
SSLValidationError in urls.py when urllib3 is installed with ansible 2.4.0 and python 2.7.13 #31998

@xenithorb

ISSUE TYPE
  • Bug Report
COMPONENT NAME

get_url

ANSIBLE VERSION

From Fedora 27 currently up-to-date as of 10/20/2017:

ansible 2.4.0.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/xenith/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.13 (default, Aug 16 2017, 12:56:26) [GCC 7.1.1 20170802 (Red Hat 7.1.1-7)]

OS / ENVIRONMENT

Fedora 27 Beta, up-to-date 2017-10-20 on updates-testing repository (bleeding edge, but not rawhide)

SUMMARY

When and only when python2-urllib3 and dependent packages are installed, get_url fails

STEPS TO REPRODUCE
---
- hosts: all
  connection: local
  become: yes

  tasks:

      - name: Remove urllib3 on Fedora
        package:
            name: python2-urllib3
            state: absent

      - name: Test get_url without urllib3
        get_url:
            url: "https://download.rocket.chat/stable"
            dest: .
            validate_certs: true

      - name: Install urllib3 on Fedora
        package:
            name: python2-urllib3
            state: installed

      - name: Test urllib3 failure
        get_url:
            url: "https://download.rocket.chat/stable"
            dest: .
            validate_certs: true
EXPECTED RESULTS

Download the file, like it does when urllib3 isn't installed

ACTUAL RESULTS
TASK [get_url] *******************************************************************************************************************************************************
task path: /home/xenith/git/RocketChat.Server/tests/urllib_fail.yaml:13
Using module file /usr/lib/python2.7/site-packages/ansible/modules/net_tools/basics/get_url.py
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: xenith
<localhost> EXEC /bin/sh -c 'echo ~ && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/xenith/.ansible/tmp/ansible-tmp-1508524890.54-154445362747043 `" && echo ansible-tmp-1508524890.54-154445362747043="` echo /home/xenith/.ansible/tmp/ansible-tmp-1508524890.54-154445362747043 `" ) && sleep 0'                                                           
<localhost> PUT /tmp/tmpCPcFea TO /home/xenith/.ansible/tmp/ansible-tmp-1508524890.54-154445362747043/get_url.py
<localhost> EXEC /bin/sh -c 'chmod u+x /home/xenith/.ansible/tmp/ansible-tmp-1508524890.54-154445362747043/ /home/xenith/.ansible/tmp/ansible-tmp-1508524890.54-154445362747043/get_url.py && sleep 0'                                                                                                                                      
<localhost> EXEC /bin/sh -c 'sudo -H -S  -p "[sudo via ansible, key=eggmjjdikqtvadeojfmmozbynslidgbv] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-eggmjjdikqtvadeojfmmozbynslidgbv; /usr/bin/python /home/xenith/.ansible/tmp/ansible-tmp-1508524890.54-154445362747043/get_url.py; rm -rf "/home/xenith/.ansible/tmp/ansible-tmp-1508524890.54-154445362747043/" > /dev/null 2>&1'"'"' && sleep 0'                                                                                                   
The full traceback is:
  File "/tmp/ansible_t9pKZ8/ansible_modlib.zip/ansible/module_utils/urls.py", line 1044, in fetch_url
    client_key=client_key, cookies=cookies)
  File "/tmp/ansible_t9pKZ8/ansible_modlib.zip/ansible/module_utils/urls.py", line 951, in open_url
    r = urllib_request.urlopen(*urlopen_args)
  File "/usr/lib64/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib64/python2.7/urllib2.py", line 427, in open
    req = meth(req)
  File "/tmp/ansible_t9pKZ8/ansible_modlib.zip/ansible/module_utils/urls.py", line 763, in http_request
    build_ssl_validation_error(self.hostname, self.port, paths_checked, e)
  File "/tmp/ansible_t9pKZ8/ansible_modlib.zip/ansible/module_utils/urls.py", line 591, in build_ssl_validation_error
    raise SSLValidationError(' '.join(msg) % (hostname, port, ", ".join(paths)))

fatal: [localhost]: FAILED! => {
    "changed": false, 
    "failed": true, 
    "invocation": {
        "module_args": {
            "attributes": null,
            "backup": null,
            "checksum": "",
            "client_cert": null,
            "client_key": null,
            "content": null,
            "delimiter": null,
            "dest": ".",
            "directory_mode": null,
            "follow": false,
            "force": false,
            "force_basic_auth": false,
            "group": null,
            "headers": null,
            "http_agent": "ansible-httpget",
            "mode": null,
            "owner": null,
            "regexp": null,
            "remote_src": null,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "sha256sum": "",
            "src": null,
            "timeout": 10,
            "tmp_dest": null,
            "unsafe_writes": null,
            "url": "https://download.rocket.chat/stable",
            "url_password": null,
            "url_username": null,
            "use_proxy": true,
            "validate_certs": true
        }
    },
    "msg": "Failed to validate the SSL certificate for download.rocket.chat:443. Make sure your managed systems have a valid CA certificate installed. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible. The exception msg was: (\"bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert handshake failure')],)\",)."
}
        to retry, use: --limit @/home/xenith/git/RocketChat.Server/tests/urllib_fail.retry

PLAY RECAP ***********************************************************************************************************************************************************
localhost                  : ok=2    changed=0    unreachable=0    failed=1

Additional info:

Has package versions: https://github.com/ansible/ansible/issues/18528#issuecomment-338284006
https://github.com/ansible/ansible/issues/25402#issuecomment-338286531
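
An added triage helper, not part of the issue or of Ansible's code: it parses the failure message shown above and classifies the underlying exception, which in this report is a TLS handshake alert rather than a certificate verification error. The function name, the category labels and the list of reason strings are assumptions of this example.

```python
import re

# "msg" value copied from the failed task output in the issue above.
SAMPLE_MSG = (
    "Failed to validate the SSL certificate for download.rocket.chat:443. "
    "Make sure your managed systems have a valid CA certificate installed. "
    "You can use validate_certs=False if you do not need to confirm the "
    "servers identity but this is unsafe and not recommended. Paths checked "
    "for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, "
    "/etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible. "
    "The exception msg was: (\"bad handshake: Error([('SSL routines', "
    "'ssl3_read_bytes', 'sslv3 alert handshake failure')],)\",)."
)

MSG_RE = re.compile(
    r"Failed to validate the SSL certificate for (?P<host>[^:\s]+):(?P<port>\d+)\."
    r".*?Paths checked for this platform: (?P<paths>.*?)\. "
    r"The exception msg was: (?P<exc>.*)\.$",
    re.S,
)

# OpenSSL reason strings mapped to a category (labels are this example's own).
CATEGORIES = [
    ("certificate verify failed", "certificate-verification"),
    ("alert handshake failure", "handshake-alert"),
    ("alert protocol version", "protocol-version-alert"),
    ("wrong version number", "protocol-mismatch"),
]


def triage(msg):
    """Split the module's message into target, CA paths and underlying error."""
    m = MSG_RE.search(msg)
    if m is None:
        return None
    exc = m.group("exc")
    category = next(
        (name for needle, name in CATEGORIES if needle in exc.lower()),
        "unclassified",
    )
    return {
        "host": m.group("host"),
        "port": int(m.group("port")),
        "paths_checked": [p.strip() for p in m.group("paths").split(",")],
        "exception": exc,
        "category": category,
        # The CA bundle only matters when verification itself failed.
        "ca_bundle_relevant": category == "certificate-verification",
    }
```

For the message in this report, `triage(SAMPLE_MSG)` returns the category `handshake-alert` with `ca_bundle_relevant` set to `False`, so the CA paths listed in the message are not what failed.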

Labels: affects_2.4, bug, module, net_tools, support:core
