Github and new Cryptographic Standard

I just downloaded latest Trellis, I am using Python 2.7 and Ansible 2.4, everything used to be ok, however running vagrant up I get this issue

Bringing machine ‘default’ up with ‘virtualbox’ provider…
==> default: Checking if box ‘bento/ubuntu-16.04’ is up to date…
==> default: [vagrant-hostsupdater] Checking for host entries
==> default: [vagrant-hostsupdater] Skipping adding host entries (config.vm.network hostsupdater: “skip” is set)
==> default: [vagrant-hostmanager:guests] Updating hosts file on active guest virtual machines…
==> default: [vagrant-hostmanager:host] Updating hosts file on your workstation (password may be required)…
==> default: Running provisioner: ansible…
default: Running ansible-galaxy…

  • downloading role ‘composer’, owned by geerlingguy
  • downloading role from https://github.com/geerlingguy/ansible-role-composer/archive/1.6.1.tar.gz
    [ERROR]: failed to download the file: Failed to validate the SSL certificate
    for github.com:443. Make sure your managed systems have a valid CA certificate
    installed. You can use validate_certs=False if you do not need to confirm the
    servers identity but this is unsafe and not recommended. Paths checked for this
    platform: /etc/ssl/certs, /etc/ansible, /usr/local/etc/openssl. The exception
    msg was: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version
    (_ssl.c:661).

[WARNING]: - composer was NOT installed successfully.

ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.
Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.

I just saw this, unsure if it matters, I have tried upgrading to python3, upgrading openSSl, nothing seems to work:

Ansible and Trellis are currently compatible with Python 2 only (Python 3 compat likely mid 2018).

Could also search discourse for the error output snippet Make sure your managed systems have a valid CA certificate installed.

Is there a minimum openSSL version I need to have, I think I am on 0.9.8

I’m not aware of a minimum requirement for openSSL. My local machine is on 0.9.8 too, and without trouble. On rare occasions I have a similar failed galaxy role installation (2% of the time, maybe?).

So you are completely fine now running this now after the GitHub changes to their SSL?

Ansible-galaxy install -r requirements.yml

1 Like

Having the same error here trying to run roots-example-project on my local machine.

Running Vagrant 2.0.2 and Ansible 2.4.2.0

Thanks for the prompt to look further. Turns out it’s not your primary system openssl version that matters, but your python’s ssl.

TL;DR

I’m guessing you’re using Ansible installed via homebrew (kudos to GitHub user 1ambda).
Try brew uninstall -f ansible then pip install ansible
Make sure you’re on python >= 2.7.9

:warning: Ansible via homebrew

# ansible installed from latest homebrew
# https://github.com/Homebrew/homebrew-core/blob/29d5b28ca721eca971521af13a4e9a9a9d32bdd9/Formula/ansible.rb

$ ansible-galaxy --version
ansible 2.4.3.0

# python's openSSL version
$ python -c "import ssl; print(ssl.OPENSSL_VERSION)"
OpenSSL 0.9.8zh 14 Jan 2016

# availability of ssl.PROTOCOL_TLSv1_2
$ python -c 'import ssl; ssl.PROTOCOL_TLSv1_2'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
AttributeError: 'module' object has no attribute 'PROTOCOL_TLSv1_2'

# reproduce failed galaxy role install
$ ansible-galaxy install -r requirements.yml
- downloading role 'composer', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-composer/archive/1.6.1.tar.gz
 [ERROR]: failed to download the file: Failed to validate the SSL certificate for github.com:443.
Make sure your managed systems have a valid CA certificate installed. You can use
validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not
recommended. Paths checked for this platform: /etc/ssl/certs, /etc/ansible, /usr/local/etc/openssl.
The exception msg was: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version
(_ssl.c:590).
 [WARNING]: - composer was NOT installed successfully.
ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.

:star: Ansible via pip

# Use ansible from pip instead

# uninstall ansible from homebrew
$ brew uninstall -f ansible
Uninstalling ansible... (11,507 files, 141MB)

# install ansible using pip
$ pip install ansible==2.4.2
Collecting ansible==2.4.2
...
Successfully installed ansible-2.4.2.0

$ ansible-galaxy --version
ansible 2.4.2.0

# python version (I used pyenv)
$ python --version
Python 2.7.13

# python's openSSL version
$ python -c "import ssl; print(ssl.OPENSSL_VERSION)"
OpenSSL 1.0.2n  7 Dec 2017

# availability of ssl.PROTOCOL_TLSv1_2
$ python -c 'import ssl; ssl.PROTOCOL_TLSv1_2'
echo?
0

# demonstrate successful galaxy role install
$ ansible-galaxy install -r requirements.yml
- downloading role 'composer', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-composer/archive/1.6.1.tar.gz
- extracting composer to /Users/philip/tests/site1.com/trellis/vendor/roles/composer
- composer (1.6.1) was installed successfully
- downloading role 'ntp', owned by geerlingguy
...
- geerlingguy.daemonize (1.2.0) was installed successfully

:warning: Ansible on with python <= 2.7.8

$ python --version
Python 2.7.8

$ ansible-galaxy --version
ansible 2.4.2.0

# openSSL version ok
$ python -c "import ssl; print(ssl.OPENSSL_VERSION)"
OpenSSL 1.0.2n  7 Dec 2017

# but missing ssl.PROTOCOL_TLSv1_2
$ python -c 'import ssl; ssl.PROTOCOL_TLSv1_2'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
AttributeError: 'module' object has no attribute 'PROTOCOL_TLSv1_2' 

