brocade_security_security_certificate_generate #164

Open
autocoder10 opened this issue Dec 27, 2024 · 5 comments

Comments

@autocoder10 (Author)

Hello, I'm trying to generate the CSR for a lab switch with FOS v9.1.1d2 using the brocade_security_security_certificate_generate.py module but I am getting a 400 REST error code. I tried multiple times and still no luck. Can you please let me know what I'm doing wrong?

Error Message:
"POST_resp_data": {
    "errors": {
        "@xmlns": "urn:ietf:params:xml:ns:yang:ietf-restconf",
        "error": {
            "error-type": "application",
            "error-tag": "operation-failed",
            "error-app-tag": "Error",
            "error-message": "Invalid input data",
            "error-info": {
                "error-code": "16715778",
                "error-module": "cal"
            }
        }
    }
},
"POST_resp_code": 400,
"POST_resp_reason": "Bad Request",
"msg": "POST failed",

CLI Command Process:
labswitch:switchansible> seccertmgmt generate -csr https
Generating a CSR will automatically do the following:
Delete all existing CSRs.

Warning:
Key-pair generation is CPU intensive and can cause high CPU usage
Private IPs and hostnames should not be part of SCN and/or SAN per CA/Browser forum.

Continue (yes, y, no, n): [no] yes
Country Name (2 letter code, eg, US):US
State or Province Name (full name, eg, California):state1
Locality Name (eg, city name):city1
Organization Name (eg, company name):company1
Organizational Unit Name (eg, department name):test1
Common Name (Fully qualified Domain Name, or IP address):labswitch.domain.com
Email Address:[email protected]
Subject Alternative Name, DNS (Fully Qualified Domain Name, or IP Address):labswitch.domain.com
Subject Alternative Name, DNS (Fully Qualified Domain Name, or IP Address):
Subject Alternative Name, IPAddress (IP v4 or v6 address):
Generating CSR, file name is: 10.10.10.10.csr
labswitch:switchansible>

Playbook:
  vars:
    generate_inputs:
      certificate_entity: csr
      certificate_type: https
      country_name: US
      state_name: state1
      locality_name: city1
      organization_name: company1
      unit_name: test1
      domain_name: "labswitch.domain.com"
      email_address: "[email protected]"
      subject_alternative_name_dns_names:
        - dns-name: "labswitch.domain.com"
      ip_address_in_subject_alternative_name: false

  tasks:
    - name: CSR generation. Existing CSR is not compared. This task will always change.
      brocade_security_security_certificate_generate:
        credential: "{{ credential }}"
        vfid: -1
        generate_inputs: "{{ generate_inputs }}"
@autocoder10 (Author)

autocoder10 commented Jan 2, 2025

@daniel-chung-broadcom @prasad-valmeti-broadcom Can someone please help me with this?

@prasad-valmeti-broadcom (Collaborator)

Please share the FOS ansible version that you are using.
Hope you have looked at the sample playbook for CSR generation and export:
csr_gen_export.yml

Also, share the debug logs with "ansible-playbook .... -vvvvv" to have more insight into the issue.

@autocoder10 (Author)

@prasad-valmeti-broadcom :
FOS version:
Kernel: 4.1.35rt41
Fabric OS: v9.1.1d2
Made on: Wed Jul 10 13:50:12 2024
Flash: Fri Nov 29 15:44:29 2024
BootProm: 4.0.22-sb

Ansible Version: Ansible Automation Platform Controller 4.4.8
ansible-playbook [core 2.15.12]
config file = /runner/project/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.9/site-packages/ansible
ansible collection location = /runner/requirements_collections:/root/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/bin/ansible-playbook
python version = 3.9.19 (main, Aug 26 2024, 11:01:47) [GCC 8.5.0 20210514 (Red Hat 8.5.0-22)] (/usr/bin/python3.9)
jinja version = 3.1.4
libyaml = True
Using /runner/project/ansible.cfg as config file

I reviewed the csr_gen_export.yml sample playbook, but I need to add a few more additional input vars under "generate_inputs" for our requirement, which are below.

Organizational Unit Name (eg, department name):test1
Common Name (Fully qualified Domain Name, or IP address):labswitch.domain.com
Email Address:[email protected]
Subject Alternative Name, DNS (Fully Qualified Domain Name, or IP Address):labswitch.domain.com
Subject Alternative Name, DNS (Fully Qualified Domain Name, or IP Address):
Subject Alternative Name, IPAddress (IP v4 or v6 address):

Debug logs with "ansible-playbook .... -vvvvv":

ESTABLISH LOCAL CONNECTION FOR USER: root
EXEC /bin/sh -c 'echo ~root && sleep 0'
EXEC /bin/sh -c '( umask 77 && mkdir -p "`echo /root/.ansible/tmp`"&& mkdir "`echo /root/.ansible/tmp/ansible-tmp-1736442044.6332247-131-206189363536400`" && echo ansible-tmp-1736442044.6332247-131-206189363536400="`echo /root/.ansible/tmp/ansible-tmp-1736442044.6332247-131-206189363536400`" ) && sleep 0'
Including module_utils file ansible/__init__.py
Including module_utils file ansible/module_utils/__init__.py
Including module_utils file ansible/module_utils/basic.py
Including module_utils file ansible/module_utils/_text.py
Including module_utils file ansible/module_utils/brocade_objects.py
Including module_utils file ansible/module_utils/brocade_access_gateway.py
Including module_utils file ansible/module_utils/brocade_chassis.py
Including module_utils file ansible/module_utils/brocade_connection.py
Including module_utils file ansible/module_utils/brocade_fibrechannel_configuration.py
Including module_utils file ansible/module_utils/brocade_fibrechannel_switch.py
Including module_utils file ansible/module_utils/brocade_interface.py
Including module_utils file ansible/module_utils/brocade_security.py
Including module_utils file ansible/module_utils/brocade_snmp.py
Including module_utils file ansible/module_utils/brocade_ssh.py
Including module_utils file ansible/module_utils/brocade_url.py
Including module_utils file ansible/module_utils/brocade_xml.py
Including module_utils file ansible/module_utils/brocade_yang.py
Including module_utils file ansible/module_utils/common/_json_compat.py
Including module_utils file ansible/module_utils/common/__init__.py
Including module_utils file ansible/module_utils/common/_utils.py
Including module_utils file ansible/module_utils/common/arg_spec.py
Including module_utils file ansible/module_utils/common/file.py
Including module_utils file ansible/module_utils/common/locale.py
Including module_utils file ansible/module_utils/common/parameters.py
Including module_utils file ansible/module_utils/common/collections.py
Including module_utils file ansible/module_utils/common/process.py
Including module_utils file ansible/module_utils/common/sys_info.py
Including module_utils file ansible/module_utils/common/text/converters.py
Including module_utils file ansible/module_utils/common/text/__init__.py
Including module_utils file ansible/module_utils/common/text/formatters.py
Including module_utils file ansible/module_utils/common/validation.py
Including module_utils file ansible/module_utils/common/warnings.py
Including module_utils file ansible/module_utils/compat/selectors.py
Including module_utils file ansible/module_utils/compat/__init__.py
Including module_utils file ansible/module_utils/compat/_selectors2.py
Including module_utils file ansible/module_utils/compat/selinux.py
Including module_utils file ansible/module_utils/distro/__init__.py
Including module_utils file ansible/module_utils/distro/_distro.py
Including module_utils file ansible/module_utils/errors.py
Including module_utils file ansible/module_utils/parsing/convert_bool.py
Including module_utils file ansible/module_utils/parsing/__init__.py
Including module_utils file ansible/module_utils/pycompat24.py
Including module_utils file ansible/module_utils/six/__init__.py
Including module_utils file ansible/module_utils/urls.py
Including module_utils file ansible/module_utils/compat/typing.py
Using module file /runner/project/library/brocade_security_security_certificate_generate.py
PUT /root/.ansible/tmp/ansible-local-10an1tjl82/tmpf2qnuvcx TO /root/.ansible/tmp/ansible-tmp-1736442044.6332247-131-206189363536400/AnsiballZ_brocade_security_security_certificate_generate.py
EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1736442044.6332247-131-206189363536400/ /root/.ansible/tmp/ansible-tmp-1736442044.6332247-131-206189363536400/AnsiballZ_brocade_security_security_certificate_generate.py && sleep 0'
EXEC /bin/sh -c 'SSL_CERT_FILE=files/dfs_prod_G3_chain.pem /usr/bin/env python3 /root/.ansible/tmp/ansible-tmp-1736442044.6332247-131-206189363536400/AnsiballZ_brocade_security_security_certificate_generate.py && sleep 0'
EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1736442044.6332247-131-206189363536400/ > /dev/null 2>&1 && sleep 0'

TASK [CSR generation. Existing CSR is not compared. This task will always change.] ***
task path: /runner/project/Test_newCSRgenerateexport_Updated_INCL2.yml:40
fatal: [labswitch]: FAILED! => {
    "GET_url": "https:///rest/running/brocade-fibrechannel-switch/fibrechannel-switch",
    "POST_resp_code": 400,
    "POST_resp_data": {
        "errors": {
            "@xmlns": "urn:ietf:params:xml:ns:yang:ietf-restconf",
            "error": {
                "error-app-tag": "Error",
                "error-info": {
                    "error-code": "16715778",
                    "error-module": "cal"
                },
                "error-message": "Invalid input data",
                "error-tag": "operation-failed",
                "error-type": "application"
            }
        }
    },
    "POST_resp_reason": "Bad Request",
    "POST_url": "https://
    /rest/logout",
    "changed": false,
    "current_attributes": {},
    "diff_attributes": {
        "certificate-entity": "csr",
        "certificate-type": "https",
        "country-name": "US",
        "domain-name": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
        "email-address": "[email protected]",
        "ip-address-in-subject-alternative-name": "false",
        "locality-name": "city1",
        "organization-name": "company1",
        "state-name": "state1",
        "subject-alternative-name-dns-names": [
            {
                "dns-name": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
            }
        ],
        "unit-name": "test1"
    },
    "invocation": {
        "module_args": {
            "credential": {
                "fos_ip_addr": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "fos_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "fos_user_name": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "https": true
            },
            "generate_inputs": {
                "certificate_entity": "csr",
                "certificate_type": "https",
                "country_name": "US",
                "domain_name": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "email_address": "[email protected]",
                "ip_address_in_subject_alternative_name": false,
                "locality_name": "city1",
                "organization_name": "company1",
                "state_name": "state1",
                "subject_alternative_name_dns_names": [
                    {
                        "dns-name": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
                    }
                ],
                "unit_name": "test1"
            },
            "throttle": null,
            "timeout": null,
            "vfid": -1
        }
    },
    "msg": "POST failed",
    "new_attributes": {
        "certificate_entity": "csr",
        "certificate_type": "https",
        "country_name": "US",
        "domain_name": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
        "email_address": "[email protected]",
        "ip_address_in_subject_alternative_name": false,
        "locality_name": "city1",
        "organization_name": "company1",
        "state_name": "state1",
        "subject_alternative_name_dns_names": [
            {
                "dns-name": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
            }
        ],
        "unit_name": "test1"
    },
    "patch_obj_str": "\ncsr\nhttps\nUS\nstate1\ncity1\ncompany1\ntest1\n\n[email protected]\n[{'dns-name': ''}]\nfalse\n\n",
    "ssh_hostkeymust": true
}

@prasad-valmeti-broadcom (Collaborator)

From the 9.1 release, brocade-security-yang-types.yang has obsoleted the leaf ip-address-in-subject-alternative-name.
In your playbook, please remove that leaf and try the csr generation.
Please review the yang files for details on whether the leaf is valid for that particular release.
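The advice above amounts to: the YANG file, not the REST parameter page, decides which leaves a given FOS release accepts, and the switch only answers with the opaque "Invalid input data" / error-code 16715778 when an obsolete leaf is sent. The script below is an added example (it is not code from this thread, from the FOS Ansible collection or from Broadcom) showing how a playbook author could pre-check a payload: it scans a YANG module's text for `status obsolete;` inside each node block, drops such leaves from the `generate_inputs` posted above before any request is made, and decodes the ietf-restconf error envelope the switch returned. The `SAMPLE_YANG` text is a constructed stand-in for the relevant part of brocade-security-yang-types.yang (the real file is not quoted in this thread), the `security-certificate-generate` wrapper key is an assumption, and the underscore-to-hyphen renaming is modelled on the `diff_attributes` output above; the email address is a placeholder because the thread redacts it.

```python
"""Pre-flight check for a FOS REST payload built from Ansible generate_inputs.

1. Parse YANG module text and record each node's 'status' statement.
2. Drop leaves marked 'obsolete' before the payload would be POSTed.
3. Decode an ietf-restconf error envelope when the switch still answers 400.
"""
import json
import re

# Constructed stand-in for part of brocade-security-yang-types.yang; the real
# file's wording is not shown in the thread. Only 'status obsolete;' matters.
SAMPLE_YANG = """
container security-certificate-generate {
  leaf certificate-entity { type string; }
  leaf certificate-type { type string; }
  leaf domain-name { type string; }
  list subject-alternative-name-dns-names {
    key "dns-name";
    leaf dns-name { type string; }
  }
  leaf ip-address-in-subject-alternative-name {
    type boolean;
    status obsolete;
    description "Obsoleted from FOS 9.1 (assumed wording).";
  }
}
"""

# generate_inputs as posted in the issue (email address is a placeholder).
GENERATE_INPUTS = {
    "certificate_entity": "csr", "certificate_type": "https",
    "country_name": "US", "state_name": "state1", "locality_name": "city1",
    "organization_name": "company1", "unit_name": "test1",
    "domain_name": "labswitch.domain.com", "email_address": "admin@domain.com",
    "subject_alternative_name_dns_names": [{"dns-name": "labswitch.domain.com"}],
    "ip_address_in_subject_alternative_name": False,
}

# The 400 body from the thread, as the module returns it in POST_resp_data.
FOS_400_RESPONSE = {"errors": {
    "@xmlns": "urn:ietf:params:xml:ns:yang:ietf-restconf",
    "error": {"error-type": "application", "error-tag": "operation-failed",
              "error-app-tag": "Error", "error-message": "Invalid input data",
              "error-info": {"error-code": "16715778", "error-module": "cal"}}}}

NODE_RE = re.compile(r"\b(leaf|leaf-list|list|container)\s+([\w.-]+)\s*\{")


def yang_node_status(yang_text):
    """Map every leaf/leaf-list/list/container name to its YANG status.

    A node is 'current' unless 'status deprecated;' or 'status obsolete;'
    appears directly in its own block; nested child blocks are peeled off
    first so a child's status is never attributed to the parent.
    """
    statuses = {}
    for match in NODE_RE.finditer(yang_text):
        depth, i = 1, match.end()
        while i < len(yang_text) and depth:          # find the matching '}'
            depth += {"{": 1, "}": -1}.get(yang_text[i], 0)
            i += 1
        body = yang_text[match.end():i - 1]
        while True:                                   # strip nested blocks
            stripped = re.sub(r"\{[^{}]*\}", " ", body)
            if stripped == body:
                break
            body = stripped
        found = re.search(r"\bstatus\s+(current|deprecated|obsolete)\s*;", body)
        statuses[match.group(2)] = found.group(1) if found else "current"
    return statuses


def to_rest_payload(generate_inputs, yang_text):
    """Rename Ansible keys to YANG leaf names and drop obsolete leaves.

    Returns (payload, dropped_leaves). The wrapper key is an assumption.
    """
    statuses = yang_node_status(yang_text)
    payload, dropped = {}, []
    for key, value in generate_inputs.items():
        leaf = key.replace("_", "-")
        if statuses.get(leaf) == "obsolete":
            dropped.append(leaf)
            continue
        payload[leaf] = value
    return {"security-certificate-generate": payload}, dropped


def decode_restconf_error(resp_data):
    """Flatten an ietf-restconf 'errors' envelope (one object or a list)."""
    errors = resp_data.get("errors", {}).get("error", [])
    if isinstance(errors, dict):
        errors = [errors]
    decoded = []
    for err in errors:
        info = err.get("error-info") or {}
        decoded.append({"tag": err.get("error-tag"),
                        "message": err.get("error-message"),
                        "code": info.get("error-code"),
                        "module": info.get("error-module")})
    return decoded


if __name__ == "__main__":
    payload, dropped = to_rest_payload(GENERATE_INPUTS, SAMPLE_YANG)
    print("dropped obsolete leaves:", dropped)
    print(json.dumps(payload, indent=2))
    for err in decode_restconf_error(FOS_400_RESPONSE):
        print("switch error:", err)
```

Run against the posted inputs the check drops `ip-address-in-subject-alternative-name` and keeps everything else, which is exactly the change that made the CSR generation succeed further down in the thread. The point of decoding the error envelope as well is that FOS's `cal` module reports only a numeric code and "Invalid input data" without naming the offending leaf, so the YANG status is the only place the answer can be read off; leaves a release merely marks `deprecated` are still sent, since the switch still accepts them.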

@autocoder10 (Author)

It worked once I removed the "ip-address-in-subject-alternative-name" option.

Sorry, I got confused. From the link below I still see "ip-address-in-subject-alternative-name" as a valid option, so I added that in my task:

https://techdocs.broadcom.com/us/en/fibre-channel-networking/fabric-os/fabric-os-rest-api/9-1-x/FOS-REST-API-Parameters/brocade-security-security-certificate-generate_911.html

Thanks for the help.
