PROBLEM SUMMARY
Getting Timeout on "Enroll Venafi certificate on ..." on first run. Second run works okay because certificate has been created by then.
STEPS TO REPRODUCE
Use the role to enroll a certificate for a server that does not already have one.
EXPECTED RESULTS
The certificate is generated as expected and copied to the remote server.
ACTUAL RESULTS
{
"exception": "Traceback (most recent call last):\n File "", line 102, in \n File "", line 94, in _ansiballz_main\n File "", line 40, in invoke_module\n File "/usr/lib64/python2.7/runpy.py", line 176, in run_module\n fname, loader, pkg_name)\n File "/usr/lib64/python2.7/runpy.py", line 82, in _run_module_code\n mod_name, mod_fname, mod_loader, pkg_name)\n File "/usr/lib64/python2.7/runpy.py", line 72, in _run_code\n exec code in run_globals\n File "/tmp/ansible_venafi_certificate_payload_unXgMF/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py", line 718, in \n File "/tmp/ansible_venafi_certificate_payload_unXgMF/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py", line 709, in main\n File "/tmp/ansible_venafi_certificate_payload_unXgMF/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py", line 388, in enroll\n File "/usr/lib/python2.7/site-packages/vcert/connection_tpp.py", line 285, in read_zone_conf\n status, data = self._post(URLS.ZONE_CONFIG, {"PolicyDN": self._get_policy_dn(tag)})\n File "/usr/lib/python2.7/site-packages/vcert/connection_tpp.py", line 91, in _post\n self.auth()\n File "/usr/lib/python2.7/site-packages/vcert/connection_tpp.py", line 120, in auth\n **self._http_request_kwargs)\n File "/usr/lib/python2.7/site-packages/requests/api.py", line 108, in post\n return request('post', url, data=data, json=json, **kwargs)\n File "/usr/lib/python2.7/site-packages/requests/api.py", line 50, in request\n response = session.request(method=method, url=url, **kwargs)\n File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 486, in request\n resp = self.send(prep, **send_kwargs)\n File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 598, in send\n r = adapter.send(request, **kwargs)\n File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 433, in send\n raise ReadTimeout(e, request=request)\nrequests.exceptions.ReadTimeout: 
HTTPSConnectionPool(host='xxx.xxx.xxx.xxx', port=443): Read timed out. (read timeout=60)\n",
"_ansible_no_log": false,
"_ansible_delegated_vars": {
"ansible_host": "xxx.xxx.xxx.xxx"
},
"module_stderr": "Traceback (most recent call last):\n File "", line 102, in \n File "", line 94, in _ansiballz_main\n File "", line 40, in invoke_module\n File "/usr/lib64/python2.7/runpy.py", line 176, in run_module\n fname, loader, pkg_name)\n File "/usr/lib64/python2.7/runpy.py", line 82, in _run_module_code\n mod_name, mod_fname, mod_loader, pkg_name)\n File "/usr/lib64/python2.7/runpy.py", line 72, in _run_code\n exec code in run_globals\n File "/tmp/ansible_venafi_certificate_payload_unXgMF/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py", line 718, in \n File "/tmp/ansible_venafi_certificate_payload_unXgMF/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py", line 709, in main\n File "/tmp/ansible_venafi_certificate_payload_unXgMF/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py", line 388, in enroll\n File "/usr/lib/python2.7/site-packages/vcert/connection_tpp.py", line 285, in read_zone_conf\n status, data = self._post(URLS.ZONE_CONFIG, {"PolicyDN": self._get_policy_dn(tag)})\n File "/usr/lib/python2.7/site-packages/vcert/connection_tpp.py", line 91, in _post\n self.auth()\n File "/usr/lib/python2.7/site-packages/vcert/connection_tpp.py", line 120, in auth\n **self._http_request_kwargs)\n File "/usr/lib/python2.7/site-packages/requests/api.py", line 108, in post\n return request('post', url, data=data, json=json, **kwargs)\n File "/usr/lib/python2.7/site-packages/requests/api.py", line 50, in request\n response = session.request(method=method, url=url, **kwargs)\n File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 486, in request\n resp = self.send(prep, **send_kwargs)\n File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 598, in send\n r = adapter.send(request, **kwargs)\n File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 433, in send\n raise ReadTimeout(e, request=request)\nrequests.exceptions.ReadTimeout: 
HTTPSConnectionPool(host='xxx.xxx.xxx.xxx', port=443): Read timed out. (read timeout=60)\n",
"changed": false,
"module_stdout": "",
"rc": 1,
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"
}
ENVIRONMENT DETAILS
Using Ansible Tower v3.6.3 to run the role.
COMMENTS/WORKAROUNDS
Running the role again for the same server succeeds because the certificate is already generated and the enroll task completes quickly.
I don't think it's the role that's broken, but rather a default timeout value in the Python requests library. Perhaps the role could allow the timeout to be adjusted upward from the default 60 seconds to allow the Venafi server more time to generate the certificate.
Hi @AaronJaegerVA, can you please confirm which CA you are using? For all of our DevOps integrations, including Ansible, we only consider CAs that are capable of reliably issuing certificates in 60 seconds or less to be applicable.
Hi,
With the latest release of vcert (https://pypi.org/project/vcert/0.11.1/), they have configured the timeout to be 0 by default, causing the retrieval of the certificate to fail every time. We had to switch back to vcert 0.11.0 to fix this.
Thank you for letting us know @sajayku, it does indeed sound like a bug in vcert-python. The default timeout should be 180 seconds if the timeout parameter is not explicitly assigned a value. If you've assigned a value of 0 to the timeout parameter then the behavior you described is expected (i.e. only attempt to retrieve the certificate one time, immediately after requesting it).
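The timeout semantics described in the last reply (unset means 180 seconds, an explicit 0 means a single immediate attempt), as an added example that is not vcert-python's code or the role's code. `retrieve_with_timeout`, `CertificatePending` and `FakeCA` are hypothetical names, and the 2-second poll interval and the simulated CA are assumptions.

```python
import time

DEFAULT_TIMEOUT = 180  # seconds; the default stated in the thread

class CertificatePending(Exception):
    """The certificate was not issued before the timeout expired."""

def retrieve_with_timeout(fetch, timeout=None, interval=2.0,
                          clock=time.monotonic, sleep=time.sleep):
    """Poll fetch() until it returns a certificate; return (cert, attempts).

    timeout=None means "not set" and falls back to DEFAULT_TIMEOUT;
    timeout=0 means exactly one attempt with no waiting.
    """
    # Test for None explicitly. `timeout or DEFAULT_TIMEOUT` would turn an
    # explicit 0 into 180, and a signature default of 0 would turn
    # "not set" into "try once and give up".
    if timeout is None:
        timeout = DEFAULT_TIMEOUT
    if timeout < 0:
        raise ValueError("timeout must be >= 0")
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        cert = fetch()
        if cert is not None:
            return cert, attempts
        if clock() + interval > deadline:  # next poll would be too late
            raise CertificatePending(
                "pending after %d attempt(s), timeout=%ss" % (attempts, timeout))
        sleep(interval)

class FakeCA:
    """Constructed stand-in for a CA that issues after `ready_at` seconds."""
    def __init__(self, ready_at):
        self.now, self.ready_at = 0.0, ready_at
    def clock(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds  # advance simulated time instead of blocking
    def fetch(self):
        return "CONSTRUCTED-CERT" if self.now >= self.ready_at else None

if __name__ == "__main__":
    ca = FakeCA(ready_at=90)  # slower than 60 s, faster than 180 s
    print(retrieve_with_timeout(ca.fetch, clock=ca.clock, sleep=ca.sleep))
```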