Can't verify Blue Box apt mirrors #1318
Comments
Did you install libssl-dev before running?
@epwn yep, libssl-dev is installed. I just singled out the second repo to test it out. Doing a curl to the repo doesn't have any sort of SSL errors, I can connect to it just fine. So it's only the playbook/ansible that is having problems with this site.
I just re-ran my allinone this morning and didn't hit the issue you are having. So it's not reproducible, at least not on my end. I guess you could try (although it wouldn't be best practice) to set validate_certs to false on those two repos and see what happens?
When we set validate_certs to False things worked fine. After looking at https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/urls.py#L569, Python 2.7.10 was tried, and that got through without SSL errors. Does there need to be something in the readme to put a requirement on python >= 2.7.9?
@j2sol Should we add a line to requirements.txt that requires python >= 2.7.10 based on this issue?
I'm not sure we want to start expressing python version requirements in requirements.txt. We can document that it is preferred to run Ursula, but we don't know all the ways people install Ursula, and expressing python version requirements there seems antisocial.
Hi, I am seeing a similar issue with the allinone configuration. The first time I run "ursula envs/example/allinone site.yml", it ends with the error below:
When I reran "ursula envs/example/allinone site.yml", I got the same error addressed in this issue topic:
I am running Ubuntu 14.04.3 on x86_64 platforms. Should I update Python on the allinone node? Thank you for any suggestion.
Sorry, I missed the SSL errors at the bottom there. Ignore!
Guang, I have been having the same error. That is: the Ursula playbook goes through, all apt things work, then it changes the repos, then apt-related things fail. As the message from Nov 3 above says, it's due to Ubuntu 14.04-3 LTS using Python 2.7.6, which doesn't come with support for SNI (Python 2.7.9 adds that). From what I understand, Ursula uses 2 methods to install packages: (a) the apt module from Ansible with a url, and (b) a url get followed by an install. If you are having a failure of the 1st type, then the hack is to add the "validate_certs: false" to the ansible call. If you are having a failure of the 2nd type (I think your message shows that), then the hack that has worked for me is to create a file (/etc/apt/apt.conf.d/00ursula) that contains the lines:
That hack is based on info from here
I'm going to bet that you're using the example https://github.com/blueboxgroup/ursula/blob/master/envs/example/defaults-2.0.yml#L456
Thanks @j2sol, @jzer7, @notnownikki for your suggestions. Here are the steps I tried:
But the above steps did not help. I then edited ./roles/apt-repos/tasks/main.yml and changed the validate_certs line to validate_certs: "no"; then "ursula envs/example/allinone site.yml" went much, much further, but finally failed with another SSL cert verification problem:
I am new to Ursula and Ansible; any further suggestions will be highly appreciated.
@ligc: I'm not sure how to solve this issue, but one thing that might be helpful in the future is to run w/ the edit: Although in this case, it does not appear verbosity is a problem, so you can pretty much ignore this comment.
At this point your system's certs file is probably messed up. I'd suggest starting over with a clean OS install and not using the purposefully broken SSL cert in envs/
Here's the ansible trace when attempting to run an allinone with Ursula:
The task fails to validate the SSL certificates for the blue box apt mirrors. If I wget anything from the mirror, it succeeds. I tried copying the certificate from the mirror into /etc/ssl/certs, but the error still occurred.
I noticed the last repo succeeds, but that is because validate_certs is False.
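An added example, not part of the original thread or of Ursula's code: a preflight that reports when the interpreter running Ansible predates the 2.7.9 SNI support discussed above, plus a scan that lists task lines where the `validate_certs` workaround is still switched off so it can be reverted after upgrading Python. The names `tls_preflight` and `find_disabled_validation` and the sample tasks are hypothetical and constructed for illustration.

```python
import re
import ssl
import sys

# Spellings Ansible accepts as "false" for a boolean option such as validate_certs.
FALSY = {"no", "false", "off", "0", "n", "f"}
# Matches both YAML style (validate_certs: "no") and inline key=value style.
VALIDATE_RE = re.compile(r"\bvalidate_certs\s*[:=]\s*[\"']?(\w+)", re.IGNORECASE)

def tls_preflight(version=None, ssl_module=ssl):
    """Return reasons why certificate validation may fail on this interpreter."""
    version = tuple(version or sys.version_info[:3])
    problems = []
    if version < (2, 7, 9):
        problems.append("Python %d.%d.%d is older than 2.7.9" % version)
    if not getattr(ssl_module, "HAS_SNI", False):
        problems.append("ssl module reports no SNI support")
    return problems

def find_disabled_validation(text, path="<tasks>"):
    """Return (path, line number, line) for each line that switches validation off."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out workaround, not active
        match = VALIDATE_RE.search(line)
        # Templated values ("{{ ... }}") do not match and are left for manual review.
        if match and match.group(1).lower() in FALSY:
            hits.append((path, number, line.strip()))
    return hits

# Constructed sample tasks, modelled on the workaround described in the thread.
SAMPLE_TASKS = """\
- name: add repo key
  apt_key: url={{ item.key_url }} validate_certs=no
- name: fetch package
  get_url:
    url: "{{ pkg_url }}"
    dest: /tmp/pkg.deb
    validate_certs: "no"
- name: probe mirror
  uri:
    url: "{{ mirror_url }}"
    validate_certs: "{{ verify_tls }}"
"""

if __name__ == "__main__":
    print(tls_preflight())
    print(find_disabled_validation(SAMPLE_TASKS, "roles/apt-repos/tasks/main.yml"))
```

Run it with the same interpreter that Ansible uses on the control host, since that interpreter's `ssl` module is the one whose capabilities are being checked.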