error: certfile should be a valid filesystem path


L1 Bithead

Hi Team,

I am trying to automate Palo Alto version 10.2.3-h2. Initially I tried to use the Ansible palo_security_rule module to push a security rule to Palo Alto, but I got the error "hip_profiles unexpected here". The workaround for this error, as looked up in Google, was to load the current config in Palo Alto, which was not accepted as a feasible solution by my team.

So I tried to use the Ansible API method to push the security rule to Palo Alto, and I am getting this error: "msg": "Status code was -1 and not [200]: An unknown error occurred: certfile should be a valid filesystem path".

I haven't got any workarounds for this error, and I didn't understand what this is related to. Can anyone please help me with how I can fix this?

Below is the script I have written in Ansible for pushing the security rule.

# Task 1: request an API key from the PAN-OS XML API (keygen)
- name: Get API key
  uri:
    url: https://{{ inventory_hostname }}/api/
    method: GET
    status_code: 200
    validate_certs: no
    use_proxy: no
    return_content: yes
    body_format: json
    headers:
      Content-Type: application/xml
    body:
      type: keygen
      user: "{{ creds['username'] }}"
      password: "{{ creds['password'] }}"
  register: api_key_result
  delegate_to: localhost

# Task 2: pull the <key> element out of the keygen XML registered above
- name: print security key
  shell: echo "{{ api_key_result.content }}" | grep -o -P '(?<=<key>).*(?=</key>)'
  register: key

# Task 3: push the rule through the REST API
- name: Create Security rule
  uri:
    url: 'https://<IP-ADDRESS>/restapi/v10.2/Policies/SecurityPreRules?location=vsys&vsys=<VALUE>&name=Ansible_Test_Rule'
    # uri's client_key is the path to a PEM client private key file (used with client_cert);
    # this is the parameter the "certfile" error in the trace below refers to
    client_key: "{{ key.stdout_lines }}"
    method: POST
    status_code: 200
    body:
      source: <>
      destination: <>
      service: "HTTPS"
    body_format: json
    headers:
      Content-Type: application/xml
    follow_redirects: all
    return_content: yes
    validate_certs: no
    use_proxy: no
  register: result

========================================================

ERROR:

  File "/usr/lib64/python3.6/http/client.py", line 1422, in __init__
    context.load_cert_chain(cert_file, key_file)
TypeError: certfile should be a valid filesystem path
fatal: [<IP>]: FAILED! => {
    "changed": false,
    "content": "",
    "elapsed": 0,
    "invocation": {
        "module_args": {
            "attributes": null,
            "backup": null,
            "body": {
                "destination": "<>",
                "service": "HTTPS",
                "source": "<IP>"
            },
            "body_format": "json",
            "client_cert": null,
            "client_key": "[<KEY>]",
            "content": null,
            "creates": null,
            "delimiter": null,
            "dest": null,
            "directory_mode": null,
            "follow": false,
            "follow_redirects": "all",
            "force": false,
            "force_basic_auth": false,
            "group": null,
            "headers": {
                "Content-Type": "application/xml"
            },
            "http_agent": "ansible-httpget",
            "method": "POST",
            "mode": null,
            "owner": null,
            "regexp": null,
            "remote_src": null,
            "removes": null,
            "return_content": true,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "status_code": [
                "200"
            ],
            "timeout": 30,
            "unix_socket": null,
            "unsafe_writes": false,
            "url": "https://<IP>/restapi/v10.2/Policies/SecurityPreRules?location=vsys&vsys=<DEVICE-GROUP>&name=Ansible_...",
            "url_password": null,
            "url_username": null,
            "use_proxy": false,
            "validate_certs": false
        }
    },
    "msg": "Status code was -1 and not [200]: An unknown error occurred: certfile should be a valid filesystem path",
    "redirected": false,
    "status": -1,
    "url": "https://<IP>/restapi/v10.2/Policies/SecurityPreRules?location=vsys&vsys=DEVICE-GROUP>&name=Ansible_T..."
}
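Added example, not code from the post or from Ansible or PAN-OS: it reproduces the failure in the trace above with plain Python (client_cert unset, client_key holding the API key, which http.client passes to ssl's load_cert_chain as a certfile of None) and parses the keygen reply with an XML parser instead of grep. It assumes the PAN-OS REST API reads the API key from an X-PAN-KEY request header; the host, vsys and key values are constructed placeholders, and the rule body is left out because the post does not show the full schema.

```python
import ssl
import xml.etree.ElementTree as ET
from urllib.request import Request

# Constructed sample of a PAN-OS keygen reply; the key value is a placeholder.
KEYGEN_RESPONSE = ('<response status="success"><result>'
                   '<key>LUFRPT1PLACEHOLDERKEY==</key></result></response>')


def extract_api_key(xml_text):
    """Parse the keygen XML instead of grepping it, and refuse error replies."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("keygen failed: " + xml_text)
    key = root.findtext("./result/key")
    if not key:
        raise RuntimeError("keygen reply carries no <key> element")
    return key.strip()


def key_as_client_key(api_key):
    """Mirror the failing task: client_cert unset, client_key = the API key.
    uri hands both to http.client, which calls load_cert_chain(None, api_key);
    ssl expects a filesystem path there and raises before any connection."""
    ctx = ssl.create_default_context()
    try:
        ctx.load_cert_chain(None, api_key)
    except TypeError as exc:  # "certfile should be a valid filesystem path"
        return exc.__class__.__name__
    return "no error"


def build_rest_request(host, vsys, rule_name, api_key):
    """Working shape (assumption): the key travels in the X-PAN-KEY header,
    not in a TLS client-key parameter."""
    url = ("https://%s/restapi/v10.2/Policies/SecurityPreRules"
           "?location=vsys&vsys=%s&name=%s" % (host, vsys, rule_name))
    return Request(url, method="POST",
                   headers={"X-PAN-KEY": api_key,
                            "Content-Type": "application/json"})


if __name__ == "__main__":
    key = extract_api_key(KEYGEN_RESPONSE)
    print("client_key misuse raises:", key_as_client_key(key))
    req = build_rest_request("fw.example.invalid", "vsys1", "Ansible_Test_Rule", key)
    print(req.get_method(), req.full_url, req.get_header("X-pan-key"))
```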


3 REPLIES

Cyber Elite

Hi @Priyanka_Reddy ,


These errors are not PANW specific, but I will point you in the right direction.


  1. With regard to the "Ansible: palo_security_rule module" error, all you need to do is find the right syntax.  A security policy rule can take a HIP Profile as an option, but the syntax is not correct.
  2. With regard to the API, the cert_file variable in the client.py Python script is incorrect.  It needs to be fixed.

Thanks,


Tom

Help the community: Like helpful comments and mark solutions.

Hi @TomYoung ,

Can you please help me with the correct syntax of panos_security_rule, making hip_profile an option, in the first point you mentioned.

Regarding the API ("the cert_file variable in the client.py Python script is incorrect"): my client.py has the below snippet regarding the certfile. I am not sure where I have to modify the cert_file variable.

===========

# Excerpt from the standard library's http/client.py (Python 3.6), as posted.
# Imports added so the excerpt stands on its own.
import socket
from http.client import HTTPConnection, HTTPS_PORT

try:
    import ssl
except ImportError:
    pass
else:
    class HTTPSConnection(HTTPConnection):
        "This class allows communication via SSL."

        default_port = HTTPS_PORT

        # XXX Should key_file and cert_file be deprecated in favour of context?

        def __init__(self, host, port=None, key_file=None, cert_file=None,
                     timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
                     source_address=None, *, context=None,
                     check_hostname=None):
            super(HTTPSConnection, self).__init__(host, port, timeout,
                                                  source_address)
            if (key_file is not None or cert_file is not None or
                    check_hostname is not None):
                import warnings
                warnings.warn("key_file, cert_file and check_hostname are "
                              "deprecated, use a custom context instead.",
                              DeprecationWarning, 2)
            self.key_file = key_file
            self.cert_file = cert_file
            if context is None:
                context = ssl._create_default_https_context()
                # enable PHA for TLS 1.3 connections if available
                if context.post_handshake_auth is not None:
                    context.post_handshake_auth = True
            will_verify = context.verify_mode != ssl.CERT_NONE
            if check_hostname is None:
                check_hostname = context.check_hostname
            if check_hostname and not will_verify:
                raise ValueError("check_hostname needs a SSL context with "
                                 "either CERT_OPTIONAL or CERT_REQUIRED")
            if key_file or cert_file:
                # the call at line 1422 in the traceback: with cert_file None
                # and key_file set, ssl raises the "certfile" TypeError here
                context.load_cert_chain(cert_file, key_file)
                # cert and key file means the user wants to authenticate.
                # enable TLS 1.3 PHA implicitly even for custom contexts.
                if context.post_handshake_auth is not None:
                    context.post_handshake_auth = True
            self._context = context
            self._check_hostname = check_hostname

        def connect(self):
            "Connect to a host on a given (SSL) port."

            super().connect()

L1 Bithead

Can anyone help me with the above query?
