chris01

Reputation: 12321

Module apt_repository: Why is validate_certs not working?

I have an Ansible playbook that adds an Apt repository. The repo is located on my own server, accessed over HTTPS (with a self-signed cert).

If I put the repo manually in the host's sources.list, I get this error when updating the cache:

Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.

OK, it's self-signed. Disable the check and all is fine.

apt -o "Acquire::https::Verify-Peer=false" update

Very good - now I try to handle it with Ansible.

- name: add my repo and update cache
  apt_repository:
    repo: deb https://myserver/debian bullseye main
    filename: myrepo
    validate_certs: false
    state: present

No matter whether I set validate_certs: false, it fails every time.

FAILED! => {"changed": false, "msg": "Failed to update apt cache: unknown reason"}

If I make the repo public via HTTP and change the URL then all is fine. Also if I keep it with HTTPS-selfsigned and set

Acquire::https::Verify-Peer "false";

in the update-seeking host's apt config, it works too.

But I expect validate_certs to handle that. So why is it not working??

debian 11.6
ansible 2.10.8
python 3.9.2

Upvotes: 2

Views: 939

Answers (1)

flowerysong

Reputation: 2949

The validate_certs argument to apt_repository does not affect the configuration of apt or the repository; it controls whether certs are validated during the module's internal fetching of PPA info.

If you want apt to ignore validation failures, you need to configure apt accordingly.

Upvotes: 3
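
One way to "configure apt accordingly" from the same playbook, as an added example that is not part of the original question or answer. It writes apt's HTTPS settings scoped to the repo host before the apt_repository task runs. The file names 99myrepo-tls and myrepo.crt and the controller path files/myrepo.crt are assumptions; myserver is the host from the question.

```yaml
# Added example, not from the original post.
# Assumed (hypothetical) names: files/myrepo.crt, /etc/apt/myrepo.crt,
# /etc/apt/apt.conf.d/99myrepo-tls. Host "myserver" is taken from the question.
- name: configure apt TLS for the internal repo, then add it
  hosts: all
  become: true
  tasks:
    # Ship the repo server's self-signed certificate so apt can verify
    # against it instead of skipping verification.
    - name: install the repo server's certificate
      copy:
        src: files/myrepo.crt
        dest: /etc/apt/myrepo.crt
        mode: "0644"

    # Host-scoped form (Acquire::https::<host>::...) limits the setting to
    # this one source; the global form would apply to every HTTPS repo.
    - name: write host-scoped apt HTTPS settings
      copy:
        dest: /etc/apt/apt.conf.d/99myrepo-tls
        mode: "0644"
        content: |
          // Trust only this certificate for myserver; verification stays on.
          Acquire::https::myserver::CaInfo "/etc/apt/myrepo.crt";
          // The question's workaround, limited to this host. It disables
          // peer verification, so use it only if the cert cannot be pinned:
          // Acquire::https::myserver::Verify-Peer "false";

    # validate_certs is omitted: per the answer it only affects the module's
    # own PPA lookups, not apt's cache update.
    - name: add my repo and update cache
      apt_repository:
        repo: deb https://myserver/debian bullseye main
        filename: myrepo
        state: present
```

The error in the question also reports a name mismatch, so the pinned certificate only verifies if it carries the host name used in the repo URL.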
