TypeError: stat: path should be string, bytes, os.PathLike or integer, not NoneType

[vchatela]

PROBLEM SUMMARY
Using the same example as described in ansible galaxy, I get error on undocumented parameter.

STEPS TO REPRODUCE
When using the following code:

---
# Enroll Platform certificate using OAuth authentication (for modern Venafi TPP)
- name: venafi_certificate_tpp_oauth
  hosts: localhost
  gather_facts: no
  connection: local
  vars_files:
    - group_vars/all/vault.yml
    - group_vars/all/vars.yml
  vars:
    client_id: "miam-capabilities"
    scope: "certificate:discover,manage,revoke"
  tasks:
     - name: Request certificate using OAuth token
        venafi.machine_identity.venafi_certificate:
          url: '{{ venafi_url }}'
          access_token: '{{ oauth_response.json.access_token }}'
          zone: '{{ venafi_zone }}'
          privatekey_path: "./artefacts/server.key"
          common_name: "demo-val-nocsr-ansible.airfrance.fr"
          alt_name: "DNS:www.demo-val-nocsr-ansible.airfrance.fr"
          csr_origin: service
          cert_path: '/tmp'
          before_expired_hours: 0  # Accept even short-lived test certificates (1 hour)
          force: false  # Don't force renewal if certificate is still valid
        register: cert_result

I get:

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: TypeError: stat: path should be string, bytes, os.PathLike or integer, not NoneType

While the documentation doesn't mention any path.

EXPECTED RESULTS
When using CSR I don't get any issues:

---
# Enroll Platform certificate using OAuth authentication (for modern Venafi TPP)
- name: venafi_certificate_tpp_oauth
  hosts: localhost
  gather_facts: no
  connection: local
  vars_files:
    - group_vars/all/vault.yml
    - group_vars/all/vars.yml
  vars:
    client_id: "miam-capabilities"
    scope: "certificate:discover,manage,revoke"
  tasks:
    - name: Request certificate using OAuth token
          venafi.machine_identity.venafi_certificate:
            url: '{{ venafi_url }}'
            access_token: '{{ oauth_response.json.access_token }}'
            zone: '{{ venafi_zone }}'
            common_name: 'demo-val-ansible.airfrance.fr'
            csr_origin: provided
            csr_path: "./artefacts/server.csr"
            cert_path: "./artefacts/server.crt"
            chain_path: "./artefacts/server-chain.crt"
            before_expired_hours: 0  # Accept even short-lived test certificates (1 hour)
            force: false  # Don't force renewal if certificate is still valid
          register: cert_result

ENVIRONMENT DETAILS
I am using

$ ansible --version
ansible [core 2.16.3]
  config file = None
  configured module search path = ['/home/valentinc/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /home/valentinc/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.12.3 (main, Aug 14 2025, 17:47:21) [GCC 13.3.0] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True
$ ansible-galaxy collection list | grep venafi
venafi.machine_identity                  1.1.1
$ pip3 show vcert
Name: vcert
Version: 0.18.1
Summary: Python client library for Venafi Trust Protection Platform and Venafi Cloud.  
Home-page: https://github.com/Venafi/vcert-python
Author: Venafi, Inc.
Author-email: opensource@venafi.com
License: ASL
Location: /home/valentinc/.local/lib/python3.12/site-packages
Requires: cryptography, pynacl, python-dateutil, requests, ruamel.yaml, six
Required-by:

Thanks for support !

[philipsd6]

This is because csr_path is not required because it's only required if csr_orgin is provided. It defaults to null/None when not provided (which is a valid configuration if csr_origin is service.)

Then later we have if os.path.exists(self.csr_path) and os.path.isfile(self.csr_path): and neither of those os.path calls should be called with None:

>>> os.path.exists(None)
Traceback (most recent call last):
  File "<python-input-5>", line 1, in <module>
    os.path.exists(None)
    ~~~~~~~~~~~~~~^^^^^^
  File "<frozen genericpath>", line 19, in exists
TypeError: stat: path should be string, bytes, os.PathLike or integer, not NoneType

[vchatela]

Hi @philipsd6,
Thanks for answer, but in my case I do use the csr_origin=provided so I needed the csr_path that's why I provided the csr_path: "./artefacts/server.csr".
So unsure to get how shall I fix ?

[philipsd6]

If csr_path is not set, then it's None, and the code calls os.path.exists(None) and os.path.isfile(None) and that causes the exception.

