SSL/Certificate errors when running playbooks against Azure

Hello,

So I have an Azure free trial subscription and am trying to deploy VMs for it through ansible. For reference, I mostly followed this guide: https://github.com/erjosito/ansible-azure-lab

I am unable to execute any playbook task at all, even something as simple as merely creating a resource group with a network. Here is the error I always get:

fatal: [192.168.0.177]: FAILED! => {“changed”: false, “failed”: true, “module_stderr”: “From cffi callback <function _verify_callback at 0x318b9b0>:\nTraceback (most recent call last):\n File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 313, in wrapper\n _lib.X509_up_ref(x509)\nAttributeError: ‘module’ object has no attribute ‘X509_up_ref’\nTraceback (most recent call last):\n File "/tmp/ansible_uaTUwO/ansible_module_azure_rm_virtualnetwork.py", line 354, in \n main()\n File "/tmp/ansible_uaTUwO/ansible_module_azure_rm_virtualnetwork.py", line 351, in main\n AzureRMVirtualNetwork()\n File "/tmp/ansible_uaTUwO/ansible_module_azure_rm_virtualnetwork.py", line 206, in init\n supports_check_mode=True)\n File "/tmp/ansible_uaTUwO/ansible_modlib.zip/ansible/module_utils/azure_rm_common.py", line 235, in init\n File "/usr/lib/python2.7/site-packages/msrestazure/azure_active_directory.py", line 440, in init\n self.set_token()\n File "/usr/lib/python2.7/site-packages/msrestazure/azure_active_directory.py", line 473, in set_token\n raise_with_traceback(AuthenticationError, "", err)\n File "/usr/lib/python2.7/site-packages/msrest/exceptions.py", line 48, in raise_with_traceback\n raise error\nmsrest.exceptions.AuthenticationError: , SSLError: HTTPSConnectionPool(host=‘login.microsoftonline.com’, port=443): Max retries exceeded with url: /b4f64759-blah-blah/oauth2/token (Caused by SSLError(SSLError("bad handshake: Error([(‘SSL routines’, ‘ssl3_get_server_certificate’, ‘certificate verify failed’)],)",),))\n”, “module_stdout”: “”, “msg”: “MODULE FAILURE”, “rc”: 0}

I am able to connect to Azure via the Azure CLI and create VMs and such through a bash script, but I need to get this working with Ansible.

My credentials file

subscription_id=5eff-blah-blah
client_id=83e09b01-blah-blah
secret=passwordblahblah
tenant=b4f64759-blah-blah

Sample yml

```
- name: whatever
  hosts: localhost
  connection: local
  tasks:
    - name: Create virtual network
      azure_rm_virtualnetwork:
        resource_group: myResourceGroup
        name: myVnet
        address_prefixes: "10.10.0.0/16"
```

I have even tried modifying my credentials file to include the azure AD username & password (yes, I know this is considered bad practice, but I got desperate) and it still fails with a certificate error:

ad_user=dummy@dummy.com

password=DummyLab
subscription_id=5eff-blah-blah

fatal: [192.168.0.177]: FAILED! => {“changed”: false, “failed”: true, “module_stderr”: “From cffi callback <function _verify_callback at 0x30f3938>:\nTraceback (most recent call last):\n File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 313, in wrapper\n _lib.X509_up_ref(x509)\nAttributeError: ‘module’ object has no attribute ‘X509_up_ref’\nTraceback (most recent call last):\n File "/tmp/ansible_B6bKF3/ansible_module_azure_rm_virtualnetwork.py", line 354, in \n main()\n File "/tmp/ansible_B6bKF3/ansible_module_azure_rm_virtualnetwork.py", line 351, in main\n AzureRMVirtualNetwork()\n File "/tmp/ansible_B6bKF3/ansible_module_azure_rm_virtualnetwork.py", line 206, in init\n supports_check_mode=True)\n File "/tmp/ansible_B6bKF3/ansible_modlib.zip/ansible/module_utils/azure_rm_common.py", line 245, in init\n File "/usr/lib/python2.7/site-packages/msrestazure/azure_active_directory.py", line 367, in init\n self.set_token()\n File "/usr/lib/python2.7/site-packages/msrestazure/azure_active_directory.py", line 404, in set_token\n raise_with_traceback(AuthenticationError, "", err)\n File "/usr/lib/python2.7/site-packages/msrest/exceptions.py", line 48, in raise_with_traceback\n raise error\nmsrest.exceptions.AuthenticationError: , SSLError: HTTPSConnectionPool(host=‘login.microsoftonline.com’, port=443): Max retries exceeded with url: /common/oauth2/token (Caused by SSLError(SSLError("bad handshake: Error([(‘SSL routines’, ‘ssl3_get_server_certificate’, ‘certificate verify failed’)],)",),))\n”, “module_stdout”: “”, “msg”: “MODULE FAILURE”, “rc”: 0}

For anyone else that runs into this, it looks like I had several different versions of Python and outdated components. I reinstalled everything from scratch and no longer have this issue.

Hi Jos,
Could you please specify what version of Python and what components were outdated? I seem to be running into the same problem.

Hi, I am getting the same exception now. Can you please help me with how you fixed this issue?

Hi,
The OP most likely has an issue with his cacert (some kind of repository used for certificate validation).

Could you run the following command on the machine which is executing the code (in the OP's case: 192.168.0.177) and send us the output?

```
curl -IvL https://login.microsoftonline.com
```

If your Ansible version is >= 2.5, you can use the parameter (cert_validation_mode: ignore) to skip the error, but this imposes some security risk as it won't check for the certificate validity.

  • SDE
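
The traceback in the question shows an AttributeError raised inside pyOpenSSL's verify callback before the "certificate verify failed" line. The following added example (not from any poster, and not Ansible or Azure SDK code) separates that case from a chain that genuinely failed validation and lists the TLS package versions the running interpreter sees. The function names and the abridged sample are constructed here, and it assumes Python 3.8+.

```python
import re
import sys
from importlib import metadata  # Python 3.8+

# Constructed sample, abridged from the module_stderr quoted in the thread.
SAMPLE_STDERR = (
    "From cffi callback <function _verify_callback at 0x318b9b0>:\n"
    "Traceback (most recent call last):\n"
    '  File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 313, in wrapper\n'
    "    _lib.X509_up_ref(x509)\n"
    "AttributeError: 'module' object has no attribute 'X509_up_ref'\n"
    "msrest.exceptions.AuthenticationError: , SSLError: ... certificate verify failed\n"
)

CALLBACK_CRASH = re.compile(
    r"From cffi callback <function _verify_callback.*?"
    r"AttributeError: .*? has no attribute '(\w+)'", re.S)


def triage(stderr):
    """Classify an Ansible module_stderr that ends in 'certificate verify failed'."""
    text = stderr.replace("\u2018", "'").replace("\u2019", "'")  # undo smart quotes
    if "certificate verify failed" not in text:
        return ("other", None)
    m = CALLBACK_CRASH.search(text)
    if m:
        # The verify callback itself raised, so the failure says nothing about
        # the CA store yet: compare pyOpenSSL and cryptography versions first.
        return ("verify-callback-crash", m.group(1))
    # No crash in the callback: the presented chain failed validation.
    return ("untrusted-chain", None)


def tls_stack_versions(packages=("pyOpenSSL", "cryptography", "requests", "certifi")):
    """Report which interpreter is running and which TLS packages it sees."""
    found = {"python": sys.executable}
    for name in packages:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            found[name] = None  # not installed for this interpreter
    return found


if __name__ == "__main__":
    print(triage(SAMPLE_STDERR))
    print(tls_stack_versions())
```

Run `tls_stack_versions()` with the same interpreter Ansible uses on the target host; a different interpreter on the PATH will report a different set of packages.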