get_url: SSL cert verification failed for redirect #15679

Closed
zeldigas opened this issue Apr 30, 2016 · 4 comments

@zeldigas

ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
ansible 2.0.1.0
  config file = /cygdrive/c/Users/me/.ansible.cfg
  configured module search path = Default w/o overrides
OS / ENVIRONMENT

Running ansible from windows. Ansible is installed via pip install command in cygwin environment. Managed machine is ubuntu 14.04 in aws.

SUMMARY

File download failed if site redirects to cdn on another domain.

STEPS TO REPRODUCE

Having an instance running ubuntu 14.04, execute

ansible ubuntu_box -m get_url -a "url=https://packages.chef.io/stable/ubuntu/12.04/chefdk_0.13.21-1_amd64.deb dest=/tmp/my.deb"
EXPECTED RESULTS

File downloads just fine

ACTUAL RESULTS
ubuntu_box | FAILED! => {
    "changed": false,
    "failed": true,
    "invocation": {
        "module_args": {
            "backup": null,
            "checksum": "",
            "content": null,
            "delimiter": null,
            "dest": "/tmp/my.deb",
            "directory_mode": null,
            "follow": false,
            "force": false,
            "force_basic_auth": false,
            "group": null,
            "headers": null,
            "http_agent": "ansible-httpget",
            "mode": null,
            "owner": null,
            "regexp": null,
            "remote_src": null,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "sha256sum": "",
            "src": null,
            "timeout": 10,
            "url": "https://packages.chef.io/stable/ubuntu/12.04/chefdk_0.13.21-1_amd64.deb",
            "url_password": null,
            "url_username": null,
            "use_proxy": true,
            "validate_certs": true
        },
        "module_name": "get_url"
    },
    "msg": "SSL Certificate does not belong to packages.chef.io.  Make sure the url has a certificate that belongs to it or use validate_certs=False (insecure)"
}

@sivel
Member

sivel commented Apr 30, 2016

Have you tested in 2.0.2? I believe this may have been resolved already.

@Deepakkothandan
Contributor

Can confirm the same issue on ansible version 2.0.2.0, running from arch linux and ubuntu 14.04 as target

@sivel
Member

sivel commented Apr 30, 2016

Your initial report indicated that this happened for redirects. It does not appear that this URL redirects in any manner.

After further inspection, it appears as though the service hosting packages.chef.io uses SNI for its SSL functionality. Python versions less than 2.7.9 do not support SNI natively, and cannot validate certificates.

New for ansible 2.1 is the ability to validate SSL certs via SNI with older python versions by installing urllib3, pyopenssl, pyasn1, and ndg-httpsclient on the remote server. I have validated that using ansible 2.1.0 with those packages installed allows me to validate the SSL certificate accordingly.

We do not intend on backporting that functionality to 2.0, and 2.1 just entered release candidate as of 26-Apr-2016. Please feel free to test this fix by installing 2.1 RC1 via http://releases.ansible.com/ansible/ansible-2.1.0.0-0.1.rc1.tar.gz

An alternative solution is to set validate_certs=False as indicated by the error message.

If you have further questions please stop by IRC or the mailing list:

@sivel sivel closed this as completed Apr 30, 2016
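
The failure mode and the two ways out described in the comment above, as an added example (not Ansible's code and not part of the original thread). `sni_support` reports whether the running interpreter can send SNI natively or through the four fallback packages; the virtual-host table, the hostnames in it, and all function names are constructed for illustration.

```python
import ssl

# Fallback packages from the comment, by import name (pyopenssl -> OpenSSL).
FALLBACK_MODULES = ("urllib3", "OpenSSL", "pyasn1", "ndg.httpsclient")

def _can_import(name):
    try:
        __import__(name)
        return True
    except ImportError:
        return False

def sni_support(native=None, can_import=_can_import):
    """Return 'native', 'fallback', or 'none' for the running interpreter."""
    if native is None:
        # ssl.HAS_SNI and ssl.SSLContext arrived together in Python 2.7.9.
        native = bool(getattr(ssl, "HAS_SNI", False)) and hasattr(ssl, "SSLContext")
    if native:
        return "native"
    missing = [m for m in FALLBACK_MODULES if not can_import(m)]
    return "none" if missing else "fallback"

# Constructed server model: one address, certificate picked from the SNI name.
# The None entry is the default certificate sent when the client omits SNI.
VHOST_SANS = {
    None: ["*.cdn.example"],
    "packages.example.test": ["packages.example.test"],
}

def hostname_matches(host, sans):
    """Exact match, or a wildcard covering exactly the leftmost label."""
    host = host.lower().rstrip(".")
    for pattern in (s.lower() for s in sans):
        if pattern == host:
            return True
        if pattern.startswith("*.") and host.partition(".")[2] == pattern[2:]:
            return True
    return False

def verify(host, sends_sni):
    """Would certificate validation for `host` pass against the model above?"""
    sans = VHOST_SANS.get(host if sends_sni else None, VHOST_SANS[None])
    return hostname_matches(host, sans)

if __name__ == "__main__":
    print("SNI support on this interpreter:", sni_support())
    print("with SNI:", verify("packages.example.test", True))
    print("without SNI:", verify("packages.example.test", False))
```

Run on the managed host's interpreter, a result of `none` means the certificate check will keep failing against SNI-only hosts until Python is upgraded or the fallback packages are installed.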
@zeldigas
Author

zeldigas commented May 5, 2016

Ok, it seems that if I want to use ansible 2.0 I need either to upgrade python version or set validate_certs=false.

Thank you!

ei-grad added a commit to ei-grad/ansible that referenced this issue Sep 25, 2016
The `except` block with exception matching through
`if 'connection refused' in str(e).lower():` is funny,
but is not user-friendly.

Probably related issues:

- ansible#15679
- ansible#12161
- ansible#9966
- ansible#8221
- ansible#7218

... and more
ei-grad added a commit to ei-grad/ansible that referenced this issue Dec 15, 2016
The `except` block with exception matching through
`if 'connection refused' in str(e).lower():` is funny,
but is not user-friendly.

Probably related issues:

- ansible#15679
- ansible#12161
- ansible#9966
- ansible#8221
- ansible#7218

... and more
abadger pushed a commit that referenced this issue Jan 6, 2017
The `except` block with exception matching through
`if 'connection refused' in str(e).lower():` is funny,
but is not user-friendly.

Probably related issues:

- #15679
- #12161
- #9966
- #8221
- #7218

... and more
@dagwieers dagwieers added the net_tools Net-tools category label Mar 3, 2019
@ansible ansible locked and limited conversation to collaborators Apr 25, 2019