I wish to synchronize letsencrypt credentials from host S to Host D using an ansible task running on host H.

My current task looks like this:

- name: Synchronize local letsencrypt directory
  ansible.posix.synchronize:
    src: /etc/letsencrypt
    dest: /etc/letsencrypt
    archive: true
    checksum: true
    delete: true
    recursive: true
    become_user: myuserid
    rsync_path: "sudo rsync"
  become: true
  delegate_to: S

On host S:

drwxr-xr-x. 9 root root 4096 Jul 10 01:15 /etc/letsencrypt

On host D:

drwxr-xr-x. 2 root root 6 Apr  8 07:58 /etc/letsencrypt

The error message I am getting is:

TASK [sync_certs - rsync from certificate master host to certificate slave host] ******************************************
fatal: [D]: UNREACHABLE! => {"changed": false, "msg": "Invalid/incorrect password: Permission denied, please try again.", "unreachable": true}

Since root login is prohibited on all hosts, the task runs as an ordinary user with sudo permissions to execute "bash". This is the situation on all hosts.

Any help would be greatly appreciated.

PS: The following bash script runs successfully. Unfortunately, it asks for a password for myuserid.

sudo /usr/bin/rsync --rsync-path="sudo rsync" --acls --archive --checksum --delete --links --numeric-ids --recursive --stats --times --verbose  /etc/letsencrypt myuseridl@testFedora.jlhimpel.net::letsencrypt
dubby

2 Answers


Can you log in via ssh with the user "myuserid"? I think the key to the problem is the key sharing between hosts S and D. Check how you run the playbook and add the flags -u myuserid -k

  • I can successfully ssh to "myuserid" without having to supply a password. I use ssh-rsa keys to accomplish this. – dubby Jul 12 '21 at 01:30
  • When I run the playbook with -u myuserid -k, I get the same error as shown in my original question. – dubby Jul 12 '21 at 01:31
  • Have you tried specifying the ssh key to use explicitly with the `--private-key` flag? – Ackack Jul 12 '21 at 06:48

You are trying to connect to the remote host "S" as a user which is not set up for ansible to use, or does not exist, thus ansible cannot ssh to the host and authenticate. You need to specify the correct remote_user to connect to that host.

Further, your task is doing something bizarre: You have asked for it to sudo to myuserid instead of root, and then run sudo rsync again to actually run the rsync process. There's no need for any of this; just let it sudo to root as it normally would.

Michael Hampton
  • Michael, I removed the "become_user" and added a "remote_user: myuserid". I get the same error as shown in my original question. – dubby Jul 12 '21 at 01:36
  • @dubby Are you 100% sure you have supplied the correct credentials for that user to ssh to that system? Check the logs on that system to find out what may have gone wrong. – Michael Hampton Jul 12 '21 at 10:24
  • Michael, There is nothing in the systemd journal that indicates any sort of problem. I have the userid and password for the ansible login and root in /etc/rsyncd.secrets. Question: Should the password in that file be plain text or should it be hashed? I am using plain text. I can't seem to locate any docs that indicate if it s/b hashed or not. – dubby Jul 12 '21 at 19:37
  • Michael, I reran the task with -vvvvv and captured the output. Unfortunately, it's >740 lines. If I figure out how to use pastebin would you be able to interpret the failed login? – dubby Jul 12 '21 at 20:38
  • @dubby You don't use ssh keys?! – Michael Hampton Jul 12 '21 at 21:59
  • I do use ssh keys from a shell script version of rsync and it works fine. I'm assuming that ansible uses ssh to communicate between hosts. All my other playbooks connect and execute on these same hosts just fine. – dubby Jul 13 '21 at 02:29
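The task rewritten along the lines of the answer above, as an added example rather than the questioner's task or anything posted by the answerer: become_user is dropped so the task escalates to root, and rsync_path is set explicitly so rsync on D is started under sudo. The inventory names S and D, the login user myuserid, and the sudo rules are assumptions taken from the question; in particular it assumes myuserid may run rsync via sudo on D without a password prompt, which the question's "sudo permissions to execute bash" would not cover.

```yaml
# Added example, not code from the question or the answer.
# Assumptions (not on the page): S and D are inventory host names, the ssh
# login on both is myuserid, and that user can run "sudo rsync" on D without
# being asked for a password.
- name: Synchronize letsencrypt directory from S to D
  ansible.posix.synchronize:
    src: /etc/letsencrypt/          # trailing slash: sync the contents, not a nested letsencrypt/letsencrypt
    dest: /etc/letsencrypt/
    archive: true
    checksum: true
    delete: true
    rsync_path: "sudo rsync"        # rsync on the destination D runs under sudo so it can write root-owned files
  become: true                      # escalate to root on D, not to myuserid
  remote_user: myuserid             # the ssh login Ansible uses for D
  delegate_to: S                    # rsync is started on S, pushing to D over ssh
```

Two checks before relying on this. First, synchronize drives rsync over ssh, so the destination is D's ssh port and key, not the rsync daemon: the script in the question uses `host::letsencrypt`, the double-colon daemon syntax, which authenticates against /etc/rsyncd.secrets and explains the password prompt there, while the Ansible task never touches that file. Second, with delegate_to the rsync process on S runs as the ssh user on S, so that user must be able to read the private keys under /etc/letsencrypt; certbot creates archive/ and live/ with mode 0700 by default, so a failure to read them would surface as an rsync error rather than a fixed-up copy, and loosening those modes to make the sync work would expose the keys to every local user on S.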