A story about how I fixed Ansible failing to run because of an SSL error against GitHub

Situation

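One day, after spending a long time searching ansible-galaxy for an Ansible role that looked useful,
I tried to install it right away and ran into the following error.
(hogehoge is a role that does not exist; it is used here only for illustration.)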

$ ansible-galaxy install hogehoge
- downloading role 'hogehoge', owned by fugafuga
- downloading role from https://github.com/...
 [ERROR]: failed to download the file: Failed to validate the SSL certificate for github.com:443. Make sure your managed systems have a valid CA certificate installed. You
can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs,
/etc/ansible, /usr/local/etc/openssl. The exception msg was: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:590).

 [WARNING]: - hogehoge was NOT installed successfully.

ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.

Help me, Doraemon.

Conditions

The author's environment

    • macOS Sierra
    • Homebrew 1.5.10-22-gcb6828d
    • Ansible 2.4.3 (via Homebrew)
    • Python 3.6.4 (via Pyenv)
    • OpenSSL 1.0.2n 7 Dec 2017 (via Homebrew)

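How it came to this

In short, this is probably one of the various problems caused by GitHub dropping TLSv1.
Following the processing, it seems that something in Python's handling is what triggers it. (Just a guess.)

But as far as the environment goes, I should have been more or less up to date… (Roughly, OpenSSL (1.0.2n) and Python (2.7.14 or later) are needed.)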

$ python --version
Python 3.6.4

$ openssl version
OpenSSL 1.0.2n  7 Dec 2017

$ python -c "import ssl; print(ssl.OPENSSL_VERSION)"
OpenSSL 1.0.2n  7 Dec 2017

$ python3 -c "import ssl; print(ssl.OPENSSL_VERSION)"
OpenSSL 1.0.2n  7 Dec 2017

$ ansible --version
ansible 2.4.3.0
  config file = None
  configured module search path = [u'/Users/n-funaki/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/2.4.3.0/libexec/lib/python2.7/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 2.7.10 (default, Feb  7 2017, 00:08:15) [GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.34)]

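What are you doing?

Ansible's Python version is "2.7.10"... and that is the problem.
I don't really know the details, but I think this may have to do with the dependencies in place when Ansible was installed.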
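The checks above were run with the shell's python, while Ansible reports a different interpreter. The following added example (not part of the original post) reads the interpreter version out of `ansible --version` and tests whether an ssl module can speak TLS 1.2; using TLS 1.2 as the bar and the function names are assumptions of this example.

```python
import re
import ssl

# Constructed sample: trimmed from the first `ansible --version` output on this page.
ANSIBLE_VERSION_OUTPUT = """\
ansible 2.4.3.0
  executable location = /usr/local/bin/ansible
  python version = 2.7.10 (default, Feb  7 2017, 00:08:15) [GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.34)]
"""


def ansible_python_version(text):
    """Return the interpreter version Ansible reports, e.g. (2, 7, 10)."""
    m = re.search(r"^\s*python version = (\d+)\.(\d+)\.(\d+)", text, re.MULTILINE)
    if m is None:
        raise ValueError("no 'python version' line in ansible --version output")
    return tuple(int(part) for part in m.groups())


def same_interpreter(text, shell_python):
    """True only if the shell's `python --version` matches Ansible's interpreter."""
    return ansible_python_version(text) == tuple(shell_python)


def tls12_capable(openssl_version_info, has_tls12_constant):
    """TLS 1.2 needs OpenSSL >= 1.0.1 and an ssl module that exposes it."""
    return tuple(openssl_version_info[:3]) >= (1, 0, 1) and bool(has_tls12_constant)


def report_current_interpreter():
    """Describe the ssl module of whichever interpreter runs this file."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "tls1_2_capable": tls12_capable(
            ssl.OPENSSL_VERSION_INFO, hasattr(ssl, "PROTOCOL_TLSv1_2")
        ),
    }


if __name__ == "__main__":
    print("Ansible runs on Python %d.%d.%d" % ansible_python_version(ANSIBLE_VERSION_OUTPUT))
    print("shell python (3.6.4) is the same interpreter:",
          same_interpreter(ANSIBLE_VERSION_OUTPUT, (3, 6, 4)))
    print(report_current_interpreter())
```

The report describes only the interpreter that runs the file, so it has to be run with the interpreter Ansible uses to say anything about Ansible.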

Solution

Reinstalling ansible solved the problem.

## First, uninstall ansible with brew
$ brew uninstall ansible
Uninstalling /usr/local/Cellar/ansible/2.4.3.0... (11,827 files, 143.7MB)

## Install ansible again
$ brew install ansible
Updating Homebrew...
==> Installing dependencies for ansible: python@2
==> Installing ansible dependency: python@2
==> Downloading https://homebrew.bintray.com/bottles/python@2-2.7.14_3.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring python@2-2.7.14_3.sierra.bottle.tar.gz
...
See: https://docs.brew.sh/Homebrew-and-Python
==> Summary
🍺  /usr/local/Cellar/python@2/2.7.14_3: 4,550 files, 81.0MB
==> Installing ansible
==> Downloading https://homebrew.bintray.com/bottles/ansible-2.4.3.0_3.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring ansible-2.4.3.0_3.sierra.bottle.tar.gz
🍺  /usr/local/Cellar/ansible/2.4.3.0_3: 11,220 files, 137.4MB

I want a beer.

## Check the version   ("$ source ~/.bash_profile" may be needed?)
$ ansible --version
ansible 2.4.3.0
  config file = None
  configured module search path = [u'/Users/n-funaki/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/2.4.3.0_3/libexec/lib/python2.7/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 2.7.14 (default, Mar 10 2018, 00:01:04) [GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.39.2)]

After the reinstall, Ansible's Python version was updated to 2.7.14.

When I ran ansible-galaxy again, it succeeded without any trouble.

$ ansible-galaxy install hogehoge
- downloading role 'hogehoge', owned by fugafuga
- downloading role from https://github.com/...
- extracting hogehoge to /Users/n-funaki/.ansible/roles/hogehoge
- hogehoge (master) was installed successfully

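An off-topic aside

Installing through Homebrew seems to leave you subject to the dependencies of Homebrew's Ansible, but if you want an arbitrary Python version, you can install it with pip (Python's package manager).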

$ python --version
Python 3.6.4

$ pip3 --version
pip 9.0.1 from /Users/n-funaki/.pyenv/versions/3.6.4/lib/python3.6/site-packages (python 3.6)

## Install ansible with pip
$ sudo pip3 install ansible

... long log ...

Successfully installed MarkupSafe-1.0 PyYAML-3.12 ansible-2.4.3.0 asn1crypto-0.24.0 bcrypt-3.1.4 cffi-1.11.5 cryptography-2.1.4 idna-2.6 jinja2-2.10 paramiko-2.4.1 pyasn1-0.4.2 pycparser-2.18 pynacl-1.2.1 six-1.11.0

## Check the installed ansible
$ ansible --version
ansible 2.4.3.0
  config file = None
  configured module search path = ['/Users/n-funaki/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/n-funaki/.pyenv/versions/3.6.4/lib/python3.6/site-packages/ansible
  executable location = /Users/n-funaki/.pyenv/versions/3.6.4/bin/ansible
  python version = 3.6.4 (default, Mar 16 2018, 13:56:26) [GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.39.2)]

That is all I have to say for now
about the situation I ran into.