URI module fails with SSL cert validation set to no


Tito Valentin

Jun 6, 2018, 9:11:09 PM6/6/18
to Ansible Project
When running a task from a playbook using the URI module, I am getting the following SSL error:

workstation:documents me$ ansible-playbook --tags checkHealth myplaybook.yml

PLAY [check indexing status] ********************************************************************************************************

TASK [Check for health] *********************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "content": "", "msg": "Status code was -1 and not [200]: Request failed: <urlopen error EOF occurred in violation of protocol (_ssl.c:590)>", "redirected": false, "status": -1, "url": "https://site.domain.tld/rest/check/"}
to retry, use: --limit @/Users/me/myplaybook.retry

PLAY RECAP *******************************************************************************************************************************************
localhost                  : ok=0    changed=0    unreachable=0    failed=1

This is what the task looks like:

tasks:
    - name: Check for health
      uri:
        url: https://site.domain.tld/rest/check/   # target as shown in the error output above
        method: GET
        user: ansible
        password: "{{ ansible }}"
        force_basic_auth: yes
        body_format: json
        return_content: yes
        validate_certs: no
        status_code: 200
      # register is a task keyword, not a uri option: it belongs at the same level
      # as uri: and tags:, otherwise it is passed through as a module argument
      register: results
      tags:
        - checkHealth

As you can see, I am telling it validate_certs: no; however, I still get the above error. I am running this on MacOS 10.12.6, where there are some Python OpenSSL issues. However, I took the proper steps to mitigate that. Here is what I am running:

Ansible version = 2.5.4
Ansible is pointing to = python version 3.6.5
OpenSSL version = 1.0.2o 27 Mar 2018

I suspect the Python module is not honoring the validate_certs option or my install of Python 3 isn't using the right TLS version 1.2? I'm not sure what else to check here. Any pointers?

Tony Chia

Jun 7, 2018, 12:13:28 PM6/7/18
to Ansible Project
Maybe add -vvvvv and see if there are additional error messages that are helpful?

Tito Valentin

Jun 7, 2018, 3:49:17 PM6/7/18
to Ansible Project
When I run it in verbose, the message for that task is pretty much the same:

"msg": "Status code was -1 and not [200]: Request failed: <urlopen error EOF occurred in violation of protocol (_ssl.c:590)>",
    "redirected": false,
    "status": -1,
    "url": "https://site.domain.tld/rest/check/"

Here is the full verbosity output:

| => ansible-playbook --tags checkHealth ~/myplaybook.yml -vvv
ansible-playbook 2.5.4
  config file = /Users/me/.ansible.cfg
  configured module search path = ['/Users/me/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
  executable location = /usr/local/bin/ansible-playbook
  python version = 3.6.5 (default, Apr 25 2018, 14:26:36) [GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.39.2)]
Using /Users/me/.ansible.cfg as config file
Parsed /Users/me/ansible/inventory inventory source with ini plugin

PLAYBOOK: myplaybook.yml *******************************************************************************************************************************************************************************************************************************************************************************************
1 plays in /Users/me/myplaybook.yml
Read vars_file '../Vault.yml'
Read vars_file '../Vault.yml'

PLAY [check indexing status] ******************************************************************************************************************************************************************************************************************************************************************************
META: ran handlers
Read vars_file '../Vault.yml'

TASK [Check for "Lucene" health] *******************************************************************************************************************************************************************************************************************************************************************************************
task path: /Users/me/myplaybook.yml:10
Using module file /usr/local/lib/python3.6/site-packages/ansible/modules/net_tools/basics/uri.py
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: me
<localhost> EXEC /bin/sh -c 'echo ~me2 && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /Users/me/.ansible/tmp/ansible-tmp-1528389571.6054752-184913372491664 `" && echo ansible-tmp-1528389571.6054752-184913372491664="` echo /Users/me/.ansible/tmp/ansible-tmp-1528389571.6054752-184913372491664 `" ) && sleep 0'
<localhost> PUT /Users/me/.ansible/tmp/ansible-local-75437a7u_k2kd/tmphmuwa7sm TO /Users/eh3512/.ansible/tmp/ansible-tmp-1528389571.6054752-184913372491664/uri.py
<localhost> EXEC /bin/sh -c 'chmod u+x /Users/me/.ansible/tmp/ansible-tmp-1528389571.6054752-184913372491664/ /Users/me/.ansible/tmp/ansible-tmp-1528389571.6054752-184913372491664/uri.py && sleep 0'
<localhost> EXEC /bin/sh -c '/usr/bin/python /Users/me/.ansible/tmp/ansible-tmp-1528389571.6054752-184913372491664/uri.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /Users/me/.ansible/tmp/ansible-tmp-1528389571.6054752-184913372491664/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
  File "/var/folders/kz/j5vz888d39q0hsrd15ml4214by4qgx/T/ansible_Wlj9po/ansible_module_uri.py", line 471, in main
    uresp['location'] = absolute_location(url, uresp['location'])

fatal: [localhost]: FAILED! => {
    "changed": false,
    "content": "",
    "invocation": {
        "module_args": {
            "attributes": null,
            "backup": null,
            "body": null,
            "body_format": "json",
            "client_cert": null,
            "client_key": null,
            "content": null,
            "creates": null,
            "delimiter": null,
            "dest": null,
            "directory_mode": null,
            "follow": false,
            "follow_redirects": "safe",
            "force": false,
            "force_basic_auth": true,
            "group": null,
            "headers": {
                "Authorization": "Basic YksdjhfksjdhfZSnJhT1l4TmUw",
                "Content-Type": "application/json"
            },
            "http_agent": "ansible-httpget",
            "method": "GET",
            "mode": null,
            "owner": null,
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "regexp": null,
            "register": "results",
            "remote_src": null,
            "removes": null,
            "return_content": true,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "status_code": [
                "200"
            ],
            "timeout": 30,
            "unsafe_writes": null,
            "url": "https://site.domain.tld/rest/check/",
            "url_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "url_username": "ansible",
            "use_proxy": true,
            "user": "ansible",
            "validate_certs": false
        }
    },
    "msg": "Status code was -1 and not [200]: Request failed: <urlopen error EOF occurred in violation of protocol (_ssl.c:590)>",
    "redirected": false,
    "status": -1,
}
to retry, use: --limit @/Users/me/myplaybook.retry

PLAY RECAP *****************************************************************************************************************************************************************************************************************************************************************************************************************
localhost                  : ok=0    changed=0    unreachable=0    failed=1

Matt Martz

Jun 7, 2018, 3:55:52 PM6/7/18
to ansible...@googlegroups.com
The problem is not with SSL verification, but in this case the default ciphers utilized by python do not include the ciphers needed for the site you are communicating with.

As such, python is failing to even communicate over SSL: "urlopen error EOF occurred in violation of protocol"

The site is likely requiring use of old and insecure ciphers.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscribe@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/c3b16810-24dd-4d2b-9ec8-1b82affee9bb%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.
--
Matt Martz
@sivel
sivel.net
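Matt's point above, as an added example (this is not code from the thread or from Ansible): the script below builds the same kind of SSLContext Ansible's uri module uses when validate_certs is off, shows that turning verification off changes nothing about the cipher suites the client offers, and classifies a failed request as a certificate failure (which validate_certs: no would suppress) or a handshake failure (which it would not). The context construction mirrors what ssl.create_default_context() plus the two verification switches produce and is an assumption about the module's internals; the target URL and any cipher string are placeholders supplied by the caller.

```python
"""Diagnose a failing HTTPS request the way Ansible's uri module would make it.

Added example, not part of the original thread or of Ansible itself.
"""
import ssl
import urllib.error
import urllib.request


def build_context(validate_certs=True, ciphers=None):
    """Build a client context like the one the uri module uses (assumption:
    create_default_context() plus the two verification switches).
    `ciphers` is an optional OpenSSL cipher string to widen or narrow the offer."""
    ctx = ssl.create_default_context()
    if not validate_certs:
        # This is all validate_certs: no does: skip hostname and chain checks.
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if ciphers:
        ctx.set_ciphers(ciphers)
    return ctx


def offered_ciphers(ctx):
    """Names of the cipher suites this context will offer in its ClientHello."""
    return sorted(c["name"] for c in ctx.get_ciphers())


def classify_failure(exc):
    """Map an exception raised by urlopen() to the layer that failed."""
    # urllib wraps socket/ssl errors in URLError; inspect the underlying cause.
    if isinstance(exc, urllib.error.URLError) and exc.reason is not None:
        exc = exc.reason
    cert_error = getattr(ssl, "SSLCertVerificationError", None)  # Python 3.7+
    if cert_error is not None and isinstance(exc, cert_error):
        return "certificate"      # validate_certs: no suppresses this
    if isinstance(exc, ssl.SSLError):
        if getattr(exc, "reason", None) == "CERTIFICATE_VERIFY_FAILED":
            return "certificate"  # same failure on older Pythons
        # SSLEOFError ("EOF occurred in violation of protocol") and other
        # SSLErrors mean the handshake never completed: protocol/cipher mismatch,
        # so the verification setting is irrelevant.
        return "handshake"
    return "other"                # DNS, TCP refused, timeout, ...


def probe(url, validate_certs=False, ciphers=None, timeout=10):
    """Fetch url with the given settings and report what failed, if anything."""
    ctx = build_context(validate_certs, ciphers)
    report = {"openssl": ssl.OPENSSL_VERSION, "validate_certs": validate_certs}
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            report["status"] = resp.status
            report["failure"] = None
    except urllib.error.HTTPError as e:
        report["status"] = e.code     # TLS worked; the server answered with an error code
        report["failure"] = None
    except Exception as e:
        report["status"] = -1
        report["failure"] = classify_failure(e)
        report["error"] = str(e)
    return report


if __name__ == "__main__":
    import json
    import sys
    # Placeholder target; pass a real URL on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://site.domain.tld/rest/check/"
    print(json.dumps(probe(target), indent=2))
```

Run it against the failing host with and without validate_certs and compare: a "handshake" result that persists in both runs is the situation described in this thread, and the offered_ciphers() list is what the server has to accept. Passing a different cipher string via `ciphers` lets you test the hypothesis that the server needs suites your default list no longer offers without changing anything in Ansible.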

Tito Valentin

Jun 10, 2018, 1:05:32 PM6/10/18
to Ansible Project
Thanks for the response. Despite what you have mentioned, I still don't know how to proceed. This seems to only occur on MacOS. I have three machines running exactly the same versions of Python and OpenSSL. I even installed Python with brew using the --with-brewed-openssl option. When I run a check of the openssl version within the Python interpreter, it shows the right version of openssl too, not the older outdated version. So, I'm not sure what to do considering Linux and even WSL work just fine with the same versions.

The one thing I have not done is compile a version of Python. I've only done the install via brew. To add to that, it's definitely Python causing the issue at this point, and I would prefer not to have to maintain a compiled version of Python. I was/am hoping someone on MacOS has experienced the same issue and found a solution. I've looked at many threads regarding this same issue and none point to a fix for me.

Thanks for your help, though

Tito Valentin

Jun 10, 2018, 8:28:57 PM6/10/18
to Ansible Project
Just an update. I installed pyopenssl thinking it would help since it's a wrapper around openssl and was suggested by someone on Reddit. Still having the same issue.