bigip_device_info from F5 BIG-IP does not show client-ssl-profiles if selected 'Client Certificate Constrained Delegation' #2423

Open
f5killer opened this issue Aug 21, 2024 · 2 comments
Labels
enhancement PRs or Issues for basic feature requests for an existing module.

f5killer commented Aug 21, 2024

COMPONENT NAME

bigip_device_info

Environment: Ansible Module

ANSIBLE VERSION
ansible [core 2.15.1]
  config file = None
  configured module search path = ['/Users/xyz/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/xyz/homebrew/lib/python3.11/site-packages/ansible
  ansible collection location = /Users/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/homebrew/bin/ansible
  python version = 3.11.9 (main, Apr  2 2024, 08:25:04) [Clang 15.0.0 (clang-1500.3.9.4)] (/opt/homebrew/opt/[email protected]/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True
BIGIP VERSION
16.x
CONFIGURATION
OS / ENVIRONMENT
SUMMARY

The bigip_device_info module doesn't capture gather_subset for client-ssl-profiles if Client Certificate Constrained Delegation is selected for Client Fallback Certificate.
F5 config:

 ltm profile client-ssl test-skyse {
    app-service none
    c3d-client-fallback-cert lb-june_cert_May2023
    ca-file test01.test_211.crt
    cert-key-chain {
        default_fqdn_2023_1 {
            cert default.crt
            chain fqdn_2023
            key default.key
            usage CA
        }
        default_test01.test_211_0 {
            cert default.crt
            chain test01.test_211.crt
            key default.key
        }
    }
    defaults-from clientssl
    inherit-ca-certkeychain false
    inherit-certkeychain false
    peer-cert-mode request
    ssl-forward-proxy enabled
}

STEPS TO REPRODUCE

Looks like it's a bug

    - name: Collect BIG-IP information
      bigip_device_info:
        gather_subset:
          - client-ssl-profiles
        provider: "{{ provider }}"
      delegate_to: localhost

EXPECTED RESULTS

Full cert client profile info to be displayed; here '**lb-june_cert_May2023**' should also be displayed.

ACTUAL RESULTS

        {
            "alert_timeout": 0,
            "allow_non_ssl": "no",
            "authenticate_depth": 9,
            "authenticate_frequency": "once",
            "ca_file": "/Common/fqdn_2023.crt",
            "cache_size": 262144,
            "cache_timeout": 3600,
            "certificate_file": "/Common/default.crt",
            "chain_file": "/Common/test01.test_211.crt",
            "ciphers": [
                "DEFAULT"
            ],
            "description": "none",
            "forward_proxy_ca_certificate_file": "/Common/default.crt",
            "forward_proxy_ca_key_file": "/Common/default.key",
            "forward_proxy_certificate_extension_include": [
                "basic-constraints",
                "subject-alternative-name"
            ],
            "forward_proxy_certificate_lifespan": 30,
            "forward_proxy_enabled": "yes",
            "forward_proxy_lookup_by_ipaddr_port": "no",
            "full_path": "/Common/test-skyse",
            "handshake_timeout": 10,
            "key_file": "/Common/default.key",
            "modssl_methods": "no",
            "name": "test-skyse",
            "parent": "/Common/clientssl",
            "peer_certification_mode": "request",
            "profile_mode_enabled": "yes",
            "renegotiation": "yes",
            "renegotiation_maximum_record_delay": 0,
            "renegotiation_period": 0,
            "retain_certificate": "yes",
            "secure_renegotiation_mode": "require",
            "session_ticket": "no",
            "sni_default": "no",
            "sni_require": "no",
            "strict_resume": "no",
            "unclean_shutdown": "yes"
        }
f5killer added the bug and untriaged labels on Aug 21, 2024
@pgouband
Contributor

Hi @f5killer,

Thanks for your feedback. It's not a bug. As described in https://clouddocs.f5.com/products/orchestration/ansible/devel/modules/bigip_device_info_module.html#bigip-device-info-module-3 only some information is queried.
We will monitor if there are more requests on the same topic.

pgouband added the enhancement label and removed the bug and untriaged labels on Aug 26, 2024
@f5killer
Author

f5killer commented Sep 3, 2024

Added case also.. 00671573
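
Since the module output above carries no C3D field, one way to inventory which client-ssl profiles set a C3D fallback certificate is to parse `tmsh list ltm profile client-ssl` output directly. This is an added example, not part of the issue or of the F5 collection; the function names and the sample text (trimmed from the stanza in the report, plus a made-up second profile) are constructed, and treating `none` as "unset" is an assumption.

```python
import re

# Constructed sample: trimmed from the stanza in the report, plus a made-up
# second profile whose C3D fallback certificate is unset.
SAMPLE = """\
ltm profile client-ssl test-skyse {
    c3d-client-fallback-cert lb-june_cert_May2023
    cert-key-chain {
        default_fqdn_2023_1 {
            cert default.crt
        }
    }
    defaults-from clientssl
}
ltm profile client-ssl plain-profile {
    c3d-client-fallback-cert none
    defaults-from clientssl
}
"""

HEADER = re.compile(r"^ltm profile client-ssl (\S+) \{$")

def parse_client_ssl(text):
    """Return {profile: {property: value}}, top-level properties only."""
    profiles, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:
            m = HEADER.match(line)
            if line.endswith("{"):
                # Other object types open a block too; ignore their contents.
                current = profiles.setdefault(m.group(1), {}) if m else None
                depth = 1
        elif line.endswith("{"):
            depth += 1          # nested block such as cert-key-chain
        elif line == "}":
            depth -= 1
        elif depth == 1 and current is not None and line:
            key, _, value = line.partition(" ")
            current[key] = value
    return profiles

def c3d_fallback_certs(text):
    """Map each profile with c3d-client-fallback-cert set (assumed: not 'none')."""
    return {name: props["c3d-client-fallback-cert"]
            for name, props in parse_client_ssl(text).items()
            if props.get("c3d-client-fallback-cert", "none") != "none"}

if __name__ == "__main__":
    print(c3d_fallback_certs(SAMPLE))
```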
