Fix vtl verification

This patch fixes a couple of issues that were causing the NTLS connection to fail: * Changed the CN used in the client cert to be the FQDN to ensure that the CN and hostname match. * Modified the scp commands to add the '-O' option to use the legacy scp protocol. Change-Id: I8996872d917ba9cbeaeb2a1c9a25e9db98713252 (cherry picked from commit 5c101144bc) (cherry picked from commit 757c2e0426) (cherry picked from commit 0821d23814)
2023-10-06 11:53:47 -04:00 · 2023-10-06 11:53:47 -04:00 · d93586cc73
commit d93586cc73
parent bbf8f858c1
2 changed files with 3 additions and 3 deletions
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@ -30,7 +30,7 @@
    client_name: "{{ ansible_facts['fqdn'] }}"
    client_reg_opt: "-hostname"
    client_host: "{{ ansible_facts['fqdn'] }}"
-    client_cert_cn: "{{ inventory_hostname }}"
+    client_cert_cn: "{{ ansible_facts['fqdn'] }}"
  when: lunasa_client_ip is undefined

 - name: set client facts for IP override
--- a/tasks/register_client.yaml
+++ b/tasks/register_client.yaml
@ -6,7 +6,7 @@
 - name: Get the hsm server cert from the hsm_server
  shell: >
    sshpass -p '{{ hsm_admin_password }}'
-    scp -o StrictHostKeyChecking=false -c aes256-cbc
+    scp -O -o StrictHostKeyChecking=false -c aes256-cbc
    admin@{{ hsm_hostname }}:server.pem
    /usr/safenet/lunaclient/bin/{{ hsm_hostname }}.pem
  args:
@ -50,7 +50,7 @@
  block:
    - name: Copy the NTL client cert to the HSM
      shell: >
-        sshpass -p '{{ hsm_admin_password }}' scp -c aes256-cbc
+        sshpass -p '{{ hsm_admin_password }}' scp -O -c aes256-cbc
        /usr/safenet/lunaclient/cert/client/{{ client_cert_cn }}.pem
        admin@{{ hsm_hostname }}:{{ client_host }}.pem