"Python 3.6 is no longer supported by the Python core team" error when running awx.awx modules

Get Help
, ,
1

I run awx.awx modules to configure my Ansible Automation Platform controller. It was working fine until I logged into the controller and ran these 2 commands:

pip install pywinrm
python3 -m pip install --user --ignore-installed pywinrm

Ever since then, when I run the awx.awx modules I receive this error:

/usr/lib/python3.6/site-packages/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography. The next release of cryptography will remove support for Python 3.6.
from cryptography import x509
Traceback (most recent call last):
File “/home/ec2-user/.ansible/tmp/ansible-tmp-1729069344.3817284-192-151642567226331/AnsiballZ_settings.py”, line 107, in
_ansiballz_main()
File “/home/ec2-user/.ansible/tmp/ansible-tmp-1729069344.3817284-192-151642567226331/AnsiballZ_settings.py”, line 99, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File “/home/ec2-user/.ansible/tmp/ansible-tmp-1729069344.3817284-192-151642567226331/AnsiballZ_settings.py”, line 48, in invoke_module
run_name=‘main’, alter_sys=True)
File “/usr/lib64/python3.6/runpy.py”, line 205, in run_module
return _run_module_code(code, init_globals, run_name, mod_spec)
File “/usr/lib64/python3.6/runpy.py”, line 96, in _run_module_code
mod_name, mod_spec, pkg_name, script_name)
File “/usr/lib64/python3.6/runpy.py”, line 85, in _run_code
exec(code, run_globals)
File “/tmp/ansible_settings_payload_1uf52c7k/ansible_settings_payload.zip/ansible_collections/awx/awx/plugins/modules/settings.py”, line 72, in
File “”, line 971, in _find_and_load
File “”, line 955, in _find_and_load_unlocked
File “”, line 656, in _load_unlocked
File “”, line 626, in _load_backward_compatible
File “/tmp/ansible_settings_payload_1uf52c7k/ansible_settings_payload.zip/ansible_collections/awx/awx/plugins/module_utils/controller_api.py”, line 6, in
File “”, line 971, in _find_and_load
File “”, line 955, in _find_and_load_unlocked
File “”, line 656, in _load_unlocked
File “”, line 626, in _load_backward_compatible
File “/tmp/ansible_settings_payload_1uf52c7k/ansible_settings_payload.zip/ansible/module_utils/urls.py”, line 115, in
File “/home/ec2-user/.local/lib/python3.6/site-packages/urllib3/contrib/pyopenssl.py”, line 50, in
import OpenSSL.crypto
File “/usr/lib/python3.6/site-packages/OpenSSL/init.py”, line 8, in
from OpenSSL import crypto, SSL
File “/usr/lib/python3.6/site-packages/OpenSSL/crypto.py”, line 1553, in
class X509StoreFlags(object):
File “/usr/lib/python3.6/site-packages/OpenSSL/crypto.py”, line 1573, in X509StoreFlags
CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK
AttributeError: module ‘lib’ has no attribute ‘X509_V_FLAG_CB_ISSUER_CHECK’

This is essentially what my playbook looks like:

- name: Configure AAP
  hosts: my-aap-server
  vars:
    controller_host: my-aap-server
    controller_username: aap-user
    controller_password: pass123
  tasks:
    - awx.awx.credential:
        name: Some credential
        credential_type: SSH
        inputs:
          user: my-user
          password: my-password

So Ansible is SSH-ing into the controller, running the awx.awx.credential module, which reaches back to itself via the API to make the changes.

Conversely, if I run the same play against hosts: localhost (e.g.: running it in an execution environment), it works fine.

So I think I broke some dependency on the controller host when I tried to install pywinrm.

I do have Python 3.6.8 installed on the host among other versions, the highest being 3.12. Based on this answer, I ran update-alternatives --set python3 /usr/bin/python3.12 and now python3 --version shows Python 3.12.3, but I still get the same failure in the playbook.

My Ansible version:

ansible [core 2.16.3]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/ec2-user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.12/site-packages/ansible
  ansible collection location = /home/ec2-user/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.12.3 (main, Jun 19 2024, 10:06:03) [GCC 8.5.0 20210514 (Red Hat 8.5.0-22)] (/usr/bin/python3.12)
  jinja version = 3.1.2
  libyaml = True

Any ideas how to fix it?

2

Ansible Python interpreter is probably still /usr/bin/python. See Ansible Configuration Settings — Ansible Community Documentation how to change it.

3

The message you indicate is just a warning, not an error. The real error is:

File “/tmp/ansible_settings_payload_1uf52c7k/ansible_settings_payload.zip/ansible/module_utils/urls.py”, line 115, in
File “/home/ec2-user/.local/lib/python3.6/site-packages/urllib3/contrib/pyopenssl.py”, line 50, in
import OpenSSL.crypto
File “/usr/lib/python3.6/site-packages/OpenSSL/init.py”, line 8, in
from OpenSSL import crypto, SSL
File “/usr/lib/python3.6/site-packages/OpenSSL/crypto.py”, line 1553, in
class X509StoreFlags(object):
File “/usr/lib/python3.6/site-packages/OpenSSL/crypto.py”, line 1573, in X509StoreFlags
CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK
AttributeError: module ‘lib’ has no attribute ‘X509_V_FLAG_CB_ISSUER_CHECK’

Based on that error, it would seem you are running ansible-core 2.12 which is EOL. From ansible-core 2.14 and newer you shouldn’t get that specific traceback.

As of now ansible-core 2.15 and newer are supported (for another 3 weeks, and then 2.16+), so I’d recommend you upgrade your ansible-core version.

1 Like
6

I forgot to include it in the original post but I’m running Ansible core version 2.16.3.

7

Such stack traces in PyOpenSSL are usually due to a mismatch between the versions of cryptography and PyOpenSSL, or due to a broken cryptography and/or PyOpenSSL installation. For example this can happen if you update cryptography but not PyOpenSSL, which will happen if you do something like pip install --upgrade cryptography or pip install -r requirements.txt which specifies a certain minimum cryptography version you don’t have installed already (but doesn’t specify a corresponding PyOpenSSL version).

1 Like
8

I’m not sure that is possible. Looking at the stack trace:

ansible/module_utils/urls.py”, line 115, in
File “/home/ec2-user/.local/lib/python3.6/site-packages/urllib3/contrib/pyopenssl.py”, line 50, in

indicates that on line 115 of urls.py that urllib3.contrib.pyopenssl is being imported. In 2.16.3 that is on line 130. And more importantly, as of ansible-core 2.14, that import would never fire on Python 3.6, because Python 3.6 natively supports SNI verification, and the import of pyopenssl is a fallback if native SNI verification is missing.

However, in all versions of 2.12, that import line is on line 115:

It’s possible you have some corrupted install, or multiple installs that are conflicting with each other.

9

I upgraded my ansible installation following the documentation with python3 -m pip install --user ansible-core (now on ansible core version 2.17.5). I also updated the cryptography installation based on @felixfontein 's recommendation with pip install --upgrade cryptography and I’m still getting the same error. It only occurs with the awx.awx collection.

Do you have any ideas as to how I can fix it? I’m kind of stumped.

10

Did you also upgrade PyOpenSSL? Updating cryptography without PyOpenSSL is usually the cause of this problem.