@max I’m afraid I don’t have a good answer for you. My first suggestion would be to try again after waiting a bit. I tried creating a fresh vm and couldn’t reproduce the problem.
If you have the option of turning on a VPN for your control machine, doing so should change your IP and could get around any potential rate-limiting, if relevant. That may have worked for me once when I think GitHub was rate-limiting me after a few provision attempts, or maybe it was just a coincidence. However, I realize the relevant domain is getcomposer.org, not GitHub.
If you haven’t already, check that you’re using Ansible 2.0.2.0 and Vagrant 1.8.1 (1.8.4 is not working for everybody). You could then

- `vagrant box update` (e.g., to use the latest `ubuntu/trusty64` with provider `virtualbox` version `20160627.0.0`)
- back up mysql db on vm (if somehow you did anything with the db)
- `vagrant destroy -f && vagrant up` to completely rebuild the vm

If that doesn’t fix it, we can consider the error message, which I understand to be Ansible offering suggestions of what to check in the event of ssl.SSLError or socket.error rather than exact diagnostics of the problem. You probably saw something like
```
msg: Failed to validate the SSL certificate for getcomposer.org:443.
Make sure your managed systems have a valid CA certificate installed.
If the website serving the url uses SNI you need python >= 2.7.9 on your managed machine.
You can use validate_certs=False if you do not need to confirm the server\s identity but this is unsafe and not recommended.
Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible
```

- I doubt the problem is a missing/obsolete CA certificate on the vm because your `curl` and `wget` succeed.
- I doubt it is an SNI or python version problem because I get the same cert in response to these commands:

```
# not applying SNI
openssl s_client -connect getcomposer.org:443 | openssl x509 -noout -text
# applying SNI by specifying -servername
openssl s_client -connect getcomposer.org:443 -servername getcomposer.org | openssl x509 -noout -text
```

If trying later doesn’t work, and a VPN doesn’t work, you may have to do a little more digging, or try a temporary dirty hack and adjust the offending task in the `vendor/roles` directory, either setting the `validate_certs` option to `false` (docs), which is insecure, or changing the task to use `curl`.
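
An added diagnostic, not part of the original post and not Ansible's own code: run on the managed machine (the vm), it reports the things the error message above says to check, namely whether the Python interpreter meets the `python >= 2.7.9` SNI requirement and which of the listed CA directories exist and hold certificate files. The function names and the file-suffix heuristic are assumptions made for this example.

```python
from __future__ import print_function
import os
import ssl
import sys

# Directories quoted in the error message ("Paths checked for this platform").
CA_PATHS = [
    "/etc/ssl/certs",
    "/etc/pki/ca-trust/extracted/pem",
    "/etc/pki/tls/certs",
    "/usr/share/ca-certificates/cacert.org",
    "/etc/ansible",
]
# Assumption: certificate files are recognised by these suffixes only.
CERT_SUFFIXES = (".pem", ".crt", ".cer")


def count_ca_files(path):
    """Number of certificate-like files in path, or None if the directory is missing."""
    if not os.path.isdir(path):
        return None
    return sum(1 for name in os.listdir(path) if name.lower().endswith(CERT_SUFFIXES))


def sni_capable(version=None, has_sni=None):
    """True when the interpreter meets the 'python >= 2.7.9' SNI requirement."""
    version = tuple(sys.version_info[:3]) if version is None else version
    has_sni = getattr(ssl, "HAS_SNI", False) if has_sni is None else has_sni
    return version >= (2, 7, 9) and bool(has_sni)


def diagnose(paths=CA_PATHS):
    """Collect the facts the error message asks you to check."""
    return {
        "python": ".".join(str(part) for part in sys.version_info[:3]),
        "openssl": ssl.OPENSSL_VERSION,
        "sni_capable": sni_capable(),
        "ca_paths": dict((p, count_ca_files(p)) for p in paths),
    }


if __name__ == "__main__":
    report = diagnose()
    for key in ("python", "openssl", "sni_capable"):
        print("%-12s %s" % (key, report[key]))
    for path, count in sorted(report["ca_paths"].items()):
        state = "missing" if count is None else "%d cert files" % count
        print("%-45s %s" % (path, state))
```

A directory reported as missing or holding 0 cert files points at the CA-certificate hint; `sni_capable False` points at the SNI hint.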