Using self-signed SSL-certs when pulling Ansible inventory from XO from a dedicated CM/IaC VM in the pool.
Re: Ansible with Xen Orchestra
Solution.
Here, XO (built from sources) is orchestrating a pool of XCP-ng 8.2.1 hosts.
Pool master is xcp.admin.domain (edited). XO VM is xo.local.domain (edited) on Debian 12.
I got this working by generating certs on XO this way:
openssl genrsa -out xo.local.domain.key 4096
openssl req -new -nodes -key xo.local.domain.key -out xo.local.domain.csr
openssl x509 -signkey xo.local.domain.key -in xo.local.domain.csr -req -days 3650 -out xo.local.domain.crt
openssl req -x509 -sha256 -days 3650 -newkey rsa:4096 -keyout xo.rootCA.key -out xo.rootCA.crt
openssl x509 -req -CA xo.rootCA.crt -CAkey xo.rootCA.key -in xo.local.domain.csr -out xo.local.domain.crt -days 3650 -CAcreateserial -extfile xo.local.domain.ext
When generating the above certs and certs for the Ansible master node,
CN=<hostname>.local.domain
The file <hostname>.local.domain.ext specifies (SAN) <hostname>.local.domain as one DNS
Do not use snakeoil certs on XO; the standard Debian snakeoils use only hostname in CN / SAN fields, not domain.
'xo.xen_orchestra.yml' on the CM VM:
plugin: community.general.xen_orchestra
api_host: xo.local.domain:443
user: <hidden>
password: <hidden>
validate_certs: true
use_ssl: true
'ansible.cfg' need NOT specify enable_plugins = community.general.xen_orchestra
XO inventory may now be pulled from CM/IaC VM and listed this way
ansible-inventory -i xo.xen_orchestra.yml --list
References:
https://xen-orchestra.com/blog/virtops3-ansible-with-xen-orchestra/
https://www.baeldung.com/openssl-self-signed-cert
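
Added example, not part of the original post: a shell check of the CN/SAN point made above. It issues one certificate for the FQDN and one for the bare hostname from a throwaway root CA, then tests both against xo.local.domain. The function names, the temp directory, the req.cnf file and the 2048-bit keys are assumptions made for the example.

```shell
#!/bin/sh
# Added example; function names, req.cnf and the temp dir are assumptions.
# 2048-bit keys keep the run short; the post uses 4096.

# make_ca DIR: throwaway root CA with an explicit CA:TRUE extension.
make_ca() {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$1/req.cnf"
    openssl req -x509 -sha256 -days 3650 -newkey rsa:2048 -nodes \
        -config "$1/req.cnf" -subj "/CN=xo.rootCA" \
        -keyout "$1/rootCA.key" -out "$1/rootCA.crt" 2>/dev/null
}

# issue_cert DIR NAME DNSNAME: key, CSR, .ext file and CA-signed certificate.
issue_cert() {
    dir=$1; name=$2; dns=$3
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$dns" \
        > "$dir/$name.ext"
    openssl req -new -nodes -newkey rsa:2048 -config "$dir/req.cnf" \
        -subj "/CN=$dns" -keyout "$dir/$name.key" -out "$dir/$name.csr" \
        2>/dev/null &&
    openssl x509 -req -sha256 -days 3650 -in "$dir/$name.csr" \
        -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# cert_ok DIR NAME FQDN: chain verifies against the root AND the name matches,
# the two conditions validate_certs: true depends on.
cert_ok() {
    openssl verify -CAfile "$1/rootCA.crt" "$1/$2.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$1/$2.crt" -noout -checkhost "$3" | grep -q 'does match'
}

# Demo: FQDN certificate as in the post vs. a bare-hostname one.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" && issue_cert "$d" fqdn xo.local.domain && issue_cert "$d" short xo
    for c in fqdn short; do
        if cert_ok "$d" "$c" xo.local.domain; then echo "$c: accepted"
        else echo "$c: rejected"; fi
    done
    rm -rf "$d"
}
demo
```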