Ansible Pilot

Ansible troubleshooting - VMware certificate verify failed connecting to vCenter or ESXi

Let’s troubleshoot together the Ansible fatal error “Unable to connect to vCenter or ESXi API [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)” to find the root cause of the connection problem and successfully run our Ansible for VMware playbook code.

May 25, 2022

Today we’re going to talk about Ansible troubleshooting, specifically about the “Unable to connect to vCenter or ESXi API [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)” message that you can hit when using Ansible for VMware. This fatal error message happens when the Ansible controller is not able to connect to your VMware infrastructure because it cannot verify the server's SSL certificate. The root cause might be a self-signed SSL certificate or a chain of trust not correctly installed on your Ansible controller. I’m Luca Berton and welcome to today’s episode of Ansible Pilot.

demo

How to reproduce, troubleshoot, and fix the error “Unable to connect to vCenter or ESXi API [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)”.

The best way of talking about Ansible troubleshooting is to jump into a live demo to show you practically the “Unable to connect to vCenter or ESXi API [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)” error and how to solve it! In this demo, I’m going to reproduce the error and fix it by setting the validate_certs parameter for the VMware connection.

error code

---
- name: info vm demo
  hosts: localhost
  become: false
  gather_facts: false
  collections:
    - community.vmware
  pre_tasks:
    - include_vars: vars.yml
  tasks:
    - name: get VM info
      vmware_guest_info:
        hostname: "{{ vcenter_hostname }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        datacenter: "{{ vcenter_datacenter }}"
        name: "{{ vm_name }}"
      register: detailed_vm_info
    - name: print VM info
      ansible.builtin.debug:
        var: detailed_vm_info
---
# vars.yml (loaded by the include_vars pre-task)
vcenter_hostname: "vmware.example.com"
vcenter_datacenter: "vmwaredatacenter"
vcenter_username: "[email protected]"
vcenter_password: "MySecretPassword123"
vm_name: "myvm"

inventory

localhost

error execution

$ ansible-playbook vm_info.yml 
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit
localhost does not match 'all'
PLAY [info vm demo] *******************************************************************************
TASK [include_vars] *******************************************************************************
ok: [localhost]
TASK [get VM info] ********************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Unable to connect to vCenter or ESXi API at vmware.example.com on TCP/443: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)"}
PLAY RECAP ****************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

fix code

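It’s possible to skip SSL certificate validation by setting the validate_certs parameter to false. For a self-signed certificate that the controller does not trust, you need to disable the SSL certificate validation for the connection to succeed. With validation disabled, Ansible no longer checks that the host answering on TCP/443 is really your vCenter or ESXi server before sending the username and password to it. For that reason, I strongly recommend creating a custom chain of trust instead.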

---
- name: info vm demo
  hosts: localhost
  become: false
  gather_facts: false
  collections:
    - community.vmware
  pre_tasks:
    - include_vars: vars.yml
  tasks:
    - name: get VM info
      vmware_guest_info:
        hostname: "{{ vcenter_hostname }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        datacenter: "{{ vcenter_datacenter }}"
        validate_certs: "{{ vcenter_validate_certs }}"
        name: "{{ vm_name }}"
      register: detailed_vm_info
    - name: print VM info
      ansible.builtin.debug:
        var: detailed_vm_info
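---
# vars.yml (loaded by the include_vars pre-task)
vcenter_hostname: "vmware.example.com"
vcenter_datacenter: "vmwaredatacenter"
vcenter_username: "[email protected]"
vcenter_password: "MySecretPassword123"
# false turns off certificate verification for the vCenter connection
vcenter_validate_certs: false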

fix execution

$ ansible-playbook vm_info.yml 
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit
localhost does not match 'all'
PLAY [info vm demo] *******************************************************************************
TASK [include_vars] *******************************************************************************
ok: [localhost]
TASK [get VM info] ********************************************************************************
ok: [localhost]
TASK [print VM info] ******************************************************************************
ok: [localhost] => {
    "detailed_vm_info": {
        "changed": false,
        "failed": false,
        "instance": {
            "annotation": "",
            "current_snapshot": null,
            "customvalues": {},
            "guest_consolidation_needed": false,
            "guest_question": null,
            "guest_tools_status": "guestToolsNotRunning",
            "guest_tools_version": "0",
            "hw_cluster": "cluster",
            "hw_cores_per_socket": 1,
            "hw_datastores": [
                "Datastore-1"
            ],
            "hw_esxi_host": "vmware.example.com",
            "hw_eth0": {
                "addresstype": "assigned",
                "ipaddresses": null,
                "label": "Network adapter 1",
                "macaddress": "00:50:56:a5:48:ee",
                "macaddress_dash": "00-50-56-a5-48-ee",
                "portgroup_key": null,
                "portgroup_portkey": null,
                "summary": "VM Network"
            },
            "hw_files": [
                "[Datastore-1] myvm/myvm.vmx",
                "[Datastore-1] myvm/myvm.vmsd",
                "[Datastore-1] myvm/myvm.vmdk",
                "[Datastore-1] myvm/myvm_1001_1.vmdk"
            ],
            "hw_folder": "/prod-dc/vm/myvm",
            "hw_guest_full_name": null,
            "hw_guest_ha_state": null,
            "hw_guest_id": null,
            "hw_interfaces": [
                "eth0"
            ],
            "hw_is_template": false,
            "hw_memtotal_mb": 1024,
            "hw_name": "myvm",
            "hw_power_status": "poweredOff",
            "hw_processor_count": 1,
            "hw_product_uuid": "42254893-3793-0e4f-9f61-7c37d244c2a8",
            "hw_version": "vmx-14",
            "instance_uuid": "5025d3e9-6c26-30b5-d29a-2c1be5fa3862",
            "ipv4": null,
            "ipv6": null,
            "module_hw": true,
            "moid": "vm-17947",
            "snapshots": [],
            "vimref": "vim.VirtualMachine:vm-17947",
            "vnc": {}
        }
    }
}
PLAY RECAP ****************************************************************************************
localhost                  : ok=3    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
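
The chain-of-trust alternative recommended above, as an added example that is not part of the original article: the playbook keeps validate_certs enabled and points the module's Python process at the CA certificate that signed the vCenter certificate. The variable vcenter_ca_bundle and its path are hypothetical placeholders, and the example assumes the controller's Python is built against OpenSSL, which reads the SSL_CERT_FILE environment variable when loading default trust anchors.

```yaml
---
# Added example: validated TLS to vCenter with a custom CA bundle.
# vcenter_ca_bundle is a hypothetical variable; its path is a placeholder.
- name: info vm demo with certificate validation
  hosts: localhost
  become: false
  gather_facts: false
  collections:
    - community.vmware
  vars:
    vcenter_ca_bundle: "/path/to/vcenter-ca.pem"   # PEM file with the signing CA
  pre_tasks:
    - name: load connection variables
      ansible.builtin.include_vars: vars.yml
    - name: look for the CA bundle on the controller
      ansible.builtin.stat:
        path: "{{ vcenter_ca_bundle }}"
      register: ca_bundle
    - name: stop early when the CA bundle is missing
      ansible.builtin.assert:
        that:
          - ca_bundle.stat.exists
        fail_msg: "CA bundle {{ vcenter_ca_bundle }} not found on the controller"
    - name: fail when the CA certificate is unreadable or already expired
      ansible.builtin.command:
        cmd: "openssl x509 -in {{ vcenter_ca_bundle }} -noout -subject -enddate -checkend 0"
      changed_when: false
  tasks:
    - name: get VM info over a verified connection
      vmware_guest_info:
        hostname: "{{ vcenter_hostname }}"   # must match a name in the server certificate
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        datacenter: "{{ vcenter_datacenter }}"
        validate_certs: true
        name: "{{ vm_name }}"
      environment:
        # Assumption: OpenSSL-backed Python uses this file as its trust store
        SSL_CERT_FILE: "{{ vcenter_ca_bundle }}"
      register: detailed_vm_info
    - name: print VM info
      ansible.builtin.debug:
        var: detailed_vm_info
```

If the task still fails with CERTIFICATE_VERIFY_FAILED, the bundle does not contain the CA that issued the certificate presented on TCP/443, or the certificate does not cover the name in vcenter_hostname.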

Recap

Now you know better how to troubleshoot the Ansible “VMware certificate verify failed connecting to vCenter or ESXi” message.
