HiveBrain v1.2.0

Validating certificates with get_url or yum on CentOS 7 using Ansible

Submitted by: @import:stackexchange-devops

Problem

I'm pretty new to Ansible, but it seemed a better tool than a bash script for installing programs from source on remote servers...

Starting from my working-but-fragile bash script, I made an Ansible script to git clone, configure and compile what I need. However some of these sources are large, so I wanted to include the --depth 1 parameter. This is a problem because the CentOS 7 version of git is 1.8.3 and Ansible ignores the depth command if it can't use at least git 1.9.1. Obviously for non-system use, I wouldn't mind having the latest git 2.15 anyway so...

To make a newer version of git available than is on yum's base/extras/updates repos, I found the IUS repository which has a "safe replacement" package for a few things including git. Helpfully there's an Ansible task set to install their repo. Here's the relevant task:

- name: install IUS release package
  yum:
    name: "https://{{ ius_distribution_abbrev }}{{ ansible_distribution_major_version }}.iuscommunity.org/ius-release.rpm"
    state: present
  when: ansible_os_family == 'RedHat'


Ansible however fails this task:

fatal: [MY_REMOTE_IP_ADDRESS]: FAILED! => {"changed": false, "failed": true,
"msg": "Failed to validate the SSL certificate for centos7.iuscommunity.org:443. 
Make sure your managed systems have a valid CA certificate installed. 
You can use validate_certs=False if you do not need to confirm the servers
identity but this is unsafe and not recommended. Paths checked for this 
platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, 
/etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible. 
The exception msg was: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)."}


Both yum's ca-certificates and python-urllib3 packages are installed and on the latest version from the yum repos.

Per this comment on github, it seems that Ansible can't handle SNI to get the right SSL certificate without python 2.7.9+. But CentOS 7 ships with p
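A preflight check for the failure described in the question, added here as an example (it is not code from the question, the answer, or Ansible itself): run it with the interpreter Ansible uses on the managed CentOS host before deciding anything about validate_certs. It reports whether the interpreter has SNI support at all (the thing the GitHub comment says Python 2.7.5 lacks) and which of the CA store paths listed in the error message exist on the box, so you can tell a missing-SNI problem from a missing-CA-bundle problem. The function and variable names are this example's own; the path list is copied from the error output above.

```python
"""Preflight: can this interpreter validate an SNI-dependent certificate?

Added example, not part of the original question or answer. Runs on
Python 2.7 and 3 so it can be executed with the managed host's system python.
"""
import os
import ssl

# CA bundle locations exactly as listed in Ansible's error message in the question.
ANSIBLE_CA_PATHS = [
    "/etc/ssl/certs",
    "/etc/pki/ca-trust/extracted/pem",
    "/etc/pki/tls/certs",
    "/usr/share/ca-certificates/cacert.org",
    "/etc/ansible",
]


def sni_report():
    """Return the capabilities of this interpreter's ssl module.

    A server that hosts several names on one address needs the client to send
    the hostname (SNI) to return the matching certificate. Without SNI the
    client receives some default certificate, the name check fails, and the
    symptom is CERTIFICATE_VERIFY_FAILED even though the CA bundle is fine.
    """
    return {
        # ssl.HAS_SNI is absent on very old builds; treat absence as "no SNI".
        "has_sni": bool(getattr(ssl, "HAS_SNI", False)),
        # create_default_context arrived in 2.7.9 / 3.4 together with hostname checking.
        "has_default_context": hasattr(ssl, "create_default_context"),
        "openssl": ssl.OPENSSL_VERSION,
    }


def existing_ca_paths(paths=ANSIBLE_CA_PATHS):
    """Return the subset of `paths` that exist on this host."""
    return [p for p in paths if os.path.exists(p)]


def explain(report, ca_paths):
    """Turn the raw checks into the decision an operator needs."""
    if not ca_paths:
        return "no CA store found: install ca-certificates before anything else"
    if not report["has_sni"]:
        return ("interpreter lacks SNI: expect CERTIFICATE_VERIFY_FAILED against "
                "SNI-dependent hosts; fetch from a mirror that does not rely on SNI "
                "rather than setting validate_certs=no")
    return ("TLS stack can validate SNI-dependent certificates; a failure here is a "
            "genuine trust or CA-bundle problem, not an SNI limitation")


if __name__ == "__main__":
    rep = sni_report()
    found = existing_ca_paths()
    print(rep)
    print(found)
    print(explain(rep, found))
```

On a host where the report shows has_sni false, the answer below (serve the file from your own storage, where you control the certificate) applies directly; where it shows true, the CentOS 7 interpreter is not the cause and the certificate chain itself needs to be examined.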

Solution

While it's true that the version of python reported there doesn't have SNI support, I thought that RedHat backported it. But anyways, if not, you can do that yourself:

yum -y install gcc python-devel libffi-devel openssl-devel
pip install pyopenssl ndg-httpsclient pyasn1


(This works for requests at least, I'm not sure about Ansible.)

On a broader note:

But CentOS 7 ships with python 2.7.5. You can't upgrade it because get_url has the same issue with SSL and so you would have to download the python source with validate_certs=no.

That's only the case if the server you're downloading Python from relies on SNI. I imagine most of their mirrors do not.

But really, you shouldn't be compiling Python on every individual server. You should do it once, either on a machine that you freeze into an image that you launch further machines off of, or you package it as an rpm and the machines just download that and install it. This allows you to control the download process.

Even simpler: download the package on your desktop (via verified https). Copy it to your file storage. Download from there onto your servers. There's no need to download directly from python.org every time, and it's more reliable to have a local copy anyways.
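The pattern the answer recommends (download once over verified HTTPS, keep a copy in your own storage, install from there) written out as an Ansible play. This is an added example, not the answer's code and not the IUS project's playbook. The mirror host artifacts.example.internal, the key file name IUS-signing-key.asc, the destination /tmp/ius-release.rpm and the SHA-256 value are placeholders; record the real digest when you download the package on your desktop.

```yaml
# Added example, not the original answer's code or the IUS playbook.
# Assumptions (all placeholders): an internal artifact host that serves a copy of
# ius-release.rpm and the IUS signing key, both fetched once on a workstation over
# verified HTTPS, plus the SHA-256 you recorded for the rpm at that time.
- name: Install the IUS release package from a local mirror without disabling TLS validation
  hosts: all
  become: true
  vars:
    mirror: "https://artifacts.example.internal/rpms"
    ius_release_sha256: "REPLACE_WITH_SHA256_RECORDED_WHEN_DOWNLOADED"   # placeholder
  tasks:
    - name: Import the vendor signing key so rpm signatures can be checked
      rpm_key:
        key: "{{ mirror }}/IUS-signing-key.asc"   # placeholder name for the key on the mirror
        state: present

    - name: Make yum verify signatures on locally supplied rpm files too (off by default)
      ini_file:
        path: /etc/yum.conf
        section: main
        option: localpkg_gpgcheck
        value: "1"

    - name: Fetch the release package (validate_certs keeps its default of yes)
      get_url:
        url: "{{ mirror }}/ius-release.rpm"
        dest: /tmp/ius-release.rpm
        checksum: "sha256:{{ ius_release_sha256 }}"   # content pinned independently of the mirror
        mode: "0644"

    - name: Install from the local file, as the original task did from the vendor URL
      yum:
        name: /tmp/ius-release.rpm
        state: present
      when: ansible_os_family == 'RedHat'
```

Two things make this safer than validate_certs=no: get_url refuses a file whose digest does not match the pinned value, so a compromised or misconfigured mirror cannot substitute content, and yum does not GPG-check a locally supplied rpm unless localpkg_gpgcheck is 1, which is why the play imports the vendor key and enables that option before installing.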

Context

StackExchange DevOps Q#2656, answer score: 5
