Hello,

in my previous post i'd set the variable you mean to false, in this current post i want that variable set to true

Sometimes it causes issue while installing root certificate in ca trust store if it is not a default well known public root certificate in ca trust. One another reason may be permission as we are installing it via user root and running playbook via non-root user.

Next we can see if there is any parameter in playbook which defines the path to root certificate and use it to validate the connection.

Regards,

Sachchidanand

Hello,

rui.crt & castore.pem both are unable to be installed in Linux Centos, both of them written in /etc/pki/tls/certs/ca-bundle.trust.crt once update-ca-trust command executed but undetectable by Ansible

but i try to solve this problem using other way with this schema :

CA Certificate server : centos 8.4 (192.168.50.6)

VMWare ESXI : (ESXI server 7u3) 192.168.50.5

Ansible controller : centos 8.4 (192.168.50.3)

1. I generate CSR certificate in ESXI web console and then send this certificate to be signed by the CA server

2. I install CA certificate in the Ansible controller. This CA certificate would be written in /etc/pki/tls/certs/ca-bundle.crt once update-ca-trust command executed

3. I install CSR signed by CA root to ESXI Server by uploading this certificate via ESXI web console

4. CA certificate unable to be installed in ESXI Server

After all that, i tested again and the result is showing other error

Below is the CA certificate been installed in Ansible controller

Below is the CSR certificate signed by the CA and installed in the ESXI server

Please help guys to overcome error  [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '192.168.50.5'. (_ssl.c:1129)"} of the Ansible

How you generated CSR in ESXi web console? I'll also try this in my setup.

Regards,

Sachchidanand

Hello, 

Yes i generated ESXI CSR certificate and then i sent this CSR to centos 8.4 CA Server to be signed by the CA (see my schema above). and then i sent back this CSR after been signed to ESXI to be installed in. the image about CSR just as visualization.

Update : i installed CA certificate to ESXI by writing the CA certificate file content to castore.pem in ESXI server. After that i test again but still unlucky, i still get same error, IP address mismatch

I mean to say you have generated csr from web console like GUI or you used openssl command to generate the csr?

Regards,

Sachchidanand

Hello,

I generated CSR using ESXI web console

Hello @Sachchidanand 

That's great, my case is solved, now my Ansible Playbook able to connect to ESXI Server 7 using certificate. To be successful i do these steps :

In ESXI Server :

- create .cnf file in ESXI Server

- create private key file first for CSR certificate & save this private key

- generate CSR certificate using private key that just created

- verify the CSR certificate has Subject Alternative Name

- send the CSR to the CA Server to be signed

In CA Server (Centos 8.4)

- make sure the CSR already existed in this server

- sign the CSR with extensions & extfile option in openssl command & output to .crt file

- verify the CRT certificate has Subject Alternative Name

Back to ESXI Server

- write the content of CRT file (signed certificate) to /etc/vmware/ssl/rui.crt

- write the content of private key file to /etc/vmware/ssl/rui.key

- restart  hypervisor server

In Ansible Controller

- install CA Certificate in this server

This is the result of my test