'sudo -H -S -p "[sudo via ansible, key=utvsjivybobpbrrqwlxiiwumhsfnghax] password:" -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-utvsjivybobpbrrqwlxiiwumhsfnghax ; /usr/bin/python3'"'"'"'"'"'"'"'"' && sleep 0'"'"''
1862 Escalation succeeded
1863 <idm02.ccta.dk> (1, b'\\n\{"failed": true, "msg": "argument \\'_ca_subject\\' is of type <class \\'NoneType\\'> and we were unable to convert to str: \\'None\\' is not a string and conversion is not allowed", "invocation": {"module_args": {"dm_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "ip_addresses": [], "domain": "idm.ccta.dk", "realm": "IDM.CCTA.DK", "hostname": "idm02.idm.ccta.dk", "ca_cert_files": [], "no_host_dns": false, "setup_adtrust": true, "setup_kra": false, "setup_dns": true, "setup_ca": false, "dirsrv_cert_files": ["/root/ssl/idm02.idm.ccta.dk.key", "/root/ssl/idm02.idm.ccta.dk.cer", "/root/ssl/ca-chain.pem"], "force_join": false, "server": "idm01.idm.ccta.dk", "ccache": "/tmp/krbccfrn1ixci/ccache", "installer_ccache": "/tmp/tmp8eu_oj8i", "subject_base": "O=IDM.CCTA.DK", "_top_dir": "/tmp/tmplkpv3e9nipa", "_add_to_ipaservers": true, "_ca_subject": null, "_subject_base": null, "dirman_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "config_setup_ca": false, "config_master_host_name": "idm01.idm.ccta.dk", "config_ca_host_name": "idm01.idm.ccta.dk", "config_ips": ["172.26.2.101"]}}}\\n', b'')
1864 <idm02.ccta.dk> Failed to connect to the host via ssh:
1865 fatal: [idm02.ccta.dk]: FAILED! => {
1866 "changed": false,
1867 "invocation": {
1868 "module_args": {
1869 "_add_to_ipaservers": true,
1870 "_ca_subject": null,}}
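>>> The value passed to the module is now null instead of the string "None". The module's argument validation therefore rejects `_ca_subject`, as the "msg" field of the failed result below shows.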
{{ 1871 "_subject_base": null,
1872 "_top_dir": "/tmp/tmplkpv3e9nipa",
1873 "ca_cert_files": [],
1874 "ccache": "/tmp/krbccfrn1ixci/ccache",
1875 "config_ca_host_name": "idm01.idm.ccta.dk",
1876 "config_ips": [
1877 "172.26.2.101"
1878 ],
1879 "config_master_host_name": "idm01.idm.ccta.dk",
1880 "config_setup_ca": false,
1881 "dirman_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
1882 "dirsrv_cert_files": [
1883 "/root/ssl/idm02.idm.ccta.dk.key",
1884 "/root/ssl/idm02.idm.ccta.dk.cer",
1885 "/root/ssl/ca-chain.pem"
1886 ],
1887 "dm_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
1888 "domain": "idm.ccta.dk",
1889 "force_join": false,
1890 "hostname": "idm02.idm.ccta.dk",
1891 "installer_ccache": "/tmp/tmp8eu_oj8i",
1892 "ip_addresses": [],
1893 "no_host_dns": false,
1894 "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
1895 "realm": "IDM.CCTA.DK",
1896 "server": "idm01.idm.ccta.dk",
1897 "setup_adtrust": true,
1898 "setup_ca": false,
1899 "setup_dns": true,
1900 "setup_kra": false,
1901 "subject_base": "O=IDM.CCTA.DK"
1902 }
1903 },
1904 "msg": "argument '_ca_subject' is of type <class 'NoneType'> and we were unable to convert to str: 'None' is not a string and conversion is not allowed"
1905 }
1906
...}}
Environment
- RHEL 9.3
- IPA