I am trying to download a file from our repo to a server using
Ansible. This has been working fine on all the old machines, but on a
new machine, which has the same setup, it keeps giving me an SSL
certificate validation error. My environment is as below:

Jenkins machine (that triggers the Ansible job)

$ ansible all -i inventory/localhost -c local -m setup -a 'filter=ansible_python'
localhost | SUCCESS => {
    "ansible_facts": {
        "ansible_python": {
            "executable": "/usr/bin/python",
            "has_sslcontext": true,
            "type": "CPython",
            "version": {
                "major": 2,
                "micro": 9,
                "minor": 7,
                "releaselevel": "final",
                "serial": 0
            },
            "version_info": [
                2,
                7,
                9,
                "final",
                0
            ]
        }
    },
    "changed": false
}

$ ansible all -i inventory/localhost -c local -m uri -a
url=https://devops.rightleads.io/
localhost | SUCCESS => {
    "accept_ranges": "bytes",
    "changed": false,
    "connection": "close",
    "content_length": "10701",
    "content_type": "text/html",
    "date": "Mon, 19 Feb 2018 11:33:15 GMT",
    "etag": "\"29cd-54815428d497e\"",
    "last_modified": "Thu, 09 Feb 2017 09:03:51 GMT",
    "msg": "OK (10701 bytes)",
    "redirected": false,
    "server": "Apache/2.4.10 (Debian)",
    "status": 200,
    "url": "https://devops.rightleads.io/",
    "vary": "Accept-Encoding"
}



Dev machine

$ ansible tag_web -i inventory/gce.py -u admin
--private-key=projectkey -m setup -a 'filter=ansible_python' --limit
tag_dev
dev-web | SUCCESS => {
    "ansible_facts": {
        "ansible_python": {
            "executable": "/usr/bin/python",
            "has_sslcontext": true,
            "type": "CPython",
            "version": {
                "major": 2,
                "micro": 13,
                "minor": 7,
                "releaselevel": "final",
                "serial": 0
            },
            "version_info": [
                2,
                7,
                13,
                "final",
                0
            ]
        }
    },
    "changed": false
}

$ ansible tag_web -i inventory/gce.py -u admin
--private-key=projectkey -m uri -a url=https://devops.rightleads.io/
--limit tag_dev
dev-web | SUCCESS => {
    "accept_ranges": "bytes",
    "changed": false,
    "connection": "close",
    "content_length": "10701",
    "content_type": "text/html",
    "date": "Mon, 19 Feb 2018 11:35:00 GMT",
    "etag": "\"29cd-54815428d497e\"",
    "last_modified": "Thu, 09 Feb 2017 09:03:51 GMT",
    "msg": "OK (10701 bytes)",
    "redirected": false,
    "server": "Apache/2.4.10 (Debian)",
    "status": 200,
    "url": "https://devops.rightleads.io/",
    "vary": "Accept-Encoding"
}

$ ansible tag_web -i inventory/gce.py --user admin
--private-key=projectkey --limit=tag_dev --sudo -m get_url -a
"url=https://devops.rightleads.io/repo/webapi/webapi_demo_4.tar
dest=/tmp/webapi.tar force=yes" -vvv

dev-web | SUCCESS => {
    "changed": true,
    "checksum_dest": null,
    "checksum_src": "d14de4a99dd20c5128fd78ddbf6c70801057d4a3",
    "dest": "/tmp/webapi.tar",
    "gid": 0,
    "group": "root",
    "invocation": {
        "module_args": {
            "backup": false,
            "checksum": "",
            "content": null,
            "delimiter": null,
            "dest": "/tmp/webapi.tar",
            "directory_mode": null,
            "follow": false,
            "force": true,
            "force_basic_auth": false,
            "group": null,
            "headers": null,
            "http_agent": "ansible-httpget",
            "mode": null,
            "owner": null,
            "path": "/tmp/webapi.tar",
            "regexp": null,
            "remote_src": null,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "sha256sum": "",
            "src": null,
            "timeout": 10,
            "tmp_dest": "",
            "unsafe_writes": null,
            "url": "https://devops.rightleads.io/repo/webapi/webapi_demo_4.tar",
            "url_password": "xxx",
            "url_username": "yyy",
            "use_proxy": true,
            "validate_certs": true
        },
        "module_name": "get_url"
    },
    "md5sum": "96166c42eb5a47766dc5e02a2590829f",
    "mode": "0644",
    "msg": "OK (136683520 bytes)",
    "owner": "root",
    "size": 136683520,
    "src": "/tmp/tmpJgzn5R",
    "state": "file",
    "uid": 0,
    "url": "https://devops.rightleads.io/repo/webapi/webapi_demo_4.tar"
}

