Ansible Pilot

Ansible troubleshooting - VMware certificate verify failed connecting to vCenter or ESXi

Let’s troubleshoot together the Ansible fatal error “Unable to connect to vCenter or ESXi API [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)” to find the root cause, connection problem connecting, and successfully run our Ansible For VMware Playbook code.

May 25, 2022
Access the Complete Video Course and Learn Quick Ansible by 200+ Practical Lessons

Ansible troubleshooting - VMware certificate verify failed connecting to vCenter or ESXi

Today we’re going to talk about Ansible troubleshooting, specifically about the “Unable to connect to vCenter or ESXi API [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)” message and enable Ansible For VMware. This fatal error message happens when the Ansible controller is not able to connect to your VMware Infrastructure. The root cause might be a self-signed SSL certificate or a chain-of-trust not correctly installed in your Ansible Controller. I’m Luca Berton and welcome to today’s episode of Ansible Pilot.

The Best Resources For Ansible

Video Course

Books

demo

How to reproduce, troubleshoot, and fix the error “Unable to connect to vCenter or ESXi API[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)”.

The best way of talking about Ansible troubleshooting is to jump in a live demo to show you practically the “Unknown error while connecting to vCenter or ESXi API [Errno -2] Name or service not known” and how to solve it! In this demo, I’m going to reproduce the error and fix using the correct VMware hostname and verify the network configuration on a demo machine.

error code

---
- name: info vm demo
  hosts: localhost
  become: false
  gather_facts: false
  collections:
    - community.vmware
  pre_tasks:
    - include_vars: vars.yml
  tasks:
    - name: get VM info
      vmware_guest_info:
        hostname: "{{ vcenter_hostname }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        datacenter: "{{ vcenter_datacenter }}"
        name: "{{ vm_name }}"
      register: detailed_vm_info
    - name: print VM info
      ansible.builtin.debug:
        var: detailed_vm_info
---
vcenter_hostname: "vmware.example.com"
vcenter_datacenter: "vmwaredatacenter"
vcenter_username: "[email protected]"
vcenter_password: "MySecretPassword123"
vm_name: "myvm"
localhost

error execution

$ ansible-playbook vm_info.yml 
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit
localhost does not match 'all'
PLAY [info vm demo] *******************************************************************************
TASK [include_vars] *******************************************************************************
ok: [localhost]
TASK [get VM info] ********************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Unable to connect to vCenter or ESXi API at vmware.example.com on TCP/443: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)"}
PLAY RECAP ****************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

fix code

It’s possible to avoid SSL certificates validation by setting the parameter validate_certs. For a self-signed certificate, you need to disable the SSL certificate validation. However, I strongly recommend di create a custom chain of trust.

---
- name: info vm demo
  hosts: localhost
  become: false
  gather_facts: false
  collections:
    - community.vmware
  pre_tasks:
    - include_vars: vars.yml
  tasks:
    - name: get VM info
      vmware_guest_info:
        hostname: "{{ vcenter_hostname }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        datacenter: "{{ vcenter_datacenter }}"
        validate_certs: "{{ vcenter_validate_certs }}"
        name: "{{ vm_name }}"
      register: detailed_vm_info
    - name: print VM info
      ansible.builtin.debug:
        var: detailed_vm_info
---
vcenter_hostname: "vmware.example.com"
vcenter_datacenter: "vmwaredatacenter"
vcenter_username: "[email protected]"
vcenter_password: "MySecretPassword123"
vcenter_validate_certs: false

fix execution

$ ansible-playbook vm_info.yml 
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit
localhost does not match 'all'
PLAY [info vm demo] *******************************************************************************
TASK [include_vars] *******************************************************************************
ok: [localhost]
TASK [get VM info] ********************************************************************************
ok: [localhost]
TASK [print VM info] ******************************************************************************
ok: [localhost] => {
    "detailed_vm_info": {
        "changed": false,
        "failed": false,
        "instance": {
            "annotation": "",
            "current_snapshot": null,
            "customvalues": {},
            "guest_consolidation_needed": false,
            "guest_question": null,
            "guest_tools_status": "guestToolsNotRunning",
            "guest_tools_version": "0",
            "hw_cluster": "cluster",
            "hw_cores_per_socket": 1,
            "hw_datastores": [
                "Datastore-1"
            ],
            "hw_esxi_host": "vmware.example.com",
            "hw_eth0": {
                "addresstype": "assigned",
                "ipaddresses": null,
                "label": "Network adapter 1",
                "macaddress": "00:50:56:a5:48:ee",
                "macaddress_dash": "00-50-56-a5-48-ee",
                "portgroup_key": null,
                "portgroup_portkey": null,
                "summary": "VM Network"
            },
            "hw_files": [
                "[Datastore-1] myvm/myvm.vmx",
                "[Datastore-1] myvm/myvm.vmsd",
                "[Datastore-1] myvm/myvm.vmdk",
                "[Datastore-1] myvm/myvm_1001_1.vmdk"
            ],
            "hw_folder": "/prod-dc/vm/myvm",
            "hw_guest_full_name": null,
            "hw_guest_ha_state": null,
            "hw_guest_id": null,
            "hw_interfaces": [
                "eth0"
            ],
            "hw_is_template": false,
            "hw_memtotal_mb": 1024,
            "hw_name": "myvm",
            "hw_power_status": "poweredOff",
            "hw_processor_count": 1,
            "hw_product_uuid": "42254893-3793-0e4f-9f61-7c37d244c2a8",
            "hw_version": "vmx-14",
            "instance_uuid": "5025d3e9-6c26-30b5-d29a-2c1be5fa3862",
            "ipv4": null,
            "ipv6": null,
            "module_hw": true,
            "moid": "vm-17947",
            "snapshots": [],
            "vimref": "vim.VirtualMachine:vm-17947",
            "vnc": {}
        }
    }
}
PLAY RECAP ****************************************************************************************
localhost                  : ok=3    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Recap

Now you know better how to troubleshoot the Ansible “VMware certificate verify failed connecting to vCenter or ESXi” message.

Subscribe to the YouTube channel, Medium, Website, Twitter, and Substack to not miss the next episode of the Ansible Pilot.

Academy

Learn the Ansible automation technology with some real-life examples in my

My book Ansible By Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps

BUY the Complete PDF BOOK to easily Copy and Paste the 200+ Ansible code

Want to keep this project going? Please donate

Access the Complete Video Course and Learn Quick Ansible by 200+ Practical Lessons
Trustpilot
Follow me

Subscribe not to miss any new releases

FREE Top 10 Best Practices

Top 10 Best Practices of Ansible Automation: save time, reduce errors and stress