Credential Retrieval fails when web listener uses HTTP/2 #77

Open
davidpower1985 opened this issue Jan 9, 2025 · 1 comment
@davidpower1985

Summary

We have found during a recent upgrade of the operating systems which host our internal CyberArk instance that credential retrieval now fails with an error if the target server for the Ansible call is running on an OS with listeners configured to default to HTTP/2. If we modify the URL to a server within the app running an older OS, then the same Ansible call works correctly.

Steps to Reproduce

Try to use the cyberark_credential module against a target server running Windows Server 2022

Expected Results

- name: Retrieve Credential
  cyberark.pas.cyberark_credential:
    api_base_url: "https://windows2022.domain.com"
    validate_certs: true
    client_cert: /certificates/MyCertificate.crt
    client_key: /certificates/MyKeyFile.pem
    app_id: "My-AppID"
    query: "Safe=my_safe;UserName=my_user"
    connection_timeout: 60
    query_format: Exact
    fail_request_on_password_change: true
    reason: "Credential Retrival"

Should return a valid result

Actual Results

An error is received:
{"changed": false, "msg": "Unknown error while retrieving credential.\n*** end_point=https://windows2022.domain.com/AIMWebService/api/Accounts?AppId=My-AppID&Query=Safe%3Dmy_safe%3BUserName%3Dmy_user&ConnectionTimeout=60&QueryFormat=Exact&FailRequestOnPasswordChange=True&reason=Credential%20Retrieval\n[Errno 104] Connection reset by peer", "status_code": -1}

Using

- name: Retrieve Credential
  cyberark.pas.cyberark_credential:
    api_base_url: "https://windows2012.domain.com"
    validate_certs: true
    client_cert: /certificates/MyCertificate.crt
    client_key: /certificates/MyKeyFile.pem
    app_id: "My-AppID"
    query: "Safe=my_safe;UserName=my_user"
    connection_timeout: 60
    query_format: Exact
    fail_request_on_password_change: true
    reason: "Credential Retrival"

Will return a valid result

Reproducible

  • Always

We have verified that using curl we can also reproduce the error when not specifying a --http1.1 flag:

curl -k --cert certificates/MyCertificate.crt --key certificates/MyKeyFile.pem "https://windows2022.domain.com/AIMWebService/api/Accounts?AppID=My-AppID&Query=Safe=my_safe;UserName=my_user"

Will fail with error:
curl: (92) HTTP/2 stream 0 was not closed cleanly: HTTP_1_1_REQUIRED (err 13)

However, adding a --http1.1 flag to the curl command works correctly.

Version/Tag number

ansible [core 2.16.3]
python version = 3.12.6 (main, Sep 23 2024, 09:58:19) [GCC 8.5.0 20210514 (Red Hat 8.5.0-22)] (/usr/bin/python3.12)
jinja version = 3.1.2
libyaml = True

Environment setup

Ansible with the cyberark_credential galaxy module

Additional Information

There does not appear to be any option to specify an HTTP protocol in either the Ansible module itself or in the open_url Python library being used by the module.
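
The two curl runs above differ in what the client offers through the TLS ALPN extension: for HTTPS curl offers `h2` by default, and `--http1.1` restricts the offer to `http/1.1`. As an added example (not code from the module, from `open_url`, or from the issue author), this Python script captures the ClientHello a client context would send and lists its ALPN offer, so you can check what a given Python TLS client actually presents to a listener. The hostname is a placeholder and no network connection is made.

```python
import ssl
import struct

ALPN_EXT = 16  # TLS extension number for ALPN (RFC 7301)

def client_hello(alpn=None):
    """Return the first TLS record a default client context would send."""
    ctx = ssl.create_default_context()
    if alpn:
        ctx.set_alpn_protocols(alpn)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # Placeholder hostname (assumption); used only for SNI, never resolved.
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="aim.example.invalid")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is written and no server ever replies
    return outgoing.read()

def offered_alpn(record):
    """Parse a ClientHello record and return the ALPN protocol names it offers."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                                  # headers, version, random
    pos += 1 + record[pos]                                # session id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher suites
    pos += 1 + record[pos]                                # compression methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == ALPN_EXT:
            names, p, stop = [], pos + 2, pos + ext_len   # skip the 2-byte list length
            while p < stop:
                n = record[p]
                names.append(record[p + 1:p + 1 + n].decode("ascii"))
                p += 1 + n
            return names
        pos += ext_len
    return []  # no ALPN extension: the client cannot negotiate h2

if __name__ == "__main__":
    print("default context  :", offered_alpn(client_hello()))
    print("h2 + http/1.1    :", offered_alpn(client_hello(["h2", "http/1.1"])))
    print("http/1.1 only    :", offered_alpn(client_hello(["http/1.1"])))
```

To inspect the context an HTTP library really uses, pass that library's own `SSLContext` through the same `wrap_bio` step instead of `ssl.create_default_context()`.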

@szh
Contributor

szh commented Jan 9, 2025
