SSL error with gce_instance_template and ansible

Hi
I am a newbie in Ansible. I am trying to manage and create Google Cloud properties using Ansible. However, I am getting SSL-related errors while connecting.

I tried
1. Downloading the latest cacert.pem from https://curl.haxx.se/docs/caextract.html and setting the variable SSL_CERT_FILE.
2. Downloading cacert from *googleapis.google.com with no success

But no success. Could someone please let me know what SSL cert I need to set to get this working?

Playbook details:

- hosts: localhost
  tasks:
    # Create a GCE instance template; credentials are passed in as variables
    - name: create instance template
      gce_instance_template:
        name: case_mgmt_template
        size: n1-standard-2
        image_family: centos-7-v20170523
        state: present
        project_id: "{{ project_id }}"
        credentials_file: "{{ credentials_file }}"
        service_account_email: "{{ service_account_email }}"

Error Details:

fatal: [localhost]: FAILED! => {
    "changed": false,
    "failed": true
}

MSG:

Unexpected response: ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)). Detail: Traceback (most recent call last):
  File "/tmp/ansible_M7On7q/ansible_modlib.zip/ansible/module_utils/gcp.py", line 267, in gcp_connect
    project=creds['project_id'])
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/compute/drivers/gce.py", line 1795, in __init__
    super(GCENodeDriver, self).__init__(user_id, key, **kwargs)
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/common/base.py", line 948, in __init__
    self.connection = self.connectionCls(*args, **conn_kwargs)
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/compute/drivers/gce.py", line 99, in __init__
    credential_file=credential_file, **kwargs)
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/common/google.py", line 765, in __init__
    user_id, key, auth_type, credential_file, scopes, **kwargs)
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/common/google.py", line 660, in __init__
    self.token = self.oauth2_conn.get_new_token()
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/common/google.py", line 537, in get_new_token
    return self._token_request(request)
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/common/google.py", line 368, in _token_request
    data=data)
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/common/base.py", line 603, in request
    headers=headers, stream=stream)
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/http.py", line 215, in request
    verify=self.verification
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 461, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

Regards,

Sushri

What versions do you have of:

* OS
* Ansible
* Python

?

Thank you for your response.
Please find the below details;

OS: CentOS 7
Ansible: 2.3.1.0
Python: 2.7.5

Can you run with verbose flags (-vvvv) and what is the output then?

Please find the verbose output. It does not give much info about the error though.

Loading callback plugin debug of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/__init__.pyc

PLAYBOOK: createVM.yml *******************************************************************************************
1 plays in createVM.yml

PLAY [localhost] *************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************
Using module file /usr/lib/python2.7/site-packages/ansible/modules/system/setup.py
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: ansible
<127.0.0.1> EXEC /bin/sh -c 'echo ~ && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /opt/ansible/.ansible/tmp/ansible-tmp-1498018836.92-250910727127389 `" && echo ansible-tmp-1498018836.92-250910727127389="` echo /opt/ansible/.ansible/tmp/ansible-tmp-1498018836.92-250910727127389 `" ) && sleep 0'
<127.0.0.1> PUT /tmp/tmpqriHPk TO /opt/ansible/.ansible/tmp/ansible-tmp-1498018836.92-250910727127389/setup.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /opt/ansible/.ansible/tmp/ansible-tmp-1498018836.92-250910727127389/ /opt/ansible/.ansible/tmp/ansible-tmp-1498018836.92-250910727127389/setup.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'sudo -H -S -n -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-mjlpwykedxecazwcwjlmuxivezlrzfbn; /usr/bin/python2 /opt/ansible/.ansible/tmp/ansible-tmp-1498018836.92-250910727127389/setup.py; rm -rf "/opt/ansible/.ansible/tmp/ansible-tmp-1498018836.92-250910727127389/" > /dev/null 2>&1'"'"' && sleep 0'
ok: [localhost]
META: ran handlers

TASK [create instance template] **********************************************************************************
task path: /opt/ansible/gcloud/createVM.yml:8
Using module file /usr/lib/python2.7/site-packages/ansible/modules/cloud/google/gce_instance_template.py
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: ansible
<127.0.0.1> EXEC /bin/sh -c 'echo ~ && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /opt/ansible/.ansible/tmp/ansible-tmp-1498018839.89-233748004022392 `" && echo ansible-tmp-1498018839.89-233748004022392="` echo /opt/ansible/.ansible/tmp/ansible-tmp-1498018839.89-233748004022392 `" ) && sleep 0'
<127.0.0.1> PUT /tmp/tmpEwW49m TO /opt/ansible/.ansible/tmp/ansible-tmp-1498018839.89-233748004022392/gce_instance_template.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /opt/ansible/.ansible/tmp/ansible-tmp-1498018839.89-233748004022392/ /opt/ansible/.ansible/tmp/ansible-tmp-1498018839.89-233748004022392/gce_instance_template.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'sudo -H -S -n -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-xifpovkgfndyqgmzlspifcobymolqzoi; /usr/bin/python2 /opt/ansible/.ansible/tmp/ansible-tmp-1498018839.89-233748004022392/gce_instance_template.py; rm -rf "/opt/ansible/.ansible/tmp/ansible-tmp-1498018839.89-233748004022392/" > /dev/null 2>&1'"'"' && sleep 0'
fatal: [localhost]: FAILED! => {
    "changed": false,
    "failed": true,
    "invocation": {
        "module_args": {
            "automatic_restart": null,
            "can_ip_forward": false,
            "credentials_file": "/opt/ansible/gcloud/.cred/case-mgmt-dev-f452642d06ab.json",
            "description": null,
            "disk_auto_delete": true,
            "disk_type": "pd-standard",
            "disks": null,
            "external_ip": "ephemeral",
            "image": null,
            "image_family": "centos-7-v20170523",
            "metadata": null,
            "name": "case_mgmt_template",
            "network": "default",
            "nic_gce_struct": null,
            "pem_file": null,
            "preemptible": null,
            "project_id": "case-mgmt-dev",
            "service_account_email": "replaced the service account details",
            "service_account_permissions": null,
            "size": "n1-standard-2",
            "source": null,
            "state": "present",
            "subnetwork": null,
            "tags": null
        }
    }
}

MSG:

Unexpected response: ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)). Detail: Traceback (most recent call last):
  File "/tmp/ansible_P8l394/ansible_modlib.zip/ansible/module_utils/gcp.py", line 267, in gcp_connect
    project=creds['project_id'])
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/compute/drivers/gce.py", line 1795, in __init__
    super(GCENodeDriver, self).__init__(user_id, key, **kwargs)
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/common/base.py", line 948, in __init__
    self.connection = self.connectionCls(*args, **conn_kwargs)
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/compute/drivers/gce.py", line 99, in __init__
    credential_file=credential_file, **kwargs)
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/common/google.py", line 765, in __init__
    user_id, key, auth_type, credential_file, scopes, **kwargs)
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/common/google.py", line 660, in __init__
    self.token = self.oauth2_conn.get_new_token()
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/common/google.py", line 537, in get_new_token
    return self._token_request(request)
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/common/google.py", line 368, in _token_request
    data=data)
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/common/base.py", line 603, in request
    headers=headers, stream=stream)
  File "/usr/lib/python2.7/site-packages/apache_libcloud-2.0.0-py2.7.egg/libcloud/http.py", line 215, in request
    verify=self.verification
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 461, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

It seems it is happening with all the GCE modules I am trying to execute. Even ./gce.py --list gives the same error.
After searching a couple of blogs, I managed to get rid of the error; however, a new error has appeared now.

To fix I installed: pip install pyOpenSSL ndg-httpsclient pyasn1

Now the new errors are:

Traceback (most recent call last):
  File "./gce.py", line 496, in <module>
    GceInventory()
  File "./gce.py", line 168, in __init__
    self.driver = self.get_gce_driver()
  File "./gce.py", line 313, in get_gce_driver
    gce = get_driver(Provider.GCE)(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/libcloud/compute/drivers/gce.py", line 1795, in __init__
    super(GCENodeDriver, self).__init__(user_id, key, **kwargs)
  File "/usr/lib/python2.7/site-packages/libcloud/common/base.py", line 952, in __init__
    self.connection = self.connectionCls(*args, **conn_kwargs)
  File "/usr/lib/python2.7/site-packages/libcloud/compute/drivers/gce.py", line 99, in __init__
    credential_file=credential_file, **kwargs)
  File "/usr/lib/python2.7/site-packages/libcloud/common/google.py", line 765, in __init__
    user_id, key, auth_type, credential_file, scopes, **kwargs)
  File "/usr/lib/python2.7/site-packages/libcloud/common/google.py", line 660, in __init__
    self.token = self.oauth2_conn.get_new_token()
  File "/usr/lib/python2.7/site-packages/libcloud/common/google.py", line 537, in get_new_token
    return self._token_request(request)
  File "/usr/lib/python2.7/site-packages/libcloud/common/google.py", line 368, in _token_request
    data=data)
  File "/usr/lib/python2.7/site-packages/libcloud/common/base.py", line 607, in request
    headers=headers, stream=stream)
  File "/usr/lib/python2.7/site-packages/libcloud/http.py", line 215, in request
    verify=self.verification
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 465, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 370, in send
    timeout=timeout
  File "/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 544, in urlopen
    body=body, headers=headers)
  File "/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 344, in _make_request
    self._raise_timeout(err=e, url=url, timeout_value=conn.timeout)
  File "/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 314, in _raise_timeout
    if 'timed out' in str(err) or 'did not complete (read)' in str(err): # Python 2.6

Connectivity is not an issue, as I am able to perform all the operations using the gcloud command.
Any help will be appreciated, as I have been struggling with this for a long time.

If anyone is facing the same issue, I hope this will solve it.

The certifi==2015.04.28 version fixed the issue with the Google modules. Not sure at this point if it broke anything else.

Reference URL: https://github.com/omab/python-social-auth/issues/566
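
Since the thread ends with a different certifi version changing the outcome where SSL_CERT_FILE did not, it can help to list every CA bundle the Python stack on the control host can pick up before changing anything. The script below is an added example, not code from the thread or from Ansible; its function names are made up here, and it uses only the standard library plus certifi when that package is installed.

```python
import os
import re
import ssl

# One PEM-encoded certificate block; used only to count entries in a bundle.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def count_pem_certs(path):
    """Return the number of PEM certificate blocks in path, or None if unreadable."""
    try:
        with open(path, "r") as fh:
            return len(PEM_CERT.findall(fh.read()))
    except (IOError, OSError, TypeError, UnicodeDecodeError):
        return None


def candidate_bundles(environ=None):
    """Map each place a CA bundle can come from to the path it points at."""
    environ = os.environ if environ is None else environ
    found = {
        # Environment variables; which one wins depends on the library in use.
        "env SSL_CERT_FILE": environ.get("SSL_CERT_FILE"),
        "env REQUESTS_CA_BUNDLE": environ.get("REQUESTS_CA_BUNDLE"),
        "env CURL_CA_BUNDLE": environ.get("CURL_CA_BUNDLE"),
        # Compiled-in default of the OpenSSL this interpreter links against.
        "openssl default cafile": ssl.get_default_verify_paths().openssl_cafile,
    }
    try:
        import certifi  # bundle shipped as a Python package, versioned by pip
        found["certifi %s" % getattr(certifi, "__version__", "?")] = certifi.where()
    except ImportError:
        found["certifi"] = None
    return found


def report(environ=None):
    """Return (source, path, cert_count) rows; a count of None means unset or unreadable."""
    return [(src, path, count_pem_certs(path) if path else None)
            for src, path in sorted(candidate_bundles(environ).items())]


if __name__ == "__main__":
    print("OpenSSL: %s" % ssl.OPENSSL_VERSION)
    for src, path, n in report():
        status = "unset/unreadable" if n is None else "%d certs" % n
        print("%-26s %-58s %s" % (src, path or "(unset)", status))
```

Run it with the same interpreter and user the module runs under (here /usr/bin/python2 via sudo), since the environment and installed packages can differ from the login shell.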

Hi,

You may need to enter the value of the playbook variable 'service_account_email' as the one which is mentioned in the 'json' credential file.