topic Re: error: certfile should be a valid filesystem path in Automation/API Discussions

error: certfile should be a valid filesystem path

Priyanka_Reddy — Mon, 24 Apr 2023 10:14:25 GMT

Hi Team,

I am trying to automate palo alto version 10.2.3-h2. Initially I tried to use Ansible: palo_security_rule module to push a security rule to palo alto, but I got error "hip_profiles unexpected here". The workaround for this error as looked up in google was to load current config in palo alto, which was not accepted as a feasible solution by my team.

So I tried to use Ansible Api method to push the security rule to palo alto and I am getting this error "msg": "Status code was -1 and not [200]: An unknown error occurred: certfile should be a valid filesystem path",

I haven't got any workarounds for this error, and I didn't understand what this is related to. Can anyone please help me how can I fix this.

Below is the script I have written in ansible for pushing security rule.

- name: Get API key
uri:
url: https://{{ inventory_hostname }}/api/
method: GET
status_code: 200
validate_certs: no
use_proxy: no
return_content: yes
body_format: json
headers:
Content-Type: application/xml
body:
type: keygen
user: "{{ creds['username'] }}"
password: "{{ creds['password'] }}"
register: api_key_result1
delegate_to: localhost

- name: print security key
shell: echo "{{ api_key_result.content }}" | grep -o -P '(?<=<key>).*(?=</key>)'
register: key

- name: Create Security rule
uri:
url: 'https://<IP-ADDRESS>/restapi/v10.2/Policies/SecurityPreRules?location=vsys&vsys=<VALUE>&name=Ansible_Test_Rule'
client_key: "{{ key.stdout_lines }}"
method: POST
status_code: 200
body:
source: <>
destination: <>
service: "HTTPS"
body_format: json
headers:
Content-Type: application/xml
follow_redirects: all
return_content: yes
validate_certs: no
use_proxy: no
register: result

========================================================

ERROR:

File "/usr/lib64/python3.6/http/client.py", line 1422, in __init__
context.load_cert_chain(cert_file, key_file)
TypeError: certfile should be a valid filesystem path
fatal: [<IP>]: FAILED! => {
"changed": false,
"content": "",
"elapsed": 0,
"invocation": {
"module_args": {
"attributes": null,
"backup": null,
"body": {
"destination": "<>",
"service": "HTTPS",
"source": "<IP>"
},
"body_format": "json",
"client_cert": null,
"client_key": "[<KEY>]",
"content": null,
"creates": null,
"delimiter": null,
"dest": null,
"directory_mode": null,
"follow": false,
"follow_redirects": "all",
"force": false,
"force_basic_auth": false,
"group": null,
"headers": {
"Content-Type": "application/xml"
},
"http_agent": "ansible-httpget",
"method": "POST",
"mode": null,
"owner": null,
"regexp": null,
"remote_src": null,
"removes": null,
"return_content": true,
"selevel": null,
"serole": null,
"setype": null,
"seuser": null,
"src": null,
"status_code": [
"200"
],
"timeout": 30,
"unix_socket": null,
"unsafe_writes": false,
"url": "https://<IP>/restapi/v10.2/Policies/SecurityPreRules?location=vsys&vsys=<DEVICE-GROUP>&name=Ansible_...",
"url_password": null,
"url_username": null,
"use_proxy": false,
"validate_certs": false
}
},
"msg": "Status code was -1 and not [200]: An unknown error occurred: certfile should be a valid filesystem path",
"redirected": false,
"status": -1,
"url": "https://<IP>/restapi/v10.2/Policies/SecurityPreRules?location=vsys&vsys=DEVICE-GROUP>&name=Ansible_T..."
}

==============================================================

my client.py has the below snippet regarding the certfile, i am not sure , do i have to modify the cert__file variable?, if yes where?

