Open
Description
SUMMARY
The host certificate is not properly validated.
ISSUE TYPE
- Bug Report
COMPONENT NAME
community.vmware.vmware_tools
ANSIBLE VERSION
ansible [core 2.13.2]
config file = /root/ansible-playbook/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /root/ansible-playbook/.venv/ansible.venv/lib/python3.10/site-packages/ansible
ansible collection location = /root/ansible-playbook/collections
executable location = /root/ansible-playbook/.venv/ansible.venv/bin/ansible
python version = 3.10.4 (main, Nov 16 2022, 14:29:09) [GCC 10.2.1 20210110]
jinja version = 3.1.2
libyaml = True
COLLECTION VERSION
# ansible-galaxy collection list community.vmware
# /root/ansible-playbook/.venv/ansible.venv/lib/python3.10/site-packages/ansible_collections
Collection Version
---------------- -------
community.vmware 2.7.0
# /root/ansible-playbook/collections/ansible_collections
Collection Version
---------------- -------
community.vmware *
Currently using community.vmware git checkout at fe41bdc
CONFIGURATION
COLLECTIONS_PATHS(/root/ansible-playbook/ansible.cfg) = ['/root/ansible-playbook/collections']
DEFAULT_BECOME(/root/ansible-playbook/ansible.cfg) = True
DEFAULT_BECOME_FLAGS(/root/ansible-playbook/ansible.cfg) = -l
DEFAULT_BECOME_METHOD(/root/ansible-playbook/ansible.cfg) = su
DEFAULT_FORCE_HANDLERS(/root/ansible-playbook/ansible.cfg) = True
DEFAULT_FORKS(/root/ansible-playbook/ansible.cfg) = 50
DEFAULT_HOST_LIST(/root/ansible-playbook/ansible.cfg) = ['/root/ansible-playbook/inventory.ini']
DEFAULT_MANAGED_STR(/root/ansible-playbook/ansible.cfg) = This file is managed by ansible - local changes will be lost
DEFAULT_REMOTE_USER(/root/ansible-playbook/ansible.cfg) = root
DEFAULT_TRANSPORT(/root/ansible-playbook/ansible.cfg) = ssh
DEFAULT_VAULT_PASSWORD_FILE(/root/ansible-playbook/ansible.cfg) = /root/ansible-playbook/.vpass
DEPRECATION_WARNINGS(/root/ansible-playbook/ansible.cfg) = True
INVENTORY_ENABLED(/root/ansible-playbook/ansible.cfg) = ['ini']
SYSTEM_WARNINGS(/root/ansible-playbook/ansible.cfg) = True
OS / ENVIRONMENT
Ansible running on linux
STEPS TO REPRODUCE
- Deploy trusted certificates to the VMware environment (certificate with a SAN entry of ipaddress:192.0.0.1)
- Try to do a guest invocation task (like just setup through the vmware_tools transporter)
EXPECTED RESULTS
Certificate should be correctly validated.
ACTUAL RESULTS
The certificate fails validation. (Note: curl and wget to https://192.0.0.1/ correctly validate the certificate and consider it trusted.)
TASK [vm_deployment_role : Gather facts] ***********************************************************************************************************************************************************
task path: /root/ansible-playbook/roles/vm_deployment_role/tasks/main.yml:84
redirecting (type: connection) ansible.builtin.vmware_tools to community.vmware.vmware_tools
The full traceback is:
Traceback (most recent call last):
File "/root/ansible-playbook/.venv/ansible.venv/lib/python3.10/site-packages/urllib3/connectionpool.py", line 703, in urlopen
httplib_response = self._make_request(
File "/root/ansible-playbook/.venv/ansible.venv/lib/python3.10/site-packages/urllib3/connectionpool.py", line 386, in _make_request
self._validate_conn(conn)
File "/root/ansible-playbook/.venv/ansible.venv/lib/python3.10/site-packages/urllib3/connectionpool.py", line 1042, in _validate_conn
conn.connect()
File "/root/ansible-playbook/.venv/ansible.venv/lib/python3.10/site-packages/urllib3/connection.py", line 414, in connect
self.sock = ssl_wrap_socket(
File "/root/ansible-playbook/.venv/ansible.venv/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 453, in ssl_wrap_socket
ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls)
File "/root/ansible-playbook/.venv/ansible.venv/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 495, in _ssl_wrap_socket_impl
return ssl_context.wrap_socket(sock)
File "/root/ansible-playbook/.pyenv/versions/3.10.4/lib/python3.10/ssl.py", line 512, in wrap_socket
return self.sslsocket_class._create(
File "/root/ansible-playbook/.pyenv/versions/3.10.4/lib/python3.10/ssl.py", line 1070, in _create
self.do_handshake()
File "/root/ansible-playbook/.pyenv/versions/3.10.4/lib/python3.10/ssl.py", line 1341, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/root/ansible-playbook/.venv/ansible.venv/lib/python3.10/site-packages/requests/adapters.py", line 440, in send
resp = conn.urlopen(
File "/root/ansible-playbook/.venv/ansible.venv/lib/python3.10/site-packages/urllib3/connectionpool.py", line 787, in urlopen
retries = retries.increment(
File "/root/ansible-playbook/.venv/ansible.venv/lib/python3.10/site-packages/urllib3/util/retry.py", line 592, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='192.0.0.1', port=443): Max retries exceeded with url: /guestFile?id=225&token=babc2b86-8d81-4b48-929d-f143af5659f4 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/root/ansible-playbook/.venv/ansible.venv/lib/python3.10/site-packages/ansible/executor/task_executor.py", line 157, in run
res = self._execute()
File "/root/ansible-playbook/.venv/ansible.venv/lib/python3.10/site-packages/ansible/executor/task_executor.py", line 635, in _execute
result = self._handler.run(task_vars=vars_copy)
File "/root/ansible-playbook/.venv/ansible.venv/lib/python3.10/site-packages/ansible/plugins/action/normal.py", line 47, in run
result = merge_hash(result, self._execute_module(task_vars=task_vars, wrap_async=wrap_async))
File "/root/ansible-playbook/.venv/ansible.venv/lib/python3.10/site-packages/ansible/plugins/action/__init__.py", line 1026, in _execute_module
self._make_tmp_path()
File "/root/ansible-playbook/.venv/ansible.venv/lib/python3.10/site-packages/ansible/plugins/action/__init__.py", line 448, in _make_tmp_path
result = self._low_level_execute_command(cmd, sudoable=False)
File "/root/ansible-playbook/.venv/ansible.venv/lib/python3.10/site-packages/ansible/plugins/action/__init__.py", line 1306, in _low_level_execute_command
rc, stdout, stderr = self._connection.exec_command(cmd, in_data=in_data, sudoable=sudoable)
File "/root/ansible-playbook/collections/ansible_collections/community/vmware/plugins/connection/vmware_tools.py", line 532, in exec_command
stdout_response = self._fetch_file_from_vm(stdout)
File "/root/ansible-playbook/collections/ansible_collections/community/vmware/plugins/connection/vmware_tools.py", line 474, in _fetch_file_from_vm
response = requests.get(url, verify=self.validate_certs, stream=True)
File "/root/ansible-playbook/.venv/ansible.venv/lib/python3.10/site-packages/requests/api.py", line 75, in get
return request('get', url, params=params, **kwargs)
File "/root/ansible-playbook/.venv/ansible.venv/lib/python3.10/site-packages/requests/api.py", line 61, in request
return session.request(method=method, url=url, **kwargs)
File "/root/ansible-playbook/.venv/ansible.venv/lib/python3.10/site-packages/requests/sessions.py", line 529, in request
resp = self.send(prep, **send_kwargs)
File "/root/ansible-playbook/.venv/ansible.venv/lib/python3.10/site-packages/requests/sessions.py", line 645, in send
r = adapter.send(request, **kwargs)
File "/root/ansible-playbook/.venv/ansible.venv/lib/python3.10/site-packages/requests/adapters.py", line 517, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='192.0.0.1', port=443): Max retries exceeded with url: /guestFile?id=225&token=babc2b86-8d81-4b48-929d-f143af5659f4 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))
fatal: [localhost -> vm-334320]: FAILED! => {
"msg": "Unexpected failure during module execution.",
"stdout": ""
}
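A diagnostic for the `requests.get(url, verify=self.validate_certs, stream=True)` call in the traceback, added here as an example and not part of the original report or of community.vmware. It resolves which CA store `requests` consults for a given `verify` value and compares it with the OpenSSL default paths reported by Python's `ssl` module; the function names are hypothetical, and the lookup order (REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then the certifi bundle) is that of requests itself.

```python
import os
import ssl


def requests_ca_source(verify=True, env=None, trust_env=True):
    """Return (origin, path) for the CA store requests would consult.

    verify=False disables verification, a string is taken as a CA file or
    directory, and True falls back to the environment and then to certifi.
    """
    env = os.environ if env is None else env
    if verify is False:
        return ("disabled", None)
    if isinstance(verify, str):
        return ("verify argument", verify)
    if trust_env:
        # requests.get() builds a Session with trust_env=True.
        for name in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
            if env.get(name):
                return (name, env[name])
    try:
        import certifi  # bundle shipped alongside requests
        return ("certifi", certifi.where())
    except ImportError:
        return ("certifi", None)


def openssl_ca_source():
    """CA file and directory that Python's ssl module uses by default."""
    paths = ssl.get_default_verify_paths()
    return {"cafile": paths.cafile, "capath": paths.capath}


def same_trust_store(verify=True, env=None):
    """True only if requests and the ssl defaults point at the same path."""
    _origin, path = requests_ca_source(verify, env)
    if path is None:
        return False
    real = os.path.realpath(path)
    return any(p and os.path.realpath(p) == real
               for p in openssl_ca_source().values())


if __name__ == "__main__":
    print("requests :", requests_ca_source(True))
    print("ssl      :", openssl_ca_source())
    print("same     :", same_trust_store(True))
```

Run it inside the same virtualenv as Ansible. If the two stores differ, a CA installed only in one of them produces "unable to get local issuer certificate" in the other.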