Bug #12870

ansible: Failed to validate the SSL certificate for raw.githubusercontent.com when downloading SSH pubkeys

Added by Greg Farnum over 8 years ago. Updated over 8 years ago.

Status: Resolved
Priority: High
Assignee:
Category: -
% Done: 0%
Source: Q/A
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Crash signature (v1):
Crash signature (v2):

Description

 {'plana09.front.sepia.ceph.com': {'invocation': {'module_name':
    'authorized_key', 'module_args': 'user="ubuntu" key=https://raw.githubuserc
    ontent.com/ceph/keys/autogenerated/ssh/@all.pub'}, 'failed': True, 'msg':
    'Failed to validate the SSL certificate for raw.githubusercontent.com:443.
    Use validate_certs=False (insecure) or make sure your managed systems have
    a valid CA certificate installed. Paths checked for this platform:
    /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs,
    /usr/share/ca-certificates/cacert.org, /etc/ansible'},
    'mira012.front.sepia.ceph.com': {'invocation': {'module_name':
    'authorized_key', 'module_args': 'user="ubuntu" key=https://raw.githubuserc
    ontent.com/ceph/keys/autogenerated/ssh/@all.pub'}, 'failed': True, 'msg':
    'Failed to validate the SSL certificate for raw.githubusercontent.com:443.
    Use validate_certs=False (insecure) or make sure your managed systems have
    a valid CA certificate installed. Paths checked for this platform:
    /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs,
    /usr/share/ca-certificates/cacert.org, /etc/ansible'},
    'burnupi08.front.sepia.ceph.com': {'invocation': {'module_name':
    'authorized_key', 'module_args': 'user="ubuntu" key=https://raw.githubuserc
    ontent.com/ceph/keys/autogenerated/ssh/@all.pub'}, 'failed': True, 'msg':
    'Failed to validate the SSL certificate for raw.githubusercontent.com:443.
    Use validate_certs=False (insecure) or make sure your managed systems have
    a valid CA certificate installed. Paths checked for this platform:
    /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs,
    /usr/share/ca-certificates/cacert.org, /etc/ansible'}}

http://pulpito.ceph.com/teuthology-2015-08-24_23:08:02-kcephfs-master-testing-basic-multi/1030714/
http://pulpito.ceph.com/teuthology-2015-08-23_23:18:02-multimds-next-testing-basic-multi/1028549/

Searching my email, this also seems to have popped up in a lot of the backport tests and things. Maybe this should be a sepia issue? Not sure.

History

#1 Updated by Andrew Schoen over 8 years ago

I've seen this one before. This might be the solution, "make sure your managed systems have a valid CA certificate installed". I don't have a lot of knowledge in that area, so I'm not sure what fixing that would take.

We could also just not request keys from GitHub; we've had other issues with that as well. See: http://tracker.ceph.com/issues/12868

#2 Updated by Zack Cerza over 8 years ago

  • Subject changed from Failed to validate the SSL certificate to ansible: Failed to validate the SSL certificate for raw.githubusercontent.com when downloading SSH pubkeys
  • Status changed from New to 12

#3 Updated by Andrew Schoen over 8 years ago

Zack Cerza wrote:

This is another case of http://tracker.ceph.com/issues/12380

The fix could look like:
https://github.com/ceph/ceph-cm-ansible/blob/afbbeac70f98dcc755717063df8913de571b1adb/roles/users/tasks/main.yml#L46-L50

I do see that #12380 had a similar error message about SSL certs. Is that SSL cert error just nonsense and it's actually a timeout on the GitHub side? I guess I'm confused why adding a retry fixes the SSL cert.

#4 Updated by Zack Cerza over 8 years ago

I think it is nonsense related to a timeout.

#5 Updated by Andrew Schoen over 8 years ago

  • Assignee set to Andrew Schoen

#6 Updated by Nathan Cutler over 8 years ago

I just got this error in a recent rados run on firefly-backports (it's the first failed job listed): http://pulpito.ceph.com/smithfarm-2015-08-27_03:39:40-rados-firefly-backports---basic-multi/

The second failure in that run seems to be closely related: Error getting key from: https://raw.githubusercontent.com/ceph/keys/autogenerated/ssh/@all.pub

These two failures occurred in a re-run of dead and failed jobs from an earlier rados suite. That earlier suite also ended with two failures, but those said "Invalid cross-device link": http://pulpito.ceph.com/smithfarm-2015-08-10_12:21:46-rados-firefly-backports---basic-multi/
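
Added example, not part of the tracker thread and not code from ceph-cm-ansible: one way to retry the key download on timeouts while leaving certificate validation on, so that a real verification failure stops the run at once instead of being hidden by retries or by validate_certs=False. The function names, retry count and delay are assumptions; the URL is the one from the error message above.

```python
import socket
import ssl
import time
import urllib.error
import urllib.request

# URL taken from the error message in this ticket.
KEY_URL = "https://raw.githubusercontent.com/ceph/keys/autogenerated/ssh/@all.pub"


def classify(exc):
    """Return 'certificate', 'transient' or 'other' for a fetch failure."""
    # urllib wraps the underlying socket/TLS error in URLError.reason.
    cause = exc
    if isinstance(exc, urllib.error.URLError) and isinstance(exc.reason, BaseException):
        cause = exc.reason
    if isinstance(cause, ssl.SSLCertVerificationError):
        return "certificate"
    if isinstance(cause, (socket.timeout, TimeoutError, ConnectionError)):
        return "transient"
    return "other"


def default_fetch(url, timeout=10):
    """Download url with the platform CA store; verification is never disabled."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


def fetch_key(url=KEY_URL, fetch=default_fetch, retries=5, delay=10, sleep=time.sleep):
    """Return (key_bytes, failures_seen); retry transient errors only.
    retries and delay are assumed values, not taken from the ticket."""
    failures = []
    for attempt in range(1, retries + 1):
        try:
            return fetch(url), failures
        except OSError as exc:
            kind = classify(exc)
            failures.append(kind)
            # A real verification failure will not heal on retry: surface it at once.
            if kind != "transient" or attempt == retries:
                raise
            sleep(delay)
```

The list of failure kinds returned alongside the key shows whether a run only succeeded after timeouts, which is the distinction comments #3 and #4 are asking about.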
