error: certfile should be a valid filesystem path


L1 Bithead

Hi Team,

I am trying to automate Palo Alto version 10.2.3-h2. Initially I tried to use Ansible: palo_security_rule module to push a security rule to Palo Alto, but I got the error "hip_profiles unexpected here". The workaround for this error, as looked up on Google, was to load the current config in Palo Alto, which was not accepted as a feasible solution by my team.

So I tried to use the Ansible API method to push the security rule to Palo Alto, and I am getting this error: "msg": "Status code was -1 and not [200]: An unknown error occurred: certfile should be a valid filesystem path".

I haven't got any workarounds for this error, and I didn't understand what this is related to. Can anyone please help me with how I can fix this?

Below is the script I have written in Ansible for pushing the security rule.

 

- name: Get API key
  uri:
    url: https://{{ inventory_hostname }}/api/
    method: GET
    status_code: 200
    validate_certs: no
    use_proxy: no
    return_content: yes
    body_format: json
    headers:
      Content-Type: application/xml
    body:
      type: keygen
      user: "{{ creds['username'] }}"
      password: "{{ creds['password'] }}"
  register: api_key_result1
  delegate_to: localhost

- name: print security key
  shell: echo "{{ api_key_result.content }}" | grep -o -P '(?<=<key>).*(?=</key>)'
  register: key

- name: Create Security rule
  uri:
    url: 'https://<IP-ADDRESS>/restapi/v10.2/Policies/SecurityPreRules?location=vsys&vsys=<VALUE>&name=Ansible_Test_Rule'
    client_key: "{{ key.stdout_lines }}"
    method: POST
    status_code: 200
    body:
      source: <>
      destination: <>
      service: "HTTPS"
    body_format: json
    headers:
      Content-Type: application/xml
    follow_redirects: all
    return_content: yes
    validate_certs: no
    use_proxy: no
  register: result

========================================================

ERROR:

  File "/usr/lib64/python3.6/http/client.py", line 1422, in __init__
    context.load_cert_chain(cert_file, key_file)
TypeError: certfile should be a valid filesystem path
fatal: [<IP>]: FAILED! => {
    "changed": false,
    "content": "",
    "elapsed": 0,
    "invocation": {
        "module_args": {
            "attributes": null,
            "backup": null,
            "body": {
                "destination": "<>",
                "service": "HTTPS",
                "source": "<IP>"
            },
            "body_format": "json",
            "client_cert": null,
            "client_key": "[<KEY>]",
            "content": null,
            "creates": null,
            "delimiter": null,
            "dest": null,
            "directory_mode": null,
            "follow": false,
            "follow_redirects": "all",
            "force": false,
            "force_basic_auth": false,
            "group": null,
            "headers": {
                "Content-Type": "application/xml"
            },
            "http_agent": "ansible-httpget",
            "method": "POST",
            "mode": null,
            "owner": null,
            "regexp": null,
            "remote_src": null,
            "removes": null,
            "return_content": true,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "status_code": [
                "200"
            ],
            "timeout": 30,
            "unix_socket": null,
            "unsafe_writes": false,
            "url": "https://<IP>/restapi/v10.2/Policies/SecurityPreRules?location=vsys&vsys=<DEVICE-GROUP>&name=Ansible_...",
            "url_password": null,
            "url_username": null,
            "use_proxy": false,
            "validate_certs": false
        }
    },
    "msg": "Status code was -1 and not [200]: An unknown error occurred: certfile should be a valid filesystem path",
    "redirected": false,
    "status": -1,
    "url": "https://<IP>/restapi/v10.2/Policies/SecurityPreRules?location=vsys&vsys=DEVICE-GROUP>&name=Ansible_T..."
}

==============================================================

My client.py has the below snippet regarding the certfile. I am not sure: do I have to modify the cert_file variable? If yes, where?

===========

try:
    import ssl
except ImportError:
    pass
else:
    class HTTPSConnection(HTTPConnection):
        "This class allows communication via SSL."

        default_port = HTTPS_PORT

        # XXX Should key_file and cert_file be deprecated in favour of context?

        def __init__(self, host, port=None, key_file=None, cert_file=None,
                     timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
                     source_address=None, *, context=None,
                     check_hostname=None):
            super(HTTPSConnection, self).__init__(host, port, timeout,
                                                  source_address)
            if (key_file is not None or cert_file is not None or
                    check_hostname is not None):
                import warnings
                warnings.warn("key_file, cert_file and check_hostname are "
                              "deprecated, use a custom context instead.",
                              DeprecationWarning, 2)
            self.key_file = key_file
            self.cert_file = cert_file
            if context is None:
                context = ssl._create_default_https_context()
                # enable PHA for TLS 1.3 connections if available
                if context.post_handshake_auth is not None:
                    context.post_handshake_auth = True
            will_verify = context.verify_mode != ssl.CERT_NONE
            if check_hostname is None:
                check_hostname = context.check_hostname
            if check_hostname and not will_verify:
                raise ValueError("check_hostname needs a SSL context with "
                                 "either CERT_OPTIONAL or CERT_REQUIRED")
            if key_file or cert_file:
                context.load_cert_chain(cert_file, key_file)
                # cert and key file means the user wants to authenticate.
                # enable TLS 1.3 PHA implicitly even for custom contexts.
                if context.post_handshake_auth is not None:
                    context.post_handshake_auth = True
            self._context = context
            self._check_hostname = check_hostname

        def connect(self):
            "Connect to a host on a given (SSL) port."

            super().connect()
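
Added example, not part of the original post and not Ansible's or CPython's own code: the `uri` options `client_cert` and `client_key` are file paths to PEM material for TLS client authentication, so the `load_cert_chain` call in the traceback can be repeated offline and the task arguments checked before a run. The function names and `SAMPLE_ARGS` values are assumptions constructed for illustration.

```python
import os
import ssl


def load_cert_chain_error(cert_file, key_file):
    """Repeat the http.client call from the traceback; return the error text, or None."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        context.load_cert_chain(cert_file, key_file)
    except (TypeError, OSError) as exc:  # ssl.SSLError is a subclass of OSError
        return str(exc)
    return None


def check_uri_tls_args(args):
    """Flag client_cert/client_key values that cannot serve as TLS client material."""
    findings = []
    cert, key = args.get("client_cert"), args.get("client_key")
    for name, value in (("client_cert", cert), ("client_key", key)):
        if value is None:
            continue
        if not isinstance(value, (str, bytes, os.PathLike)):
            findings.append(f"{name}: {type(value).__name__} given, expected a file path")
        elif not os.path.isfile(value):
            findings.append(f"{name}: no such file (a token rather than a PEM path?)")
    if key is not None and cert is None:
        # The certificate is loaded first, so the error names certfile
        # even though only client_key was set in the task.
        findings.append("client_key set without client_cert")
    return findings


# Constructed sample mirroring the failing task: no certificate, and the
# registered stdout_lines list (holding the API key) passed as client_key.
SAMPLE_ARGS = {"client_cert": None, "client_key": ["CONSTRUCTED-API-KEY"]}

if __name__ == "__main__":
    print(load_cert_chain_error(SAMPLE_ARGS["client_cert"], SAMPLE_ARGS["client_key"]))
    for finding in check_uri_tls_args(SAMPLE_ARGS):
        print(finding)
```

A PAN-OS API key is a request credential, not TLS client material; the PAN-OS API accepts it in the `X-PAN-KEY` request header, which corresponds to the `headers` option of `uri` rather than `client_key`.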

 

6 REPLIES

L5 Sessionator

Hi @Priyanka_Reddy, the reference documentation for the PAN-OS Ansible collection of modules is here, the security_rule modules specifically is here. There are also tutorials and guides here.

 

Regarding your first issue, the hip-profiles parameter is no longer used from PAN-OS 10.0 onwards because the Device-ID feature was released, so because you are using PAN-OS 10.2, please remove the hip_profiles: "something" line in your original playbook and that error should go away. You should then not need the subsequent XML API method.

 

Hope this helps

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

Hi Jimmy,

Thank you for taking the time to answer my query. The hip_profiles argument in the security rule module is a default one. I have tried removing the hip_profiles: "something" option in my original playbook, but the playbook still automatically takes the default value 'any' for hip_profile and sends that to Panorama. Also, the modules you suggested need the below requirements:

  • Python 3.8 or higher

  • Ansible 2.9 or higher

 

If we upgrade our Ansible version and Python version, we are in fear that the present scripts on the Ansible server won't work, as it happened once and we had to degrade the version of Python on the Ansible server.

 

-----------------------------------------------------------------------------------

The ansible version we are using is :

[root@<> ~]# ansible --version
ansible 2.9.27
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.6/site-packages/ansible
executable location = /bin/ansible
python version = 3.6.8 (default, Jan 11 2023, 08:43:50) [GCC 8.5.0 20210514 (Red Hat 8.5.0-16)]

--------------------------

Kindly suggest any workarounds related to the API error please.

L5 Sessionator

Hi @Priyanka_Reddy, which version of the PAN-OS collection are you using? There was an enhancement to cover the hip_profiles scenario in 2.10.0, are you using this version or higher?

Hi, I am using pan-python 0.18.0, as the Python version on my Ansible server is 3.6 and does not support the pan-os collection, which requires Python 3.8 or higher.

L5 Sessionator

Hi @Priyanka_Reddy, Python 3.6 has been end-of-life and not receiving updates or security fixes since 2021, I believe. I strongly suggest upgrading.

When we had patching done on the Ansible server, the scripts didn't work, so we had to degrade the Python version. Anyway, we will try upgrading again and get back if the issue still persists.
