Ansible unarchive module failure: "Failed to validate the SSL certificate"

PicoutputCls asked:

Recently I have been changing the way that the Python environment on client machines, configured using Ansible, are setup.

This has involved minimising the number of packages installed and configured in the system Python install (on Ubuntu 14.04 clients), to avoid the potential for library conflicts when the client machines are subsequently used for development activities.

Since having made this change I have been having issues with the unarchive Ansible module failing to validate SSL certificates if the remote_src is used in conjunction with an HTTPS URL.

An example of a command which has been failing is as follows:

- name: Get and untar opus-1.1.2
  unarchive:
    src="http://downloads.xiph.org/releases/opus/opus-1.1.2.tar.gz"
    dest="/opt/library-sources"
    remote_src=yes

When run, the above command fails with the following error message:

fatal: [10.0.0.90]: FAILED! => {"changed": false, "failed": true, "msg": "Failed to validate the SSL certificate for downloads.xiph.org:443. Make sure your managed systems have a valid CA certificate installed. If the website serving the url uses SNI you need python >= 2.7.9 on your managed machine or you can install the `urllib3`, `pyopenssl`, `ndg-httpsclient`, and `pyasn1` python modules to perform SNI verification in python >= 2.6. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible"}

My understanding of this error is that Python libraries are missing which the unarchive is dependent on.

What I haven’t been able to figure out from any of the Ansible documentation is whether these packages are requirements of the Python environment on the server machine (charged with running the Ansible scripts) and or the client machines (on which the tasks detailed in the Ansible scripts are executed).

It should be noted that I have Ansible installed on the server machine (also running Ubuntu 14.04), via pip which also has the following versions of the packages mentioned in the error message installed:

urllib3==1.7.1
ndg-httpsclient==0.4.3
pyasn1==0.4.2
pyOpenSSL==0.13

This leads me to believe that these packages are likely required on client machine as well as the server.

Does anybody know on which machines (server and or client) these packages are required? I would also be interested to know where this is documented because it may raise issues elsewhere in my Ansible scripts.

My answer:


You should be aware that unarchive takes place on the server which ansible is managing, not the machine on which you are running it, when remote_src=yes and the src is a URL.

You should further be aware that visiting http://downloads.xiph.org/ redirects to https://downloads.xiph.org/ which is a secure web site, which further redirects to https://ftp.osuosl.org/pub/xiph/ if you manage to get that far.

As such, the SSL certificate validation takes place on that server, and the software and CA certificates necessary to perform that validation must be on that server. Further, they need to be system packages, not packages you have installed yourself with pip. You should ensure that installing these prerequisites is among the earliest provisioning tasks you run.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.