Ansible: Install ssl certificate on admin vserver

Boreus

Hello,

We're trying to deploy and install a CA-signed SSL certificate on the admin vserver to get HTTPS when connecting to the cluster webgui.

With the netapp.ontap.na_ontap_security_certificates module we have successfully deployed the certificate on the cluster, but it will not be used by the vserver.

We somehow need to execute this command:

security ssl modify -vserver [VSERVER] -serial [SERIAL] -ca [CA]

Is this possible without using the na_ontap_ssh_command module?

https://docs.ansible.com/ansible/latest/collections/netapp/ontap/na_ontap_security_certificates_module.html#ansible-collections-netapp-ontap-na-ontap-...

1 ACCEPTED SOLUTION

DarrenJ

Understood. You will likely need the na_ontap_ssh_command module as you mentioned, as I'm not aware of any other way to install it.

Others might have a better suggestion though.


DarrenJ

This might be useful.

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_install_a_Certificate_Authority_(CA)_signed_certificate_in_ONTA...

Are you trying to find a way to install it without getting into the CLI at all?

Boreus

Hey,

yes, we would like to completely change the certificate via ansible.

hilke_p

Is there still no other way?

I would like to renew all certificates with acme.

Therefore I have to get all certs which are used for ssl.

A subset is missing here in the ontap_rest_info, as is a separate module for ssl itself to modify the used certificates.

Will something be coming? Because na_ontap_ssh_command does not come back with "security ssl show".

hilke_p

Here is the fatal error:
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: EOFError
fatal: [stcl-1092]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n File \"/tmp/ansible-tmp-1734079897.7925482-2334-30473195858796/AnsiballZ_na_ontap_ssh_command.py\", line 107, in <module>\n _ansiballz_main()\n File \"/tmp/ansible-tmp-1734079897.7925482-2334-30473195858796/AnsiballZ_na_ontap_ssh_command.py\", line 99, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/tmp/ansible-tmp-1734079897.7925482-2334-30473195858796/AnsiballZ_na_ontap_ssh_command.py\", line 47, in invoke_module\n runpy.run_module(mod_name='ansible_collections.netapp.ontap.plugins.modules.na_ontap_ssh_command', init_globals=dict(_module_fqn='ansible_collections.netapp.ontap.plugins.modules.na_ontap_ssh_command', _modlib_path=modlib_path),\n File \"/usr/lib64/python3.9/runpy.py\", line 225, in run_module\n return _run_module_code(code, init_globals, run_name, mod_spec)\n File \"/usr/lib64/python3.9/runpy.py\", line 97, in _run_module_code\n _run_code(code, mod_globals, init_globals,\n File \"/usr/lib64/python3.9/runpy.py\", line 87, in _run_code\n exec(code, run_globals)\n File \"/tmp/ansible_netapp.ontap.na_ontap_ssh_command_payload_elfmmg7l/ansible_netapp.ontap.na_ontap_ssh_command_payload.zip/ansible_collections/netapp/ontap/plugins/modules/na_ontap_ssh_command.py\", line 254, in <module>\n File \"/tmp/ansible_netapp.ontap.na_ontap_ssh_command_payload_elfmmg7l/ansible_netapp.ontap.na_ontap_ssh_command_payload.zip/ansible_collections/netapp/ontap/plugins/modules/na_ontap_ssh_command.py\", line 249, in main\n File \"/tmp/ansible_netapp.ontap.na_ontap_ssh_command_payload_elfmmg7l/ansible_netapp.ontap.na_ontap_ssh_command_payload.zip/ansible_collections/netapp/ontap/plugins/modules/na_ontap_ssh_command.py\", line 164, in __init__\n File \"/usr/local/lib/python3.9/site-packages/paramiko/client.py\", line 485, in connect\n self._auth(\n File \"/usr/local/lib/python3.9/site-packages/paramiko/client.py\", line 754, in _auth\n 
self._transport.auth_publickey(username, key)\n File \"/usr/local/lib/python3.9/site-packages/paramiko/transport.py\", line 1670, in auth_publickey\n self.auth_handler.auth_publickey(username, key, my_event)\n File \"/usr/local/lib/python3.9/site-packages/paramiko/auth_handler.py\", line 129, in auth_publickey\n self._request_auth()\n File \"/usr/local/lib/python3.9/site-packages/paramiko/auth_handler.py\", line 191, in _request_auth\n self.transport._send_message(m)\n File \"/usr/local/lib/python3.9/site-packages/paramiko/transport.py\", line 1929, in _send_message\n self.packetizer.send_message(data)\n File \"/usr/local/lib/python3.9/site-packages/paramiko/packet.py\", line 435, in send_message\n self.write_all(out)\n File \"/usr/local/lib/python3.9/site-packages/paramiko/packet.py\", line 368, in write_all\n raise EOFError()\nEOFError\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

hilke_p

Please do not bother; the problem was that the ssh_key_forwarding automatically tried to use keys when there was a login configured with username and password.
After fixing that I could use the module na_ontap_ssh_command.

Still, why is there no possibility with a native ansible module, nor a rest call, when it was possible in ontapi (with the powershell module), for example?

CAPATEL_NET1984

Would like to see the code if possible. I am using cli commands in ansible, but it would be useful to see how you coded the whole workflow using modules.
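
Added example, not posted by any participant and not NetApp's own code: the approach the thread settles on, running the security ssl modify command from the first post through na_ontap_ssh_command. Host, user and variable names and the serial/CA values are constructed placeholders, and the allow-list patterns are assumptions about what those values look like.

```yaml
---
# Added example: all values under "vars" are constructed placeholders.
- name: Point the admin vserver SSL service at an installed certificate
  hosts: localhost
  gather_facts: false
  vars:
    ontap_hostname: cluster1.example.com   # placeholder
    ontap_username: admin                  # placeholder
    admin_vserver: cluster1                # placeholder admin vserver name
    cert_serial: "0123456789ABCDEF"        # constructed; assumed to be hex
    cert_ca: "Example Issuing CA"          # constructed CA name
    # ontap_password is expected from Ansible Vault, never from plain vars.
  tasks:
    # The values are spliced into a CLI string, so allow-list them first:
    # anything outside these patterns could change the command that runs.
    - name: Reject values that could alter the CLI command
      ansible.builtin.assert:
        that:
          - admin_vserver is match('^[A-Za-z0-9_.-]+$')
          - cert_serial is match('^[0-9A-Fa-f]+$')
          - cert_ca is match('^[A-Za-z0-9 _.-]+$')
        fail_msg: Unexpected characters in vserver, serial or CA name

    - name: Run security ssl modify over SSH
      netapp.ontap.na_ontap_ssh_command:
        hostname: "{{ ontap_hostname }}"
        username: "{{ ontap_username }}"
        password: "{{ ontap_password }}"
        # Do not auto-trust an SSH host key that has not been seen before.
        accept_unknown_host_keys: false
        command: >-
          security ssl modify -vserver {{ admin_vserver }}
          -serial {{ cert_serial }} -ca "{{ cert_ca }}"
      no_log: true   # keep the password out of task output and logs
```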