ansible-nodejs-role: SSL Failure on Import the NodeSource GPG key into apt
In the last 24 hours, I began getting a failure on the “Import the NodeSource GPG key into apt” step with Ansible 1.9.2.
A full run can be seen in TravisCI: https://travis-ci.org/mozilla/kuma/jobs/158534929
The full URL seems to have a valid certificate: https://deb.nodesource.com/gpgkey/nodesource.gpg.key
However, the root URL now redirects to GitHub: https://deb.nodesource.com
I suspect the problem is that Ansible does certificate validation of the root URL, not the full path, and is detecting a problem with the hostname change.
Here’s the output from a verbose run:
TASK: [nodesource.node | Import the NodeSource GPG key into apt] **************
<127.0.0.1> ESTABLISH CONNECTION FOR USER: vagrant
<127.0.0.1> REMOTE_MODULE apt_key state=present url=https://deb.nodesource.com/gpgkey/nodesource.gpg.key
<127.0.0.1> EXEC ssh -C -tt -vvv -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/Users/john/.ansible/cp/ansible-ssh-%h-%p-%r" -o StrictHostKeyChecking=no -o Port=2222 -o IdentityFile="/Users/john/src/kuma/.vagrant/machines/developer-local/virtualbox/private_key" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=vagrant -o ConnectTimeout=30 127.0.0.1 /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1473372799.77-250761793755640 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1473372799.77-250761793755640 && echo $HOME/.ansible/tmp/ansible-tmp-1473372799.77-250761793755640'
<127.0.0.1> PUT /var/folders/61/s6_xxhqd3nl27_vgq9fzjmkr0000gq/T/tmpHnT09K TO /home/vagrant/.ansible/tmp/ansible-tmp-1473372799.77-250761793755640/apt_key
<127.0.0.1> EXEC ssh -C -tt -vvv -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/Users/john/.ansible/cp/ansible-ssh-%h-%p-%r" -o StrictHostKeyChecking=no -o Port=2222 -o IdentityFile="/Users/john/src/kuma/.vagrant/machines/developer-local/virtualbox/private_key" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=vagrant -o ConnectTimeout=30 127.0.0.1 /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=peqdhgbtpdvxszbvlonushpnfpjjmcyq] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-peqdhgbtpdvxszbvlonushpnfpjjmcyq; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 PYTHONDONTWRITEBYTECODE=1 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1473372799.77-250761793755640/apt_key'"'"''
failed: [developer-local] => {"failed": true}
msg: Failed to validate the SSL certificate for deb.nodesource.com:443. Use validate_certs=False (insecure) or make sure your managed systems have a valid CA certificate installed. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible
FATAL: all hosts have already failed -- aborting
About this issue
- Original URL
- State: closed
- Created 8 years ago
- Reactions: 7
- Comments: 17 (6 by maintainers)
Commits related to this issue
- bug 957802: Install apt-key from Ubuntu keyserver After switching to CloudFront, the key is stored on a server with SNI, and the system Python can no longer download the key. Placing the key on keyse... — committed to mdn/kuma by jwhitlock 8 years ago
- bug 957802: Install apt-key from Ubuntu keyserver After switching to CloudFront, the key is stored on a server with SNI, and the system Python can no longer download the key. Placing the key on keyse... — committed to mdn/kuma by jwhitlock 8 years ago
- Update Dockerfile, sample role ubuntu:trusty requires an apt-get update before installing any packages. Update the sample role to use "become" instead of "sudo", and explicitly install version 4, so t... — committed to jwhitlock/ansible-nodejs-role by jwhitlock 8 years ago
- Install GPG key from keyserver.ubuntu.com deb.nodesource.com is now in CloudFront, and older versions of Python (such as that installed in Ubuntu 12.04 and 14.04) can no longer install the GPG key fr... — committed to jwhitlock/ansible-nodejs-role by jwhitlock 8 years ago
- Patching bug discussed here: https://github.com/nodesource/ansible-nodejs-role/issues/33 — committed to CollabraMusic/ansible-nodejs-role by kobelb 8 years ago
- Install GPG key from keyserver.ubuntu.com deb.nodesource.com is now in CloudFront, and older versions of Python (such as that installed in Ubuntu 12.04 and 14.04) can no longer install the GPG key fr... — committed to tjanez/ansible-nodejs-role by jwhitlock 8 years ago
- Change nodesource gpg source FIX: SSL Failure on Import the NodeSource GPG key into apt Nodesource switched to CloudFront using SNI which requires Python 2.7.9 not installed by Trusty by default. h... — committed to RyanFDev/starhackit by RyanFDev 8 years ago
- Install GPG key from keyserver.ubuntu.com deb.nodesource.com is now in CloudFront, and older versions of Python (such as that installed in Ubuntu 12.04 and 14.04) can no longer install the GPG key fr... — committed to liip/drifter by jwhitlock 8 years ago
- Install Node and NPM with native apt-get Get rid of broken nodesource role https://github.com/nodesource/ansible-nodejs-role/issues/24 https://github.com/nodesource/ansible-nodejs-role/issues/33 — committed to betagouv/aides-jeunes-ops by MattiSG 8 years ago
- Add nodesource GPG key to repo Nodesource has recently changed to distribution via CloudFront which requires SNI (see https://github.com/nodesource/distributions/issues/353#issuecomment-245766143), w... — committed to Crown-Commercial-Service/digitalmarketplace-jenkins by TheDoubleK 8 years ago
I see a couple of options to make this work with older Python versions (Ubuntu 12.04, 14.04):
files/nodesource.gpg.key, and change the task to copy and install from a file:
I’ve uploaded the key at https://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=0x1655A0AB68576280
It is also possible that the root page https://deb.nodesource.com could be something other than a redirect and it would work, but that may be a restriction of CloudFront.
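The two options in the comment above, written as Ansible tasks next to the `validate_certs: no` setting that also comes up in this thread. This is an added example, not code from the role or from any commenter; the task names and the /tmp path are illustrative, and it assumes the `id` parameter of `apt_key` accepts a 16-digit key ID in the Ansible version in use.

```yaml
# Added example. The key ID is the one in the keyserver URL above.

# Weak setting, shown commented out for contrast: the download succeeds,
# but the server is not authenticated, so whatever key the connection
# returns becomes a trusted apt signing key.
# - name: Import the NodeSource GPG key into apt (no certificate check)
#   apt_key:
#     url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key
#     validate_certs: no
#     state: present

# Option 1: ship the key with the role and import it from a local file.
# No HTTPS request is made from the managed host, so the SNI limitation
# of its system Python does not matter.
- name: Copy the NodeSource GPG key to the host
  copy:
    src: nodesource.gpg.key          # files/nodesource.gpg.key in the role
    dest: /tmp/nodesource.gpg.key    # illustrative path
    mode: "0644"

- name: Import the NodeSource GPG key from the copied file
  apt_key:
    file: /tmp/nodesource.gpg.key
    id: "1655A0AB68576280"           # lets the module detect the key as already present
    state: present

# Option 2: fetch the key by ID from the keyserver. The key ID is the only
# thing tying the result to NodeSource, so use the long ID rather than the
# 8-digit short form, which is easy to collide.
- name: Import the NodeSource GPG key from keyserver.ubuntu.com
  apt_key:
    keyserver: keyserver.ubuntu.com
    id: "1655A0AB68576280"
    state: present
```

Use one of the two options, not both. With option 1 the key file is reviewed and versioned with the role, so a change to the trusted key shows up in a diff.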
Hey, @jeffbski after googling, what Yuri Kanivetsky shares in his answer here https://groups.google.com/forum/#!msg/ansible-project/p4dQ0c25bpM/qSsI4JQqBAAJ helped me.
I needed to make sure these packages are installed: python-urllib3, python-openssl, python-pyasn1, python-pip, and installing ndg-httpsclient with pip.
From his answer:
This fix was integrated into https://github.com/geerlingguy/ansible-role-nodejs/commit/0372961b152fe496412b75316a1a734b4771ad3e, appears to be working.
With Ansible 1.9.6 and adding parameter validate_certs: no:
Maybe SNI is being used? But Travis CI has a similar error, and it runs Python 2.7.12
Thanks @cesc1989 I appreciate it. That seemed to work.
Great analysis, interested to hear opinions on using the ubuntu key server rather than nodesource endpoint. cc @jwhitlock @chrislea
Cheers