Venafi / ansible-role-venafi

(END-OF-LIFE) Ansible Role that uses Venafi to streamline machine identity (certificate and key) acquisition.
Apache License 2.0
14 stars 8 forks

Getting 401 Error on one Ansible Control Host but not others #34

Open AaronJaegerVA opened 3 years ago

AaronJaegerVA commented 3 years ago

We have an Ansible Tower cluster with three nodes (Ansible control hosts). When we run a job template that calls a playbook that calls the Venafi Ansible role, we regularly get this error on node 001, but rarely or never on nodes 002 and 003.

```
fatal: [vac10appdas607e.va.gov -> vhaispopsans001.vha.med.va.gov]: FAILED! => {"changed": false, "module_stderr": "ERROR:root:Unknown error format: <!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n<head>\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\"/>\r\n<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>\r\n<style type=\"text/css\">\r\n<!--\r\nbody{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}\r\nfieldset{padding:0 15px 10px 15px;} \r\nh1{font-size:2.4em;margin:0;color:#FFF;}\r\nh2{font-size:1.7em;margin:0;color:#CC0000;} \r\nh3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} \r\n#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:\"trebuchet MS\", Verdana, sans-serif;color:#FFF;\r\nbackground-color:#555555;}\r\n#content{margin:0 0 0 2%;position:relative;}\r\n.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}\r\n-->\r\n</style>\r\n</head>\r\n<body>\r\n<div id=\"header\"><h1>Server Error</h1></div>\r\n<div id=\"content\">\r\n <div class=\"content-container\"><fieldset>\r\n  <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>\r\n  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>\r\n </fieldset></div>\r\n</div>\r\n</body>\r\n</html>\r\n\nTraceback (most recent call last):\n  File \"<stdin>\", line 102, in <module>\n  File \"<stdin>\", line 94, in _ansiballz_main\n  File \"<stdin>\", line 40, in invoke_module\n  File \"/usr/lib64/python2.7/runpy.py\", line 176, in run_module\n    fname, loader, pkg_name)\n  File \"/usr/lib64/python2.7/runpy.py\", line 82, in _run_module_code\n    mod_name, mod_fname, mod_loader, pkg_name)\n  File \"/usr/lib64/python2.7/runpy.py\", line 72, in _run_code\n    exec code in run_globals\n  File \"/tmp/ansible_venafi_certificate_payload_x1qscB/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py\", line 719, in <module>\n  File \"/tmp/ansible_venafi_certificate_payload_x1qscB/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py\", line 710, in main\n  File \"/tmp/ansible_venafi_certificate_payload_x1qscB/ansible_venafi_certificate_payload.zip/ansible/modules/venafi_certificate.py\", line 389, in enroll\n  File \"/usr/lib/python2.7/site-packages/vcert/connection_tpp.py\", line 293, in read_zone_conf\n    status, data = self._post(URLS.ZONE_CONFIG, {\"PolicyDN\":  self._get_policy_dn(tag)})\n  File \"/usr/lib/python2.7/site-packages/vcert/connection_tpp.py\", line 92, in _post\n    self.auth()\n  File \"/usr/lib/python2.7/site-packages/vcert/connection_tpp.py\", line 123, in auth\n    status, user = self.process_server_response(r)\n  File \"/usr/lib/python2.7/site-packages/vcert/common.py\", line 467, in process_server_response\n    (r.status_code, r.request.url))\nvcert.errors.VenafiConnectionError: Server status: 401\n Response: https://vaww.certmgr.va.gov/vedsdk/authorize/\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
```

The nodes are configured as identically as possible. I am digging for some difference somewhere. Can someone point me in the right direction? Ansible is authenticating with a username/password service account.

tr1ck3r commented 3 years ago

@AaronJaegerVA can you share a bit more on the TPP side of your architecture? Is https://vaww.certmgr.va.gov/ a single TPP API server or a virtual server load balancing traffic between several TPP API servers? Do your Ansible nodes have direct network connectivity with the TPP API endpoint or does traffic traverse a proxy server? Also, do your TPP API servers have certificate authentication enabled in IIS (specifically looking at the SSL Settings of the "VEDSDK" application under the "Venafi" web site)? Are you able to enroll a certificate from your Ansible node 001 using our VCert CLI utility with legacy username/password authentication (i.e. --tpp-user and --tpp-password)?

Have you tried using token authentication with our Ansible Role? Many of the TPP side configuration requirements for legacy username/password authentication do not exist when using token authentication and we strongly advise making the transition to token authentication because legacy username/password authentication will be dropped from TPP in 2021. Token authentication is also more performant and more secure since a token can only be used for API access whereas a username/password can be used to access the TPP web console and possibly other enterprise applications if it is a non-local user.
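An added diagnostic script for the two lines of investigation raised in the reply above (which backend answers a given control host, and whether the 401 is coming from IIS or from TPP), plus the token-authentication path. It is not code from the issue, from the Ansible role or from vcert; it uses only the Python standard library. One detail in the traceback is worth noticing: the response body is IIS's own HTML "401 - Unauthorized" page rather than TPP's JSON error, which is exactly why vcert prints `Unknown error format`. Run the same command on nodes 001, 002 and 003 and compare the `verdict`, `server`, `www_authenticate` and `set_cookie` fields. The hostname, user and password are placeholders, the `client_id` "vcert-sdk" and the `certificate:manage` scope are assumed values (the client_id must match an API Application Integration registered in your TPP), and the `{"Error": ...}` JSON shape for a TPP-level rejection is an assumption about TPP's error format, not something stated in the issue.

```python
"""Added diagnostic script; not part of the Venafi role, vcert or the issue.

Sends one legacy (/vedsdk/authorize/) or token (/vedauth/authorize/oauth)
authentication request to a TPP API endpoint and classifies the reply, so
the same command can be run on each Ansible control host and compared.
"""
import json
import ssl
import sys
import urllib.error
import urllib.request

LEGACY_PATH = "vedsdk/authorize/"        # legacy username/password -> APIKey
TOKEN_PATH = "vedauth/authorize/oauth"   # token authentication -> access_token

# Constructed sample, modelled on the IIS error page quoted in the issue.
SAMPLE_IIS_401 = (
    '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" '
    '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\r\n<html>'
    "<head><title>401 - Unauthorized: Access is denied due to invalid "
    "credentials.</title></head><body>Server Error</body></html>"
)


def build_auth_request(mode, user, password, client_id="vcert-sdk",
                       scope="certificate:manage"):
    """Return (path, JSON body) for the chosen authentication mode.

    client_id must name an API Application Integration registered in TPP;
    "vcert-sdk" and the scope are assumed values, not taken from the issue.
    """
    if mode == "legacy":
        return LEGACY_PATH, {"Username": user, "Password": password}
    if mode == "token":
        return TOKEN_PATH, {"username": user, "password": password,
                            "client_id": client_id, "scope": scope}
    raise ValueError("mode must be 'legacy' or 'token', got %r" % mode)


def classify_response(status, content_type, body):
    """Distinguish who rejected the request.

    'tpp-ok'     : TPP issued an APIKey or an access_token
    'tpp-denied' : TPP itself answered with a JSON error body (assumed shape)
    'iis-denied' : IIS answered 401 with its own HTML error page, so TPP never
                   saw the request; this is the body shape in the traceback
                   above and why vcert reports "Unknown error format"
    'unknown'    : anything else
    """
    if "json" in (content_type or "").lower():
        try:
            data = json.loads(body)
        except ValueError:
            return "unknown"
        if not isinstance(data, dict):
            return "unknown"
        if status == 200 and ("APIKey" in data or "access_token" in data):
            return "tpp-ok"
        return "tpp-denied" if status in (400, 401, 403) else "unknown"
    if status == 401 and "<html" in body.lower():
        return "iis-denied"
    return "unknown"


def probe(base_url, mode, user, password, cafile=None, timeout=15):
    """POST one auth request and summarise the reply.

    Server / Set-Cookie are reported because, behind a VIP balancing several
    IIS hosts, they are often the quickest way to see which backend answered.
    WWW-Authenticate shows which IIS authentication scheme, if any, challenged.
    """
    path, payload = build_auth_request(mode, user, password)
    url = base_url.rstrip("/") + "/" + path
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json"})
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as r:
            status, headers = r.status, r.headers
            body = r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:          # 4xx/5xx replies still carry a body
        status, headers = e.code, e.headers
        body = e.read().decode("utf-8", "replace")
    return {
        "url": url,
        "status": status,
        "verdict": classify_response(status, headers.get("Content-Type", ""), body),
        "server": headers.get("Server"),
        "www_authenticate": headers.get("WWW-Authenticate"),
        "set_cookie": headers.get("Set-Cookie"),
    }


if __name__ == "__main__":
    # usage: python tpp_auth_probe.py https://tpp.example.test USER PASSWORD [ca.pem]
    if len(sys.argv) < 4:
        sys.exit("usage: tpp_auth_probe.py BASE_URL USER PASSWORD [CA_FILE]")
    base, user, pw = sys.argv[1:4]
    ca = sys.argv[4] if len(sys.argv) > 4 else None
    for m in ("legacy", "token"):
        print(json.dumps(probe(base, m, user, pw, cafile=ca), indent=2))
```

If node 001 returns `iis-denied` while the other two return `tpp-ok` or `tpp-denied`, the difference is in front of TPP (a different backend behind the VIP, an IIS authentication or SSL setting on one host, or a proxy in the path), not in the Ansible role; if all three return `iis-denied` for legacy but `tpp-ok` for token, the IIS-side requirements that only legacy authentication depends on are the likely cause.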

AaronJaegerVA commented 3 years ago

I will ask our Venafi administrators about token authentication. Thank you.