SSL issue with get_url module


Mehul Ved

Feb 19, 2018, 8:03:45 AM2/19/18
to ansible...@googlegroups.com
I am trying to download a file from the repo to a server using
ansible. This has been working fine on all the old machines, but on a
new machine, which has the same setup, it keeps giving me an SSL error.
My environment is as below:

Jenkins machine(that triggers the ansible job)

$ ansible all -i inventory/localhost -c local -m setup -a
'filter=ansible_python'
localhost | SUCCESS => {
"ansible_facts": {
"ansible_python": {
"executable": "/usr/bin/python",
"has_sslcontext": true,
"type": "CPython",
"version": {
"major": 2,
"micro": 9,
"minor": 7,
"releaselevel": "final",
"serial": 0
},
"version_info": [
2,
7,
9,
"final",
0
]
}
},
"changed": false
}

$ ansible all -i inventory/localhost -c local -m uri -a
url=https://devops.rightleads.io/
localhost | SUCCESS => {
"accept_ranges": "bytes",
"changed": false,
"connection": "close",
"content_length": "10701",
"content_type": "text/html",
"date": "Mon, 19 Feb 2018 11:33:15 GMT",
"etag": "\"29cd-54815428d497e\"",
"last_modified": "Thu, 09 Feb 2017 09:03:51 GMT",
"msg": "OK (10701 bytes)",
"redirected": false,
"server": "Apache/2.4.10 (Debian)",
"status": 200,
"url": "https://devops.rightleads.io/",
"vary": "Accept-Encoding"
}



Dev machine

$ ansible tag_web -i inventory/gce.py -u admin
--private-key=projectkey -m setup -a 'filter=ansible_python' --limit
tag_dev
dev-web | SUCCESS => {
"ansible_facts": {
"ansible_python": {
"executable": "/usr/bin/python",
"has_sslcontext": true,
"type": "CPython",
"version": {
"major": 2,
"micro": 13,
"minor": 7,
"releaselevel": "final",
"serial": 0
},
"version_info": [
2,
7,
13,
"final",
0
]
}
},
"changed": false
}

$ ansible tag_web -i inventory/gce.py -u admin
--private-key=projectkey -m uri -a url=https://devops.rightleads.io/
--limit tag_dev
dev-web | SUCCESS => {
"accept_ranges": "bytes",
"changed": false,
"connection": "close",
"content_length": "10701",
"content_type": "text/html",
"date": "Mon, 19 Feb 2018 11:35:00 GMT",
"etag": "\"29cd-54815428d497e\"",
"last_modified": "Thu, 09 Feb 2017 09:03:51 GMT",
"msg": "OK (10701 bytes)",
"redirected": false,
"server": "Apache/2.4.10 (Debian)",
"status": 200,
"url": "https://devops.rightleads.io/",
"vary": "Accept-Encoding"
}

$ ansible tag_web -i inventory/gce.py --user admin
--private-key=projectkey --limit=tag_dev --sudo -m get_url -a
"url=https://devops.rightleads.io/repo/webapi/webapi_demo_4.tar
dest=/tmp/webapi.tar force=yes" -vvv

dev-web | SUCCESS => {
"changed": true,
"checksum_dest": null,
"checksum_src": "d14de4a99dd20c5128fd78ddbf6c70801057d4a3",
"dest": "/tmp/webapi.tar",
"gid": 0,
"group": "root",
"invocation": {
"module_args": {
"backup": false,
"checksum": "",
"content": null,
"delimiter": null,
"dest": "/tmp/webapi.tar",
"directory_mode": null,
"follow": false,
"force": true,
"force_basic_auth": false,
"group": null,
"headers": null,
"http_agent": "ansible-httpget",
"mode": null,
"owner": null,
"path": "/tmp/webapi.tar",
"regexp": null,
"remote_src": null,
"selevel": null,
"serole": null,
"setype": null,
"seuser": null,
"sha256sum": "",
"src": null,
"timeout": 10,
"tmp_dest": "",
"unsafe_writes": null,
"url": "https://devops.rightleads.io/repo/webapi/webapi_demo_4.tar",
"url_password": "xxx",
"url_username": "yyy",
"use_proxy": true,
"validate_certs": true
},
"module_name": "get_url"
},
"md5sum": "96166c42eb5a47766dc5e02a2590829f",
"mode": "0644",
"msg": "OK (136683520 bytes)",
"owner": "root",
"size": 136683520,
"src": "/tmp/tmpJgzn5R",
"state": "file",
"uid": 0,
"url": "https://devops.rightleads.io/repo/webapi/webapi_demo_4.tar"
}

$ python -V
Python 2.7.13

$ ls -l /etc/ssl/certs/DST_Root_CA_X3.pem
lrwxrwxrwx 1 root root 53 Dec 14 00:19
/etc/ssl/certs/DST_Root_CA_X3.pem ->
/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt

$ echo quit | openssl s_client -connect devops.rightleads.io:443 | head
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = devops.rightleads.io
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/CN=devops.rightleads.io
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
DONE



