Failed to validate the SSL certificate for deb.nodesource.com:443


Yuri Kanivetsky

Sep 21, 2016, 1:26:41 PM
to Ansible Project
Hi,

For some reason, ansible fails to install nodesource's apt key on ubuntu/trusty. It seemed to work about a month ago or so (if I'm not mistaken).

playbook.yml:

    - hosts: all
      gather_facts: no

      tasks:
        - name: apt-get update
          raw: '! which apt-get
            && exit 0
            || apt-get update'

        - name: Install python
          raw: '! which apt-get
            && exit 0
            || apt-get -y install python'

    - hosts: all
      tasks:
        - name: Add Nodesource apt key.
          apt_key:

Output:

    $ ansible-playbook playbook.yml -i lxc, -vv
    ...
    TASK [Add Nodesource apt key.] *************************************************
    task path: /home/yuri/_/deb.nodesource.com/playbook.yml:17
    fatal: [lxc]: FAILED! => {"changed": false, "failed": true, "msg": "Failed to validate the SSL certificate for deb.nodesource.com:443. Make sure your managed systems have a valid CA certificate installed. If the website serving the url uses SNI you need python >= 2.7.9 on your managed machine or you can install the `urllib3`, `pyopenssl`, `ndg-httpsclient`, and `pyasn1` python modules to perform SNI verification in python >= 2.6. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible"}

Can I somehow investigate what's causing the issue? I indeed have python-2.7.6 there. Can I check if deb.nodesource.com is using SNI? Can this be an issue with trusty's certificates? Which packages am I supposed to install? I can see python-urllib3, and python-pyasn1. But I can't see ndg-httpsclient and pyopenssl for trusty in official repositories. Can I somehow get away with not installing these extra packages?

I've run into this issue when trying to use the geerlingguy.nodejs role.

Thanks in advance.

Regards,
Yuri

Matt Martz

Sep 21, 2016, 2:15:49 PM
to ansible...@googlegroups.com
The easy solution may just be updating your cacert bundle by updating the ca-certificates package and then trying again.

My initial look indicates that the server is not using SNI, it has a wildcard cert, provided by Amazon.

--
Matt Martz
@sivel
sivel.net

Yuri Kanivetsky

Sep 21, 2016, 6:24:16 PM
to Ansible Project
> The easy solution may just be updating your cacert bundle by updating the ca-certificates package and then trying again.

Adding

    - name: Update ca-certificates
      apt:
        name: ca-certificates
        state: latest

before installing the apt key didn't help.

> My initial look indicates that the server is not using SNI, it has a wildcard cert, provided by Amazon.

Following this answer on serverfault.com:


I get:

$ dig +noall +answer deb.nodesource.com
deb.nodesource.com.     300     IN      CNAME   d2buw04m05mirl.cloudfront.net.
d2buw04m05mirl.cloudfront.net. 60 IN    A       54.230.230.81
...
$ openssl s_client -servername deb.nodesource.com -tlsextdebug -connect d2buw04m05mirl.cloudfront.net:443 2>/dev/null | grep "server name"
TLS server extension "server name" (id=0), len=0

Which most likely means that the server uses SNI.

Here's what I came up with:

- hosts: all
  tasks:
    # Only Ubuntu trusty lacks a Python new enough (>= 2.7.9) for native SNI,
    # so the extra modules are needed there; both conditions must hold.
    - name: Install apt_key dependencies
      apt:
        name: '{{ item }}'
      with_items: [python-urllib3, python-openssl, python-pyasn1, python-pip]
      when: ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'trusty'

    # ndg-httpsclient is not packaged for trusty, so it comes from pip
    # (the pip module is idempotent, unlike a raw "pip install" command).
    - name: Install ndg-httpsclient via pip
      pip:
        name: ndg-httpsclient
      when: ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'trusty'

After this the apt key gets installed.

Regards,
Yuri
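The error message in the first post names three things that can fail on the managed host: a Python too old to send SNI, the optional urllib3/pyOpenSSL/ndg-httpsclient/pyasn1 stack that stands in for it, and a CA bundle in one of the directories Ansible searches (Matt's ca-certificates advice and Yuri's package list each cover one of these). The script below is an added example, not code from the thread or from Ansible: run on a managed host it maps those three conditions onto the matching remedy offline, and `probe_sni` reproduces the openssl comparison from the post (handshake with and without a server name) for whoever wants to check a host directly. The CA paths are the ones in the error message; the Debian package names are an assumption for trusty.

```python
"""Pre-flight check for Ansible's 'Failed to validate the SSL certificate' error.

Added example (not from the thread or from Ansible). Checks, offline, the three
conditions the error message names, and offers an optional network probe.
"""
import importlib
import os
import ssl
import socket
import sys

# Search paths copied from the error message in the thread.
ANSIBLE_CA_PATHS = [
    "/etc/ssl/certs",
    "/etc/pki/ca-trust/extracted/pem",
    "/etc/pki/tls/certs",
    "/usr/share/ca-certificates/cacert.org",
    "/etc/ansible",
]

# Python modules named in the error message -> package that provides each
# (assumed Debian/Ubuntu names; ndg-httpsclient is not packaged on trusty).
SNI_FALLBACK_MODULES = {
    "urllib3": "python-urllib3",
    "OpenSSL": "python-openssl",
    "ndg.httpsclient": "ndg-httpsclient (pip)",
    "pyasn1": "python-pyasn1",
}


def python_supports_sni(version=None, has_sni=None):
    """True when the interpreter sends SNI natively (ssl built with SNI and Python >= 2.7.9)."""
    version = tuple(sys.version_info[:3]) if version is None else tuple(version)
    has_sni = ssl.HAS_SNI if has_sni is None else has_sni
    return bool(has_sni) and version >= (2, 7, 9)


def missing_fallback_modules(modules=SNI_FALLBACK_MODULES):
    """Return {module: package} for every fallback module that cannot be imported."""
    missing = {}
    for mod, pkg in modules.items():
        try:
            importlib.import_module(mod)
        except ImportError:
            missing[mod] = pkg
    return missing


def find_ca_bundle(paths=ANSIBLE_CA_PATHS):
    """Return the first search directory holding a .pem/.crt file, else None."""
    for path in paths:
        if not os.path.isdir(path):
            continue
        for name in os.listdir(path):
            if name.endswith((".pem", ".crt")) and os.path.isfile(os.path.join(path, name)):
                return path
    return None


def diagnose(version=None, has_sni=None, modules=SNI_FALLBACK_MODULES, paths=ANSIBLE_CA_PATHS):
    """Map the local environment onto the remedies the error message lists."""
    report = {
        "native_sni": python_supports_sni(version, has_sni),
        "missing_modules": missing_fallback_modules(modules),
        "ca_dir": find_ca_bundle(paths),
        "actions": [],
    }
    if report["ca_dir"] is None:
        report["actions"].append("install or update ca-certificates")
    if not report["native_sni"] and report["missing_modules"]:
        report["actions"].append("install: " + ", ".join(sorted(report["missing_modules"].values())))
    if not report["actions"]:
        report["actions"].append("SNI verification possible; refresh ca-certificates if it still fails")
    return report


def probe_sni(host, port=443, timeout=5):
    """Network check (not run offline): subjectAltNames served with and without SNI.

    Different names in the two results mean the server selects its certificate
    by SNI, which is what the openssl s_client test in the thread looks for.
    """
    results = {}
    for label, server_name in (("with_sni", host), ("without_sni", None)):
        ctx = ssl.create_default_context()  # system CA bundle, chain verified
        if server_name is None:
            ctx.check_hostname = False  # hostname match needs a server name
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                    sans = tls.getpeercert().get("subjectAltName", ())
                    results[label] = sorted(v for k, v in sans if k == "DNS")
        except (ssl.SSLError, OSError) as exc:
            results[label] = "failed: %s" % exc
    return results


if __name__ == "__main__":
    print(diagnose())
    if len(sys.argv) > 1:
        print(probe_sni(sys.argv[1]))
```

`python check.py` prints the local diagnosis; `python check.py deb.nodesource.com` adds the live probe. On trusty's Python 2.7.6 the diagnosis reports `native_sni: False` and lists whichever of the four modules are still missing, which is the package set Yuri ended up installing.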