# so, galaxy roles install will fail with slightly different error
$ ansible-galaxy install -r requirements.yml
- downloading role 'composer', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-composer/archive/1.6.1.tar.gz
 [ERROR]: failed to download the file: Failed to validate the SSL certificate for github.com:443.
Make sure your managed systems have a valid CA certificate installed. If the website serving the
url uses SNI you need python >= 2.7.9 on your managed machine  (the python executable used
(/usr/local/var/pyenv/versions/2.7.8/bin/python2.7) is version: 2.7.8 (default, Feb 10 2017,
21:08:58) [GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.42.1)]) or you can install the
`urllib3`, `pyOpenSSL`, `ndg-httpsclient`, and `pyasn1` python modules to perform SNI verification
in python >= 2.6. You can use validate_certs=False if you do not need to confirm the servers
identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs,
/etc/ansible, /usr/local/etc/openssl. The exception msg was: [Errno 1] _ssl.c:514:
error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version.
 [WARNING]: - composer was NOT installed successfully.
ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.

SSH

The crypto removal notice also mentions removal of diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1.

# if ssh to github succeeds, you should be fine
$ ssh -T git@github.com
Hi fullyint! Youve successfully authenticated, but GitHub does not provide shell access.

# check which kexalgorithms your ssh client will try to offer
$ ssh -G git@github.com | grep kex
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

# or this command, but it doesn't show priority/sequence
$ ssh -Q kex
<some list>

Check that the kex (key exchange algorithms) have some overlap with what github.com is willing to use: https://sshcheck.com/server/github.com/

More discussion of openSSH versions.

4 Likes

I was still getting the issue and python was pointing to the Mac OSX python with 0.9.8 until I symbolically linked homebrew python version (which is using the updated openssl library)

3 Likes

This was my solution in part as well.

After updating Python via Homebrew, I updated my $PATH as the homebrew info python command suggests:

If you wish to have this formula's python executable in your PATH then add
the following:
  export PATH="/usr/local/opt/python/libexec/bin:$PATH"
2 Likes

After days of frustration and trying many different things eg, virtualenv, pip, homebrew and installing Python from python.org, here is what helped me solve the error I was getting:

I was trying to install an Ansible role via ansible-galaxy. The error I was getting was this:

> ansible-galaxy install -c geerlingguy.apache
...
 [ERROR]: failed to download the file: <urlopen error [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1
alert protocol version (_ssl.c:590)>

First I could not get Python on my Mac to use the correct version of OpenSSL:

> python -c "import ssl; print(ssl.OPENSSL_VERSION)"
OpenSSL 0.9.8zh 14 Jan 2016

While trying to solve the issue, I had ended up with several Pythons installed. So I needed to first sort that out, I tried many things, can’t remember all for which I apologize. I settled on having howebrew install Python, pointed my env to it, created the symlink below manually since homebrew would not, and was able to get Phython working in a consistent manner:

> brew install python

> brew link --overwrite python

> ls -n /usr/local/bin/python
lrwxr-xr-x 1 502 37 Mar  1 20:46 /usr/local/bin/python -> ../../../Library/Frameworks/Python.framework/Versions/2.7/bin/python

> cd /usr/local/bin/ ; rm python

> ln -s ../Cellar/python/2.7.14_3/bin/python2 python

> ls -n /usr/local/bin/python
lrwxr-xr-x 1 502 37 Mar  1 21:02 /usr/local/bin/python -> ../Cellar/python/2.7.14_3/bin/python2

> which python
/usr/local/bin/python

> python -V
Python 2.7.14

> python -c "import ssl; print(ssl.OPENSSL_VERSION)"
OpenSSL 1.0.2n  7 Dec 2017

However, I still could not get Ansible to use the correct version of Phython:

> ansible-galaxy --version
ansible-galaxy 2.4.3.0
...
  python version = 2.7.10 (v2.7.10:15c95b7d81dc, May 23 2015, 09:33:12) [GCC 4.2.1 (Apple Inc. build 5666) (dot 3)]

This was because some people had recommended installing Ansible via Pip, which I had done. But I had settled on using howebrew to install Python. So I unistalled Ansible via pip and re-installed via homebrew and now things are working as expected:

> pip uninstall ansible

> brew install ansible

> ansible-galaxy --version
ansible-galaxy 2.4.3.0
...
  python version = 2.7.14 (default, Mar  1 2018, 19:23:40) [GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.42.1)]

> ansible-galaxy install -c geerlingguy.apache
...
- geerlingguy.apache (2.1.1) was installed successfully
4 Likes

I was having the same errors after upgrading to High Sierra OS:

- downloading role 'composer', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-composer/archive/1.6.1.tar.gz
 [ERROR]: failed to download the file: Failed to validate the SSL certificate for github.com:443.
Make sure your managed systems have a valid CA certificate installed. 

Unistalling Ansible via pip and re-installing via homebrew did the trick for me as well. Thanks!

2 Likes

I spent a bunch of time mucking around with Homebrew Python and --with-brewed-openssl.

Using the pip-installed version was the solution for me as well.

@swalkinshaw I’m confused why ansible version isn’t included with Vagrant and Virtualbox versions on the Trellis README. I found it in the merge at https://github.com/roots/trellis/pull/895.

Because newer versions of Trellis/Vagrant auto-install Ansible on the VM/guest. Trellis validates your Ansible version anyway.

1 Like

I wonder if under the “Git Clone” section of Troubleshooting it would make sense to mention that the pip installed version of Ansible is preferred.