Demo Machine

$ ansible tag_web -i inventory/gce.py -u admin
--private-key=projectkey -m setup -a 'filter=ansible_python' --limit
tag_demo
demo-web | SUCCESS => {
"ansible_facts": {
"ansible_python": {
"executable": "/usr/bin/python",
"has_sslcontext": true,
"type": "CPython",
"version": {
"major": 2,
"micro": 13,
"minor": 7,
"releaselevel": "final",
"serial": 0
},
"version_info": [
2,
7,
13,
"final",
0
]
}
},
"changed": false
}

$ ansible tag_web -i inventory/gce.py -u admin
--private-key=projectkey -m uri -a url=https://devops.rightleads.io/
--limit tag_demo
demo-web | FAILED! => {
"changed": false,
"failed": true,
"msg": "Failed to validate the SSL certificate for
devops.rightleads.io:443. Make sure your managed systems have a valid
CA certificate installed. You can use validate_certs=False if you do
not need to confirm the servers identity but this is unsafe and not
recommended. Paths checked for this platform: /etc/ssl/certs,
/etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs,
/usr/share/ca-certificates/cacert.org, /etc/ansible"
}

$ ansible tag_web -i inventory/gce.py --user admin
--private-key=projectkey --limit=tag_demo --sudo -m get_url -a
"url=https://devops.rightleads.io/repo/webapi/webapi_demo_4.tar
dest=/tmp/webapi.tar force=yes" -vvv

demo-web | FAILED! => {
"changed": false,
"failed": true,
"invocation": {
"module_args": {
"backup": false,
"checksum": "",
"content": null,
"delimiter": null,
"dest": "/tmp/webapi.tar",
"directory_mode": null,
"follow": false,
"force": true,
"force_basic_auth": false,
"group": null,
"headers": null,
"http_agent": "ansible-httpget",
"mode": null,
"owner": null,
"regexp": null,
"remote_src": null,
"selevel": null,
"serole": null,
"setype": null,
"seuser": null,
"sha256sum": "",
"src": null,
"timeout": 10,
"tmp_dest": "",
"unsafe_writes": null,
"url": "https://devops.rightleads.io/repo/webapi/webapi_demo_4.tar",
"url_password": "xxx",
"url_username": "yyy",
"use_proxy": true,
"validate_certs": true
},
"module_name": "get_url"
},
"msg": "Failed to validate the SSL certificate for
devops.rightleads.io:443. Make sure your managed systems have a valid
CA certificate installed. You can use validate_certs=False if you do
not need to confirm the servers identity but this is unsafe and not
recommended. Paths checked for this platform: /etc/ssl/certs,
/etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs,
/usr/share/ca-certificates/cacert.org, /etc/ansible"
}

$ python -V
Python 2.7.13

$ ls -l /etc/ssl/certs/DST_Root_CA_X3.pem
lrwxrwxrwx 1 root root 53 Dec 14 00:19
/etc/ssl/certs/DST_Root_CA_X3.pem ->
/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt

$ echo quit | openssl s_client -connect devops.rightleads.io:443 | head
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = devops.rightleads.io
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/CN=devops.rightleads.io
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
DONE


Both the machines are exactly identical, and when working from the CLI I
get the same result (success) on both of them, but when using
ansible, the demo-web machine keeps failing to download the file with an
SSL certificate error.
Where else should I look to debug this further?

--
With Regards,
Mehul Ved

Mehul Ved

Feb 20, 2018, 7:23:53 AM2/20/18
to ansible...@googlegroups.com
As a follow-up, I tried connecting to devops.rightleads.io from Python
with certificate checking enabled, and it works fine. But ansible still
seems to be throwing the SSL error. (This only rules out the system trust
store if ansible reads the same store; the error above lists the CA paths
it checks itself.)

>>> import socket, ssl
>>> context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
>>> context.verify_mode = ssl.CERT_REQUIRED
>>> context.check_hostname = True
>>> context.load_default_certs()
>>>
>>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>>> ssl_sock = context.wrap_socket(s, server_hostname='devops.rightleads.io')
>>> ssl_sock.connect(('devops.rightleads.io', 443))
>>>
>>> cert = ssl_sock.getpeercert()
>>> print(cert)
{'subjectAltName': (('DNS', 'devops.rightleads.io'),), 'notBefore':
u'Feb 18 11:09:28 2018 GMT', 'caIssuers':
(u'http://cert.int-x3.letsencrypt.org/',), 'OCSP':
(u'http://ocsp.int-x3.letsencrypt.org',), 'serialNumber':
u'03789CEA86C5F31787ED45697AACB172BA58', 'notAfter': 'May 19 11:09:28
2018 GMT', 'version': 3L, 'subject': ((('commonName',
u'devops.rightleads.io'),),), 'issuer': ((('countryName', u'US'),),
(('organizationName', u"Let's Encrypt"),), (('commonName', u"Let's
Encrypt Authority X3"),))}

Mehul Ved

Feb 21, 2018, 4:45:14 AM2/21/18
to ansible...@googlegroups.com
Turned out to be a Google Cloud issue, not ansible.