CERTIFICATE_VERIFY_FAILED #13

Open
Sneedes opened this issue Jun 18, 2024 · 0 comments
Sneedes commented Jun 18, 2024

Summary

Attempting to use the netapp.um_info collection.
Latest version (21.8.1).

When using the collection in a playbook (say, the na_um_list_clusters module), I get an error message along the lines of:
(Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1129)')

I can ignore this by setting validate_certs to false...but this isn't desired.
The cert is valid with our internal/custom CA-signed certificate.
It "seems" like this Ansible collection is possibly not leveraging the default/system keystore/truststore/CA bundle?

I can add the REQUESTS_CA_BUNDLE environment variable as a workaround as well...but seems odd/inconsistent to have to add the system/default CA bundle. Also...unsure if I should be relying on environment variables from the Python requests module in the netapp.um_info collection that aren't documented.

    - name: List Clusters successfully with custom SSL CA bundle
      netapp.um_info.na_um_list_clusters:
        hostname: "{{ aiqum_hostname }}"
        username: "{{ aiqum_username }}"
        password: "{{ aiqum_password }}"
      environment:
        REQUESTS_CA_BUNDLE: /etc/pki/tls/certs/ca-bundle.crt
    - name: List Clusters successfully by ignoring SSL validation
      netapp.um_info.na_um_list_clusters:
        hostname: "{{ aiqum_hostname }}"
        username: "{{ aiqum_username }}"
        password: "{{ aiqum_password }}"
        validate_certs: false

    - name: List Clusters fails with CERTIFICATE_VERIFY_FAILED
      netapp.um_info.na_um_list_clusters:
        hostname: "{{ aiqum_hostname }}"
        username: "{{ aiqum_username }}"
        password: "{{ aiqum_password }}"

Component Name

na_um_list_clusters

Ansible Version

$ ansible --version
ansible [core 2.15.10]
  config file = /home/IAMERS/nasnyder/.ansible.cfg
  configured module search path = ['/home/IAMERS/nasnyder/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/IAMERS/nasnyder/venvs/ansible-core-2.15.10/lib64/python3.9/site-packages/ansible
  ansible collection location = /home/IAMERS/nasnyder/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/IAMERS/nasnyder/venvs/ansible-core-2.15.10/bin/ansible
  python version = 3.9.18 (main, Jan 24 2024, 00:00:00) [GCC 11.4.1 20231218 (Red Hat 11.4.1-3)] (/home/IAMERS/nasnyder/venvs/ansible-core-2.15.10/bin/python3)
  jinja version = 3.1.3
  libyaml = True

UM_Info Collection Version

$ ansible-galaxy collection list

# /home/IAMERS/nasnyder/.ansible/collections/ansible_collections
Collection            Version
--------------------- -------
ansible.utils         2.9.0  
community.general     6.4.0  
netapp.cloudmanager   21.22.1
netapp.ontap          22.11.0
netapp.um_info        21.8.1

Playbook

    - name: List Clusters
      netapp.um_info.na_um_list_clusters:
        hostname: "{{ aiqum_hostname }}"
        username: "{{ aiqum_username }}"
        password: "{{ aiqum_password }}"

Steps to Reproduce

Expected Results

I expected the collection/modules to not need additional environment variables or configuration to be able to leverage the system default SSL Certificate Authorities.

Actual Results

TASK [List Clusters] ***********************************************************************************************************************************************************************************
task path: /home/IAMERS/nasnyder/dev/ansible/netapp/poc.yml:18
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: nasnyder
<localhost> EXEC /bin/sh -c 'echo ~nasnyder && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/IAMERS/nasnyder/.ansible/tmp `"&& mkdir "` echo /home/IAMERS/nasnyder/.ansible/tmp/ansible-tmp-1718726126.1405203-718140-8897405457221 `" && echo ansible-tmp-1718726126.1405203-718140-8897405457221="` echo /home/IAMERS/nasnyder/.ansible/tmp/ansible-tmp-1718726126.1405203-718140-8897405457221 `" ) && sleep 0'
Using module file /home/IAMERS/nasnyder/.ansible/collections/ansible_collections/netapp/um_info/plugins/modules/na_um_list_clusters.py
<localhost> PUT /home/IAMERS/nasnyder/.ansible/tmp/ansible-local-71813271mfu6m_/tmpaa1i2r8t TO /home/IAMERS/nasnyder/.ansible/tmp/ansible-tmp-1718726126.1405203-718140-8897405457221/AnsiballZ_na_um_list_clusters.py
<localhost> EXEC /bin/sh -c 'chmod u+x /home/IAMERS/nasnyder/.ansible/tmp/ansible-tmp-1718726126.1405203-718140-8897405457221/ /home/IAMERS/nasnyder/.ansible/tmp/ansible-tmp-1718726126.1405203-718140-8897405457221/AnsiballZ_na_um_list_clusters.py && sleep 0'
<localhost> EXEC /bin/sh -c 'python /home/IAMERS/nasnyder/.ansible/tmp/ansible-tmp-1718726126.1405203-718140-8897405457221/AnsiballZ_na_um_list_clusters.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /home/IAMERS/nasnyder/.ansible/tmp/ansible-tmp-1718726126.1405203-718140-8897405457221/ > /dev/null 2>&1 && sleep 0'
fatal: [localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "feature_flags": {},
            "hostname": "internal.aiqumserver.com",
            "http_port": null,
            "max_records": null,
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "username": "aiqum_user1",
            "validate_certs": true
        }
    },
    "msg": "HTTPSConnectionPool(host='internal.aiqumserver.com', port=443): Max retries exceeded with url: /api/datacenter/cluster/clusters (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1129)')))"
}
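
Added example, not part of the original report and not code from the netapp.um_info collection: a stdlib-only diagnostic that reproduces the order in which the Python requests library picks its CA material and compares the result with the OpenSSL system default. It assumes the module hands TLS verification to requests, which the HTTPSConnectionPool error and the REQUESTS_CA_BUNDLE workaround above are consistent with; the function names are hypothetical.

```python
import os
import ssl


def requests_ca_source(env, verify=True, trust_env=True):
    """Return (source, path) following the precedence requests applies to `verify`."""
    if verify is False:
        return ("disabled", None)          # validate_certs: false, nothing is checked
    if isinstance(verify, str):
        return ("explicit", verify)        # caller passed a bundle path directly
    if trust_env:
        # Environment is consulted only when verify is left at True/None.
        for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
            if env.get(var):
                return (var, env[var])
    try:
        import certifi                     # roots shipped with requests, not the OS store
        return ("certifi", certifi.where())
    except ImportError:
        return ("certifi", None)


def system_ca_paths():
    """CA file and directory that OpenSSL, and so Python's ssl module, trust by default."""
    paths = ssl.get_default_verify_paths()
    return [p for p in (paths.cafile, paths.capath) if p]


def diagnose(env=os.environ, verify=True):
    """Report which CA bundle would be used and whether it is the system store."""
    source, path = requests_ca_source(env, verify)
    # realpath so that symlinked bundle locations compare equal
    system = {os.path.realpath(p) for p in system_ca_paths()}
    return {
        "source": source,
        "ca_path": path,
        "system_paths": sorted(system),
        "uses_system_store": bool(path) and os.path.realpath(path) in system,
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Run it with the same interpreter and environment the Ansible task uses; a source of "certifi" with uses_system_store False means an internal CA installed only in the OS trust store will not be seen.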