Refactor SSL EOF handling

justinc1 · justinc1 · commit 748195e3f66a · 2023-03-21T12:36:35.000+01:00
Signed-off-by: Justin Cinkelj &lt;justin.cinkelj@xlab.si&gt;
diff --git a/plugins/module_utils/client.py b/plugins/module_utils/client.py
@@ -9,6 +9,7 @@
 __metaclass__ = type
 
 import json
+import ssl
 from typing import Any, Optional, Union
 
 from ansible.module_utils.urls import Request, basic_auth_header
@@ -141,6 +142,13 @@ def _request(
                 and type(e.args[0]) == ConnectionResetError
             ):
                 raise ConnectionResetError(e)
+            elif (
+                e.args
+                and isinstance(e.args, tuple)
+                and type(e.args[0])
+                in [ssl.SSLEOFError, ssl.SSLZeroReturnError, ssl.SSLSyscallError]
+            ):
+                raise type(e.args[0])(e)
             raise ScaleComputingError(e.reason)
         return Response(raw_resp.status, raw_resp.read(), raw_resp.headers)
 
diff --git a/plugins/modules/certificate.py b/plugins/modules/certificate.py
@@ -116,28 +116,14 @@ def ensure_present(
             )
             sleep(2)
             continue
-        except errors.ScaleComputingError as ex:
+        except (ssl.SSLEOFError, ssl.SSLZeroReturnError, ssl.SSLSyscallError) as ex:
             # Ignore "EOF occurred in violation of protocol (_ssl.c:997)"
-            # Also other have same problem - https://github.com/psf/requests/issues/3006#issuecomment-183394849.
-            # We do not use requests library, but problem is the same.
-            # ex.args - this is what Exception.__init__() stores into object.
-            ex_reason = ex.args[0]
-            # ex_reason is instance of SSLEOFError or ssl.SSLEOFError
-            strerror = ex_reason.strerror
-            if (
-                "EOF occurred in violation of protocol" in strerror
-                and "ssl.c" in strerror
-            ):
-                module.warn(
-                    f"retry {ii}/{max_retries}, SSLEOFError - ignore and continue"
-                )
-                sleep(2)
-                continue
-            else:
-                module.warn(
-                    f"retry {ii}/{max_retries}, re-raise unexpected exception" + str(ex)
-                )
-                raise
+            # Alternative message "TLS/SSL connection has been closed (EOF) (_ssl.c:1129)".
+            module.warn(
+                f"retry {ii}/{max_retries}, SSL error {ex.__class__.__name__} - ignore and continue"
+            )
+            sleep(2)
+            continue
     after: TypedCertificateToAnsible = dict(certificate=get_certificate(module))
     return True, after, dict(before=before, after=after)
 
diff --git a/tests/integration/targets/certificate/tasks/02_ssl_eof_error.yml b/tests/integration/targets/certificate/tasks/02_ssl_eof_error.yml
@@ -68,7 +68,7 @@
           # - certificate_info.record.certificate != default_cert_info.cert
           - "{{ certificate_info.record.certificate | replace('\n','') == lookup('file', 'certificate_example.crt') | replace('\n','') }}"
           - certificate_info.warnings | length >= 1
-          - certificate_info.warnings[0] == "retry 0/10, SSLEOFError - ignore and continue"
+          - certificate_info.warnings[0] == "retry 0/10, SSL error SSLZeroReturnError - ignore and continue"
 
     - name: Get new / uploaded cert from cluster
       community.crypto.get_certificate:
