arubaoss_file_transfer using https #33

Open
lizhang-uth opened this issue May 19, 2022 · 4 comments

@lizhang-uth

lizhang-uth commented May 19, 2022

How do I make the switch trust my SSL certificate where the OS image is located? I'm trying to use arubaoss_file_transfer and https and it's failing. I'm getting a `"status": "FTS_CONN_FAILED", "result": "Peer unreachable."` error message. I think it's because the switch doesn't trust the SSL certificate. I'm testing on a 3810M switch on the KB.16.10.0015 image. I didn't find a command in the CLI to use https to transfer a file.

@alagoutte
Contributor

Hi,

What is the playbook?

What do you have in the log? (You can enable debug rest on the CLI.)

Have you checked the web server log? Is it a self-signed certificate or a public certificate?

Have you tried to include CA on the switch?

@lizhang-uth
Author

Playbook

    - hosts: all
      gather_facts: False
      vars:
        new_os_version: "16_11_0004"
      collections:
        - arubanetworks.aos_switch
        - ansible.netcommon
      tasks:
        # Read the platform facts first; the transfer task below keys off the firmware version.
        - name: Retrieve platform
          arubaoss_facts:
            gather_subset: ['host_system_info']
            provider:
              host: "{{ ansible_host }}"
            use_ssl: true
          register: facts_output

        # Have the switch download the image into the primary slot (KB platforms only).
        - name: Transfer KB image
          arubaoss_file_transfer:
            file_url: "http://fileserver.netops.uth.edu/images/KB_{{ new_os_version }}.swi"
            file_type: "FTT_FIRMWARE"
            action: "FTA_DOWNLOAD"
            boot_image: "BI_PRIMARY_IMAGE"
            provider:
              host: "{{ ansible_host }}"
            use_ssl: true
          when: facts_output.ansible_facts.ansible_net_host_system_info.firmware_version is search("KB.")

Output from Ansible

    {
      "msg": "image transfer failed with code: FTS_CONN_FAILED",
      "total_time": 1,
      "invocation": {
        "module_args": {
          "file_url": "https://fileserver.netops.uth.edu/images/KB_16_11_0004.swi",
          "file_type": "FTT_FIRMWARE",
          "action": "FTA_DOWNLOAD",
          "boot_image": "BI_PRIMARY_IMAGE",
          "provider": {
            "host": "10.18.253.95",
            "username": "switchapi",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "use_proxy": false,
            "transport": "aossapi",
            "validate_certs": false,
            "api_version": "None",
            "port": null,
            "ssh_keyfile": null,
            "use_ssl": null,
            "timeout": null
          },
          "use_ssl": true,
          "copy_iter": 20,
          "validate_certs": false,
          "api_version": "v7.0",
          "show_tech_option": null,
          "host": "10.18.253.95",
          "port": null,
          "username": "switchapi",
          "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
          "ssh_keyfile": null,
          "timeout": null
        }
      },
      "_ansible_no_log": false,
      "changed": false
    }

Logs from the switch:

    I 05/20/22 15:29:43 00159 update: FT file transfer failed
    W 05/20/22 15:29:43 04186 http: Connection to https://fileserver.netops.uth.edu/images/KB_16_11_0004.swi failed (server response 0).

When I use http, it works. I see in the firewall logs the switch attempts to use https and it's allowed through the firewall.

I don't know how to "include CA on the switch". This is my question. I tried to create 3 new ta_profiles and copy the CA to them. I created 3 because 1 root and 2 intermediaries. They are the INCOMMON profiles below. Is this right?

    uct-m60lab-playground# sh crypto pki ta-profile

    Profile Name     Profile Status                  CRL Configured  OCSP Configured
    IDEVID_ROOT      Root Certificate Installed
    AAA Certific...  Root Certificate Installed      No              No
    default          Self-signed Certificate Ins...  No              No
    GEOTRUST_CA      Root Certificate Installed      No              No
    ARUBA_CA         Root Certificate Installed      No              No
    COMODO_RSA_CA    Root Certificate Installed      No              No
    AddTrust Ext...  Root Certificate Installed      No              No
    USERTrust RS...  Root Certificate Installed      No              No
    INCOMMON_INTER1  Root Certificate Installed      No              No
    INCOMMON_CA      Root Certificate Installed      No              No
    INCOMMON_INTER2  Root Certificate Installed      No              No
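
A pre-flight check for the trust-anchor question in the comment above, as an added example that is not from the poster or from the arubanetworks.aos_switch collection: it parses `sh crypto pki ta-profile` output and reports which required CA profiles are missing and which installed roots show no CRL or OCSP configured. The function names and the prefix matching of truncated profile names are assumptions, and the check says nothing about whether the switch supports HTTPS transfers.

```python
import re

# Constructed input: the ta-profile listing from the post above, re-typed.
SAMPLE = """\
Profile Name     Profile Status                  CRL Configured  OCSP Configured
IDEVID_ROOT      Root Certificate Installed
AAA Certific...  Root Certificate Installed      No              No
default          Self-signed Certificate Ins...  No              No
GEOTRUST_CA      Root Certificate Installed      No              No
ARUBA_CA         Root Certificate Installed      No              No
COMODO_RSA_CA    Root Certificate Installed      No              No
AddTrust Ext...  Root Certificate Installed      No              No
USERTrust RS...  Root Certificate Installed      No              No
INCOMMON_INTER1  Root Certificate Installed      No              No
INCOMMON_CA      Root Certificate Installed      No              No
INCOMMON_INTER2  Root Certificate Installed      No              No
"""

# Only the two status strings visible in the post are recognised; "Yes" as a
# CRL/OCSP value is an assumption (the post shows only "No").
ROW = re.compile(
    r"^\s*(?P<name>.+?)\s+"
    r"(?P<status>Root Certificate Installed|Self-signed Certificate Ins\S*)"
    r"(?:\s+(?P<crl>Yes|No)\s+(?P<ocsp>Yes|No))?\s*$"
)

def parse_ta_profiles(text):
    """Return one dict per recognised profile row; header and blank lines are skipped."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def _same_name(shown, wanted):
    # The listing truncates long names and appends "...": compare by prefix then.
    return wanted.startswith(shown[:-3]) if shown.endswith("...") else shown == wanted

def missing_anchors(profiles, required):
    """Names from `required` with no profile in 'Root Certificate Installed' state."""
    roots = [p["name"] for p in profiles if p["status"] == "Root Certificate Installed"]
    return [w for w in required if not any(_same_name(s, w) for s in roots)]

def without_revocation(profiles):
    """Installed roots that show neither CRL nor OCSP as configured."""
    return [p["name"] for p in profiles
            if p["status"].startswith("Root") and "Yes" not in (p["crl"], p["ocsp"])]
```
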

@lizhang-uth
Author

I just noticed in the switch log, the switch is trying to use http and the url starts with https.

@alagoutte
Contributor

> I just noticed in the switch log, the switch is trying to use http and the url starts with https.

Need to check if upgrade via HTTPS is supported...