$ python -V
Python 2.7.13

$ ls -l /etc/ssl/certs/DST_Root_CA_X3.pem
lrwxrwxrwx 1 root root 53 Dec 14 00:19
/etc/ssl/certs/DST_Root_CA_X3.pem ->
/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt

$ echo quit | openssl s_client -connect devops.rightleads.io:443 | head
 depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
 verify return:1
 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 verify return:1
 depth=0 CN = devops.rightleads.io
 verify return:1
 CONNECTED(00000003)
 ---
 Certificate chain
  0 s:/CN=devops.rightleads.io
    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
 ---
 Server certificate
 -----BEGIN CERTIFICATE-----
 DONE



Demo Machine

$ ansible tag_web -i inventory/gce.py -u admin
--private-key=projectkey -m setup -a 'filter=ansible_python' --limit
tag_demo
demo-web | SUCCESS => {
    "ansible_facts": {
        "ansible_python": {
            "executable": "/usr/bin/python",
            "has_sslcontext": true,
            "type": "CPython",
            "version": {
                "major": 2,
                "micro": 13,
                "minor": 7,
                "releaselevel": "final",
                "serial": 0
            },
            "version_info": [
                2,
                7,
                13,
                "final",
                0
            ]
        }
    },
    "changed": false
}

$ ansible tag_web -i inventory/gce.py -u admin
--private-key=projectkey -m uri -a url=https://devops.rightleads.io/
--limit tag_demo
demo-web | FAILED! => {
    "changed": false,
    "failed": true,
    "msg": "Failed to validate the SSL certificate for
devops.rightleads.io:443. Make sure your managed systems have a valid
CA certificate installed. You can use validate_certs=False if you do
not need to confirm the servers identity but this is unsafe and not
recommended. Paths checked for this platform: /etc/ssl/certs,
/etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs,
/usr/share/ca-certificates/cacert.org, /etc/ansible"
}

$ ansible tag_web -i inventory/gce.py --user admin
--private-key=projectkey --limit=tag_demo --sudo -m get_url -a
"url=https://devops.rightleads.io/repo/webapi/webapi_demo_4.tar
dest=/tmp/webapi.tar force=yes" -vvv

demo-web | FAILED! => {
    "changed": false,
    "failed": true,
    "invocation": {
        "module_args": {
            "backup": false,
            "checksum": "",
            "content": null,
            "delimiter": null,
            "dest": "/tmp/webapi.tar",
            "directory_mode": null,
            "follow": false,
            "force": true,
            "force_basic_auth": false,
            "group": null,
            "headers": null,
            "http_agent": "ansible-httpget",
            "mode": null,
            "owner": null,
            "regexp": null,
            "remote_src": null,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "sha256sum": "",
            "src": null,
            "timeout": 10,
            "tmp_dest": "",
            "unsafe_writes": null,
            "url": "https://devops.rightleads.io/repo/webapi/webapi_demo_4.tar",
            "url_password": "xxx",
            "url_username": "yyy",
            "use_proxy": true,
            "validate_certs": true
        },
        "module_name": "get_url"
    },
    "msg": "Failed to validate the SSL certificate for
devops.rightleads.io:443. Make sure your managed systems have a valid
CA certificate installed. You can use validate_certs=False if you do
not need to confirm the servers identity but this is unsafe and not
recommended. Paths checked for this platform: /etc/ssl/certs,
/etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs,
/usr/share/ca-certificates/cacert.org, /etc/ansible"
}

$ python -V
Python 2.7.13

$ ls -l /etc/ssl/certs/DST_Root_CA_X3.pem
lrwxrwxrwx 1 root root 53 Dec 14 00:19
/etc/ssl/certs/DST_Root_CA_X3.pem ->
/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt

$ echo quit | openssl s_client -connect devops.rightleads.io:443 | head
 depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
 verify return:1
 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 verify return:1
 depth=0 CN = devops.rightleads.io
 verify return:1
 CONNECTED(00000003)
 ---
 Certificate chain
  0 s:/CN=devops.rightleads.io
    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
 ---
 Server certificate
 -----BEGIN CERTIFICATE-----
 DONE


Both machines are exactly identical, and when working from the CLI I
get the same result (success) on both of them. But when using Ansible,
the demo-web machine keeps failing to download the file with an SSL
certificate validation error.
Where should I look for further debugging?

-- 
With Regards,
Mehul Ved
