Error validating launchpad.net SSL certificate?

Hi,

I am using the latest commit from the devel branch, and I am having difficulty adding an Apt repository. The system I am running Ansible on is Ubuntu 12.04, the provisioned host is running 14.04. I am using this task:

  - apt_repository: repo='ppa:webupd8team/java'

The error is:
msg: Failed to validate the SSL certificate for launchpad.net:443. Use validate_certs=no or make sure your managed systems have a valid CA certificate installed. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible

I tried extracting the CA certificate file that urls.py builds and passing it to gnutls-cli to check whether the CA certificate is indeed missing:

$ gnutls-cli --x509cafile certstmp.pem launchpad.net
Processed 332 CA certificate(s).
[…]
- Certificate[0] info:
 - subject `OU=Domain Control Validated,CN=launchpad.net', issuer `C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com, Inc.,OU=http://certs.godaddy.com/repository/,CN=Go Daddy Secure Certificate Authority - G2', RSA key 2048 bits, signed using RSA-SHA256, activated `2014-04-08 05:33:03 UTC', expires `2014-07-25 18:24:13 UTC', SHA-1 fingerprint `3e6aa453dcc8f9888e7ee368b374d9e2b21917c5'
- Certificate[1] info:
 - subject `C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certs.godaddy.com/repository/,CN=Go Daddy Secure Certificate Authority - G2', issuer `C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com, Inc.,CN=Go Daddy Root Certificate Authority - G2', RSA key 2048 bits, signed using RSA-SHA256, activated `2011-05-03 07:00:00 UTC', expires `2031-05-03 07:00:00 UTC', SHA-1 fingerprint `27ac9369faf25207bb2627cefaccbe4ef9c319b8'
- Certificate[2] info:
 - subject `C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,CN=Go Daddy Root Certificate Authority - G2', issuer `C=US,O=The Go Daddy Group, Inc.,OU=Go Daddy Class 2 Certification Authority', RSA key 2048 bits, signed using RSA-SHA256, activated `2014-01-01 07:00:00 UTC', expires `2031-05-30 07:00:00 UTC', SHA-1 fingerprint `340b2880f446fcc04e59ed33f52b3d08d6242964'
- The hostname in the certificate matches 'launchpad.net'.
- Peer's certificate is trusted
[…]

What else can I do to debug this problem?

Regards,
Joost

What version of Ansible are you running? There were some changes in 1.5.3+ to address certificate validation issues on Ubuntu systems. Also please make sure that you have the correct CA package installed (ca-certificates) and that the /etc/ssl/certs/ directory is present and contains certificates.

Hi James,

Thanks for the ideas. As I mentioned, I am using the latest commit from devel, and have all the certificates. In fact, I showed that if I take the temporary file with CA certificates that Ansible creates and use it with gnutls-cli then the launchpad.net certificate validates.

Regards,
Joost

Sorry for missing that. Could you please open an issue for this on github so we can keep track of it?

Thanks!

I created an issue: https://github.com/ansible/ansible/issues/7218

If there is anything else I can do to track down the bug, please let me know.

Regards,
Joost
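
The check suggested earlier in the thread (that the CA directories exist and contain certificates), as an added example that is not part of the thread and is not Ansible's own code: it walks the directories named in the error message and reports which PEM files Python's OpenSSL binding accepts as CA certificates. The function name audit_ca_paths is an assumption made for this example.

```python
import os
import ssl

# Directories named in the error message quoted in this thread.
CA_PATHS = [
    "/etc/ssl/certs",
    "/etc/pki/ca-trust/extracted/pem",
    "/etc/pki/tls/certs",
    "/usr/share/ca-certificates/cacert.org",
    "/etc/ansible",
]
PEM_MARKER = "-----BEGIN CERTIFICATE-----"


def audit_ca_paths(paths=CA_PATHS):
    """Return (missing_dirs, usable_files, rejected_files) for the CA directories."""
    missing, usable, rejected = [], [], []
    for directory in paths:
        if not os.path.isdir(directory):
            missing.append(directory)
            continue
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if not os.path.isfile(path):  # skips subdirectories and broken symlinks
                continue
            try:
                # cadata must be pure ASCII, so drop any non-ASCII comment bytes.
                with open(path, encoding="ascii", errors="ignore") as handle:
                    data = handle.read()
            except OSError:
                continue  # unreadable file
            if PEM_MARKER not in data:
                continue  # not a PEM certificate file
            # Fresh context per file so one bad file cannot mask another.
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            try:
                ctx.load_verify_locations(cadata=data)
                usable.append(path)
            except (ssl.SSLError, ValueError) as exc:
                rejected.append((path, str(exc)))
    return missing, usable, rejected


if __name__ == "__main__":
    missing, usable, rejected = audit_ca_paths()
    print("missing directories:", missing)
    print("PEM files accepted:", len(usable))
    for path, reason in rejected:
        print("rejected:", path, reason)
```

On Debian and Ubuntu, /etc/ssl/certs holds hash-named symlinks alongside the named files, so the accepted count is a count of files, not of distinct certificates.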