Automate identity certificate import on Cisco IOS XE

TTNChulo25
Level 1

I've been struggling to automate the import of the identity certificate on a Cisco IOS device (specifically 8000V) using an Ansible playbook. I run into one of two problems:
1. Using the cisco ios_config module, the task times out after issuing the crypto pki import {{ trustpoint }} certificate command and won't send the base64 certificate because it's waiting on user input.

2. Using either the cisco ios_command or the netcommon.cli_command modules, the task inserts an additional return character after issuing the crypto command and exits before the certificate can be sent.

code:

- name: Get Identity Certificate
  set_fact:
    idcert: >
      {{ (lookup('file', s2s_tp_identity_cert_file)) }}

- name: Import identity certificate
  ansible.netcommon.cli_command:
    command: "{{ item }}"
    # the import command prompts for the certificate text; answer it with the PEM body
    prompt: ".*itself.*"
    answer: "{{ idcert }}"
  loop:
    - "config t"
    - "crypto pki import TEST-TP certificate"

Result:
TASK [roles/ansible.role.cisco-8k-generate-csr : Import identity certificate] ************** ok:
[test-s2s-01] => (item=config t) failed: [test-s2s-01] (item=crypto pki import TEST-TP certificate) =>
{"ansible_loop_var": "item", "changed": false, "item": "crypto pki import TEST-TP certificate",
"msg": "rse or verify imported certificate\r\n\r\ntest-s2s-01(config)#MIICljCCAhygAwIBAgIURvT6AAAAAAAAAAAAAAAAAAAAAIYwCgYIKoZIzj0EAwMw\r\nMIICljCCAhygAwIBAgIURvT6AAAAAAAAAAAAAAAAAAAAAIYwCgYIKoZIzj0EAwMw\r\n ^\r\n%
Invalid input detected at '^' marker.\r\n\r\ntest-s2s-01(config)#"}

Alternative variation of the command:
- name: Import identity certificate
  ansible.netcommon.cli_command:
    command: "config t\ncrypto pki import TEST-TP certificate\n{{ idcert }}\n"

I was able to successfully achieve this task with a Cisco ASAv since they have the "nointeractive" option, but that doesn't exist for Cisco IOS.  Anyone know a different workaround I may be missing on this?  Thanks in advance.

3 Replies

It's just a guess, but I wondered if you can use the expect module; I used this ages back when handling interactive command sessions: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/expect_module.html

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

Thanks for the response, I've also tried with the expect module as well.  Here's the code I wrote for it:

- name: Generate certificate template
  ansible.builtin.expect:
    command: "ssh {{ ansible_user }}@{{ ansible_host }}"
    echo: true
    responses:
      'Password:': "{{ ansible_pass }}"
      '.*>': "enable"
      '^(?!.*\(config\).*).*#$': "configure terminal"
      '^.*\(config\)#$': "crypto pki import TEST-TP certificate"
      '.*itself.*': "{{ idcert }}\n"

Unfortunately, I end up creating an infinite loop with this; the task never stops or times out unless I manually stop it.  I can't see any output because I have to intervene, but my guess is that it's failing while trying to insert the certificate, and when it sees the global config prompt again, it re-issues the crypto pki command again and keeps going indefinitely.

@TTNChulo25 sure thing! I think you need to add a quit/exit in there to stop the loop. You could add this to your code at the bottom; it might work?

'^.*\(config\)#$': "exit"

Maybe (please test this); I am not 100% sure this is going to work and it might need some expert tweaks, but it should handle each state.

- name: Import certificate with detailed expect patterns
  ansible.builtin.expect:
    command: "ssh {{ ansible_user }}@{{ ansible_host }}"
    echo: true
    timeout: 300
    responses:
      'Password:': "{{ ansible_pass }}"
      '.*>': "enable"
      # privileged prompt without "(config)": enter config mode the first
      # time it appears, close the session the second time
      '^(?!.*\(config\).*).*#$':
        - "configure terminal"
        - "exit"
      # a YAML mapping cannot hold the same key twice (the later value would
      # silently replace the earlier one), so the config prompt gets a list:
      # successive matches receive successive responses
      '^.*\(config\)#$':
        - "crypto pki import TEST-TP certificate"
        - "exit"
      '.*itself.*': "{{ idcert }}\n\n"
      '.*successfully imported.*': "exit"
      'Invalid input.*': "exit"


Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io
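The loop described in this thread, and the list-valued responses that end it, as an added example that is not code from the thread, from Ansible or from Cisco: it simulates the IOS prompt state machine in Python instead of opening an SSH session, approximates how ansible.builtin.expect chooses a pattern (earliest match in the latest output, mapping order on ties, pexpect-style DOTALL) and how a list value is consumed one entry per match, failing when it runs out. The hostname, prompt text, device messages and certificate are constructed placeholders.

```python
"""Toy expect session against a simulated IOS-style CLI (added example).

Not code from the thread, Ansible or Cisco: no SSH, no pexpect. It models only
the behaviour the thread relies on: the response of the matching pattern is
sent, and a list value hands out successive entries on successive matches.
"""
import re

# Constructed placeholder; a real identity certificate is a full PEM block.
CONSTRUCTED_CERT = ("-----BEGIN CERTIFICATE-----\n"
                    "MIIC...constructed-placeholder...\n"
                    "-----END CERTIFICATE-----")

# Constructed approximation of the interactive import prompt; the thread's
# '.*itself.*' pattern keys on its last word.
IMPORT_PROMPT = ('Enter the base 64 encoded certificate.\n'
                 'End with a blank line or the word "quit" on a line by itself')


class FakeIosCli:
    """Prompt state machine: exec '>', privileged '#', config '(config)#', import."""

    def __init__(self, host="test-s2s-01"):   # constructed hostname
        self.host, self.mode, self.imported = host, "exec", False

    def prompt(self):
        return {"exec": f"{self.host}>", "priv": f"{self.host}#",
                "config": f"{self.host}(config)#", "import": IMPORT_PROMPT}[self.mode]

    def send(self, line):
        """Return what the device prints in reply, ending with the next prompt."""
        out = ""
        if self.mode == "exec" and line == "enable":
            self.mode = "priv"
        elif self.mode == "priv" and line == "configure terminal":
            self.mode = "config"
        elif self.mode == "priv" and line == "exit":
            self.mode = "closed"
            return "Connection closed."
        elif self.mode == "config" and line.startswith("crypto pki import"):
            self.mode = "import"
        elif self.mode == "config" and line == "exit":
            self.mode = "priv"
        elif self.mode == "import":
            # A pasted PEM body is accepted, anything else rejected; either way
            # the device returns to the config prompt (constructed messages).
            self.imported = "BEGIN CERTIFICATE" in line
            out = "% PEM files import succeeded.\n" if self.imported else "% Invalid input detected.\n"
            self.mode = "config"
        else:
            out = "% Invalid input detected.\n"
        return out + self.prompt()


def run_expect(cli, responses, max_steps=20):
    """Drive cli like the expect module: the pattern whose match starts earliest
    in the latest output wins (mapping order on ties), its response is sent and
    the next output read. Returns the sent lines once the session closes;
    raises TimeoutError if it is still open after max_steps."""
    consumed, output, sent = {}, cli.prompt(), []
    for _ in range(max_steps):
        if cli.mode == "closed":
            return sent
        best = None
        for pattern, reply in responses.items():
            m = re.search(pattern, output, re.DOTALL)
            if m and (best is None or m.start() < best[0]):
                best = (m.start(), pattern, reply)
        if best is None:
            raise RuntimeError(f"no pattern matched output {output!r}")
        _, pattern, reply = best
        if isinstance(reply, list):        # successive responses, like ansible.builtin.expect
            i = consumed.get(pattern, 0)
            if i >= len(reply):
                raise RuntimeError(f"no remaining responses for {pattern!r}")
            consumed[pattern] = i + 1
            reply = reply[i]
        sent.append(reply)
        output = cli.send(reply.rstrip("\n"))
    raise TimeoutError("session still open after max_steps: the responses loop")


# The thread's original map: the config prompt always gets the import command,
# so after a successful import the prompt reappears and the command is re-sent.
LOOPING_RESPONSES = {
    r".*>": "enable",
    r"^(?!.*\(config\).*).*#$": "configure terminal",
    r"^.*\(config\)#$": "crypto pki import TEST-TP certificate",
    r".*itself.*": CONSTRUCTED_CERT + "\n",
}

# List values: config prompt gets the import command, then "exit"; privileged
# prompt gets "configure terminal", then "exit" to close the session.
FIXED_RESPONSES = {
    r".*>": "enable",
    r"^(?!.*\(config\).*).*#$": ["configure terminal", "exit"],
    r"^.*\(config\)#$": ["crypto pki import TEST-TP certificate", "exit"],
    r".*itself.*": CONSTRUCTED_CERT + "\n",
}


def demo_looping():
    """Returns 'looped' when the original map never ends the session."""
    try:
        run_expect(FakeIosCli(), LOOPING_RESPONSES)
    except TimeoutError:
        return "looped"
    return "finished"


def demo_fixed():
    """Returns (imported, final mode, lines sent) for the list-valued map."""
    cli = FakeIosCli()
    sent = run_expect(cli, FIXED_RESPONSES)
    return cli.imported, cli.mode, sent
```

Running `demo_looping()` reproduces the behaviour reported above (the import command is re-issued every time the config prompt comes back), while `demo_fixed()` ends with the certificate accepted and the session closed. The point for the playbook is that a second `'^.*\(config\)#$'` key in one YAML mapping does not add a response, it replaces the first one, whereas a list under a single key is the supported way to answer the same prompt differently in turn; real IOS prompt text and pexpect's buffering differ from this toy, so verify the pattern order on a lab device.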