topic Re: error: certfile should be a valid filesystem path in Panorama Discussions

error: certfile should be a valid filesystem path

Priyanka_Reddy — Fri, 14 Apr 2023 13:37:12 GMT

Hi Team,

I am trying to automate palo alto version 10.2.3-h2. Initially I tried to use Ansible: palo_security_rule module to push a security rule to palo alto, but I got error "hip_profiles unexpected here". The workaround for this error as looked up in google was to load current config in palo alto, which was not accepted as a feasible solution by my team.

So I tried to use Ansible Api method to push the security rule to palo alto and I am getting this error "msg": "Status code was -1 and not [200]: An unknown error occurred: certfile should be a valid filesystem path",

I haven't got any workarounds for this error, and I didn't understand what this is related to. Can anyone please help me how can I fix this.

Below is the script I have written in ansible for pushing security rule.

- name: Get API key
uri:
url: https://{{ inventory_hostname }}/api/
method: GET
status_code: 200
validate_certs: no
use_proxy: no
return_content: yes
body_format: json
headers:
Content-Type: application/xml
body:
type: keygen
user: "{{ creds['username'] }}"
password: "{{ creds['password'] }}"
register: api_key_result1
delegate_to: localhost

- name: print security key
shell: echo "{{ api_key_result.content }}" | grep -o -P '(?<=<key>).*(?=</key>)'
register: key

- name: Create Security rule
uri:
url: 'https://<IP-ADDRESS>/restapi/v10.2/Policies/SecurityPreRules?location=vsys&vsys=<VALUE>&name=Ansible_Test_Rule'
client_key: "{{ key.stdout_lines }}"
method: POST
status_code: 200
body:
source: <>
destination: <>
service: "HTTPS"
body_format: json
headers:
Content-Type: application/xml
follow_redirects: all
return_content: yes
validate_certs: no
use_proxy: no
register: result

========================================================

ERROR:

File "/usr/lib64/python3.6/http/client.py", line 1422, in __init__
context.load_cert_chain(cert_file, key_file)
TypeError: certfile should be a valid filesystem path
fatal: [<IP>]: FAILED! => {
"changed": false,
"content": "",
"elapsed": 0,
"invocation": {
"module_args": {
"attributes": null,
"backup": null,
"body": {
"destination": "<>",
"service": "HTTPS",
"source": "<IP>"
},
"body_format": "json",
"client_cert": null,
"client_key": "[<KEY>]",
"content": null,
"creates": null,
"delimiter": null,
"dest": null,
"directory_mode": null,
"follow": false,
"follow_redirects": "all",
"force": false,
"force_basic_auth": false,
"group": null,
"headers": {
"Content-Type": "application/xml"
},
"http_agent": "ansible-httpget",
"method": "POST",
"mode": null,
"owner": null,
"regexp": null,
"remote_src": null,
"removes": null,
"return_content": true,
"selevel": null,
"serole": null,
"setype": null,
"seuser": null,
"src": null,
"status_code": [
"200"
],
"timeout": 30,
"unix_socket": null,
"unsafe_writes": false,
"url": "https://<IP>/restapi/v10.2/Policies/SecurityPreRules?location=vsys&vsys=<DEVICE-GROUP>&name=Ansible_Test_Rule",
"url_password": null,
"url_username": null,
"use_proxy": false,
"validate_certs": false
}
},
"msg": "Status code was -1 and not [200]: An unknown error occurred: certfile should be a valid filesystem path",
"redirected": false,
"status": -1,
"url": "https://<IP>/restapi/v10.2/Policies/SecurityPreRules?location=vsys&vsys=DEVICE-GROUP>&name=Ansible_Test_Rule"
}

Re: error: certfile should be a valid filesystem path

TomYoung — Sun, 16 Apr 2023 11:14:14 GMT

Hi @Priyanka_Reddy ,

These errors are not PANW specific, but I will point you in the right direction.

With regard to the "Ansible: palo_security_rule module" error, all you need to do is find the right syntax. A security policy rule can take a HIP Profile as an option, but the syntax is not correct.
With regard to the API, the cert_file variable in the client.py Python script is incorrect. It needs to be fixed.

Thanks,

Tom

Re: error: certfile should be a valid filesystem path

Priyanka_Reddy — Mon, 17 Apr 2023 07:00:40 GMT

Hi @TomYoung ,

Can you please help me with the correct syntax of panos_security_rule, making hip_profile as an option, in the first point mentioned by you.

Regarding the API "the cert_file variable in the client.py Python script is incorrect" ::::: my client.py has the below snippet regarding the certfile, i am not sure where i have to modify the cert__file variable.

===========

try:
import ssl
except ImportError:
pass
else:
class HTTPSConnection(HTTPConnection):
"This class allows communication via SSL."

default_port = HTTPS_PORT

# XXX Should key_file and cert_file be deprecated in favour of context?

def __init__(self, host, port=None, key_file=None, cert_file=None,
timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
source_address=None, *, context=None,
check_hostname=None):
super(HTTPSConnection, self).__init__(host, port, timeout,
source_address)
if (key_file is not None or cert_file is not None or
check_hostname is not None):
import warnings
warnings.warn("key_file, cert_file and check_hostname are "
"deprecated, use a custom context instead.",
DeprecationWarning, 2)
self.key_file = key_file
self.cert_file = cert_file
if context is None:
context = ssl._create_default_https_context()
# enable PHA for TLS 1.3 connections if available
if context.post_handshake_auth is not None:
context.post_handshake_auth = True
will_verify = context.verify_mode != ssl.CERT_NONE
if check_hostname is None:
check_hostname = context.check_hostname
if check_hostname and not will_verify:
raise ValueError("check_hostname needs a SSL context with "
"either CERT_OPTIONAL or CERT_REQUIRED")
if key_file or cert_file:
context.load_cert_chain(cert_file, key_file)
# cert and key file means the user wants to authenticate.
# enable TLS 1.3 PHA implicitly even for custom contexts.
if context.post_handshake_auth is not None:
context.post_handshake_auth = True
self._context = context
self._check_hostname = check_hostname

def connect(self):
"Connect to a host on a given (SSL) port."

super().connect()

Re: error: certfile should be a valid filesystem path

Priyanka_Reddy — Wed, 19 Apr 2023 12:51:04 GMT

Can anyone help me regarding the above query.