Failed to validate the SSL certificate for github.com:443 while executing ansible-container build

My main.yml is executing a task called dumb-init and we are getting the error "msg": "Failed to validate the SSL certificate for github.com:443. Make sure your managed systems have a valid CA certificate installed".

STEPS TO REPRODUCE

Command used: sudo ansible-container --debug build

Main.yml

Log:
META: ran handlers
TASK [node_container : Install dumb init] **************************************
task path: /src/roles/node_container/tasks/main.yml:2
Using module file /usr/lib/python2.7/site-packages/ansible/modules/net_tools/basics/get_url.py
<6e2a9499e5b3dc4c4748b72955de0d3784a01489b93b3f0c03851fd697a54c98> ESTABLISH DOCKER CONNECTION FOR USER: root
<6e2a9499e5b3dc4c4748b72955de0d3784a01489b93b3f0c03851fd697a54c98> EXEC [‘/usr/local/bin/docker’, ‘exec’, ‘-i’, u’6e2a9499e5b3dc4c4748b72955de0d3784a01489b93b3f0c03851fd697a54c98’, u’/bin/sh’, ‘-c’, u"/bin/sh -c ‘echo ~ && sleep 0’“]
<6e2a9499e5b3dc4c4748b72955de0d3784a01489b93b3f0c03851fd697a54c98> EXEC [‘/usr/local/bin/docker’, ‘exec’, ‘-i’, u’6e2a9499e5b3dc4c4748b72955de0d3784a01489b93b3f0c03851fd697a54c98’, u’/bin/sh’, ‘-c’, u’/bin/sh -c ‘( umask 77 && mkdir -p “echo /root/.ansible/tmp/ansible-tmp-1510211281.96-149794489024135” && echo ansible-tmp-1510211281.96-149794489024135=“echo /root/.ansible/tmp/ansible-tmp-1510211281.96-149794489024135” ) && sleep 0’‘]
<6e2a9499e5b3dc4c4748b72955de0d3784a01489b93b3f0c03851fd697a54c98> PUT /tmp/tmpUO7dPT TO /root/.ansible/tmp/ansible-tmp-1510211281.96-149794489024135/get_url.py
<6e2a9499e5b3dc4c4748b72955de0d3784a01489b93b3f0c03851fd697a54c98> EXEC [’/usr/local/bin/docker’, ‘exec’, ‘-i’, u’6e2a9499e5b3dc4c4748b72955de0d3784a01489b93b3f0c03851fd697a54c98’, u’/bin/sh’, ‘-c’, u”/bin/sh -c ‘chmod u+x /root/.ansible/tmp/ansible-tmp-1510211281.96-149794489024135/ /root/.ansible/tmp/ansible-tmp-1510211281.96-149794489024135/get_url.py && sleep 0’"]
<6e2a9499e5b3dc4c4748b72955de0d3784a01489b93b3f0c03851fd697a54c98> EXEC [‘/usr/local/bin/docker’, ‘exec’, ‘-i’, u’6e2a9499e5b3dc4c4748b72955de0d3784a01489b93b3f0c03851fd697a54c98’, u’/bin/sh’, ‘-c’, u’/bin/sh -c ‘https_proxy=http://prod-proxy-out.xxx.com:8080 http_proxy=http://prod-proxy-out.xxx.com:8080 HTTPS_PROXY=http://prod-proxy-out.xxxx.com:8080 HTTP_PROXY=http://prod-proxy-out.xxx.com:8080 /_usr/bin/python /root/.ansible/tmp/ansible-tmp-1510211281.96-149794489024135/get_url.py; rm -rf “/root/.ansible/tmp/ansible-tmp-1510211281.96-149794489024135/” > /dev/null 2>&1 && sleep 0’‘]
The full traceback is:
File “/tmp/ansible_eDZL6J/ansible_modlib.zip/ansible/module_utils/urls.py”, line 1046, in fetch_url
client_key=client_key, cookies=cookies)
File “/tmp/ansible_eDZL6J/ansible_modlib.zip/ansible/module_utils/urls.py”, line 953, in open_url
r = urllib_request.urlopen(*urlopen_args)
File “/_usr/lib/python2.7/urllib2.py”, line 154, in urlopen
return opener.open(url, data, timeout)
File “/_usr/lib/python2.7/urllib2.py”, line 427, in open
req = meth(req)
File “/tmp/ansible_eDZL6J/ansible_modlib.zip/ansible/module_utils/urls.py”, line 765, in http_request
build_ssl_validation_error(self.hostname, self.port, paths_checked, e)
File “/tmp/ansible_eDZL6J/ansible_modlib.zip/ansible/module_utils/urls.py”, line 591, in build_ssl_validation_error
raise SSLValidationError(’ ‘.join(msg) % (hostname, port, ", ".join(paths)))
fatal: [ansible.node-container]: FAILED! => {
“changed”: false,
“failed”: true,
“invocation”: {
“module_args”: {
“attributes”: null,
“backup”: null,
“checksum”: “”,
“client_cert”: null,
“client_key”: null,
“content”: null,
“delimiter”: null,
“dest”: “/usr/bin/dumb-init”,
“directory_mode”: null,
“follow”: false,
“force”: false,
“force_basic_auth”: false,
“group”: “root”,
“headers”: null,
“http_agent”: “ansible-httpget”,
“mode”: 509,
“owner”: “root”,
“regexp”: null,
“remote_src”: null,
“selevel”: null,
“serole”: null,
“setype”: null,
“seuser”: null,
“sha256sum”: “”,
“src”: null,
“timeout”: 10,
“tmp_dest”: null,
“unsafe_writes”: null,
“url”: “https://github.com/Yelp/dumb-init/releases/download/v1.2.0/dumb-init_1.2.0_amd64”,
“url_password”: null,
“url_username”: null,
“use_proxy”: true,
“validate_certs”: true
}
},
“msg”: “Failed to validate the SSL certificate for github.com:443. Make sure your managed systems have a valid CA certificate installed. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible. The exception msg was: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590).”
}
to retry, use: --limit @/tmp/tmpAZLAaM/playbook.retry
PLAY RECAP *********************************************************************
ansible.node-container : ok=1 changed=0 unreachable=0 failed=1
2017-11-09T07:08:02.678075 Error applying role! [container.core] caller_file=/_ansible/container/core.py caller_func=apply_role_to_container caller_line=680 engine=<container.docker.engine.Engine object at 0x7f5b840bf710> exit_code=2 playbook=[{‘hosts’: u’ansible.node-container’, ‘roles’: [‘node_container’], ‘vars’: {}}]
2017-11-09T07:08:02.684010 Playbook run finished. [container.core] caller_file=/_ansible/container/core.py caller_func=conductorcmd_build caller_line=811 exit_code=2
Traceback (most recent call last):
File “/usr/bin/conductor”, line 11, in <module>
load_entry_point(‘ansible-container’, ‘console_scripts’, ‘conductor’)()
File “/_ansible/container/__init__.py”, line 19, in wrapped
return fn(*args, **kwargs)
File “/_ansible/container/cli.py”, line 399, in conductor_commandline
**params)
File “/_ansible/container/__init__.py”, line 19, in wrapped
return fn(*args, **kwargs)
File “/_ansible/container/core.py”, line 813, in conductorcmd_build
raise RuntimeError(‘Build failed.’)
RuntimeError: Build failed.
Exception in thread Thread-2:
Traceback (most recent call last):
File “/usr/lib64/python2.7/threading.py”, line 812, in __bootstrap_inner
self.run()
File “/usr/lib64/python2.7/threading.py”, line 765, in run
self.__target(*self.__args, **self.__kwargs)
File “/usr/lib/python2.7/site-packages/container/utils/logmux.py”, line 40, in produce
for message in iterator:
File “/usr/lib/python2.7/site-packages/docker/api/client.py”, line 339, in _multiplexed_response_stream_helper
header = response.raw.read(STREAM_HEADER_SIZE_BYTES)
File “/usr/lib/python2.7/site-packages/urllib3/response.py”, line 231, in read
raise ProtocolError(‘Connection broken: %r’ % e, e)
ProtocolError: (‘Connection broken: IncompleteRead(0 bytes read)’, IncompleteRead(0 bytes read))

2017-11-09T07:08:02.876617 Could not connect to container host. Check your docker config [container.cli] caller_file=/usr/lib/python2.7/site-packages/container/cli.py caller_func=call caller_line=328

Ansible version:

Ansible Container, version 0.9.2

Your playbook says that the environment should contain an HTTPS_PROXY variable.
That is used by your get_url task.
One explanation is that your proxy does Man in the Middle (or SSLBump
in squid terms).
The error below is pretty clear about how to solve that.

Dick
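
The two ways of reacting to this error, as an added example that is not part of the original thread: the weak setting the error message warns against, next to a version that keeps validation on, assuming the proxy re-signs TLS traffic with its own CA. The file name corp-proxy-ca.pem and the checksum value are placeholders, and copying into /etc/ssl/certs assumes get_url loads .pem files from the directories it lists under "Paths checked".

```yaml
# roles/node_container/tasks/main.yml (added example, not the poster's file)

# Weak: silences the error but accepts any certificate, so anything on the
# path between the container and github.com controls what lands in /usr/bin.
# - name: Install dumb init
#   get_url:
#     url: https://github.com/Yelp/dumb-init/releases/download/v1.2.0/dumb-init_1.2.0_amd64
#     dest: /usr/bin/dumb-init
#     validate_certs: false

# Corrected: trust the proxy's CA explicitly and leave validation enabled.
- name: Install the proxy CA certificate
  copy:
    src: corp-proxy-ca.pem                    # hypothetical file in the role's files/ directory
    dest: /etc/ssl/certs/corp-proxy-ca.pem    # first directory under "Paths checked" in the error
    owner: root
    group: root
    mode: "0644"

- name: Install dumb init
  get_url:
    url: https://github.com/Yelp/dumb-init/releases/download/v1.2.0/dumb-init_1.2.0_amd64
    dest: /usr/bin/dumb-init
    owner: root
    group: root
    mode: "0775"                              # shown as 509 (decimal) in the module_args
    validate_certs: true
    # Placeholder: replace with the sha256 published for this release asset.
    # Pinning it means an intercepting hop cannot swap the binary unnoticed.
    checksum: "sha256:<sha256 of dumb-init_1.2.0_amd64>"
```

The CA file should be obtained from whoever operates the proxy, not saved from the intercepted connection itself, since that would trust whatever happened to answer.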