SSL/Certificate errors when running playbooks against Azure

716 views
Skip to first unread message

JOS

unread,
Dec 12, 2017, 4:03:40 PM12/12/17
to Ansible Project
Hello,

So I have an Azure free trial subscription and am trying to deploy VMs for it through ansible.  For reference, I mostly followed this guide: https://github.com/erjosito/ansible-azure-lab

I am unable to execute any playbook task at all, even something as simple as merely creating a resource group with a network.  Here is the error I always get:

fatal: [192.168.0.177]: FAILED! => {"changed": false, "failed": true, "module_stderr": "From cffi callback <function _verify_callback at 0x318b9b0>:\nTraceback (most recent call last):\n  File \"/usr/lib/python2.7/site-packages/OpenSSL/SSL.py\", line 313, in wrapper\n    _lib.X509_up_ref(x509)\nAttributeError: 'module' object has no attribute 'X509_up_ref'\nTraceback (most recent call last):\n  File \"/tmp/ansible_uaTUwO/ansible_module_azure_rm_virtualnetwork.py\", line 354, in <module>\n    main()\n  File \"/tmp/ansible_uaTUwO/ansible_module_azure_rm_virtualnetwork.py\", line 351, in main\n    AzureRMVirtualNetwork()\n  File \"/tmp/ansible_uaTUwO/ansible_module_azure_rm_virtualnetwork.py\", line 206, in __init__\n    supports_check_mode=True)\n  File \"/tmp/ansible_uaTUwO/ansible_modlib.zip/ansible/module_utils/azure_rm_common.py\", line 235, in __init__\n  File \"/usr/lib/python2.7/site-packages/msrestazure/azure_active_directory.py\", line 440, in __init__\n    self.set_token()\n  File \"/usr/lib/python2.7/site-packages/msrestazure/azure_active_directory.py\", line 473, in set_token\n    raise_with_traceback(AuthenticationError, \"\", err)\n  File \"/usr/lib/python2.7/site-packages/msrest/exceptions.py\", line 48, in raise_with_traceback\n    raise error\nmsrest.exceptions.AuthenticationError: , SSLError: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /b4f64759-blah-blah/oauth2/token (Caused by SSLError(SSLError(\"bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)\",),))\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 0}


I am able to connect to azure via the azure CLI create VMs and such through a bash script, but I need to get this working with ansible.


My credentials file

subscription_id=5eff-blah-blah
client_id=83e09b01-blah-blah
secret=passwordblahblah
tenant=b4f64759-blah-blah



Sample yml

- name: whatever
  hosts: localhost
  connection: local

  tasks:
  - name: Create virtual network
    azure_rm_virtualnetwork:
      resource_group: myResourceGroup
      name: myVnet
      address_prefixes: "10.10.0.0/16"

I have even tried modifying my credentials file to include the azure AD username & password (yes, I know this is considered bad practice, but I got desperate) and it still fails with a certificate error:

password=DummyLab
subscription_id=5eff-blah-blah

fatal: [192.168.0.177]: FAILED! => {"changed": false, "failed": true, "module_stderr": "From cffi callback <function _verify_callback at 0x30f3938>:\nTraceback (most recent call last):\n  File \"/usr/lib/python2.7/site-packages/OpenSSL/SSL.py\", line 313, in wrapper\n    _lib.X509_up_ref(x509)\nAttributeError: 'module' object has no attribute 'X509_up_ref'\nTraceback (most recent call last):\n  File \"/tmp/ansible_B6bKF3/ansible_module_azure_rm_virtualnetwork.py\", line 354, in <module>\n    main()\n  File \"/tmp/ansible_B6bKF3/ansible_module_azure_rm_virtualnetwork.py\", line 351, in main\n    AzureRMVirtualNetwork()\n  File \"/tmp/ansible_B6bKF3/ansible_module_azure_rm_virtualnetwork.py\", line 206, in __init__\n    supports_check_mode=True)\n  File \"/tmp/ansible_B6bKF3/ansible_modlib.zip/ansible/module_utils/azure_rm_common.py\", line 245, in __init__\n  File \"/usr/lib/python2.7/site-packages/msrestazure/azure_active_directory.py\", line 367, in __init__\n    self.set_token()\n  File \"/usr/lib/python2.7/site-packages/msrestazure/azure_active_directory.py\", line 404, in set_token\n    raise_with_traceback(AuthenticationError, \"\", err)\n  File \"/usr/lib/python2.7/site-packages/msrest/exceptions.py\", line 48, in raise_with_traceback\n    raise error\nmsrest.exceptions.AuthenticationError: , SSLError: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /common/oauth2/token (Caused by SSLError(SSLError(\"bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)\",),))\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 0}

JOS

unread,
Dec 18, 2017, 2:15:58 PM12/18/17
to Ansible Project
For anyone else that runs into this, it  looks like I had several different versions of python and out dated components, I reinstalled everything from scratch and no longer have this issue.

david diez

unread,
Jan 23, 2018, 3:06:14 PM1/23/18
to Ansible Project
Hi Jos,
Could you please specify what version of python and what components were outdated? I seem to be running into the same problem

Mahaboob Basha

unread,
Aug 22, 2018, 2:53:41 AM8/22/18
to Ansible Project
Hi, I am getting the same exception now. Can you please help me, how you have fixed this issue. 

Stephane Emilien

unread,
Aug 25, 2018, 7:15:27 AM8/25/18
to Ansible Project
Hi,
The OP most likely has an issue on his cacert (somekind of repository used for certificate validation)

Could you run the following command on the machine which is executing the code(in the OP case: 192.168.0.177) and send us the output
 curl -IvL https://login.microsoftonline.com


If your ansible version is >= 2.5, you can use the parameter ( cert_validation_mode: ignore ) to skip the error but this impend some security risk as it won't check for the certificate validity.

- SDE
Reply all
Reply to author
Forward
0 new messages