Error validating launchpad.net SSL certificate?


Joost Cassee

Apr 28, 2014, 6:48:10 PM
to ansible...@googlegroups.com
Hi,

I am using the latest commit from the devel branch, and I am having difficulty adding an Apt repository. The system I am running Ansible on is Ubuntu 12.04, the provisioned host is running 14.04. I am using this task:

- apt_repository: repo='ppa:webupd8team/java'

The error is:
msg: Failed to validate the SSL certificate for launchpad.net:443. Use validate_certs=no or make sure your managed systems have a valid CA certificate installed. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible

I tried extracting the CA certificate file that urls.py builds and passing it to gnutls-cli to check whether the CA certificate is indeed missing:

$ gnutls-cli --x509cafile certstmp.pem launchpad.net
Processed 332 CA certificate(s).
[...]
 - Certificate[0] info:
  - subject `OU=Domain Control Validated,CN=launchpad.net', issuer `C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certs.godaddy.com/repository/,CN=Go Daddy Secure Certificate Authority - G2', RSA key 2048 bits, signed using RSA-SHA256, activated `2014-04-08 05:33:03 UTC', expires `2014-07-25 18:24:13 UTC', SHA-1 fingerprint `3e6aa453dcc8f9888e7ee368b374d9e2b21917c5'
 - Certificate[1] info:
  - subject `C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certs.godaddy.com/repository/,CN=Go Daddy Secure Certificate Authority - G2', issuer `C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,CN=Go Daddy Root Certificate Authority - G2', RSA key 2048 bits, signed using RSA-SHA256, activated `2011-05-03 07:00:00 UTC', expires `2031-05-03 07:00:00 UTC', SHA-1 fingerprint `27ac9369faf25207bb2627cefaccbe4ef9c319b8'
 - Certificate[2] info:
  - subject `C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,CN=Go Daddy Root Certificate Authority - G2', issuer `C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority', RSA key 2048 bits, signed using RSA-SHA256, activated `2014-01-01 07:00:00 UTC', expires `2031-05-30 07:00:00 UTC', SHA-1 fingerprint `340b2880f446fcc04e59ed33f52b3d08d6242964'
- The hostname in the certificate matches 'launchpad.net'.
- Peer's certificate is trusted
[...]

What else can I do to debug this problem?

Regards,
Joost
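
Added example (not part of the thread and not Ansible's urls.py code): a Python 3 script for the debugging step described above. It rebuilds a CA bundle from the directories named in the error message and verifies a host with Python's ssl module (OpenSSL) instead of GnuTLS. The concatenate-and-deduplicate approach and the function names are assumptions made for illustration.

```python
import os
import re
import socket
import ssl

# Directories listed in the error message quoted in the post above.
CA_PATHS = ["/etc/ssl/certs", "/etc/pki/ca-trust/extracted/pem", "/etc/pki/tls/certs",
            "/usr/share/ca-certificates/cacert.org", "/etc/ansible"]
# A complete PEM block: markers with only base64 text and whitespace between them.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----[A-Za-z0-9+/=\s]+-----END CERTIFICATE-----")

def collect_pem_blocks(paths):
    """Return the distinct PEM certificate blocks found in files directly under paths."""
    seen, blocks = set(), []
    for directory in paths:
        if not os.path.isdir(directory):
            continue  # a missing directory is skipped, not an error
        for name in sorted(os.listdir(directory)):
            full = os.path.join(directory, name)
            if not os.path.isfile(full):
                continue
            try:
                with open(full, errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file
            for block in PEM_RE.findall(text):
                if block not in seen:  # hash symlinks and bundle files repeat certificates
                    seen.add(block)
                    blocks.append(block)
    return blocks

def write_bundle(blocks, path):
    """Write blocks to one CA file (also usable with gnutls-cli --x509cafile); return the count."""
    with open(path, "w") as fh:
        fh.write("\n".join(blocks) + "\n")
    return len(blocks)

def verify_with_python_ssl(host, bundle, port=443, timeout=10):
    """TLS handshake that trusts only `bundle`; return (ok, detail)."""
    try:
        ctx = ssl.create_default_context(cafile=bundle)  # system defaults are not loaded
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True, "chain and hostname verified"
    except (ssl.SSLError, OSError) as exc:
        return False, "%s: %s" % (type(exc).__name__, exc)
```

Run it on the managed host: `write_bundle(collect_pem_blocks(CA_PATHS), "bundle-check.pem")` followed by `verify_with_python_ssl("launchpad.net", "bundle-check.pem")`. If gnutls-cli accepts the same file and this check fails, that suggests the difference lies in the TLS library or how it is invoked rather than in the contents of the CA file.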

James Cammarata

Apr 28, 2014, 8:58:31 PM
to ansible...@googlegroups.com
What version of Ansible are you running? There were some changes in 1.5.3+ to address certificate validation issues on Ubuntu systems. Also please make sure that you have the correct CA package installed (ca-certificates) and that the /etc/ssl/certs/ directory is present and contains certificates.


--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/d8b09d64-5032-48ac-a019-0b2149e43c12%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Joost Cassee

Apr 29, 2014, 1:08:30 AM
to ansible...@googlegroups.com

Hi James,

Thanks for the ideas. As I mentioned, I am using the latest commit from devel, and have all the certificates. In fact, I showed that if I take the temporary file with CA certificates that Ansible creates and use it with gnutls-cli, then the launchpad.net certificate validates.

Regards,
Joost

On 29 Apr 2014 02:58, "James Cammarata" <jcamm...@ansible.com> wrote:

James Cammarata

Apr 29, 2014, 3:36:15 PM
to ansible...@googlegroups.com
Sorry for missing that. Could you please open an issue for this on GitHub so we can keep track of it?

Thanks!


Joost Cassee

Apr 29, 2014, 4:15:36 PM
to ansible...@googlegroups.com
I created an issue: https://github.com/ansible/ansible/issues/7218

If there is anything else I can do to track down the bug, please let me know.

Regards,
Joost



--
Joost Cassee
http://joost.cassee.net