Open
Description
SUMMARY
When running Ansible with Python 3.13, the community.zabbix.zabbix_host module fails to verify certificates trusted by the system trust store.
ISSUE TYPE
- Bug Report
COMPONENT NAME
community.zabbix.zabbix_host
ANSIBLE VERSION
ansible [core 2.18.1]
config file = /home/silejonu/ansible/ansible.cfg
configured module search path = ['/home/silejonu/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/silejonu/ansible/.venv/lib64/python3.13/site-packages/ansible
ansible collection location = /home/silejonu/ansible/collections
executable location = /home/silejonu/ansible/.venv/bin/ansible
python version = 3.13.1 (main, Dec 9 2024, 00:00:00) [GCC 14.2.1 20240912 (Red Hat 14.2.1-3)] (/home/silejonu/ansible/.venv/bin/python)
jinja version = 3.1.5
libyaml = True
CONFIGURATION
COLLECTIONS_PATHS(/home/silejonu/ansible/ansible.cfg) = ['/home/silejonu/ansible/collections']
CONFIG_FILE() = /home/silejonu/ansible/ansible.cfg
DEFAULT_FORCE_HANDLERS(/home/silejonu/ansible/ansible.cfg) = True
DEFAULT_HOST_LIST(/home/silejonu/ansible/ansible.cfg) = ['/home/silejonu/ansible/inventory']
DEFAULT_VAULT_PASSWORD_FILE(/home/silejonu/ansible/ansible.cfg) = /home/silejonu/ansible/.vault_password.txt
EDITOR(env: EDITOR) = /usr/bin/nano
INTERPRETER_PYTHON(/home/silejonu/ansible/ansible.cfg) = auto_silent
GALAXY_SERVERS:
OS / ENVIRONMENT / Zabbix Version
Zabbix 7.0 LTS, installed with official repositories, on CentOS Stream 9.
The certificate is signed by my internal authority, which is trusted by my Ansible controller (Fedora 41) at the system level.
STEPS TO REPRODUCE
- Add a certificate to Zabbix from an internal authority
- Add the root certificate to the trust store of the Ansible controller
python3.13 -m venv .venvsource .venv/bin/activatepip install --upgrade pip ansible-core- Run the example playbook
Example playbook:
- name: Test playbook
hosts: localhost
become: false
tasks:
- name: Add host to Zabbix
delegate_to: zabbix.home.arpa
vars:
ansible_zabbix_auth_key: "[…]"
ansible_network_os: community.zabbix.zabbix
ansible_connection: httpapi
ansible_httpapi_port: 443
ansible_httpapi_use_ssl: true
ansible_httpapi_validate_certs: true
ansible_zabbix_url_path: "/"
community.zabbix.zabbix_host:
force: false
host_name: "test"
visible_name: "test"
host_groups: "Zabbix servers"
status: enabled
state: present
inventory_mode: automatic
interfaces:
- type: agent
main: 1
useip: 0
dns: "test"
port: "10050"EXPECTED RESULTS
The certificates trusted by the system should be trusted by community.zabbix.zabbix_host on all Python versions.
ACTUAL RESULTS
The certificates trusted by the system are trusted by community.zabbix.zabbix_host on Python version 3.12 and below.
On Python 3.13, the following error is raised:
Read vars_file 'vault/zabbix.yml'
redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
<zabbix.home.arpa> ESTABLISH LOCAL CONNECTION FOR USER: silejonu
<zabbix.home.arpa> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/silejonu/.ansible/tmp/ansible-local-46113ym17bas `"&& mkdir "` echo /home/silejonu/.ansible/tmp/ansible-local-46113ym17bas/ansible-tmp-1736974837.76897-4745-189524040544948 `" && echo ansible-tmp-1736974837.76897-4745-189524040544948="` echo /home/silejonu/.ansible/tmp/ansible-local-46113ym17bas/ansible-tmp-1736974837.76897-4745-189524040544948 `" ) && sleep 0'
Using module file /home/silejonu/ansible/collections/ansible_collections/community/zabbix/plugins/modules/zabbix_host.py
<zabbix.home.arpa> PUT /home/silejonu/.ansible/tmp/ansible-local-46113ym17bas/tmpoittgqmy TO /home/silejonu/.ansible/tmp/ansible-local-46113ym17bas/ansible-tmp-1736974837.76897-4745-189524040544948/AnsiballZ_zabbix_host.py
<zabbix.home.arpa> EXEC /bin/sh -c 'chmod u+x /home/silejonu/.ansible/tmp/ansible-local-46113ym17bas/ansible-tmp-1736974837.76897-4745-189524040544948/ /home/silejonu/.ansible/tmp/ansible-local-46113ym17bas/ansible-tmp-1736974837.76897-4745-189524040544948/AnsiballZ_zabbix_host.py && sleep 0'
<zabbix.home.arpa> EXEC /bin/sh -c '/home/silejonu/ansible/.venv/bin/python /home/silejonu/.ansible/tmp/ansible-local-46113ym17bas/ansible-tmp-1736974837.76897-4745-189524040544948/AnsiballZ_zabbix_host.py && sleep 0'
<zabbix.home.arpa> EXEC /bin/sh -c 'rm -f -r /home/silejonu/.ansible/tmp/ansible-local-46113ym17bas/ansible-tmp-1736974837.76897-4745-189524040544948/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
File "/home/silejonu/.ansible/tmp/ansible-local-46113ym17bas/ansible-tmp-1736974837.76897-4745-189524040544948/AnsiballZ_zabbix_host.py", line 107, in <module>
_ansiballz_main()
~~~~~~~~~~~~~~~^^
