New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Failed to validate the SSL certificate for github.com:443 #539

Closed
pnik073 opened this Issue Mar 31, 2018 · 2 comments

Comments

Projects
None yet
2 participants
@pnik073
Copy link

pnik073 commented Mar 31, 2018

When I run elasticluster start for SLURM cluster I get SSL certificate failure for github. I try to run setup, correct the build.yml or run with docker but all trials fail. I provide below more info on the errors.

Any suggestions on that?

Local runs

I try to modify /home/vagrant/elasticluster/src/elasticluster/share/playbooks/roles/lmod/tasks/build.yml and at line 70 (i.e., the line after get_url:) with validate_certs: no. Note that the v of validate must be exactly aligned with the u of url: in the line that follows. This run is done from Ubuntu-Xenial with Ansible 2.3.3.0. The elasticluster setup does not help here.

Error log: Without validate_certs: no

TASK [lmod : Download sources] ********************************************************************************************************************************************************
fatal: [frontend001]: FAILED! => {"changed": false, "failed": true, "msg": "Failed to validate the SSL certificate for github.com:443. Make sure your managed systems have a valid CA certificate installed. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible. The exception msg was: (\"bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert protocol version')],)\",)."}

PLAY RECAP ****************************************************************************************************************************************************************************
compute001                 : ok=44   changed=2    unreachable=0    failed=0   
compute002                 : ok=44   changed=2    unreachable=0    failed=0   
frontend001                : ok=67   changed=5    unreachable=0    failed=1   

2018-03-31 00:18:56 ubuntu-xenial gc3.elasticluster[12500] ERROR Command `ansible-playbook --private-key=/home/vagrant/.ssh/elasticluster.pem /home/vagrant/elasticluster/src/elasticluster/share/playbooks/site.yml --inventory=/home/vagrant/.elasticluster/storage/slurm.inventory --become --become-user=root -e elasticluster_output_dir=/tmp/elasticluster.DZUP34.d` failed with exit code 2.
2018-03-31 00:18:56 ubuntu-xenial gc3.elasticluster[12500] ERROR Cannot find the status report file.

Error log: With validate_certs: no

TASK [lmod : Download sources] ********************************************************************************************************************************************************
fatal: [frontend001]: FAILED! => {"changed": false, "failed": true, "msg": "Unsupported parameters for (get_url) module: validate. Supported parameters include: attributes,backup,checksum,content,delimiter,dest,directory_mode,follow,force,force_basic_auth,group,headers,http_agent,mode,owner,regexp,remote_src,selevel,serole,setype,seuser,sha256sum,src,timeout,tmp_dest,unsafe_writes,url,url_password,url_username,use_proxy,validate_certs"}

PLAY RECAP ****************************************************************************************************************************************************************************
compute001                 : ok=47   changed=30   unreachable=0    failed=0   
compute002                 : ok=47   changed=30   unreachable=0    failed=0   
frontend001                : ok=71   changed=46   unreachable=0    failed=1   

2018-03-31 00:02:17 ubuntu-xenial gc3.elasticluster[9278] ERROR Command `ansible-playbook --private-key=/home/vagrant/.ssh/elasticluster.pem /home/vagrant/elasticluster/src/elasticluster/share/playbooks/site.yml --inventory=/home/vagrant/.elasticluster/storage/slurm.inventory --become --become-user=root -e elasticluster_output_dir=/tmp/elasticluster.xJzOmb.d` failed with exit code 2.
2018-03-31 00:02:17 ubuntu-xenial gc3.elasticluster[9278] ERROR Cannot find the status report file.

Docker run

I also run from riccardomurri/elasticluster Docker with the following mount for my conf files. That fails too.

#Dockerfile I use
FROM riccardomurri/elasticluster:1.3.0.pr
VOLUME ["/data"]
WORKDIR /data
#Docker run
sudo docker build -t elasticdocker .
sudo docker run -v myFolderWithSshAndConfFiles/:/data -i -t elasticdocker -c /data/ec.d/slurm.conf start slurm

Error log:

TASK [lmod : Download sources] **********************************************************************************************************
fatal: [frontend001]: FAILED! => {"changed": false, "failed": true, "msg": "Failed to validate the SSL certificate for github.com:443. Make sure your managed systems have a valid CA certificate installed. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible. The exception msg was: (\"bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert protocol version')],)\",)."}
	to retry, use: --limit @/home/elasticluster/share/playbooks/site.retry

PLAY RECAP ******************************************************************************************************************************
compute001                 : ok=47   changed=30   unreachable=0    failed=0   
compute002                 : ok=47   changed=30   unreachable=0    failed=0   
frontend001                : ok=70   changed=46   unreachable=0    failed=1   

2018-03-31 00:34:55 f5da300d2b5c gc3.elasticluster[1] ERROR Command `ansible-playbook --private-key=/data/storage/elasticluster.pem /home/elasticluster/share/playbooks/site.yml --inventory=/home/.elasticluster/storage/slurm.inventory --become --become-user=root` failed with exit code 2.
2018-03-31 00:34:55 f5da300d2b5c gc3.elasticluster[1] ERROR Check the output lines above for additional information on this error.
2018-03-31 00:34:55 f5da300d2b5c gc3.elasticluster[1] ERROR The cluster has likely *not* been configured correctly. You may need to re-run `elasticluster setup` or fix the playbooks.
@riccardomurri

This comment has been minimized.

Copy link
Member

riccardomurri commented Mar 31, 2018

This should now be fixed in the latest "master" branch: so either update you python sources (git pull && pip install -e .) or download the latest Docker image (elasticluster.sh --latest list).

The fix allows you to turn off HTTPS certificate validation; just add this line to any [setup/...] section in your configuration file::

global_var_insecure_https_downloads=yes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment