URI module fails with SSL cert validation set to no

When running a task from a playbook using the URI module, I am getting the following SSL error:

```text
workstation:documents me$ ansible-playbook --tags checkHealth myplaybook.yml

PLAY [check indexing status] ********************************************************************************************************

TASK [Check for health] *********************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "content": "", "msg": "Status code was -1 and not [200]: Request failed: <urlopen error EOF occurred in violation of protocol (_ssl.c:590)>", "redirected": false, "status": -1, "url": "https://site.domain.tld/rest/check/"}
	to retry, use: --limit @/Users/me/myplaybook.retry

PLAY RECAP *******************************************************************************************************************************************
localhost : ok=0 changed=0 unreachable=0 failed=1
```

This is what the task looks like:

```yaml
tasks:

  - name: Check for health
    uri:
      url: https://site.domain.tld/rest/check/
      method: GET
      user: ansible
      password: "{{ ansible }}"
      force_basic_auth: yes
      body_format: json
      return_content: yes
      validate_certs: no
      status_code: 200
    register: results
    tags:
      - checkHealth
```

As you can see, I am telling it `validate_certs: no`; however, I still get the above error. I am running this on MacOS 10.12.6, where there are some Python OpenSSL issues. However, I took the proper steps to mitigate that. Here is what I am running:

Ansible version = 2.5.4
Ansible is pointing to = python version 3.6.5
OpenSSL version = 1.0.2o 27 Mar 2018

I suspect the Python module is not honoring the validate_certs option or my install of Python 3 isn’t using the right TLS version 1.2? I’m not sure what else to check here. Any pointers?

Maybe add -vvvvv and see if there are additional error messages that are helpful?

When I run it in verbose, the message for that task is pretty much the same:

```text
"msg": "Status code was -1 and not [200]: Request failed: <urlopen error EOF occurred in violation of protocol (_ssl.c:590)>",
"redirected": false,
"status": -1,
"url": "https://site.domain.tld/rest/check/"
```

Here is the full verbosity output:

```text
=> ansible-playbook --tags checkHealth ~/myplaybook.yml -vvv
ansible-playbook 2.5.4
  config file = /Users/me/.ansible.cfg
  configured module search path = ['/Users/me/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
  executable location = /usr/local/bin/ansible-playbook
  python version = 3.6.5 (default, Apr 25 2018, 14:26:36) [GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.39.2)]
Using /Users/me/.ansible.cfg as config file
Parsed /Users/me/ansible/inventory inventory source with ini plugin

PLAYBOOK: myplaybook.yml *******************************************************************************************************************************************************************************************************************************************************************************************
1 plays in /Users/me/myplaybook.yml
Read vars_file '…/Vault.yml'
Read vars_file '…/Vault.yml'

PLAY [check indexing status] ******************************************************************************************************************************************************************************************************************************************************************************
META: ran handlers
Read vars_file '…/Vault.yml'

TASK [Check for "Lucene" health] *******************************************************************************************************************************************************************************************************************************************************************************************
task path: /Users/me/myplaybook.yml:10
Using module file /usr/local/lib/python3.6/site-packages/ansible/modules/net_tools/basics/uri.py
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: me
<localhost> EXEC /bin/sh -c 'echo ~me2 && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "`echo /Users/me/.ansible/tmp/ansible-tmp-1528389571.6054752-184913372491664`" && echo ansible-tmp-1528389571.6054752-184913372491664="`echo /Users/me/.ansible/tmp/ansible-tmp-1528389571.6054752-184913372491664`" ) && sleep 0'
<localhost> PUT /Users/me/.ansible/tmp/ansible-local-75437a7u_k2kd/tmphmuwa7sm TO /Users/eh3512/.ansible/tmp/ansible-tmp-1528389571.6054752-184913372491664/uri.py
<localhost> EXEC /bin/sh -c 'chmod u+x /Users/me/.ansible/tmp/ansible-tmp-1528389571.6054752-184913372491664/ /Users/me/.ansible/tmp/ansible-tmp-1528389571.6054752-184913372491664/uri.py && sleep 0'
<localhost> EXEC /bin/sh -c '/usr/bin/python /Users/me/.ansible/tmp/ansible-tmp-1528389571.6054752-184913372491664/uri.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /Users/me/.ansible/tmp/ansible-tmp-1528389571.6054752-184913372491664/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
  File "/var/folders/kz/j5vz888d39q0hsrd15ml4214by4qgx/T/ansible_Wlj9po/ansible_module_uri.py", line 471, in main
    uresp['location'] = absolute_location(url, uresp['location'])

fatal: [localhost]: FAILED! => {
    "changed": false,
    "content": "",
    "invocation": {
        "module_args": {
            "attributes": null,
            "backup": null,
            "body": null,
            "body_format": "json",
            "client_cert": null,
            "client_key": null,
            "content": null,
            "creates": null,
            "delimiter": null,
            "dest": null,
            "directory_mode": null,
            "follow": false,
            "follow_redirects": "safe",
            "force": false,
            "force_basic_auth": true,
            "group": null,
            "headers": {
                "Authorization": "Basic YksdjhfksjdhfZSnJhT1l4TmUw",
                "Content-Type": "application/json"
            },
            "http_agent": "ansible-httpget",
            "method": "GET",
            "mode": null,
            "owner": null,
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "regexp": null,
            "register": "results",
            "remote_src": null,
            "removes": null,
            "return_content": true,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "status_code": [
                "200"
            ],
            "timeout": 30,
            "unsafe_writes": null,
            "url": "https://site.domain.tld/rest/check/",
            "url_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "url_username": "ansible",
            "use_proxy": true,
            "user": "ansible",
            "validate_certs": false
        }
    },
    "msg": "Status code was -1 and not [200]: Request failed: <urlopen error EOF occurred in violation of protocol (_ssl.c:590)>",
    "redirected": false,
    "status": -1,
    "url": "https://site.domain.tld/rest/check/"
}
	to retry, use: --limit @/Users/me/myplaybook.retry

PLAY RECAP *****************************************************************************************************************************************************************************************************************************************************************************************************************
localhost : ok=0 changed=0 unreachable=0 failed=1
```

The problem is not with SSL verification, but in this case the default ciphers utilized by python do not include the ciphers needed for the site you are communicating with.

As such, python is failing to even communicate over SSL: “urlopen error EOF occurred in violation of protocol”

The site is likely requiring use of old and insecure ciphers.
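To see why `validate_certs: no` cannot help here, the following added example (not from this thread or from Ansible) reproduces the failure the answer describes against a constructed local stand-in server that hangs up during the handshake, then classifies the resulting exception with and without certificate verification; the host, port and server are constructed, not the poster's site.

```python
import socket
import ssl
import threading

def classify_tls_failure(exc):
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert_verify"      # the only case validate_certs: no would bypass
    if isinstance(exc, ssl.SSLEOFError) or "violation of protocol" in str(exc):
        return "handshake_eof"    # peer hung up before cipher/version was agreed
    # any other SSLError is a handshake alert; a plain OSError means TLS never started
    return "handshake_other" if isinstance(exc, ssl.SSLError) else "tcp"

def probe(host, port, verify=True, timeout=3.0):  # verify=False == validate_certs: no
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok:" + tls.version()
    except Exception as exc:
        return classify_tls_failure(exc)

def start_hangup_server():
    # Constructed stand-in for a server with no cipher in common: reads the ClientHello, then closes.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return            # listening socket closed by demo()
            try:
                conn.settimeout(2)
                conn.recv(65536)  # drain ClientHello so close() sends FIN, not RST
            except OSError:
                pass
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def demo():
    srv, port = start_hangup_server()
    try:  # toggling verification changes nothing: the failure precedes cert checks
        return {v: probe("127.0.0.1", port, v == "verify") for v in ("verify", "no_verify")}
    finally:
        srv.close()
```

Against a real endpoint, `probe(host, 443)` returning `cert_verify` is the only outcome that disabling validation would change; `handshake_eof` or `handshake_other` means the client and server could not agree on a protocol version or cipher suite.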

Thanks for the response. Despite what you have mentioned, I still don't know how to proceed. This seems to only occur on MacOS. I have three machines running exactly the same versions of Python and OpenSSL. I even installed Python with brew using the --with-brewed-openssl option. When I run a check of the openssl version within the Python interpreter, it shows the right version of openssl too, not the older outdated version. So, I'm not sure what to do considering Linux and even WSL work just fine even with the same versions.

The one thing I have not done is compile a version of Python. I’ve only done the install via brew. To add to that, it’s definitely Python causing the issue at this point and would prefer not to have to maintain a compiled version of Python. I was/am hoping someone on MacOS has experienced the same issue and found a solution. I’ve looked at many threads regarding this same issue and none point to a fix for me.

Thanks for your help, though

Just an update. I installed pyopenssl thinking it would help since it's a wrapper around openssl and was suggested by someone on reddit. Still having the same issue.