XCP-ng

    Using self-signed SSL-certs when pulling Ansible inventory from XO from a dedicated CM/IaC VM in the pool.

    Infrastructure as Code
      kawreh

      Re: Ansible with Xen Orchestra

      Solution.

      Here, XO (built from sources) is orchestrating a pool of XCP-ng 8.2.1 hosts.
      Pool master is xcp.admin.domain (edited). XO VM is xo.local.domain (edited) on Debian 12.

      I got this working by generating certs on XO this way:

      openssl genrsa -out xo.local.domain.key 4096
      openssl req -new -nodes -key xo.local.domain.key -out xo.local.domain.csr
      openssl x509 -signkey xo.local.domain.key -in xo.local.domain.csr -req -days 3650 -out xo.local.domain.crt
      openssl req -x509 -sha256 -days 3650 -newkey rsa:4096 -keyout xo.rootCA.key -out xo.rootCA.crt
      openssl x509 -req -CA xo.rootCA.crt -CAkey xo.rootCA.key -in xo.local.domain.csr -out xo.local.domain.crt -days 3650 -CAcreateserial -extfile xo.local.domain.ext

      When generating the above certs and certs for the Ansible master node,
      CN=<hostname>.local.domain
      The file <hostname>.local.domain.ext specifies (SAN) <hostname>.local.domain as one DNS

      Do not use snakeoil certs on XO; the standard Debian snakeoils use only the hostname in the CN / SAN fields, not the domain.

      'xo.xen_orchestra.yml' on the CM VM:

      plugin: community.general.xen_orchestra
      api_host: xo.local.domain:443
      user: <hidden>
      password: <hidden>
      validate_certs: true
      use_ssl: true

      'ansible.cfg' need NOT specify enable_plugins = community.general.xen_orchestra

      XO inventory may now be pulled from the CM/IaC VM and listed this way:

      ansible-inventory -i xo.xen_orchestra.yml --list

      References:
      https://xen-orchestra.com/blog/virtops3-ansible-with-xen-orchestra/
      https://www.baeldung.com/openssl-self-signed-cert
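
Added example, not part of the original post: a sketch of what a `<hostname>.local.domain.ext` file could contain, and of the chain-plus-hostname check that `validate_certs: true` depends on. The CA name, file names, extension contents, 2048-bit keys and 30-day lifetimes are assumptions; the `short` certificate is constructed to model a hostname-only SAN.

```shell
#!/bin/sh
# Added example; CA name, file names and .ext contents are assumptions.
# 2048-bit keys and 30-day lifetimes keep the demo quick.

make_ca() {  # $1 = work dir; writes ca.key / ca.crt and a minimal config
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -sha256 -days 30 -newkey rsa:2048 -nodes \
    -config "$1/req.cnf" -extensions v3_ca -subj "/CN=Example XO Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_cert() {  # $1 = work dir, $2 = file prefix, $3 = CN, $4 = SAN DNS name
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$4" > "$1/$2.ext"
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -config "$1/req.cnf" -subj "/CN=$3" \
    -key "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -in "$1/$2.csr" -out "$1/$2.crt" \
    -extfile "$1/$2.ext" 2>/dev/null
}

accepts() {  # $1 = work dir, $2 = file prefix, $3 = name the client connects to
  # Chain and hostname are checked together, as a validating TLS client does.
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$1/$2.crt" \
    2>/dev/null | grep -q ': OK$'
}

demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d"
  issue_cert "$d" fqdn  xo.local.domain xo.local.domain  # SAN as in the post
  issue_cert "$d" short xo xo                            # hostname-only SAN
  for c in fqdn short; do
    if accepts "$d" "$c" xo.local.domain; then r=accepted; else r=rejected; fi
    echo "$c.crt presented for xo.local.domain: $r"
  done
  rm -rf "$d"
}
demo
```

The client side still has to trust the root: the CA certificate (here `ca.crt`) must be in the trust store of the machine running `ansible-inventory`.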
