Regression of #9966?

Getting what looks like a regression of https://github.com/ansible/ansible/issues/9966.

Since the issue is closed, posting what is there here.

$ ansible --version
ansible 2.1.0 (devel 30e729557f) last updated 2015/12/09 22:10:16 (GMT -500)
  lib/ansible/modules/core: (detached HEAD 0b5555b62c) last updated 2015/12/09 22:10:16 (GMT -500)
  lib/ansible/modules/extras: (detached HEAD cbed642009) last updated 2015/12/09 22:10:16 (GMT -500)
  config file = /Users/tanner/projects/ansible.git/playbooks.git/ansible.cfg
  configured module search path = Default w/o overrides

- name: add zfs-native apt repository
  apt_repository: >
    repo="ppa:zfs-native/stable"
    update_cache="yes"

FAILED! => {"changed": false, "failed": true, "msg": "Failed to validate the SSL certificate for launchpad.net:443. Make sure your managed systems have a valid CA certificate installed. If the website serving the url uses SNI you need python >= 2.7.9 on your managed machine. You can use validate_certs=False if you do not need to confirm the server\s identity but this is unsafe and not recommended Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible"}

The managed machine is a fully patched Ubuntu 14.04 and its Python is 2.7.6.

A Wireshark dump of the HTTPS request should help clear this up. Are you behind a corporate proxy which intercepts SSL? I am not sure if launchpad uses SNI, in which case Python 2.7 (<2.7.9) will just not work. Can you try this in a shell: python -c "import urllib2; print urllib2.urlopen('https://launchpad.net').read()"

Cheers,
Florian

Not behind any proxy or firewall.

$ python -c "import urllib2; print urllib2.urlopen('https://launchpad.net').read()"

http://git.io/v0fGA

Maybe ansible uses a different CA bundle. Can you check the paths returned from https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/urls.py#L430-L483 and whether the root CA in question is in there?

/etc/ssl/certs

DigiCert_Assured_ID_Root_CA.pem
DigiCert_Assured_ID_Root_G2.pem
DigiCert_Assured_ID_Root_G3.pem
DigiCert_Global_Root_CA.pem
DigiCert_Global_Root_G2.pem
DigiCert_Global_Root_G3.pem
DigiCert_High_Assurance_EV_Root_CA.pem
DigiCert_Trusted_Root_G4.pem

launchpad.net is telling me CA is DigiCert_High_Assurance_EV_Root_CA.pem

$ openssl verify DigiCert_High_Assurance_EV_Root_CA.pem
DigiCert_High_Assurance_EV_Root_CA.pem: OK
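
The check requested above (is the root CA present in the directories listed in the error message?) can be scripted. This is an added example, not code from any poster in this thread or from Ansible: the function names and the `.pem`/`.crt` filter are assumptions, the common name is inferred from the file name in the listing, and it needs Python 3.6+ rather than the managed host's Python 2.7.6.

```python
import os
import ssl

# Directories copied from "Paths checked for this platform" in the error above.
CA_PATHS = [
    "/etc/ssl/certs",
    "/etc/pki/ca-trust/extracted/pem",
    "/etc/pki/tls/certs",
    "/usr/share/ca-certificates/cacert.org",
    "/etc/ansible",
]

def subject_names(cert_file):
    """Return the commonName of each CA cert in a PEM file, or None if unparsable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=cert_file)
    except (ssl.SSLError, OSError):
        return None
    names = []
    for cert in ctx.get_ca_certs():
        # "subject" is a tuple of RDNs, each a tuple of (key, value) pairs.
        attrs = dict(pair for rdn in cert["subject"] for pair in rdn)
        names.append(attrs.get("commonName", ""))
    return names

def find_root(common_name, paths=CA_PATHS, extensions=(".pem", ".crt")):
    """Per directory: 'missing', or which files hold (or fail to parse as) that CA."""
    report = {}
    for path in paths:
        if not os.path.isdir(path):
            report[path] = "missing"
            continue
        hits, unreadable = [], []
        for name in sorted(os.listdir(path)):
            full = os.path.join(path, name)
            if not (os.path.isfile(full) and name.endswith(extensions)):
                continue
            names = subject_names(full)
            if names is None:
                unreadable.append(name)
            elif common_name in names:
                hits.append(name)
        report[path] = {"hits": hits, "unreadable": unreadable}
    return report

if __name__ == "__main__":
    # Assumed query: subject CN matching the root file named in the thread.
    for path, result in find_root("DigiCert High Assurance EV Root CA").items():
        print(path, result)
```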

Hmm... Finally got a chance to try this out tonight. Was not able to
reproduce. I don't have a fully patched system but it is
Ubuntu-14.04.... Not sure if I have python-2.7.5 or python-2.7.6:

badger@ubuntu14:~$ dpkg -s python|grep Version
Version: 2.7.5-5ubuntu3
badger@ubuntu14:~$ python --version
Python 2.7.6

[pts/26@roan]$ ansible --version
*[devel] (18:35:03)
ansible 2.1.0 (devel 89603a0509) last updated 2015/12/13 11:34:00 (GMT -700)
  lib/ansible/modules/core: (yum-use-rpm 0125770d8d) last updated 2015/12/13 09:23:57 (GMT -700)
  lib/ansible/modules/extras: (devel 51813e0033) last updated 2015/12/10 08:10:37 (GMT -700)
  config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides

[pts/26@roan]$ ansible-playbook -i /etc/ansible/hosts.mine /var/tmp/9966.yml --sudo -K
SUDO password:

PLAY ***************************************************************************

TASK [wait_for host=ubuntu14 port=22] ******************************************
ok: [ubuntu14 -> localhost]

TASK [add zfs-native apt repository] *******************************************
changed: [ubuntu14]

PLAY RECAP *********************************************************************
ubuntu14 : ok=2 changed=1 unreachable=0 failed=0

[pts/26@roan]$ cat /var/tmp/9966.yml
*[devel] (18:35:07)