From 757c2e042696123935f51905b5b9d6c779358de2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?=
Date: Fri, 6 Oct 2023 11:53:47 -0400
Subject: [PATCH] Fix vtl verification

This patch fixes a couple of issues that were causing the NTLS connection to fail:
* Changed the CN used in the client cert to be the FQDN to ensure that the CN and hostname match.
* Modified the scp commands to add the '-O' option to use the legacy scp protocol.
Change-Id: I8996872d917ba9cbeaeb2a1c9a25e9db98713252
(cherry picked from commit 5c101144bcb6db119fb0bf955fc8636c86baf33d)
---
 tasks/main.yaml | 2 +-
 tasks/register_client.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/tasks/main.yaml b/tasks/main.yaml
index b54939c..c541faa 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -32,7 +32,7 @@
 client_name: "{{ ansible_facts['fqdn'] }}"
 client_reg_opt: "-hostname"
 client_host: "{{ ansible_facts['fqdn'] }}"
- client_cert_cn: "{{ inventory_hostname }}"
+ client_cert_cn: "{{ ansible_facts['fqdn'] }}"
 when: lunasa_client_ip is undefined
 - name: Set client facts for IP override
diff --git a/tasks/register_client.yaml b/tasks/register_client.yaml
index a3b72d9..bc62f96 100644
--- a/tasks/register_client.yaml
+++ b/tasks/register_client.yaml
@@ -6,7 +6,7 @@
 - name: Get the hsm server cert from the hsm_server
 ansible.builtin.shell: >
 sshpass -p '{{ hsm_admin_password }}'
- scp -o StrictHostKeyChecking=false -c aes256-cbc
+ scp -O -o StrictHostKeyChecking=false -c aes256-cbc
 admin@{{ hsm_hostname }}:server.pem
 /usr/safenet/lunaclient/bin/{{ hsm_hostname }}.pem
 args:
@@ -52,7 +52,7 @@
 block:
 - name: Copy the NTL client cert to the HSM
 ansible.builtin.shell: >
- sshpass -p '{{ hsm_admin_password }}' scp -c aes256-cbc
+ sshpass -p '{{ hsm_admin_password }}' scp -O -c aes256-cbc
 /usr/safenet/lunaclient/cert/client/{{ client_cert_cn }}.pem
 admin@{{ hsm_hostname }}:{{ client_host }}.pem
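Review bot: After the added line in the tasks/main.yaml hunk, `client_name`, `client_host` and `client_cert_cn` all repeat the same `"{{ ansible_facts['fqdn'] }}"` expression, so a later edit to one of them can silently reintroduce the CN/hostname mismatch this commit fixes; a YAML anchor on the first occurrence (`client_host: &client_fqdn "{{ ansible_facts['fqdn'] }}"` then `client_cert_cn: *client_fqdn`) keeps the invariant in one place. The value also depends on fact gathering having produced a fully qualified name on the client; if a bare hostname is possible on some hosts and the HSM requires a dotted name, an `ansible.builtin.assert` on `ansible_facts['fqdn']` before the certificate is generated would fail early with a clear message instead of at NTLS time — I can't tell from the hunk whether such a check exists. The task that owns these keys starts above the hunk, and the IP-override branch that begins at the last context line is outside it, so I can't see whether that branch's CN was updated in the same way.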
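Review bot: The certificate that anchors the NTLS trust is fetched over an SSH session with host-key checking disabled, so the new `scp -O -o StrictHostKeyChecking=false -c aes256-cbc` line still accepts whatever host answers as `hsm_hostname`, and a substituted `server.pem` at this step would be trusted by every later NTLS connection. Pinning the HSM's host key is the usual mitigation, e.g. `scp -O -o StrictHostKeyChecking=yes -o UserKnownHostsFile=<path to pinned known_hosts file> -c aes256-cbc`, with the key shipped alongside the role's other variables. Separately, `sshpass -p '{{ hsm_admin_password }}'` puts the password on the command line, where it is visible in the process list and in Ansible's logged command unless the task sets `no_log: true`; the rest of this task, including any `no_log`, is outside the hunk, so I can't confirm it. Because the command is a shell `>` scalar, a password containing a single quote also breaks the quoting; `sshpass -p {{ hsm_admin_password | quote }}` without the surrounding quotes is more robust. The third hunk (`Copy the NTL client cert to the HSM`) has the same three properties and is cut off at the end of the patch.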