标签:美的 ror -- username err off cer cts gen
似乎有一个问题让uri模块很好地处理出入境TLS。 我已经设法让客户端验证或服务器验证工作,但不同时,这似乎很奇怪。 旋度相同的安装工作没有问题,如下显示。 如果你有一些经验与uri模块和TLS,也许你可以帮助。设置
我有设置Apache httpd接受TLS连接主机,自签署的根证书,一个中间CA证书,一个服务器证书签发给127.0.0.1,客户机证书。我可以用旋度测试这个设置,和,一切工作正常,见下文。
文件host.127.0.0.1.cert。 pem包含三个证书:根,中间,和服务器证书。 文件ca.chain。 pem包含两个证书:根和中间。 文件client.SomeUser.cert。 pem包含一个证书:客户端证书
正如你所看到的从下面的输出,我运行python version = 3.7.0
从httpd . conf:
Listen 443
<VirtualHost *:443>
ServerName 127.0.0.1
SSLEngine on
SSLCertificateFile "/path/to/host.127.0.0.1.cert.pem"
SSLCertificateKeyFile "/path/to/host.127.0.0.1.privkey.nopass.pem"
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile "/path/to/ca.chain.pem"
</VirtualHost>
测试与旋度的设置
cURL命令和输出:
$ curl -vvv --cert client.SomeUser.cert.pem --key client.SomeUser.privkey.pem --cacert ca.chain.pem -X GET https://127.0.0.1
GET / HTTP/1.1
Host: 127.0.0.1
User-Agent: curl/7.54.0
Accept: /< HTTP/1.1 200 OK
< Date: Fri, 14 Dec 2018 15:03:31 GMT
< Server: Apache/2.4.33 (Unix) LibreSSL/2.2.7
< Content-Location: index.html.en
< Vary: negotiate
< TCN: choice
< Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT
< ETag: "2d-432a5e4a73a80"
< Accept-Ranges: bytes
< Content-Length: 45
< Content-Type: text/html
<
<html><body><h1>It works!</h1></body></html>
与ANSIBLE测试设置
我ansible任务是这样的:
这是ansible命令和输出当失败时:
$ SSL_CERT_FILE=/path/to/ca.chain.pem ansible-playbook my-playbook.yml -vvv
ansible-playbook 2.7.4
config file = /Users/xxx/.ansible.cfg
configured module search path = [‘/Users/xxx/.ansible/plugins/modules‘, ‘/usr/share/ansible/plugins/modules‘]
ansible python module location = /Users/xxx/virtualenvs/p3/lib/python3.7/site-packages/ansible
executable location = /Users/xxx/virtualenvs/p3/bin/ansible-playbook
python version = 3.7.0 (default, Aug 22 2018, 15:22:33) [Clang 9.1.0 (clang-902.0.39.2)]
Using /Users/xxx/.ansible.cfg as config file
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected
/etc/ansible/hosts did not meet script requirements, check plugin documentation if this is unexpected
Parsed /etc/ansible/hosts inventory source with ini plugin
......output omitted......
The full traceback is:
File "/var/folders/78/n3ytyhrs2415sl3h8h1fms000000gn/T/ansible_uri_payload_bus4199a/ansible_uri_payload.zip/ansible/module_utils/urls.py", line 1259, in fetch_url
client_key=client_key, cookies=cookies)
File "/var/folders/78/n3ytyhrs2415sl3h8h1fms000000gn/T/ansible_uri_payload_bus4199a/ansible_uri_payload.zip/ansible/module_utils/urls.py", line 1162, in open_url
client_cert=client_cert, client_key=client_key, cookies=cookies)
File "/var/folders/78/n3ytyhrs2415sl3h8h1fms000000gn/T/ansible_uri_payload_bus4199a/ansible_uri_payload.zip/ansible/module_utils/urls.py", line 1070, in open
r = urllib_request.urlopen(*urlopen_args)
File "/usr/local/Cellar/python/3.7.0/Frameworks/Python.framework/Versions/3.7/lib/python3.7/urllib/request.py", line 222, in urlopen
return opener.open(url, data, timeout)
File "/usr/local/Cellar/python/3.7.0/Frameworks/Python.framework/Versions/3.7/lib/python3.7/urllib/request.py", line 523, in open
req = meth(req)
File "/var/folders/78/n3ytyhrs2415sl3h8h1fms000000gn/T/ansible_uri_payload_bus4199a/ansible_uri_payload.zip/ansible/module_utils/urls.py", line 779, in http_request
build_ssl_validation_error(self.hostname, self.port, paths_checked, e)
File "/var/folders/78/n3ytyhrs2415sl3h8h1fms000000gn/T/ansible_uri_payload_bus4199a/ansible_uri_payload.zip/ansible/module_utils/urls.py", line 580, in build_ssl_validation_error
raise SSLValidationError(‘ ‘.join(msg) % (hostname, port, ", ".join(paths)))
fatal: [127.0.0.1]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"attributes": null,
"backup": null,
"body": null,
"body_format": "raw",
"client_cert": "/path/to/client.SomeUser.cert.pem",
"client_key": "/path/to/client.SomeUser.privkey.pem",
"content": null,
"creates": null,
"delimiter": null,
"dest": null,
"directory_mode": null,
"follow": false,
"follow_redirects": "safe",
"force": false,
"force_basic_auth": false,
"group": null,
"headers": {},
"http_agent": "ansible-httpget",
"method": "GET",
"mode": null,
"owner": null,
"regexp": null,
"remote_src": null,
"removes": null,
"return_content": false,
"selevel": null,
"serole": null,
"setype": null,
"seuser": null,
"src": null,
"status_code": [
200
],
"timeout": 30,
"unsafe_writes": null,
"url": "https://127.0.0.1/",
"url_password": null,
"url_username": null,
"use_proxy": true,
"validate_certs": true
}
},
"msg": "Failed to validate the SSL certificate for 127.0.0.1:443. Make sure your managed systems have a valid CA certificate installed. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/ansible, /usr/local/etc/openssl. The exception msg was: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1045)."
}
如上所述,ansible-playbook调用作品完美的服务器验证客户端证书或客户机验证服务器证书,但不是同时。 因为这是工作与旋度好,我猜一定有毛病uri模块如何处理TLS。
标签:美的 ror -- username err off cer cts gen
原文地址:http://blog.51cto.com/14021402/2331567