You could set csr_path=/dev/null (which exists, but is not a file) and then set csr_origin=service and that would avoid this particular error, but that's obviously not a clean solution.

[vchatela]

I can confirm that adding csr_path=/dev/null allows me to bypass the error ! So your PR should fix thanks !

But now using:

- name: Request certificate using OAuth token
      venafi.machine_identity.venafi_certificate:
        url: '{{ venafi_url }}'
        access_token: '{{ oauth_response.json.access_token }}'
        zone: '{{ venafi_zone }}'
        common_name: "demo-val-nocsr-ansible.airfrance.fr"
        alt_name: "DNS:www.demo-val-nocsr-ansible.airfrance.fr"
        csr_origin: service
        csr_path: /dev/null
        cert_path: '/tmp/demo-val-nocsr-ansible.crt'
        privatekey_passphrase: '{{ venafi_privatekey_passphrase }}'
        before_expired_hours: 0  # Accept even short-lived test certificates (1 hour)
        force: false # Don't force renewal if certificate is still valid
      register: cert_result

I do get :

TASK [Request certificate using OAuth token] **************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "/tmp/ansible_venafi.machine_identity.venafi_certificate_payload_v247vuos/ansible_venafi.machine_identity.venafi_certificate_payload.zip/ansible_collections/venafi/machine_identity/plugins/modules/venafi_certificate.py:582: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_after_utc.\n/tmp/ansible_venafi.machine_identity.venafi_certificate_payload_v247vuos/ansible_venafi.machine_identity.venafi_certificate_payload.zip/ansible_collections/venafi/machine_identity/plugins/modules/venafi_certificate.py:592: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_after_utc.\n/tmp/ansible_venafi.machine_identity.venafi_certificate_payload_v247vuos/ansible_venafi.machine_identity.venafi_certificate_payload.zip/ansible_collections/venafi/machine_identity/plugins/modules/venafi_certificate.py:600: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_before_utc.\nTraceback (most recent call last):\n  File \"/home/valentinc/.ansible/tmp/ansible-tmp-1761735736.3497448-2295-261781452573467/AnsiballZ_venafi_certificate.py\", line 107, in <module>\n    _ansiballz_main()\n  File \"/home/valentinc/.ansible/tmp/ansible-tmp-1761735736.3497448-2295-261781452573467/AnsiballZ_venafi_certificate.py\", line 99, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/valentinc/.ansible/tmp/ansible-tmp-1761735736.3497448-2295-261781452573467/AnsiballZ_venafi_certificate.py\", line 47, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.venafi.machine_identity.plugins.modules.venafi_certificate', init_globals=dict(_module_fqn='ansible_collections.venafi.machine_identity.plugins.modules.venafi_certificate', _modlib_path=modlib_path),\n  File \"<frozen runpy>\", line 226, in run_module\n  File \"<frozen runpy>\", line 98, in _run_module_code\n  File \"<frozen runpy>\", line 88, in _run_code\n  File \"/tmp/ansible_venafi.machine_identity.venafi_certificate_payload_v247vuos/ansible_venafi.machine_identity.venafi_certificate_payload.zip/ansible_collections/venafi/machine_identity/plugins/modules/venafi_certificate.py\", line 819, in <module>\n  File \"/tmp/ansible_venafi.machine_identity.venafi_certificate_payload_v247vuos/ansible_venafi.machine_identity.venafi_certificate_payload.zip/ansible_collections/venafi/machine_identity/plugins/modules/venafi_certificate.py\", line 812, in main\n  File \"/tmp/ansible_venafi.machine_identity.venafi_certificate_payload_v247vuos/ansible_venafi.machine_identity.venafi_certificate_payload.zip/ansible_collections/venafi/machine_identity/plugins/modules/venafi_certificate.py\", line 499, in enroll\n  File \"/tmp/ansible_venafi.machine_identity.venafi_certificate_payload_v247vuos/ansible_venafi.machine_identity.venafi_certificate_payload.zip/ansible_collections/venafi/machine_identity/plugins/modules/venafi_certificate.py\", line 534, in _atomic_write\nTypeError: unsupported operand type(s) for +: 'NoneType' and 'str'\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

It seems to correctly create the certificate but not be able to download it. So when I rerun the ansible playbook, because I've set force: false it just download it and it works well.