
Certificate errors from proxies with certain versions of Python #12549

Closed
morungos opened this issue Sep 28, 2015 · 7 comments
Labels
bug This issue/PR relates to a bug.

Comments

@morungos

Issue Type

Bug Report

Ansible Version

2.0.0 (devel 132c14e)

OS

OSX Yosemite (tested module file with pyenv against 2.7.8/2.7.9/2.7.10)

Summary

I've just encountered an issue with get_url on Github URLs, which are failing to verify certificates for some versions of Python. I'm fairly sure it's a manifestation of urllib3/urllib3#385, which describes potentially breaking changes to ._tunnel() in Python 3.4.1, backported to Python 2.7.9+. This logic seems to be identical to the connect method in lib/ansible/module_utils/urls.py, and behaves similarly -- the error I'm encountering is:

hostname 'webproxy.uhnres.utoronto.ca' doesn't match either of 'github.com', 'www.github.com'

The same URL can be requested just fine through browsers and curl, so it seems to be a Python-specific (and version-specific, it does not affect Python 2.7.8) certificate verification issue with proxies.

I think the modified logic in urllib3/urllib3#385 (comment) needs to be rolled into the connect method, so that self._tunnel_host is used in place of self.host if needed.

This is deep into the guts of various systems, and I'm not a Python person, but I'll make a PR if you want me to.

Steps to reproduce

This task should do it, if you have a proxy. All that matters is HTTPS + Github + Python 2.7.9+

- name: Webapp | Get release files
  get_url:
    url: "https://github.com/pughlab/tracker/releases/download/2.0.1-RC4/tracker-java-restlet-2.0.1-RC4.war"
    dest: "output.war"

Expected Results

Successful download

Actual Results

{"msg": "hostname 'webproxy.uhnres.utoronto.ca' doesn't match either of 'github.com', 'www.github.com'", "failed": true}
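The mismatch above comes from comparing the origin server's certificate against the wrong name: when a CONNECT proxy is in use, the TCP connection is made to the proxy, but the TLS handshake (and the certificate) belongs to the tunnelled origin. The script below is an added example, not code from this issue, from Ansible or from urllib3. It models that verification step with a constructed `getpeercert()`-style dictionary for a github.com-like certificate and a hypothetical proxy name (`webproxy.example.invalid`); the helper names (`verification_host`, `check_tunnelled_peer`) are invented for the demonstration. It shows the broken check (origin certificate matched against the proxy host, which always fails) next to the corrected one (matched against the tunnel host), and the hostname matcher is general enough to handle a leftmost wildcard label and a CN-only certificate.

```python
# Constructed peer certificate in the dict layout returned by
# ssl.SSLSocket.getpeercert(); the names mirror the error quoted in the issue.
GITHUB_LIKE_CERT = {
    "subject": ((("commonName", "github.com"),),),
    "subjectAltName": (("DNS", "github.com"), ("DNS", "www.github.com")),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    Exact match, or a single wildcard as the whole leftmost label
    (RFC 6125 style); '*' never matches across a dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_dns_names(cert: dict) -> list:
    """DNS subjectAltName entries; commonName only as a fallback when no SAN exists."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def check_hostname(cert: dict, hostname: str):
    """Return None if the cert is valid for hostname, else the mismatch message."""
    names = cert_dns_names(cert)
    if any(_dns_name_matches(n, hostname) for n in names):
        return None
    quoted = ", ".join(repr(n) for n in names)
    return "hostname %r doesn't match either of %s" % (hostname, quoted)


def verification_host(connect_host: str, tunnel_host=None) -> str:
    """Name the TLS peer must prove ownership of (hypothetical helper).

    With a CONNECT proxy the TCP connection goes to connect_host (the proxy),
    but the TLS handshake happens with the tunnelled origin, so that is the
    name the certificate has to match.
    """
    return tunnel_host if tunnel_host else connect_host


def check_tunnelled_peer(cert: dict, connect_host: str, tunnel_host=None,
                         use_tunnel_host: bool = True):
    """Simulate the verification step of an HTTPS-over-CONNECT request.

    use_tunnel_host=False reproduces the broken behaviour: the origin's
    certificate is compared against the proxy's hostname and never matches.
    """
    target = verification_host(connect_host, tunnel_host) if use_tunnel_host else connect_host
    return check_hostname(cert, target)


if __name__ == "__main__":
    proxy, origin = "webproxy.example.invalid", "github.com"  # hypothetical names
    print("broken:", check_tunnelled_peer(GITHUB_LIKE_CERT, proxy, origin, use_tunnel_host=False))
    print("fixed: ", check_tunnelled_peer(GITHUB_LIKE_CERT, proxy, origin))
```

The important property of the fix is that verification is not weakened: the corrected path still matches the certificate against a specific expected name, only the right one. A change that made the proxy case "work" by skipping the hostname check would silently allow any valid certificate through the tunnel, which is why the later comment in this thread says the change still needs review for exactly that.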
@abadger
Contributor

abadger commented Oct 30, 2015

Confirmed that problem exists when run under python-2.7.9+ but not before.

@abadger
Contributor

abadger commented Oct 30, 2015

Standard squid connect proxy; nothing fancy.

@abadger
Contributor

abadger commented Nov 18, 2015

I'm just adding some keywords here as I had a very hard time finding this today when I tried searching for it. tls ssl

@chrrrles chrrrles self-assigned this Nov 18, 2015
@jimi-c jimi-c removed the P3 label Dec 7, 2015
@chrrrles
Contributor

chrrrles commented Dec 8, 2015

I was unable to reproduce this using Python 2.7.9 or 2.7.10 using squid 3.4.12 and the latest Ansible devel:

- name: Certificate errors from proxies with certain versions of Python
  hosts: localhost
  tasks:
  - name: Download small file over https
    get_url:
      url: "https://github.com/pughlab/tracker/releases/download/2.0.1-RC4/tracker-java-restlet-2.0.1-RC4.war"
      dest: "/tmp/output.war"
    environment:
      http_proxy: http://localhost:3128
      https_proxy: http://localhost:3128

@chrrrles
Contributor

@morungos - Am now able to duplicate this bug (I had not been setting ansible_python_interpreter before... woops) - and am trying to fix this condition by modifying module_utils/urls.py - unfortunately, the changes required here will be more complicated than the fixes in urllib3 that you linked to.

@abadger
Contributor

abadger commented Dec 15, 2015

@morungos ^ The above change allows the proxy configuration you have to work for me. However, I need to go over the code more to see if that causes any issues where we end up not validating the host against its certificate before I can push it out. Please test and see if you notice any problems with it.

@abadger
Contributor

abadger commented Dec 18, 2015

Fix was applied to the devel and stable-2.0 branches. It should fix your issue.

@ansibot ansibot added bug This issue/PR relates to a bug. and removed bug_report labels Mar 7, 2018
@ansible ansible locked and limited conversation to collaborators Apr 25, 2019