Thanks for the prompt to look further. Turns out it’s not your primary system openssl version
that matters, but your python’s ssl.
TL;DR
I’m guessing you’re using Ansible installed via homebrew (kudos to GitHub user 1ambda).
Try brew uninstall -f ansible
then pip install ansible
Make sure you’re on python >= 2.7.9
Ansible via homebrew
# ansible installed from latest homebrew
# https://github.com/Homebrew/homebrew-core/blob/29d5b28ca721eca971521af13a4e9a9a9d32bdd9/Formula/ansible.rb
$ ansible-galaxy --version
ansible 2.4.3.0
# python's openSSL version
$ python -c "import ssl; print(ssl.OPENSSL_VERSION)"
OpenSSL 0.9.8zh 14 Jan 2016
# availability of ssl.PROTOCOL_TLSv1_2
$ python -c 'import ssl; ssl.PROTOCOL_TLSv1_2'
Traceback (most recent call last):
File "<string>", line 1, in <module>
AttributeError: 'module' object has no attribute 'PROTOCOL_TLSv1_2'
# reproduce failed galaxy role install
$ ansible-galaxy install -r requirements.yml
- downloading role 'composer', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-composer/archive/1.6.1.tar.gz
[ERROR]: failed to download the file: Failed to validate the SSL certificate for github.com:443.
Make sure your managed systems have a valid CA certificate installed. You can use
validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not
recommended. Paths checked for this platform: /etc/ssl/certs, /etc/ansible, /usr/local/etc/openssl.
The exception msg was: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version
(_ssl.c:590).
[WARNING]: - composer was NOT installed successfully.
ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.
Ansible via pip
# Use ansible from pip instead
# uninstall ansible from homebrew
$ brew uninstall -f ansible
Uninstalling ansible... (11,507 files, 141MB)
# install ansible using pip
$ pip install ansible==2.4.2
Collecting ansible==2.4.2
...
Successfully installed ansible-2.4.2.0
$ ansible-galaxy --version
ansible 2.4.2.0
# python version (I used pyenv)
$ python --version
Python 2.7.13
# python's openSSL version
$ python -c "import ssl; print(ssl.OPENSSL_VERSION)"
OpenSSL 1.0.2n 7 Dec 2017
# availability of ssl.PROTOCOL_TLSv1_2
$ python -c 'import ssl; ssl.PROTOCOL_TLSv1_2'
$ echo $?
0
# demonstrate successful galaxy role install
$ ansible-galaxy install -r requirements.yml
- downloading role 'composer', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-composer/archive/1.6.1.tar.gz
- extracting composer to /Users/philip/tests/site1.com/trellis/vendor/roles/composer
- composer (1.6.1) was installed successfully
- downloading role 'ntp', owned by geerlingguy
...
- geerlingguy.daemonize (1.2.0) was installed successfully
Ansible with python <= 2.7.8
$ python --version
Python 2.7.8
$ ansible-galaxy --version
ansible 2.4.2.0
# openSSL version ok
$ python -c "import ssl; print(ssl.OPENSSL_VERSION)"
OpenSSL 1.0.2n 7 Dec 2017
# but missing ssl.PROTOCOL_TLSv1_2
$ python -c 'import ssl; ssl.PROTOCOL_TLSv1_2'
Traceback (most recent call last):
File "<string>", line 1, in <module>
AttributeError: 'module' object has no attribute 'PROTOCOL_TLSv1_2'
# so, galaxy roles install will fail with slightly different error
$ ansible-galaxy install -r requirements.yml
- downloading role 'composer', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-composer/archive/1.6.1.tar.gz
[ERROR]: failed to download the file: Failed to validate the SSL certificate for github.com:443.
Make sure your managed systems have a valid CA certificate installed. If the website serving the
url uses SNI you need python >= 2.7.9 on your managed machine (the python executable used
(/usr/local/var/pyenv/versions/2.7.8/bin/python2.7) is version: 2.7.8 (default, Feb 10 2017,
21:08:58) [GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.42.1)]) or you can install the
`urllib3`, `pyOpenSSL`, `ndg-httpsclient`, and `pyasn1` python modules to perform SNI verification
in python >= 2.6. You can use validate_certs=False if you do not need to confirm the servers
identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs,
/etc/ansible, /usr/local/etc/openssl. The exception msg was: [Errno 1] _ssl.c:514:
error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version.
[WARNING]: - composer was NOT installed successfully.
ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.
SSH
The crypto removal notice also mentions removal of diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1.
# if ssh to github succeeds, you should be fine
$ ssh -T git@github.com
Hi fullyint! You've successfully authenticated, but GitHub does not provide shell access.
# check which kexalgorithms your ssh client will try to offer
$ ssh -G git@github.com | grep kex
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
# or this command, but it doesn't show priority/sequence
$ ssh -Q kex
<some list>
Check that the kex (key exchange algorithms) have some overlap with what github.com is willing to use: https://sshcheck.com/server/github.com/
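Added example (my own script, not part of the post above and not Ansible's code): it folds the three manual checks from the post into one function you can run under whichever python ansible-galaxy uses, and adds the kex-overlap check for the SSH part. The thresholds it encodes are the ones behind the post's numbers: TLS 1.2 first appeared in OpenSSL 1.0.1, and Python 2.7.9 is the release that backported the ssl module with PROTOCOL_TLSv1_2 and SNI support. The server kex lists in the usage section are constructed for illustration, not GitHub's actual list; take the real one from sshcheck.com as the post suggests.

```python
"""Check whether a python's ssl module and an ssh client survive the removal
of TLSv1/TLSv1.1 and the sha1 DH key-exchange groups.

Run with the same interpreter ansible-galaxy uses (see the shebang of the
ansible-galaxy script), or call diagnose() with values from another build.
"""
import re
import ssl
import sys


def parse_openssl_version(version_string):
    """Turn 'OpenSSL 1.0.2n  7 Dec 2017' into (1, 0, 2); the patch letter is ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        return (0, 0, 0)
    return tuple(int(x) for x in m.groups())


def diagnose(python_version, openssl_version, has_tlsv1_2, has_sni):
    """Return (ok, reasons) for the given interpreter facts.

    python_version   tuple such as (2, 7, 13), i.e. sys.version_info[:3]
    openssl_version  the string in ssl.OPENSSL_VERSION
    has_tlsv1_2      hasattr(ssl, 'PROTOCOL_TLSv1_2')
    has_sni          ssl.HAS_SNI
    """
    reasons = []
    ossl = parse_openssl_version(openssl_version)
    # TLS 1.2 arrived in OpenSSL 1.0.1; 0.9.8 and 1.0.0 can only offer TLSv1
    if ossl < (1, 0, 1):
        reasons.append("%s is older than OpenSSL 1.0.1, so it has no TLS 1.2"
                       % openssl_version)
    # 2.7.9 backported the 3.4 ssl module (PROTOCOL_TLSv1_2, SNI, SSLContext)
    too_old = (python_version[0] == 2 and python_version < (2, 7, 9)) or \
              (python_version[0] == 3 and python_version < (3, 4))
    if too_old:
        reasons.append("Python %s predates the backported ssl module (needs >= 2.7.9)"
                       % ".".join(str(x) for x in python_version))
    if not has_tlsv1_2:
        reasons.append("ssl.PROTOCOL_TLSv1_2 is missing from this build")
    if not has_sni:
        reasons.append("ssl.HAS_SNI is False; github.com needs SNI to pick its certificate")
    return (not reasons, reasons)


def diagnose_running_interpreter():
    """Apply diagnose() to the interpreter executing this script."""
    return diagnose(tuple(sys.version_info[:3]),
                    ssl.OPENSSL_VERSION,
                    hasattr(ssl, "PROTOCOL_TLSv1_2"),
                    getattr(ssl, "HAS_SNI", False))


# The two kex methods the removal notice names (quoted in the post above)
REMOVED_SHA1_KEX = frozenset(["diffie-hellman-group1-sha1",
                              "diffie-hellman-group14-sha1"])


def kex_overlap(client_kex_csv, server_kex):
    """Key-exchange methods both sides accept, in the client's preference order.

    client_kex_csv  value of the `kexalgorithms` line printed by `ssh -G host`
    server_kex      methods the server offers (e.g. from sshcheck.com)
    """
    offered = set(server_kex)
    return [k for k in client_kex_csv.split(",") if k in offered]


def kex_ok(client_kex_csv, server_kex):
    """True if some shared kex method remains once the sha1 DH groups are gone."""
    return any(k not in REMOVED_SHA1_KEX
               for k in kex_overlap(client_kex_csv, server_kex))


if __name__ == "__main__":
    ok, reasons = diagnose_running_interpreter()
    print("python %s, %s: %s" % (".".join(str(x) for x in sys.version_info[:3]),
                                 ssl.OPENSSL_VERSION, "ok" if ok else "NOT ok"))
    for r in reasons:
        print("  - " + r)
    # Constructed sample: a client list like the `ssh -G` output above against a
    # hypothetical server that only still speaks the sha1 DH groups.
    client = ("curve25519-sha256@libssh.org,ecdh-sha2-nistp256,"
              "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1")
    print("kex ok against sha1-only server:",
          kex_ok(client, ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]))
```

The homebrew case from the post (OpenSSL 0.9.8zh, no PROTOCOL_TLSv1_2) comes back with two reasons, and the pyenv 2.7.8 case with three, because a Python that is too old also lacks SNI even when linked against a current OpenSSL; that is why the error text changes between the two failures above. A kex overlap that consists only of the sha1 DH groups is reported as not ok even though `ssh -T` may still succeed today.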