===========

try:
import ssl
except ImportError:
pass
else:
class HTTPSConnection(HTTPConnection):
"This class allows communication via SSL."

default_port = HTTPS_PORT

# XXX Should key_file and cert_file be deprecated in favour of context?

def __init__(self, host, port=None, key_file=None, cert_file=None,
timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
source_address=None, *, context=None,
check_hostname=None):
super(HTTPSConnection, self).__init__(host, port, timeout,
source_address)
if (key_file is not None or cert_file is not None or
check_hostname is not None):
import warnings
warnings.warn("key_file, cert_file and check_hostname are "
"deprecated, use a custom context instead.",
DeprecationWarning, 2)
self.key_file = key_file
self.cert_file = cert_file
if context is None:
context = ssl._create_default_https_context()
# enable PHA for TLS 1.3 connections if available
if context.post_handshake_auth is not None:
context.post_handshake_auth = True
will_verify = context.verify_mode != ssl.CERT_NONE
if check_hostname is None:
check_hostname = context.check_hostname
if check_hostname and not will_verify:
raise ValueError("check_hostname needs a SSL context with "
"either CERT_OPTIONAL or CERT_REQUIRED")
if key_file or cert_file:
context.load_cert_chain(cert_file, key_file)
# cert and key file means the user wants to authenticate.
# enable TLS 1.3 PHA implicitly even for custom contexts.
if context.post_handshake_auth is not None:
context.post_handshake_auth = True
self._context = context
self._check_hostname = check_hostname

def connect(self):
"Connect to a host on a given (SSL) port."

super().connect()

Re: error: certfile should be a valid filesystem path

JimmyHolland — Mon, 24 Apr 2023 10:27:52 GMT

Hi @Priyanka_Reddy, the reference documentation for the PAN-OS Ansible collection of modules is here, the security_rule modules specifically is here. There are also tutorials and guides here.

Regarding your first issue, the hip-profiles parameter is no longer used from PAN-OS 10.0 onwards because the Device-ID feature was released, so because you are using PAN-OS 10.2, please remove the hip_profiles: "something" line in your original playbook and that error should go away. You should then not need the subsequent XML API method.

Hope this helps

Re: error: certfile should be a valid filesystem path

Priyanka_Reddy — Wed, 26 Apr 2023 07:13:27 GMT

Hi @JimmyHolland Jimmy,

Thank you for taking time and answering my query. The hip_profiles argument in security rume module is a default one. I have tried removing the hip_profiles: "something", option in my original playbook, but still the playbook automatically takes default value as 'any' to hip_profile and send that to panaroma . Also the modules what you suggested to use need below requirements:

Python 3.8 or higher
Ansible 2.9 or higher

If we upgrade our ansible version and python version, we are in fear that present scripts in ansible server wont work, as it happened once and we had to degrade the version of python in ansible server.

-----------------------------------------------------------------------------------

The ansible version we are using is :

[root@<> ~]# ansible --version
ansible 2.9.27
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.6/site-packages/ansible
executable location = /bin/ansible
python version = 3.6.8 (default, Jan 11 2023, 08:43:50) [GCC 8.5.0 20210514 (Red Hat 8.5.0-16)]

--------------------------

Kindly suggest any workarounds related to the API error please.

Re: error: certfile should be a valid filesystem path

JimmyHolland — Wed, 26 Apr 2023 07:36:40 GMT

Hi @Priyanka_Reddy, which version of the PAN-OS collection are you using? There was an enhancement to cover the hip_profiles scenario in 2.10.0, are you using this version or higher?

Re: error: certfile should be a valid filesystem path

Priyanka_Reddy — Fri, 28 Apr 2023 07:16:12 GMT

Hi @JimmyHolland I am using pan-python 0.18.0, as the python version in my ansible server is 3.6 and does not support pan-os collection which requires python 3.8 or higher.

Re: error: certfile should be a valid filesystem path

JimmyHolland — Fri, 28 Apr 2023 07:20:02 GMT

Hi @Priyanka_Reddy, python 3.6 has been end-of-life and not receiving updates or security fixes since 2021 I believe, I strongly suggest upgrading

Re: error: certfile should be a valid filesystem path

Priyanka_Reddy — Fri, 28 Apr 2023 07:39:32 GMT

When we had a patching done on ansible server, the scripts didnt work, so we had to degrade the python version, anyway we wil try upgrading again and get back if the issue persists still