AnsiblePilot — Master Ansible Automation

About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible troubleshooting - VMware certificate verify failed connecting to vCenter or ESXi

By Luca Berton · Published 2024-01-01 · Category: installation

Learn how to resolve the "certificate verify failed" error in Ansible when connecting to VMware vCenter. Follow our step-by-step guide for a smooth fix.

Today we're going to talk about Ansible troubleshooting, specifically the "Unable to connect to vCenter or ESXi API [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)" message when using Ansible for VMware. This fatal error happens when the Ansible controller is not able to connect to your VMware infrastructure. The root cause might be a self-signed SSL certificate or a chain of trust that is not correctly installed on your Ansible controller. I'm Luca Berton and welcome to today's episode of Ansible Pilot.

Playbook

How to reproduce, troubleshoot, and fix the error "Unable to connect to vCenter or ESXi API [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)".

The best way to talk about Ansible troubleshooting is to jump into a live Playbook and show you in practice the "Unknown error while connecting to vCenter or ESXi API [Errno -2] Name or service not known" and how to solve it! In this Playbook, I'm going to reproduce the error and fix it using the correct VMware hostname and verify the network configuration on a demo machine.

error code

• vm_info.yml
---
- name: info vm Playbook
  hosts: localhost
  become: false
  gather_facts: false
  collections:
    - community.vmware
  pre_tasks:
    - include_vars: vars.yml
  tasks:
    - name: get VM info
      vmware_guest_info:
        hostname: "{{ vcenter_hostname }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        datacenter: "{{ vcenter_datacenter }}"
        name: "{{ vm_name }}"
      register: detailed_vm_info
    - name: print VM info
      ansible.builtin.debug:
        var: detailed_vm_info
• vars.yml
---
vcenter_hostname: "vmware.example.com"
vcenter_datacenter: "vmwaredatacenter"
vcenter_username: "username@vsphere.local"
vcenter_password: "MySecretPassword123"
vm_name: "myvm"
• inventory
localhost

error execution

$ ansible-playbook vm_info.yml 
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit
localhost does not match 'all'
PLAY [info vm Playbook] *******************************************************************************
TASK [include_vars] *******************************************************************************
ok: [localhost]
TASK [get VM info] ********************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Unable to connect to vCenter or ESXi API at vmware.example.com on TCP/443: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)"}
PLAY RECAP ****************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

fix code

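It's possible to skip SSL certificate validation by setting the validate_certs parameter to false. For a self-signed certificate, you need to disable the SSL certificate validation. However, I strongly recommend creating a custom chain of trust instead, because with validation disabled the controller sends the vCenter credentials without checking the identity of the server that answers.

• vm_info.yml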
---
- name: info vm Playbook
  hosts: localhost
  become: false
  gather_facts: false
  collections:
    - community.vmware
  pre_tasks:
    - include_vars: vars.yml
  tasks:
    - name: get VM info
      vmware_guest_info:
        hostname: "{{ vcenter_hostname }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        datacenter: "{{ vcenter_datacenter }}"
        validate_certs: "{{ vcenter_validate_certs }}"
        name: "{{ vm_name }}"
      register: detailed_vm_info
    - name: print VM info
      ansible.builtin.debug:
        var: detailed_vm_info
• vars.yml
---
vcenter_hostname: "vmware.example.com"
vcenter_datacenter: "vmwaredatacenter"
vcenter_username: "username@vsphere.local"
vcenter_password: "MySecretPassword123"
vcenter_validate_certs: false

fix execution

$ ansible-playbook vm_info.yml 
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit
localhost does not match 'all'
PLAY [info vm Playbook] *******************************************************************************
TASK [include_vars] *******************************************************************************
ok: [localhost]
TASK [get VM info] ********************************************************************************
ok: [localhost]
TASK [print VM info] ******************************************************************************
ok: [localhost] => {
    "detailed_vm_info": {
        "changed": false,
        "failed": false,
        "instance": {
            "annotation": "",
            "current_snapshot": null,
            "customvalues": {},
            "guest_consolidation_needed": false,
            "guest_question": null,
            "guest_tools_status": "guestToolsNotRunning",
            "guest_tools_version": "0",
            "hw_cluster": "cluster",
            "hw_cores_per_socket": 1,
            "hw_datastores": [
                "Datastore-1"
            ],
            "hw_esxi_host": "vmware.example.com",
            "hw_eth0": {
                "addresstype": "assigned",
                "ipaddresses": null,
                "label": "Network adapter 1",
                "macaddress": "00:50:56:a5:48:ee",
                "macaddress_dash": "00-50-56-a5-48-ee",
                "portgroup_key": null,
                "portgroup_portkey": null,
                "summary": "VM Network"
            },
            "hw_files": [
                "[Datastore-1] myvm/myvm.vmx",
                "[Datastore-1] myvm/myvm.vmsd",
                "[Datastore-1] myvm/myvm.vmdk",
                "[Datastore-1] myvm/myvm_1001_1.vmdk"
            ],
            "hw_folder": "/prod-dc/vm/myvm",
            "hw_guest_full_name": null,
            "hw_guest_ha_state": null,
            "hw_guest_id": null,
            "hw_interfaces": [
                "eth0"
            ],
            "hw_is_template": false,
            "hw_memtotal_mb": 1024,
            "hw_name": "myvm",
            "hw_power_status": "poweredOff",
            "hw_processor_count": 1,
            "hw_product_uuid": "42254893-3793-0e4f-9f61-7c37d244c2a8",
            "hw_version": "vmx-14",
            "instance_uuid": "5025d3e9-6c26-30b5-d29a-2c1be5fa3862",
            "ipv4": null,
            "ipv6": null,
            "module_hw": true,
            "moid": "vm-17947",
            "snapshots": [],
            "vimref": "vim.VirtualMachine:vm-17947",
            "vnc": {}
        }
    }
}
PLAY RECAP ****************************************************************************************
localhost                  : ok=3    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
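
The custom chain of trust recommended in the fix section, as an added example that is not part of the original playbook: it installs the CA that signed the vCenter certificate as a trust anchor on the controller and keeps validate_certs enabled. The CA file path files/vcenter-ca.pem, the vcenter-ca.crt file name, and a RHEL- or Debian-family controller whose Python uses the system trust store are assumptions.

```yaml
---
- name: info vm Playbook with a trusted vCenter CA
  hosts: localhost
  become: false
  gather_facts: true            # needed for ansible_os_family
  vars:
    # Assumption: PEM copy of the CA that signed the vCenter certificate,
    # obtained and checked out of band. The path is a placeholder.
    vcenter_ca_file: "files/vcenter-ca.pem"
    # Trust-anchor directory and rebuild command per OS family.
    ca_trust:
      RedHat:
        dir: /etc/pki/ca-trust/source/anchors
        cmd: update-ca-trust extract
      Debian:
        dir: /usr/local/share/ca-certificates   # files here must end in .crt
        cmd: update-ca-certificates
  pre_tasks:
    - name: load vCenter connection variables
      ansible.builtin.include_vars: vars.yml
  tasks:
    - name: install the vCenter CA as a trust anchor
      ansible.builtin.copy:
        src: "{{ vcenter_ca_file }}"
        dest: "{{ ca_trust[ansible_os_family].dir }}/vcenter-ca.crt"
        owner: root
        group: root
        mode: "0644"
      become: true
      register: ca_copy

    - name: rebuild the system CA bundle only when the anchor changed
      ansible.builtin.command: "{{ ca_trust[ansible_os_family].cmd }}"
      become: true
      when: ca_copy is changed
      changed_when: true

    - name: get VM info with certificate validation on
      community.vmware.vmware_guest_info:
        hostname: "{{ vcenter_hostname }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        datacenter: "{{ vcenter_datacenter }}"
        validate_certs: true
        name: "{{ vm_name }}"
      register: detailed_vm_info
```

With the CA trusted, vcenter_hostname should also match a name in the vCenter certificate, since a hostname mismatch is reported as a verification failure as well.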

Conclusion

Now you know better how to troubleshoot the Ansible "VMware certificate verify failed connecting to vCenter or ESXi" message.
