SSL error with gce_instance_template and ansible

sushrismi...@citrix.com

Jun 19, 2017, 11:35:29 AM
to Ansible Project
Hi,
I am a newbie in Ansible. I am trying to manage and create Google Cloud properties using Ansible. However, I am getting SSL-related errors while connecting.

I tried:
1. Downloading the latest cacert.pem from https://curl.haxx.se/docs/caextract.html and setting the variable SSL_CERT_FILE.
2. Downloading cacert from *googleapis.google.com with no success

But no success. Could someone please let me know what SSL cert I need to set to get this working?

Playbook details:

- hosts: localhost
  tasks:
    - name: create instance template
      gce_instance_template:
        name: case_mgmt_template
        size: n1-standard-2
        image_family: centos-7-v20170523
        state: present
        project_id: "{{ project_id }}"
        credentials_file: "{{ credentials_file }}"
        service_account_email: "{{ service_account_email }}"


Error Details:

fatal: [localhost]: FAILED! => {
    "changed": false,
    "failed": true
}

MSG:

Unexpected response: ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)). Detail: Traceback (most recent call last):
  File "/tmp/ansible_M7On7q/ansible_modlib.zip/ansible/module_utils/gcp.py", line 267, in gcp_connect
    project=creds['project_id'])
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/compute/drivers/gce.py", line 1795, in __init__
    super(GCENodeDriver, self).__init__(user_id, key, **kwargs)
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/common/base.py", line 948, in __init__
    self.connection = self.connectionCls(*args, **conn_kwargs)
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/compute/drivers/gce.py", line 99, in __init__
    credential_file=credential_file, **kwargs)
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/common/google.py", line 765, in __init__
    user_id, key, auth_type, credential_file, scopes, **kwargs)
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/common/google.py", line 660, in __init__
    self.token = self.oauth2_conn.get_new_token()
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/common/google.py", line 537, in get_new_token
    return self._token_request(request)
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/common/google.py", line 368, in _token_request
    data=data)
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/common/base.py", line 603, in request
    headers=headers, stream=stream)
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/http.py", line 215, in request
    verify=self.verification
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 461, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)



Regards,

Sushri

Dick Visser

Jun 20, 2017, 10:11:49 AM
to ansible...@googlegroups.com
On 19 June 2017 at 13:46, <sushrismi...@citrix.com> wrote:
> Hi
> I am a newbie in Ansible. I am trying to manage and create google cloud
> properties using ansible. However I am getting SSL related errors while
> connecting.
>
> I tried
> 1. downloading the latest cacert.pem from
> https://curl.haxx.se/docs/caextract.html and set the variable SSL_CERT_FILE.
> 2. Downloading cacert from *googleapis.google.com with no success
>
> But no success. Could someone please let me know what SSL cert I need to set
> to get this working ?
>
> Playbook details:

What versions do you have of:

* OS
* Ansible
* Python

?

sushrismi...@citrix.com

Jun 20, 2017, 12:08:02 PM
to Ansible Project
Thank you for your response.
Please find the details below:

OS: CentOS 7
Ansible: 2.3.1.0
Python: 2.7.5

Dick Visser

Jun 20, 2017, 5:25:39 PM
to ansible...@googlegroups.com
Can you run with verbose flags (-vvvv) and what is the output then?

--
Dick Visser
Sr. System & Network Engineer
GÉANT

Want to join us? We're hiring: https://www.geant.org/jobs

sushrismi...@citrix.com

Jun 21, 2017, 12:30:08 AM
to Ansible Project
Please find the verbose output. It does not give much info about the error though.

Loading callback plugin debug of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/__init__.pyc

PLAYBOOK: createVM.yml *******************************************************************************************
1 plays in createVM.yml

PLAY [localhost] *************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************
Using module file /usr/lib/python2.7/site-packages/ansible/modules/system/setup.py
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: ansible
<127.0.0.1> EXEC /bin/sh -c 'echo ~ && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /opt/ansible/.ansible/tmp/ansible-tmp-1498018836.92-250910727127389 `" && echo ansible-tmp-1498018836.92-250910727127389="` echo /opt/ansible/.ansible/tmp/ansible-tmp-1498018836.92-250910727127389 `" ) && sleep 0'
<127.0.0.1> PUT /tmp/tmpqriHPk TO /opt/ansible/.ansible/tmp/ansible-tmp-1498018836.92-250910727127389/setup.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /opt/ansible/.ansible/tmp/ansible-tmp-1498018836.92-250910727127389/ /opt/ansible/.ansible/tmp/ansible-tmp-1498018836.92-250910727127389/setup.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'sudo -H -S -n -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-mjlpwykedxecazwcwjlmuxivezlrzfbn; /usr/bin/python2 /opt/ansible/.ansible/tmp/ansible-tmp-1498018836.92-250910727127389/setup.py; rm -rf "/opt/ansible/.ansible/tmp/ansible-tmp-1498018836.92-250910727127389/" > /dev/null 2>&1'"'"' && sleep 0'
ok: [localhost]
META: ran handlers

