apt_repository: Failed to validate the SSL certificate for launchpad.net:443 #9966

Closed
maedox opened this issue Jan 9, 2015 · 15 comments

@maedox (Contributor) commented Jan 9, 2015

Issue Type:

Bug Report

Ansible Version:

ansible 1.8.2
configured module search path = /usr/share/ansible

Environment:

Running from: Linux Mint 17.1 (based on Ubuntu 14.04)
Managing: Ubuntu 10.04, 12.04

Summary:

Adding a PPA with the apt_repository module fails with certificate validation problems.
Manually running add-apt-repository on the host works.

Steps To Reproduce:

```yaml
- name: "PHP: Add PHP 5.4 PPA"
  apt_repository:
    repo: ppa:ondrej/php5-oldstable
```

Expected Results:

PPA added under /etc/apt/sources.list.d/

Actual Results:

```
TASK: [php | PHP: Add PHP 5.4 PPA] ******************************************** 
failed: [host.example.com] => {"failed": true}
msg: Failed to validate the SSL certificate for launchpad.net:443. Use validate_certs=no or make sure your managed systems have a valid CA certificate installed. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible
```

@bcoca bcoca added P3 labels Jan 9, 2015

@jimi-c (Member) commented Jul 1, 2015

Hi, this situation is no longer present in the devel branch (which will be ansible 2.0). Here is the output using a version of your example above:

```
root@ubuntu1404:~# ansible-playbook -vv 9966.yml -i localhost, -c local
1 plays in 9966.yml
PLAY: ***************************************************************************
TASK [PHP: Add PHP 5.4 PPA] *****************************************************
changed: [localhost] => {"repo": "ppa:ondrej/php5-oldstable", "invocation": {"module_name": "apt_repository", "module_args": {"repo": "ppa:ondrej/php5-oldstable"}}, "state": "present", "changed": true}
PLAY RECAP **********************************************************************
localhost                  : ok=1    changed=1    unreachable=0    failed=0   
```

If you continue seeing any problems related to this issue, or if you have any further questions, please let us know by stopping by one of the two mailing lists, as appropriate:

Because this project is very active, we're unlikely to see comments made on closed tickets, but the mailing list is a great way to ask questions, or post if you don't think this particular issue is resolved.

Thank you!

@jimi-c jimi-c closed this Jul 1, 2015

@basictheprogram commented Dec 10, 2015

I think we have a regression.

```
$ ansible --version
ansible 2.1.0 (devel 30e729557f) last updated 2015/12/09 22:10:16 (GMT -500)
  lib/ansible/modules/core: (detached HEAD 0b5555b62c) last updated 2015/12/09 22:10:16 (GMT -500)
  lib/ansible/modules/extras: (detached HEAD cbed642009) last updated 2015/12/09 22:10:16 (GMT -500)
  config file = /Users/tanner/projects/ansible.git/playbooks.git/ansible.cfg
  configured module search path = Default w/o overrides
```

```yaml
- name: add zfs-native apt repository
  apt_repository: >
      repo="ppa:zfs-native/stable"
      update_cache="yes"
```

```
FAILED! => {"changed": false, "failed": true, "msg": "Failed to validate the SSL certificate for launchpad.net:443. Make sure your managed systems have a valid CA certificate installed.  If the website serving the url uses SNI you need python >= 2.7.9 on your managed machine.  You can use validate_certs=False if you do not need to confirm the server\\s identity but this is unsafe and not recommended Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible"}
```

The managed machine is a fully patched Ubuntu 14.04 and it's python 2.7.6

@my2ter commented Jun 14, 2016

Hi,

I am using the official docker image for Ubuntu:14.04. https://hub.docker.com/_/ubuntu/ And the following task fails:

```yaml
- name: Add repository to install last PHP version
  apt_repository:
    repo="ppa:ondrej/php5-5.6"
    update_cache=yes
```

Ansible installed with homebrew:

```
ansible --version
ansible 2.1.0.0
```

```
FAILED! => {"changed": false, "failed": true, "msg": "Failed to validate the SSL certificate for launchpad.net:443. Make sure your managed systems have a valid CA certificate installed. If the website serving the url uses SNI you need python >= 2.7.9 on your managed machine or you can install the `urllib3`, `pyopenssl`, `ndg-httpsclient`, and `pyasn1` python modules to perform SNI verification in python >= 2.6. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible"}
```

Should this be fixed?

Thanks

@arikon commented Jul 7, 2016

Same error as above ⬆️ on the latest state of stable-2.1 branch

@arikon commented Jul 7, 2016

@jimi-c Have a look at the above comments, please

@resmo (Member) commented Jul 7, 2016

reopen it based on the recent comments.

@resmo resmo reopened this Jul 7, 2016

@kuza55 commented Jul 25, 2016

I'm also running into this targeting a fresh install of 14.04, is there a workaround for this issue?

[EDIT]: I think in my case this might be because I was trying to configure a VM with hostonly network access, and no route to the internet, so if nothing else maybe the error message could be improved to not be misleading.

@otanner commented Jul 26, 2016

I'm experiencing the same Ubuntu 14.04 issue. I also tried updating to Python 2.7.12 before running Ansible, didn't help.

@ansibot ansibot added the affects_1.8 label Sep 8, 2016

wunzeco added a commit to wunzeco/ansible-nodejs that referenced this issue Sep 9, 2016

@prevostc commented Sep 12, 2016

Same issue with ansible 2.1.1.0 on ubuntu 14.04 and python 2.7.6: Failed to validate the SSL certificate for deb.nodesource.com:443. ...

@prevostc commented Sep 12, 2016

@boris-hocde (in my company) found a solution:

Before python 2.7.9:

```yaml
- name: Add nodesource apt key
  become: yes
  shell: curl -s https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add -
```

After python 2.7.9

```yaml
- name: Add nodesource apt key
  become: yes
  apt_key: url=https://deb.nodesource.com/gpgkey/nodesource.gpg.key state=present
```

ei-grad added a commit to ei-grad/ansible that referenced this issue Sep 25, 2016

Fix misleading SSL error message
The `except` block with exception matching through
`if 'connection refused' in str(e).lower():` is funny,
but is not user-friendly.

Probably related issues:

- ansible#15679
- ansible#12161
- ansible#9966
- ansible#8221
- ansible#7218

... and more

ei-grad added a commit to ei-grad/ansible that referenced this issue Dec 15, 2016


abadger added a commit that referenced this issue Jan 6, 2017


@bcoca (Member) commented Jan 23, 2017

These now give a proper error instead of the misleading generic:

"Failed to validate the SSL certificate for deb.nodesource.com:443. Make sure your managed systems have a valid CA certificate installed. If the website serving the url uses SNI you need python >= 2.7.9 on your managed machine or you can install the `urllib3`, `pyopenssl`, `ndg-httpsclient`, and `pyasn1` python modules to perform SNI verification in python >= 2.6. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible. The exception msg was: [Errno 1] _ssl.c:510: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure."

So I'm going to go ahead and close the issue as we won't be autoupgrading the target pythons.

@bcoca bcoca closed this Jan 23, 2017

@elnur commented Feb 25, 2017

Installing the ca-certificates APT package in LXC containers solved the issue for me.

popstas added a commit to viasite-ansible/ansible-role-influxdb that referenced this issue Feb 28, 2017

updated to influxdb 1.2.0
Before config template describe:

`default/main.yml`: changed influxdb_install_method to 'repository',
I think that repo install is preferred way for most cases.

`handlers/main.yml`: renamed service from 'influxdb' to 'influxd'.

`tasks/install-download.yml`: added checksum check and changed url template.
Added package 'ca-certificate', see ansible/ansible#9966 (comment)

`tasks/main.yml`: merged 4 create directory tasks to one.

## Upgrade config template to v1.2.0

I've compared default config from influxdb v1.2.0 with template and updated template.
I also updated all comments and left commented default values for better diff.

New variables not described below, see commit.

Deletes and changes:

v0.12
Some configuration parameters from [meta] and [data] were removed. Commits:
- influxdata/influxdb@22173ac
- influxdata/influxdb@686d1a7

v1.0.0:
Config option [cluster] has been replaced with [coordinator]

Section [hinted-handoff] was removed.

### Updated defaults:
hostname = "localhost" # Ansible 2.2 with ansible_default_ipv4.address fires AnsibleUndefinedVariable: {{ ansible_default_ipv4.address }}: 'ansible_default_ipv4' is undefined

[data]
cache-max-memory-size = 1048576000
cache-snapshot-write-cold-duration = "10m"
compact-full-write-cold-duration = "4h"

[coordinator]
write-timeout = "10s"

[admin]
enabled = false

[http]
pprof-enabled = true

[[graphite]]
batch-size = 5000
batch-pending = 10

[[collectd]]
batch-size = 5000
batch-timeout = "10s"

[[opentsdb]]
certificate= "/etc/ssl/influxdb.pem"

[[udp]]
bind-address = ":8089"
batch-size = 5000
batch-pending = 10

@kartsims commented Aug 14, 2017

Same solution as @elnur for Debian container on Docker

@aaksarin commented Aug 18, 2017

Installing apt packages python-urllib3, python-openssl, python-pyasn1, python-pip and pip package ndg-httpsclient solved issue for me. Thanks to Yuri Kanivetsky from this thread https://groups.google.com/forum/#!msg/ansible-project/p4dQ0c25bpM/qSsI4JQqBAAJ.

@nvtkaszpir commented Aug 29, 2017

Too bad the message is hiding underlying network issues like problems with routing.
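
An added example, not code from this thread or from Ansible: a check that could be run on a managed host to separate the causes reported above (no route to the internet, missing ca-certificates, Python older than 2.7.9 without SNI) by exception type and errno instead of by matching on exception text. The function names and hint wording are assumptions; the CA paths are the ones listed in the quoted error message.

```python
import errno
import os
import socket
import ssl
import sys

# Directories listed in the error message quoted in this thread.
CA_PATHS = ["/etc/ssl/certs", "/etc/pki/ca-trust/extracted/pem",
            "/etc/pki/tls/certs", "/usr/share/ca-certificates/cacert.org",
            "/etc/ansible"]

def ca_dirs_with_certs(paths=CA_PATHS):
    """Return the checked directories that actually contain certificate files."""
    return [p for p in paths if os.path.isdir(p) and any(
        name.endswith((".pem", ".crt", ".cer")) for name in os.listdir(p))]

def sni_capable(version=sys.version_info):
    """Per the error text, the stdlib sends SNI only from Python 2.7.9 on."""
    return tuple(version[:3]) >= (2, 7, 9)

def classify(exc):
    """Map an exception to a cause by type and errno, not by message text."""
    if isinstance(exc, getattr(ssl, "SSLCertVerificationError", ())):
        return "certificate-verification"
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake"
    if isinstance(exc, socket.gaierror):
        return "dns"
    if isinstance(exc, socket.timeout):
        return "network"
    if isinstance(exc, OSError) and exc.errno in (
            errno.ECONNREFUSED, errno.ENETUNREACH, errno.EHOSTUNREACH):
        return "network"
    return "unknown"

def diagnose(exc, version=sys.version_info, paths=CA_PATHS):
    """Combine the three checks into one hint (hint wording is illustrative)."""
    cause = classify(exc)
    if cause in ("network", "dns"):
        return cause + ": no route or name resolution; not a certificate problem"
    if not ca_dirs_with_certs(paths):
        return cause + ": no CA certificates found; install ca-certificates"
    if cause == "tls-handshake" and not sni_capable(version):
        return cause + ": Python < 2.7.9 sends no SNI; upgrade or add SNI modules"
    return cause + ": read the underlying exception message"
```

Keeping `validate_certs` enabled and fixing whichever cause `diagnose` reports preserves server identity checking for the repository and key downloads.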

@ansibot ansibot added bug and removed bug_report labels Mar 6, 2018

titom73 pushed a commit to titom73/ansible-role-gitlab-ci-multi-runner that referenced this issue Mar 8, 2018

Thomas
Issue with SSL and apt-key
According to ansible/ansible#9966 and
https://groups.google.com/forum/#!msg/ansible-project/p4dQ0c25bpM/qSsI4JQqBAAJ
it is required to add more packages to play with SSLv3 handshake

 Changes to be committed:
	modified:   tasks/install-docker-on-debian-family.yml

@ansible ansible locked and limited conversation to collaborators Apr 25, 2019
