Failure trying to install remote yum package


Chris Bidwell - NOAA Federal

Jul 23, 2018, 1:31:57 PM
to ansible...@googlegroups.com
This is my playbook:
 tasks:
    - name: download puppet5 rpm
      yum:
        state: present

Note: This is only failing on RHEL6 systems. So it's got to be something python-related. I've verified that `urllib3`, `pyOpenSSL`, `ndg-httpsclient`, and `pyasn1` are all installed. From reading further, I'm seeing that there are issues relating to python 2.6.6 not being able to use SNI.

The full traceback is:
  File "/tmp/ansible_7kxVuI/ansible_modlib.zip/ansible/module_utils/urls.py", line 1055, in fetch_url
    client_key=client_key, cookies=cookies)
  File "/tmp/ansible_7kxVuI/ansible_modlib.zip/ansible/module_utils/urls.py", line 958, in open_url
    r = urllib_request.urlopen(*urlopen_args)
  File "/usr/lib64/python2.6/urllib2.py", line 126, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib64/python2.6/urllib2.py", line 389, in open
    req = meth(req)
  File "/tmp/ansible_7kxVuI/ansible_modlib.zip/ansible/module_utils/urls.py", line 773, in http_request
    build_ssl_validation_error(self.hostname, self.port, paths_checked, e)
  File "/tmp/ansible_7kxVuI/ansible_modlib.zip/ansible/module_utils/urls.py", line 579, in build_ssl_validation_error
    raise SSLValidationError(' '.join(msg) % (hostname, port, ", ".join(paths)))

fatal: [baseworkstation-lx]: FAILED! => {
    "changed": false, 
    "invocation": {
        "module_args": {
            "allow_downgrade": false, 
            "bugfix": false, 
            "conf_file": null, 
            "disable_gpg_check": false, 
            "disable_plugin": [], 
            "disablerepo": null, 
            "enable_plugin": [], 
            "enablerepo": null, 
            "exclude": null, 
            "install_repoquery": true, 
            "installroot": "/", 
            "list": null, 
            "name": [
            ], 
            "security": false, 
            "skip_broken": false, 
            "state": "present", 
            "update_cache": false, 
            "update_only": false, 
            "validate_certs": true
        }
    }, 
    "msg": "Failed to validate the SSL certificate for yum.puppetlabs.com:443. Make sure your managed systems have a valid CA certificate installed. If the website serving the url uses SNI you need python >= 2.7.9 on your managed machine  (the python executable used (/usr/bin/python) is version: 2.6.6 (r266:84292, Aug  9 2016, 06:11:56) [GCC 4.4.7 20120313 (Red Hat 4.4.7-17)]) or you can install the `urllib3`, `pyOpenSSL`, `ndg-httpsclient`, and `pyasn1` python modules to perform SNI verification in python >= 2.6. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible. The exception msg was: [Errno 1] _ssl.c:492: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure."

Thanks in advance...I can't figure this out for the life of me.  

Chris

S C Rigler

Jul 23, 2018, 1:35:23 PM
to ansible...@googlegroups.com
Hi Chris,

Try adding "validate_certs: false" to your yum arguments.

--Steve

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAHKi8CgC5f%2B%3DJRno9fFjuEq%2B1sFYNtVdKsYpivKjhVxJwXaBGw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Chris Bidwell - NOAA Federal

Jul 23, 2018, 1:54:56 PM
to ansible...@googlegroups.com
Hi, I did that and still no change.  

On Mon, Jul 23, 2018 at 11:35 AM, S C Rigler <rigl...@gmail.com> wrote:
> Hi Chris,
>
> Try adding "validate_certs: false" to your yum arguments.
>
> --Steve

--

Chris Bidwell, CISSP
Space Weather Prediction Center
National Oceanic Atmospheric Administration
email: chris.b...@noaa.gov
office: 303-497-3204
mobile: 720-496-3126

Kai Stian Olstad

Jul 23, 2018, 2:27:12 PM
to ansible...@googlegroups.com
On 23.07.2018 19:31, 'Chris Bidwell - NOAA Federal' via Ansible Project
wrote:
> If the website serving the url uses SNI you need
> python >= 2.7.9 on your managed machine (the python executable used
> (/usr/bin/python) is version: 2.6.6 (r266:84292, Aug 9 2016, 06:11:56)
> [GCC 4.4.7 20120313 (Red Hat 4.4.7-17)]) or you can install the
> `urllib3`,
> `pyOpenSSL`, `ndg-httpsclient`, and `pyasn1` python modules to perform
> SNI
> verification in python >= 2.6.

What I can say is that yum.puppetlabs.com is using SNI; how to solve it
on RHEL6 I don't know.

But you could use http, since the package is signed you can always check
the authenticity.

--
Kai Stian Olstad
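
Added example (not part of the thread and not Ansible's own code): a diagnostic to run with the managed host's `/usr/bin/python` that evaluates the two conditions named in the error message above and classifies the OpenSSL text at its end. The function names and verdict labels are assumptions made for this illustration, and the code avoids anything newer than Python 2.6.

```python
# Added diagnostic sketch; function names and verdict labels are hypothetical.
# Written to run unchanged on Python 2.6 and on Python 3.
import ssl
import sys

# Import names of the four packages listed in the Ansible error message
# (pyOpenSSL imports as OpenSSL, ndg-httpsclient as ndg.httpsclient).
FALLBACK_MODULES = ("urllib3", "OpenSSL", "ndg.httpsclient", "pyasn1")

def missing_modules(names=FALLBACK_MODULES, importer=__import__):
    """Return the fallback modules this interpreter cannot import."""
    missing = []
    for name in names:
        try:
            importer(name)
        except ImportError:
            missing.append(name)
    return missing

def sni_path(version, has_sni, missing):
    """Which of the message's two conditions this interpreter satisfies."""
    if tuple(version[:3]) >= (2, 7, 9) and has_sni:
        return "native"      # the ssl module can send SNI itself
    if tuple(version[:2]) >= (2, 6) and not missing:
        return "fallback"    # all four helper modules are importable
    return "none"

def failure_stage(exception_msg):
    """Classify the OpenSSL text at the end of the Ansible error."""
    if "alert handshake failure" in exception_msg:
        # The peer sent a handshake_failure alert; the client's own
        # certificate validation did not reject anything.
        return "handshake"
    if "certificate verify failed" in exception_msg:
        return "verification"
    return "other"

def report():
    """Summarise the interpreter this script is running under."""
    missing = missing_modules()
    has_sni = getattr(ssl, "HAS_SNI", False)  # attribute absent on 2.6
    return {"python": "%d.%d.%d" % tuple(sys.version_info[:3]),
            "openssl": getattr(ssl, "OPENSSL_VERSION", "unknown"),
            "missing": missing,
            "sni_path": sni_path(sys.version_info, has_sni, missing)}

if __name__ == "__main__":
    print(report())
```

The exception text quoted in the first post classifies as "handshake", which is consistent with the report that `validate_certs: false` made no difference: that option only affects certificate validation.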