TASK [create instance template] **********************************************************************************
task path: /opt/ansible/gcloud/createVM.yml:8
Using module file /usr/lib/python2.7/site-packages/ansible/modules/cloud/google/gce_instance_template.py
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: ansible
<127.0.0.1> EXEC /bin/sh -c 'echo ~ && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /opt/ansible/.ansible/tmp/ansible-tmp-1498018839.89-233748004022392 `" && echo ansible-tmp-1498018839.89-233748004022392="` echo /opt/ansible/.ansible/tmp/ansible-tmp-1498018839.89-233748004022392 `" ) && sleep 0'
<127.0.0.1> PUT /tmp/tmpEwW49m TO /opt/ansible/.ansible/tmp/ansible-tmp-1498018839.89-233748004022392/gce_instance_template.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /opt/ansible/.ansible/tmp/ansible-tmp-1498018839.89-233748004022392/ /opt/ansible/.ansible/tmp/ansible-tmp-1498018839.89-233748004022392/gce_instance_template.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'sudo -H -S -n -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-xifpovkgfndyqgmzlspifcobymolqzoi; /usr/bin/python2 /opt/ansible/.ansible/tmp/ansible-tmp-1498018839.89-233748004022392/gce_instance_template.py; rm -rf "/opt/ansible/.ansible/tmp/ansible-tmp-1498018839.89-233748004022392/" > /dev/null 2>&1'"'"' && sleep 0'

fatal: [localhost]: FAILED! => {
    "changed": false,
    "failed": true,
    "invocation": {
        "module_args": {
            "automatic_restart": null,
            "can_ip_forward": false,
            "credentials_file": "/opt/ansible/gcloud/.cred/case-mgmt-dev-f452642d06ab.json",
            "description": null,
            "disk_auto_delete": true,
            "disk_type": "pd-standard",
            "disks": null,
            "external_ip": "ephemeral",
            "image": null,
            "image_family": "centos-7-v20170523",
            "metadata": null,
            "name": "case_mgmt_template",
            "network": "default",
            "nic_gce_struct": null,
            "pem_file": null,
            "preemptible": null,
            "project_id": "case-mgmt-dev",
            "service_account_email": "replaced the service account details",
            "service_account_permissions": null,
            "size": "n1-standard-2",
            "source": null,
            "state": "present",
            "subnetwork": null,
            "tags": null
        }
    }
}

MSG:

Unexpected response: ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)). Detail: Traceback (most recent call last):
  File "/tmp/ansible_P8l394/ansible_modlib.zip/ansible/module_utils/gcp.py", line 267, in gcp_connect

sushrismi...@citrix.com

Jul 3, 2017, 8:05:46 AM
to Ansible Project
It seems it is happening with all the GCE modules I am trying to execute. Even ./gce.py --list gives the same error.
After searching a couple of blogs, I managed to get rid of the error; however, a new error has appeared now.

To fix it, I installed: pip install pyOpenSSL ndg-httpsclient pyasn1

Now the new errors are:

Traceback (most recent call last):
  File "./gce.py", line 496, in <module>
    GceInventory()
  File "./gce.py", line 168, in __init__
    self.driver = self.get_gce_driver()
  File "./gce.py", line 313, in get_gce_driver
    gce = get_driver(Provider.GCE)(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/libcloud/compute/drivers/gce.py", line 1795, in __init__
    super(GCENodeDriver, self).__init__(user_id, key, **kwargs)
  File "/usr/lib/python2.7/site-packages/libcloud/common/base.py", line 952, in __init__
    self.connection = self.connectionCls(*args, **conn_kwargs)
  File "/usr/lib/python2.7/site-packages/libcloud/compute/drivers/gce.py", line 99, in __init__
    credential_file=credential_file, **kwargs)
  File "/usr/lib/python2.7/site-packages/libcloud/common/google.py", line 765, in __init__
    user_id, key, auth_type, credential_file, scopes, **kwargs)
  File "/usr/lib/python2.7/site-packages/libcloud/common/google.py", line 660, in __init__
    self.token = self.oauth2_conn.get_new_token()
  File "/usr/lib/python2.7/site-packages/libcloud/common/google.py", line 537, in get_new_token
    return self._token_request(request)
  File "/usr/lib/python2.7/site-packages/libcloud/common/google.py", line 368, in _token_request
    data=data)
  File "/usr/lib/python2.7/site-packages/libcloud/common/base.py", line 607, in request
    headers=headers, stream=stream)
  File "/usr/lib/python2.7/site-packages/libcloud/http.py", line 215, in request
    verify=self.verification
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 465, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 370, in send
    timeout=timeout
  File "/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 544, in urlopen
    body=body, headers=headers)
  File "/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 344, in _make_request
    self._raise_timeout(err=e, url=url, timeout_value=conn.timeout)
  File "/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 314, in _raise_timeout
    if 'timed out' in str(err) or 'did not complete (read)' in str(err):  # Python 2.6



Connectivity is not an issue, as I am able to perform all the operations using the gcloud command.
Any help will be appreciated, as I have been struggling with this for a long time.

sushrismi...@citrix.com

Jul 4, 2017, 6:39:01 AM
to Ansible Project
If anyone is facing the same issue, I hope this will solve it.

The certifi==2015.04.28 version fixed the issue with the Google modules. I am not sure at this point whether it broke anything else.



va...@redhat.com

Nov 22, 2017, 11:09:06 PM
to Ansible Project
Hi,

You may need to enter the value of the playbook variable 'service_account_email' as the one which is mentioned in the 'json' credential file.

