Bug #12870

ansible: Failed to validate the SSL certificate for raw.githubusercontent.com when downloading SSH pubkeys

Added by Greg Farnum almost 4 years ago. Updated almost 4 years ago.

Status: Resolved
Priority: High
Assignee:
Category: -
Target version: -
Start date: 08/31/2015
Due date:
% Done: 0%
Source: Q/A
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:

Description

 {'plana09.front.sepia.ceph.com': {'invocation': {'module_name':
    'authorized_key', 'module_args': 'user="ubuntu" key=https://raw.githubuserc
    ontent.com/ceph/keys/autogenerated/ssh/@all.pub'}, 'failed': True, 'msg':
    'Failed to validate the SSL certificate for raw.githubusercontent.com:443.
    Use validate_certs=False (insecure) or make sure your managed systems have
    a valid CA certificate installed. Paths checked for this platform:
    /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs,
    /usr/share/ca-certificates/cacert.org, /etc/ansible'},
    'mira012.front.sepia.ceph.com': {'invocation': {'module_name':
    'authorized_key', 'module_args': 'user="ubuntu" key=https://raw.githubuserc
    ontent.com/ceph/keys/autogenerated/ssh/@all.pub'}, 'failed': True, 'msg':
    'Failed to validate the SSL certificate for raw.githubusercontent.com:443.
    Use validate_certs=False (insecure) or make sure your managed systems have
    a valid CA certificate installed. Paths checked for this platform:
    /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs,
    /usr/share/ca-certificates/cacert.org, /etc/ansible'},
    'burnupi08.front.sepia.ceph.com': {'invocation': {'module_name':
    'authorized_key', 'module_args': 'user="ubuntu" key=https://raw.githubuserc
    ontent.com/ceph/keys/autogenerated/ssh/@all.pub'}, 'failed': True, 'msg':
    'Failed to validate the SSL certificate for raw.githubusercontent.com:443.
    Use validate_certs=False (insecure) or make sure your managed systems have
    a valid CA certificate installed. Paths checked for this platform:
    /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs,
    /usr/share/ca-certificates/cacert.org, /etc/ansible'}}

http://pulpito.ceph.com/teuthology-2015-08-24_23:08:02-kcephfs-master-testing-basic-multi/1030714/
http://pulpito.ceph.com/teuthology-2015-08-23_23:18:02-multimds-next-testing-basic-multi/1028549/

Searching my email, this also seems to have popped up in a lot of the backport tests and things. Maybe this should be a sepia issue? Not sure.

History

#1 Updated by Andrew Schoen almost 4 years ago

I've seen this one before. This might be the solution, "make sure your managed systems have a valid CA certificate installed". I don't have a lot of knowledge in that area, so I'm not sure what fixing that would take.

We could also just not request keys from GitHub; we've had other issues with that as well. See: http://tracker.ceph.com/issues/12868

#2 Updated by Zack Cerza almost 4 years ago

  • Subject changed from Failed to validate the SSL certificate to ansible: Failed to validate the SSL certificate for raw.githubusercontent.com when downloading SSH pubkeys
  • Status changed from New to Verified

#3 Updated by Andrew Schoen almost 4 years ago

Zack Cerza wrote:

> This is another case of http://tracker.ceph.com/issues/12380
>
> The fix could look like:
> https://github.com/ceph/ceph-cm-ansible/blob/afbbeac70f98dcc755717063df8913de571b1adb/roles/users/tasks/main.yml#L46-L50

I do see that #12380 had a similar error message about SSL certs. Is that SSL cert error just nonsense and it's actually a timeout on the GitHub side? I guess I'm confused why adding a retry fixes the SSL cert.

#4 Updated by Zack Cerza almost 4 years ago

I think it is nonsense related to a timeout.

#5 Updated by Andrew Schoen almost 4 years ago

  • Assignee set to Andrew Schoen

#6 Updated by Nathan Cutler almost 4 years ago

I just got this error in a recent rados run on firefly-backports (it's the first failed job listed): http://pulpito.ceph.com/smithfarm-2015-08-27_03:39:40-rados-firefly-backports---basic-multi/

The second failure in that run seems to be closely related: Error getting key from: https://raw.githubusercontent.com/ceph/keys/autogenerated/ssh/@all.pub

These two failures occurred in a re-run of dead and failed jobs from an earlier rados suite. That earlier suite also ended with two failures, but those said "Invalid cross-device link": http://pulpito.ceph.com/smithfarm-2015-08-10_12:21:46-rados-firefly-backports---basic-multi/

#7 Updated by Andrew Schoen almost 4 years ago

  • Status changed from Verified to Resolved
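
The two remedies raised in this thread (a valid CA bundle on the managed hosts, and retrying the key download) can be combined in a playbook that leaves certificate validation on instead of using the validate_certs=False workaround the error message mentions. This is an added example, not the ceph-cm-ansible change linked in comment #3; the host group name `testnodes`, the variable name `pubkey_result` and the retry and delay values are assumptions.

```yaml
# Added example (not the project's own code): keep TLS validation enabled
# and retry transient download failures.
- hosts: testnodes            # assumed inventory group name
  become: true
  tasks:
    # Addresses "make sure your managed systems have a valid CA
    # certificate installed" from the error message.
    - name: Ensure the system CA certificate bundle is installed
      package:
        name: ca-certificates
        state: present

    # The key URL is the one from the failing task in the description.
    # validate_certs is deliberately left at its default, so the
    # certificate for raw.githubusercontent.com is still verified.
    - name: Install SSH public keys, retrying transient fetch failures
      authorized_key:
        user: ubuntu
        key: "https://raw.githubusercontent.com/ceph/keys/autogenerated/ssh/@all.pub"
        state: present
      register: pubkey_result
      until: pubkey_result is succeeded
      retries: 5              # assumed value
      delay: 10               # assumed value, seconds between attempts
```

If every retry is exhausted the task still fails, so a host never ends up with keys fetched over an unverified connection.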
