Fix vtl verification

This patch fixes a couple of issues that were causing the NTLS
connection to fail:

* Changed the CN used in the client cert to be the FQDN to ensure that
  the CN and hostname match.

* Modified the scp commands to add the '-O' option to use the legacy scp
  protocol.

Change-Id: I8996872d917ba9cbeaeb2a1c9a25e9db98713252
(cherry picked from commit 5c101144bc)
(cherry picked from commit 757c2e0426)
(cherry picked from commit 0821d23814)
(cherry picked from commit d93586cc73)
(cherry picked from commit 5a92831b80)
(cherry picked from commit 5e2fc97ced)
Douglas Mendizábal 2023-10-06 11:53:47 -04:00
parent b9fba2800e
commit 5b8127c9ff
2 changed files with 3 additions and 3 deletions


@ -30,7 +30,7 @@
client_name: "{{ ansible_facts['fqdn'] }}"
client_reg_opt: "-hostname"
client_host: "{{ ansible_facts['fqdn'] }}"
client_cert_cn: "{{ inventory_hostname }}"
client_cert_cn: "{{ ansible_facts['fqdn'] }}"
when: lunasa_client_ip is undefined
- name: set client facts for IP override
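Review bot: The new `client_cert_cn` value is taken from a gathered fact with no guard, so when fact gathering is skipped or `ansible_facts['fqdn']` resolves to a placeholder such as `localhost.localdomain`, the CN silently stops matching the name the HSM resolves for the client, which is the very mismatch this commit sets out to fix. Consider tightening the condition to `when: lunasa_client_ip is undefined and ansible_facts['fqdn'] is defined`, and since the same value is later interpolated unquoted into a `shell:` command in the second file (`{{ client_cert_cn }}.pem`), apply `| quote` there or validate the fact against a hostname pattern before it reaches the shell. The three keys now carry the identical expression; a comment such as `# CN must equal the FQDN the HSM resolves for this client, or NTLS registration fails` would record why they have to stay in sync. The enclosing task starts outside the hunk.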


@ -6,7 +6,7 @@
- name: Get the hsm server cert from the hsm_server
shell: >
sshpass -p '{{ hsm_admin_password }}'
scp -o StrictHostKeyChecking=false -c aes256-cbc
scp -O -o StrictHostKeyChecking=false -c aes256-cbc
admin@{{ hsm_hostname }}:server.pem
/usr/safenet/lunaclient/bin/{{ hsm_hostname }}.pem
args:
@ -50,7 +50,7 @@
block:
- name: Copy the NTL client cert to the HSM
shell: >
sshpass -p '{{ hsm_admin_password }}' scp -c aes256-cbc
sshpass -p '{{ hsm_admin_password }}' scp -O -c aes256-cbc
/usr/safenet/lunaclient/cert/client/{{ client_cert_cn }}.pem
admin@{{ hsm_hostname }}:{{ client_host }}.pem