Reputation: 1499
Started learning Ansible and want to facilitate the ansible-galaxy search nginx command, but I'm getting:
ERROR! Unknown error when attempting to call Galaxy at 'https://galaxy.ansible.com/api/api': <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)>
I tried to use ansible-galaxy --ignore-certs search nginx
and ansible-galaxy -c search nginx
but now I'm getting ansible-galaxy: error: unrecognized arguments: --ignore-certs
for both.
OS:
Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic
Ansible version:
ansible 2.9.5
config file = /home/maciej/projects/priv/ansible_nauka/packt_course/ansible.cfg
configured module search path = ['/home/maciej/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/maciej/.local/lib/python3.6/site-packages/ansible
executable location = /home/maciej/.local/bin/ansible
python version = 3.6.9 (default, Jul 17 2020, 12:50:27) [GCC 8.4.0]
Upvotes: 17
Views: 59124
Reputation: 46
I was also facing the same issue and was able to fix it by following the steps below (Mac OS).
Make sure the certifi Python module is installed.
pip3 install certifi
Update ~/.bash_profile with the following.
CERT_PATH=$(python3 -m certifi)
export SSL_CERT_FILE=${CERT_PATH}
export REQUESTS_CA_BUNDLE=${CERT_PATH}
source ~/.bash_profile
Upvotes: 2
Reputation: 1
I am using Linux Mint 20.3, I was attempting to install ansible through the following command for OVOS:
sh -c "curl -s https://raw.githubusercontent.com/OpenVoiceOS/ovos-installer/main/installer.sh -o installer.sh && chmod +x installer.sh && sudo ./installer.sh && rm installer.sh"
I kept getting a fail on ssl certificate validation.
Keeping in mind that the OS is using python3.8, OpenVoice is using python3.11, so any changes that are done with:
sudo update-ca-certificates --fresh
are affecting the python3.8 version, not python3.11. After some research I found that the python3.11 environment was using /usr/local/ssl to search for the certificates. So the workaround that I came up with was to link /usr/local/ssl/cert to /etc/ssl/cert folders.
What I did was open the /usr/local/ssl folder as root and change the cert folder in that directory to cert-bkp. I opened /etc/ssl in a different window, then used Ctrl + Shift to drag and drop the cert folder from /etc/ssl to /usr/local/ssl <--- Placing a shortcut link from /etc/ssl/cert folder to /usr/local/ssl/cert.
After this, I was then able to install ansible-galaxy with no issues. I hope this helps others in the future to resolve this issue.
Upvotes: 0
Reputation: 599
I had the same issue, but on Mac OS X.
The underlying problem is that your Python environment is not finding/making use of the default root certificates that are installed on your OS. These root certs are required to connect securely (via TLS) with Ansible Galaxy.
For Mac OS X I was able to solve this based on this answer: How to make Python use CA certificates from Mac OS TrustStore?
i.e. by running the script to install the certs, shipped with the installation:
cd /Applications/Python\ 3.7/
./Install\ Certificates.command
(your Python version might be different)
For Ubuntu / Debian:
Update: As pointed out by Maciej in the accepted answer, certs can be regenerated and added to the environment:
sudo update-ca-certificates --fresh
export SSL_CERT_DIR=/etc/ssl/certs
P.S.: I would not suggest using --ignore-certs; this will skip verification of the certificate in the TLS connection, making the connection insecure (allowing man-in-the-middle attacks).
Upvotes: 30
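Added example, not part of any answer in this thread: a Python sketch that reports where an interpreter's OpenSSL looks for CA certificates, which is the lookup the answer above describes as failing. The function names ca_sources and diagnose are made up for this example, and it checks only that the paths exist and are non-empty, not that they hold valid certificates.

```python
import os
import ssl


def ca_sources(env=None):
    """Map each OpenSSL override variable to the CA path that will be used.

    A set SSL_CERT_FILE / SSL_CERT_DIR wins; otherwise the default compiled
    into the OpenSSL build this interpreter is linked against applies.
    """
    env = os.environ if env is None else env
    p = ssl.get_default_verify_paths()
    return {
        p.openssl_cafile_env: env.get(p.openssl_cafile_env, p.openssl_cafile),
        p.openssl_capath_env: env.get(p.openssl_capath_env, p.openssl_capath),
    }


def diagnose(env=None):
    """Return (usable, findings); usable is True if any CA source has content.

    Presence check only: it does not parse or validate the certificates.
    """
    p = ssl.get_default_verify_paths()
    usable, findings = False, []
    for var, path in ca_sources(env).items():
        if var == p.openssl_cafile_env:
            ok = os.path.isfile(path) and os.path.getsize(path) > 0
        else:
            ok = os.path.isdir(path) and bool(os.listdir(path))
        usable = usable or ok
        findings.append(f"{var}: {path} -> {'ok' if ok else 'missing or empty'}")
    return usable, findings


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    usable, findings = diagnose()
    print("\n".join(findings))
    # Certificates in the bundle file are loaded eagerly; directory entries are
    # loaded on demand, so this count can be 0 with a working SSL_CERT_DIR.
    print("CAs preloaded:", len(ssl.create_default_context().get_ca_certs()))
    print("trust store usable" if usable else "no CA source found: verification will fail")
```

Run it with the same interpreter Ansible uses (the "python version" line of ansible --version), since each Python build can point at a different certificate location.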
Reputation: 41
In case someone else is looking at this, the args are order dependent. On rhel8 with a cntlm proxy ....
declare -x https_proxy='127.0.0.1:3128'
declare -x http_proxy='127.0.0.1:3128'
# this works through a proxy
ansible-galaxy collection install ovirt.ovirt --ignore-certs
# this does not
ansible-galaxy --ignore-certs collection install ovirt.ovirt
# and this does not
ansible-galaxy collection --ignore-certs install ovirt.ovirt
Upvotes: 3
Reputation: 1
For RHEL/CENTOS
You may want to check the crypto policy; if the policy is set to future, temporarily set it to default:
sudo update-crypto-policies --set=DEFAULT
Upvotes: 0
Reputation: 1499
Came back to this issue... life is the best motivator. What helped me is:
sudo update-ca-certificates --fresh
export SSL_CERT_DIR=/etc/ssl/certs
Upvotes: 7
Reputation: 103
Worked for me:
ansible-galaxy search --ignore-certs postgresql
Upvotes: 7