File "/home/silejonu/.ansible/tmp/ansible-local-46113ym17bas/ansible-tmp-1736974837.76897-4745-189524040544948/AnsiballZ_zabbix_host.py", line 99, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/silejonu/.ansible/tmp/ansible-local-46113ym17bas/ansible-tmp-1736974837.76897-4745-189524040544948/AnsiballZ_zabbix_host.py", line 47, in invoke_module
runpy.run_module(mod_name='ansible_collections.community.zabbix.plugins.modules.zabbix_host', init_globals=dict(_module_fqn='ansible_collections.community.zabbix.plugins.modules.zabbix_host', _modlib_path=modlib_path),
~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
run_name='__main__', alter_sys=True)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "<frozen runpy>", line 226, in run_module
File "<frozen runpy>", line 98, in _run_module_code
File "<frozen runpy>", line 88, in _run_code
File "/tmp/ansible_community.zabbix.zabbix_host_payload_7_wyfrlp/ansible_community.zabbix.zabbix_host_payload.zip/ansible_collections/community/zabbix/plugins/modules/zabbix_host.py", line 1356, in <module>
File "/tmp/ansible_community.zabbix.zabbix_host_payload_7_wyfrlp/ansible_community.zabbix.zabbix_host_payload.zip/ansible_collections/community/zabbix/plugins/modules/zabbix_host.py", line 1143, in main
File "/tmp/ansible_community.zabbix.zabbix_host_payload_7_wyfrlp/ansible_community.zabbix.zabbix_host_payload.zip/ansible_collections/community/zabbix/plugins/module_utils/base.py", line 20, in __init__
File "/tmp/ansible_community.zabbix.zabbix_host_payload_7_wyfrlp/ansible_community.zabbix.zabbix_host_payload.zip/ansible_collections/community/zabbix/plugins/module_utils/api_request.py", line 53, in api_version
File "/tmp/ansible_community.zabbix.zabbix_host_payload_7_wyfrlp/ansible_community.zabbix.zabbix_host_payload.zip/ansible/module_utils/connection.py", line 183, in __rpc__
ansible.module_utils.connection.ConnectionError: Could not connect to https://zabbix.home.arpa:443///api_jsonrpc.php: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1018)
fatal: [zabbix -> zabbix.home.arpa]: FAILED! => {
"changed": false,
"module_stderr": "Traceback (most recent call last):\n File \"/home/silejonu/.ansible/tmp/ansible-local-46113ym17bas/ansible-tmp-1736974837.76897-4745-189524040544948/AnsiballZ_zabbix_host.py\", line 107, in <module>\n _ansiballz_main()\n ~~~~~~~~~~~~~~~^^\n File \"/home/silejonu/.ansible/tmp/ansible-local-46113ym17bas/ansible-tmp-1736974837.76897-4745-189524040544948/AnsiballZ_zabbix_host.py\", line 99, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/home/silejonu/.ansible/tmp/ansible-local-46113ym17bas/ansible-tmp-1736974837.76897-4745-189524040544948/AnsiballZ_zabbix_host.py\", line 47, in invoke_module\n runpy.run_module(mod_name='ansible_collections.community.zabbix.plugins.modules.zabbix_host', init_globals=dict(_module_fqn='ansible_collections.community.zabbix.plugins.modules.zabbix_host', _modlib_path=modlib_path),\n ~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n run_name='__main__', alter_sys=True)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"<frozen runpy>\", line 226, in run_module\n File \"<frozen runpy>\", line 98, in _run_module_code\n File \"<frozen runpy>\", line 88, in _run_code\n File \"/tmp/ansible_community.zabbix.zabbix_host_payload_7_wyfrlp/ansible_community.zabbix.zabbix_host_payload.zip/ansible_collections/community/zabbix/plugins/modules/zabbix_host.py\", line 1356, in <module>\n File \"/tmp/ansible_community.zabbix.zabbix_host_payload_7_wyfrlp/ansible_community.zabbix.zabbix_host_payload.zip/ansible_collections/community/zabbix/plugins/modules/zabbix_host.py\", line 1143, in main\n File \"/tmp/ansible_community.zabbix.zabbix_host_payload_7_wyfrlp/ansible_community.zabbix.zabbix_host_payload.zip/ansible_collections/community/zabbix/plugins/module_utils/base.py\", line 20, in __init__\n File \"/tmp/ansible_community.zabbix.zabbix_host_payload_7_wyfrlp/ansible_community.zabbix.zabbix_host_payload.zip/ansible_collections/community/zabbix/plugins/module_utils/api_request.py\", line 53, in api_version\n File \"/tmp/ansible_community.zabbix.zabbix_host_payload_7_wyfrlp/ansible_community.zabbix.zabbix_host_payload.zip/ansible/module_utils/connection.py\", line 183, in __rpc__\nansible.module_utils.connection.ConnectionError: Could not connect to https://zabbix.home.arpa:443///api_jsonrpc.php: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1018)\n",
"module_stdout": "",
"msg": "MODULE FAILURE: No start of json char found\nSee stdout/stderr for the exact error",
"rc": 1
}
Metadata
Metadata
Assignees
Labels
No labels