SSL Failure on Import the NodeSource GPG key into apt #33
My host machine is OS X running Python 2.7.11, and the managed system is Ubuntu 14.04.4 running Python 2.7.6. With Ansible 1.9.6, the error is:
|
With Ansible 1.9.6 and adding parameter
Maybe SNI is being used? But Travis CI has a similar error, and it runs Python 2.7.12 |
And Ansible 2.1.1.0:
I'll experiment with updating Python tomorrow. |
Just another data point...using
|
Hi @jwhitlock - you're correct, this is a result of us moving the repository hosting to CloudFront. More details are available at nodesource/distributions#353 (comment). |
I see a couple of options to make this work with older Python versions (Ubuntu 12.04, 14.04):
I've uploaded the key at https://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=0x1655A0AB68576280 It is also possible that the root page https://deb.nodesource.com could be something other than a redirect and it would work, but that may be a restriction of CloudFront. |
After switching to CloudFront, the key is stored on a server with SNI, and the system Python can no longer download the key. Placing the key on keyserver.ubuntu.com allows Ansible to download it on our legacy systems. nodesource/ansible-nodejs-role#33
ubuntu:trusty requires an apt-get update before installing any packages. Update the sample role to use "become" instead of "sudo", and explicitly install version 4, so that it could install correctly. Building this Dockerfile will demonstrate bug nodesource#33.
Great analysis, interested to hear opinions on using the ubuntu key server rather than nodesource endpoint. cc @jwhitlock @chrislea Cheers |
This fix was integrated into geerlingguy/ansible-role-nodejs@0372961, appears to be working. |
I see this happen as well when just attempting to fetch the setup_4.x file from deb.nodesource.com, but oddly only from specific IP addresses. If I run the command "curl -sL https://deb.nodesource.com/setup_4.x | sudo -E bash -" on Ubuntu 12.04.5 LTS, I get different results depending on the public IP of the server from which I run the command.... I have several machines across Florida, but one of them just cannot get that file, and ALL the machines are running the same version of Ubuntu (all updated), same version of wget, curl, and openssl, but one specific machine just hangs when attempting the above install fetch command. I get the following when attempting wget, or curl without the pipe to bash: |
deb.nodesource.com is now in CloudFront, and older versions of Python (such as that installed in Ubuntu 12.04 and 14.04) can no longer install the GPG key from that server. Instead, install the key from keyserver.ubuntu.com, and include an ID so that downloading can be skipped if the key is already installed. Fixes nodesource#33.
This fix doesn't work anymore. I have started getting the following error consistently:
|
Can confirm this is an upstream |
Is it that for example on Ubuntu 14.04 |
ubuntu apt doesn't support SNI, and is listed in the bug-report: |
FIX: SSL Failure on Import the NodeSource GPG key into apt Nodesource switched to CloudFront using SNI which requires Python 2.7.9 not installed by Trusty by default. nodesource/ansible-nodejs-role#33
deb.nodesource.com is now in CloudFront, and older versions of Python (such as that installed in Ubuntu 12.04 and 14.04) can no longer install the GPG key from that server. Instead, install the key from keyserver.ubuntu.com, and include an ID so that downloading can be skipped if the key is already installed. See: nodesource/ansible-nodejs-role#33
Get rid of broken nodesource role nodesource/ansible-nodejs-role#24 nodesource/ansible-nodejs-role#33
Nodesource has recently changed to distribution via CloudFront which requires SNI (see nodesource/distributions#353 (comment)), which looks like it causes issues because the full URL (https://deb.nodesource.com/gpgkey/nodesource.gpg.key) has a valid certificate, but the root URL now redirects to GitHub (https://deb.nodesource.com). It looks like Ansible does certificate validation of the root URL, not the full path, and is detecting a problem with the hostname change. This PR removes the download of the key from GitHub, and instead adds the GPG key for nodesource explicitly in a file, as suggested here: nodesource/ansible-nodejs-role#33 (comment)
This fix seems to have suddenly stopped working recently :( |
anybody have any ideas? The original error mentions that we need python >= 2.7.9 for SNI to work and my current version is 2.7.6 on the server. Would that help anything? Thanks in advance! |
Hey, @jeffbski after googling, what Yuri Kanivetsky shares in his answer here https://groups.google.com/forum/#!msg/ansible-project/p4dQ0c25bpM/qSsI4JQqBAAJ helped me. I needed to make sure these packages are installed: From his answer:

```yaml
- hosts: all
  tasks:
    - name: Install apt_key dependencies
      apt:
        name: '{{ item }}'
      with_items: [python-urllib3, python-openssl, python-pyasn1, python-pip]
      when: ansible_distribution == 'Ubuntu' or ansible_distribution_release == 'trusty'
    - name: Install apt_key dependencies
      command: pip install ndg-httpsclient
      when: ansible_distribution == 'Ubuntu' or ansible_distribution_release == 'trusty'
```
|
Thanks @cesc1989 I appreciate it. That seemed to work. |
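A triage script for the condition discussed in this thread, added here as an example and not code from any participant or from Ansible: run under the managed host's system Python, it reports whether that interpreter can reach an SNI-only HTTPS host natively (2.7.9 or later) or through the fallback packages named above. The function names and the verdict logic are assumptions made for illustration.

```python
# Added example (not from the thread): can this interpreter fetch from an
# SNI-only HTTPS host? Works on Python 2.7 and 3.
import importlib
import ssl
import sys

# Import names of the fallback packages named in the thread
# (python-urllib3, python-openssl, python-pyasn1, ndg-httpsclient).
FALLBACK_MODULES = ("urllib3", "OpenSSL", "pyasn1", "ndg.httpsclient")


def missing_modules(names=FALLBACK_MODULES):
    """Return the subset of `names` that cannot be imported here."""
    missing = []
    for name in names:
        try:
            importlib.import_module(name)
        except ImportError:
            missing.append(name)
    return missing


def sni_verdict(version, has_sni, missing):
    """Classify an interpreter as (ok, reason).

    version: tuple such as sys.version_info[:3]
    has_sni: value of ssl.HAS_SNI (False when the attribute is absent)
    missing: fallback modules that failed to import
    """
    if version >= (2, 7, 9) and has_sni:
        return True, "native: ssl module supports SNI"
    if not missing:
        return True, "fallback: pyOpenSSL/ndg-httpsclient stack is importable"
    return False, "no SNI: upgrade Python or install " + ", ".join(missing)


def probe():
    """Inspect the running interpreter and return its verdict."""
    has_sni = getattr(ssl, "HAS_SNI", False)  # attribute absent before 2.7.9
    return sni_verdict(tuple(sys.version_info[:3]), has_sni, missing_modules())


if __name__ == "__main__":
    ok, reason = probe()
    print("python %s, %s" % (sys.version.split()[0], ssl.OPENSSL_VERSION))
    print("%s (%s)" % ("OK" if ok else "FAIL", reason))
    sys.exit(0 if ok else 1)
```

The non-zero exit status on failure lets the script gate a provisioning step before the key import is attempted.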
In the last 24 hours, I began getting a failure on the "Import the NodeSource GPG key into apt" step with Ansible 1.9.2
A full run can be seen in TravisCI:
https://travis-ci.org/mozilla/kuma/jobs/158534929
The full URL seems to have a valid certificate:
https://deb.nodesource.com/gpgkey/nodesource.gpg.key
However, the root URL now redirects to GitHub:
https://deb.nodesource.com
I suspect the problem is that Ansible does certificate validation of the root URL, not the full path, and is detecting a problem with the hostname change.
Here's the output from a verbose run: