Make sure your managed systems have a valid CA certificate installed

Can’t for the life of me get this one sorted.

ERROR! Unexpected Exception: Failed to validate the SSL certificate for galaxy.ansible.com:443. Make sure your managed systems have a valid CA certificate installed. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/ansible, /usr/local/etc/openssl

Did you try re-provisioning using ansible-playbook server.yml -e env=<environment> once more? Or locally using vagrant reload --provision? Also try to use the -vvv flag for more details.

Failed to validate the SSL certificate errors are often just temporary connectivity issues, resolving themselves when you try again later (as @jasperfrumau suggested). However, I don’t recall seeing those types of errors with ERROR! Unexpected Exception.

If it doesn’t resolve by trying later, or adjusting your identity on the network (use VPN, visit coffee shop, etc.), could you give us more context? Echoing @jasperfrumau, it’d be nice to see the complete verbose debug output (add -vvvv):

# verbose provision
ansible-playbook server.yml -e env=<environment> -vvvv

# verbose deploy
ansible-playbook deploy.yml -e "site=<domain> env=<environment>" -vvvv

Is this your first time provisioning to this environment? Depending on your exact issue, I’ve run into errors before when changing the domain after I had already generated certs. After deleting the old certs, re-provisioning letsencrypt failed to work; I had to restart nginx and do a full re-provision.

A follow up reply. I should have been more specific, this was on my local environment!

Turns out my local CA was non-existent (wtf), so I went ahead and installed a Thawte CA certificate with Keychain Access and all seems to be good again.

Had an issue with the SSL certificate just locally as well, @inthedeepend. So got a

Your connection is not private
Attackers might be trying to steal your information from domain.dev (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID

I also saw in the inspector the following on the certificate:

Subject Alternative Name Missing
The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.

as well as:

Certificate Error
There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).

and provision once more.
So checked the certificate in the keychain and that still seemed to be OK and accepted. Did not see any error in the logs that could help. Internet is up and running. Looking into a manual way to get a new certificate now. Provisioning again does not seem to help.

Update

I needed to remove:

    redirects:
      - www.domain.dev

as I did not set up www. Re-added this after a Trellis upgrade and had removed it for production already, just not for development. After I changed this and provisioned once more, all was not well though and, well, I had a new error:

This server could not prove that it is domain.dev; its security certificate is from [missing_subjectAltName]. This may be caused by a misconfiguration or an attacker intercepting your connection. Learn more.
Reading about this new error at https://superuser.com/questions/1202498/create-self-signed-certificate-with-subjectaltname-to-fix-missing-subjectaltnam atm…
I can however choose now to continue to site at least…
Hmm, @fullyint mentioned at LetsEncrypt error on fresh install that I should use self-signed or nothing on Vagrant VMs as verification cannot be made, and that using none is better. Did work before though. Will provision without now…
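The missing_subjectAltName / NET::ERR_CERT_COMMON_NAME_INVALID errors in this thread come from a self-signed certificate that carries the host name only in its CN. As an added example (not code from the thread or from Trellis), this POSIX shell script issues a self-signed development certificate with a subjectAltName and checks a certificate for that extension; it assumes openssl on PATH, the placeholder host domain.dev from the thread, and hypothetical function names of its own.

```shell
#!/bin/sh
# Added example, not from the thread or Trellis. Assumes openssl on PATH.
# domain.dev is the placeholder host name used in the thread.

# make_dev_cert DOMAIN OUTDIR WITH_SAN(yes|no)
# Writes OUTDIR/DOMAIN.key and OUTDIR/DOMAIN.crt. With WITH_SAN=no the
# certificate names the host only in its CN, which is exactly what Chrome
# rejects with NET::ERR_CERT_COMMON_NAME_INVALID / missing_subjectAltName.
make_dev_cert() {
  domain="$1"; outdir="$2"; with_san="$3"
  cfg="$outdir/$domain.cnf"
  {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n'
    # x509_extensions is only referenced when asked for, so the CN-only
    # variant gets no SAN extension at all
    [ "$with_san" = yes ] && printf 'x509_extensions = v3_req\n'
    printf '[dn]\nCN = %s\n' "$domain"
    printf '[v3_req]\nsubjectAltName = DNS:%s, DNS:www.%s\n' "$domain" "$domain"
  } > "$cfg"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$cfg" \
    -keyout "$outdir/$domain.key" -out "$outdir/$domain.crt" >/dev/null 2>&1
}

# has_san CERT DOMAIN: succeeds only if the SAN extension lists DNS:DOMAIN.
# This is the check that predicts the browser error; run it on whatever cert
# provisioning produced before trusting it in Keychain Access.
has_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}

# verify_hostname CERT DOMAIN: OpenSSL's own host check with CERT as the trust
# anchor. Caveat: OpenSSL falls back to the CN when no SAN is present, so a
# CN-only cert passes here yet still fails in Chrome; pair it with has_san.
verify_hostname() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Stand-alone run: issue both variants into a scratch directory and report.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_dev_cert domain.dev "$tmp" yes
  has_san "$tmp/domain.dev.crt" domain.dev && echo "SAN cert: SAN present"
  mkdir "$tmp/cnonly"; make_dev_cert domain.dev "$tmp/cnonly" no
  has_san "$tmp/cnonly/domain.dev.crt" domain.dev || echo "CN-only cert: SAN missing"
fi
```

Run it with --demo to see both outcomes; the has_san check is the one worth adding to any local provisioning step that generates self-signed certificates.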