I started learning Ansible and want to use the ansible-galaxy search nginx command, but I'm getting:
ERROR! Unknown error when attempting to call Galaxy at 'https://galaxy.ansible.com/api/api': <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)>
I tried to use ansible-galaxy --ignore-certs search nginx and ansible-galaxy -c search nginx, but now I'm getting ansible-galaxy: error: unrecognized arguments: --ignore-certs for both.
OS :
Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic
Ansible version:
ansible 2.9.5
config file = /home/maciej/projects/priv/ansible_nauka/packt_course/ansible.cfg
configured module search path = ['/home/maciej/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/maciej/.local/lib/python3.6/site-packages/ansible
executable location = /home/maciej/.local/bin/ansible
python version = 3.6.9 (default, Jul 17 2020, 12:50:27) [GCC 8.4.0]
I had the same issue, but on Mac OS X.
The underlying problem is that your Python environment is not finding/making use of the default root certificates that are installed on your OS. These root certs are required to connect securely (via TLS) with Ansible Galaxy.
For Mac OS X I was able to solve this based on this answer:
How to make Python use CA certificates from Mac OS TrustStore?
i.e. by running the script to install the certs, shipped with the installation:
cd /Applications/Python\ 3.7/
./Install\ Certificates.command
For Ubuntu / Debian:
Update: As pointed out by Maciej in the accepted answer, certs can be regenerated and added to the environment:
sudo update-ca-certificates --fresh
export SSL_CERT_DIR=/etc/ssl/certs
P.S.: I would not suggest using --ignore-certs; this will skip verification of the certificate in the TLS connection, making the connection insecure (allowing man-in-the-middle attacks).
Worked for me:
ansible-galaxy search --ignore-certs postgresql
I came back to this issue... life is the best motivator. What helped me is:
sudo update-ca-certificates --fresh
export SSL_CERT_DIR=/etc/ssl/certs
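To confirm the diagnosis in the answers above (Python not finding the OS root certificates) before and after running update-ca-certificates or setting SSL_CERT_DIR, the following added example, which is not part of the original posts, reports which CA file and CA directory the interpreter's ssl module will use and whether they contain anything. The function name and report keys are illustrative.

```python
import os
import re
import ssl

# OpenSSL finds certificates in a CA directory by subject-hash file name,
# e.g. "4a6481c9.0"; update-ca-certificates (re)creates these links.
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")
PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def diagnose_ca_store():
    """Report which trust store this interpreter's ssl module will use."""
    # get_default_verify_paths() already applies the SSL_CERT_FILE and
    # SSL_CERT_DIR overrides and returns None for paths that do not exist.
    paths = ssl.get_default_verify_paths()
    report = {
        "cafile_env": paths.openssl_cafile_env,
        "capath_env": paths.openssl_capath_env,
        "cafile": paths.cafile,
        "capath": paths.capath,
        "bundle_certs": 0,   # PEM blocks found in the bundle file
        "hashed_links": 0,   # hash-named entries found in the CA directory
        "errors": [],
    }
    try:
        if paths.cafile:
            with open(paths.cafile, encoding="ascii", errors="replace") as fh:
                report["bundle_certs"] = fh.read().count(PEM_HEADER)
        if paths.capath:
            report["hashed_links"] = sum(
                1 for name in os.listdir(paths.capath) if HASH_LINK.match(name)
            )
    except OSError as exc:  # e.g. the store exists but is not readable
        report["errors"].append(str(exc))
    # Verification can only succeed if at least one source holds certificates.
    report["usable"] = bool(report["bundle_certs"] or report["hashed_links"])
    return report


if __name__ == "__main__":
    for key, value in diagnose_ca_store().items():
        print(f"{key:13} {value}")
```

Run it with the same interpreter that ansible-galaxy uses; a result with usable False matches the CERTIFICATE_VERIFY_FAILED symptom and points at the trust store rather than at Galaxy.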
For RHEL/CentOS:
You may want to check the crypto policy; if the policy is set to FUTURE, temporarily set it to DEFAULT:
sudo update-crypto-policies --set=DEFAULT
bahrathkumaraju#Bahrathkumarajus-MacBook-Pro vault_ansible % ansible-galaxy collection install community.hashi_vault --ignore-certs
Starting galaxy collection install process
Process install dependency map
Starting collection install process
Downloading https://galaxy.ansible.com/download/community-hashi_vault-3.0.0.tar.gz to /Users/bahrathkumaraju/.ansible/tmp/ansible-local-91443c5vh69v3/tmp76qmz32a/community-hashi_vault-3.0.0-635b3qde
Installing 'community.hashi_vault:3.0.0' to '/Users/bahrathkumaraju/.ansible/collections/ansible_collections/community/hashi_vault'
community.hashi_vault:3.0.0 was installed successfully
bahrathkumaraju#Bahrathkumarajus-MacBook-Pro vault_ansible %
In case someone else is looking at this, the args are order-dependent. On RHEL 8 with a cntlm proxy:
declare -x https_proxy='127.0.0.1:3128'
declare -x http_proxy='127.0.0.1:3128'
# this works through a proxy
ansible-galaxy collection install ovirt.ovirt --ignore-certs
# this does not
ansible-galaxy --ignore-certs collection install ovirt.ovirt
# and this does not
ansible-galaxy collection --ignore-certs install ovirt.ovirt
Having great difficulty tracking down what is causing the below error when attempting to update any package from any repo. I have tested multiple repos by setting all others to disabled. I have cleaned all cache and removed any dnf yum cache files.
# dnf -v update
Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, needs-restarting, playground, repoclosure, repodiff, repograph, repomanage, reposync
DNF version: 4.2.7
cachedir: /var/cache/dnf
repo: downloading from remote: AppStream
error: Curl error (28): Timeout was reached for http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=AppStream&infra=stock [Resolving timed out after 30000 milliseconds] (http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=AppStream&infra=stock).
CentOS-8 - AppStream 0.0 B/s | 0 B 00:30
Cannot download 'http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=AppStream&infra=stock': Cannot prepare internal mirrorlist: Curl error (28): Timeout was reached for http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=AppStream&infra=stock [Resolving timed out after 30000 milliseconds].
Failed to download metadata for repo 'AppStream'
Error: Failed to download metadata for repo 'AppStream'
Each time I attempt a dnf update, load average on the server goes thru the roof, up to 40x
curl can access the mirror site.
curl 'http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=AppStream&infra=stock'
http://ftp.tc.edu.tw/Linux/CentOS/8.2.2004/AppStream/x86_64/os/
http://mirror.horizon.vn/centos/8.2.2004/AppStream/x86_64/os/
http://ftp.jaist.ac.jp/pub/Linux/CentOS/8.2.2004/AppStream/x86_64/os/
http://centosg9.centos.org/centos/8.2.2004/AppStream/x86_64/os/
http://packet01.centos.org/centos/8.2.2004/AppStream/x86_64/os/
http://mirror.s8.centos.org/centos/8.2.2004/AppStream/x86_64/os/
http://centoso7.centos.org/centos/8.2.2004/AppStream/x86_64/os/
http://centosh9.centos.org/centos/8.2.2004/AppStream/x86_64/os/
http://centosc8.centos.org/centos/8.2.2004/AppStream/x86_64/os/
http://centosg7.centos.org/centos/8.2.2004/AppStream/x86_64/os/
I have also tried using baseurl in .repo, same error.
I have also replaced the baseurl with one of the URLs returned by curl, same error.
I have tried many suggestions such as yum/dnf error: Failed to download metadata for repo
and similar, none work for me.
Some articles point to bugs in the env vars for $releasever etc. I have also tried replacing them with actual values. Same error.
Internet connection obviously OK due to curl result.
No proxy used.
DNS OK
cat /etc/redhat-release
CentOS Linux release 8.1.1911 (Core)
uname -a
Linux xxxx 4.18.0-147.5.1.el8_1.x86_64 #1 SMP Wed Feb 5 02:00:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Any suggestions would be greatly appreciated.
For some weird reason, setting the nameserver in /etc/resolv.conf to 8.8.8.8 and rebooting fixed the problem for me.
Also, I disabled dynamic memory for the Hyper-V VM. The dnf command expects a lot of memory.
Please give it a try.
Regards,
Arockiasamy
The only thing that worked for me was to disable and remove the offending repo.
sudo yum --disablerepo=epel\* remove epel-release.noarch
I'm setting up a Kubernetes cluster and as part of that, I ran the following command (mentioned in the official docs: https://kubernetes.io/docs/tasks/tools/install-kubectl/):
sudo apt-get update && sudo apt-get install -y apt-transport-https
However, it fails with the following error:
Err:3 https://packages.cloud.google.com/apt kubernetes-xenial/main amd64 Packages
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Now, I fetch the certificate with this command:
ex +'/BEGIN CERTIFICATE/,/END CERTIFICATE/p' <(echo | openssl s_client -showcerts -connect packages.cloud.google.com:443) -scq > kubecertificate.crt
I get the following response:
verify error:num=20:unable to get local issuer certificate
DONE
But since I see content inside my kubecertificate.crt file, I go ahead and copy the certificate into the /usr/local/share/ca-certificates/ directory.
Then I run:
update-ca-certificates
After updating my CA certificates bundle, I rerun the first command mentioned.
It again fails with the server certificate verification failed error.
Please help me understand where I am going wrong. Is it because I'm unable to get the local issuer certificate? Please help.
Are you using an i386 image, or is there some firewall involved? If it is the 64-bit version of Xenial then it must be some kind of system issue.
Take a look at this case. Especially I would check the current system time with date -R and apt-get install NTP as advised by #davidthings, as I remember having a similar problem. There are also a lot of different solutions which could help, listed in the linked case. Check which one is applicable for you and update if you succeed.
After that you can try with this, to download kubectl, kubelet and kubeadm (or edit it accordingly if you want just one)
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg |
apt-key add -
cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
deb http://apt.kubernetes.io/ kubernetes-xenial main
EOF
sudo apt-get update
sudo apt-get install -y kubelet kubeadm kubectl
I am using CentOS 6.6 64-bit, and have a problem when using curl. The server primarily hosts several WordPress blogs using Apache and MySQL.
My simplest means to generate the error is with the following yum command, which outputs the below:
yum list "ca-certi*"
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=x86_64 error was
14: PYCURL ERROR 77 - "Problem with the SSL CA cert (path? access rights?)"
* base: cosmos.cites.illinois.edu
* epel: mirror.cogentco.com
* extras: mirrors.rit.edu
* updates: mirrors.rit.edu
Installed Packages
ca-certificates.noarch 2014.1.98-65.1.el6 #base
Solutions tried and failed so far, based on googling around:
1) I have tried restarting the VPS, no good
2) Executing curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt without any luck
3) This solution was no good at all, as it relies on yum to solve the SSL problem that yum also suffers http://syslint.com/syslint/curl-77-problem-with-the-ssl-ca-cert-path-access-rights-solved/
Can I run these yum steps to install with wget? Do you think it would help?
# yum reinstall ca-certificates
# yum reinstall openssl
I think virtualmin had installed some updates in the last 24 hours, is there a log of updates it ran somewhere?
Can anyone please help get around this "Problem with the SSL CA cert (path? access rights?)" problem.
TIA
An easier solution for CentOS 6/7: remove the CA bundle and reinstall the certificates.
rm -f /etc/ssl/certs/ca-bundle.crt && yum reinstall -y ca-certificates
The problem is that if you only reinstall the certs, this won't replace ca-bundle; it leaves the new one with a .rpmnew name.
This worked for me:
CentOS 6
mkdir /usr/src/ca-certificates && cd /usr/src/ca-certificates
wget http://mirror.centos.org/centos/6/os/x86_64/Packages/ca-certificates-2015.2.6-65.0.1.el6_7.noarch.rpm
rpm2cpio ca-certificates-2015.2.6-65.0.1.el6_7.noarch.rpm | cpio -idmv
cp -pi ./etc/pki/tls/certs/ca-bundle.* /etc/pki/tls/certs/
Answer yes to overwrite.
To check:
curl -vvv https://www.unixy.net
Solution from here
https://www.virtualmin.com/node/35857
nss-softokn breaks yum/rpm in CentOS 6. In order to fix it, do the following:
wget http://mirror.centos.org/centos/6/updates/x86_64/Packages/nss-softokn-fr...
rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm | cpio -idmv
cd lib64
cp libfreeblpriv3.* /lib64
yum update # sync new repo package
My company's website is on an EC2 instance. The OS is Ubuntu 10.04. Currently we are using packages installed through apt-get. We have Apache 2.2.14 and OpenSSL 0.9.8k. After a security audit, I was told to update the version of OpenSSL. The latest version of OpenSSL on the 0.9.8 line is 0.9.8y. Is it compatible with Apache 2.2.14? If so, is it easy or at least possible to upgrade OpenSSL only? I read somewhere that some people simply recommend upgrading the whole OS. Any comments?
I did try to upgrade by downloading the tarball of
httpd-2.2.24 + openssl 0.9.8y
I installed them both under
/usr/local/apache2
/usr/local/ssl
I configured apache by
./configure --enable-modules=all --enable-mods-shared="all ssl" \
--with-ssl=/usr/local/ssl/ --enable-ssl
the /usr/local/ssl/bin/openssl does show 0.9.8y
but my web service shows apache 2.2.24 + openssl 0.9.8k
Any idea how to fix it? Thanks.
$ ldd /usr/local/apache2/bin/httpd
...
libssl.so.0.9.8 => /lib/libssl.so.0.9.8
libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8
...
The libssl.so.0.9.8 is still found in /lib/ system directory by the loader, not /usr/local/ssl. So you need to set LD_LIBRARY_PATH before running httpd:
$ export LD_LIBRARY_PATH=/usr/local/ssl/lib && /usr/local/apache2/bin/httpd
See also this document for more info on compatibility between apache & openssl. See this table for info on binary compatibility of openssl 0.9.8k and 0.9.8y.
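As an added example (not part of the original answer), the check below parses ldd output and lists the TLS libraries that the loader resolved outside the intended OpenSSL directory, which is how the answer spotted that httpd still used /lib. The sample outputs are constructed from the paths on this page (load addresses are made up), and the function name is illustrative.

```python
import os
import re

# Matches "soname => /resolved/path (0x...)" and "soname => not found".
LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(not found|\S+)")


def tls_libs_outside(ldd_output, expected_dir, names=("libssl", "libcrypto")):
    """Return {soname: path} for TLS libraries resolved outside expected_dir."""
    prefix = os.path.join(os.path.normpath(expected_dir), "")  # trailing slash
    stray = {}
    for line in ldd_output.splitlines():
        match = LDD_LINE.match(line)
        if not match:
            continue  # vdso and interpreter lines carry no "=>"
        soname, path = match.groups()
        if not soname.startswith(tuple(names)):
            continue
        if path == "not found" or not os.path.normpath(path).startswith(prefix):
            stray[soname] = path
    return stray


# Constructed sample: httpd resolved against the system libraries.
BEFORE = """\
\tlinux-vdso.so.1 (0x00007ffc0a1f2000)
\tlibssl.so.0.9.8 => /lib/libssl.so.0.9.8 (0x00007f3b5c200000)
\tlibcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8 (0x00007f3b5be00000)
\tlibc.so.6 => /lib/libc.so.6 (0x00007f3b5ba00000)
"""

# Constructed sample: the same binary with LD_LIBRARY_PATH=/usr/local/ssl/lib.
AFTER = BEFORE.replace("/lib/libssl", "/usr/local/ssl/lib/libssl").replace(
    "/lib/libcrypto", "/usr/local/ssl/lib/libcrypto"
)

if __name__ == "__main__":
    print("before:", tls_libs_outside(BEFORE, "/usr/local/ssl/lib"))
    print("after: ", tls_libs_outside(AFTER, "/usr/local/ssl/lib"))
```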
I'm trying to get started on libvirt with VirtualBox as a virtualization solution. I installed everything and VirtualBox itself is running when using their VBoxHeadless command.
However, libvirt fails to connect to VirtualBox:
# virsh -c vbox:///session
libvir: error : could not connect to vbox:///session
error: failed to connect to the hypervisor
I could not find any hints in the libvirt documentation that point to whether I have to make any domain specific configuration before using virsh.
Does anyone have a hint? Or even better, maybe a tutorial that works through the way of using libvirt, virsh or its APIs (my later goal) from the ground up.
If you are doing this on Ubuntu, then the problem is their libvirt package is built without VirtualBox support.
You can rebuild the package with support very easily. Something like:
apt-get source -d libvirt
sudo apt-get build-dep libvirt
dpkg-source -x libvirt*dsc
Go into the libvirt directory and edit debian/rules so that instead of --without-vbox it says --with-vbox. You can add an entry to the top of debian/changelog so the package is compiled as a different version (e.g., append ~local1 to the version).
dpkg-buildpackage -us -uc -b -rfakeroot
You'll get new .debs built in the directory above. Use dpkg -i to install the relevant ones (libvirt0, libvirt0-bin, and whatever else you want).
Double-check whether or not you have write access to /var/run/libvirt/libvirt-sock.
The socket file should have permissions similar to:
$ sudo ls -la /var/run/libvirt/libvirt-sock
srwxrwx--- 1 root libvirtd 0 2010-08-24 14:54 /var/run/libvirt/libvirt-sock
I think it could be helpful also to increase the libvirt logging capabilities by running this in your shell:
export LIBVIRT_DEBUG=1
There is an Ubuntu PPA for libvirt with VirtualBox support: https://launchpad.net/~cxl/+archive/ubuntu/libvirt