Certificate errors from proxies with certain versions of Python #12549
Comments
Confirmed that problem exists when run under python-2.7.9+ but not before.
Standard squid connect proxy; nothing fancy.
I'm just adding some keywords here as I had a very hard time finding this today when I tried searching for it. tls ssl
I was unable to reproduce this using Python 2.7.9 or 2.7.10 using squid 3.4.12 and the latest Ansible devel:
@morungos - Am now able to duplicate this bug (I had not been setting ansible_python_interpreter before... woops) - and am trying to fix this condition by modifying module_utils/urls.py - unfortunately, the changes required here will be more complicated than the fixes in urllib3 that you linked to.
@morungos ^ The above change allows the proxy configuration you have to work for me. However, I need to go over the code more to see if that causes any issues where we end up not validating the host against its certificate before I can push it out. Please test and see if you notice any problems with it.
Fix was applied to the devel and stable-2.0 branches. It should fix your issue.
Issue Type
Bug Report
Ansible Version
2.0.0 (devel 132c14e)
OS
OSX Yosemite (tested module file with pyenv against 2.7.8/2.7.9/2.7.10)
Summary
I've just encountered an issue with get_url on Github URLs, which are failing to verify certificates for some versions of Python. I'm fairly sure it's a manifestation of urllib3/urllib3#385, which describes potentially breaking changes to `._tunnel()` in Python 3.4.1, backported to Python 2.7.9+. This logic seems to be identical to the `connect` method in `lib/ansible/module_utils/urls.py`, and behaves similarly -- the error I'm encountering is:

The same URL can be requested just fine through browsers and `curl`, so it seems to be a Python-specific (and version-specific, it does not affect Python 2.7.8) certificate verification issue with proxies.

I think the modified logic in urllib3/urllib3#385 (comment) needs to be rolled into the `connect` method, so that `self._tunnel_host` is used in place of `self.host` if needed.

This is deep into the guts of various systems, and I'm not a Python person, but I'll make a PR if you want me to.
Steps to reproduce
This task should do it, if you have a proxy. All that matters is HTTPS + Github + Python 2.7.9+
Expected Results
Successful download
Actual Results
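The hostname selection the report asks for (`self._tunnel_host` in place of `self.host` when a tunnel is set), together with the check the maintainer mentions, that the origin is still validated against its certificate. This is an added example, not code from Ansible or urllib3; every function name, the simplified name matcher and the sample certificate and proxy name are assumptions constructed for illustration.

```python
# Added illustration; not code from Ansible or urllib3. All names are hypothetical.

def hostname_to_verify(host, tunnel_host=None):
    """Return the name the TLS peer certificate must match.

    Through a CONNECT proxy, `host` is the proxy and `tunnel_host` is the
    origin that terminates TLS, so the origin name takes precedence.
    """
    return tunnel_host or host


def dns_name_matches(pattern, hostname):
    """Simplified dNSName comparison (assumption: exact match, or a single
    wildcard that is the entire left-most label of a 3+ label name)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p, h = pattern.split("."), hostname.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def cert_matches(cert, hostname):
    """`cert` is a dict shaped like ssl.SSLSocket.getpeercert() output."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(n, hostname) for n in names)


def check_peer(cert, host, tunnel_host=None):
    """Validate `cert` against the tunnel target if set, else `host`."""
    name = hostname_to_verify(host, tunnel_host)
    if not cert_matches(cert, name):
        raise ValueError("certificate does not match %r" % name)
    return name


# Constructed sample data: certificate the origin presents through the tunnel.
ORIGIN_CERT = {"subjectAltName": (("DNS", "github.com"), ("DNS", "*.github.com"))}
PROXY_HOST = "proxy.example.internal"  # constructed proxy name

if __name__ == "__main__":
    print(cert_matches(ORIGIN_CERT, PROXY_HOST))              # proxy name checked
    print(check_peer(ORIGIN_CERT, PROXY_HOST, "github.com"))  # origin name checked
```

Comparing the certificate with the proxy name reproduces the mismatch; comparing it with the tunnel target passes, and a tunnel target the certificate does not cover is still rejected.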