Failure trying to install remote yum package

This is my playbook:

tasks:

Note: This is only failing on RHEL6 systems. So it’s got to be something python-related. I’ve verified that urllib3, pyOpenSSL, ndg-httpsclient, and pyasn1 are all installed. From reading further, I’m seeing that there are issues relating to python 2.6.6 not being able to use SNI.

The full traceback is:
  File "/tmp/ansible_7kxVuI/ansible_modlib.zip/ansible/module_utils/urls.py", line 1055, in fetch_url
    client_key=client_key, cookies=cookies)
  File "/tmp/ansible_7kxVuI/ansible_modlib.zip/ansible/module_utils/urls.py", line 958, in open_url
    r = urllib_request.urlopen(*urlopen_args)
  File "/usr/lib64/python2.6/urllib2.py", line 126, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib64/python2.6/urllib2.py", line 389, in open
    req = meth(req)
  File "/tmp/ansible_7kxVuI/ansible_modlib.zip/ansible/module_utils/urls.py", line 773, in http_request
    build_ssl_validation_error(self.hostname, self.port, paths_checked, e)
  File "/tmp/ansible_7kxVuI/ansible_modlib.zip/ansible/module_utils/urls.py", line 579, in build_ssl_validation_error
    raise SSLValidationError(' '.join(msg) % (hostname, port, ", ".join(paths)))

fatal: [baseworkstation-lx]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "allow_downgrade": false,
            "bugfix": false,
            "conf_file": null,
            "disable_gpg_check": false,
            "disable_plugin": [],
            "disablerepo": null,
            "enable_plugin": [],
            "enablerepo": null,
            "exclude": null,
            "install_repoquery": true,
            "installroot": "/",
            "list": null,
            "name": [
                "https://yum.puppetlabs.com/puppet5/puppet5-release-el-6.noarch.rpm"
            ],
            "security": false,
            "skip_broken": false,
            "state": "present",
            "update_cache": false,
            "update_only": false,
            "validate_certs": true
        }
    },
    "msg": "Failed to validate the SSL certificate for yum.puppetlabs.com:443. Make sure your managed systems have a valid CA certificate installed. If the website serving the url uses SNI you need python >= 2.7.9 on your managed machine (the python executable used (/usr/bin/python) is version: 2.6.6 (r266:84292, Aug 9 2016, 06:11:56) [GCC 4.4.7 20120313 (Red Hat 4.4.7-17)]) or you can install the urllib3, pyOpenSSL, ndg-httpsclient, and pyasn1 python modules to perform SNI verification in python >= 2.6. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible. The exception msg was: [Errno 1] _ssl.c:492: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure."

Hi Chris,

Try adding “validate_certs: false” to your yum arguments.

–Steve

Hi, I did that and still no change.

What I can say is that yum.puppetlabs.com is using SNI; how to solve it on RHEL6 I don't know.

But you could use http; since the package is signed, you can always check the authenticity.
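
The error message quoted in the first post names two ways for the managed host's Python to send SNI: Python >= 2.7.9, or the four add-on modules on older interpreters. The script below is an added example (not code from this thread or from Ansible) that checks both conditions on whichever interpreter runs it, and flags a handshake alert like the one in the message; all function names are hypothetical, and being able to import the four modules is a necessary condition only, not proof that the fallback works.

```python
"""Check the SNI conditions named in the error message (added example).
Written to run on Python 2.6 as well as Python 3."""
import ssl
import sys

# pip package name -> import name, for the four modules the message lists
BACKPORT_MODULES = [
    ("urllib3", "urllib3"),
    ("pyOpenSSL", "OpenSSL"),
    ("ndg-httpsclient", "ndg.httpsclient"),
    ("pyasn1", "pyasn1"),
]


def missing_backports(importer=__import__):
    """Return the pip names of the listed modules that fail to import."""
    missing = []
    for pip_name, import_name in BACKPORT_MODULES:
        try:
            importer(import_name)
        except Exception:  # a broken install can raise more than ImportError
            missing.append(pip_name)
    return missing


def sni_path(version_info, has_sni, missing):
    """Classify how SNI could be sent: 'native', 'backport' or 'none'."""
    if has_sni and tuple(version_info[:3]) >= (2, 7, 9):
        return "native"
    if not missing:
        return "backport"
    return "none"


def is_handshake_alert(exc_msg):
    """True when the server aborted the TLS handshake. That happens before
    any certificate is checked, so validate_certs does not affect it."""
    return "alert handshake failure" in exc_msg


def report():
    """One-line summary for the interpreter running this script."""
    missing = missing_backports()
    path = sni_path(sys.version_info, getattr(ssl, "HAS_SNI", False), missing)
    return "python %s: SNI path=%s, missing modules=%s" % (
        sys.version.split()[0], path, ", ".join(missing) or "none")


if __name__ == "__main__":
    print(report())
```

Run it with the interpreter Ansible uses on the managed host (`/usr/bin/python` in the output above), not the one on the control machine.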