hashi_vault lookup cannot be instructed to use 3rd party root certificates #85553

@juresaht2

Summary

I'm using a hashi_vault lookup, which connects to my server as per pre-configured environment variables. My server uses a certificate issued by a 3rd party root (my company's CA).

I am getting the error:

  msg: 'An unhandled exception occurred while running the lookup plugin ''hashi_vault''. Error was a <class ''requests.exceptions.SSLError''>, original message: HTTPSConnectionPool(host=''vault.server.hostname'', port=8200): Max retries exceeded with url: /v1/my/path (Caused by SSLError(SSLCertVerificationError(1, ''[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)''))). HTTPSConnectionPool(host=''vault.server.hostname'', port=8200): Max retries exceeded with url: /v1/my/path (Caused by SSLError(SSLCertVerificationError(1, ''[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)'')))'

Vault access works normally in bash. It is my understanding that this is because python does not by default use the system-wide root certificate store. In normal python usage this can be resolved by setting the environment variable:

environment:
  REQUESTS_CA_BUNDLE: "/etc/ssl/certs/ca-bundle.crt"

Unfortunately, it looks like setting these environment variables in Ansible (either at the playbook or the task level) does not affect the lookup.

Therefore this situation cannot be resolved.

Issue Type

Bug Report

Component Name

hashi_vault lookup

Ansible Version

ansible [core 2.16.2]
  executable location = /usr/local/bin/ansible
  python version = 3.11.5 (main, Oct 25 2023, 14:45:39) [GCC 8.5.0 20210514 (Red Hat 8.5.0-21)] (/usr/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True

Configuration

Not relevant

OS / Environment

CentOS Stream release 8

Steps to Reproduce

- debug:
     msg: "{{ lookup('hashi_vault', 'secret=my/path') }}"

Expected Results

No SSL error.

Actual Results

(Identical to the error message quoted under Summary above.)
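Added example, not code from the issue or from the hashi_vault plugin: a small Python diagnostic that applies the same CA-bundle precedence that requests (the HTTP library behind the SSLError above) uses, so it can be run in the controller's Python, where lookup plugins execute, to see which trust store the lookup's HTTP client would actually verify against. The function names and report format are my own; the bundle path is the one from the issue, and the constructed second call stands in for what the playbook tried to set.

```python
"""Which CA bundle will a requests-based client (as used by the hashi_vault lookup)
verify the Vault server certificate against?  Precedence mirrors requests'
Session.merge_environment_settings(): explicit ``verify`` path > REQUESTS_CA_BUNDLE
> CURL_CA_BUNDLE > requests' own default bundle (certifi unless the distro patched it);
the OS trust store is otherwise not consulted.  Inspect the *controller* process:
lookups run there, while a task-level ``environment:`` keyword applies on the managed host."""
import os
import re
from typing import Mapping, Optional

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def resolve_ca_bundle(env: Mapping[str, str], verify=True) -> Optional[str]:
    """Return the bundle path requests would use, or None for its built-in default."""
    if verify is False:
        # Disabling verification removes the protection entirely; this check refuses it.
        raise ValueError("verify=False disables certificate checks")
    if isinstance(verify, str):  # an explicit path beats the environment
        return verify
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(var):
            return env[var]
    return None


def count_pem_certs(bundle_text: str) -> int:
    """Number of PEM certificate blocks in a bundle; 0 means it is not a usable bundle."""
    return len(PEM_CERT.findall(bundle_text))


def check_bundle(env: Mapping[str, str], verify=True) -> dict:
    """Resolve the bundle and report whether this process can read a real bundle there."""
    path = resolve_ca_bundle(env, verify)
    report = {"path": path, "readable": False, "certs": 0}
    if path is None:  # requests' built-in default, always loadable
        report["readable"] = True
        return report
    if os.path.isfile(path):
        with open(path, encoding="ascii", errors="replace") as fh:
            report["certs"] = count_pem_certs(fh.read())
        report["readable"] = report["certs"] > 0
    return report


if __name__ == "__main__":
    # Run on the controller: the live environment vs. the bundle path from the issue.
    print(check_bundle(os.environ))
    print(check_bundle({"REQUESTS_CA_BUNDLE": "/etc/ssl/certs/ca-bundle.crt"}))
```

If the first report shows `path: None` while the second shows the company bundle, the variable never reached the process that runs the lookup.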
