The easy solution may just be updating your cacert bundle by updating the
ca-certificates package and then trying again.

My initial look indicates that the server is not using SNI; it has a
wildcard cert, provided by Amazon.

On Wed, Sep 21, 2016 at 8:09 AM, Yuri Kanivetsky <yuri.kanivet...@gmail.com>
wrote:

> Hi,
>
> For some reason, ansible fails to install nodesource's apt key on
> ubuntu/trusty. It seems to have worked about a month ago or so (if I'm not
> mistaken).
>
> playbook.yml:
>
>     - hosts: all
>       gather_facts: no
>
>       tasks:
>         - name: apt-get update
>           raw: '! which apt-get
>             && exit 0
>             || apt-get update'
>
>         - name: Install python
>           raw: '! which apt-get
>             && exit 0
>             || apt-get -y install python'
>
>     - hosts: all
>       tasks:
>         - name: Add Nodesource apt key.
>           apt_key:
>             url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key
>
> Output:
>
>     $ ansible-playbook playbook.yml -i lxc, -vv
>     ...
>     TASK [Add Nodesource apt key.] *************************************************
>     task path: /home/yuri/_/deb.nodesource.com/playbook.yml:17
>     fatal: [lxc]: FAILED! => {"changed": false, "failed": true, "msg": "Failed to validate the SSL certificate for deb.nodesource.com:443. Make sure your managed systems have a valid CA certificate installed. If the website serving the url uses SNI you need python >= 2.7.9 on your managed machine or you can install the `urllib3`, `pyopenssl`, `ndg-httpsclient`, and `pyasn1` python modules to perform SNI verification in python >= 2.6. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible"}
>
> Can I somehow investigate what's causing the issue? I indeed have
> python-2.7.6 there. Can I check if deb.nodesource.com is using SNI? Can
> this be an issue with trusty's certificates? Which packages am I supposed
> to install? I can see python-urllib3, and python-pyasn1. But I can't see
> ndg-httpsclient and pyopenssl for trusty in official repositories. Can I
> somehow get away with not installing these extra packages?
>
> I've run into this issue when trying to use geerlingguy.nodejs role.
>
> Thanks in advance.
>
> Regards,
> Yuri
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-project+unsubscr...@googlegroups.com.
> To post to this group, send email to ansible-project@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/cc68327a-f116-49da-8d13-7c007fc569dc%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>



-- 
Matt Martz
@sivel
sivel.net
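
Added example, not part of the original thread or of Ansible's code: a Python 3 script, run from any machine with a modern Python, that separates the two causes discussed above by comparing the certificate served with and without SNI and then verifying against a CA bundle. The function names and the assumption that `cafile` is the bundle copied from the managed host (for example its `/etc/ssl/certs/ca-certificates.crt`) are illustrative.

```python
import socket
import ssl
import sys


def fetch_leaf(host, port=443, sni=True, timeout=10):
    """Leaf certificate (DER bytes) the server presents, or None if the handshake fails.

    Verification is off on purpose: this only inspects which certificate is served.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host if sni else None) as tls:
                return tls.getpeercert(binary_form=True)
    except (ssl.SSLError, ConnectionResetError):
        return None


def verifies(host, cafile, port=443, timeout=10):
    """True if a fully verified handshake succeeds using only the CAs in cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False


def classify(der_sni, der_no_sni, verified):
    """Map the three observations to the likely cause of the validation failure."""
    if der_sni is None:
        return "unreachable"   # no TLS handshake at all, even with SNI
    if der_no_sni != der_sni:
        return "sni"           # a client without SNI (Python < 2.7.9) sees another cert or none
    return "ok" if verified else "ca-bundle"   # same cert either way: trust store decides


if __name__ == "__main__":
    # Usage: script.py HOST CAFILE   (CAFILE: bundle copied from the managed host)
    host, cafile = sys.argv[1], sys.argv[2]
    with_sni = fetch_leaf(host, sni=True)
    without_sni = fetch_leaf(host, sni=False)
    print(classify(with_sni, without_sni, with_sni is not None and verifies(host, cafile)))
```

A result of `ca-bundle` points at the stale trust store on the managed host, while `sni` points at the Python version or the missing SNI modules. A server that rotates between several certificates can produce a false `sni` result, so repeat the run before acting on it.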
